From 8fa79475298e9171bbd92740ef3159c383df2848 Mon Sep 17 00:00:00 2001
From: Herbert Poul <herbert@codeux.design>
Date: Wed, 19 Feb 2020 12:48:50 +0100
Subject: [PATCH] first version implementing kdbx4 support.

---
 .idea/dictionaries/herbert.xml               |   1 +
 bin/kdbx.dart                                |   4 +-
 example/kdbx_example.dart                    |   2 +-
 lib/src/crypto/key_encrypter_kdf.dart        | 113 +++++++++++++
 lib/src/crypto/protected_salt_generator.dart |  37 ++++
 lib/src/internal/byte_utils.dart             |  42 ++++-
 lib/src/kdbx_format.dart                     | 169 +++++++++++++++++--
 lib/src/kdbx_header.dart                     |  42 ++++-
 lib/src/kdbx_var_dictionary.dart             | 127 ++++++++++++++
 libargon2_ffi.dylib                          | Bin 0 -> 72052 bytes
 pubspec.yaml                                 |   4 +
 test/kdbx4_test.dart                         | 117 +++++++++++++
 test/kdbx_test.dart                          |  20 +--
 test/keepassxcpasswords.kdbx                 | Bin 1493 -> 1461 bytes
 14 files changed, 641 insertions(+), 37 deletions(-)
 create mode 100644 lib/src/crypto/key_encrypter_kdf.dart
 create mode 100644 lib/src/kdbx_var_dictionary.dart
 create mode 100755 libargon2_ffi.dylib
 create mode 100644 test/kdbx4_test.dart

diff --git a/.idea/dictionaries/herbert.xml b/.idea/dictionaries/herbert.xml
index 93abe3f..7e2bf04 100644
--- a/.idea/dictionaries/herbert.xml
+++ b/.idea/dictionaries/herbert.xml
@@ -3,6 +3,7 @@
     <words>
       <w>consts</w>
       <w>derivator</w>
+      <w>encrypter</w>
       <w>kdbx</w>
     </words>
   </dictionary>
diff --git a/bin/kdbx.dart b/bin/kdbx.dart
index 971ce70..cbab6c7 100644
--- a/bin/kdbx.dart
+++ b/bin/kdbx.dart
@@ -74,8 +74,8 @@ abstract class KdbxFileCommand extends Command<void> {
     final bytes = await File(inputFile).readAsBytes();
     final password = prompts.get('Password for $inputFile',
         conceal: true, validate: (str) => str.isNotEmpty);
-    final file = KdbxFormat.read(
-        bytes, Credentials(ProtectedValue.fromString(password)));
+    final file = KdbxFormat(null)
+        .read(bytes, Credentials(ProtectedValue.fromString(password)));
     return runWithFile(file);
   }
 
diff --git a/example/kdbx_example.dart b/example/kdbx_example.dart
index 0453429..d4902e5 100644
--- a/example/kdbx_example.dart
+++ b/example/kdbx_example.dart
@@ -1,5 +1,5 @@
 import 'package:kdbx/kdbx.dart';
 
 void main() {
-  KdbxFormat.read(null, null);
+  KdbxFormat().read(null, null);
 }
diff --git a/lib/src/crypto/key_encrypter_kdf.dart b/lib/src/crypto/key_encrypter_kdf.dart
new file mode 100644
index 0000000..dc902f0
--- /dev/null
+++ b/lib/src/crypto/key_encrypter_kdf.dart
@@ -0,0 +1,113 @@
+import 'dart:convert';
+import 'dart:typed_data';
+
+import 'package:kdbx/kdbx.dart';
+import 'package:kdbx/src/internal/byte_utils.dart';
+import 'package:kdbx/src/kdbx_var_dictionary.dart';
+import 'package:logging/logging.dart';
+
+final _logger = Logger('key_encrypter_kdf');
+
+enum KdfType {
+  Argon2,
+  Aes,
+}
+
+class KdfField<T> {
+  KdfField(this.field, this.type);
+
+  final String field;
+  final ValueType<T> type;
+
+  static final salt = KdfField('S', ValueType.typeBytes);
+  static final parallelism = KdfField('P', ValueType.typeUInt32);
+  static final memory = KdfField('M', ValueType.typeUInt64);
+  static final iterations = KdfField('I', ValueType.typeUInt64);
+  static final version = KdfField('V', ValueType.typeUInt32);
+  static final secretKey = KdfField('K', ValueType.typeBytes);
+  static final assocData = KdfField('A', ValueType.typeBytes);
+  static final rounds = KdfField('R', ValueType.typeInt64);
+
+  static final fields = [
+    salt,
+    parallelism,
+    memory,
+    iterations,
+    version,
+    secretKey,
+    assocData,
+    rounds
+  ];
+
+  static void debugAll(VarDictionary dict) {
+    _logger
+        .fine('VarDictionary{\n${fields.map((f) => f.debug(dict)).join('\n')}');
+  }
+
+  T read(VarDictionary dict) => dict.get(type, field);
+  String debug(VarDictionary dict) {
+    final value = dict.get(type, field);
+    final strValue = type == ValueType.typeBytes
+        ? ByteUtils.toHexList(value as Uint8List)
+        : value;
+    return '$field=$strValue';
+  }
+}
+
+class KeyEncrypterKdf {
+  KeyEncrypterKdf(this.argon2);
+
+  static const kdfUuids = <String, KdfType>{
+    '72Nt34wpREuR96mkA+MKDA==': KdfType.Argon2,
+    'ydnzmmKKRGC/dA0IwYpP6g==': KdfType.Aes,
+  };
+
+  final Argon2 argon2;
+
+  Uint8List encrypt(Uint8List key, VarDictionary kdfParameters) {
+    final uuid = kdfParameters.get(ValueType.typeBytes, '\$UUID');
+    if (uuid == null) {
+      throw KdbxCorruptedFileException('No Kdf UUID');
+    }
+    final kdfUuid = base64.encode(uuid);
+    switch (kdfUuids[kdfUuid]) {
+      case KdfType.Argon2:
+        _logger.fine('Must be using argon2');
+        return encryptArgon2(key, kdfParameters);
+        break;
+      case KdfType.Aes:
+        _logger.fine('Must be using aes');
+        break;
+    }
+    throw UnsupportedError('unsupported encrypt stuff.');
+  }
+
+  Uint8List encryptArgon2(Uint8List key, VarDictionary kdfParameters) {
+    _logger.fine('argon2():');
+    _logger.fine('key: ${ByteUtils.toHexList(key)}');
+    KdfField.debugAll(kdfParameters);
+    return argon2.argon2(
+      key,
+      KdfField.salt.read(kdfParameters),
+      65536, //KdfField.memory.read(kdfParameters),
+      KdfField.iterations.read(kdfParameters),
+      32,
+      KdfField.parallelism.read(kdfParameters),
+      0,
+      KdfField.version.read(kdfParameters),
+    );
+  }
+}
+
+abstract class Argon2 {
+  Uint8List argon2(
+    Uint8List key,
+    Uint8List salt,
+    int memory,
+    int iterations,
+    int length,
+    int parallelism,
+    int type,
+    int version,
+  );
+}
diff --git a/lib/src/crypto/protected_salt_generator.dart b/lib/src/crypto/protected_salt_generator.dart
index 891da36..b63f5bb 100644
--- a/lib/src/crypto/protected_salt_generator.dart
+++ b/lib/src/crypto/protected_salt_generator.dart
@@ -2,6 +2,7 @@ import 'dart:convert';
 import 'dart:typed_data';
 
 import 'package:crypto/crypto.dart';
+import 'package:cryptography/cryptography.dart' as cryptography;
 import 'package:pointycastle/export.dart';
 
 class ProtectedSaltGenerator {
@@ -11,6 +12,9 @@ class ProtectedSaltGenerator {
       ..init(false, ParametersWithIV(KeyParameter(hash), salsaNonce));
     return ProtectedSaltGenerator._(cipher);
   }
+  factory ProtectedSaltGenerator.chacha20(Uint8List key) {
+    return ChachaProtectedSaltGenerator.create(key); // Chacha20();
+  }
 
   ProtectedSaltGenerator._(this._cipher);
 
@@ -30,3 +34,36 @@ class ProtectedSaltGenerator {
     return base64.encode(encrypted);
   }
 }
+
+class ChachaProtectedSaltGenerator implements ProtectedSaltGenerator {
+  ChachaProtectedSaltGenerator._(this._secretKey, this._nonce);
+
+  factory ChachaProtectedSaltGenerator.create(Uint8List key) {
+    final hash = sha512.convert(key);
+    final secretKey = hash.bytes.sublist(0, 32);
+    final nonce = hash.bytes.sublist(32, 32 + 12);
+    return ChachaProtectedSaltGenerator._(
+        cryptography.SecretKey(secretKey), cryptography.SecretKey(nonce));
+  }
+
+  final cryptography.SecretKey _secretKey;
+  final cryptography.SecretKey _nonce;
+
+  @override
+  StreamCipher get _cipher => throw UnimplementedError();
+
+  @override
+  String decryptBase64(String protectedValue) {
+    final result = cryptography.chacha20
+        .decrypt(base64.decode(protectedValue), _secretKey, nonce: _nonce);
+    return utf8.decode(result);
+  }
+
+  @override
+  String encryptToBase64(String plainValue) {
+    final input = utf8.encode(plainValue) as Uint8List;
+    final encrypted =
+        cryptography.chacha20.encrypt(input, _secretKey, nonce: _nonce);
+    return base64.encode(encrypted);
+  }
+}
diff --git a/lib/src/internal/byte_utils.dart b/lib/src/internal/byte_utils.dart
index dfa3aff..560cf50 100644
--- a/lib/src/internal/byte_utils.dart
+++ b/lib/src/internal/byte_utils.dart
@@ -1,3 +1,4 @@
+import 'dart:convert';
 import 'dart:io';
 import 'dart:math';
 import 'dart:typed_data';
@@ -20,7 +21,7 @@ class ByteUtils {
     return true;
   }
 
-  static String toHex(int val) => '0x${val.toRadixString(16)}';
+  static String toHex(int val) => '0x${val.toRadixString(16).padLeft(2, '0')}';
 
   static String toHexList(List<int> list) =>
       list?.map((val) => toHex(val))?.join(' ') ?? '(null)';
@@ -73,8 +74,13 @@ class ReaderHelper {
   int readUint32() => _nextByteBuffer(4).getUint32(0, Endian.little);
   int readUint64() => _nextByteBuffer(8).getUint64(0, Endian.little);
 
+  int readInt32() => _nextByteBuffer(4).getInt32(0, Endian.little);
+  int readInt64() => _nextByteBuffer(8).getInt64(0, Endian.little);
+
   Uint8List readBytes(int size) => _nextBytes(size);
 
+  String readString(int size) => const Utf8Decoder().convert(readBytes(size));
+
   Uint8List readBytesUpTo(int maxSize) =>
       _nextBytes(min(maxSize, lengthInBytes - pos));
 
@@ -84,6 +90,8 @@ class ReaderHelper {
   static int singleUint64(Uint8List bytes) => ReaderHelper(bytes).readUint64();
 }
 
+typedef LengthWriter = void Function(int length);
+
 class WriterHelper {
   WriterHelper([BytesBuilder output]) : output = output ?? BytesBuilder();
 
@@ -91,25 +99,40 @@ class WriterHelper {
 
   void _write(ByteData byteData) => output.add(byteData.buffer.asUint8List());
 
-  void writeBytes(Uint8List bytes) {
+  void writeBytes(Uint8List bytes, [LengthWriter lengthWriter]) {
+    lengthWriter?.call(4);
     output.add(bytes);
 //    output.asUint8List().addAll(bytes);
   }
 
-  void writeUint32(int value) {
+  void writeUint32(int value, [LengthWriter lengthWriter]) {
+    lengthWriter?.call(4);
     _write(ByteData(4)..setUint32(0, value, Endian.little));
 //    output.asUint32List().add(value);
   }
 
-  void writeUint64(int value) {
+  void writeUint64(int value, [LengthWriter lengthWriter]) {
+    lengthWriter?.call(8);
     _write(ByteData(8)..setUint64(0, value, Endian.little));
   }
 
-  void writeUint16(int value) {
+  void writeUint16(int value, [LengthWriter lengthWriter]) {
+    lengthWriter?.call(2);
     _write(ByteData(2)..setUint16(0, value, Endian.little));
   }
 
-  void writeUint8(int value) {
+  void writeInt32(int value, [LengthWriter lengthWriter]) {
+    lengthWriter?.call(4);
+    _write(ByteData(4)..setInt32(0, value, Endian.little));
+  }
+
+  void writeInt64(int value, [LengthWriter lengthWriter]) {
+    lengthWriter?.call(8);
+    _write(ByteData(8)..setInt64(0, value, Endian.little));
+  }
+
+  void writeUint8(int value, [LengthWriter lengthWriter]) {
+    lengthWriter?.call(1);
     output.addByte(value);
   }
 
@@ -117,4 +140,11 @@ class WriterHelper {
       (WriterHelper()..writeUint32(val)).output.toBytes();
   static Uint8List singleUint64Bytes(int val) =>
       (WriterHelper()..writeUint64(val)).output.toBytes();
+
+  int writeString(String value, [LengthWriter lengthWriter]) {
+    final bytes = const Utf8Encoder().convert(value);
+    lengthWriter?.call(bytes.length);
+    writeBytes(bytes);
+    return bytes.length;
+  }
 }
diff --git a/lib/src/kdbx_format.dart b/lib/src/kdbx_format.dart
index ccc9a20..90f8497 100644
--- a/lib/src/kdbx_format.dart
+++ b/lib/src/kdbx_format.dart
@@ -1,14 +1,17 @@
 import 'dart:async';
 import 'dart:convert';
+import 'dart:ffi';
 import 'dart:io';
 import 'dart:typed_data';
 
 import 'package:convert/convert.dart' as convert;
 import 'package:crypto/crypto.dart' as crypto;
 import 'package:kdbx/kdbx.dart';
+import 'package:kdbx/src/crypto/key_encrypter_kdf.dart';
 import 'package:kdbx/src/crypto/protected_salt_generator.dart';
 import 'package:kdbx/src/crypto/protected_value.dart';
 import 'package:kdbx/src/internal/byte_utils.dart';
+import 'package:kdbx/src/internal/consts.dart';
 import 'package:kdbx/src/internal/crypto_utils.dart';
 import 'package:kdbx/src/kdbx_group.dart';
 import 'package:kdbx/src/kdbx_header.dart';
@@ -278,7 +281,11 @@ class KdbxBody extends KdbxNode {
 }
 
 class KdbxFormat {
-  static KdbxFile create(
+  KdbxFormat([this.argon2]);
+
+  final Argon2 argon2;
+
+  KdbxFile create(
     Credentials credentials,
     String name, {
     String generator,
@@ -293,19 +300,22 @@ class KdbxFormat {
     return KdbxFile(credentials, header, body);
   }
 
-  static KdbxFile read(Uint8List input, Credentials credentials) {
+  KdbxFile read(Uint8List input, Credentials credentials) {
     final reader = ReaderHelper(input);
     final header = KdbxHeader.read(reader);
-    if (header.versionMajor != 3) {
+    if (header.versionMajor == 3) {
+      return _loadV3(header, reader, credentials);
+    } else if (header.versionMajor == 4) {
+      return _loadV4(header, reader, credentials);
+    } else {
       _logger.finer('Unsupported version for $header');
       throw KdbxUnsupportedException('Unsupported kdbx version '
           '${header.versionMajor}.${header.versionMinor}.'
-          ' Only 3.x is supported.');
+          ' Only 3.x and 4.x is supported.');
     }
-    return _loadV3(header, reader, credentials);
   }
 
-  static KdbxFile _loadV3(
+  KdbxFile _loadV3(
       KdbxHeader header, ReaderHelper reader, Credentials credentials) {
 //    _getMasterKeyV3(header, credentials);
     final masterKey = _generateMasterKeyV3(header, credentials);
@@ -324,14 +334,138 @@ class KdbxFormat {
     }
   }
 
-  static KdbxBody _loadXml(KdbxHeader header, String xmlString) {
+  KdbxFile _loadV4(
+      KdbxHeader header, ReaderHelper reader, Credentials credentials) {
+    final headerBytes = reader.byteData.sublist(0, header.endPos);
+    final hash = crypto.sha256.convert(headerBytes).bytes;
+    final actualHash = reader.readBytes(hash.length);
+    if (!ByteUtils.eq(hash, actualHash)) {
+      _logger.fine(
+          'Does not match ${ByteUtils.toHexList(hash)} vs ${ByteUtils.toHexList(actualHash)}');
+      throw KdbxCorruptedFileException('Header hash does not match.');
+    }
+    _logger
+        .finest('KdfParameters: ${header.readKdfParameters.toDebugString()}');
+    _logger.finest('Header hash matches.');
+    final key = _computeKeysV4(header, credentials);
+    final masterSeed = header.fields[HeaderFields.MasterSeed].bytes;
+    if (masterSeed.length != 32) {
+      throw const FormatException('Master seed must be 32 bytes.');
+    }
+//    final keyWithSeed = Uint8List(65);
+//    keyWithSeed.replaceRange(0, masterSeed.length, masterSeed);
+//    keyWithSeed.replaceRange(
+//        masterSeed.length, masterSeed.length + key.length, key);
+//    keyWithSeed[64] = 1;
+    _logger.fine('masterSeed: ${ByteUtils.toHexList(masterSeed)}');
+    final keyWithSeed = masterSeed + key + Uint8List.fromList([1]);
+    assert(keyWithSeed.length == 65);
+    final cipher = crypto.sha256.convert(keyWithSeed.sublist(0, 64));
+    final hmacKey = crypto.sha512.convert(keyWithSeed);
+    _logger.fine('hmacKey: ${ByteUtils.toHexList(hmacKey.bytes)}');
+    final headerHmac =
+        _getHeaderHmac(header, reader, hmacKey.bytes as Uint8List);
+    final expectedHmac = reader.readBytes(headerHmac.bytes.length);
+    _logger.fine('Expected: ${ByteUtils.toHexList(expectedHmac)}');
+    _logger.fine('Actual  : ${ByteUtils.toHexList(headerHmac.bytes)}');
+    if (!ByteUtils.eq(hash, actualHash)) {
+      throw KdbxInvalidKeyException();
+    }
+//    final hmacTransformer = crypto.Hmac(crypto.sha256, hmacKey.bytes);
+//    final blockreader.readBytes(32);
+    final bodyStuff = hmacBlockTransformer(reader);
+    _logger.fine('body decrypt: ${ByteUtils.toHexList(bodyStuff)}');
+    final decrypted = decrypt(header, bodyStuff, cipher.bytes as Uint8List);
+    _logger.finer('compression: ${header.compression}');
+    if (header.compression == Compression.gzip) {
+      final content = GZipCodec().decode(decrypted) as Uint8List;
+      final contentReader = ReaderHelper(content);
+      final fieldIterable =
+          KdbxHeader.readField(contentReader, 4, InnerHeaderFields.values);
+      final headerFields = Map.fromEntries(
+          fieldIterable.map((field) => MapEntry(field.field, field)));
+      _logger.fine('inner header fields: $headerFields');
+      header.fields.addAll(headerFields);
+      final xml = utf8.decode(contentReader.readRemaining());
+      _logger.fine('content: $xml');
+      return KdbxFile(credentials, header, _loadXml(header, xml));
+    }
+    return null;
+  }
+
+  Uint8List hmacBlockTransformer(ReaderHelper reader) {
+    Uint8List blockHash;
+    int blockLength;
+    List<int> ret = <int>[];
+    while (true) {
+      blockHash = reader.readBytes(32);
+      blockLength = reader.readUint32();
+      if (blockLength < 1) {
+        return Uint8List.fromList(ret);
+      }
+      ret.addAll(reader.readBytes(blockLength));
+    }
+  }
+
+  Uint8List decrypt(
+      KdbxHeader header, Uint8List encrypted, Uint8List cipherKey) {
+    final cipherId = base64.encode(header.fields[HeaderFields.CipherID].bytes);
+    if (cipherId == CryptoConsts.CIPHER_IDS[Cipher.aes].uuid) {
+      _logger.fine('We need AES');
+      final result = _decryptContentV4(header, cipherKey, encrypted);
+      _logger.fine('Result: ${ByteUtils.toHexList(result)}');
+      return result;
+    } else if (cipherId == CryptoConsts.CIPHER_IDS[Cipher.chaCha20].uuid) {
+      _logger.fine('We need chacha20');
+    } else {
+      throw UnsupportedError('Unsupported cipherId $cipherId');
+    }
+  }
+
+//  Uint8List _transformDataV4Aes() {
+//  }
+
+  crypto.Digest _getHeaderHmac(
+      KdbxHeader header, ReaderHelper reader, Uint8List key) {
+    final writer = WriterHelper()
+      ..writeUint32(0xffffffff)
+      ..writeUint32(0xffffffff)
+      ..writeBytes(key);
+    final hmacKey = crypto.sha512.convert(writer.output.toBytes()).bytes;
+    final src = reader.byteData.sublist(0, header.endPos);
+    final hmacKeyStuff = crypto.Hmac(crypto.sha256, hmacKey);
+    _logger.fine('keySha: ${ByteUtils.toHexList(hmacKey)}');
+    _logger.fine('src: ${ByteUtils.toHexList(src)}');
+    return hmacKeyStuff.convert(src);
+  }
+
+  Uint8List _computeKeysV4(KdbxHeader header, Credentials credentials) {
+    final masterSeed = header.fields[HeaderFields.MasterSeed].bytes;
+    final kdfParameters = header.readKdfParameters;
+    assert(masterSeed.length == 32);
+    final credentialHash = credentials.getHash();
+    _logger.fine('MasterSeed: ${ByteUtils.toHexList(masterSeed)}');
+    _logger.fine('credentialHash: ${ByteUtils.toHexList(credentialHash)}');
+    final ret = KeyEncrypterKdf(argon2).encrypt(credentialHash, kdfParameters);
+    _logger.fine('keyv4: ${ByteUtils.toHexList(ret)}');
+    return ret;
+  }
+
+  ProtectedSaltGenerator _createProtectedSaltGenerator(KdbxHeader header) {
     final protectedValueEncryption = header.innerRandomStreamEncryption;
-    if (protectedValueEncryption != ProtectedValueEncryption.salsa20) {
+    final streamKey = header.fields[HeaderFields.ProtectedStreamKey].bytes;
+    if (protectedValueEncryption == ProtectedValueEncryption.salsa20) {
+      return ProtectedSaltGenerator(streamKey);
+    } else if (protectedValueEncryption == ProtectedValueEncryption.chaCha20) {
+      return ProtectedSaltGenerator.chacha20(streamKey);
+    } else {
       throw KdbxUnsupportedException(
           'Inner encryption: $protectedValueEncryption');
     }
-    final streamKey = header.fields[HeaderFields.ProtectedStreamKey].bytes;
-    final gen = ProtectedSaltGenerator(streamKey);
+  }
+
+  KdbxBody _loadXml(KdbxHeader header, String xmlString) {
+    final gen = _createProtectedSaltGenerator(header);
 
     final document = xml.parse(xmlString);
 
@@ -350,7 +484,7 @@ class KdbxFormat {
     return KdbxBody.read(keePassFile, KdbxMeta.read(meta), rootGroup);
   }
 
-  static Uint8List _decryptContent(
+  Uint8List _decryptContent(
       KdbxHeader header, Uint8List masterKey, Uint8List encryptedPayload) {
     final encryptionIv = header.fields[HeaderFields.EncryptionIV].bytes;
     final decryptCipher = CBCBlockCipher(AESFastEngine());
@@ -383,6 +517,19 @@ class KdbxFormat {
     return content;
   }
 
+  Uint8List _decryptContentV4(
+      KdbxHeader header, Uint8List masterKey, Uint8List encryptedPayload) {
+    final encryptionIv = header.fields[HeaderFields.EncryptionIV].bytes;
+    final decryptCipher = CBCBlockCipher(AESFastEngine());
+    decryptCipher.init(
+        false, ParametersWithIV(KeyParameter(masterKey), encryptionIv));
+    final paddedDecrypted =
+        AesHelper.processBlocks(decryptCipher, encryptedPayload);
+
+    final decrypted = AesHelper.unpad(paddedDecrypted);
+    return decrypted;
+  }
+
   static Uint8List _generateMasterKeyV3(
       KdbxHeader header, Credentials credentials) {
     final rounds = ReaderHelper.singleUint64(
diff --git a/lib/src/kdbx_header.dart b/lib/src/kdbx_header.dart
index e3f68cc..6730eca 100644
--- a/lib/src/kdbx_header.dart
+++ b/lib/src/kdbx_header.dart
@@ -3,6 +3,7 @@ import 'dart:typed_data';
 import 'package:crypto/crypto.dart' as crypto;
 import 'package:kdbx/src/internal/byte_utils.dart';
 import 'package:kdbx/src/internal/consts.dart';
+import 'package:kdbx/src/kdbx_var_dictionary.dart';
 import 'package:logging/logging.dart';
 import 'package:meta/meta.dart';
 
@@ -23,7 +24,7 @@ enum Compression {
 }
 
 /// how protected values are encrypted in the xml.
-enum ProtectedValueEncryption { plainText, arc4variant, salsa20 }
+enum ProtectedValueEncryption { plainText, arc4variant, salsa20, chaCha20 }
 
 enum HeaderFields {
   EndOfHeader,
@@ -41,6 +42,13 @@ enum HeaderFields {
   PublicCustomData,
 }
 
+enum InnerHeaderFields {
+  EndOfHeader,
+  InnerRandomStreamID,
+  InnerRandomStreamKey,
+  Binary,
+}
+
 class HeaderField {
   HeaderField(this.field, this.bytes);
 
@@ -57,6 +65,7 @@ class KdbxHeader {
     @required this.versionMinor,
     @required this.versionMajor,
     @required this.fields,
+    @required this.endPos,
   });
 
   KdbxHeader.create()
@@ -66,6 +75,7 @@ class KdbxHeader {
           versionMinor: 1,
           versionMajor: 3,
           fields: _defaultFieldValues(),
+          endPos: null,
         );
 
   static List<HeaderFields> _requiredFields(int majorVersion) {
@@ -76,7 +86,8 @@ class KdbxHeader {
       HeaderFields.CipherID,
       HeaderFields.CompressionFlags,
       HeaderFields.MasterSeed,
-      HeaderFields.EncryptionIV
+      HeaderFields.EncryptionIV,
+      HeaderFields.InnerRandomStreamID,
     ];
     if (majorVersion < 4) {
       return baseHeaders +
@@ -85,7 +96,7 @@ class KdbxHeader {
             HeaderFields.TransformRounds,
             HeaderFields.ProtectedStreamKey,
             HeaderFields.StreamStartBytes,
-            HeaderFields.InnerRandomStreamID
+//            HeaderFields.InnerRandomStreamID
           ];
     } else {
       // TODO kdbx 4 support
@@ -189,26 +200,37 @@ class KdbxHeader {
     _logger.finer('Reading version: $versionMajor.$versionMinor');
     final headerFields = Map.fromEntries(readField(reader, versionMajor)
         .map((field) => MapEntry(field.field, field)));
+
     return KdbxHeader(
       sig1: sig1,
       sig2: sig2,
       versionMinor: versionMinor,
       versionMajor: versionMajor,
       fields: headerFields,
+      endPos: reader.pos,
     );
   }
 
-  static Iterable<HeaderField> readField(
-      ReaderHelper reader, int versionMajor) sync* {
+  static Iterable<HeaderField> readField(ReaderHelper reader, int versionMajor,
+      [List<dynamic> fields = HeaderFields.values]) sync* {
     while (true) {
       final headerId = reader.readUint8();
       final int bodySize =
           versionMajor >= 4 ? reader.readUint32() : reader.readUint16();
       final bodyBytes = bodySize > 0 ? reader.readBytes(bodySize) : null;
       _logger.finer(
-          'Read header ${HeaderFields.values[headerId]}: ${ByteUtils.toHexList(bodyBytes)}');
+          'Read header ${fields[headerId]}: ${ByteUtils.toHexList(bodyBytes)}');
       if (headerId > 0) {
-        yield HeaderField(HeaderFields.values[headerId], bodyBytes);
+        final dynamic field = fields[headerId];
+        if (field is HeaderFields) {
+          yield HeaderField(field, bodyBytes);
+        } else {
+          if (field == InnerHeaderFields.InnerRandomStreamID) {
+            yield HeaderField(HeaderFields.InnerRandomStreamID, bodyBytes);
+          } else if (field == InnerHeaderFields.InnerRandomStreamKey) {
+            yield HeaderField(HeaderFields.ProtectedStreamKey, bodyBytes);
+          }
+        }
       } else {
         break;
       }
@@ -221,6 +243,9 @@ class KdbxHeader {
   final int versionMajor;
   final Map<HeaderFields, HeaderField> fields;
 
+  /// end position of the header, if we have been reading from a stream.
+  final int endPos;
+
   Compression get compression {
     switch (ReaderHelper.singleUint32(
         fields[HeaderFields.CompressionFlags].bytes)) {
@@ -237,6 +262,9 @@ class KdbxHeader {
       ProtectedValueEncryption.values[ReaderHelper.singleUint32(
           fields[HeaderFields.InnerRandomStreamID].bytes)];
 
+  VarDictionary get readKdfParameters => VarDictionary.read(
+      ReaderHelper(fields[HeaderFields.KdfParameters].bytes));
+
   @override
   String toString() {
     return 'KdbxHeader{sig1: $sig1, sig2: $sig2, versionMajor: $versionMajor, versionMinor: $versionMinor}';
diff --git a/lib/src/kdbx_var_dictionary.dart b/lib/src/kdbx_var_dictionary.dart
new file mode 100644
index 0000000..b1ff948
--- /dev/null
+++ b/lib/src/kdbx_var_dictionary.dart
@@ -0,0 +1,127 @@
+import 'package:kdbx/src/internal/byte_utils.dart';
+import 'package:logging/logging.dart';
+import 'package:meta/meta.dart';
+
+final _logger = Logger('kdbx_var_dictionary');
+
+typedef Decoder<T> = T Function(ReaderHelper reader, int length);
+typedef Encoder<T> = void Function(WriterHelper writer, T value);
+
+extension on WriterHelper {
+  LengthWriter _lengthWriter() => (int length) => writeInt32(length);
+}
+
+@immutable
+class ValueType<T> {
+  const ValueType(this.code, this.decoder, [this.encoder]);
+  final int code;
+  final Decoder<T> decoder;
+  final Encoder<T> encoder;
+
+  static final typeUInt32 = ValueType(
+    0x04,
+    (reader, _) => reader.readUint32(),
+    (writer, value) => writer.writeUint32(value, writer._lengthWriter()),
+  );
+  static final typeUInt64 = ValueType(
+    0x05,
+    (reader, _) => reader.readUint64(),
+    (writer, value) => writer.writeUint64(value, writer._lengthWriter()),
+  );
+  static final typeBool = ValueType(
+    0x08,
+    (reader, _) => reader.readUint8() != 0,
+    (writer, value) => writer.writeUint8(value ? 1 : 0, writer._lengthWriter()),
+  );
+  static final typeInt32 = ValueType(
+    0x0C,
+    (reader, _) => reader.readInt32(),
+    (writer, value) => writer.writeInt32(value, writer._lengthWriter()),
+  );
+  static final typeInt64 = ValueType(
+    0x0D,
+    (reader, _) => reader.readInt64(),
+    (writer, value) => writer.writeInt64(value, writer._lengthWriter()),
+  );
+  static final typeString = ValueType(
+    0x18,
+    (reader, length) => reader.readString(length),
+    (writer, value) => writer.writeString(value, writer._lengthWriter()),
+  );
+  static final typeBytes = ValueType(
+    0x42,
+    (reader, length) => reader.readBytes(length),
+    (writer, value) => writer.writeBytes(value, writer._lengthWriter()),
+  );
+
+  static ValueType typeByCode(int code) =>
+      values.firstWhere((t) => t.code == code);
+
+  static final values = [
+    typeUInt32,
+    typeUInt64,
+    typeBool,
+    typeInt32,
+    typeInt64,
+    typeString,
+    typeBytes,
+  ];
+}
+
+class VarDictionaryItem<T> {
+  VarDictionaryItem(this._key, this._valueType, this._value);
+
+  final String _key;
+  final ValueType<T> _valueType;
+  final T _value;
+
+  String toDebugString() {
+    return 'VarDictionaryItem{key=$_key, valueType=$_valueType, value=${_value.runtimeType}}';
+  }
+}
+
+class VarDictionary {
+  VarDictionary(List<VarDictionaryItem<dynamic>> items)
+      : assert(items != null),
+        _items = items,
+        _dict = Map.fromEntries(items.map((item) => MapEntry(item._key, item)));
+
+  factory VarDictionary.read(ReaderHelper reader) {
+    final items = <VarDictionaryItem>[];
+    final versionMinor = reader.readUint8();
+    final versionMajor = reader.readUint8();
+    _logger.finest('Reading VarDictionary $versionMajor.$versionMinor');
+    assert(versionMajor == 1);
+
+    while (true) {
+      final item = _readItem(reader);
+      if (item == null) {
+        break;
+      }
+      items.add(item);
+    }
+    return VarDictionary(items);
+  }
+
+  final List<VarDictionaryItem<dynamic>> _items;
+  final Map<String, VarDictionaryItem<dynamic>> _dict;
+
+  T get<T>(ValueType<T> type, String key) => _dict[key]?._value as T;
+
+  static VarDictionaryItem<dynamic> _readItem(ReaderHelper reader) {
+    final type = reader.readUint8();
+    if (type == 0) {
+      return null;
+    }
+    final keyLength = reader.readUint32();
+    final key = reader.readString(keyLength);
+    final valueLength = reader.readInt32();
+    final valueType = ValueType.typeByCode(type);
+    return VarDictionaryItem<dynamic>(
+        key, valueType, valueType.decoder(reader, valueLength));
+  }
+
+  String toDebugString() {
+    return 'VarDictionary{${_items.map((item) => item.toDebugString())}';
+  }
+}
diff --git a/libargon2_ffi.dylib b/libargon2_ffi.dylib
new file mode 100755
index 0000000000000000000000000000000000000000..bf06d71a898dcc9fd8fda96dbe348c532adfbf98
GIT binary patch
literal 72052
zcmeHw3w%`7wfD&b2tGQorM<NEF;=*R;v@JfO3{gCbgGF)B`sCyB#;29fy6u%ZF3C{
zQI5y4saF(Vx9RQU($?0r1wKH*2~vXAYOr4AwzfvEt!I?hXsO0Z<@^8F-uuislNm35
z^y}~YeZLHxbN1SMt+m%)d+q00`{b#={_(vDmQ_$>S=M-5AHvl)&a%3#QiLq)<G7|3
zT2?$hH#%>wL<MiDAZTeAEG%B+$zMF)-mtt~g%up+*K?#wd+RRsBwU<9C(z{w<MFok
zjs<OARJMFKty4+=qA>^;c-WRzqWNXyBft2PhNhN=R^VmxD_*aNU(!4XLoJ!#DESsP
zFKf#bIGf+F=GQ~T<3~79UKQ=#<MD-U?X8W=7VDU7eqEbX!bf$13~U$#WJP2=-m&c3
z#%1;K#$}6|1rFB7nnx7n63u{cHV>U7588=~D;}>XpIaV3_u`8#n=1(^xm((tEMp%A
zX7PEEH!Ut6U)-G0T7G_$fh)h1qSuhv+eZz6C-jz84?+1RgPy+<^{@!*D$y~)N3fi}
zv_TzK&Bn5_V1GG@8IL#B#oMl1x}do!-qPNx^){N{S`!6+e!0+QEl&r+ufDFm&LA7T
zW#F}1p2Kt$VL!hNrV6o~F<kL@<>xQDFk10>RhyPIq|&X3ermY=3<a}|`P<pyfM?;N
ztp4~&YfD}Gl9QSm7u2;bZeDhBe9@xD6YH-73`G1sWm#Qi3=FBdDZ#Uvu>Q>(vaBUw
zn0gTx8V>D;c}#xAvJL^zR8nA-9AR09BF@nL4EVgxM%<ft`t^sXz;EM(0_%i8i~>H1
z2kE~5%wu<d>4~!Kt7Z>g@}qxw=aiEX7sds)mK8cgE{2tkKV0}3giD#Gf2@aDxX6pL
zgA(0kfpt<xTPwA~>$2<G+8dUhc#dB${|rp>>H33Z_24;O!=)&<v0+4w{l+vfrhzdH
zjA>v@17jK()4-Sp#xyXdfiVq?X<$qPV;UIKz?cTcG%%)tF%67qU`zx5PidegX8+#q
z+-G-;I34?nI!5f_`HwC-F?7sIk#bQF(_?n$NX)@ycMiv#=*Y~+?8hJBMtkh-w_}OF
zTA`KPr8g;CRmxkj>CeWBI)-C5E+;xnA}`5~N?fdes4%9(^B)ZzQ(;+>Ut&+S<Yjlb
zu|(%EGT>_k1YIlC%{Lsef#?VxR{FQt^M`1zJ9q#7{b02lS?!J`QUx)4z^%l)O~ef$
z4p-;y9mTUqIY>%8cgoX=4#s9j-B98dVMW2J216SrmDq!zO@Ve$_zBK&q;wG5KU4xd
z;MM@Q{fGkljo8GUz~7kWiv|w`5eRSeF)CD<<zrN681-c{>I0)b%?SCsAC4u4&W<Gy
zzZZqPWl{lBQO1s)t0tAH+}*>7;H6aUTs60ZSiaJH+7s0suenwExd}~SS`;qqt9I_F
zC@Gwyxnvhb$#du^4n^4<isqy})hAL#DAXWW?u43)5#E_z@*e7v8QM|U9j?UoYFK5)
zK344M1%sJy#geR`!`A|eITK@c6-^Y{9@xxRHtxLDh)>R$cn`uY60RDoOjf197uxKE
zHmiCn?W$Gomyl@husa?Yh_2<!p@Hak_-<$*+RIl;PUl*u<2z1GFKWE6!ihdm=~S(X
z4HQpdCXlZuW>-upi49atDGejW{nA8c+c~(EkR4s=PWzkK<{IGQI{ck)Dsi2Tk=Pk;
z#O&_nu-#C%;wC_B#r9s%&VSUs>JGfwIyBQDReMbA3A0Vw9ebUQy(nSX-EbnX++{!>
zhz^4i+3rD`n;qR7O3nZ%T3lE)9NKVd3GhP-|199!Q5T44FldJ9$JmGx+ry%4)dR3S
zmVdGQ3zx-K?BTmnCpxX-mYQ&-Gk>x(zqHahZ3aqH<(yt=cc8vHccZzZ-PE8hRHZ8H
z=))Cu6`DZR<e2>uqM`D~V~K5{SmLE&J9=Nt9;{eZb8n?RzsH_`D@eNB1^)_Zr*Dth
zL!jzH)LK|I%%dg+%|Be>kXz^E(1!Wp3a4{gEU~AwGI>;V4T$V5)MKUnLWSKQwRcuJ
zNy7G#Q!4DQp?d7@7J$%Fj5#E>mqHJXptHN1RD2oZ(MzyR+q>*1?d~N=a2*<Ba!v(M
zL3}8Yl5=JWVZ9=J`*tDRNg)+sEeS7Ggoi4^r-2mOP!&$RgB-6!dZ_!$teE7SKcm5b
z^G|@_bZ&Gy9(HO<QTE-HXsfU^6r?6ab)&4|N_*0jN@q1oQfbefQc`JOIi=L@p2z%J
z@j8-~XLqwNOn(vFLmQ&u#7IG?JIb2N#T<qK<~71RW*1M1Iie=9Xy#DrI&g4MY^%u@
zj41T^O6Yyx0EGIm--$U}C>7OKNonTN=96;{S9s3|UdLpE)g2>F>0hN?^g;++9Wai)
zG3T^j-$$OOgY8i4jQ3D)5#WZpKg^6B0b<Dp_loi_m&egSE&%7yp*`MDjc0o?=%8tI
zzh!sq39aONWf9zo?n$_?bT_o}%s^bB9ep{p@_fcE#EmUt1jRgj@tw#t`OzhOgrd7(
z!6WGl{0LuA2w(IgO!p&16~g&`1im*mBN$tzf5g?}UoFQ!2oEg`yGt;<&U_1E&+dTa
z915MNYe)B`&qwz(Gc`MkGEPJ6M)p<$eS#2sGJ!ZG4Mg|-0eVbN0uJ&Vc4F0b)yq!R
z%K}u-?SHB0j9sCG?(2~}xBtZ=Vnl&aHSAmhj6w)e^Bwz5^oDOkoFO$P3_I7&?SG{(
z^xy!LD7fWUvV%omihPk7sLLzu=sK{%cnBhN3%FzKm+_U!bM5GMg*Xob0IJE3K7kQo
zc658_CfFa!yB+bckzsVKYu)Fjpxlp9Ayq+zoX!l15&c*mj7cIA<}t~RwQd|n1;ro=
zIqZX#*ZQl%8*kYEmCt1l$iCHyMk<_|S!j}FF=zg?N~Z(8VdvyZr=b-6pWX3{U4tGF
z?G~lO=(2GW)V@D<Mper0J|3Y8d-XItD((BjjJNNfEYSK=d2A_>$9F9}LN}?3d;VPj
z=_#nrjR=5MwA4#_he;ECNntMu4RC+@Pps}lXSg_&(9F;)?N2`^R?r!Cr{9KjySt2h
z6I=Me3`=9aO3WV#rb19n5e5^s`|Tu~Fv95RyQ@_&#c1|Lh{h<~&2A9EQbsRfctAQA
zs(V1jIfh^-U3?BiSMh<4&#t=Fsd@%uGbUno)g5wQ1GHYI8?zdS_7QZdB6ih%PRFcR
zatr$j_u+l$gt|Y6U}6jJm^;!H1Ral*5tZepLmuoNmjn+%x1-OeQ^ZVkP6pAZ7#!#a
z2Na<b9oKqAUlVqJek+pf?h*FyiOy+2Zcub(2wu)0M<%DE%&CG{t3|BSFbbnf39UR$
z(lf$bDZ(gx_hO%9HgXw=KK~*FNV9RPp4V55Px+9qRLDSsc|MQn0}b_x@+(y*nVCMQ
z`MlV3jk0Je9d!gVR)acBx->fTt*HIB-T4g0a=YdU4&^ZBjWFgur}G&M#||PLM53B8
zLiN$~E1jii0v%z@tuSJPpFL#?r$i-`snTwmQd()ZPr)>xVoDg%(_mH>o@F1A<eFa0
z0oKGY52&;|SGhN%5>W`s#zM?j#R#^?p!{fpHOPN{>CE4h+rRrDqIW{{29PcdSK6PO
zQfb$7RE4+{eli4r6+mPLvc+amD{Un@rawLIAR6juu`}8a9TSoDjbHzm9puqJYT<*F
zLsfxRKdYfPPc=9VP<FkqDs<UQRjlE33{|lTRnb*pum2h>(ESUC>J{55ZJ<U*l}FoC
zus&w~=7W^vgVl&%`s^CPq|%+OB+s%XEGB~U+w!12{lnV>2kX4;;aYU_qYdl-h4$bV
zJ6rp1Y9yD~quT=p))b1*DG!zpE@oLncGdG3EjX4){mPV<q0NZF2v{>@hPiz*IDUhp
zl<XAf!E4_T@Y2`I;Ds5~@|($CW}SKrm9WP|uqy>y5;$U2fP*7<ED?1;hB2)E?5Et<
zZz9WRmm_hA_?<+kK`+tSg}$D?-56DC!3d)&x@!!3oSVzQx{isM$3d(X#34AuT$f82
zv)7vEF{F{ywU6Q|g@lPMyo2*N5T{#(gUV2?0X$hQ^~;h+fK!BgJ$3BM>`KJu%1m-Z
z8f5P5a`$vIpu`(eVe)aGLD&&dF+Js!YQ^>xXtLImT*;WqwrenF?8IdKWw+oj7`mfF
ziOwOEP|b2NRos_WLuRK76%EH6Ou9IGEwLYW!>BMBRMmuK-)|v8dIItb%;~tA^)|Eu
z>u1@TvTMMY`&-<ms&O}gr{yl<>O~g9dOjYW`4}V~$wlFw;UR~PG5c36Ury{zY%%V5
zk3{n?#b$=yWpm&8vt(Y%9WleN)TC||`JVMq484~w{5J&CeX{I`zQ8%u5Tu~_4XN#@
zSqg#{s)o4trBu!EsU<Vt3~lImVdArqRc}XDb-o}(vcVP|O0zj)k@*5vRsAC+iJ<}n
z{OZ>GhghZ0eA?59*0%eGQUc03x_(r7W$RGY&1Nb0R*%Hre{&ZgoBL+b!)-b7?asYU
z=ibD?arQ{!_2bZpUAyz;(9Lr}5=)NzG9ONr8(TPORjgp!{+AH<4GbT^8%fVrI4cc2
zL&1)LKdIoa8~9KK-)`V{Q4H`~W8l{me7}Kzqu_5E_!kQ9HSj|U{*i%ysNhWozE{Cp
z4D2X4W#F$Wc)-9{DfmePU!maV41A%2hYUPh!M`)`3<dwzz@Jobv90xWsDh6(@Vhj$
z<hb(;{F;K78TdB}zQ(}6Q1HzLen`Rh8Tf|^{-J^IRq$2=I||-m;IAt9F#}(v;KvPo
zg@T_j@P%3M>@0YOf}b?_pH%Rl4ScAAkGMtY1C0l({TI+`p2GDAt_N{_6W7;q-GHkZ
zR~*;HxX#9P60T!#g>dc1isN-$FW`C#*CV(d#Pv;FU&nO=u4Y_uTo>ay8`nv=j=>ee
zwI8kFbzCptdJ5MgxE{onX?|XNt)7`uZw2g{y>``b1@;rMljmZm-QMA@`4c)Q?5}^S
z3#Ce=LQdyCG>##6csi!~PR-Eg3$~$+V`{wH{jG}HEm3<BHRwLBq6Q^u7*RXjPphb%
z614|WDR+{JN+IeIy++vReqBXwMC9ia+X^bNMK4>!-tJG2*S|+r4V&c~dcRfCx7o>~
zBYS(ZRg4aJ!VOX(c)cLIojJw_z4kL*CpT*`PNAE@hz({Pu41$i2cB4X%_#G}1bx>)
zbPuZETG6=&in2mUwGhQ1wy+8tJH<QE%Z$Vp*6fL$QjD#o;$7UH;zsNq*@$KLuht9b
z-y+BunXAbW7G%5GQ^!INB4AfR3-V?}4}&tjz=Vf0qTLuuKgA$66Zr-v_IAf^booP}
zm40NkXoX;j<+UK-?vWY+BDE+q#>bAq{e#$&Nta4W=b-yWCsC-23BZIJXL<Vu`y~HS
z!*C=}o-(h$=J;!)EbMVno*`8@6xQk3?Vct1K}(72mO!w7Qi7o-B1@z;fU|!vJyA(D
z?AB1K#P+h$^9^r&NX(gz&2RAH+71fhnp|yqsd2`Y7K`oS;QOfX%#<gwbK1r1?qnFN
zkxH?5Q2hO<M9&Zc<I{>gWhJB-_a5h=4h;sAgDo!Ci}v~<J`w^!m`m7WCblpV(7A-1
zZb1Q^lVr%bWU{?0*8k!mv4WkkaTXWL$t^=~li3b;HX8Im_w#^2ipdy5nr?Rak)gzb
z?AXwQ<&!gv6R#E&4BFkhGgNr9;s}gV_WuESzTxHeq<c7WQ+d#GCA0J@^fW*jX0ej%
zDVO^_Dm%GaqMY?oZs#oQsW9Z6S7PtjB(3t|YlxOqMR{r~<LvHd$lx?|Uz(>xyHgn9
zC>1KL@C}f&TJ&>Hsl6>`KdG4B0uiD51gFGQA*|_)ouO_qnibnwG1x{f`YLSV(9C=*
zY-&5J4JXvBIXdE0?Llk8u4$}b5c9@i!cWGWQ{QCA_}L@44`Uj0iu#a#M)S|ul3lY0
zy(&z7c=q^EcLG{M8a7Nr8!jn1W6*4RbH006B3*#(*fg7}w06_1fg3B~xDt9WHi@ma
z$iqc%>Ep+ehaS8HIM{K$`mn@%)>a6%KUA@!U>j!PX&_taFL><32$8K5gLOnlW@Iz}
zG}1-b5tt)+&v<{<GgC@s7!{ze-DvB$^}h;5*X+hNG>eD+2_dL4^dNev{y&9d)1l6q
z-2>5QkQt<@8J=AjTKQQenG`(nPEn})5D|s_6Lx(mv`Xsd>rPRNU4`A`C+z4mPV^bO
zKUT!<vu4COXEM!XC#T+cbMqz&k&3<jhW#wIz0l*yn{aPDk^Wb`i<V^_GD$2yGSlh3
z0#&AG>g*HC!+7ZeBY-eieNIDwy*j&GiFi&$$Ue6$leBeIc<;ZZe;kPJ1tKg7uSKdx
zW|topN}%Jx>V~^}u!3Ri>efqyj5A=T@X*T7L^SB|LR>O=9^$U*UsW|U5Pg}nkYa=#
zEYvXMHXiS{)(tEOaacn2TJZKv)Lx0&o91>dYG3uW-sqWWKef_+2BNOyrq>(T&J+-t
zJLey14{Sx-v)tRRg*-OL5Z@s7ybL0za`r4Xc%=Q*R`%F#t->Ax_K>H2g*_hFIaKy4
z`oVz8c1Xl-ib7`rQ7u$fj%W`Khi+8M&ZvtWX<EyS3&J$enDe<o_hz(0-@^0x7pS0{
zK`)Ba^A1se3LNongX-V5s%Gav^a*AQ)kFQALr5&QQ&m@`CRY{=#O%)^o^kd-?5h2f
zV+HTU5<Bp^wlf7~Zd9|5jq1(zIqWDg<luei?h4Zn?P6`Jm?vXby#)qnJx|4wr@1gZ
zXt>X9{*spa90;LX6`I8C=<ZNLdnBN^&*)Nq3)pt_0U$`FKa<{tVxkVEv>ZgWne3M2
z-RTFVOJ<L8r0Oxkn5TFe)kcXFYE)-&mJtXNLLkMOgMJq497b7&+%%Rk%JC*jnUYL#
zm>;|3GdrLIwY9*!5Iw}`;}Fdqb9wb+=3AKi_Dg%8jh@(SC`kkV*CKX$NJUo^n|+9v
z2*vDAUxP&O9o~dt%bFc4@phLW*8cQ7lS*8s>K8KmFg)!~pBZ3$L20Nv3?^zYm|Z^E
zo33Hzy+3_8kfrFEbp5JmALau4(|=UWW?0@l&5lj>vchP)Km8O^GiA6S9L#E(m(?GM
z{O>@PtfXLUud`#*yn<nCb$|MXU~bdA+~nO<T`;$@U~aR#-1d+a+k2YTZwfZc%jzwr
zPYPx=%gYKoNBh%nnFi=9T_l)a%**dJQfw!MKfjol-w4ycgLEl40MuE`%MVkM{pp)b
zem>n)dko$r%0kV+!Q0lIdhc?Z$K?&8L^3Gk<9M%PRg>5!d}LWo(*iPTpwi1_FIoHz
zkv=giy$rAmv_JiVNmaCSJ=$TW_M21y;5^r(eVwV_HmQnso=5vKQ?c3S<qO(*9_@cK
zbum(XHBlQ{d2}#liPwD6#OJUc!0#S~Zx$^s@q;T2netcY@e}iHv_VYzZu=S^?EJFk
z+n6DvF(60IkU3FRb4ZyXAC1CdPT+LQJT;Muu%oCzq(2J2O3r$rMB=BJsAs&+YLdw$
zbyE!d-RrMn;(9grmH9hnsud<%nXp!b9z17qc_L*+Z8*(r!?Y69Y^)}p!bBX*+zFC-
zQpwW~d7e_+fDeLy-h2xWJl}%R`98yZzwYUWUA!nN{RDe?RaP|<zXui?b51)BGic?u
zf%)}&nfWy;0`u!{H)qeUGwW-(F<~$qi6t@5v3G0+f#uc#Urh?~t<UwsJkR`G=HuS{
z991-BJjKJL5A*b=u-N|V`^?YrKBAU3fR4V>8F#_;ba28uOtB#griV2fU;f&w_fi+L
zlLSI5Io%Wcot-37sCyhD((kg{Ps(fktr3>&q01Ptewd`r7Lqy_&&A+Q&zU`d++Q;V
z3YN#}63K7N5Fz_HESVTmIx7DnIjvTlL?Y*!5+I?XfaBh-7$`m>K+JwtQBKG~SuK>i
zNjWb+<u9>7$j-A;D4!wa(fKL=H3#LDLODpvmoW?)#!6kDv|q|lI_pK{EF<mE{c(P(
z<1$pxn&|nO$&%krQnu%(OxK`{&T5jx64#ev3A!D@(8^_~K6C*R@3fTaAl65i%qWrF
zA7@CN3tAE{7Kpo7O32mjk0xL4Cx6nt6TPkGHxS`GR}Z?$ZdJQtV$Rjm*b{A*^}b3l
zn$oT2B*|Wov11a3<PS^M(*u%+J;|qKB;Pw1lfCYZEOS<-vzTc#f2Ny3iSARW>$);<
zS(igyWnQMUGMU~Wq@rn2SD~n@FNeDP<WIVbxdEwaVjwaruexHC++pvoi<G4<D<F9U
zl0T3`T@g=mIxp&q{yAE)-MyCTa@I?qpb|DmAdP!|9aFy}spAg0hWf$(;Kl=c7<7!c
ze1#ojW(QWk&uPKnwF`4oZ}95u#qQslf#@A9Ehe(P*c?(@Rh?_Rb<hJcNp*-JuBKHW
zDu?Pi*8uK?1ij8B*a_3SE#JZ%$d2BT=)6Poa-w%&zMsC3^hvnKIvqmiR8Mh#kEvcP
z39l|S9IBODFD7jovDZyt#zbJN40_#28i+nXVc{?va}F<-!eED{2E)THJKCd02zt*Z
zwzohLD;lYY%z8UBKFCWq86Y}_H_MXoT;S#!9Wv`rl#(l4T--OsB0T1t4ISXog3XfZ
zQn&pm)YA)<=&~QPcS3}~exIQQjgUu&=Rd0Vn5BMJ?4k1!CaHQ;R$gM_o$VK<+0R1S
z-OwC>5&;IC&X=(*SN|N;Lw~nKXUeND<&u}eh?l0O@Lo<__#iL#glaZo>Gs;y5HqzT
zu-sJdwr`OcPIP0ehzp#kt2j8FDc1oyVo-mwb(;dKKKE<6c$}wr^cf!1&_Lu$+2w`%
z9)>O$lE|_aveZ$QQ#GG%bTzcHwHaC<COdlFL&(%y&#w#tZzBdV`mObP^T#1Xqz5=Q
zI?-OPr=r7l>`Ey^<_3MN@yW0TGQ8LV8Tv4_^ew;jyMD!NjgiObgF^MV9ZbzFR8LT-
zlNFyHBUH6w1ot$bD61gK<rHOVE>T`r%am2QMCo#0Wom9wx`LwohvL&^M5)xGi0@oR
zn$^px-Q;P%#GJ{!V^I#>s8^cGwLHsQpq};gKX5M#ibZ!@U2Wo@5R~k2kxUYdaC2FQ
za2r)sIS<|&+#^CKr%h-zK}h*=O8KXT98%Ku(bo!IP)h95c;19)!pp-jX$oFT!GDln
zaHa<ZpR4j<f)RY0(ds-z`s5`Dc^fh8yJzK+7hk-hyn>e{?;zx@CcShyv$VL3ao;6X
zruzMQW_nQE?~3|_l@XVFy?C`1DMJ#nXM>dyP)A2H(J>PQcC9ar7HlYC!VF@MvKTWE
zJNiVT^9gS-z=r9*^l=K;4Q(yK;Owo~NM}}HY|F~mqYttExA~?&*4-r9^KKHddqg)m
zM3KSQu6icX`Ak{pR_@~>bVlelnL1;{z~J#r!Y#wjZEVxs>i2QD((Vr3B=2m@DWHEN
z)2pJp4}oHL#})!xj~+9ycZbdXAT|pvNJX?O?f~-57mp0#2!vQ4BjhF7RH9<5NJ@{r
zi%%&SHi#Eh32ZQfxq5wMMB%$iP=G1+^=<Azqo`OpU>DQx&k-?02c4Z@9zcTEu-1>>
zCCr>qLjJSdr?DY`t;7|b+qrJl%ZnSefLi_`r|OCR7snS>ZReJE)y_o!cz7ZwI(L?Y
zZoCwzaMw+^CE`lWH-|infnsALp6v<ySvLmMim3@G$mdt?RA#!08(*;PXR$E}x{kqB
zhotAD_K`tx=;lv)=;EyLtC#RD>DWQ(r~_<At7yom2m^7%Z$SEeH2lNRYG%UWblk&D
z{?!=Uam*GUrkK5&?Z-}5(j2$&j$!wYPZ2?#8gRBq1N;Q0Cdxw?uh}9%gDyEp4ah+d
z@wZ)90z)+J!(7*C7h%Cj--%SyXOw|n^%=@VdbV^2p&PRpE(D3ON#!<$j)SyPZ^_e&
zq3W2u&HYL(ttTldMM+gU_0W;dYUysKKaS!`$nNIqLW$!j7ifn}?Cxn~@2E!}v7W#l
zO14<*sS-mctzw(|tGI|I9J9qz*^Cy8O9`W;Fj%Vbs++-B9&zU65JwSEj^t@WOIWaN
zZiNy@SY?YNkvX))MTLliogJLbLIG(EPVCBZY|L?^38y`Jz#k`Z-uN<S?_3HH)BPNC
zv%4oNwa6on{GHrm&^=F*hnB=a4p|A2*5%FMjw+U@Y~fWNqjlM9gf|K;%_x+?d<xxz
ze$)u$2_pnbq5q263l;k3`682~WXmLxITX6a$RrBw^AuX`Q|Q^?4~6!Ez1@9>QfQz1
z8gsL|OO!(8kw>A&`{YmJe2`ZLA<_yxT?sEy*}|(lMk{oc5#A`&$|#h<d<wmnb6Z`*
zo-jh76nY+JUsUM7!;KP^EGgMCNn{R%b{UyOp*@~LD}4&(ya@`u80_utuPKH0xc4wO
zeIP;aPvlYPZ_o;j{FoMJ6slJ590RwxzrR9+m#A#vB{GNbEk<~wQ0`mkCeL6#g<jwj
z$Wy2gD22XL&!TN}FHtf{O14ZAnL{QXBlViRoKEv}I@hPudyoZm`Yzt-+1>S&H7UsM
zxy;k<b{U1u;P)xTN=`vd!<XrFMzcbvP1QjjFbj#wE``cww5iTBr7)TuLWCZ27|f^H
zVa_wNO;re#X1}qJrQ7DdjaP7xNm8<9lE@sItu``w#aus6wdQJhREIrHPji1jL9mfc
zSrc3Mz}{%q_^91n1gFS&G}kJY66vUOMbrCZ>V%O|#vs^fWiXge8UM`=K3f?=pp>z4
zfl|h+^F$evlC2Dh%%O}J@>Sv(0}d*q)YC<YD-%__dnZLrY~f?HF8Ce<B!ZKz3yI9u
zg_^j43e%J((b?g5vU2GUqjp=mE0B{?x+7uwWkYS)b~ywk&awYg8<?MpzZvGVn|}BM
z^^3jzVyxh4oZ^M!A0~vH@A9ZSVt2h7OBP>>+3&^}D+^mIE;^N}KBTWzrxdlWxR>Pe
z^nY)t`zXk6q6hU<mRuPo3d5M6Mh8PTo0%laxj+4T&<#Ylv*-iS6dynw0>MrtQa|SC
znEqj^%US467~V0T-LB5=@61epcZN31EWmkWyrxejQYF}>!6wc4(2b`Eek$RPM-&L*
zAMz^~r`)lt*nt)=vtdl!&1`rWv*AZ6)(yDHHqT9;Q8{kH#K4*X>LEq_+1%6+8tf=E
zRW`gsii7F4T0W?E)ZBl9XC_=O?U6k7F)WGpfYcUzY5MWCfMapIeK>h)Wcu6odx<|4
z*qwXeOBh-?6>^E<`8LFrQ?P-`@YY2lnyQRphPjsM0<rj~Lmn($*x_LLwhya_FhZIF
zCBe2pbl=RUH*t9f_ZloJpM`=H7uoN_TN5c!;`Q?W*GpEs!llNFw|U=$4ik#o*Pkv~
z@uEb(!TYgKIaT`->2m$7%SzsiH#XLcntlDRmaKS5sNNK+T~5uu#H;5YyKADNFUzJo
z<NfIN8M-%S*xRN*p2a-z(peLqqf~F4lr#10iO*qI5qrRBl8HAhdtmx=S!JbgZ<bFV
z>~~9Kv2_|{mfNud6W_6SX8b2J`uc>&gIV_*g?u8bU{dZ=J&BJMMQqC`;?!LDXJzAO
z6mV9~BF@kXID7ieKp7H4Cruo%vHay0s<*$b-`~Ll4qKx1!raS2RC!pX8BES8#>@^Q
z^Ih0$cRKgTD^DCTc0az2*26Q&R|2U-W|KRB*9<&FJjuyXbO;e&W`uaVRV(~Td3+vw
zRGq^W&iN(4enGIG2X>iY<0#6tlMz1&Y_T_h_{k>zV)H^L`b=o$$51&y+Xr&s?8V|5
z-BcQ#DS9FocXTw^!>t;o^G1SuHPRlONGbLO?8kAgg5Mt)P}CcQ8ZK%sMk8zurBiGl
z$vJ~~O$X+8Niw^%VW(vp;_p&qHy~bTCViLA4-Oc<{KEeHzNiS#6Nc!~vhu4{`F$G6
z)R1%SEM#^XXmDT~a)iA2mc$<l;XjBj-&4e&F<Ao6YnKpvT~0;7UBf3BPRC{xu~kw3
zNT~Zp2{wRtd0>8<B;#!Y6%m7M-&17QAl_5NT2JwC*YM>R@#lAuBAg=(zcVVoFRJ{G
zMly2w0+2CGL4d>k8QlkewMZy&ysBF??M!iAN4Ev^-&K=vO@{sBs$NI1caG#oB>4{Y
z{v+Totj<UA`yRS&)G?FfoEH_}n?N|~J0CtlhCKsYqzGyxCl`7X0~=27RDv`sK~9(C
zmmx^lzxm>wFVyF?eDbWLfy<{y=Bgb2e6dd?d^7-q1U(i@Ly46}Ke5sk?{onWAC}Dw
zh0fmv?{EDEA0v=_Vy7Gle0_p`0efb6|Aj_`H}?Inz$HSzy>|{9fim`B;tDNZhn&&e
zGq3Z1hO+4~%@mijA~nCrDx!DZp-dkc)4dXUq=L|GM?e%B8{ExHFpTY1?(fNQNluvw
zBb^AG{Gb>wa{z>^<3}WxZ$nON0H*u;MQXEKdy>6Os&s7ziB53t<5@`Ll|DU#bQF=k
zn}vjK(o$Zf$vOMc_qf=rR^z#dhEf!UZu=zSFk;X}9VNN0bTh|cw-u~x`27xTECnc=
zou5EpBZc?Q2SCf4$@ZTRiPu>0PIU3cj4!^#@zeOrdFQX3Ia8?`zG}n7GkMzGAfB0m
z<LOR!U6o}$!a~{6z3#UF_~sArx2Q%^EE&BumaJM6OX5s5-ZkP=J@^31M;`~1D(AyE
z6*7Xe;daMLyjtKI8oV&4m-p!m4s_Esph!Z)2!$m?kBVZ1D&cL)+{-sJ9-C)e+Em&&
zl%^IYc9PTkN;NgFw38`7?qrCG6%J9iQq{`$vQWhmU%qFhUP<nOVt~uV%2sB$`7qqv
zXC+p)=#Ue4BL=#;p%O--)3MTC&rir;^(FIqTQ-FTWXFpL^kxS;2s=#(%W!99AsbnX
z*jr{vd<6Fr#8<*iANVLlOyao~qZG<%!d}m_qmDS9s2x*hJ+))6zf$5=Sk_$X)eR`A
z-xj1YnE7IZ)3FLmWERG~=pl-K_@^;&_?H{vbznT~S+!Vbd<(CY&HLRIds-kEHjpvh
zg`wDJE80aE&)t%-at6l!kCm=~KGDkD#PTTxKPgz1{2|=hLMvlPqHS^OI&uA!!d1y1
zFur?=j^|9m#8GQFrZ|#7d$_${#op3Q{8ioLc8lDn6ofYHw381YBC&;cOiHdMH|!X0
z*$vqJ<}cv&ED+Bmd;<`ADx3zgxA43KIz$Qc_ySHEjR@cZz+mb+*Om%A?7@c#JmSGq
z1hz)#SUu3aj``y^8?Q*ZD=0+@pAQ=0$p!Wb3V}xHiOS|nLB-!;y&T|3t`@N;qg6<U
zKp%YgTGhCr2QR=klseG8GTb_;;EkdrbF`Biad+g-G&nIZb|+82u3p0+9H6%_@b<Nn
zog@?S)tGK}F-|v0(aE?)<&*i9o$iML^IID_$%}KOaCUbe(jB>zYIgagP~uA{QHIgX
zr{BJMa^kOWrO&~|D>s@WXvi!vbOYCU-T5`~A>praZE@ti^_QYCbO01L3}&=7jyp*f
z00kCryg~8A=q3^t=kn-x!xY@P<VbrLj<>%326U977_huh_s79W*&G0AhH%Hnia1FW
zB`=mjG!1dnjU6WfV8QGt44k`r7M}+z58aU}?;0v7hi&3b_AqvAHvJM}u|v1l?-X%5
zATGa`<T~e1wg<4{+rm85kog|!OR!`B#pjgx+D!<Qo`LVB>}HA@56&wIb)SF|pyIVQ
zR*N>CRY!m@kdO~v9APay5e+=Ogvcqe)&r&61(Ng(+)NhP3iq;5hqAv#d|Z0Ps;ZoR
ziL6gm8cuJ-4jr*R0mTgOpu5+K?d*2^Qyg#nA9cPPZ{(cTGWDJdPbgR3T4G#tS+mrO
zM6n5txLn_>>67*kk@H@9GJ!tM#nBz1$2l!JR^B;4GeY~*@D9TI3>S_}5v2`LiO!eN
z2dO?Eb*2#9yOE+!cu^UNEj-~>5=tzd6jTqR`-h5^l|TGTIT$4ev=9mJRTaNZ;@xMb
zp$)ATikFJ*r*XQ>Ua2TdWMbQ4h({|}`E%i9;syB>g$!fZ8iq*jfS;YB%*C-paeO$)
z(aUL_#Jgt(nUN?LGm1T0yu>zz?~`ycC7c>$n!C(-#M3!x@$UWf-%E9@XZKb=yMtBT
z{(tt#W>hh{W)E0(XH&vggG>Xeljf<;1B#Uu<gvbS0qdI=<XDiWh7ZqE!wTP5!(obf
zZjdR7bD7P=Je907)0Mmd8)aVmNNgifE@tEMNT~3A5{eCeE69|@xtOweFzivSL}#WY
zoD^hs&^i=j+>gnWuh<8t!`2|PgVv!K<NP4gfDW^bu`rJ@jt>~)FOCb8xiC+yd?-&<
zD|}y7i!p8pG9_`Ysy-x7RqM=jRZkBxBT+79<MT+U@O=`BF-{6HC2=mMEM6{S)R}1s
zZ~oNZSBGMZtwE*-r^DYL8<6mzbtuL-7-SmIVYV?A<uS$y0b@KX$gwC-t%UMawZivR
zwHV{{AX5_Os_H}YRJG1bSM_~h>FXj$l#AJfJQ6B=pM+wJHwT%LI2ThEFPAau%(R4m
zJtiRGLF-VA@%KTd2dBe%L1qW7Lovp4gG>WD3>sq|OAL<D>yGwmF;9KuHbX)7)v(y$
zcm3?}LEt<b^L2<p8=M?umaj4A8=Z4^h($rBfsw^C_&f#}9Gb5?>hGmGF}<(&*&VFv
zetV=(w#2rBR-KsM&LGo(>Vl@n1)8kFN3BnSgYxM?j`?OcxtA#Lam;Ch#|D{_I9D%|
zuOHNz>0agz?16Y@k=T~64d)w_bN7Qc1epc~6klffW{AN-`Auw#WD(^m?g8sijPbWY
zrU$3P>L9a&)}a{V>>$&C4zrCh-wZK0D1RRt06s<Ln<3^~uH>E}-VtP)Z>pVd$sAm+
zOb9Z|w`9&YDCb@>zlovQSM0!m;)~BWLktee4MAoHtwS-!>LAmD)8V6d>ESEZLF-VA
z@y9`?0Uc%=W4;+;aOdX8Ajf>On|#Za+%v=pL8kep+WFSb!R5;J9}6fl-?}f~CPePF
zb3>46U=zYuYx!n~Iy2pO@BU~&!h_bK7~`WsrU$3P(}T<oT8Cnc#|D`ObSTE?vq;%V
z<^Ev$R-76<;N8cZqkBOj6%MR&=3(d3R9eoVy&$ozR!y~nyN|iY_0Rj+Daug;9XLjE
zP2Ms&Y1?=hFGM}r6j3f_;hf?beBbO>);IqVWJ==EO!J7RbJF4+<>!=>&4H>;jP^r*
zb_c7v6(9cls!oiyDabUSI-kAv<5Q%$=az^+Heh|f#%q3G4d*k!x;!<U+XjCgWJ==E
zHJsR1o~M#^X1bDR1(}g37qesYNT~3$ZSc4tQxfN5T98LVotc*KPFT<1Q-@-VD}qex
z@<>>oM?&IbcR)+H7q1X~5|SuaagS9*S>24Ps9iCi4#gN>2r?zH$28j*OLHxBV2ot}
zW2_2tEcJ8riQke(Ooi_gQx@B^f=o&5iRoint(XQkn$aQZ%(NnZ_@RIzNtBCOSsn=$
zzE48w5bq2!C2=mMrFkUOnP~|p2APp47qgZ;5-NP3gkp?)4-XWZ#JQMO=aEonrX^e)
zWJaP~%*ygesPKIfiZNaqWJ+R>X|^#Qk;fQk28=O<x1~P&IKt1-7k_mgF%`Z~OfkkE
z2APuB6Vu1^62)|sG3v~;B99I-BT+79GxJEO@O=`BF-{CJC2=mMN92)EXQn0m+M$16
z9f~n74l=zukA#=xk&yVAp7Gc42g_1?uHx!qjp`Yh$>^T(=Ru|<_Lv5ZF^?q%$LQ1j
z?EJiZg6mRc379RN*x;xA>=N5Z=}G6~$aXere;FO3&PmtsJre`^Q;jq0B`b*XjVz-Y
zv)CY=r+ktGMiwtVk9ayKE#A8&K2CWGdSI#()7#@`cd)992bmqT>ZBjMAjmYJx}fRh
zpCJYZ<&6`3Dm1%^qieWU)kl^A8hl?bBR2T$AX5_OvcXI8RI<)YSMtY#%t(}rSy>(l
z6~0eGvB82MQxfN5T98LVotc)fef-~7hhmKJAk%}>;nU*+5+1Y;#Td5)nFe&2ZH)P5
zh`~X5Mv!A^o?5BPQ`HLJSJh&S9}6-iajvS4<f&?%nXYQPIG{)p<zhB7kAw=}C!rW)
zdypxKb1`M{a&_4{GcDmOMF9y9T8CncPY0PEoDQQwW(Tc9F~+hW(|``MjWOR0F}QQ{
zZ}g|su3#ABj>uChEqSV1;rpsujL{A<C2_8*F3(fdIx}6>`w9XQk|-Cma2^R2zE46i
z##e$&Nt}x*i<iq7b!J+^%Y)1gT8Cnc(IC@<)8R(z@2f*G#%~9i26QOK=(9);)au*v
z+<g?!OL$3QH`1;8w+u|L$xg!NtM1<U1nr2q6)x*=r-vscT&<78x518s1A6E|IK|>m
zjnW&Ff3Dg=xc`*`etnr=02hBw(Cd#>(#QLa*sorP%j(G12#PQR5pOYSC^iwFaMq{X
zGJlXlpLYw(mm$q}aQMv^ep}dl!Hs{`8jB7b9^v<U_or!O>c|E^Tvh|u)2bo&PQ0#!
z$FTZCl{~29Kc7=7=qx9`dFEaVRJfz!n`Y*G<$yaMahdaXWdV8U5KPBl`E#0BJu~xu
zkuV@uBT~SB*u7R{eI9ol_<SC|r=OJ+oWiMkUL2<7tN3sY{;|aK>-f*(49_XWe^p=J
ze4Z7Gzqj}Z>jVD9p$#Q?4BM+-27cg=H<kIlb-nt;`6#&I>+{^Y(3^)r>z;%+rudS_
zvsAzU&IyWj;Do`Gn<5m&hFdRP*l`jDM|RwI@oo@-A?3Q8(Whp~gDl?n--72=y2#BL
zcOsk&GoR>N3nljA#MWA`I@eKxbc)D<PxkdjLN{Ueo!VUM{ucrRQH8o1VfpxR@2baF
z)ok1m-DK^EZZ6mneW+j{`Y;kvtZ0hQ9nqb*9z$uXHllp+RQ@o(BD!NU>rei+a#fG}
z1s2e$>cNrXFuoe=blkUz-2-*NzkB`JOmdk@hPAD7!xG)O7Hy)({RKRy<&U?n!$FU;
zrjnm`t~|QZxVEoEqw4}^9Q4?Tmyi5Y3M&D6-?J};BE>ehN;NIIPgRWjH|#<xOAYF`
z4E-1M`{WcpSVySCEn!xty<WbOVz1^o8o1N*9170TGYx9TP8ZHb91noM^na60VhbtY
zNKMUX2>OSmfVU93UjTxS>;Xl_96$zJA{jHvFd>x1<cJ`X#bCm!lv6!Yn+TJP;Z6TX
zwc1?_a+G-l=XTud(My0M!=`%IGd)woNuGmpFAd;HJqsR=7fJfblCG4iK9uS{hpv<-
zDUyC2oeX9^9j&5PlJXHFv_+gY?_vZEOMNQCmQPB!&)`)eK9MPv<*2XO;;(j4X7$Yp
z_gW$(^<P&NDK;xka+t}zQnHc1m%5el_<JBM)YN;7Fo?tP57s#B^WWej=(Epmo|7`C
zN94>Dh6Yp%tn|ak7T-NE=aH+Wq07*KzL{Mvzl!Dm8w2~8QQ8s9-~o?(eRm@<cxW)O
zyc$^kZv7&i<g6M3FC6tKLf12=3*pdBj4?eLsGS~0VD^Ah#T&brHUnQlP#-n`>r^dh
zF}2{QCi%D42i!8e5M|#iN&;faeUns(QNn-%pTjy)OEAzigjD{Jx|73;e64|hh6kYe
zF4~IDp)R0=ZaPa4HFNiF4KaK7c>yqXtoTzGgX(<A?%0YQ8r+>`&nAPpuY6JjeD=)w
z=@6*!w>S7#RHQUREX@LRj+6?YX<=twQM7_+6}CL|0D(f{k4f{dHdo7F=<9FT*T~<F
zlkptm`n8dmjZ6OQ!ZnfD?2h5k?I}6$6<hcQlth#mP-4O1rXuq_aZ%j3v%-`MrIh|i
z%ou;aM;ZpdxeOV39s?m9d_4yMjtVi=Nir@lGTwo&<9pHe%KzjsJ2=h*O-*(XNdE+J
zc-4wvhOsx;N-Og?IK_ir7~I&fv$;JiO=R3dRIUDt&(65@3gSV+m^1D{1@S;3pzkXv
zrl4;Va@4nLPAP{z^#=~e-5yAQ7S$IKopCDy320&Z4?>S?2_(!z!V=^$APruXl;;@n
z*G?{<=s(f|WwKncA~{0oB#9(C9gm}?Q^>R6S?5EDDN^bLU%^+O`ih;RAah3L+jx-(
zjA|*J`W9P}f{bz`8<3R|1!SC+xqSZ!GS#2umuJo$cnKXVc+R=F_y7cwDf@>%us|}8
z{tZV^C6H=l`U_A+^3|~{Exm{LyVTM}B>|~q4AEb*JVkw>+NkMkiv2vLCb5$uRl#<*
zvKsYuvr`mg)D%@@lNFip&n3{Dr6Lg2bl3q1Bx-sMca--72qbD+r^qOfQIkdCisZO$
zmYSYpRZvZ(0jY$*QC574oI$2pglQHvihZpruQVX<+dTp~>O*#?s810ZH65+U!ivnw
zC(xYpL?EbX(g6qro|d~EGa;y{_P_-aH6;}p1u|;llm%*<hDVl~`dG<S6Tg6-X>>xM
zzvFs}`plbA(}{{bn>$)_OmP-S9a=`@G)A7H(u|tk#>@?ckt9cP%q7sAV?-dR>Bs{R
zNYr${;w&N@m_VYYMHzvNnsnDh1ItpA%}S=4!U3st-y~UQ^-U83Qbhu45=ehiFw2?-
z@dglT(v2>!KyyY|3+$Vw9DqQgrfU>ut)>GJNYr$8Mj)dm-4)QlvedLdq=K5J1*Fn_
zll0SBebW#oS17OU!edHJ0(sWNe6p?S`-)7Gyv}m8Ky!An7O1A<4?rMM)5RZHAW_rg
zj6g<BmMYA&(Q2A4QbA2+0jY$*>%s*xjcya(7D7$B$1GEv1@cBZ=94|r-KfYU$x*#s
z&PMkGRx;Ie>H!EOYMS<e1rjyAfwy+L7cgonQH3cTt)@vL71YE(H!!Mis#WC`a-*i(
z6?;i?)M(~);j@VEm<fSErf<4Jkx>L-<P~TR|J;+P>2n7lkf^EP0}CW-dVHd&i2{k5
z<fc9iAydoUm^P*F#@|!QF|~|i=s+nrvGt~t{;B0DdTJ^2*+hSd{6#b!iS?w9?n&(Q
zyqP@(y+f2VZiI6q%%ZdYB7$C-Er<MB`v)ub^gu8!rVoEuXeVO(0#khTM-i}8>xm_+
z`uO*9c5IGt^!qY(pmtoagTUY#ti`Y~flToi2l$5&zVR|3Y}?|C3i>Z`Jpk$Ur}Yx4
zH?V$FNgt6#05Wx=y?PDzr0d8L{LWtYWTa+xrGTQ=IGw%DT|><3IefncOO0Mx-p){Q
z`2NU%`&GQKWCF#)O1_r6Id-(mT>;Jm(OW@_UA9{>@jnHj7(R^RRNV?2^8WT@FJbR*
zPre2uCwi;wu-z)(qch7c`GTtYQxHxMOYgpmH+(Vv&4vg$+wy^U_wie3$x$Ufth|eu
z>rEsgi0pm`5rIGOa2#iHnXRGjb|}*<y&1*^5i1c(@4JvIE4T~bsK0OC^@z*p&`Q)G
zwKC$KNg??upn*s=YshRDtt6hI51T@IOFyjX@VNx_ah8ve1vdQDK40dKZJ6(q<L^bW
z@>1pYwo2!yFJZD(<$SWzp3hAu)s@O0kiqvIWKgwb6@>4saBYW=#jr&U$i4*StDG%Z
zp>8O|!oCq31=i4b!)B!?NjBVDRevMM>@9JSLz&UFlY$WTmW1LZM5*0a*-r^|YaHfj
zg>LpihN4d~Q3yAkN=R+%nD5D`aW|$v;o|Jkdp(j}8_?6()bwaH);R3D%Z`v>RS^pp
zvD7q1n!aJV7Jr^4gB(_PqDTE#bu`m3cDvPnPAuuo6NiEBp0^4ekZ3gKoc35LGvWs>
z_?M;Z_u15$1L^!9v&_`*uqYni5C0mNW&WDea%d4diY@Y3y+j_#T0WelN=wcoluXW*
zG<Gn>6!34j4|G=}l0WqYk28|wqwDQKylaC#gv{w?g57UF>Hd+?i7kX9p_})BmC+-k
zi~{e%A4J2v1~G{(ykjR$^nN+01z!;**9&{4O(oX}_^W-nD8oTYXT6lwSuJJN)$s-_
zAs6k-g@Ih1^`a7IwO`^I{C${Qv}--uyAjgmQ$5H}-P|PnwC4L4GL}cs*+I&jg*+?|
zEx#fg$TgLz4>hK=V#g*|5r1wdO&640FSO1U>S=SB=5jj=kMFjUXQDrhEnKBTu^4P}
zl_%VAh234rbbPHIkHi)NXwy4DAJZ(8Te=Xb#G#s`V@R%MBvi{>bx*#27Q*-*6d%Z}
zj1d2rS+|7nEqO$^1=!`yRiM3|ReGN^CTr}KQ)pG7eiV9if$&%DD0Q$j(-4zB0j(rg
zDISz|i4HMP3dP3WQNA(4(%Z=}c&GwM$dL#)lE>&cPO27?s{oq$HurDByL&R_Ll9aH
zc0&CLc0$!iMkiFk>6@<;nuKUGyfKX7jeQK?e}Gli{Dt51%e<}1_4n?s7FkA*P-=e~
zgW7?=fAkM;5j8&QcQ3Jl^EvI`KmXDFQ`@n%zkljAa$hd@>*fA6x&MpYyX1bO+*it-
zFHQDOT_yKh<bJE%`H{K(Q+wooyWDvma{tsj<-SJl_sIP|+$)nu-H%84W&5Z84Rc(6
zb{`e?2S~PLGDFWZbUZ^(GZbNHCqp$1ZDnXFL)=(i@>Pa@z|hSM^)hrPLw7Rt?+o3_
z5QoL|jSOvNXgNbqFtm)JUo*syu`S{FlfImxVm53}IhIUj=sbq_mmbrfW9W2-PG*Sj
z+SAh*s$uA8gup}p%Fj8sB6{BWvCm&{VP(}t7gt|$>1A_kzVO9)U%I?*!NU56MT?g-
ze&wpBrOTRIu5N8>@3`jL<=0(bHuL0DPCf1P&(1ny#z}^cd6qo(@Shj|Vd7V2|HtDi
zyMMg+p&280yx02YWuJTF^rPZu{^jED?z-_0Kf2-44_$Ih(^)faT{7<8tG1NC`@{cA
z9CO{V|MHQK|8nRG@`02VdJhX@0{_Ii#j#~PF3gfF%tft<xKJ+^mT4Bu-ojGK;zR=r
zba^t3bOx94#32vzCJleggFMKWc`!f1q%$~-C!XO!-pq@*Mkey4Ow5zK7-l--nJ;;f
zFX_mObmVK~L{Rt}c?mO}yogV}#5Lt3UsHDSA|3N%Uc_g9j3*6$rcA^kFXEXp`*~7s
z(lT%6VbX|iWI#}8$)Eg4!#pVi^C2#u<j?YwA9)#E^5&1c$&+;CMIMxwVUsU;lNV|E
zBQE(7*OY<0jci7zMjpmf4)P=()5)7W$=lQ;d6J*`5tlrSzDP$N<V6`sOIgXs(2|#t
zn`x$O#AQ7B8#zeBAM-G}Vjj$|rLL{*+UC}JtEpkx;`SwHhNsqtPdFiLO)WcldDyzD
z;X1@4vZ?;~a9dqddj?t>U)bE%u9MpRz>>PQB^kW->slJf_4x2L4XtgB&Ey8&hmiM~
zVU&w(5vXfj+`R1M`a>*|11?vviPvzWh8qoBZzAfgi!Zb;?r3l6Xb-nEH!f>$Xbm^E
zg)ge9tTfR8+nbxiZA+S4+q2@DnwKrMs<kdimqE;q71YZhbP&xSBPiu<ZOscC>)IRY
z!}WFTbwTVriHdi_!q$dt?twT#o7=dwA<R1PI4`YhYO+Q}H$k%vR#n5&=GN<S;O9tC
z6my}fMGe=6o9dP|v{{6f)-AhEgPu~dRDFDS0rhVbsf>yOE^BTNmsz5uoFue@@F;Xu
z>f8h>Et@1;u{mk$>PKaz)c_4PFRW{anT8u$Tbo<0xl0<ti&`5R!b`ORfw7=&;Z-b?
z*cK5qRemI8%<*%ZVV29=Q48wn<I&onv=naZSh&PAm2mT-up%|)YKpV8v2AHx`@$vG
zMbK-*vgVG(OTz6-S{v%>eN|;5sv6tc8ka2&!w@=_HY{szv!cruHrF$1QC(wGL%mhe
z5QOInD}&I{+F)JQ3~Pfp4Wxugx74-PEp0#}YXjQ`X)d(NaC57#=}<SGEz~zRC^Hbj
zA#DT7+S1b02ySfiR?V`jmNj3i6%QTNH&|1wDc8)grYxOf9p8?tWsWtqsl%FcV827G
zscoJnmvt;%fF5BgIv7>e=!QDN7dD=AeE9Pyg;aSP<Bktkqi9V{4NXw7AV~u_K0LQ>
zv9=nCU2t7{L)#%<pK-<1j``@d&aI4=UmC4I)+e9H4wMG3lP(j3)j*b+>e%Ymh7+g?
zD!#sPaRd8T3;E)HNVt3vyELj3Ql5E;bq*}`s_@hkPwfa_G4&MYKDBJ-=}k@OS{to;
ztFhj?wv{!a3@FTgI2fb*<FHbV6{Wp{2?~WD$D||mGmIyHVO$(T@GIy+;w%Js-Mo%b
zD$FtEFpNA?^e7rGwu%NZ5QQgNg~Nwh1zp&0*fnol!4ZcR7t|FLF`Kd9m<Gl)Fs6Yq
z4UB1EOao&Y7}LO*2F5fnrhzdHjA>v@1OK0EVA6V3z@znZntq<FpP$pu^YpV?KQGtM
zdi`9cpUd_0M*X~1KkwAfUj6)mey-Ect@^oBKcCjm=k?Q6!`Oy}(ZtwuOao&Y7}LO*
z2F5fnrhzdHjA>v@17jK()4-Sp#x!u?8aU!pR_#ZDencc5kGHkMvnIZ9$yM>i9d+<Y
zyX0!CN5$8}8>fW;+;G|&+O4jVo=E+5P4yt@SP);(xC{tZ*Dzd7<yX+tsyLEaTl-b<
z`nuL@8<$x<R%?mm1U3s>u45|WN=+PCo4CnJqLx;;k}Wck;Vd!fK0^l65Wi5ofC!ZV
zYFOUb&hRXR7bzwLBLv}2#BdB@x@<KsBvegEq#`s=K`bhuT0j{dO9(07o;W<k;9*9b
z7GJE%e7P^~EAWXUURMDk+uB<fE`>g=)>Rs;?+~y@gK(>2>KY9$)7ZTlZg1{jx%n%I
z!_P6a%(|~&f%U%%mRRo;z;EZ?!a6Hehz$R8+(PRc<CizL#uw0C#d>J`BJ1bl+Zq<a
zrzn1HV@m_e497I<rSaF)H8sLft|8vI3_g5q)=wuWUn2?&hZyVC38I2{d);E|#*(FV
z;C@@ld6nho#}_s=)U|>P{xQqynheK{@Hl~6&ovG4y83$Srv)8LS*W)r6j?oIz>nqh
zQ>}r5rn;*dPF`UByu>PstK6&?3y3y6Vd0XxRtNzmFtWz$8?4t0ti1(AR^J)$Z0S7{
z9N?&PS$oH#Mb@2#Ephl(!F@3<j!X{~7Fj8LBcyOa$KrG7CS+|Wq&t%-$;*%-6#<*R
zav%wz^_xQFdFCl3H6AiquNF31KPjq@TW=Iu<JzrTiWasnxBjC@vU#8g9z2bUuCsnq
z++h89oK*-9pOdw+{=G;%xZ>75B}LZIc@#Ou3@=26aqD4n{2n}W$R}?7r(v|GnCw@B
zm3H&8UMXs=yVlxMRAhBs0{YaY@ETP_w-oE#M}(-yM|58?iM~|~qPZX%tnr8*F+?lJ
zF{gWcM7xCOSrGMnkwo)w>$$ujPP|vh>dT1eimQn4j6+#;_?rk1>G1av?x_W0A8&)a
z4cFn;yMW*VY8y^Yu#mR4IygoCVx013V~r1jv}+-88zC+l?_b8%H!P3WHMK0Mv;H<-
z+tyWe?bfOi=upf#4x8<0ux=gSSl482L9Gsb1z9wsV^P+=VSG-@{Ox$;auu=~;;pZV
zVl{Xbzk7V6^$IY$mLYMNx4vdzz_MwDBjcNz;?|AGYq%LnUF{H7H6fK}oAsj!iyGlN
zZ@~XGp{-#tz5c8_U<!TLf~fZfxC;;6gsn{2!ebN2_IDGkLNTh{6IjH36N;@~eA@^2
zJ9tms#e3iPB>XV%gIjp-+QxhDPTu<-<Gtq>68|)q7wOLFXC>12Y$}m%>5-CRYxu!J
zpbqx&K8!o%c(TO$-bAaoaT!$qdPzqMy8`Q;iHjOhaI1HsxV%1q))==&O03%u5D!Fa
z)kOFaTX#%^EI%Q;)X#YD-N1X#L%jDrE8*YpKKwhmzb5hDqOV%d8R3@R;;zD$zHzC7
zo}xkAQw4*#_;0wVtDvl`EF2EYvv+)|AQGt_ENF>D`ig4%iduj)E;XUIC{o)sv8yl=
z3HKe+Q`lEH{NdiBo`OhUVXB~ad{4npL8>q^T+}nMy63V;q&8fdDyR+j6_yPb4;EE-
z{nJoUBr;UgH8B#g;Kz*vian5&2kJfqCAO3y62HUYuuZrZeHVY9&~W&33ZALqAq~eg
zY(-W2B^r)sc)o_i=n?o^q~Tf(FV}FdhPyO8T&?iY-bEe@JpzCC8~iI3yjH`dJVK4%
zW(`Mb1+<>f@Zcf^|H|MmR&ZLwJxdk*j)sRcJPtmEqMy4|`iC^!r{RxjIC8g2_sXN;
zsXBf59+iH!hHJm6;L8m^4L51H^hYY)=&xGCM&H9fQ|U&YGVL3g(DW@DzMC-WII=<E
ze^<j@8eT^j&i|8BD*ac4;hDL1P{A(&u2(_1ACAKUe)toB7s0*q*N0YpnFuf)i$}TX
zx5?iPNT1?^nLY(q7#DwpFTyQM06)T{@6+^-rZ+ItN#BBtKf<K<!=w-6ul4bFzos{^
zp%0@s;Lp(eVbVvAQR&~;^aeKcLg=IS!$Kcc^y>`0h7G-6-dytcY5bHae-{1svg9}L
zAn-M+#UJyl=S}~9jdXwgg;4i?crswt=Wizj>$CPa#UO!n)~A8Vn)Q)V$&w$-<A<q_
zFp==POVb<J(DyKaA0MRm!=&$<D#_NjHNAm}Pu7E3`tZY~@0zCQ`!v0Q4Sh-_d-?le
z(nqE%gdLjRzz0fieMZsm*7OE8^t!ou`TJq!Kd9;dr0ET8=>76ugh)S3`komoe;)FY
z_Nd_lrLR6-(f^aCH}HYdm!6>LKcndlZ0LE2lRrKvzaOUj)=5mYtTQydftkem@505O
zq3;q%!KClf^p%?4z=poehtK@|FzNd={gs;Dzz0e{r0JV9y@3yuzElg;sp$=D=)+m^
z`(esors;3d^aegq`f5#om!>!Hfzr2V`tNFb0~`9TEcyK~<sa7c>ovWB4ZTkG>faBO
zK0H%p@R+7I@PX1-Yx>`s@@x1&>AN)ko0{IhhCa+mB7TG~!p#p;{$9-2_$$HK%=T+w
z;?w?(`v76m`{DQN|33+S^`J4oPXW%^|DUEX9G!oyhE4tv&A{aEhedvkf4`Cc1JVy^
z{O@ae1DpJ-v-0=D%)jh(g|JT38`#hfX3_g$(p#TZ2>b&p)W3lZeM=U-A0~Z^rhi(~
z8`#iCvgrLV>H9Q&TGJc&K<S4yJr90Ueghl&J_hjP<09PrF!ML-feD9d`_t<K;?w?W
zaq(y9YX!>mzZP~f_?x8Z4Q%NB`Q^&LZ?>X8R?{2U(EIgGdOuA0&HCjuO>baBpHl2S
z`Ta2I&3dO&(;L{M&zgUvd@$*I&sG^M)bs}S=(E~?$_JCa_FP5ZuIUYI=zAH!kB^IR
z^TVV!>$96Ry@8p;`itP=&(KE%%G94(&-G|}0~`8UA3pQ<!_2=osu1oo<=3#G?<!X5
zgh}s*NguvIrT;+F8`#i`;6O3-epu))RP-ARy@m~aL?wIlewg%Tz50lzH}HYdoAvE3
zO>baB|M9H+4g6og|7Xnk%=&Bua9HE=LHhUW-zVWvw!eQr25_$aJ$0dCdMnb|KN#4^
zSB7;le}q{-ewg|(>-Bpzy@3sVDFgWNL3%$-db7UgpDC06Rj>D%MEfjb06#t?e;-Wx
zvdbjd+NkLbOf=HBVBF=;(EDN1_v-zG0ZngUL*L7QkKPZHJ|e4M%X(VV8`#kIC~_}<
zKTP^TP5*06Z(u_o$)fkeq&NE?FKK!M8~XoAf00_1!CoW3h7JA0D%q3Y55J%NjXykS
ze<8rR?9ZxG8C;KasecWd{KLNf@FGO|VU|Cvjr?X!Z(u|3*Ei|?FzNd={q36Gz=nP(
ztNebL^gRs<p;yxz*w9B9z>g2+?}tfm_NTt5=?zSL+HV9Ge;&O81txvzVioZtO>baB
zkGBf)GxUD={p#;g@YAXh`o{q0tiMLZe<nT{A@!$WlYdWfFn>QR`dg~f&(`#2KhDrs
zt7NbIewg%TzwTm9Z(u{;Gd(MRA58j|yHxrWn%=;MK9ZHcA11xo53JYp1~&93XVLrN
z_tSq9`1$qU0XUcbhqe4eI)4M3{A;uF_rsLGdW}MOOVb<J(1)|={jlgy(;pI2_1~gl
zLl3i&AK{B|^TYn~9}Rkcc`wg`>jCE~f0xehIi0_OP5vpBy=OmunDU$b+t)O`fen3a
z7QG)PeXri{{i~)ou%QoU(feW2r!;+GsnVZ;4gLSrf1CZ~QcZ7Qk3K8^G9S$R!}qF)
z&uDrB8~PUCeD)$l`eD-d+^^_Ar|AuB=m#0Vj}OxOVbYuZ@JdZ@VB$}~RgH^3L+^)4
z->3J_7i)S08~QHHoBZ^CnDk{oRO#1gdIKB!AqMc{gYx@f(wqJIRhr(w#HaibT>KgO
zh(HP^z1iRYrlvRWfztQ<NHJWi=?!e?{qp9LzvV$i{}WAbU_<YpkCWaHQ-1S4;t@@6
zU_<XOFX{a->CO9#otoaj2TE_=cMKZ&_4^M)|1niOPyYt~1MvU381m@%A#ZBfydNRG
zzkgyg2w@G~H>emMO_=iQ{e_b>9A>5C$7L(i&3?^A8aDes^%^$&*;i}W^xrpY*z~7t
zrsQY(XI2|wvmgJchRy!!(;BuY7=FLUMf}n-0j)PRZ1$r|kj8Ygzx)XeoBhtuXxQw(
zou%P2&F?}DoBj1V4V(S)Hj}R9Nod&Y$KeIADxc=}T@9Q4YrGUz>BlSipVF||Po<qx
zezRZq7Y%#we^7x;H}8`^LKyWwyk7A;N~fFo`&12^_H?3#P5&@Q!=}H!P{XGGoUdUs
z9$l?r)4p!du<0+qZqoIB4d3ff-d?@`^-~Q;!b;w)8aC^-UuxK_f1cN{*)Moq!)E^k
z9v8wN-*S=P5gIo8L!UJ1TApbdHt)ku(Qu!Z=UjuY_j{@}Z1xKmXxQurv>5z4m4By(
z&HCQfu$hnFrC~F_zTd$5ec|^tY}QXd(Xd$$Jgi}}e>SLLvmf)KhRy!s9>7pP{;S`6
zS@2=79e?^Kvf$}i@a!!3qAd7JS#Vtzyf_PP$%3!Rg8wB8z9|d7EepOg3x@YjpnU7H
z;B8s(<5}?2S@5s3;Q!8o_hi9uLb-p&wHFuL@>{sx!Sz>M@8aU$nfx2B_i*uBvKH*S
z09PTdB3#9|#^D-|YXYtkTyFz!1lL4_|8MXQTk-et7lW&heEZ9D#4$cy^guFU?H5Id
zAulT6Qe<MqnZ^J?XT7Xg@rucc6Necu&ga)<;<WEo5ENf29aSF$#AnMmb$KWfOJ6N7
zCdjuwu3$f}#vqW3aih4w#eIw$H6xRefdjk(A~)76CRs9@Xg_ZwrN`VvDDDeRKh^m5
z#WP{;)W;a*>Bo>%>jLc*2nQ<h4vZ@oBo7o1r2rJC3sNvfIVX8>;=SZS+PNu@-y%Mx
z=sA$Z>l-{DLWKQJgt|<|rw~%YF)ZNurJ{n)VJgmegaOiSW#W`-JSRo-%C#}RB<R`*
zFUyQq9DqjcXQn;jBnHlK$`8_m=u&0?dYd8a^QVIoEPOfR%QDWIaeR_Y>LTOu8PDM}
z%1i?;qw$QRDZGiZe18$4{A<OTS3$<#7f_pWur-MpS7h<=B|?^SvP3DrWaIm*yna1@
zU*+j*e0+887N7L%H6Fd$zPui+ItJtEtGWd3xXW6n$1b0uC_KeSml5KeJIXoQbQKGm
zm%=zv2W{=m@WEA%iaAUL=~k}jrHB^NQ%<(xP0e-nhJ{4Jt2SU_addqOjVaoK@o0qO
zGca45m&O;=wKXuYz1a)0nX*+%92{uTxDdlH?lFcbpv5;e!D4a4GJd@e3HVyxH4O_<
zs5aOVzOqQS-&Qz!!u?i>WQuxDQ(e_nbymE!xxJMcn|4lXF7tz)d7<h>2;CtxE`w(y
zT`JL3J7~!nB5IeJW@2b!O?7SUI(L(qiC)If9C{*r{tKCKTjS!TkaD!$pQsFoDONl#
z6%E_Hh9aI+(}piHp0uQ)6(2inKdHXqnv=9+@}fnJCp9*=opdf_fl5x&pG}P;{=|hJ
zfNtSZbc!b|=xA)JKS4UDlg_O|%z5~XWScLq6YCpW{oukAn}aQ!6{`Do<zDUUn=O9_
z<nIBqJ0mbro%ey4TdAY1b)nI~|K-v%Cza=kq61wW{2HV2)%IGZZ=T_wKIq{zdn8oj
zqi-P0J!0xuAD$UQvl))Y%o??G&IWSN7)Fi7CL%b<=O6#kv~)kEG!`7wRa~A~#OOIo
zT)yRsj#s&T8-;5HumfF)zVIJl2`U@5h0#N&f7thpW20uJJU+rPgr_F*O(8~i8tenj
zSRd&50|UBDA{1}ct((3x5chsVgV$&3Qyi-64bDq)4j)v=sF{OI77k!w8C~8$C;2|J
zez5@@FZl;lekLm#K-O&TeTPP6s8G8cgvlByW&Af2rUMu`F=Apq_75np$;g;HYgcB1
zzFA$aiQxN<?5z!p{sEFpE)-kZgEw3LAhQa!<ogH6YBHj@W^hqwfAsN-tk~evQenzW
z^Z#TFRkN9sEIq6F2NYN5=w--aYe4m>St~C+spCX7d#>jv^t!E4Q$4J30?RwIc*|t^
m0Vac4OGz^c)N@0xqtm=I0;=_+*KcOeTn(T9X)>wz%KkUhjNq~W

literal 0
HcmV?d00001

diff --git a/pubspec.yaml b/pubspec.yaml
index 646d3c0..830b3db 100644
--- a/pubspec.yaml
+++ b/pubspec.yaml
@@ -13,6 +13,7 @@ dependencies:
   logging: '>=0.11.3+2 <1.0.0'
   crypto: '>=2.0.0 <3.0.0'
   pointycastle: '>=1.0.1 <2.0.0'
+  cryptography: ^0.1.2
   xml: '>=3.7.0 <4.0.0'
   uuid: '>=2.0.0 <3.0.0'
   meta: '>=1.0.0 <2.0.0'
@@ -25,8 +26,11 @@ dependencies:
   args: '>1.5.0 <2.0.0'
   prompts: '>=1.3.0 <2.0.0'
   logging_appenders: '>=0.1.0 <1.0.0'
+  ffi_helper: ^1.4.0
 
 dev_dependencies:
   pedantic: '>=1.7.0 <2.0.0'
   test: '>=1.6.0 <2.0.0'
+  ffi: ^0.1.3
+
 
diff --git a/test/kdbx4_test.dart b/test/kdbx4_test.dart
new file mode 100644
index 0000000..d7c1af8
--- /dev/null
+++ b/test/kdbx4_test.dart
@@ -0,0 +1,117 @@
+import 'dart:convert';
+import 'dart:ffi';
+import 'dart:io';
+import 'dart:typed_data';
+
+import 'package:ffi/ffi.dart';
+import 'package:ffi_helper/ffi_helper.dart';
+import 'package:kdbx/kdbx.dart';
+import 'package:kdbx/src/crypto/key_encrypter_kdf.dart';
+import 'package:logging/logging.dart';
+import 'package:logging_appenders/logging_appenders.dart';
+import 'package:test/test.dart';
+
+final _logger = Logger('kdbx4_test');
+
+//typedef HashStuff = Pointer<Utf8> Function(Pointer<Utf8> str);
+typedef Argon2HashNative = Pointer<Utf8> Function(
+  Pointer<Uint8> key,
+  IntPtr keyLen,
+  Pointer<Uint8> salt,
+  Uint64 saltlen,
+  Uint32 m_cost, // memory cost
+  Uint32 t_cost, // time cost (number iterations)
+  Uint32 parallelism,
+  IntPtr hashlen,
+  Uint8 type,
+  Uint32 version,
+);
+typedef Argon2Hash = Pointer<Utf8> Function(
+  Pointer<Uint8> key,
+  int keyLen,
+  Pointer<Uint8> salt,
+  int saltlen,
+  int m_cost, // memory cost
+  int t_cost, // time cost (number iterations)
+  int parallelism,
+  int hashlen,
+  int type,
+  int version,
+);
+
+class Argon2Test implements Argon2 {
+  Argon2Test() {
+//    final argon2lib = DynamicLibrary.open('libargon2.1.dylib');
+    final argon2lib = DynamicLibrary.open('libargon2_ffi.dylib');
+    _argon2hash = argon2lib
+        .lookup<NativeFunction<Argon2HashNative>>('hp_argon2_hash')
+        .asFunction();
+  }
+  Argon2Hash _argon2hash;
+
+  @override
+  Uint8List argon2(
+    Uint8List key,
+    Uint8List salt,
+    int memory,
+    int iterations,
+    int length,
+    int parallelism,
+    int type,
+    int version,
+  ) {
+//    print('hash: ${hashStuff('abc')}');
+    final keyArray = Uint8Array.fromTypedList(key);
+//    final saltArray = Uint8Array.fromTypedList(salt);
+    final saltArray = allocate<Uint8>(count: salt.length);
+    final saltList = saltArray.asTypedList(length);
+    saltList.setAll(0, salt);
+    const int memoryCost = 1 << 16;
+
+//    _logger.fine('saltArray: ${ByteUtils.toHexList(saltArray.view)}');
+
+    final result = _argon2hash(
+      keyArray.rawPtr,
+      keyArray.length,
+      saltArray,
+      salt.length,
+      memoryCost,
+      iterations,
+      parallelism,
+      length,
+      type,
+      version,
+    );
+
+    keyArray.free();
+//    saltArray.free();
+    free(saltArray);
+    final resultString = Utf8.fromUtf8(result);
+    return base64.decode(resultString);
+  }
+
+//  String hashStuff(String password) =>
+//      Utf8.fromUtf8(_hashStuff(Utf8.toUtf8(password)));
+}
+
+void main() {
+  Logger.root.level = Level.ALL;
+  PrintAppender().attachToLogger(Logger.root);
+  final kdbxFormat = KdbxFormat(Argon2Test());
+  group('Reading', () {
+    final argon2 = Argon2Test();
+    test('bubb', () async {
+      final key = utf8.encode('asdf') as Uint8List;
+      final salt = Uint8List(8);
+//      final result = Argon2Test().argon2(key, salt, 1 << 16, 5, 16, 1, 0x13, 1);
+//      _logger.fine('hashing: $result');
+      final data = await File('test/keepassxcpasswords.kdbx').readAsBytes();
+      final file =
+          kdbxFormat.read(data, Credentials(ProtectedValue.fromString('asdf')));
+      final firstEntry = file.body.rootGroup.entries.first;
+      final pwd = firstEntry.getString(KdbxKey('Password')).getText();
+      _logger.info('password: $pwd');
+      expect(pwd, 'MyPassword');
+    });
+  });
+}
diff --git a/test/kdbx_test.dart b/test/kdbx_test.dart
index d34a145..ce08173 100644
--- a/test/kdbx_test.dart
+++ b/test/kdbx_test.dart
@@ -1,3 +1,4 @@
+import 'dart:ffi';
 import 'dart:io';
 import 'dart:typed_data';
 
@@ -20,12 +21,13 @@ class FakeProtectedSaltGenerator implements ProtectedSaltGenerator {
 void main() {
   Logger.root.level = Level.ALL;
   PrintAppender().attachToLogger(Logger.root);
+  final kdbxForamt = KdbxFormat();
   group('Reading', () {
     setUp(() {});
 
     test('First Test', () async {
       final data = await File('test/FooBar.kdbx').readAsBytes();
-      KdbxFormat.read(data, Credentials(ProtectedValue.fromString('FooBar')));
+      kdbxForamt.read(data, Credentials(ProtectedValue.fromString('FooBar')));
     });
   });
 
@@ -36,14 +38,14 @@ void main() {
       final cred = Credentials.composite(
           ProtectedValue.fromString('asdf'), keyFileBytes);
       final data = await File('test/password-and-keyfile.kdbx').readAsBytes();
-      final file = KdbxFormat.read(data, cred);
+      final file = kdbxForamt.read(data, cred);
       expect(file.body.rootGroup.entries, hasLength(2));
     });
   });
 
   group('Creating', () {
     test('Simple create', () {
-      final kdbx = KdbxFormat.create(
+      final kdbx = kdbxForamt.create(
           Credentials(ProtectedValue.fromString('FooBar')), 'CreateTest');
       expect(kdbx, isNotNull);
       expect(kdbx.body.rootGroup, isNotNull);
@@ -54,7 +56,7 @@ void main() {
           .toXmlString(pretty: true));
     });
     test('Create Entry', () {
-      final kdbx = KdbxFormat.create(
+      final kdbx = kdbxForamt.create(
           Credentials(ProtectedValue.fromString('FooBar')), 'CreateTest');
       final rootGroup = kdbx.body.rootGroup;
       final entry = KdbxEntry.create(kdbx, rootGroup);
@@ -71,7 +73,7 @@ void main() {
     test('Simple save and load', () {
       final credentials = Credentials(ProtectedValue.fromString('FooBar'));
       final Uint8List saved = (() {
-        final kdbx = KdbxFormat.create(credentials, 'CreateTest');
+        final kdbx = kdbxForamt.create(credentials, 'CreateTest');
         final rootGroup = kdbx.body.rootGroup;
         final entry = KdbxEntry.create(kdbx, rootGroup);
         rootGroup.addEntry(entry);
@@ -82,7 +84,7 @@ void main() {
 
 //      print(ByteUtils.toHexList(saved));
 
-      final kdbx = KdbxFormat.read(saved, credentials);
+      final kdbx = kdbxForamt.read(saved, credentials);
       expect(
           kdbx.body.rootGroup.entries.first
               .getString(KdbxKey('Password'))
@@ -92,12 +94,10 @@ void main() {
     });
   });
 
-  group('Unsupported version', () {
+  group('kdbx 4.x', () {
     test('Fails with exception', () async {
       final data = await File('test/keepassxcpasswords.kdbx').readAsBytes();
-      expect(() {
-        KdbxFormat.read(data, Credentials(ProtectedValue.fromString('asdf')));
-      }, throwsA(const TypeMatcher<KdbxUnsupportedException>()));
+      kdbxForamt.read(data, Credentials(ProtectedValue.fromString('asdf')));
     });
   });
 }
diff --git a/test/keepassxcpasswords.kdbx b/test/keepassxcpasswords.kdbx
index 69ad677291d8ca0008d10e770f34c8ec169868d3..2a50297c6dfe6db4a2d3a739990e5549d721458e 100644
GIT binary patch
delta 1337
zcmV-91;+Z-3$+W7FExyI@$rqG`*JOqi7KOKrkP)7+rGPds$&QKpvlpVD!vC00000D
zA+eK}tkX;S`>-rBt|=^$WMO~mQkqReuv82y&Tw{BdK%jnn@^T-2f2UF3|{9B8-ED|
z0RR91Rs;Y5022TJ0000400000(5(va0Zb7uV8$j}VjSt-nj-h?Oqk2V1c;S3%}SoL
z*{X~RfVQK+K8zM~HUcbrh9UTYxII>M1Kzm=FU*wSciiVB%6*)cS@VBkkUhhjos(H5
z({Ud3H5`oA&RTlo;ZwN^Fa!Vqrl2I8P8jds!!Ov7Y_4|;S2ES-hixJwmxq#%m_4)Y
z<cGiuEC9@vS=L2cwSIC@IP2xwTLQb-vYzQ_T|?A34h+NF)}?@f))1&R!#*TY69N4H
zM^1XTE^-}iOVbudX^MZX+ks_ntusuNA54K+tZ!~98}@sbfJ`nUE2HVxyZ>cSao~Zg
zcO8?8uU5iF;~;c9h_yx^%kWjo7DmZe^?7B>0a%Nhp>YJUI<8%m>gk@f2EkT8@$aYM
z27s-kUaRxkkK`Fj*}iZao)As{Q-&yneu8BiP;Ak*1SK0qKu~`u?RtLo8UU&!n0pUr
zGD?+jKmU_6nV&fBYMEiUX=rb;V^jM49+cI8gwzX>ic?EQ_UL^G;*v}rL{{vX)hU^(
z3N3o=;a{Ok3jmzH(NK^hs}3;8I{Y>GJkXNA?w-j2S$u=XO;)CfCdX&wwE+fHLgJP{
zzRQqnq;S@vjN5;n)rbm$syYu<YQ<3YBo`K%qQ@0Lb{8ACkui>aG`SQ8te*~2^lB#f
zyzK(e$EocAm00jp9PL)-5;Ng#yyJrVR2FR>s%y6?u$)7V0WeX;?hCAZX#|4`fA%o$
zl)ZY748WN0&%q}-Zvx!%>A)>Q?$20H+;K~5f4(VW`J#VToK)Wioy|9)%|(LtQ=Mg+
zAT(-h%^iHEB9}?mlI9v!r6CD_Nto#|Eb5?yO|2~f$w$J;Hm~YsQBnmOPQ?32#gZ{s
zQJXEYFOHFj4GsBhVST2A&n3F%9;a5WaZsuBWELZ_Qr1UVFdPELelIkHxf_!;u!CU7
z6@yeY=e>Vd`k5$&#(S{=gkMyv{63$D=`W17^=PJW+ezkEH0nE=dC81g1e0GnXx{@_
z)e&qILZuoO@EjVq`Ys=@>s*kP^_(9Gy@b)tHBn|kwEQr9mHdlaVawYe1<OmG>zBD<
za=an=Q;kK4aul!Yd;xX?tuy0vsp~8t<SlC0{MUcc!@8Iyo%r~{>|yS*yjt1kMJLA(
zPA;AG9x1sO8$m|GUd<O%6l+~(ezYHVb;pBCA*-KLfSqYD>1wT%qhO4MIm$Q;FGe9C
za8B=sJGp_|+n6+i8D*ABKY`LGOGx^WF^eD$Gv#OGkiPdWV8}a$b6=VCsTuz+sJU-v
zs|bH2LE|We6oE28efB?P3Qb~~Xa1r_rW=4I`NwxFRJs5tB*i<G6JU0QVS|>u4mt6g
zLLxV<Wy42O_6F5Uxnogfd*O#%?UsB1+!T=E0cWh4Mocw#c^u!F&YnD*G1)^aq}2T3
z)=hO8xf~lpR|QXsIdk`<2PB;2mr_vkIB0p>O<bug6*Axd;;n2dfa7<P^3SoRAnEso
zKN>ker`RRyNi&+R2aXL}5Rsf;yribRwVyEF;sw~>uM;u)%398;X3SM+@5h)h$+A80
vDXmC7Hk6zgwH|nQN%#3MMN1Q8rT)tzPH@CKpKlCE-vD*Kp3(~u00000d$@Y>

delta 1370
zcmV-g1*Q763)KsdFEyzC<l-eBSd6xBp+QrpreJ$Oekla)lGbO6#Go6C?hFSI0001^
zbsY(`(aI?YBkeY;G<b`VWMO|M1TX<lBcOsiS|VN&a^wUAOkp9SsDoA{?eB^7pSAb|
z0RR91Rs;Y5022TJ000040000D3JnTtv)&~56wc9AyIU+%WARU`Q_I^HZ!;HCVc*;|
zEQ<2J%%W+!d5#e?yfPHZxasAwhkw}hY{6PP-vZem<~{_1FKUKIgCc)8i2cG`W3kjL
zXD8BZ0Gl3~;Ei=J-a1BiPy_$~k3@NXdOa#-*56MFzI+fS5%RIM$k?<x#S+~I^+p?F
ziXT>;6F`5$>_k|B=b-yNU*GXl=^iP)4}6~4M)P!=Q)iNBv<(UiInYSmN^N;($fiWi
zV9cdN1U$_9U<FnX)#`te#o<%<b8m4~G7y_q+~?qbATU_`QiCOpvFAksB*f20b5aaI
z{4y;}W6T}T?>Yc18x`eEx;1k)jvL;hFsrkOLRDJup&h{X05u@8T4XU?Xv-j~4N|bY
zapE3%xjKp(Qmg&<KVvL`p;GR7V&pIxC5n1dZVm{d3C}fT?_z(P5m@g8C6-x|>WZDg
z2t3-km>w91gI~S@ZT!m2wquz68;5;>UUQ!y>iqnHcM@1_R#v#YY)IP43@9s8p|zFm
z(#fYE$)TD&&XBp;nu)F)uLn_nBOejO+6anQQ+f7+K8_$tLCYwlj}kVJV-F~)_Jo#;
zBeH8K<M?<!9xQ+6R&|~c%Z!slXnoZHm{nRr1vB~990CBi-sw2X7mE1b1^@OrkYGJN
zWtxvD`%d=bI!7t%aX*^l2hmC165c|)g@A8pP{5TZ3RD7pY2yKJ{A4bK9w$m%_3@6g
z7&;wFtL3P!b}!mMz`7drh1yW{i12Gam;2HJW^%bgp#XomWr8g#!x@WKv=t@foAIA&
zlN<=9Q;t?|0mNTp-^+m67pIlw9w>hwa47JcY&F{XJlgw~UkU7F9-~qQ*cze@K*>)t
z)T+~0M5u^xK42T?=LT8OLn+5?SV6t?md)c9pWqqWy!NlrA;EpJ3++g8`NAuD#fo?n
zreJhq{ONzcbh)Er%G-#QD5xfU<a9t`vfaYQg>&=02yL@inGr>Ft*6mi!Dxq;u@9z8
z=#R=eq3xW##{(W4?^jifY<u1<j(JDDjEh9CC^ll)W{%s$_1hAbET^+Ym)}PtRCc0p
z%Hz)}B#$kCubx*L7@Z*vO}k*lNd-ly*RH6L{AGVdxOMD`$kw(8VD&}B>mBI0vo)jP
znX`|p`z;<vr~L;G35{~qScBrf8JT#mvG#2Zj|`33(rBme;tsM!ZD%4BXtxk1k^A_+
zHb1hLIW*I}gHfsDTdYbyXuD$E?cy{gAwlOX_ZIEopwl#C(ti4sfRnZ0%x2zTr^D@(
z8One8W0EBc#{m3KGma9$O?_kLjd4_<X<Bl}wPBxM#kfChqLimHE*~z$7sdd74QS<T
z#)e;EfCGJr8loR(p}dC-##bu|R@q8sI}V=DbWw~vP?G4I==%1*Y57FV)SOn$S<G=V
zzX=g|69gO0DQIfsF*1j=4|r(kfC|GYdeeVevC_K^WC65qP)}-uR73>*StQLG@>CJy
zSe9!7Z-x!)wT9>DB($v{VcChrK9iQ=G~gNUbIuVf)~xz;F{X3tGbrOHjY0r<-OTNo
z{TfTcsfC$lVlbk44aL{!9zL_8jv7(aX&>n8dJ<{V)Y8cPY|WnuaEZcbE}Od4^>Z3W
cY!Nr)ID6~q?ep#8@A^;ubBe1C9{>OV00eK6fB*mh