úÎ!®¡.ÿ°      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~€‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™š›œžŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿À Á Â Ã Ä Å Æ Ç È É Ê Ë Ì Í Î Ï Ð Ñ Ò Ó Ô Õ Ö × Ø Ù Ú Û Ü Ý Þ ß à á â ã ä å æ ç è é ê ë ì í î ï ð ñ ò ó ô õ ö ÷ ø ù ú û ü ý þ ÿ                                  !" #$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~€‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™š›œžŸ ¡¢£¤¥¦§¨©ª«¬­®¯ B!Safe>°±²³´µ¶·None_raaz-Check whether the cpu supports sse extension.raaz.Check whether the cpu supports sse2 extension.raaz.Check whether the cpu supports sse3 extension.raaz0Check whether the cpu supports sse4_1 extension.raaz1Check whether the cpu supports sse-4.2 extension.raaz-Check whether the cpu supports avx extension.raaz.Check whether the cpu supports avx2 extension.Safe=?@A@&raazA monadic arrow field.raazWA field where the underlying arrow is the (->). This is normally what we call a field. raazvA field on the space is a function from the points in the space to some value. Here we define it for a general arrow. raazdThe twisted functor is essentially a generalisation of semi-direct product to applicative functors. raazÿ"The generalisation of distributivity to applicative functors. This generalisation is what allows us to capture applicative functors like parsers. For an applicative functor, and a monoid acting uniformly on it, we say that the action is distributive if the following laws are satisfied: vm <<.>> (pure a) = pure a -- pure values are stoic m <<.>> (a <*> b) = (m <<.>> a) <*> (m <<.>> b) -- dist raazÛThe semidirect product Space "Ê Monoid. For monoids acting on monoidal spaces distributively the semi-direct product is itself a monoid. It turns out that data serialisers can essentially seen as a semidirect product.raazjA left-monoid action on a monoidal-space, i.e. the space on which the monoid acts is itself a monoid, is  distributive if it satisfies the law: 'a <.> p <> q = (a <.> p) <> (a <.> q).)The above law implies that every element m is a monoid homomorphism.raazPUniform action of a monoid on a functor. The laws that should be satisfied are: p1 <<.>> fx = fx (a <> b) <<.>> fx = a . (b <<.>> fx) m <<.>> fmap f u = fmap f (m <<.>> u) -- acts uniformlyraaz A monoid mx acting on the left of a space. Think of a left action as a multiplication with the monoid. It should satisfy the law: k1 <.> p = p -- identity a <> b <.> p = a <.> b <.> p -- successive displacementsraaz?An alternate symbol for <> more useful in the additive context.raazLFrom the an element of semi-direct product Space "Ê Monoid return the point.raazUFrom the an element of semi-direct product Space "Ê Monoid return the monoid element.raaz!Get the underlying functor value.raaz Get the underlying monoid value.raaz;Compute the value of a field at a given point in the space.raaz Lift a monadic action to FieldM.raaz3Runs a monadic field at a given point in the space.raaz:The action on the space translates to the action on field.    555"Safe,.=?@AHSVXF0¸raaz4The constraint on the alignment o(since base 4.7.0)."raazA type w0 forced to be aligned to the alignment boundary alg#raazThe underlying unAligned value.$raaz#Align the value to 16-byte boundary%raaz#Align the value to 32-byte boundary&raaz#Align the value to 64-byte boundary"#$%&#NoneMK('raaz$The destination of a copy operation.&Note to Developers of Raaz: Since the 'd type inherits the Storable instance of the base type, one can use this type in foreign functions.(raazThe source of a copy operation.)raazsmart constructor for source*raaz#smart constructor for destionation.'¹º(»¼)*$SafeMí+raazQThis class captures all types that have some sort of description attached to it.,raaz%Short name that describes the object.-raazLonger description+,-%None>@AHVV.raazŠThe result of a comparison. This is an opaque type and the monoid instance essentially takes AND of two comparisons in a timing safe way./raazHAll types that support timing safe equality are instances of this class.1raaz9Check whether two values are equal using the timing safe 00 function. Use this function when defining the ½% instance for a Sensitive data type.¾raaz9Checks whether a given equality comparison is successful.¿raazVector of Results.ÀraazMVector for Results../01&None=?@AM­Š$2raaz-Types to measure alignment in units of bytes.3raaz¤Type safe length unit that measures offsets in multiples of word length. This length unit can be used if one wants to make sure that all offsets are word aligned.4raaz+Type safe lengths/offsets in units of bits.6raaz,Type safe lengths/offsets in units of bytes.8raazžIn cryptographic settings, we need to measure pointer offsets and buffer sizes. The smallest of length/offset that we have is bytes measured using the type 6ÿª. In various other circumstances, it would be more natural to measure these in multiples of bytes. For example, when allocating buffer to use encrypt using a block cipher it makes sense to measure the buffer size in multiples of block of the cipher. Explicit conversion between these length units, while allocating or moving pointers, involves a lot of low level scaling that is also error prone. To avoid these errors due to unit conversions, we distinguish between different length units at the type level. This type class capturing all such types, i.e. types that stand of length units. Allocation functions and pointer arithmetic are generalised to these length units.All instances of a 8" are required to be instances of Á~ where the monoid operation gives these types the natural size/offset addition semantics: i.e. shifting a pointer by offset a  b is same as shifting it by a and then by b.9raaz"Express the length units in bytes.:raaz3The pointer type used by all cryptographic library.ÃraazRA type whose only purpose in this universe is to provide alignment safe pointers.Äraaz;Some common PTR functions abstracted over type safe length.;raaz!Express the length units in bits.<raazExpress length unit src in terms of length unit dest rounding upwards.=raaz+Often we want to allocate a buffer of size lN. We also want to make sure that the buffer starts at an alignment boundary an. However, the standard word allocation functions might return a pointer that is not aligned as desired. The atLeastAligned l a returns a length n such the length n1 is big enough to ensure that there is at least lJ length of valid buffer starting at the next pointer aligned at boundary a . If the alignment required in a0 then allocating @l + a - 1 should do the trick.>raazExpress length unit src in terms of length unit dest rounding downwards.?raazA length unit u/ is usually a multiple of bytes. The function ? is like Å : the value byteQuotRem bytes is a tuple (x,r), where x is bytes expressed in the unit u with r being the reminder.@raazFunction similar to ? but returns only the quotient.AraazFunction similar to ? but works with bits instead.BraazFunction similar to A but returns only the quotient.Craaz.The default alignment to use is word boundary.Draaz'Compute the size of a storable element.Eraaz@Size of the buffer to be allocated to store an element of type aƒ so as to guarantee that there exist enough space to store the element after aligning the pointer. If the size of the element is s and its alignment is a- then this quantity is essentially equal to  s + a - 1'. All units measured in word alignment.Fraaz,Compute the alignment for a storable object.Graaz-Align a pointer to the appropriate alignment.Hraaz.Move the given pointer with a specific offset.IraazKCompute the next aligned pointer starting from the given pointer location.Jraaz0Peek the element from the next aligned location.Kraaz0Poke the element from the next aligned location.LraazA less general version of M7 where the pointer passed is aligned to word boundary.MraazThe expression allocaAligned a l action% allocates a local buffer of length l and alignment a$ and passes it on to the IO action action¡. No explicit freeing of the memory is required as the memory is allocated locally and freed once the action finishes. It is better to use this function than Æ, as it does type safe scaling and alignment.NraazA less general version of O6 where the pointer passed is aligned to word boundaryOraazÿÐThis function allocates a chunk of "secure" memory of a given size and runs the action. The memory (1) exists for the duration of the action (2) will not be swapped during that time and (3) will be wiped clean and deallocated when the action terminates either directly or indirectly via errors. While this is mostly secure, there can be strange situations in multi-threaded application where the memory is not wiped out. For example if you run a crypto-sensitive action inside a child thread and the main thread gets exists, then the child thread is killed (due to the demonic nature of haskell threads) immediately and might not give it chance to wipe the memory clean. This is a problem inherent to how the bracket( combinator works inside a child thread.'TODO: File this insecurity in the wiki.Praaz:Creates a memory of given size. It is better to use over Ç as it uses typesafe length.Qraaz A version of È, which works for any type safe length units.RraazCopy between pointers.SraazMove between pointers.Traaz6Sets the given number of Bytes to the specified value.Éraaz,The most interesting monoidal action for us.Lraaz buffer lengthraazthe action to runMraazthe alignment of the bufferraazsize of the bufferraazthe action to runPraaz buffer lengthRraaz destinationraazsrcraazNumber of Bytes to copySraaz destinationraazsourceraazNumber of Bytes to copyTraazTargetraazValue byte to setraazNumber of bytes to set#23456789:;<=>?@ABCDEFGHIJKLMNOPQRST'None 2=?@AHMVè-Uraaz$Big endian version of the word type wVraaz'Little endian version of the word type wWraazïThis class captures types which provides an endian agnostic way of loading from and storing to data buffers. Any multi-byte type that is meant to be serialised to the outside world should be an instance of this class. When defining the Y, X, ZL member functions, care should be taken to ensure proper endian conversion.Xraaz The action  store ptr w stores w at the location pointed by ptr. Endianness of the type w^ is taken care of when storing. For example, irrespective of the endianness of the machine, #store ptr (0x01020304 :: BE Word32) will store the bytes 0x01, 0x02, 0x03, 0x04 respectively at locations ptr, ptr +1, ptr+2 and ptr+3. On the other hand $store ptr (0x01020304 :: LE Word32) would store 0x04, 0x03, 0x02, 0x01 at the above locations.Yraaz The action load ptr loads the value stored at the ptrS. Like store, it takes care of the endianness of the data type. For example, if ptr) points to a buffer containing the bytes 0x01, 0x02, 0x03, 0x042, irrespective of the endianness of the machine, load ptr :: IO (BE Word32) will load the vale  0x01020304 of type  BE Word32 and load ptr :: IO (LE Word32) will load  0x04030201 of type  LE Word32.Zraaz The action adjustEndian ptr n7 adjusts the encoding of bytes stored at the location ptrW to conform with the endianness of the underlying data type. For example, assume that ptr* points to a buffer containing the bytes 0x01 0x02 0x03 0x04,, and we are on a big endian machine, then (adjustEndian (ptr :: Ptr (LE Word32)) 1 will result in ptr pointing to the sequence 0x04 0x03 0x02 0x01—. On the other hand if we were on a little endian machine, the sequence should remain the same. In particular, the following equalities should hold. 9 store ptr w = poke ptr w >> adjustEndian ptr 1 Similarly the value loaded by load ptr* should be same as the value returned by adjustEndian ptr 1 >> peak ptr>, although the former does not change the contents stored at ptr@ where as the latter might does modify the contents pointed by ptr= if the endianness of the machine and the time do not agree. The action )adjustEndian ptr n >> adjustEndian ptr n  should be equivalent to  return ().[raazdStore the given value at an offset from the crypto pointer. The offset is given in type safe units.\raazStore the given value as the n8-th element of the array pointed by the crypto pointer.]raaz Load the n4-th value of an array pointed by the crypto pointer.^raazALoad from a given offset. The offset is given in type safe units._raaz For the type w , the action copyFromBytes dest src n copies n-elements from src to destP. Copy performed by this combinator accounts for the endianness of the data in dest and is therefore not a mere copy of  n * sizeOf(w)( bytes. This action does not modify the src pointer in any way.`raaz Similar to  copyFromBytesu but the transfer is done in the other direction. The copy takes care of performing the appropriate endian encoding.araaz%Convert to the little endian variant.braaz#Convert to the big endian variants.Xraaz the location.raazvalue to storeZraazbuffer pointers,raazhow many w's are present,[raaz the pointerraaz.the absolute offset in type safe length units.raazvalue to store\raaz.the pointer to the first element of the arrayraazthe index of the arrayraazthe value to store]raaz.the pointer to the first element of the arrayraazthe index of the array^raaz the pointerraaz the offset_raazHow many items.UVWXYZ[\]^_`ab(None>ùªcraaz A typesafe length for Bytestringdraaz A type safe version of replicateeraaz©Copy the bytestring to the crypto buffer. This operation leads to undefined behaviour if the crypto pointer points to an area smaller than the size of the byte string.fraaz Similar to e but takes an additional input n¨ which is the number of bytes (expressed in type safe length units) to transfer. This operation leads to undefined behaviour if either the bytestring is shorter than n7 or the crypto pointer points to an area smaller than n.graaz3Works directly on the pointer associated with the ÊM. This function should only read and not modify the contents of the pointer.hraaz(Get the value from the bytestring using Ë.iraaz The action  create l act creates a length l9 bytestring where the contents are filled using the the act to fill the buffer.jraazThe IO action createFrom n cptr" creates a bytestring by copying n bytes from the pointer cptr.eraaz The source.raazThe destination.fraazlength of data to be copiedraazThe source byte stringraaz The buffercdefghijNoneúcdefghijcdhijgefNone÷kraaz;An applicative parser type for reading data from a pointer.lraazSkip over some data.mraaz/A parser that fails with a given error message.nraaz,Return the bytes that this parser will read.oraaz+Runs a parser on a byte string. It returns ÌC if the byte string is smaller than what the parser would consume.praaz7Run the parser without checking the length constraints.ÍraazAThe primary purpose of this function is to satisfy type checkers.qraaz£Parses a value which is an instance of Storable. Beware that this parser expects that the value is stored in machine endian. Mostly it is useful in defining the Ë function in a complicated Î instance.rraaz±Parse a crypto value. Endian safety is take into account here. This is what you would need when you parse packets from an external source. You can also use this to define the Y function in a complicated W instance.sraaz-Parses a strict bytestring of a given length.traaz Similar to parseStorableVectorÆ but is expected to be slightly faster. It does not check whether the length parameter is non-negative and hence is unsafe. Use it only if you can prove that the length parameter is non-negative.uraaz Similar to  parseVectorÆ but is expected to be slightly faster. It does not check whether the length parameter is non-negative and hence is unsafe. Use it only if you can prove that the length parameter is non-negative.vraaz Similar to wÿ but parses according to the host endian. This function is essentially used to define storable instances of complicated data. It is unlikely to be of use when parsing externally serialised data as one would want to keep track of the endianness of the data.wraaz‡Parses a vector of elements. It takes care of the correct endian conversion. This is the function to use while parsing external data. klmnopqrstuvw knmoprqwvutsl)None8=>?=@xraazÕA binary format is a representation of binary data often in printable form. We distinguish between various binary formats at the type level and each supported format corresponds to an instance of the the class x. The y and z! are required to satisfy the laws $decodeFormat . encodeByteString = id¾For type safety, the formats themselves are opaque types and hence it is not possible to obtain the underlying binary data directly. We require binary formats to be instances of the class {, with the combinators | and } of the {3 class performing the actual encoding and decoding. Instances of x! are required to be instances of Ïc and so that the encoded format can be easily printed. They are also required to be instances of ÐE so that they can be easily represented in Haskell source using the OverloadedStringsu extension. However, be careful when using this due to the fact that invalid encodings can lead to runtime errors.yraazxEncode binary data into the format. The return type gurantees that any binary data can indeed be encoded into a format.zraazŒDecode the format to its associated binary representation. Notice that this function always succeeds: we assume that elements of the type fmt3 are valid encodings and hence the return type is Ê instead of Ñ ByteString.{raazThe type class {a captures all the types that can be encoded into a stream of bytes. For a user defined type say Foo, defining an instance {) is all that is required to make use of encode and decodeI for any of the supported encoding formats (i.e. instances of the class x)..Minimum complete definition for this class is | and }. Instances of W{ have default definitions for both these functions and hence a trivial instance declaration is sufficient for such types. }newtype Foo = Foo (LE Word64) deriving (Storable, EndianStore) instance EndianStore Foo where ... instance Encodable Foo RIn particular, all the endian encoded versions of Haskell's word, i.e types like V Word32, V Word64 etc, are instances of {,. Note that the corresponding plain type is not an instance of { because encoding of say Ò; without specifying whether the endianness is meaningless.|raazConvert stuff to bytestring}raaz5Try parsing back a value. Returns nothing on failure.~raazUnsafe version of }Óraaz?Bytestring itself is an encoding format (namely binary format).xyz{|}~*NoneM?µraazGThe type corresponding to the standard padded base-64 binary encoding.ÔraazEncoding word.ÕraazIgnores spaces and newlines.+NoneMG±€raaz@The type corresponding to base-16 or hexadecimal encoding. The €M encoding has a special place in this library: most cryptographic types use € encoding for their Ï and Ð instance. The combinators  and ‚4 are exposed mainly to make these definitions easy.raazBase16 variant of Ö. Useful in definition of Ð2 instances as well as in cases where the default Ð0 instance does not parse from a base16 encoding.‚raazBase16 variant of ×.ØraazIgnores spaces and : (colon).€‚NoneJíƒraazEncode in a given format.„raazMDecode from a given format. It results in Nothing if there is a parse error.…raazThe unsafe version of „.†raaz%Translate from one format to another.xyz{|}~€‚ƒ„…†{|}~xyzƒ„†…€‚None=>?@AMŽc‡raazA read io-action.ˆraazThe ˆ« is the type that captures the act of reading from a buffer and possibly doing some action on the bytes read. Although inaccurate, it is helpful to think of elements of ˆW as action that on an input buffer transfers data from it to some unspecified source.<Read actions form a monoid with the following semantics: if r1 and r2 are two read actions then r1 Ù r2' first reads the data associated from r1- and then the read associated with the data r2.‰raazA write io-action.ŠraazPAn element of type `WriteM m` is an action which when executed transfers bytes into its input buffer. The type Š m8 forms a monoid and hence can be concatnated using the Ù operator.ÚraazjByte transfers that keep track of the number of bytes that were transferred (from/into) its input buffer.ÛraazcA action that transfers bytes from its input pointer. Transfer could either be writing or reading.Üraaz'This monoid captures a transfer action.Ýraaz'Make an explicit transfer action given.‹raazJReturns the bytes that will be written when the write action is performed.Œraaz9Perform the write action without any checks of the bufferÞraaz3Function that explicitly constructs a write action.raazThe expression  a+ gives a write action that stores a value a* in machine endian. The type of the value a has to be an instance of ν. This should be used when we want to talk with C functions and not when talking to the outside world (otherwise this could lead to endian confusion). To take care of endianness use the Ž combinator.ŽraazThe expression Ž a+ gives a write action that stores a value a". One needs the type of the value a to be an instance of W­. Proper endian conversion is done irrespective of what the machine endianness is. The man use of this write is to serialize data for the consumption of the outside world.raaz)Write many elements from the given bufferraazThe vector version of .‘raazThe vector version of Ž.’raazThe combinator writeBytes n b writes b as the next n consecutive bytes.“raazThe combinator glueWrites w n hdr ftr is equivalent to hdr <> glue <> ftr where the write glue writes as many bytes w5 so that the total length is aligned to the boundary n.”raazThe write action prependWrite w n wr is wr pre-pended with the byte w1 so that the total length ends at a multiple of n.•raazThe write action padWrite w n wr is wr padded with the byte w1 so that the total length ends at a multiple of n.–raazWrites a strict bytestring.—raaz4A write action that just skips over the given bytes.ßraaz3Function that explicitly constructs a write action.˜raazThe expression  bytesToRead rY gives the total number of bytes that would be read from the input buffer if the action r is performed.™raaz The action unsafeRead r ptr results in reading  bytesToRead r# bytes from the buffer pointed by ptrq. This action is unsafe as it will not (and cannot) check if the action reads beyond what is legally stored at ptr.šraaz The action readBytes sz dptrG gives a read action, which if run on an input buffer, will transfers sz' to the destination buffer pointed by dptrD. Note that it is the responsibility of the user to make sure that dptr has enough space to receive sz8 units of data if and when the read action is executed.›raaz The action readInto n dptrF gives a read action which if run on an input buffer, will transfers n elements of type a into the buffer pointed by dptr!. In particular, the read action readInto n dptr is the same as ,readBytes (fromIntegral n :: BYTES Int) dptr when the type a is à.Œraaz.The pointer for the buffer to be written into.“raazThe bytes to use in the glueraaz The length boundary to align to.raazThe header writeraazThe footer write”raazthe byte to pre-pend with.raaz"the length to align the message toraaz"the message that needs pre-pending•raazthe padding byte to useraazthe length to align message toraazthe message that needs padding™raaz.The pointer for the buffer to be written into.šraazhow much to read.raazbuffer to read the bytes into›raazhow many elements to read.raaz buffer to read the elements into‡ˆ‰Š‹ŒŽ‘’“”•–—˜™š›ˆ‡˜™š›Š‰‹ŒŽ‘’•”“–—,None,.=?@AHSUVXžV ¦raaz€Function that returns the dimension of the tuple. The dimension is calculated without inspecting the tuple and hence the term ¨ (undefined :: Tuple 5 Int) will evaluate to 5.>The constaint on the dimension of the tuple (since base 4.7.0)§raaz^Tuples that encode their length in their types. For tuples, we call the length its dimension.áraaz'Function to make the type checker happy¨raaz3This combinator returns the dimension of the tuple.âraazGet the dimension to parser©raaz0Construct a tuple by repeating a monadic action.ªraaz‹Construct a tuple out of the list. This function is unsafe and will result in run time error if the list is not of the correct dimension.«raazgComputes the initial fragment of a tuple. No length needs to be given as it is infered from the types.¬raazThe  diagonal a( gives a tuple, all of whose entries is a.­raazA zipwith function for tuplesãraaz!Equality checking is timing safe.¦§¨©ª«¬­Nonež­I"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ab¦§¨©ª«¬­I/01.WXYZ_`VUab[\^]:896745;DA?B@<=>2C3FGHEIJKMOLNPTSRQ"#$%&§¦¨«¬©­ª'()*+,-None ,>@AEHMVX¿ï ®raaz Type safe message length in units of blocks of the primitive. When dealing with buffer lengths for a primitive, it is often better to use the type safe units ®Ç. Functions in the raaz package that take lengths usually allow any type safe length as long as they can be converted to bytes. This can avoid a lot of tedious and error prone length calculations.¯raazŽSome primitives like ciphers have an encryption/decryption key. This type family captures the key associated with a primitive if it has any.°raaz3Primitives that have a recommended implementations.±raaz1The recommended implementation for the primitive.²raazÐThe type class that captures an abstract block cryptographic primitive. Bulk cryptographic primitives like hashes, ciphers etc often acts on blocks of data. The size of the block is captured by the member ´.nAs a library, raaz believes in providing multiple implementations for a given primitive. The associated type ³, captures implementations of the primitive.ZFor use in production code, the library recommends a particular implementation using the °b class. By default this is the implementation used when no explicit implementation is specified.³raazCAssociated type that captures an implementation of this primitive.´raazThe block size.µraazäImplementation of block primitives work on buffers. Often for optimal performance, and in some case for safety, we need restrictions on the size and alignment of the buffer pointer. This type class captures such restrictions.¶raaz.The alignment expected for the buffer pointer.·raazNAllocate a buffer a particular implementation of a primitive prim. algorithm algo_. It ensures that the memory passed is aligned according to the demands of the implementation.¸raazThe expression n ¸ pN specifies the message lengths in units of the block length of the primitive pH. This expression is sometimes required to make the type checker happy. ®¯°±²³´µ¶·¸ ²³´µ¶¯°±®¸·-NoneÁßÀraazRTypical size of L1 cache. Used for selecting buffer size etc in crypto operations.À None &'=?@AHSVX(Áraaz2A memory location to store a value of type having Î instance.Âraaz¶A memory type that can extract bytes into a buffer. The extraction will perform a direct copy and hence the chances of the extracted value ending up in the swap space is minimised.ÄraazÔA memory type that can be initialised from a pointer buffer. The initialisation performs a direct copy from the input buffer and hence the chances of the initialisation value ending up in the swap is minimised.ÆraazRMemories from which pure values can be extracted. Once a pure value is extracted,ÈraazûMemories that can be initialised with a pure value. The pure value resides in the Haskell heap and hence can potentially be swapped. Therefore, this class should be avoided if compromising the initialisation value can be dangerous. Consider using InitialiseableFromBufferÊraaz$A memory element that holds nothing.Ëraazÿ÷Any cryptographic primitives use memory to store stuff. This class abstracts all types that hold some memory. Cryptographic application often requires securing the memory from being swapped out (think of memory used to store private keys or passwords). This abstraction supports memory securing. If your platform supports memory locking, then securing a memory will prevent the memory from being swapped to the disk. Once secured the memory location is overwritten by nonsense before being freed.&While some basic memory elements like Ái are exposed from the library, often we require compound memory objects built out of simpler ones. The ä instance of the Θ can be made use of in such situation to simplify such instance declaration as illustrated in the instance declaration for a pair of memory elements. ¬instance (Memory ma, Memory mb) => Memory (ma, mb) where memoryAlloc = (,) <$> memoryAlloc <*> memoryAlloc unsafeToPointer (ma, _) = unsafeToPointer maÌraaz%Returns an allocator for this memory.Íraaz-Returns the pointer to the underlying buffer.Îraaz'A memory allocator for the memory type mem. The ä instance of AllocU can be used to build allocations for complicated memory elements from simpler ones.åraaz A pointer action inside a monad m7 is some function that takes a pointer action of type Pointer -> m ae and supplies it with an appropriate pointer. In particular, memory allocators are pointer actions.ÏraazTA class that captures abstract "memory threads". A memory thread can either be run Ð or Ñ?. Pure IO actions can be run inside a memory thread using the runIO-. However, the IO action that is being run must not directly or indirectly run a secure7 action ever. In particular, the following code is bad. 3-- BAD EXAMPLE: DO NOT USE. runIO $ securely $ foo ,On the other hand the following code is fine ' runIO $ insecurely $ someMemoryAction BAs to why this is dangerous, it has got to do with the fact that mlock and munlock! do not nest correctly. A single munlock can unlock multiple calls of mlock% on the same page. Whether a given IOm action unlocks memory is difficult to keep track of; for all you know, it might be a FFI call that does an  memunlock9. Hence, currently there is no easy way to enforce this.ÐraazÅRun a memory action with the internal memory allocated from a locked memory buffer. This memory buffer will never be swapped out by the operating system and will be wiped clean before releasing.ìMemory locking is an expensive operation and usually there would be a limit to how much locked memory can be allocated. Nonetheless, actions that work with sensitive information like passwords should use this to run an memory action.ÑraazþRun a memory action with the internal memory used by the action being allocated from unlocked memory. Use this function when you work with data that is not sensitive to security considerations (for example, when you want to verify checksums of files).ÒraazLift an actual memory thread.Óraaz[Combinator that allows us to run a memory action on a sub-memory element. A sub-memory of submem of a memory element mem is given by a projection proj : mem -> submem. The action onSubMemory projG lifts the a memory thread on the sub element to the compound element.ÔraazAn action of type Ô mem aC is an action that uses internally a single memory object of type mem and returns a result of type aw. All the actions are performed on a single memory element and hence the side effects persist. It is analogues to the ST monad.Õraaz/Run a given memory action in the memory thread.Öraaz.Perform an IO action inside the memory thread.×raazDAn IO allocator can be lifted to the memory thread level as follows.Øraaz7Get the underlying memory element of the memory thread.æraaz*Make an allocator for a given memory type.ÙraazAllocates a buffer of size l' and returns the pointer to it pointer.Úraaz¬Copy data from a given memory location to the other. The first argument is destionation and the second argument is source to match with the convention followed in memcpy.çraazÿCPerform an action which makes use of this memory. The memory allocated will automatically be freed when the action finishes either gracefully or with some exception. Besides being safer, this method might be more efficient as the memory might be allocated from the stack directly and will have very little GC overhead.èraaz Similar to çÿ° but allocates a secure memory for the action. Secure memories are never swapped on to disk and will be wiped clean of sensitive data after use. However, be careful when using this function in a child thread. Due to the daemonic nature of Haskell threads, if the main thread exists before the child thread is done with its job, sensitive data can leak. This is essentially a limitation of the bracket which is used internally.ÛraazBApply the given function to the value in the cell. For a function  f :: b -> a, the action modify f first extracts a value of type b# from the memory element, applies f1 to it and puts the result back into the memory. Cmodify f = do b <- extract initialise $ f béraaz„The location where the actual storing of element happens. This pointer is guaranteed to be aligned to the alignment restriction of aÜraaz^Work with the underlying pointer of the memory cell. Useful while working with ffi functions.Ýraaz6Get the pointer associated with the given memory cell.ÞraazWARNING:$ do not lift a secure memory action.Úraaz DestinationraazSourceÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝËÌÍÊÚÈÉÆÇÄÅÂÃÁÜÝÏÐÑÒÓÖØÛÕÔ×ÎÙ None>A ìraazÿA byte source src is pure if filling from it does not have any other side effect on the state of the byte source. Formally, two different fills form the same source should fill the buffer with the same bytes. This additional constraint on the source helps to purify` certain crypto computations like computing the hash or mac of the source. Usualy sources like ÊD etc are pure byte sources. A file handle is a byte source that is not a pure source.íraazTAbstract byte sources. A bytesource is something that you can use to fill a buffer.WARNING:" The source is required to return ñr in the boundary case where it has exactly the number of bytes requested. In other words, if the source returns  Remainingÿ on any particular request, there should be at least 1 additional byte left on the source for the next request. Cryptographic block primitives have do certain special processing for the last block and it is required to know whether the last block has been read or not.îraazFills a buffer from the source.ïraaz2This type captures the result of a fill operation.ðraazThere is still bytes left.ñraaz*source exhausted with so much bytes read.òraaz#Combinator to handle a fill result.óraaz=A version of fillBytes that takes type safe lengths as input.ôraaz:Process data from a source in chunks of a particular size.úraaz__WARNING:_ The î may block.îraaz Buffer sizeraazThe source to fill.raazBuffer pointeròraazstuff to do when filledraazstuff to do when exhaustedraazthe fill result to process ìíîïðñòóô íîìïðñóôò NoneAÿ’"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijxyz{|}~€‚ƒ„…†¦§¨©ª«¬­®¯°±²³´µ¶·¸ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝìíîïðñòóôÀ None,=>?@AEHVXqWraaz3Class that captures stream ciphers. An instance of  should be an instance of -, with the following additional constraints. ;The encryption and decryption should be the same algorithm.=Encryption/decryption can be applied to a messages of length l even if l# is not a multiple of block length.'The encryption of a prefix of a length l of a message m should be the same as the l( length prefix of the encryption of m.It is the duty of the implementer of the cipher to ensure that the above conditions are true before declaring an instance of a stream cipher.raazÿClass capturing ciphers. The implementation of this class should give an encryption and decryption algorithm for messages of length which is a multiple of the block size. Needless to say, the encryption and decryption should be inverses of each other for such messages.raazySome implementation of a block cipher. This type is existentially quantifies over the memory used in the implementation.êraaz@Type constraints on the memory of a block cipher implementation.raaz%The implementation of a block cipher. raaz)The underlying block encryption function. raaz)The underlying block decryption function. raazBlock cipher modes. raazCipher-block chainingraazCounterraaz Constructs a l value out of a stream transformation function. Useful in building a Cipher instance of a stream cipher.raazEncrypt the given ÊJ. This function is unsafe because it only works correctly when the input ÊE is of length which is a multiple of the block length of the cipher.raazœTransforms a given bytestring using a stream cipher. We use the transform instead of encrypt/decrypt because for stream ciphers these operations are same.raazVTransform a given bytestring using the recommended implementation of a stream cipher.raazvEncrypt using the recommended implementation. This function is unsafe because it only works correctly when the input ÊE is of length which is a multiple of the block length of the cipher.raazDecrypts the given ÊJ. This function is unsafe because it only works correctly when the input ÊE is of length which is a multiple of the block length of the cipher.raazvDecrypt using the recommended implementation. This function is unsafe because it only works correctly when the input ÊE is of length which is a multiple of the block length of the cipher.raaznameraaz descriptionraazstream transformerraazbuffer starting alignmentraazThe cipher to useraazThe implementation to useraazThe key to useraazThe string to encrypt.raaz The cipherraazThe key to useraazThe string to encryptraazThe cipher to useraazThe implementation to useraazThe key to useraazThe string to encrypt.raaz The cipherraazThe key to useraazThe string to encrypt          .None .=?@AHMVv'ëraazchacha20 memoryraaz-The type associated with the ChaCha20 cipher.raaz The key type.raazThe counter type for chacha20raazThe IV for the chacha20ìraazThe chacha20 stream cipher. The word typeíraazThe key for ChaCha20.ëîïðñòóôõìNone.=?@A{¸öraazChacha20 block transformation. raaz1The portable c implementation of chacha20 cipher.÷raaz*Encrypting/Decrypting a block of chacha20.!raaz"The chacha20 randomness generator.øraazƒThe chacha20 randomness generator. We have set the alignment to 32 because this allows gcc to further optimise the implementation. ! !/None=?Šñùraazÿ The chacha stream cipher is also used as the prg for generating random bytes. Such a prg needs to keep an auxilary buffer type so that one can generate random bytes not just of block size but smaller. This memory type is essentially for maintaining such a buffer.úraazdGet the actual location where the data is to be stored. Ensures that the pointer is aligned to the randomBufferAlignment restriction.ûraazÿ6The size of the buffer in blocks of ChaCha20. While the implementations should handle any multiple of blocks, often implementations naturally handle some multiple of blocks, for example the Vector256 implementation handles 2-chacha blocks. Set this quantity to the maximum supported by all implementations.üraazÑImplementations are also designed to work with a specific alignment boundary. Unaligned access can slow down the primitives quite a bit. Set this to the maximum of alignment supported by all implementations!ùúû None‹¾"raazThe chacha20 stream cipher.""0NoneŽŒýraaz…Get random bytes from the system. Do not over use this function as it is meant to be used by a PRG. This function reads bytes from '/dev/urandom'.ýNone"#,=>?@AEHVX¸3#raazÿžComputing cryptographic hashes usually involves chunking the message into blocks and compressing one block at a time. Usually this compression makes use of the hash of the previous block and the length of the message seen so far to compressing the current block. Most implementations therefore need to keep track of only hash and the length of the message seen so. This memory can be used in such situations.%raazCell to store the hash&raazCell to store the length'raaz*Type class capturing a cryptographic hash.(raaz¶Cryptographic hashes can be computed for messages that are not a multiple of the block size. This combinator computes the maximum size of padding that can be attached to a message.)raaz›Some implementation of a given hash. The existentially quantification allows us freedom to choose the best memory type suitable for each implementations.+raazLThe constraints that a memory used by a hash implementation should satisfy.,raazFThe Hash implementation. Implementations should ensure the following.  The action compress impl ptr blks should only read till the blks1 offset starting at ptr and never write any data. The action padFinal impl ptr byts should touch at most #byts/blocksize# + padBlocks@ blocks starting at ptr. It should not write anything till the byts) offset but may write stuff beyond that.mAn easy to remember this rule is to remember that computing hash of a payload should not modify the payload.0raazcompress the blocks,1raaz pad and process the final bytes,3raazÿCertain hashes are essentially bit-truncated versions of other hashes. For example, SHA224 is obtained from SHA256 by dropping the last 32-bits. This combinator can be used build an implementation of truncated hash from the implementation of its parent hash.4raaz-Compute the hash of a pure byte source like, Ê.5raazCompute the hash of file.6raaz*Compute the hash of a generic byte source.7raaz Similar to 45 but the user can specify the implementation to use.8raazISimilar to hashFile' but the user can specify the implementation to use.9raaz Similar to  hashSource5 but the user can specify the implementation to use.:raaz¯Gives a memory action that completes the hashing procedure with the rest of the source. Useful to compute the hash of a source with some prefix (like in the HMAC procedure).;raaz0Extract the length of the message hashed so far.<raaz,Update the message length by a given amount.4raazMessage5raazFile to be hashed6raazMessage7raazImplementationraazthe message as a byte source.8raazImplementationraazFile to be hashed#$%&'()*+,-./0123456789:;<'(456789,-./012)*+3#$%&;<:1None "#.=>?@AHMVÉ$ þraaz+Memory element for BLAKE2s implementations.ÿraaz+Memory element for BLAKE2b implementations.DraazThe BLAKE2s hash type.EraazThe BLAKE2b hash type.raazWord type for Blake2sraazWord type for Blake2braazThe BLAKE2 type.raazIThe initial value to start the blake2b hashing. This is equal to the iv  the parameter block.raazIThe initial value to start the blake2b hashing. This is equal to the iv  the parameter block.raaz%The generic blake2 padding algorithm.raazdCreate a hash implementation form BLAKE2b given a compression function and the last block function.raazdCreate a hash implementation form BLAKE2s given a compression function and the last block function. raazBufferraaznumber of blocksraazlength of the message so farraaz Hash pointer raazBufferraaznumber of blocksraaz Upper countraazLowerraaz#the primitive (BLAKE2b or BLAKE2s).raazlength of the messageraazNameraaz DescriptionraazNameraaz DescriptionþÿDENoneÊ÷Fraaz)The portable C implementation of BLAKE2b.Graaz)The portable C implementation of BLAKE2s.FGFG2None=?̹ raaz'Recommended implementation for balke2s. raaz'Recommended implementation for blake2b.NoneÐgHraaz+Compute the blake2b hash of an instance of ìH. Use this for computing the sha1 hash of a strict or lazy byte string.Iraaz#Compute the blake2b hash of a file.Jraaz2Compute the blake2b hash of a general byte source.DEHIJEDHIJ3None,>HVæ  raazAction on a Bufferraaz²The type alias for the raw compressor function. The compressor function does not need to know the length of the message so far and hence this is not supposed to update lengths.raaz!Type that captures length writes.raazThe Writes used in this module.raaz+All actions here are in the following monadraazaThe utilities in this module can be used on primitives which satisfies the following constraint.raaz&The length encoding that uses 64-bits.raaz'The length encoding that uses 128-bits.raazXLifts the raw compressor to a buffer action. This function does not update the lengths.raazThe combinator  on an input compressor comp4 gives a buffer action that process blocks of data.raazThe combinator  on an input compressor comp2 gives buffer action for the final chunk of data.raazPadding is message followed by a single bit 1 and a glue of zeros followed by the length so that the message is aligned to the block boundary.raazUCreates an implementation for a sha hash given the compressor and the length writer. raazThe data bufferraazTotal data presentraazThe buffer to compressraaz The number of blocks to compressraaz#The cell memory containing the hashraazthe compressor functionraazthe raw compressorraazthe length writerraazNameraaz Description4None .=?@AHMVç5KraazThe cryptographic hash SHA1.KNoneè&Lraaz&The portable C implementation of SHA1.LL5Noneéraaz$Recommended implementation for SHA1.6None .=?@AHMVê{Mraaz1Sha224 hash value which consist of 7 32bit words.M7None .=?@AHMVë„NraazThe Sha256 hash value.NNoneïdOraaz(The portable C implementation of SHA256.PraazThe Hash implementation, i.e. ,“ associated with the portable C implementation for the hash SHA256. This can be used to define an implementation of truncated hashes like SHA224.OPOPNone@AðtQraaz(The portable C implementation of SHA224.QQ8Noneñdraaz&Recommended implementation for SHA224.9NoneòMraaz&Recommended implementation for SHA256.:None .=?@AHMVóNUraazThe Sha384 hash value.U ;None .=?@AHMVôÿVraaz@The Sha512 hash value. Used in implementation of Sha384 as well.V!Noneø·Wraaz(The portable C implementation of SHA512.XraazThe Hash implementation, i.e. ,‰ associated with the portable C implementation for the hash SHA512. This can be used to implement truncated implementation like SHA384.WXWXNone@AùÇYraaz(The portable C implementation of SHA384.YY<Noneú·"raaz&Recommended implementation for SHA384.=Noneû˜#raaz$Recommend implementation for SHA512.>None>Ö $raaz,Memory for strong the internal memory state.%raaz”The maximum value of counter before reseeding from entropy source. Currently set to 1024 * 1024 * 1024. Which will generate 64GB before reseeding.¾The counter is a 32-bit quantity. Which means that one can generate 2^32 blocks of data before the counter roles over and starts repeating. We have choosen a conservative 2^30 blocks here.&raaz%Run an action on the auxilary buffer.'raaz&Get the number of bytes in the buffer.(raaz"Set the number of remaining bytes.)raazÿ‚The overall idea is to generate a key stream into the auxilary buffer using chacha20 and giving out bytes from this buffer. This operation we call sampling. A portion of the sample is used for resetting the key and iv to make the prg safe against backward prediction, i.e. even if one knows the current seed (i.e. key iv pair) one cannot predict the random values generated before.7This fills in the random block with some new randomness*raaz See the PRG from system entropy.+raazHSeed if we have already generated maxCounterVal blocks of random bytes.,raaz,Fill the iv and key from a filling function.-raazReseed the prg..raazqThe function to generate random bytes. Fills from existing bytes and continues if not enough bytes are obtained./raazÊFill from already existing bytes. Returns the number of bytes filled. Let remaining bytes be r. Then fillExistingBytes will fill min(r,m) bytes into the buffer, and return the number of bytes filled.,raaz$The function used to fill the buffer$0123-.NoneM8 ]raaz Instances of ÎS which can be randomly generated. It might appear that all instances of the class Îœ should be be instances of this class, after all we know the size of the element, why not write that many random bytes. In fact, this module provides an cª which does that. However, we do not give a blanket definition for all storables because for certain refinements of a given type, like for example, Word8's modulo 10, c introduces unacceptable skews.^raaz7Fill the buffer with so many random elements of type a._raaz>The monad for generating cryptographically secure random data.`raaz)A batch of actions on the memory element mem that uses some randomness.4raazmRun a randomness thread. In particular, this combinator takes care of seeding the internal prg at the start.araazÿòReseed from the system entropy pool. There is never a need to explicitly seed your generator. The insecurely and securely calls makes sure that your generator is seed before starting. Furthermore, the generator also reseeds after every few GB of random bytes that it generates. Generating random data from the system entropy is usually an order of magnitude slower than using a fast stream cipher. Reseeding often can slow your program considerably without any additional security advantage.braaz/Fill the given input pointer with random bytes.craazRThis is a helper function that has been exported to simplify the definition of a ] instance for Î] types. However, there is a reason why we do not give a blanket instance for all instances ÎT and why this function is unsafe? This function generates a random element of type a by generating n random bytes where n! is the size of the elements of a&. For instances that range the entire nf byte space this is fine. However, if the type is actually a refinement of such a type, (consider a à modulo 10y for example) this function generates an unacceptable skew in the distribution. Hence this function is prefixed unsafe.draazHGenerate a random element from an instance of a RandomStorable element.eraaz7Randomise the contents of a memory cell. Equivalent to d >>= liftMT . initialise= but ensures that no data is transferred to unlocked memory.fraazGenerate a random byteString.^raaznumber of elements to fillraazThe buffer to fill ]^_`abcdef `_fde]^cba?None,=>?EHMVXPc {raaz†The HMAC associated to a hash value. The HMAC type is essentially the underlying hash type wrapped inside a newtype. Therefore, the ½& instance for HMAC is essentially the ½Š instance for the underlying hash. It is safe against timing attack provided the underlying hash comparison is safe under timing attack.5raazÿThe HMAC key type. The HMAC keys are usually of size at most the block size of the associated hash, although the hmac construction allows using keys arbitrary size. Using keys of small size, in particular smaller than the size of the corresponding hash, can can compromise security. A note on Ï and Ð instances of keys.6As any other cryptographic type HMAC keys also have a Ð and Ϲ instance which is essentially the key expressed in base16. Keys larger than the block size of the underlying hashes are shortened by applying the appropriate hash. As a result the × and Ö$ need not be inverses of each other.|raaz-Compute the hash of a pure byte source like, Ê.}raazCompute the hmac of file.~raaz*Compute the hmac of a generic byte source.6raaz-Compute the hmac of a pure byte source like, Ê.7raazCompute the hmac of file.8raazFCompute the hmac of a generic ByteSource using a given implementation.9raaz$Base16 representation of the string.:raazthe key.|raazMessage}raazKey to use for mac-ingraazFile to be hashed~raazkey to use for mac-ing.raazMessage6raazMessage7raazFile to be hashed {;<|}~678NoneY1raaz*Compute the sha512 hash of an instance of ìJ. Use this for computing the sha512 hash of a strict or lazy byte string.€raaz"Compute the sha512 hash of a file.raaz1Compute the sha512 hash of a general byte source.‚raaz:Compute the message authentication code using hmac-sha512.ƒraaz3Compute the message authentication code for a file.„raazACompute the message authetication code for a generic byte source.‚raaz Key to useraaz)pure source whose hmac is to be computedƒraaz Key to useraaz!File whose hmac is to be computedV€‚ƒ„V€‚ƒ„Noneb…raaz*Compute the sha384 hash of an instance of ìJ. Use this for computing the sha384 hash of a strict or lazy byte string.†raaz"Compute the sha384 hash of a file.‡raaz1Compute the sha384 hash of a general byte source.ˆraaz:Compute the message authentication code using hmac-sha384.‰raaz3Compute the message authentication code for a file.ŠraazACompute the message authetication code for a generic byte source.ˆraaz Key to useraaz)pure source whose hmac is to be computed‰raaz Key to useraaz!File whose hmac is to be computedU…†‡ˆ‰ŠU…†‡ˆ‰ŠNonejó‹raaz*Compute the sha256 hash of an instance of ìJ. Use this for computing the sha256 hash of a strict or lazy byte string.Œraaz"Compute the sha256 hash of a file.raaz1Compute the sha256 hash of a general byte source.Žraaz:Compute the message authentication code using hmac-sha256.raaz3Compute the message authentication code for a file.raazACompute the message authetication code for a generic byte source.Žraaz Key to useraaz)pure source whose hmac is to be computedraaz Key to useraaz!File whose hmac is to be computedN‹ŒŽN‹ŒŽNonesÔ‘raaz*Compute the sha224 hash of an instance of ìJ. Use this for computing the sha224 hash of a strict or lazy byte string.’raaz"Compute the sha224 hash of a file.“raaz1Compute the sha224 hash of a general byte source.”raaz:Compute the message authentication code using hmac-sha224.•raaz3Compute the message authentication code for a file.–raazACompute the message authetication code for a generic byte source.”raaz Key to useraaz)pure source whose hmac is to be computed•raaz Key to useraaz!File whose hmac is to be computedM‘’“”•–M‘’“”•–Nonez“—raaz(Compute the sha1 hash of an instance of ìH. Use this for computing the sha1 hash of a strict or lazy byte string.˜raaz Compute the sha1 hash of a file.™raaz/Compute the sha1 hash of a general byte source.šraaz8Compute the message authentication code using hmac-sha1.›raaz3Compute the message authentication code for a file.œraazACompute the message authetication code for a generic byte source.K—˜™š›œK—˜™š›œNone{)'456DEHIJMNUV{|}~€‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–'456{|}~@None .=?@AHMVŽ¾=raazExtended key for aes256>raazExtended key for aes192?raazExtended key for aes128raazThe IV used by the CBC mode.žraazKey used for AES-128ŸraazKey used for AES-128 raazKey used for AES-128@raazA tuple of AES words.AraazThe basic word used in AES.¡raaz­The type associated with AES ciphers. Raaz provides AES variants with key lengths 128, 192 and 256. The key types for the above ciphers in cbc mode are given by the types ( , IV), (Ÿ, IV) (ž, IV) respectively.¢raaz128-bit aes cipher in   mode.£raaz128-bit aes cipher in   mode.¤raaz128-bit aes cipher in   mode.¥raaz#Smart constructors for AES 128 ctr.Braaz0Poke a key and expand it with the given routine.Craaz#The 256-bit aes cipher in cbc mode.Draaz#The 192-bit aes cipher in cbc mode.Eraaz#The 128-bit aes cipher in cbc mode.FraazShows in base 16GraazExpects in base 16HraazShows in base 16IraazExpects in base 16JraazShows in base 16KraazExpects in base 16LraazKey is (ž,) pair.MraazKey is (Ÿ,) pair.NraazKey is ( ,) pair.OraazShown as a its base16 encoding.PraazExpects in base16.Braaz key to pokeraazexpansion algorithmraazbuffer pointer. =>?žŸ ¡Q¢£¤¥None.=?@A™¥RraazMemory for aes-256-cbcSraazMemory for aes-192-cbcTraazMemory for aes-128-cbcUraaz CBC decryptVraaz CBC encrypt.WraazTranspose AES matrices.¦raaz;Implementation of 128-bit AES in CBC mode using Portable C.Xraaz)128-bit AES in CBC mode using Portable C.YraazThe encryption action.ZraazThe decryption action.§raaz;Implementation of 192-bit AES in CBC mode using Portable C.[raaz)192-bit AES in CBC mode using Portable C.\raazThe encryption action.]raazThe decryption action.¨raaz;Implementation of 256-bit AES in CBC mode using Portable C.^raaz)256-bit AES in CBC mode using Portable C._raazThe encryption action.`raazThe decryption action.¦§¨¦§¨ANone.=?œEaraaz)Recommended implementation of AES-256 cbcbraaz)Recommended implementation of AES-192 cbccraaz)Recommended implementation of AES-128 cbcNoneœ| žŸ ¡¢£¤¥ ¡ Ÿž¢£¤¥BNoneœú"¢£¤"¢£¤ Noneò¯raazRaaz library version number.Í"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijxyz{|}~€‚ƒ„…†¦§¨©ª«¬­®¯°±²³´µ¶·¸ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝìíîïðñòóô"'456DEHIJMNUV]^_`abcdef{|}~€‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–¢£¤¯¯dCDEFGHIJKLMMNOOPQRSTUVWXYZ[\]^_`ab"c"d"e"f"g#h#i#j#k$l$m$n%o%p%q%r&s&t&u&u&v&v&w&x&y&z&{&|&}&~&&€&&‚&ƒ&„&…&†&‡&ˆ&‰&Š&‹&Œ&&Ž&&&‘&’&“'”'•'–'—'˜'™'š'›'œ''ž'Ÿ' '¡(¢(£(¤(¥(¦(§(¨(©ª«¬­®¯°±²³´µ¶)·)¸)¹)º)»)¼)½*¾+¿+À+ÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãä,å,æ,ç,è,é,ê,ë,ìíîïðñòóôõö÷øùúûüýþ-ÿ                                  ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B B C C D E F G H I J K L M N O P Q R S T U V W X.Y.Z.[.\]^ _``abcdeefgghijklmnopqrstuvwxyz{|}1~1€‚ƒ„4…]6†7‡]ˆ]‰Š‹:Œ;]ˆ]Ž‘’“”•–—˜™š›œžŸ ¡¢£¤¥¦§¨©ª«¬­®?¯?°?±?²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐ@\@Ñ@Ò@Ó@Ô@Õ@Ö@×@ØÙÚÛÜÝÞßàá â!â!ã!ä!å!æ!ç!è!é"ê#h#ë#i#ìíîï%ð%ñ%òóôõóôö&÷&øóùúóûüóûýóþÿ&óóó ó  ó  óó)**ó ó +óôó,, ,!óô" # $ % & ' (.).*.+.).,.-...Y./.[.\012/3/4/5/60718191:1;1<1=ó>?1@1A1B1C1D1E2F2G3H3I3J3K3L3M3N3O3P3Q3R3S3T4…5U6†7‡8V9W:Œ;<X=Y>Z>[>\>]>^>_>`>a>b>c>d>e>Z>f>g>hi?j?k?l?m?n?o?¯?p@q@r@s@t@*@u@v@w@x@y@z@{@|@}@~@@€@@‚@ƒ@Ô„…†‡ˆ‰Š‹ŒŽ‘’A“A”A•–!raaz-0.2.1-5q1HdpWcs2P6PnGR5d84JWRaaz.Core.CpuSupportsRaaz.Core.MonoidalActionRaaz.Core.TypesRaaz.Core.UtilRaaz.Core.Parse.ApplicativeRaaz.Core.EncodeRaaz.Core.TransferRaaz.Core.Primitives Raaz.CoreRaaz.Core.MemoryRaaz.Core.ByteSourceRaaz.Cipher.InternalRaaz.Cipher.ChaCha20-Raaz.Cipher.ChaCha20.Implementation.CPortableRaaz.Hash.InternalRaaz.Hash.Blake2)Raaz.Hash.Blake2.Implementation.CPortableRaaz.Hash.Sha1'Raaz.Hash.Sha1.Implementation.CPortableRaaz.Hash.Sha224Raaz.Hash.Sha256)Raaz.Hash.Sha256.Implementation.CPortable)Raaz.Hash.Sha224.Implementation.CPortableRaaz.Hash.Sha384Raaz.Hash.Sha512)Raaz.Hash.Sha512.Implementation.CPortable)Raaz.Hash.Sha384.Implementation.CPortable Raaz.Random Raaz.HashRaaz.Cipher.AES,Raaz.Cipher.AES.CBC.Implementation.CPortableRaaz Paths_raazRaaz.Core.Types.AlignedRaaz.Core.Types.CopyingRaaz.Core.Types.DescribeRaaz.Core.Types.EqualityRaaz.Core.Types.PointerRaaz.Core.Types.EndianRaaz.Core.Util.ByteStringRaaz.Core.Encode.InternalRaaz.Core.Encode.Base64Raaz.Core.Encode.Base16Raaz.Core.Types.TupleRaaz.Core.ConstantsRaaz.Cipher.ChaCha20.Internal#Raaz.Cipher.ChaCha20.Recommendation Raaz.EntropyRaaz.Hash.Blake2.InternalRaaz.Hash.Blake2.RecommendationRaaz.Hash.Sha.UtilRaaz.Hash.Sha1.InternalRaaz.Hash.Sha1.RecommendationRaaz.Hash.Sha224.InternalRaaz.Hash.Sha256.InternalRaaz.Hash.Sha224.RecommendationRaaz.Hash.Sha256.RecommendationRaaz.Hash.Sha384.InternalRaaz.Hash.Sha512.InternalRaaz.Hash.Sha384.RecommendationRaaz.Hash.Sha512.RecommendationRaaz.Random.ChaCha20PRGRaaz.Hash.Internal.HMACRaaz.Cipher.AES.InternalRaaz.Cipher.AES.Recommendation Raaz.Cipherssesse2sse3sse4_1sse4_2avxavx2FieldMFieldFieldATwistRF DistributiveFSemiR DistributiveLActionF<<.>>LAction<.><++> semiRSpace semiRMonoidtwistFunctorValuetwistMonoidValue computeField liftToFieldM runFieldM$fLActionFmWrappedArrow $fMonoidSemiR$fSemigroupSemiR$fDistributiveFmWrappedArrow$fApplicativeTwistRF$fFunctorTwistRFAligned unAlignedaligned16Bytesaligned32Bytesaligned64BytesDestSrcsource destination Describablename descriptionResultEqualityeq=== AlignmentALIGNBITSBYTES LengthUnitinBytesPointerinBitsatLeastatLeastAlignedatMost bytesQuotRem bytesQuot bitsQuotRembitsQuot wordAlignmentsizeOf alignedSizeOf alignmentalignPtrmovePtrnextAlignedPtr peekAligned pokeAligned allocaBuffer allocaAligned allocaSecureallocaSecureAligned mallocBufferhFillBufmemcpymemmovememsetBELE EndianStorestoreload adjustEndianstoreAt storeAtIndex loadFromIndexloadFrom copyFromBytes copyToBytes littleEndian bigEndianlength replicateunsafeCopyToPointerunsafeNCopyToPointerwithByteStringfromByteStringStorablecreate createFromParserskip parseError parseWidth runParserunsafeRunParser parseStorableparseparseByteStringunsafeParseStorableVectorunsafeParseVectorparseStorableVector parseVectorFormatencodeByteString decodeFormat Encodable toByteStringfromByteStringunsafeFromByteStringBase64Base16 fromBase16 showBase16encodedecode unsafeDecode translateReadIOReadMWriteIOWriteM bytesToWrite unsafeWrite writeStorablewrite writeFromwriteStorableVector writeVector writeBytes glueWrites prependWritepadWritewriteByteString skipWrite bytesToRead unsafeRead readBytesreadInto$fMonoidTransferM$fSemigroupTransferM$fDistributiveBYTES->$fLActionBYTES->$fEncodableWriteM$fIsStringWriteM$fSemigroupWriteM$fMonoidWriteM$fSemigroupReadM $fMonoidReadM DimensionTuple dimensionrepeatMunsafeFromListinitialdiagonalzipWithBLOCKSKeyRecommendation recommended PrimitiveImplementation blockSizeBlockAlgorithmbufferStartAlignmentallocBufferForblocksOf$fLengthUnitBLOCKS$fMonoidBLOCKS$fSemigroupBLOCKS $fShowBLOCKS $fEqBLOCKS $fOrdBLOCKS $fEnumBLOCKSl1Cache MemoryCellExtractableToBuffer extractorInitialisableFromBuffer initialiser Extractableextract Initialisable initialise VoidMemoryMemory memoryAllocunsafeToPointerAlloc MemoryThreadsecurely insecurelyliftMT onSubMemoryMTexecutedoIOliftPointerAction getMemory pointerAlloc copyMemorymodifywithCellPointergetCellPointer $fMonadIOMT $fMonadMT$fApplicativeMT $fFunctorMT $fMemory(,,,) $fMemory(,,) $fMemory(,)$fMemoryThreadMT$fMemoryVoidMemory$fExtractableToBufferMemoryCell#$fInitialisableFromBufferMemoryCell$fExtractableMemoryCella$fInitialisableMemoryCella$fMemoryMemoryCellPureByteSource ByteSource fillBytes FillResult Remaining ExhaustedwithFillResultfill processChunks$fFunctorFillResult$fByteSource[]$fByteSourceMaybe$fByteSourceByteString$fByteSourceByteString0$fByteSourceHandle$fPureByteSourceMaybe$fPureByteSource[]$fPureByteSourceByteString$fPureByteSourceByteString0$fShowFillResult$fEqFillResult StreamCipherCipher SomeCipherICipherI cipherINamecipherIDescription encryptBlocks decryptBlockscipherStartAlignment CipherModeCBCCTR makeCipherIunsafeEncrypt' transform' transform unsafeEncryptunsafeDecrypt' unsafeDecrypt$fDescribableCipherI$fBlockAlgorithmCipherI$fBlockAlgorithmSomeCipherI$fDescribableSomeCipherI$fShowCipherMode$fEqCipherModeChaCha20KEYCounterIVimplementationchacha20Randomchacha20 HashMemoryhashCellmessageLengthCellHashadditionalPadBlocks SomeHashIHashMHashI hashINamehashIDescriptioncompress compressFinalcompressStartAlignment truncatedIhashhashFile hashSourcehash' hashFile' hashSource'completeHashing extractLength updateLength$fDescribableHashI$fBlockAlgorithmHashI$fBlockAlgorithmSomeHashI$fDescribableSomeHashI$fExtractableHashMemoryh$fInitialisableHashMemoryh$fMemoryHashMemoryBLAKE2sBLAKE2bimplementation2bimplementation2sblake2b blake2bFile blake2bSourceSHA1SHA224SHA256 cPortable$fExtractableSHA224MemorySHA224$fInitialisableSHA224Memory()$fMemorySHA224MemorySHA384SHA512$fExtractableSHA384MemorySHA384$fInitialisableSHA384Memory()$fMemorySHA384MemoryRandomStorablefillRandomElementsRandMRTreseedfillRandomBytesunsafeFillRandomElementsrandom randomiseCellrandomByteString$fMemoryThreadRT$fRandomStorableTuple$fRandomStorableBE$fRandomStorableLE$fRandomStorableIV$fRandomStorableKEY$fRandomStorableInt$fRandomStorableInt64$fRandomStorableInt32$fRandomStorableInt16$fRandomStorableInt8$fRandomStorableWord$fRandomStorableWord64$fRandomStorableWord32$fRandomStorableWord16$fRandomStorableWord8 $fFunctorRT$fApplicativeRT $fMonadRT $fMonadIORTHMAChmachmacFile hmacSourcesha512 sha512File sha512Source hmacSha512hmacSha512FilehmacSha512Sourcesha384 sha384File sha384Source hmacSha384hmacSha384FilehmacSha384Sourcesha256 sha256File sha256Source hmacSha256hmacSha256FilehmacSha256Sourcesha224 sha224File sha224Source hmacSha224hmacSha224FilehmacSha224Sourcesha1sha1File sha1SourcehmacSha1 hmacSha1FilehmacSha1SourceKEY256KEY192KEY128AES aes128cbc aes192cbc aes256cbc aes128ctr aes128cbcI aes192cbcI aes256cbcI$fInitialisableM128(,) $fMemoryM128$fInitialisableM192(,) $fMemoryM192$fInitialisableM256(,) $fMemoryM256version getBinDir getLibDir getDynLibDir getDataDir getLibexecDir getSysconfDirgetDataFileName AlignBoundaryunDestunSrcghc-prim GHC.ClassesEq isSuccessfulD:R:VectorResult0D:R:MVectorsResult0baseGHC.BaseMonoidmappendAlignc_memcpyGHC.RealquotRemForeign.Marshal.AllocallocaBytesAligned mallocBytesGHC.IO.Handle.TexthGetBuf $fLActionuPtrbytestring-0.10.8.2Data.ByteString.Internal ByteStringForeign.Storablepeek GHC.MaybeNothing undefParseStorableGHC.ShowShow Data.StringIsStringMaybeGHC.WordWord32$fFormatByteStringb64$fIsStringBase64 fromStringshow$fIsStringBase16<>TransferTransferAction TransferM makeTransfer makeWritemakeReadWord8getAgetParseDimension $fEqTuple Applicative PointerAction makeAlloc withMemorywithSecureMemory actualCellPtrCipherM ChaCha20MemWORDD:R:KeyChaCha20keyCellivCell counterCell ChaCha20Keyc_chacha20_block chacha20Blockchacha20Portable RandomBufgetBufferPointerrandomBufferSizerandomBufferAlignment getEntropy Blake2sMem Blake2bMemWord2sWord2bBLAKE2hash2b0 Data.Bitsxorhash2s0 blake2Padblake2bImplementationblake2sImplementation Compress2s Compress2b$fRecommendationBLAKE2$fRecommendationBLAKE20ShaBufferAction Compressor LengthWriteShaWriteShaMonadIsSha length64Writelength128WriteliftCompressor shaBlocksshaFinalshaPadshaImplementation$fRecommendationSHA1$fRecommendationSHA224$fRecommendationSHA256$fRecommendationSHA384$fRecommendationSHA512 RandomState maxCounterVal withAuxBuffergetRemainingBytessetRemainingBytes newSampleseed seedIfReq fillKeyIVWithreseedMTfillRandomBytesMTfillExistingBytes chacha20State auxBufferremainingBytes seedAndRunRTHMACKeyhmac' hmacFile' hmacSource'$fIsStringHMACKey hmacAdjustKeyunHMACEKEY256EKEY192EKEY128TUPLE pokeAndExpand$fPrimitiveAES$fPrimitiveAES0$fPrimitiveAES1 $fShowKEY128$fIsStringKEY128 $fShowKEY192$fIsStringKEY192 $fShowKEY256$fIsStringKEY256 D:R:KeyAES D:R:KeyAES0 D:R:KeyAES1$fShowIV $fIsStringIVM256M192M128 c_aes_cbc_d c_aes_cbc_e c_transposecbc128CPortable cbc128Encrypt cbc128Decryptcbc192CPortable cbc192Encrypt cbc192Decryptcbc256CPortable cbc256Encrypt cbc256Decrypt$fRecommendationAES$fRecommendationAES0$fRecommendationAES1