:k      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijportable experimental!dominic.steinitz@blueyonder.co.ukk lm    portablebetaThomas.DuBuisson@gmail.com%Handle for manual resource mangement nOpen a   Close the  Read random data from a  BInefficiently get a specific number of bytes of cryptographically : secure random data using the system-specific facilities. Use '/dev/urandom'' on *nix and CryptAPI when on Windows. o portable betaThomas.DuBuisson@gmail.com5Not that it is technically correct as an instance of , but simply because  it'is a reasonable engineering choice here is a CryptoRandomGen which streams the system randoms. Take note: # It uses the default definition of genByteWithEntropy   will always fail!   will always fail! 1 the handle to the system random is never closed pMA class of random bit generators that allows for the possibility of failure, C reseeding, providing entropy at the same time as requesting bytes Minimum complete definition: , , , . HInstantiate a new random bit generator. The provided bytestring should > be of length >= genSeedLength. If the bytestring is shorter * then the call may fail (suggested error: ! ). If the C bytestring is of sufficent length the call should always succeed. GLength of input entropy necessary to instantiate or reseed a generator genBytes len g) generates a random ByteString of length len and new generator.  The MonadCryptoRandom; package has routines useful for converting the ByteString  to commonly needed values (but cereal6 or other deserialization libraries would also work). XThis routine can fail if the generator has gone too long without a reseed (usually this J is in the ball-park of 2^48 requests). Suggested error in this cases is " genBytesWithEntropy g i entropy generates i random bytes and use the  additional input entropy, in the generation of the requested data to G increase the confidence our generated data is a secure random stream. Some generators use entropy1 to perturb the state of the generator, meaning:    (_,g2') <!- genBytesWithEntropy len g1 ent  (_,g2 ) <- genBytes len g1  g2 /= g2' But this is not required.  Default:  J genBytesWithEntropy g bytes entropy = xor entropy (genBytes g bytes) IIf the generator has produced too many random bytes on its existing seed  it will throw ">. In that case, reseed the generator using this function and & a new high-entropy seed of length >= (. Using bytestrings that are too short  can result in an error (!). By default this uses System.Crypto.Random to obtain entropy for . 6many generators have these error conditions in common KThis generator can not be instantiated or reseeded with a finite seed (ex: ) !0For instantiating new generators (or reseeding) "]Some generators cease operation after too high a count without a reseed (ex: NIST SP 800-90) # When using genInteger g (l,h) and %logBase 2 (h - l) > (maxBound :: Int). $bRequested more bytes than a single pass can generate (The maximum request is generator dependent) %Misc qJget a random number generator based on the standard system entropy source &r:Obtain a tagged value for a particular instantiated type. s !"#$%&%$#"! &%$#"! !"#$%& portable betaThomas.DuBuisson@gmail.com&'FA class for signing operations which inherently can not be as generic ! as asymetric ciphers (ex: DSA). ()*+,-WA stream cipher class. Instance are expected to work on messages as small as one byte 9 The length of the resulting cipher text should be equal % to the length of the input message. ./0126Asymetric ciphers (common ones being RSA or EC based) 3build a public/.private key pair using the provided generator 4Asymetric encryption 5Asymetric decryption 67;The BlockCipher class is intended as the generic interface < targeted by maintainers of Haskell cipher implementations. 5 Using this generic interface higher level functions  such as cbcC, and other functions from Data.Crypto.Modes, provide a useful API * for comsumers of cipher implementations. %Instances must handle unaligned data 8LThe size of a single block; the smallest unit on which the cipher operates. 9encrypt data of size  n*blockSize where n t [0..] (ecb encryption) :decrypt data of size  n*blockSize where n t [0..] (ecb decryption) ;.smart constructor for keys from a bytestring. <8keyLength may inspect its argument to return the length =4The Hash class is intended as the generic interface < targeted by maintainers of Haskell digest implementations. 6 Using this generic interface, higher level functions  such as C and D provide a useful API ( for comsumers of hash implementations. ;Any instantiated implementation must handle unaligned data >$The size of the digest when encoded ?GThe amount of data operated on in each round of the digest computation @4An initial context, provided with the first call to A AHUsed to update a context, repeatedly called until all data is exhausted ( must operate correctly for imputs of  n*blockLength bytes for n t [0..] BUFinializing a context, plus any message data less than the block size, into a digest C*Hash a lazy ByteString, creating a digest D,Hash a strict ByteString, creating a digest E*Obtain a lazy hash function from a digest F,Obtain a strict hash function from a digest uG'Obtain a tagged value for a given type HInfix G operator Iv`signUsing d k msg`5 Returns a signature (not a message + signature) for msg # by hashing into a digest asTypeOf d( and encrypting using the asymetric key k.  Expect a  Signature( class to appear in a future crypto-api < (this function might become depricated pending discussion) wLike v but for strict ByteStrings. #'()*+,-./0123456789:;<=>?@ABCDEFGHI#=>?@AB789:;<I-./0123456'()*+,GHCDEF#'()*+,()*+,-./01./01234563456789:;<89:;<=>?@AB>?@ABCDEFGHI portable betaThomas.DuBuisson@gmail.comJKL>Message authentication code calculation for lazy bytestrings.   hmac k msg) will compute an authentication code for msg using key k M hmac k msg) will compute an authentication code for msg using key k JKLMLMJKJKKLM portable betaThomas.DuBuisson@gmail.comNFInitilization Vectors for BlockCipher implementations (IV k) are used > for various modes and guarrenteed to be blockSize bits long. xyz{|OzipWith xor + Pack C This is written intentionally to take advantage of the bytestring  libraries zipWith'+ rewrite rule but at the extra cost of the D resulting lazy bytestring being more fragmented than either of the  two inputs. zipWith xor + Pack Y As a result of rewrite rules, this should automatically be optimized (at compile time) ! to use the bytestring libraries zipWith' function. <Cipher block chaining encryption mode on strict bytestrings P8Cipher block chaining decryption for strict bytestrings Q6Cipher block chaining encryption for lazy bytestrings R6Cipher block chaining decryption for lazy bytestrings STUVWPCiphertext feed-back encryption mode for lazy bytestrings (with s == blockSize) XPCiphertext feed-back decryption mode for lazy bytestrings (with s == blockSize) YRCiphertext feed-back encryption mode for strict bytestrings (with s == blockSize) ZRCiphertext feed-back decryption mode for strict bytestrings (with s == blockSize) [*Output feedback mode for lazy bytestrings \*Output feedback mode for lazy bytestrings ],Output feedback mode for strict bytestrings ^,Output feedback mode for strict bytestrings }_ Obtain an N+ using the provided CryptoRandomGenerator. ` Obtain an N using the system entropy (see System.Crypto.Random) ~NOPQRSTUVWXYZ[\]^_`STQRWX[\UVOPYZ]^N_`NOPQRSTUVWXYZ[\]^_` a$PKCS5 (aka RFC1423) padding method. : This method will not work properly for pad modulos > 256 b   putPaddedPKCS5 m bs  Will pad out bs to a byte multiple  of m# and put both the bytestring and it's padding via  : (this saves on copying if you are already using Cereal). cBPKCS5 (aka RFC1423) padding method using the BlockCipher instance  to determine the pad size.  Leverages b# to put the bytestring and padding = of sufficient length for use by the specified block cipher. d>unpad a strict bytestring padded in the typical PKCS5 manner. E This routine verifies all pad bytes and pad length match correctly. ef0Pad a bytestring to the IPSEC esp specification   padESP m payload is equivilent to:   : (msg) (padding) (length field) ) B.concat [payload, B.pack [1,2,3,4..], B.pack [padLen]] Where: ( the msg is any payload, including TFC.  the padding is <= 255  the length field is one byte. -Notice the result bytesting length remainder r equals zero. The lack  of a " next header"7 field means this function is not directly useable for  an IPSec implementation (copy/'paste the 4 line function and add in a  " next header"% field if you are making IPSec ESP). gGLike padESP but use the BlockCipher instance to determine padding size hLLike putPadESP but using the BlockCipher instance to determine padding size i6Pad a bytestring to the IPSEC ESP specification using . 2 This can reduce copying if you are already using . j/A static espPad allows reuse of a single B.pack'ed pad for all calls to padESP Tunpad and return the padded message (Nothing is returned if the padding is invalid) abcdefghij acbdefjghi abcdefghij      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxPyz{|}~Vcrypto-api-0.3.1Data.LargeWord Crypto.TypesSystem.Crypto.Random Crypto.RandomCrypto.Classes Crypto.HMAC Crypto.ModesCrypto.PaddingWord256Word224Word192Word160Word128Word96LargeKey LargeWordlargeWordToIntegerintegerToLargeWord largeWordPlus largeWordAnd largeWordOrlargeWordShift largeWordXor largeBitSize ByteLength BitLength CryptHandle openHandle closeHandle hGetEntropy getEntropy SystemRandomCryptoRandomGennewGen genSeedLengthgenBytesgenBytesWithEntropyreseednewGenIOGenErrorNeedsInfiniteSeedNotEnoughEntropy NeedReseed RangeInvalidRequestedTooManyBytes GenErrorOthersplitGenSigningsignverifybuildSigningPairsigningKeyLengthverifyingKeyLength StreamCipherbuildStreamKey encryptStream decryptStreamstreamKeyLength AsymCipher buildKeyPair encryptAsym decryptAsym asymKeyLength BlockCipher blockSize encryptBlock decryptBlockbuildKey keyLengthHash outputLength blockLength initialCtx updateCtxfinalizehashhash'hashFunc hashFunc'for.::.blockSizeBytesMacKeyhmachmac'IVcbc'unCbc'cbcunCbcecbunEcbecb'unEcb'cfbunCfbcfb'unCfb'ofbunOfbofb'unOfb'getIVgetIVIOpadPKCS5putPaddedPKCS5 padBlockSizeunpadPKCS5safe unpadPKCS5padESPpadESPBlockSizeputPadESPBlockSize putPadESPunpadESPaoflkboflkCHgetEnt SysRandom getSystemGenbs2ibaseGHC.Listelem makeBlocks signUsing signUsing'initializationVectorcollectchunkFor chunkFor'unfoldKivProxy deIVProxyproxyOfivBlockSizeBytescereal-0.3.0.0Data.Serialize.PutPutputPaddedBlockSize