lS      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~                                  ! " # $ % &'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} ~     >None:<=DRThe result of a comparison. This is an opaque type and the monoid instance essentially takes AND of two comparisons in a timing safe way.HAll types that support timing safe equality are instances of this class.9Check whether two values are equal using the timing safe 0 function. Use this function when defining the % instance for a Sensitive data type.9Checks whether a given equality comparison is successful.Vector of Results.MVector for Results. SafeQThis class captures all types that have some sort of description attached to it.%Short name that describes the object.Longer description!NoneI$The destination of a copy operation.&Note to Developers of Raaz: Since the d type inherits the Storable instance of the base type, one can use this type in foreign functions. The source of a copy operation. smart constructor for source#smart constructor for destionation.     "Safe*,9;<=DORT4The constraint on the alignment o(since base 4.7.0).A type w0 forced to be aligned to the alignment boundary algThe underlying unAligned value.#Align the value to 16-byte boundary#Align the value to 32-byte boundary#Align the value to 64-byte boundary Safe9;<=A monadic arrow field.WA field where the underlying arrow is the (->). This is normally what we call a field.vA field on the space is a function from the points in the space to some value. Here we define it for a general arrow.dThe twisted functor is essentially a generalisation of semi-direct product to applicative functors."The generalisation of distributivity to applicative functors. This generalisation is what allows us to capture applicative functors like parsers. For an applicative functor, and a monoid acting uniformly on it, we say that the action is distributive if the following laws are satisfied: vm <<.>> (pure a) = pure a -- pure values are stoic m <<.>> (a <*> b) = (m <<.>> a) <*> (m <<.>> b) -- distThe semidirect product Space " Monoid. For monoids acting on monoidal spaces distributively the semi-direct product is itself a monoid. It turns out that data serialisers can essentially seen as a semidirect product.jA left-monoid action on a monoidal-space, i.e. the space on which the monoid acts is itself a monoid, is  distributive if it satisfies the law: 'a <.> p <> q = (a <.> p) <> (a <.> q).)The above law implies that every element m is a monoid homomorphism.PUniform action of a monoid on a functor. The laws that should be satisfied are: p1 <<.>> fx = fx (a <> b) <<.>> fx = a . (b <<.>> fx) m <<.>> fmap f u = fmap f (m <<.>> u) -- acts uniformly A monoid mx acting on the left of a space. Think of a left action as a multiplication with the monoid. It should satisfy the law: k1 <.> p = p -- identity a <> b <.> p = a <.> b <.> p -- successive displacements!?An alternate symbol for <> more useful in the additive context."LFrom the an element of semi-direct product Space " Monoid return the point.#UFrom the an element of semi-direct product Space " Monoid return the monoid element.$!Get the underlying functor value.% Get the underlying monoid value.&;Compute the value of a field at a given point in the space.' Lift a monadic action to FieldM.(3Runs a monadic field at a given point in the space.*:The action on the space translates to the action on field. !"#$%&'()*+,- !"#$%&'( !"#$%&(' !"#$%&'()*+,-5 5!5#None9;<=I$.-Types to measure alignment in units of bytes./Type safe length unit that measures offsets in multiples of word length. This length unit can be used if one wants to make sure that all offsets are word aligned.0+Type safe lengths/offsets in units of bits.2,Type safe lengths/offsets in units of bytes.4In cryptographic settings, we need to measure pointer offsets and buffer sizes. The smallest of length/offset that we have is bytes measured using the type 2. In various other circumstances, it would be more natural to measure these in multiples of bytes. For example, when allocating buffer to use encrypt using a block cipher it makes sense to measure the buffer size in multiples of block of the cipher. Explicit conversion between these length units, while allocating or moving pointers, involves a lot of low level scaling that is also error prone. To avoid these errors due to unit conversions, we distinguish between different length units at the type level. This type class capturing all such types, i.e. types that stand of length units. Allocation functions and pointer arithmetic are generalised to these length units.All instances of a 4" are required to be instances of ~ where the monoid operation gives these types the natural size/offset addition semantics: i.e. shifting a pointer by offset a  b is same as shifting it by a and then by b.5"Express the length units in bytes.63The pointer type used by all cryptographic library.RA type whose only purpose in this universe is to provide alignment safe pointers.;Some common PTR functions abstracted over type safe length.7!Express the length units in bits.8Express length unit src in terms of length unit dest rounding upwards.9+Often we want to allocate a buffer of size lN. We also want to make sure that the buffer starts at an alignment boundary an. However, the standard word allocation functions might return a pointer that is not aligned as desired. The atLeastAligned l a returns a length n such the length n1 is big enough to ensure that there is at least lJ length of valid buffer starting at the next pointer aligned at boundary a . If the alignment required in a0 then allocating @l + a - 1 should do the trick.:Express length unit src in terms of length unit dest rounding downwards.;A length unit u/ is usually a multiple of bytes. The function ; is like  : the value byteQuotRem bytes is a tuple (x,r), where x is bytes expressed in the unit u with r being the reminder.<Function similar to ; but returns only the quotient.=Function similar to ; but works with bits instead.>Function similar to = but returns only the quotient.?.The default alignment to use is word boundary.@'Compute the size of a storable element.A@Size of the buffer to be allocated to store an element of type a so as to guarantee that there exist enough space to store the element after aligning the pointer. If the size of the element is s and its alignment is a- then this quantity is essentially equal to  s + a - 1'. All units measured in word alignment.B,Compute the alignment for a storable object.C-Align a pointer to the appropriate alignment.D.Move the given pointer with a specific offset.EKCompute the next aligned pointer starting from the given pointer location.F0Peek the element from the next aligned location.G0Poke the element from the next aligned location.HThe expression allocaAligned a l action% allocates a local buffer of length l and alignment a$ and passes it on to the IO action action. No explicit freeing of the memory is required as the memory is allocated locally and freed once the action finishes. It is better to use this function than , as it does type safe scaling and alignment.IThis function allocates a chunk of "secure" memory of a given size and runs the action. The memory (1) exists for the duration of the action (2) will not be swapped during that time and (3) will be wiped clean and deallocated when the action terminates either directly or indirectly via errors. While this is mostly secure, there can be strange situations in multi-threaded application where the memory is not wiped out. For example if you run a crypto-sensitive action inside a child thread and the main thread gets exists, then the child thread is killed (due to the demonic nature of haskell threads) immediately and might not give it chance to wipe the memory clean. This is a problem inherent to how the bracket( combinator works inside a child thread.'TODO: File this insecurity in the wiki.JA less general version of H7 where the pointer passed is aligned to word boundary.KA less general version of I6 where the pointer passed is aligned to word boundaryL:Creates a memory of given size. It is better to use over  as it uses typesafe length.M A version of , which works for any type safe length units.NCopy between pointers.OMove between pointers.P6Sets the given number of Bytes to the specified value.,The most interesting monoidal action for us.4./0123456789:;<=>?@ABCDEFGHthe alignment of the buffersize of the bufferthe action to runIJ buffer lengththe action to runKL buffer lengthMN destinationsrcNumber of Bytes to copyO destinationsourceNumber of Bytes to copyPTargetValue byte to setNumber of bytes to set#./0123456789:;<=>?@ABCDEFGHIJKLMNOP,./0123456789:;<=>?@ABCDEFGHIJKLMNOP$None 09;<=DIRQ$Big endian version of the word type wR'Little endian version of the word type wSThis class captures types which provides an endian agnostic way of loading from and storing to data buffers. Any multi-byte type that is meant to be serialised to the outside world should be an instance of this class. When defining the U, T, VL member functions, care should be taken to ensure proper endian conversion.T The action  store ptr w stores w at the location pointed by ptr. Endianness of the type w^ is taken care of when storing. For example, irrespective of the endianness of the machine, #store ptr (0x01020304 :: BE Word32) will store the bytes 0x01, 0x02, 0x03, 0x04 respectively at locations ptr, ptr +1, ptr+2 and ptr+3. On the other hand $store ptr (0x01020304 :: LE Word32) would store 0x04, 0x03, 0x02, 0x01 at the above locations.U The action load ptr loads the value stored at the ptrS. Like store, it takes care of the endianness of the data type. For example, if ptr) points to a buffer containing the bytes 0x01, 0x02, 0x03, 0x042, irrespective of the endianness of the machine, load ptr :: IO (BE Word32) will load the vale  0x01020304 of type  BE Word32 and load ptr :: IO (LE Word32) will load  0x04030201 of type  LE Word32.V The action adjustEndian ptr n7 adjusts the encoding of bytes stored at the location ptrW to conform with the endianness of the underlying data type. For example, assume that ptr* points to a buffer containing the bytes 0x01 0x02 0x03 0x04,, and we are on a big endian machine, then (adjustEndian (ptr :: Ptr (LE Word32)) 1 will result in ptr pointing to the sequence 0x04 0x03 0x02 0x01. On the other hand if we were on a little endian machine, the sequence should remain the same. In particular, the following equalities should hold. 9 store ptr w = poke ptr w >> adjustEndian ptr 1 Similarly the value loaded by load ptr* should be same as the value returned by adjustEndian ptr 1 >> peak ptr>, although the former does not change the contents stored at ptr@ where as the latter might does modify the contents pointed by ptr= if the endianness of the machine and the time do not agree. The action )adjustEndian ptr n >> adjustEndian ptr n  should be equivalent to  return ().WdStore the given value at an offset from the crypto pointer. The offset is given in type safe units.XStore the given value as the n8-th element of the array pointed by the crypto pointer.Y Load the n4-th value of an array pointed by the crypto pointer.ZALoad from a given offset. The offset is given in type safe units.[ For the type w , the action copyFromBytes dest src n copies n-elements from src to destP. Copy performed by this combinator accounts for the endianness of the data in dest and is therefore not a mere copy of  n * sizeOf(w)( bytes. This action does not modify the src pointer in any way.\ Similar to  copyFromBytesu but the transfer is done in the other direction. The copy takes care of performing the appropriate endian encoding.]%Convert to the little endian variant.^#Convert to the big endian variants.+QRSTUVW the pointer.the absolute offset in type safe length units.value to storeX.the pointer to the first element of the arraythe index of the arraythe value to storeY.the pointer to the first element of the arraythe index of the arrayZ the pointer the offset[How many items.\]^QRSTUVWXYZ[\]^ QRSTUVWXYZ[\]^%None:_ A typesafe length for Bytestring` A type safe version of replicateaCopy the bytestring to the crypto buffer. This operation leads to undefined behaviour if the crypto pointer points to an area smaller than the size of the byte string.b Similar to a but takes an additional input n which is the number of bytes (expressed in type safe length units) to transfer. This operation leads to undefined behaviour if either the bytestring is shorter than n7 or the crypto pointer points to an area smaller than n.c3Works directly on the pointer associated with the M. This function should only read and not modify the contents of the pointer.d(Get the value from the bytestring using .e The action  create l act creates a length l9 bytestring where the contents are filled using the the act to fill the buffer.fThe IO action createFrom n cptr" creates a bytestring by copying n bytes from the pointer cptr._`a The source.The destination.blength of data to be copiedThe source byte string The buffercdef_`abcdef_`abcdefNone g;An applicative parser type for reading data from a pointer.h/A parser that fails with a given error message.i,Return the bytes that this parser will read.j+Runs a parser on a byte string. It returns C if the byte string is smaller than what the parser would consume.k7Run the parser without checking the length constraints.AThe primary purpose of this function is to satisfy type checkers.lParses a value which is an instance of Storable. Beware that this parser expects that the value is stored in machine endian. Mostly it is useful in defining the  function in a complicated  instance.mParse a crypto value. Endian safety is take into account here. This is what you would need when you parse packets from an external source. You can also use this to define the U function in a complicated S instance.n-Parses a strict bytestring of a given length.o Similar to parseStorableVector but is expected to be slightly faster. It does not check whether the length parameter is non-negative and hence is unsafe. Use it only if you can prove that the length parameter is non-negative.p Similar to  parseVector but is expected to be slightly faster. It does not check whether the length parameter is non-negative and hence is unsafe. Use it only if you can prove that the length parameter is non-negative.q Similar to r but parses according to the host endian. This function is essentially used to define storable instances of complicated data. It is unlikely to be of use when parsing externally serialised data as one would want to keep track of the endianness of the data.rParses a vector of elements. It takes care of the correct endian conversion. This is the function to use while parsing external data.ghijklmnopqr ghijklmnopqr gihjkmlrqponghijklmnopqrNone_`abcdef_`defcab&None69:;sA binary format is a representation of binary data often in printable form. We distinguish between various binary formats at the type level and each supported format corresponds to an instance of the the class s. The t and u! are required to satisfy the laws $decodeFormat . encodeByteString = idFor type safety, the formats themselves are opaque types and hence it is not possible to obtain the underlying binary data directly. We require binary formats to be instances of the class v, with the combinators w and x of the v3 class performing the actual encoding and decoding. Instances of s! are required to be instances of c and so that the encoded format can be easily printed. They are also required to be instances of  E so that they can be easily represented in Haskell source using the OverloadedStringsu extension. However, be careful when using this due to the fact that invalid encodings can lead to runtime errors.txEncode binary data into the format. The return type gurantees that any binary data can indeed be encoded into a format.uDecode the format to its associated binary representation. Notice that this function always succeeds: we assume that elements of the type fmt3 are valid encodings and hence the return type is  instead of   ByteString.vThe type class vZ captures all the types that can be encoded into a stream of bytes. By making a type say Foo an instance of the vl class, we get for free methods to encode it in any of the supported formats (i.e. instances of the class s)..Minimum complete definition for this class is w and x. Instances of S{ have default definitions for both these functions and hence a trivial instance declaration is sufficient for such types.  instance Encodable Foo wConvert stuff to bytestringx5Try parsing back a value. Returns nothing on failure.yUnsafe version of x ?Bytestring itself is an encoding format (namely binary format).stuvwxy   stuvwxy stuvwxywx   'NoneIz&The type corresponding to the standard padded base-64 binary encoding. The base-64 encoding only produces valid base-64 characters. However, to aid easy presentation of long base-64 strings, a user can add add arbitrary amount of spaces and newlines. The decoding ignores these characters.Encoding word.z !"#$%&'()*+zz !"#$%&'()*+(NoneI{@The type corresponding to base-16 or hexadecimal encoding. The {M encoding has a special place in this library: most cryptographic types use { encoding for their  and   instance. The combinators | and }4 are exposed mainly to make these definitions easy.The base16 encoding only produces valid hex characters. However, to aid easy presentation of long hexadecimal strings, a user can add add arbitrary amount of spaces, newlines and the character :). The decoding ignores these characters.|Base16 variant of ,. Useful in definition of  2 instances as well as in cases where the default  0 instance does not parse from a base16 encoding.}Base16 variant of -.{./012345|}6789{|} {./012345|}6789None~Encode in a given format.MDecode from a given format. It results in Nothing if there is a parse error.The unsafe version of .%Translate from one format to another.~stuvwxyz{|}~vwxywxstu~{|}z~None9:;<=IA read io-action.The  is the type that captures the act of reading from a buffer and possibly doing some action on the bytes read. Although inaccurate, it is helpful to think of elements of W as action that on an input buffer transfers data from it to some unspecified source.<Read actions form a monoid with the following semantics: if r1 and r2 are two read actions then r1 : r2' first reads the data associated from r1- and then the read associated with the data r2.A write io-action.PAn element of type `WriteM m` is an action which when executed transfers bytes into its input buffer. The type  m8 forms a monoid and hence can be concatnated using the : operator.;jByte transfers that keep track of the number of bytes that were transferred (from/into) its input buffer.<cA action that transfers bytes from its input pointer. Transfer could either be writing or reading.='This monoid captures a transfer action.>'Make an explicit transfer action given.JReturns the bytes that will be written when the write action is performed.9Perform the write action without any checks of the buffer?3Function that explicitly constructs a write action.The expression  a+ gives a write action that stores a value a* in machine endian. The type of the value a has to be an instance of . This should be used when we want to talk with C functions and not when talking to the outside world (otherwise this could lead to endian confusion). To take care of endianness use the  combinator.The expression  a+ gives a write action that stores a value a". One needs the type of the value a to be an instance of S. Proper endian conversion is done irrespective of what the machine endianness is. The man use of this write is to serialize data for the consumption of the outside world.)Write many elements from the given bufferThe vector version of .The vector version of .The combinator writeBytes n b writes b as the next n consecutive bytes.The combinator glueWrites w n hdr ftr is equivalent to hdr <> glue <> ftr where the write glue writes as many bytes w5 so that the total length is aligned to the boundary n.The write action prependWrite w n wr is wr pre-pended with the byte w1 so that the total length ends at a multiple of n.The write action padWrite w n wr is wr padded with the byte w1 so that the total length ends at a multiple of n.Writes a strict bytestring.4A write action that just skips over the given bytes.@3Function that explicitly constructs a write action.The expression  bytesToRead rY gives the total number of bytes that would be read from the input buffer if the action r is performed. The action unsafeRead r ptr results in reading  bytesToRead r# bytes from the buffer pointed by ptrq. This action is unsafe as it will not (and cannot) check if the action reads beyond what is legally stored at ptr. The action readBytes sz dptrG gives a read action, which if run on an input buffer, will transfers sz' to the destination buffer pointed by dptrD. Note that it is the responsibility of the user to make sure that dptr has enough space to receive sz8 units of data if and when the read action is executed. The action readInto n dptrF gives a read action which if run on an input buffer, will transfers n elements of type a into the buffer pointed by dptr!. In particular, the read action readInto n dptr is the same as ,readBytes (fromIntegral n :: BYTES Int) dptr when the type a is A.&BCDE;<=FG>.The pointer for the buffer to be written into.?The bytes to use in the glue The length boundary to align to.The header writeThe footer writethe byte to pre-pend with."the length to align the message to"the message that needs pre-pendingthe padding byte to usethe length to align message tothe message that needs padding@.The pointer for the buffer to be written into.how much to read.buffer to read the bytes intohow many elements to read. buffer to read the elements into BCDE;<=FG>?@)None*,9;<=DOQRT Function that returns the dimension of the tuple. The dimension is calculated without inspecting the tuple and hence the term  (undefined :: Tuple 5 Int) will evaluate to 5.>The constaint on the dimension of the tuple (since base 4.7.0)^Tuples that encode their length in their types. For tuples, we call the length its dimension.H'Function to make the type checker happy3This combinator returns the dimension of the tuple.IGet the dimension to parser0Construct a tuple by repeating a monadic action.Construct a tuple out of the list. This function is unsafe and will result in run time error if the list is not of the correct dimension.gComputes the initial fragment of a tuple. No length needs to be given as it is infered from the types.The  diagonal a( gives a tuple, all of whose entries is a.J!Equality checking is timing safe.KLHMINOPJQKLHMINOPJQNoneH ./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^MSTUV[\RQ]^WXZY64523017@=;><89:.?/BCDAEFGHIJKLPONM  None %&9;<=DORT2A memory location to store a value of type having  instance.A memory type that can extract bytes into a buffer. The extraction will perform a direct copy and hence the chances of the extracted value ending up in the swap space is minimised.A memory type that can be initialised from a pointer buffer. The initialisation performs a direct copy from the input buffer and hence the chances of the initialisation value ending up in the swap is minimised.RMemories from which pure values can be extracted. Once a pure value is extracted,Memories that can be initialised with a pure value. The pure value resides in the Haskell heap and hence can potentially be swapped. Therefore, this class should be avoided if compromising the initialisation value can be dangerous. Consider using InitialiseableFromBuffer$A memory element that holds nothing.Any cryptographic primitives use memory to store stuff. This class abstracts all types that hold some memory. Cryptographic application often requires securing the memory from being swapped out (think of memory used to store private keys or passwords). This abstraction supports memory securing. If your platform supports memory locking, then securing a memory will prevent the memory from being swapped to the disk. Once secured the memory location is overwritten by nonsense before being freed.&While some basic memory elements like i are exposed from the library, often we require compound memory objects built out of simpler ones. The R instance of the  can be made use of in such situation to simplify such instance declaration as illustrated in the instance declaration for a pair of memory elements. instance (Memory ma, Memory mb) => Memory (ma, mb) where memoryAlloc = (,) <$> memoryAlloc <*> memoryAlloc unsafeToPointer (ma, _) = unsafeToPointer ma%Returns an allocator for this memory.-Returns the pointer to the underlying buffer.'A memory allocator for the memory type mem. The R instance of AllocU can be used to build allocations for complicated memory elements from simpler ones.BA memory action that uses some sort of memory element internally.S"A runner of a memory state thread.T A pointer action inside a monad m7 is some function that takes a pointer action of type Pointer -> m ae and supplies it with an appropriate pointer. In particular, memory allocators are pointer actions.An action of type  mem aE is an action that uses internally a a single memory object of type mem and returns a result of type aw. All the actions are performed on a single memory element and hence the side effects persist. It is analogues to the ST monad.AA class that captures monads that use an internal memory element.Any instance of  can be executed  in which case all allocations are performed from a locked pool of memory. which at the end of the operation is also wiped clean before deallocation.Systems often put tight restriction on the amount of memory a process can lock. Therefore, secure memory is often to be used judiciously. Instances of this class should$ also implement the the combinator : which allocates all memory from an unlocked memory pool.&This library exposes two instances of  Memory threads captured by the type G, which are a sequence of actions that use the same memory element andMemory actions captured by the type .WARNING: Be careful with U.The rule of thumb to follow is that the action being lifted should itself never unlock any memory. In particular, the following code is bad because the 2 action unlocks some portion of the memory after foo is executed.  liftIO $ securely $ foo ,On the other hand the following code is fine ( liftIO $ insecurely $ someMemoryAction  Whether an IOn action unlocks memory is difficult to keep track of; for all you know, it might be a FFI call that does an  memunlock.BAs to why this is dangerous, it has got to do with the fact that mlock and munlock! do not nest correctly. A single munlock can unlock multiple calls of mlock on the same page.Perform the memory action where all memory elements are allocated locked memory. All memory allocated will be locked and hence will never be swapped out by the operating system. It will also be wiped clean before releasing.Memory locking is an expensive operation and usually there would be a limit to how much locked memory can be allocated. Nonetheless, actions that work with sensitive information like passwords should use this to run an memory action.Perform the memory action where all memory elements are allocated unlocked memory. Use this function when you work with data that is not sensitive to security considerations (for example, when you want to verify checksums of files).DAn IO allocator can be lifted to the memory thread level as follows./Run a given memory action in the memory thread.The combinator  onSubMemory[ allows us to run a memory action on a sub-memory element. Given a memory element of type mem and a sub-element of type submemA which can be obtained from the compound memory element of type mem using the projection proj, then onSubMemory projG lifts the a memory thread of the sub element to the compound element.Alternate name for onSubMemory.0Run the memory thread to obtain a memory action.V*Make an allocator for a given memory type.Allocates a buffer of size l' and returns the pointer to it pointer.Copy data from a given memory location to the other. The first argument is destionation and the second argument is source to match with the convention followed in memcpy.WCPerform an action which makes use of this memory. The memory allocated will automatically be freed when the action finishes either gracefully or with some exception. Besides being safer, this method might be more efficient as the memory might be allocated from the stack directly and will have very little GC overhead.X Similar to W but allocates a secure memory for the action. Secure memories are never swapped on to disk and will be wiped clean of sensitive data after use. However, be careful when using this function in a child thread. Due to the daemonic nature of Haskell threads, if the main thread exists before the child thread is done with its job, sensitive data can leak. This is essentially a limitation of the bracket which is used internally.BApply the given function to the value in the cell. For a function  f :: b -> a, the action modify f first extracts a value of type b# from the memory element, applies f1 to it and puts the result back into the memory. Cmodify f = do b <- extract initialise $ f bYThe location where the actual storing of element happens. This pointer is guaranteed to be aligned to the alignment restriction of a^Work with the underlying pointer of the memory cell. Useful while working with ffi functions.6Get the pointer associated with the given memory cell.@Z[\]^_`STab<Projection from the compound element to sub memory element.!Memory thread of the sub-element.V DestinationSourceWXY0Z[\]^_`STabVWXYNone *:<=ADIRT Type safe message length in units of blocks of the primitive. When dealing with buffer lengths for a primitive, it is often better to use the type safe units . Functions in the raaz package that take lengths usually allow any type safe length as long as they can be converted to bytes. This can avoid a lot of tedious and error prone length calculations.Some primitives like ciphers have an encryption/decryption key. This type family captures the key associated with a primitive if it has any.3Primitives that have a recommended implementations.1The recommended implementation for the primitive.The type class that captures an abstract block cryptographic primitive. Bulk cryptographic primitives like hashes, ciphers etc often acts on blocks of data. The size of the block is captured by the member .nAs a library, raaz believes in providing multiple implementations for a given primitive. The associated type , captures implementations of the primitive.ZFor use in production code, the library recommends a particular implementation using the b class. By default this is the implementation used when no explicit implementation is specified.CAssociated type that captures an implementation of this primitive.The block size.Implementation of block primitives work on buffers. Often for optimal performance, and in some case for safety, we need restrictions on the size and alignment of the buffer pointer. This type class captures such restrictions..The alignment expected for the buffer pointer.NAllocate a buffer a particular implementation of a primitive prim. algorithm algo_. It ensures that the memory passed is aligned according to the demands of the implementation.The expression n  pN specifies the message lengths in units of the block length of the primitive pH. This expression is sometimes required to make the type checker happy.cd cd SafeDRMThe DH (Diffie-Hellman) typeclass provides an interface for key exchanges. I represents the secret generated by each party & known only to itself. + represents the token generated from the $ which is sent to the other party. ] represents the common secret generated by both parties from the respective public tokens. R takes the generator of the group and a secret and generates the public token. } takes the generator of the group, secret of one party and public token of the other party and generates the shared secret.*NoneRTypical size of L1 cache. Used for selecting buffer size etc in crypto operations. None: A byte source src is pure if filling from it does not have any other side effect on the state of the byte source. Formally, two different fills form the same source should fill the buffer with the same bytes. This additional constraint on the source helps to purify` certain crypto computations like computing the hash or mac of the source. Usualy sources like D etc are pure byte sources. A file handle is a byte source that is not a pure source.TAbstract byte sources. A bytesource is something that you can use to fill a buffer.Fills a buffer from the source.2This type captures the result of a fill operation.the buffer is filled completely*source exhausted with so much bytes read.#Combinator to handle a fill result.=A version of fillBytes that takes type safe lengths as input.:Process data from a source in chunks of a particular size.stuff to do when filledstuff to do when exhaustedthe fill result to process  None ./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefstuvwxyz{|}~+NoneeGet random bytes from the system. Do not over use this function as it is meant to be used by a PRG. This function reads bytes from '/dev/urandom'.eee None!"*9:;<=ADRTComputing cryptographic hashes usually involves chunking the message into blocks and compressing one block at a time. Usually this compression makes use of the hash of the previous block and the length of the message seen so far to compressing the current block. Most implementations therefore need to keep track of only hash and the length of the message seen so. This memory can be used in such situations.Cell to store the hashCell to store the length*Type class capturing a cryptographic hash. Cryptographic hashes can be computed for messages that are not a multiple of the block size. This combinator computes the maximum size of padding that can be attached to a message. Some implementation of a given hash. The existentially quantification allows us freedom to choose the best memory type suitable for each implementations. LThe constraints that a memory used by a hash implementation should satisfy. FThe Hash implementation. Implementations should ensure the following.  The action compress impl ptr blks should only read till the blks1 offset starting at ptr and never write any data. The action padFinal impl ptr byts should touch at most #byts/blocksize# + padBlocks@ blocks starting at ptr. It should not write anything till the byts) offset but may write stuff beyond that.mAn easy to remember this rule is to remember that computing hash of a payload should not modify the payload.compress the blocks, pad and process the final bytes,Certain hashes are essentially bit-truncated versions of other hashes. For example, SHA224 is obtained from SHA256 by dropping the last 32-bits. This combinator can be used build an implementation of truncated hash from the implementation of its parent hash.-Compute the hash of a pure byte source like, .Compute the hash of file.*Compute the hash of a generic byte source. Similar to 5 but the user can specify the implementation to use.ISimilar to hashFile' but the user can specify the implementation to use. Similar to  hashSource5 but the user can specify the implementation to use.Gives a memory action that completes the hashing procedure with the rest of the source. Useful to compute the hash of a source with some prefix (like in the HMAC procedure).0Extract the length of the message hashed so far.,Update the message length by a given amount.!     MessageFile to be hashedMessageImplementationthe message as a byte source.ImplementationFile to be hashed !"#$                !"#$,None*:DR fAction on a BuffergThe type alias for the raw compressor function. The compressor function does not need to know the length of the message so far and hence this is not supposed to update lengths.h!Type that captures length writes.iThe Writes used in this module.j+All actions here are in the following monadkaThe utilities in this module can be used on primitives which satisfies the following constraint.l&The length encoding that uses 64-bits.m'The length encoding that uses 128-bits.nXLifts the raw compressor to a buffer action. This function does not update the lengths.oThe combinator o on an input compressor comp4 gives a buffer action that process blocks of data.pThe combinator p on an input compressor comp2 gives buffer action for the final chunk of data.qPadding is message followed by a single bit 1 and a glue of zeros followed by the length so that the message is aligned to the block boundary.rUCreates an implementation for a sha hash given the compressor and the length writer. fThe data bufferTotal data presentgThe buffer to compress The number of blocks to compress#The cell memory containing the hashhijklmnothe compressor functionpthe raw compressorthe length writerqrName Descriptionglmr fghijklmnopqr-None ,9;<=DIR%The cryptographic hash SHA1.%stuvwxy%s%stuvwxyNone&&The portable C implementation of SHA1.z&{&&z&{.None||/None ,9;<=DIR'1Sha224 hash value which consist of 7 32bit words.'}~'}'}~0None ,9;<=DIR(The Sha256 hash value.(((None)(The portable C implementation of SHA256.)*)*)*)*None<=+(The portable C implementation of SHA224.+,-.+++,-.1None2None3None ,9;<=DIR/The Sha384 hash value.///4None ,9;<=DIR0@The Sha512 hash value. Used in implementation of Sha384 as well.000None1(The portable C implementation of SHA512.12121212None<=3(The portable C implementation of SHA384.34563334565None6NoneNone*9:;<=ADRT73Class that captures stream ciphers. An instance of 7 should be an instance of 8-, with the following additional constraints. ;The encryption and decryption should be the same algorithm.=Encryption/decryption can be applied to a messages of length l even if l# is not a multiple of block length.'The encryption of a prefix of a length l of a message m should be the same as the l( length prefix of the encryption of m.It is the duty of the implementer of the cipher to ensure that the above conditions are true before declaring an instance of a stream cipher.8Class capturing ciphers. The implementation of this class should give an encryption and decryption algorithm for messages of length which is a multiple of the block size. Needless to say, the encryption and decryption should be inverses of each other for such messages.9ySome implementation of a block cipher. This type is existentially quantifies over the memory used in the implementation.@Type constraints on the memory of a block cipher implementation.;%The implementation of a block cipher.?)The underlying block encryption function.@)The underlying block decryption function.BBlock cipher modes.CCipher-block chainingDCounterE Constructs a ;l value out of a stream transformation function. Useful in building a Cipher instance of a stream cipher.FEncrypt the given J. This function is unsafe because it only works correctly when the input E is of length which is a multiple of the block length of the cipher.GTransforms a given bytestring using a stream cipher. We use the transform instead of encrypt/decrypt because for stream ciphers these operations are same.HVTransform a given bytestring using the recommended implementation of a stream cipher.IvEncrypt using the recommended implementation. This function is unsafe because it only works correctly when the input E is of length which is a multiple of the block length of the cipher.JDecrypts the given J. This function is unsafe because it only works correctly when the input E is of length which is a multiple of the block length of the cipher.KvDecrypt using the recommended implementation. This function is unsafe because it only works correctly when the input E is of length which is a multiple of the block length of the cipher.789:;<=>?@ABCDEname descriptionstream transformerbuffer starting alignmentFThe cipher to useThe implementation to useThe key to useThe string to encrypt.GHI The cipherThe key to useThe string to encryptJThe cipher to useThe implementation to useThe key to useThe string to encrypt.K The cipherThe key to useThe string to encryptLMNO789:;<=>?@ABCDEFGHIJK8BCD;<=>?@A9:7EHGIKFJ789:;<=>?@ABCDEFGHIJKLMNO7None ,9;<=DIRchacha20 memoryS The key type.TThe counter type for chacha20UThe IV for the chacha20The chacha20 stream cipher. The word typeRSTURSTURSTUNone,9;<=Chacha20 block transformation.*Encrypting/Decrypting a block of chacha20.W"The chacha20 randomness generator.The chacha20 randomness generator. We have set the alignment to 32 because this allows gcc to further optimise the implementation.VWVWVWVW8None9; The chacha stream cipher is also used as the prg for generating random bytes. Such a prg needs to keep an auxilary buffer type so that one can generate random bytes not just of block size but smaller. This memory type is essentially for maintaining such a buffer.dGet the actual location where the data is to be stored. Ensures that the pointer is aligned to the randomBufferAlignment restriction.6The size of the buffer in blocks of ChaCha20. While the implementations should handle any multiple of blocks, often implementations naturally handle some multiple of blocks, for example the Vector256 implementation handles 2-chacha blocks. Set this quantity to the maximum supported by all implementations.Implementations are also designed to work with a specific alignment boundary. Unaligned access can slow down the primitives quite a bit. Set this to the maximum of alignment supported by all implementationsW9None: ,Memory for strong the internal memory state.The maximum value of counter before reseeding from entropy source. Currently set to 1024 * 1024 * 1024. Which will generate 64GB before reseeding.The counter is a 32-bit quantity. Which means that one can generate 2^32 blocks of data before the counter roles over and starts repeating. We have choosen a conservative 2^30 blocks here.%Run an action on the auxilary buffer.&Get the number of bytes in the buffer."Set the number of remaining bytes.7This fills in the random block with some new randomness See the PRG from system entropy.HSeed if we have already generated maxCounterVal blocks of random bytes.Reseed the prg.qThe function to generate random bytes. Fills from existing bytes and continues if not enough bytes are obtained.Fill from already existing bytes. Returns the number of bytes filled. Let remaining bytes be r. Then fillExistingBytes will fill min(r,m) bytes into the buffer, and return the number of bytes filled. NoneI XTypes that can be generated at random. It might appear that all storables should be an instance of this class, after all we know the size of the element why not write that many random bytes. In fact, this module provides an _ which does exactly that. However, we do not give a blanket definition for all storables because for certain refinements of a given type, like for example, Word8's modulo 10, _ introduces unacceptable skews.Z>The monad for generating cryptographically secure random data.[)A batch of actions on the memory element mem that uses some randomness.\4Lift a memory action to the corresponding RT action.mRun a randomness thread. In particular, this combinator takes care of seeding the internal prg at the start.]Reseed from the system entropy pool. There is never a need to explicitly seed your generator. The insecurely and securely calls makes sure that your generator is seed before starting. Furthermore, the generator also reseeds after every few GB of random bytes generates. Generating random data from the system entropy is usually an order of magnitude slower than using a fast stream cipher. Reseeding often can slow your program considerably without any additional security advantage.^/Fill the given input pointer with random bytes._SGenerate a random element. The element picked is crypto-graphically pseudo-random.RThis is a helper function that has been exported to simplify the definition of a X instance for ] types. However, there is a reason why we do not give a blanket instance for all instances T and why this function is unsafe? This function generates a random element of type a by generating n random bytes where n is the size of the elements of a'. For instances that range the entire ns byte space this is fine. However, if the type is actually a refinement of such a type --- consider for example, A modulo 10o -- this function generates an unacceptable skew in the distribution. Hence this function is prefixed unsafe.`Generate a random byteString. The action unsafePokeManyRandom n ptr pokes n random elements at the location starting at ptr. If the underlying type does not saturate its entire binary size (think of say Word8 modulo 5), the distribution of elements can be rather skewed . Hence the prefix unsafe. This function is exported to simplify the definition X" instance. Do not use it unwisely.!XYZ[\]^_`abcdefghijklmnopqrst XYZ[\]^_` Z[\`XY^_]XYZ[\]^_`abcdefghijklmnopqrst:None*9:;ADIRTyThe HMAC associated to a hash value. The HMAC type is essentially the underlying hash type wrapped inside a newtype. Therefore, the & instance for HMAC is essentially the  instance for the underlying hash. It is safe against timing attack provided the underlying hash comparison is safe under timing attack.The HMAC key type. The HMAC keys are usually of size at most the block size of the associated hash, although the hmac construction allows using keys arbitrary size. Using keys of small size, in particular smaller than the size of the corresponding hash, can can compromise security. A note on  and   instances of keys.6As any other cryptographic type HMAC keys also have a   and  instance which is essentially the key expressed in base16. Keys larger than the block size of the underlying hashes are shortened by applying the appropriate hash. As a result the - and ,$ need not be inverses of each other.z-Compute the hash of a pure byte source like, .{Compute the hash of file.|*Compute the hash of a generic byte source.-Compute the hash of a pure byte source like, .Compute the hash of file.$Base16 representation of the string.ythe key.zMessage{File to be hashed|MessageMessageFile to be hashed yz{|yz{| None}(Compute the sha1 hash of an instance of H. Use this for computing the sha1 hash of a strict or lazy byte string.~ Compute the sha1 hash of a file./Compute the sha1 hash of a general byte source.8Compute the message authentication code using hmac-sha1.3Compute the message authentication code for a file.ACompute the message authetication code for a generic byte source.}~%}~%}~}~None*Compute the sha224 hash of an instance of J. Use this for computing the sha224 hash of a strict or lazy byte string."Compute the sha224 hash of a file.1Compute the sha224 hash of a general byte source.:Compute the message authentication code using hmac-sha224.3Compute the message authentication code for a file.ACompute the message authetication code for a generic byte source. Key to use)pure source whose hmac is to be computed Key to use!File whose hmac is to be computed''None*Compute the sha256 hash of an instance of J. Use this for computing the sha256 hash of a strict or lazy byte string."Compute the sha256 hash of a file.1Compute the sha256 hash of a general byte source.:Compute the message authentication code using hmac-sha256.3Compute the message authentication code for a file.ACompute the message authetication code for a generic byte source. Key to use)pure source whose hmac is to be computed Key to use!File whose hmac is to be computed((None*Compute the sha384 hash of an instance of J. Use this for computing the sha384 hash of a strict or lazy byte string."Compute the sha384 hash of a file.1Compute the sha384 hash of a general byte source.:Compute the message authentication code using hmac-sha384.3Compute the message authentication code for a file.ACompute the message authetication code for a generic byte source. Key to use)pure source whose hmac is to be computed Key to use!File whose hmac is to be computed//None*Compute the sha512 hash of an instance of J. Use this for computing the sha512 hash of a strict or lazy byte string."Compute the sha512 hash of a file.1Compute the sha512 hash of a general byte source.:Compute the message authentication code using hmac-sha512.3Compute the message authentication code for a file.ACompute the message authetication code for a generic byte source. Key to use)pure source whose hmac is to be computed Key to use!File whose hmac is to be computed00None$'(/0yz{|yz{|NoneThe chacha20 stream cipher.RSTURSUT;None ,9;<=DIRThe IV used by the CBC mode.Key used for AES-128Key used for AES-128Key used for AES-128A tuple of AES words.The basic word used in AES.The type associated with AES ciphers. Raaz provides AES variants with key lengths 128, 192 and 256. The key types for the above ciphers in cbc mode are given by the types (, IV), (, IV) (, IV) respectively.128-bit aes cipher in C mode.128-bit aes cipher in C mode.128-bit aes cipher in C mode.#Smart constructors for AES 128 ctr.0Poke a key and expand it with the given routine.#The 256-bit aes cipher in cbc mode.#The 192-bit aes cipher in cbc mode.#The 128-bit aes cipher in cbc mode.Shown as a its base16 encoding.Expects in base16.Shows in base 16Expects in base 16Shows in base 16Expects in base 16Shows in base 16Expects in base 164 key to pokeexpansion algorithmbuffer pointer.      ,     None,9;<=Memory for aes-256-cbcMemory for aes-192-cbcMemory for aes-128-cbc CBC decrypt CBC encrypt.Transpose AES matrices.;Implementation of 128-bit AES in CBC mode using Portable C.)128-bit AES in CBC mode using Portable C.The encryption action.The decryption action.;Implementation of 192-bit AES in CBC mode using Portable C. )192-bit AES in CBC mode using Portable C.!The encryption action."The decryption action.;Implementation of 256-bit AES in CBC mode using Portable C.#)256-bit AES in CBC mode using Portable C.$The encryption action.%The decryption action.!&'()*+,-. !"#$%&'()*+,-. !"#$%<None,9;/01/01None  =None78H7H8>Safe 23456789:;<=>39:;<=> 23456789:;<=>NoneRaaz library version number. ./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefstuvwxyz{|}~'(/078HXYZ[\]^_`yz{|??@AB C D E!F!F!G!H!H!I!J!K"L"M"N"O"PQRSTTUVVWXYZ[\]^_`abcdefgh#i#j#k#k#l#l#m#n#o#p#q#r#s#t#u#v#w#x#y#z#{#|#}#~###########$$$$$$$$$$$$$$%%%%%%%%&&&&&&&'((()))))))      !" # $ % & ' (*) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = = > ? @ A B B C D D E F G H I J K L M N O P Q R S T U V W X Y Z-[\/]0^\_\`ab3c4d\_\efghijjkklmnopqrstuvwxyz{|}~7777\::::      ;;;;;;;;;?!!""L""####i##j### # # # # ####$$$$$$$$$$$$$$$$$ $!$"$#$$$%$&$'$($)$*$+$,-./01230456789:;<&=&>&?&@&A&B&C&D'E''F'G'H'I'J'K'L'M'N'O'P'Q'R'S'T'U'V'W'X'Y'Z'['\:]8^((_(`(a(I(J(b(c(d(e(f(ghijklmnopqrslt)u)v)w))x)y)z){)|)}~+,,,,,,,,,,,,,-[------_./]/////0^000000_123c333334d444444_5677777777777777777777777888888889999999999999999::::::::::::::::;;;;;;;;;;;;;;; ; ; ; ; ; ;;;;;; ; ;;;;;;;;;;;;;;;; !"#$%&'()*+,-./0<1<2<3>4>>5>6>7>8>9>:>;><>=>>>?@!raaz-0.1.0-81uGGwrTG6TG4mE3qPBdjTRaaz.Core.TypesRaaz.Core.MonoidalActionRaaz.Core.UtilRaaz.Core.Parse.ApplicativeRaaz.Core.EncodeRaaz.Core.TransferRaaz.Core.MemoryRaaz.Core.Primitives Raaz.Core.DH Raaz.CoreRaaz.Core.ByteSourceRaaz.Hash.InternalRaaz.Hash.Sha1'Raaz.Hash.Sha1.Implementation.CPortableRaaz.Hash.Sha224Raaz.Hash.Sha256)Raaz.Hash.Sha256.Implementation.CPortable)Raaz.Hash.Sha224.Implementation.CPortableRaaz.Hash.Sha384Raaz.Hash.Sha512)Raaz.Hash.Sha512.Implementation.CPortable)Raaz.Hash.Sha384.Implementation.CPortableRaaz.Cipher.InternalRaaz.Cipher.ChaCha20-Raaz.Cipher.ChaCha20.Implementation.CPortable Raaz.Random Raaz.HashRaaz.Cipher.AES,Raaz.Cipher.AES.CBC.Implementation.CPortableRaazRaaz.Core.Types.EqualityRaaz.Core.Types.DescribeRaaz.Core.Types.CopyingRaaz.Core.Types.AlignedRaaz.Core.Types.PointerRaaz.Core.Types.EndianRaaz.Core.Util.ByteStringRaaz.Core.Encode.InternalRaaz.Core.Encode.Base64Raaz.Core.Encode.Base16Raaz.Core.Types.TupleRaaz.Core.Constants Raaz.EntropyRaaz.Hash.Sha.UtilRaaz.Hash.Sha1.InternalRaaz.Hash.Sha1.RecommendationRaaz.Hash.Sha224.InternalRaaz.Hash.Sha256.InternalRaaz.Hash.Sha224.RecommendationRaaz.Hash.Sha256.RecommendationRaaz.Hash.Sha384.InternalRaaz.Hash.Sha512.InternalRaaz.Hash.Sha384.RecommendationRaaz.Hash.Sha512.RecommendationRaaz.Cipher.ChaCha20.Internal#Raaz.Cipher.ChaCha20.RecommendationRaaz.Random.ChaCha20PRGRaaz.Hash.Internal.HMACRaaz.Cipher.AES.InternalRaaz.Cipher.AES.Recommendation Raaz.Cipher Paths_raazResultEqualityeq=== Describablename descriptionDestunDestSrcunSrcsource destinationAligned unAlignedaligned16Bytesaligned32Bytesaligned64BytesFieldMFieldFieldATwistRF DistributiveFSemiR DistributiveLActionF<<.>>LAction<.><++> semiRSpace semiRMonoidtwistFunctorValuetwistMonoidValue computeField liftToFieldM runFieldM$fDistributiveFmWrappedArrow$fLActionFmWrappedArrow$fApplicativeTwistRF$fFunctorTwistRF $fMonoidSemiR AlignmentALIGNBITSBYTES LengthUnitinBytesPointerinBitsatLeastatLeastAlignedatMost bytesQuotRem bytesQuot bitsQuotRembitsQuot wordAlignmentsizeOf alignedSizeOf alignmentalignPtrmovePtrnextAlignedPtr peekAligned pokeAligned allocaAlignedallocaSecureAligned allocaBuffer allocaSecure mallocBufferhFillBufmemcpymemmovememsetBELE EndianStorestoreload adjustEndianstoreAt storeAtIndex loadFromIndexloadFrom copyFromBytes copyToBytes littleEndian bigEndianlength replicateunsafeCopyToPointerunsafeNCopyToPointerwithByteStringfromByteStringStorablecreate createFromParser parseError parseWidth runParserunsafeRunParser parseStorableparseparseByteStringunsafeParseStorableVectorunsafeParseVectorparseStorableVector parseVectorFormatencodeByteString decodeFormat Encodable toByteStringfromByteStringunsafeFromByteStringBase64Base16 fromBase16 showBase16encodedecode unsafeDecode translateReadIOReadMWriteIOWriteM bytesToWrite unsafeWrite writeStorablewrite writeFromwriteStorableVector writeVector writeBytes glueWrites prependWritepadWritewriteByteString skipWrite bytesToRead unsafeRead readBytesreadInto$fEncodableWriteM$fIsStringWriteM$fDistributiveBYTES(->)$fLActionBYTES(->)$fMonoidTransferM$fMonoidWriteM $fMonoidReadM DimensionTuple dimensionrepeatMunsafeFromListinitialdiagonal MemoryCellExtractableToBuffer extractorInitialisableFromBuffer initialiser Extractableextract Initialisable initialise VoidMemoryMemory memoryAllocunsafeToPointerAllocMemoryMMT MonadMemorysecurely insecurelyliftPointerActionexecute getMemory onSubMemory liftSubMTrunMT pointerAlloc copyMemorymodifywithCellPointergetCellPointer$fExtractableToBufferMemoryCell#$fInitialisableFromBufferMemoryCell$fExtractableMemoryCella$fInitialisableMemoryCella$fMemoryMemoryCell $fMemory(,,,) $fMemory(,,) $fMemory(,)$fMemoryVoidMemory$fMonadMemoryMemoryM$fMonadIOMemoryM$fMonadMemoryM$fApplicativeMemoryM$fFunctorMemoryM$fMonadMemoryMT $fMonadIOMT $fMonadMT$fApplicativeMT $fFunctorMTBLOCKSKeyRecommendation recommended PrimitiveImplementation blockSizeBlockAlgorithmbufferStartAlignmentallocBufferForblocksOf$fLengthUnitBLOCKS$fMonoidBLOCKS $fShowBLOCKS $fEqBLOCKS $fOrdBLOCKS $fEnumBLOCKS $fRealBLOCKS $fNumBLOCKS$fIntegralBLOCKSDHSecret PublicToken SharedSecret publicToken sharedSecretl1CachePureByteSource ByteSource fillBytes FillResult Remaining ExhaustedwithFillResultfill processChunks$fPureByteSourceMaybe$fPureByteSource[]$fPureByteSourceByteString$fPureByteSourceByteString0$fByteSource[]$fByteSourceMaybe$fByteSourceByteString$fByteSourceByteString0$fByteSourceHandle$fFunctorFillResult HashMemoryhashCellmessageLengthCellHashadditionalPadBlocks SomeHashIHashMHashI hashINamehashIDescriptioncompress compressFinalcompressStartAlignment truncatedIhashhashFile hashSourcehash' hashFile' hashSource'completeHashing extractLength updateLength$fExtractableHashMemoryh$fInitialisableHashMemoryh$fMemoryHashMemory$fBlockAlgorithmSomeHashI$fDescribableSomeHashI$fDescribableHashI$fBlockAlgorithmHashISHA1implementationSHA224SHA256 cPortable$fExtractableSHA224MemorySHA224$fInitialisableSHA224Memory()$fMemorySHA224MemorySHA384SHA512$fExtractableSHA384MemorySHA384$fInitialisableSHA384Memory()$fMemorySHA384Memory StreamCipherCipher SomeCipherICipherI cipherINamecipherIDescription encryptBlocks decryptBlockscipherStartAlignment CipherModeCBCCTR makeCipherIunsafeEncrypt' transform' transform unsafeEncryptunsafeDecrypt' unsafeDecrypt$fBlockAlgorithmSomeCipherI$fDescribableSomeCipherI$fDescribableCipherI$fBlockAlgorithmCipherI$fShowCipherMode$fEqCipherModeChaCha20KEYCounterIVchacha20RandomRandomrandomRandMRTliftMTreseedfillRandomBytesunsafeStorableRandomrandomByteString$fRandom(,,,,) $fRandom(,,,) $fRandom(,,) $fRandom(,) $fRandomTuple $fRandomBE $fRandomLE $fRandomIV $fRandomKEY $fRandomInt $fRandomInt64 $fRandomInt32 $fRandomInt16 $fRandomInt8 $fRandomWord$fRandomWord64$fRandomWord32$fRandomWord16 $fRandomWord8$fMonadMemoryRT $fFunctorRT$fApplicativeRT $fMonadRT $fMonadIORTHMAChmachmacFile hmacSourcesha1sha1File sha1SourcehmacSha1 hmacSha1FilehmacSha1Sourcesha224 sha224File sha224Source hmacSha224hmacSha224FilehmacSha224Sourcesha256 sha256File sha256Source hmacSha256hmacSha256FilehmacSha256Sourcesha384 sha384File sha384Source hmacSha384hmacSha384FilehmacSha384Sourcesha512 sha512File sha512Source hmacSha512hmacSha512FilehmacSha512Sourcechacha20KEY256KEY192KEY128AES aes128cbc aes192cbc aes256cbc aes128ctr aes128cbcI aes192cbcI aes256cbcI$fInitialisableM256(,) $fMemoryM256$fInitialisableM192(,) $fMemoryM192$fInitialisableM128(,) $fMemoryM128versionghc-prim GHC.ClassesEq isSuccessfulD:R:VectorResult0D:R:MVectorsResult0unResultV_Result MV_Result$fVectorVectorResult$fMVectorMVectorResult $fUnboxResult$fMonoidResult$fEquality(,,,,,,)$fEquality(,,,,,)$fEquality(,,,,)$fEquality(,,,)$fEquality(,,) $fEquality(,)$fEqualityWord64$fEqualityWord32$fEqualityWord16$fEqualityWord8$fEqualityWord $fFunctorDest $fFunctorSrc AlignBoundaryalignmentBoundary$fStorableAlignedbaseGHC.BaseMonoidmappendAlignc_memcpyGHC.RealquotRemForeign.Marshal.AllocallocaBytesAligned mallocBytesGHC.IO.Handle.TexthGetBuf $fLActionuPtr unAlignmentunALIGNc_memset c_memmove c_munlockc_mlock$fMonoidAlignment$fLengthUnitBYTES$fLengthUnitALIGN $fMonoidALIGN $fMonoidBYTESunBEunLEV_BEMV_BEV_LEMV_LE c_Swap64Array c_Swap32ArrayunBEPtr$fVectorVectorBE$fMVectorMVectorBE$fVectorVectorLE$fMVectorMVectorLE D:R:VectorBE0D:R:MVectorsBE0 D:R:VectorLE0D:R:MVectorsLE0 $fUnboxBE $fUnboxLE$fEndianStoreLE$fEndianStoreLE0$fEndianStoreBE$fEndianStoreBE0 $fFunctorBE $fFunctorLE$fEndianStoreBYTES$fEndianStoreWord8bytestring-0.10.8.1Data.ByteString.Internal ByteStringForeign.StorablepeekNothing undefParseStorable ParseAction BytesMonoid makeParserGHC.ShowShow Data.StringIsStringMaybe$fFormatByteString$fEncodableBYTES$fEncodableBITS$fEncodableByteString $fEncodableBE$fEncodableBE0 $fEncodableLE$fEncodableLE0b64unBase64top6bot2top4bot4top2bot6byte0byte1byte2byte3padunB64toB64merg0merg1merg2 unsafeFromB64unsafeFromB64P$fFormatBase64$fIsStringBase64 $fShowBase64$fEncodableBase64 fromStringshowunBase16hexhexDigit unsafeFromHexunsafeFromHexP$fFormatBase16$fIsStringBase16 $fShowBase16$fEncodableBase16 Data.Monoid<>TransferTransferAction TransferM makeTransfer makeWritemakeReadGHC.WordWord8unReadMunWriteM unTransferMgetAgetParseDimension $fEqTupleunTuple dimensionP getTupFromP$fEndianStoreTuple$fStorableTuple$fEqualityTuple ApplicativeRunner PointerActionControl.Monad.IO.ClassliftIO makeAlloc withMemorywithSecureMemory actualCellPtr unMemoryCell unVoidMemory AllocField unMemoryMunMTunBLOCKS getEntropyShaBufferAction Compressor LengthWriteShaWriteShaMonadIsSha length64Writelength128WriteliftCompressor shaBlocksshaFinalshaPadshaImplementation $fHashSHA1$fPrimitiveSHA1$fInitialisableHashMemory() $fShowSHA1$fIsStringSHA1$fEncodableSHA1c_sha1_compress$fRecommendationSHA1 $fHashSHA224$fPrimitiveSHA224 $fShowSHA224$fIsStringSHA224$fEncodableSHA224 $fHashSHA256$fPrimitiveSHA256 $fShowSHA256$fIsStringSHA256$fEncodableSHA256c_sha256_compress SHA224Memory unSHA224Mem$fRecommendationSHA224$fRecommendationSHA256 $fHashSHA384$fPrimitiveSHA384 $fShowSHA384$fIsStringSHA384$fEncodableSHA384 $fHashSHA512$fPrimitiveSHA512 $fShowSHA512$fIsStringSHA512$fEncodableSHA512c_sha512_compress SHA384Memory unSHA384Mem$fRecommendationSHA384$fRecommendationSHA512CipherM ChaCha20MemWORDkeyCellivCell counterCell ChaCha20Key$fInitialisableChaCha20Mem(,)$fInitialisableChaCha20Mem(,,)$fMemoryChaCha20Mem$fStreamCipherChaCha20$fCipherChaCha20$fDescribableChaCha20$fPrimitiveChaCha20 $fIsStringKEY $fShowKEY$fEncodableKEY $fIsStringIV$fShowIV $fEncodableIVc_chacha20_block chacha20Blockchacha20Portable RandomBufgetBufferPointerrandomBufferSizerandomBufferAlignmentunBuf$fMemoryRandomBuf$fRecommendationChaCha20 RandomState maxCounterVal withAuxBuffergetRemainingBytessetRemainingBytes newSampleseed seedIfReqreseedMTfillRandomBytesMTfillExistingBytes chacha20State auxBufferremainingBytes$fMemoryRandomStaterunRTunsafePokeManyRandomHMACKeyhmac' hmacFile'$fIsStringHMACKeyunHMACunKey hmacAdjustKey hmacSource' $fShowHMAC $fShowHMACKey$fEncodableHMACKey$fRandomHMACKey$fEndianStoreHMACKey$fStorableHMACKeyTUPLE pokeAndExpand$fPrimitiveAES$fPrimitiveAES0$fPrimitiveAES1 $fShowKEY256$fIsStringKEY256 $fShowKEY192$fIsStringKEY192 $fShowKEY128$fIsStringKEY128EKEY256EKEY192EKEY128c_expand$fInitialisableMemoryCellKEY256$fInitialisableMemoryCellKEY192$fInitialisableMemoryCellKEY128 $fCipherAES$fDescribableAES $fCipherAES0$fDescribableAES0 $fCipherAES1$fDescribableAES1$fRandomKEY256$fRandomKEY192$fRandomKEY128$fEncodableKEY256$fEncodableKEY192$fEncodableKEY128M256M192M128 c_aes_cbc_d c_aes_cbc_e c_transposecbc128CPortable cbc128Encrypt cbc128Decryptcbc192CPortable cbc192Encrypt cbc192Decryptcbc256CPortable cbc256Encrypt cbc256Decryptm256ekeym256ivm192ekeym192ivm128ekeym128iv$fRecommendationAES$fRecommendationAES0$fRecommendationAES1catchIObindirlibdirdatadir libexecdir sysconfdir getBinDir getLibDir getDataDir getLibexecDir getSysconfDirgetDataFileName