!N6      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~= BSD-styleKazu Yamamoto <kazu@iij.ad.jp> experimentalunknownSafe,6543210/.- BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownSafe" BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone3      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      ! BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone%:tlsConnection IO backend<tls,Flush the connection sending buffer, if any.=tlsClose the connection.>tls)Send a bytestring through the connection.?tls6Receive specified number of bytes from the connection. 789:;<=>? BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone)@tls'record some data about this connection.Btls$number of handshakes on this contextCtls#bytes received since last handshakeDtlsbytes sent since last handshake @ABCD"#$%& NoneM* '()*+,-./0 None*1E2F3456789:;<= BSD-styleKazu Yamamoto <kazu@iij.ad.jp> experimentalunknownNone7dGtls2048 bits finite field Diffie-Hellman ephemeral parameters defined in RFC 7919. The estimated symmetric-equivalent strength is 103 bits.Htls3072 bits finite field Diffie-Hellman ephemeral parameters defined in RFC 7919. The estimated symmetric-equivalent strength is 125 bits.Itls4096 bits finite field Diffie-Hellman ephemeral parameters defined in RFC 7919. The estimated symmetric-equivalent strength is 150 bits.Jtls6144 bits finite field Diffie-Hellman ephemeral parameters defined in RFC 7919. The estimated symmetric-equivalent strength is 175 bits.Ktls8192 bits finite field Diffie-Hellman ephemeral parameters defined in RFC 7919. The estimated symmetric-equivalent strength is 192 bits.GHIJKGHIJK  BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneG<>tls Direction?tlsRoleLtlsCompression identificationMtlsCipher identification@tls(Certificate request context for TLS 1.3.OtlsSession data to resumeZtls A session ID[tlsVersions known to TLSDSSL2 is just defined, but this version is and will not be supported.;ABCDEFGHIJKLMNOPQRSTU>VW?XYLMNZ[\]^@OPQRSTUVWXYZ[\]^_`a_`ba  BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneDctlsA session manageretlsAused on server side to decide whether to resume a client session.ftls_used on server side to decide whether to resume a client session for TLS 1.3 0RTT. For a given Z%, the implementation must return its O( only once and must not return the same O after the call.gtls#used when a session is established.htls#used when a session is invalidated.cdefghi  BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneEXQbtls0This is the default compression which is a NOOP.jtlsAevery compression need to be wrapped in this, to fit in structureltls>supported compression algorithms need to be part of this classctls+return the associated ID for this algorithmdtlszdeflate (compress) a bytestring using a compression context and return the result along with the new compression context.etlswinflate (decompress) a bytestring using a compression context and return the result along the new compression context.ftlsintersect a list of ids commonly given by the other side with a list of compression the function keeps the list of compression in order, to be able to find quickly the prefered compression.ptlsdefault null compression Lbjklmnocdefp BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneRghNoneXZ;itlsUAn opaque newtype wrapper to prevent from poking inside content that has been saved.jtlsThis is a strict version of &&.ktlsverify that 2 bytestrings are equals. it's a non lazy version, that will compare every bytes. arguments with different length will bail out earlyltlsSave the content of an m to restore it later.ntlsRestore the content of an mO to a previous saved value and return the content that has just been replaced.iopqrsjktuvwxln BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone^&ytls\Attempt to decode a bytestring representing an DER ASN.1 serialized object into the object.ztls7Encode an ASN.1 Object to the DER serialized bytestringyzNone^e{|}~ BSD-styleKazu Yamamoto <kazu@iij.ad.jp> experimentalunknownNone_ NoneEXetlsPTest the RSASSA-PKCS1 length condition described in RFC 8017 section 9.2, i.e. emLen >= tLen + 11. Lengths are in bytes.tlsPTest the RSASSA-PSS length condition described in RFC 8017 section 9.1.1, i.e. emBits >= 8hLen + 8sLen + 9. Lengths are in bits.tls+(for the md5 context, for the sha1 context)f ,-./01234561E2F3456789:;<=qwvutsrxyz{ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone2tlsBdeprecated alert, should never be sent by compliant implementationtls@TLS Exceptions related to bad user usage or asynchronous errorstlsGEarly termination exception with the reason and the error associatedtls(Handshake failed for the reason attachedtlsjUsage error when the connection has not been established and the user is trying to send or receive datatls5TLSError that might be returned through the TLS stacktlsmainly for instance of Errortlshandshake policy failed.tls,Some of the IANA registered code points for  are not currently supported by the library. Nor should they be, they're are either unwise, obsolete or both. There's no point in conveying these to the user in the client certificate request callback. The request callback will be filtered to exclude unsupported values. If the user cannot find a certificate for a supported code point, we'll go ahead without a client certificate and hope for the best, unless the user's callback decides to throw an exception.tlsTLS10 and up, RFC5246tlsTLS10 and up, RFC5246tlsTLS10 and up, RFC8422tlsTLS13 and up, synthetictlsTLS13 and up, synthetic | None of the below will ever be presented to the callback. Any future public key algorithms valid for client certificates go above this line.tlshLast supported certificate type, no 'CertificateType that compares greater than this one (based on the y instance, not on the wire code point) will be reported to the application via the client certificate request callback.OPQRSTUVWXYZ[\]^_`a|}~    BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone|    !"#$%&'()*+ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone,tlsFor now we ignore the version, but perhaps some day the PRF will depend not only on the cipher PRF algorithm, but also on the protocol version.-./012, BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneEXytlsCipher algorithmtlsCheck if a specific 2 is allowed to be used with the version specified@Mqwvutsrx      BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonetlsyAll AES and ChaCha20-Poly1305 ciphers supported ordered from strong to weak. This choice of ciphersuites should satisfy most normal needs. For otherwise strong ciphers we make little distinction between AES128 and AES256, and list each but the weakest of the AES128 ciphers ahead of the corresponding AES256 ciphers, with the ChaCha20-Poly1305 variant placed just after.aThe CCM ciphers all come together after the GCM variants due to their relative performance cost.tlsDThe default ciphersuites + some not recommended last resort ciphers.tlslist of medium ciphers.tlsThe strongest ciphers supported. For ciphers with PFS, AEAD and SHA2, we list each AES128 variant after the corresponding AES256 and ChaCha20-Poly1305 variants. For weaker constructs, we use just the AES256 form.gThe CCM ciphers come just after the corresponding GCM ciphers despite their relative performance cost.tls}DHE-RSA cipher suite. This only includes ciphers bound specifically to DHE-RSA so TLS 1.3 ciphers must be added separately.tls8all unencrypted ciphers, do not use on insecure network.tls@unencrypted cipher using RSA for key exchange and MD5 for digesttlsAunencrypted cipher using RSA for key exchange and SHA1 for digesttls/RC4 cipher, RSA key exchange and MD5 for digest tls0RC4 cipher, RSA key exchange and SHA1 for digest!tls?3DES cipher (168 bit key), RSA key exchange and SHA1 for digest"tls>AES cipher (128 bit key), RSA key exchange and SHA1 for digest#tlsMAES cipher (128 bit key), DHE key exchanged signed by DSA and SHA1 for digest$tlsMAES cipher (128 bit key), DHE key exchanged signed by RSA and SHA1 for digest%tls>AES cipher (256 bit key), RSA key exchange and SHA1 for digest&tlsMAES cipher (256 bit key), DHE key exchanged signed by DSA and SHA1 for digest'tlsMAES cipher (256 bit key), DHE key exchanged signed by RSA and SHA1 for digest(tls@AES cipher (128 bit key), RSA key exchange and SHA256 for digest)tls@AES cipher (256 bit key), RSA key exchange and SHA256 for digest-tlsaAESCCM cipher (128 bit key), RSA key exchange. The SHA256 digest is used as a PRF, not as a MAC..tlsbAESCCM8 cipher (128 bit key), RSA key exchange. The SHA256 digest is used as a PRF, not as a MAC./tlsaAESGCM cipher (128 bit key), RSA key exchange. The SHA256 digest is used as a PRF, not as a MAC.0tlsaAESCCM cipher (256 bit key), RSA key exchange. The SHA256 digest is used as a PRF, not as a MAC.1tlsbAESCCM8 cipher (256 bit key), RSA key exchange. The SHA256 digest is used as a PRF, not as a MAC.2tlsaAESGCM cipher (256 bit key), RSA key exchange. The SHA384 digest is used as a PRF, not as a MAC.; !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOP;"%()-./012$'+,#&345678;OPECDF9ABGHIJKLMN:<=>?@! * BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone@GHIJK !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOP BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone&.3456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_` BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneƝatlscurrent protocol versionbtlscurrent key exchange typectls$Decode a list CA distinguished namesdtls%Encode a list of distinguished names.etlsin certain cases, we haven't manage to decode ServerKeyExchange properly, because the decoding was too eager and the cipher wasn't been set yet. we keep the Server Key Exchange in it unparsed format, and this function is able to really decode the server key xchange if it's unparsed.ftlsfThe TLS12 PRF is cipher specific, and some TLS12 algorithms use SHA384 instead of the default SHA256..ghabijklmnopqrstucvwxydz{|}~e BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone@AȤ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneGқtlsRepresent a TLS record.tlsXturn a plaintext record into a compressed record using the compression function suppliedtlsTturn a compressed record into a ciphertext record using the cipher function suppliedtlsXturn a ciphertext fragment into a compressed fragment using the cipher function suppliedtls^turn a compressed fragment into a plaintext fragment using the decompression function suppliedtls&turn a record into an header and bytestls*turn a header and a fragment into a recordtlsturn a record into a header BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneF BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone>Չ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone  BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone>w! BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone@AMQtls5Type to show which handshake mode is used in TLS 1.3.RtlsFull handshake is used.Stls/Full handshake is used with hello retry reuest.Ttls!Server authentication is skipped.Utls8Server authentication is skipped and early data is sent.tls-When we receive a CertificateRequest from a server, a just-in-time callback is issued to the application to obtain a suitable certificate. Somewhat unfortunately, the callback parameters don't abstract away the details of the TLS 1.2 Certificate Request message, which combines the legacy certificate_types and new supported_signature_algorithms& parameters is a rather subtle way.TLS 1.2 also (again unfortunately, in the opinion of the author of this comment) overloads the signature algorithms parameter to constrain not only the algorithms used in TLS, but also the algorithms used by issuing CAs in the X.509 chain. Best practice is to NOT treat such that restriction as a MUST, but rather take it as merely a preference, when a choice exists. If the best chain available does not match the provided signature algorithm list, go ahead and use it anyway, it will probably work, and the server may not even care about the issuer CAs at all, it may be doing DANE or have explicit mappings for the client's public key, ... The TLS 1.3 CertificateRequest message, drops certificate_types and no longer overloads supported_signature_algorithmsi to cover X.509. It also includes a new opaque context token that the client must echo back, which makes certain client authentication replay attacks more difficult. We will store that context separately, it does not need to be presented in the user callback. The certificate signature algorithms preferred by the peer are now in the separate signature_algorithms_cert extension, but we cannot report these to the application callback without an API change. The good news is that filtering the X.509 signature types is generally unnecessary, unwise and difficult. So we just ignore this extension.As a result, the information we provide to the callback is no longer a verbatim copy of the certificate request payload. In the case of TLS 1.3 The 6 list is synthetically generated from the server's signature_algorithms extension, and the signature_algorithms_certs extension is ignored.Since the original TLS 1.2  has no provision for the newer certificate types that have appeared in TLS 1.3 we're adding some synthetic values that have no equivalent values in the TLS 1.2  as defined in the IANA < Uhttps://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-2d TLS ClientCertificateType Identifiers> registry. These values are inferred from the TLS 1.3 signature_algorithmsl extension, and will allow clients to present Ed25519 and Ed448 certificates when these become supported.tls>Set to Just-value when a TLS13 certificate request is receivedtls8Set to Just-value when a certificate request is receivedtlsIn TLS 1.3, these are separate from the certificate issuer signature algorithm hints in the callback data. In TLS 1.2 the same list is overloaded for both purposes. Not present in TLS 1.1 and earliertls4Set to true when a client certificate chain was senttls|Set to true when a certificate request was sent. This applies only to requests sent during handshake (not post-handshake).tlsECompress the whole transcript with the specified function. Function fo takes the handshake digest as input and returns an encoded handshake message to replace the transcript with.tls6Generate the master secret from the pre master secret.tlsSet master secret and as a side effect generate the key block with all the right parameters, and setup the pending tx/rx state.tlschosen transmission versiontls2the role (Client or Server) of the generating sidetlsthe pre master secrettlschosen version\QTRSU     " BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone !# BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone&"tls-Application Layer Protocol Negotiation (ALPN)#tlsSecure Renegotiation$tls?Max fragment extension with length from 512 bytes to 4096 bytesRFC 6066 defines: If a server receives a maximum fragment length negotiation request for a value other than the allowed values, it MUST abort the handshake with an "illegal_parameter" alert.HSo, if a server receives MaxFragmentLengthOther, it must send the alert.%tlsServer Name extension including the name type and the associated name. the associated name decoding is dependant of its name type. name type = 0 : hostname&tlsKExtension class to transform bytes to and from a high level Extension type.'tls.all supported extensions by the implementationk,-./0123456()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVW"X#YVWXYZ$Z[\]^%_&`abcdefghijklmnopqrstuvwxyz{|'$ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone@AMSX*G/}~% BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone/[tls3Certificate Usage callback possible returns values.\tlsusage of certificate accepted]tlsusage of certificate rejected^tls&Certificate and Chain rejection reason!#+[\]^_`abc& BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone5dtlsA collection of hooks actions.ftls)called at each handshake message receivedgtls5called at each handshake message received for TLS 1.3htls1called at each certificate chain message receiveditls/hooks on IO and packets, receiving and sending.jtlsHooks for logging8This is called when sending and receiving packets and IO defghijklmno' BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneDstlstry to create a new credential object from a public certificate and the associated private key that are stored on the filesystem in PEM format.ttls similar to sV but take the certificate and private key from memory instead of from the filesystem.utls similar to s/ but also allow specifying chain certificates.vtls similar to t/ but also allow specifying chain certificates.tlsChecks whether certificate signatures in the chain comply with a list of hash/signature algorithm pairs. Currently the verification applies only to the signature of the leaf certificate, and when not self-signed. This may be extended to additional chain elements in the future.stls!public certificate (X.509 format)tlsprivate key associatedutls!public certificate (X.509 format)tls!chain certificates (X.509 format)tlsprivate key associated pqrstuv( BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone2wtlsQA set of callbacks run by the server for various corners of the TLS establishmentytlsThis action is called when a client certificate chain is received from the client. When it returns a CertificateUsageReject value, the handshake is aborted.The function is not expected to verify the key-usage extension of the certificate. This verification is performed by the library internally.ztlsNThis action is called when the client certificate cannot be verified. Return ' to accept the certificate anyway, or  to fail verification.{tlsiAllow the server to choose the cipher relative to the the client version and the client list of ciphers.xThis could be useful with old clients and as a workaround to the BEAST (where RC4 is sometimes prefered with TLS < 1.1)'The client cipher list cannot be empty.|tlstAllow the server to indicate additional credentials to be used depending on the host name indicated by the client.This is most useful for transparent proxies where credentials must be generated on the fly according to the host the client is trying to connect to.yReturned credentials may be ignored if a client does not support the signature algorithms used in the certificate chain.}tlsQat each new handshake, we call this hook to see if we allow handshake to happens.~tlsAllow the server to choose an application layer protocol suggested from the client through the ALPN (Application Layer Protocol Negotiation) extensions.tlsNA set of callbacks run by the clients for various corners of TLS establishmenttls$This action is called when the a certificate request is received from the server. The callback argument is the information from the request. The server, at its discretion, may be willing to continue the handshake without a client certificate. Therefore, the callback is free to return  to indicate that no client certificate should be sent, despite the server's request. In some cases it may be appropriate to get user consent before sending the certificate; the content of the user's certificate may be sensitive and intended only for specific servers.!The action should select a certificate chain of one of the given certificate types and one of the certificates in the chain should (if possible) be signed by one of the given distinguished names. Some servers, that don't have a narrow set of preferred issuer CAs, will send an empty  list, rather than send all the names from their trusted CA bundle. If the client does not have a certificate chaining to a matching CA, it may choose a default certificate instead.Each certificate except the last should be signed by the following one. The returned private key must be for the first certificates in the chain. This key will be used to signing the certificate verify message.|The public key in the first certificate, and the matching returned private key must be compatible with one of the list of  value when provided. TLS 1.3 changes the meaning of the list elements, adding explicit code points for each supported pair of hash and signature (public key) algorithms, rather than combining separate codes for the hash and key. For details see  1https://tools.ietf.org/html/rfc8446#section-4.2.3RFC 8446M section 4.2.3. When no compatible certificate chain is available, return  if it is OK to continue without a client certificate. Returning a non-matching certificate should result in a handshake failure.KWhile the TLS version is not provided to the callback, the content of the signature_algorithmsm list provides a strong hint, since TLS 1.3 servers will generally list RSA pairs with a hash component of  Intrinsic (0x08).Note that is is the responsibility of this action to select a certificate matching one of the requested certificate types (public key algorithms). Returning a non-matching one will lead to handshake failure later.tlsZUsed by the client to validate the server certificate. The default implementation calls H which validates according to the default hooks and checks provided by Data.X509.ValidationT. This can be replaced with a custom validation function using different settings.The function is not expected to verify the key-usage extension of the end-entity certificate, as this depends on the dynamically-selected cipher and this part should not be cached. Key-usage verification is performed by the library internally.tlsqThis action is called when the client sends ClientHello to determine ALPN values such as '["h2", "http/1.1"]'.tlsThis action is called to validate DHE parameters when the server selected a finite-field group not part of the "Supported Groups Registry" or not part of  list.With TLS 1.3 custom groups have been removed from the protocol, so this callback is only used when the version negotiated is 1.2 or below.CThe default behavior with (dh_p, dh_g, dh_size) and pub as follows: rejecting if dh_p is even,rejecting unless 1 < dh_g && dh_g < dh_p - 1+rejecting unless 1 < dh_p && pub < dh_p - 16rejecting if dh_size < 1024 (to prevent Logjam attack)-See RFC 7919 section 3.1 for recommandations.tls Type for 4. This type synonym is to make document readable.tls Type for 4. This type synonym is to make document readable.tls,Group usage callback possible return values.tlsusage of group acceptedtls-usage of group provides insufficient securitytls>usage of group rejected for other reason (specified as string)tls+usage of group with an invalid public valuetls2Parameters that are common to clients and servers.tlsThe list of certificates and private keys that a server will use as part of authentication to clients. Actual credentials that are used are selected dynamically from this list based on client capabilities. Additional credentials returned by | are also considered.XWhen credential list is left empty (the default value), no key exchange can take place.tlsCallbacks used by clients and servers in order to resume TLS sessions. The default implementation never resumes sessions. Package  7https://hackage.haskell.org/package/tls-session-managertls-session-manager' provides an in-memory implementation.tlsA collection of trust anchors to be used by a client as part of validation of server certificates. This is set as first argument to function  . Package  /https://hackage.haskell.org/package/x509-system x509-systemH gives access to a default certificate store configured in the system.tlsCallbacks that may be used by a client to cache certificate validation results (positive or negative) and avoid expensive signature check. The default implementation does not have any caching.tlsDList all the supported algorithms, versions, ciphers, etc supported.tlsSupported versions by this context. On the client side, the highest version will be used to establish the connection. On the server side, the highest version that is less or equal than the client version will be chosen.KVersions should be listed in preference order, i.e. higher versions first.tlsSSupported cipher methods. The default is empty, specify a suitable cipher list. ) is often a good choice.tlsSupported compressions methods. By default only the "null" compression is supported, which means no compression will be performed. Allowing other compression method is not advised as it causes a connection failure when TLS 1.3 is negotiated.tlsAll supported hash/signature algorithms pair for client certificate verification and server signature in (EC)DHE, ordered by decreasing priority.BThis list is sent to the peer as part of the "signature_algorithms" extension. It is used to restrict accepted signatures received from the peer at TLS level (not in X.509 certificates), but only when the TLS version is 1.2 or above. In order to disable SHA-1 one must then also disable earlier protocol versions in .WThe list also impacts the selection of possible algorithms when generating signatures.Note: with TLS 1.3 some algorithms have been deprecated and will not be used even when listed in the parameter: MD5, SHA-1, SHA-224, RSA PKCS#1, DSS.tls/Secure renegotiation defined in RFC5746. If 7, clients send the renegotiation_info extension. If g, servers handle the extension or the renegotiation SCSV then send the renegotiation_info extension.tlsIf ], renegotiation is allowed from the client side. This is vulnerable to DOS attacks. If I, renegotiation is allowed only from the server side via HelloRequest.tlsSet if we support session.tls4Support for fallback SCSV defined in RFC7507. If b, servers reject handshakes which suggest a lower protocol than the highest protocol supported.tlsdIn ver <= TLS1.0, block ciphers using CBC are using CBC residue as IV, which can be guessed by an attacker. Hence, an empty packet is normally sent before a normal data packet, to prevent guessability. Some Microsoft TLS-based protocol implementations, however, consider these empty packets as a protocol violation and disconnect. If this parameter is Y, empty packets will never be added, which is less secure, but might help in rare cases.tlsVA list of supported elliptic curves and finite-field groups in the preferred order.The list is sent to the server as part of the "supported_groups" extension. It is used in both clients and servers to restrict accepted groups in DH key exchange.The default value is [0,-,.,/]. 0 and - provide 128-bit security which is strong enough until 2030. Both curves are fast because their backends are written in C.tls"request a certificate from client.tlsThis is a list of certificates from which the disinguished names are sent in certificate request messages. For TLS1.0, it should not be empty.tlsServer Optional Diffie Hellman parameters. Setting parameters is necessary for FFDHE key exchange when clients are not compatible with RFC 7919.9Value can be one of the standardized groups from module Network.TLS.Extra.FFDHE& or custom parameters generated with *+.tlsrServer accepts this size of early data in TLS 1.3. 0 (or lower) means that the server does not accept early data.tlsLifetime in seconds for session tickets generated by the server. Acceptable value range is 0 to 604800 (7 days). The default lifetime is 86400 seconds (1 day).tlsDefine the name of the server, along with an extra service identification blob. this is important that the hostname part is properly filled for security reason, as it allow to properly associate the remote side with the given certificate during a handshake.The extra blob is useful to differentiate services running on the same host, but that might have different certificates given. It's only used as part of the X509 validation infrastructure.tlsAllow the use of the Server Name Indication TLS extension during handshake, which allow the client to specify which host name, it's trying to access. This is useful to distinguish CNAME aliasing (e.g. web virtual host).tls1try to establish a connection using this session.tlsIIn this element, you'll need to override the default empty value of of  with a suitable cipherlist.tlsClient tries to send this early data in TLS 1.3 if possible. If not accepted by the server, it is application's responsibility to re-sent it.tls-All settings should not be used in productiontlsDisable the true randomness in favor of deterministic seed that will produce a deterministic random from. This is useful for tests and debugging purpose. Do not use in productiontlsyAdd a way to print the seed that was randomly generated. re-using the same seed will reproduce the same randomness with tls0Force to choose this version in the server side.tls1Printing master keys. The default is no printing.SVWXYZ[\]^_`abcwxyz{|}~, BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonemtlssimple pending actiontls=pending action taking transcript hash up to preceding messagetlsJA TLS Context keep tls specific state, parameters and backend information.tls6return the backend object associated with this contexttlshas the handle EOFed or not.tls0has the handshake been done and been successful.tls-empty packet workaround for CBC guessability.tlsenable the reception of compatibility SSLv2 client hello. the flag will be set to false regardless of its initial value after the first packet received.tlscurrent tx statetlscurrent rx statetlsoptional handshake statetlshooks for this contexttls;lock to use for writing data (including updating the state)tls;lock to use for reading data (including updating the state)tlsmlock used during read/write when receiving and sending packet. it is usually nested in a write or read lock.tlspending PHA requeststls=Information related to a running context, e.g. current ciphertls.A shortcut for 'backendFlush . ctxConnection'.tls.A shortcut for 'backendClose . ctxConnection'.tls%Information about the current context@ABCDOPQRSTUVWXYZVWXYZdefghi     - BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonetlsmarshall packet data tlsjwritePacket transform a packet into marshalled data related to current state and updating state on the go . BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone>!/ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone>R"0 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone#$%&'()*+,-1 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneQ)#.tls Generate a server random suitable for the version selected by the server and its supported versions. We use an 8-byte downgrade suffix when the selected version is lowered because of incomplete client support, but also when a version downgrade has been forced with debugVersionForced. This second part allows to test that the client implementation correctly detects downgrades. The suffix is not used when forcing TLS13 to a server not officially supporting TLS13 (this is not a downgrade scenario but only the consequence of our debug API allowing this)./tlsTest if the negotiated version was artificially downgraded (that is, for other reason than the versions supported by the client)../0122 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone*n343 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneM85tlsjState monad used to group several packets together and send them on wire as single flight. When packets are loaded in the monad, they are logged immediately, update the context digest and transcript, but actual sending is deferred. Packets are sent all at once when the monadic computation ends (normal termination but also if interrupted by an exception).6tlsJrecvRecord receive a full TLS record (header + data), from the other side..The record is disengaged from the record layer7tlsreceive one packet from the context that contains 1 or many messages (many only in case of handshake). if will returns a TLSError if the packet is unexpected or malformed8tlsSend one packet to the context6tls1flag to enable SSLv2 compat ClientHello receptiontls;number of AppData bytes to accept above normal maximum sizetls TLS context 5978:;<=>4 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone=?A??tlsTest whether the argument is a public key supported for signature. This also accepts a key for RSA encryption. This test is performed by clients or servers before verifying a remote Certificate Verify.@tlsTest whether the argument is matching key pair supported for signature. This also accepts material for RSA encryption. This test is performed by servers or clients before using a credential from the local configuration. ABCDEFGHI?@JK5 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneRHLtls0Check that the key is compatible with a list of t values. Ed25519 and Ed448 have no assigned code point and are checked with extension "signature_algorithms" only.Mtls Translate a  to an acceptable . Perhaps this needs to take supported groups into account, so that, for example, if we don't support any shared ECDSA groups with the server, we return  rather than .Therefore, this interface is preliminary. It gets us moving in the right direction. The interplay between all the various TLS extensions and certificate selection is rather complex.NThe goal is to ensure that the client certificate request callback only sees n values that are supported by the library and also compatible with the server signature algorithms extension.DSince we don't yet support ECDSA private keys, the caller will use , to filter those out for now, leaving just RSA@ as the only supported client certificate algorithm for TLS 1.3.1FIXME: Add RSA_PSS_PSS signatures when supported. NLOMPQRSTUVW6 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneSXYZ7NoneY[tls1when a new handshake is done, wrap up & clean up.\tls?process a list of handshakes message in the recv state machine.]tlsStore the specified keypair. Whether the public key and private key actually match is left for the peer to discover. We're not presently burning CPU to detect that misconfiguration. We verify only that the types of keys match.^_`abcde[fgh\ijkl]mn8 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone[3opqrs9 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneMb7ttls1TLS13 handshake wrap up & clean up. Contrary to handshakeTerminate, this does not handle session, which is managed separately for TLS 1.3. This does not reset byte counters because renegotiation is not allowed. And a few more state attributes are preserved, necessary for TLS13 handshake modes, session tickets and post-handshake authentication.'uvwxyz{|}~t: BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonettls)Put the server context in handshake mode.Expect a client hello message as parameter. This is useful when the client hello has been already poped from the recv layer to inspect the packet.When the function returns, a new handshake has been succesfully negociated. On any error, a HandshakeFailed exception is raised.handshake protocol ( - receiving, -K sending, [] optional): (no session) (session resumption) <- client hello <- client hello -> server hello -> server hello -> [certificate] -> [server key xchg] -> [cert request] -> hello done <- [certificate] <- client key xchg <- [cert verify]  -change cipher - change cipher  -finish -Z finish -> change cipher <- change cipher -> finish <- finishtls>receive Client data in handshake until the Finished handshake.g<- [certificate] <- client key xchg <- [cert verify] <- change cipher <- finish; BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone_gtlsBStore the keypair and check that it is compatible with a list of  values.tlsWhen the server requests a client certificate, we try to obtain a suitable certificate chain and private key via the callback in the client parameters. It is OK for the callback to return an empty chain, in many cases the client certificate is optional. If the client wishes to abort the handshake for lack of a suitable certificate, it can throw an exception in the callback.The return value is  when no CertificateRequest was received and no  Certificate? message needs to be sent. An empty chain means that an empty  Certificate> message needs to be sent to the server, naturally without a CertificateVerify. A non-empty @ is the chain to send to the server along with a corresponding CertificateVerify.With TLS < 1.2 the server's CertificateRequesto does not carry a signature algorithm list. It has a list of supported public key signing algorithms in the certificate_types' field. The hash is implicit. It is s for DSS and x for RSA.With TLS == 1.2 the server's CertificateRequest always has a supported_signature_algorithms. list, as a fixed component of the structure. This list is (wrongly) overloaded to also limit X.509 signatures in the client's certificate chain. The BCP strategy is to find a compatible chain if possible, but else ignore the constraint, and let the server verify the chain as it sees fit. The supported_signature_algorithmsY field is only obligatory with respect to signatures on TLS messages, in this case the CertificateVerify message. The certificate_types field is still included.With TLS 1.3 the server's CertificateRequest has a mandatory signature_algorithms extension, the signature_algorithms_cert extension, which is optional, carries a list of algorithms the server promises to support in verifying the certificate chain. As with TLS 1.2, the client's makes a  best-effortD to deliver a compatible certificate chain where all the CA signatures are known to be supported, but it should not abort the connection just because the chain might not work out, just send the best chain you have and let the server worry about the rest. The supported public key algorithms are now inferred from the signature_algorithms extension and certificate_types is gone.(With TLS 1.3, we synthesize and store a certificate_types& field at the time that the server's CertificateRequestx message is received. This is then present across all the protocol versions, and can be used to determine whether a CertificateRequest was received or not.If signature_algorithms is ), then we're doing TLS 1.0 or 1.1. The signature_algorithms_cert extension is optional in TLS 1.3, and so the application callback will not be able to distinguish between TLS 1.[01] and TLS 1.3 with no certificate algorithm hints, but this just simplifies the chain selection process, all CA signatures are OK.tlsReturn a most preferred HandAndSignatureAlgorithm that is compatible with the local key and server's signature algorithms (both already saved). Must only be called for TLS versions 1.2 and up.The values in the server's signature_algorithmsv extension are in descending order of preference. However here the algorithms are selected by client preference in  cHashSigs.tlsReturn the supported M values that are compatible with at least one supported signature algorithm.tlsHTLS 1.2 and below. Send the client handshake messages that follow the  ServerHello, etc. except for CCS and Finished.aXXX: Is any buffering done here to combined these messages into a single TCP packet? Otherwise we're prone to Nagle delays, or in any case needlessly generate multiple small packets, where a single larger packet will do. The TLS 1.3 code path seems to separating record generation and transmission and sending multiple records in a single packet.> [certificate]> client key exchange> [cert verify]tls<onServerHello process the ServerHello message on the client.1) check the version chosen by the server is one allowed by parameters. 2) check that our compression and cipher algorithms are part of the list we sent 3) check extensions received are part of the one we sent 4) process the session parameter to see if the server want to start a new session or can resume 5) if no resume switch to processCertificate SM or in resume switch to expectChangeCipher< BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNonetls:Post-handshake certificate request with TLS 1.3. Returns u if the request was possible, i.e. if TLS 1.3 is used and the remote client supports post-handshake authentication.= BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone²tlssHandshake for a new TLS connection This is to be called at the beginning of a connection, and during renegotiation> BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone:tls@create a new context using the backend and parameters specified.tls"create a new context on an handle.tls!create a new context on a socket.tlsNBackend abstraction with specific method to interact with the connection type.tlsParameters of the context.tlsHandle of the connection.tlsParameters of the context.tlsSocket of the connection.tlsParameters of the context.Tdefghi     ? BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNoneX tlsHow to update keys in TLS 1.3tlsUnidirectional key updatetls&Bidirectional key update (normal case)tlsnotify the context that this side wants to close connection. this is important that it is called before closing the handle, otherwise the session might not be resumable (for version < TLS1.2).&this doesn't actually close the handletlsVIf the ALPN extensions have been used, this will return get the protocol agreed upon.tlsdIf the Server Name Indication extension has been used, return the hostname specified by the client.tls[sendData sends a bunch of data. It will automatically chunk data to acceptable packet sizetlsGet data out of Data packet, and automatically renegotiate if a Handshake ClientHello is received. An empty result means EOF.tls/same as recvData but returns a lazy bytestring.tlsWUpdating appication traffic secrets for TLS 1.3. If this API is called for TLS 1.3,  is returned. Otherwise,  is returned.78@ BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone_`3456789:OPQRSTUVWXYZ[\]^_`a|}~      !"#$%&'()*+;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ghabijklmnopqrstucvwxydz{|}~e "78 BSD-style#Vincent Hanquez <vincent@snarc.org> experimentalunknownNone" "! #'&%$+*)(,-./0123456789:;<=>?@ABCDEFLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqwvutsrxyz{|}~     QTRSUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~789:;<=>?wxyz{|}~pqrstuvZOPQRSTUVWXYcdefghiNdefghi|jklmnobEF@ABCD[\]^_`abcVWXYZ"! +*)('&%$#[\]^_`ajklmnopL    qwvutsrxM  ,-./0123456QTRSUyz{}~ABCABDABEABFABGABHABIABJAKLAKMAKNAKOAKPAKQAKRAKSAKTAKUVWXVWYVWZVW[VW\VW]VW^VW_VW`VWaVWaVWbVWcVWdVWeVWfVWfVghVgiVgjVgkVglVgmVgnVgoVgopqrstuvwxyz{|}~~                            !"#$%%&'()*+,-./0123456789:;<=>?@ABBCDEFGHIJKLMNOP)QRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~!!!!!#####%%%%%%%%%&&&&&&&&&&&&'''''''((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((,,,,,,,,,,,,,,,,,<=>>>>>>>>????? ? ? ? ? ? !"#$"%&"%'"#(")*"#+"#,"#-"#."#/"#0"#1"#2"#345645745845945:45;45<45=">?"#@"#A"#B"#C"#D"#E"FG"FH"FI"FJ"FK"FL"FM"FN"FO"FP"FQ"FR"ST"SU"#V"#W"#X"#Y"Z["Z\"Z]4^_4^`4^a4^b4^c"de"df"dg"dhijk"lm"ln"lo"lp"lq"lq"lr"ls"ls"lt"lu"lu"lv"lw"lx"lx"ly"lz"lz"l{"l|"l}"l~"l"l"l")")")")")")")")")")")")")")""S"S"S""""""""""""""F"F"F"F"F"F"F"F"F"F"F"F"F"F"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""d"d"d""""""""""" " " " " """""""""""""""""" "%!"%""%#"%$"%%"%&"%'"%("%)"%*"%+"%,"%-"%."%/"%0"%1"%2"%3"%4"%5"%6"%7"%8"%9"%:"%;"%<"%="%>"%?"@A"@B"@C"@D"@E"@F"@G"@H"#I"#J"#K"#L"#M"#N"#O"#P"#Q"#R"#S"#T"#U"#V"#W"#X"#Y"#Z"#["\]^_`abcdecdfcdgcdhcijcik l l m n o p q r s t u v w x y z { | } ~                                      "cccA         !"#$%%&''()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTFUVWXYZ[\]^_`abcabdabeafgafhafiafjafklmnopqrstuvwxyz{|}~      !!!!!!!!!!!!!!!!!!!!!!!! ! ! ! ! !!!!!!!!!!!!!!!!!!! !!!"!#!$!%!&!'!(!)!*!+!,!-!.!/!0!1!2!3!4!5!6!7!8!9!:!;!<!=!>!?!@!A!B!C!D!E!F!G!H"I"J"K#L#M#N#O#P#Q#R#R#S#S#T#T##U#V#W#W#X#X#Y#Z#[#\#]#^#_#`#`#a#b#c#d#e#f#f#g#g#h#h#i#j#k#l#l#m#m#n#o#p#q#r#r#s#s#L#M#N#t#u#v#w#O#x#y#z#{#|#}#~######################$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$ $$$$$$$$$$$$$$$$AAAAAAAAAAAAAAVWVWV%%%%&'''''4^4^(,,,,,,,,,,,,,,,,,, , , ,, , ,,,,,,,,,,,,,,,,,,, ,!,",#,$,%,&,',(,),*,+,,,-,.,/,0,1,2,3-4-5.6/708090:0;0<0=0>0?0@0A0B1C1D1E1F1G2H2I3J3K3L3M3N3O3P3Q3R3S4T4U4V4W4X4Y4Z4[4\4]4^4_4`5a5b5c5d5e5f5g5h5i5j5k5l6m6n6o7p7q7r7s7t7u7v7w7x7y7z7{7|7}7~7777788888999999999999999999999999999999999999999:::::;;;;;;;;;<= tls-1.5.2-6qg3M1dYcvo7ITGBTJ1xBn Network.TLSNetwork.TLS.Extra.FFDHENetwork.TLS.Extra.CipherNetwork.TLS.Crypto.TypesNetwork.TLS.ErrTNetwork.TLS.ImportsNetwork.TLS.BackendNetwork.TLS.MeasurementNetwork.TLS.RNGNetwork.TLS.Crypto.DHNetwork.TLS.TypesNetwork.TLS.SessionNetwork.TLS.CompressionNetwork.TLS.CapNetwork.TLS.UtilNetwork.TLS.Util.ASN1Network.TLS.Util.SerializationNetwork.TLS.Crypto.IESNetwork.TLS.CryptoNetwork.TLS.StructNetwork.TLS.Struct13Network.TLS.MACNetwork.TLS.CipherNetwork.TLS.ExtraNetwork.TLS.WireNetwork.TLS.PacketNetwork.TLS.Record.StateNetwork.TLS.Record.TypesNetwork.TLS.Record.EngageNetwork.TLS.Record.DisengageNetwork.TLS.RecordNetwork.TLS.Packet13Network.TLS.Handshake.StateNetwork.TLS.KeyScheduleNetwork.TLS.ExtensionNetwork.TLS.StateNetwork.TLS.X509Network.TLS.HooksNetwork.TLS.CredentialsNetwork.TLS.Parametersciphersuite_defaultCrypto.PubKey.DHgenerateParamsNetwork.TLS.Context.InternalNetwork.TLS.SendingNetwork.TLS.Receiving13Network.TLS.ReceivingNetwork.TLS.Handshake.State13Network.TLS.Handshake.RandomNetwork.TLS.Sending13Network.TLS.IONetwork.TLS.Handshake.KeyNetwork.TLS.Handshake.SignatureNetwork.TLS.Handshake.ProcessNetwork.TLS.Handshake.Common!Network.TLS.Handshake.CertificateNetwork.TLS.Handshake.Common13Network.TLS.Handshake.ServerNetwork.TLS.Handshake.ClientNetwork.TLS.PostHandshakeNetwork.TLS.HandshakeNetwork.TLS.ContextNetwork.TLS.CoreNetwork.TLS.Internal!x509-1.7.5-88sFAu8thSMBsuVkhC0qSyData.X509.PrivateKey PrivKeyEd448PrivKeyEd25519 PrivKeyX448 PrivKeyX25519 PrivKeyEC PrivKeyDSA PrivKeyRSAPrivKeyData.X509.PublicKey PubKeyUnknown PubKeyEd448 PubKeyEd25519 PubKeyX448 PubKeyX25519PubKeyECPubKeyDH PubKeyDSA PubKeyRSAPubKey-x509-validation-1.6.11-Hs27ZJXTONT40yEPj2M3M5Data.X509.Validation checkFQHNcheckLeafKeyPurposecheckLeafKeyUsage checkLeafV3checkExhaustivecheckCAConstraintscheckStrictOrdering checkAtTimecheckTimeValidityValidationCheckshookFilterReasonhookValidateNamehookValidateTimehookMatchSubjectIssuerValidationHooksData.X509.Validation.CacheexceptionValidationCacheValidationCacheUnknownValidationCacheDeniedValidationCachePassValidationCacheResultcacheAdd cacheQueryValidationCacheGroupP256P384P521X25519X448 FFDHE2048 FFDHE3072 FFDHE4096 FFDHE6144 FFDHE8192 HasBackendinitializeBackend getBackendBackend backendFlush backendClose backendSend backendRecv Measurement nbHandshakes bytesReceived bytesSentDHParamsDHPublic ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192 CompressionIDCipherIDTLS13TicketInfo SessionDatasessionVersion sessionCiphersessionCompressionsessionClientSNI sessionSecret sessionGroupsessionTicketInfo sessionALPNsessionMaxEarlyDataSize SessionIDVersionSSL2SSL3TLS10TLS11TLS12TLS13HostNameSessionManager sessionResumesessionResumeOnlyOncesessionEstablishsessionInvalidatenoSessionManager Compression CompressionCcompressionCIDcompressionCDeflatecompressionCInflatenullCompressionHashMD5SHA1SHA224SHA256SHA384SHA512SHA1_MD5KxErrorRSAError KxUnsupported HandshakeAlertDescription CloseNotifyUnexpectedMessage BadRecordMacDecryptionFailedRecordOverflowDecompressionFailureHandshakeFailureBadCertificateUnsupportedCertificateCertificateRevokedCertificateExpiredCertificateUnknownIllegalParameter UnknownCa AccessDenied DecodeError DecryptErrorExportRestrictionProtocolVersionInsufficientSecurity InternalErrorInappropriateFallback UserCanceledNoRenegotiationMissingExtensionUnsupportedExtensionCertificateUnobtainableUnrecognizedNameBadCertificateStatusResponseBadCertificateHashValueUnknownPskIdentityCertificateRequiredNoApplicationProtocol ClientRandomunClientRandom ServerRandomunServerRandomHeader TLSException TerminatedHandshakeFailedConnectionNotEstablishedTLSError Error_MiscError_ProtocolError_CertificateError_HandshakePolicy Error_EOF Error_PacketError_Packet_unexpectedError_Packet_Parsing ProtocolTypeProtocolType_ChangeCipherSpecProtocolType_AlertProtocolType_HandshakeProtocolType_AppData ProtocolType_DeprecatedHandshakeHashAndSignatureAlgorithmSignatureAlgorithmSignatureAnonymous SignatureRSA SignatureDSSSignatureECDSASignatureRSApssRSAeSHA256SignatureRSApssRSAeSHA384SignatureRSApssRSAeSHA512SignatureEd25519SignatureEd448SignatureRSApsspssSHA256SignatureRSApsspssSHA384SignatureRSApsspssSHA512SignatureOther HashAlgorithmHashNoneHashMD5HashSHA1 HashSHA224 HashSHA256 HashSHA384 HashSHA512 HashIntrinsic HashOtherCertificateTypeCertificateType_RSA_SignCertificateType_DSS_SignCertificateType_ECDSA_SignCertificateType_Ed25519_SignCertificateType_Ed448_SignCertificateType_RSA_Fixed_DHCertificateType_DSS_Fixed_DH CertificateType_RSA_Ephemeral_DH CertificateType_DSS_Ephemeral_DHCertificateType_fortezza_dmsCertificateType_RSA_Fixed_ECDH CertificateType_ECDSA_Fixed_ECDHCertificateType_UnknownCiphercipherID cipherName cipherHash cipherBulkcipherKeyExchange cipherMinVer cipherPRFHashBulkbulkName bulkKeySize bulkIVSizebulkExplicitIVbulkAuthTagLen bulkBlockSizebulkFCipherKeyExchangeTypeCipherKeyExchange_RSACipherKeyExchange_DH_AnonCipherKeyExchange_DHE_RSACipherKeyExchange_ECDHE_RSACipherKeyExchange_DHE_DSSCipherKeyExchange_DH_DSSCipherKeyExchange_DH_RSACipherKeyExchange_ECDH_ECDSACipherKeyExchange_ECDH_RSACipherKeyExchange_ECDHE_ECDSACipherKeyExchange_TLS13 BulkFunctions BulkBlockF BulkStreamF BulkAeadF BulkDirection BulkEncrypt BulkDecryptBulkAEAD BulkBlock BulkStream BulkStateBulkStateStreamBulkStateBlock BulkStateAEADBulkStateUninitializedBulkAdditionalData BulkNonceBulkIVBulkKeybulkInithasMAC hasRecordIVcipherKeyBlockSizecipherAllowedForVersionciphersuite_allciphersuite_mediumciphersuite_strongciphersuite_dhe_rsaciphersuite_dhe_dssciphersuite_unencryptedcipher_null_MD5cipher_null_SHA1cipher_RC4_128_MD5cipher_RC4_128_SHA1cipher_RSA_3DES_EDE_CBC_SHA1cipher_AES128_SHA1cipher_DHE_DSS_AES128_SHA1cipher_DHE_RSA_AES128_SHA1cipher_AES256_SHA1cipher_DHE_DSS_AES256_SHA1cipher_DHE_RSA_AES256_SHA1cipher_AES128_SHA256cipher_AES256_SHA256cipher_DHE_DSS_RC4_SHA1cipher_DHE_RSA_AES128_SHA256cipher_DHE_RSA_AES256_SHA256cipher_AES128CCM_SHA256cipher_AES128CCM8_SHA256cipher_AES128GCM_SHA256cipher_AES256CCM_SHA256cipher_AES256CCM8_SHA256cipher_AES256GCM_SHA384cipher_DHE_RSA_AES128CCM_SHA256 cipher_DHE_RSA_AES128CCM8_SHA256cipher_DHE_RSA_AES128GCM_SHA256cipher_DHE_RSA_AES256CCM_SHA256 cipher_DHE_RSA_AES256CCM8_SHA256cipher_DHE_RSA_AES256GCM_SHA384(cipher_ECDHE_RSA_CHACHA20POLY1305_SHA256*cipher_ECDHE_ECDSA_CHACHA20POLY1305_SHA256&cipher_DHE_RSA_CHACHA20POLY1305_SHA256cipher_TLS13_AES128GCM_SHA256cipher_TLS13_AES256GCM_SHA384$cipher_TLS13_CHACHA20POLY1305_SHA256cipher_TLS13_AES128CCM_SHA256cipher_TLS13_AES128CCM8_SHA256 cipher_ECDHE_ECDSA_AES128CBC_SHA cipher_ECDHE_ECDSA_AES256CBC_SHAcipher_ECDHE_RSA_AES128CBC_SHAcipher_ECDHE_RSA_AES256CBC_SHA!cipher_ECDHE_RSA_AES128CBC_SHA256!cipher_ECDHE_RSA_AES256CBC_SHA384#cipher_ECDHE_ECDSA_AES128CBC_SHA256#cipher_ECDHE_ECDSA_AES256CBC_SHA384#cipher_ECDHE_ECDSA_AES128CCM_SHA256$cipher_ECDHE_ECDSA_AES128CCM8_SHA256#cipher_ECDHE_ECDSA_AES128GCM_SHA256#cipher_ECDHE_ECDSA_AES256CCM_SHA256$cipher_ECDHE_ECDSA_AES256CCM8_SHA256#cipher_ECDHE_ECDSA_AES256GCM_SHA384!cipher_ECDHE_RSA_AES128GCM_SHA256!cipher_ECDHE_RSA_AES256GCM_SHA384HandshakeMode13 FullHandshakeHelloRetryRequest PreSharedKeyRTT0MaxFragmentEnumMaxFragment512MaxFragment1024MaxFragment2048MaxFragment4096CertificateUsageCertificateUsageAcceptCertificateUsageRejectCertificateRejectReasonCertificateRejectExpiredCertificateRejectRevokedCertificateRejectUnknownCACertificateRejectAbsentCertificateRejectOtherHookshookRecvHandshakehookRecvHandshake13hookRecvCertificates hookLoggingLoggingloggingPacketSentloggingPacketRecv loggingIOSent loggingIORecv Credentials CredentialcredentialLoadX509credentialLoadX509FromMemorycredentialLoadX509Chain!credentialLoadX509ChainFromMemory ServerHooksonClientCertificateonUnverifiedClientCertonCipherChoosingonServerNameIndicationonNewHandshakeonALPNClientSuggest ClientHooksonCertificateRequestonServerCertificate onSuggestALPNonCustomFFDHEGroupOnServerCertificateOnCertificateRequest GroupUsageGroupUsageValidGroupUsageInsecureGroupUsageUnsupportedGroupUsageInvalidPublicSharedsharedCredentialssharedSessionManager sharedCAStoresharedValidationCache SupportedsupportedVersionssupportedCipherssupportedCompressionssupportedHashSignaturessupportedSecureRenegotiation%supportedClientInitiatedRenegotiationsupportedSessionsupportedFallbackScsvsupportedEmptyPacketsupportedGroups ServerParamsserverWantClientCertserverCACertificatesserverDHEParams serverShared serverHooksserverSupported serverDebugserverEarlyDataSizeserverTicketLifetime ClientParamsclientUseMaxFragmentLengthclientServerIdentificationclientUseServerNameIndicationclientWantSessionResume clientShared clientHooksclientSupported clientDebugclientEarlyData DebugParams debugSeeddebugPrintSeeddebugVersionForceddebugKeyLoggerdefaultParamsClientContext ctxConnection Information infoVersion infoCipherinfoCompressioninfoMasterSecretinfoClientRandominfoServerRandominfoNegotiatedGroupinfoTLS13HandshakeModeinfoIsEarlyDataAccepted contextFlush contextClosecontextGetInformationcontextModifyHooksrequestCertificate handshake TLSParams contextNewcontextNewOnHandlecontextNewOnSocketcontextHookSetHandshakeRecvcontextHookSetHandshake13RecvcontextHookSetCertificateRecvcontextHookSetLoggingKeyUpdateRequestOneWayTwoWaybyegetNegotiatedProtocol getClientSNIsendDatarecvData recvData' updateKeyBytesKeyExchangeSignatureAlgKX_ECDSAKX_DSSKX_RSAavailableFFGroupsavailableECGroups mtl-2.2.2Control.Monad.Error.Class MonadError throwError catchErrortransformers-0.5.5.0Control.Monad.Trans.ErrorErrorstrMsgnoMsgErrTrunErrTbaseGHC.Base++GHC.Listfilterzipmap Control.MonadguardjoinMonad>>=>>returnfailFunctorfmap<$ghc-prim GHC.ClassesOrd>=minmax><compare<=Control.Monad.Fail MonadFail Applicativepure<*>*>liftA2<* Data.Foldablefoldrnulllengthfoldlfoldl'foldl1sumproductfoldr1maximumminimumelemData.TraversablemapMsequence Semigroup<>sconcatstimes GHC.MaybeMaybeNothingJust GHC.TypesOrderingLTEQGTWordGHC.WordWord8Word16Word32Word64bytestring-0.10.8.2Data.ByteString.Internal ByteStringData.Semigroupoption mtimesDefaultdiffcycle1MingetMinMaxgetMaxArgArgMinArgMaxFirstgetFirstLastgetLast WrappedMonoid WrapMonoid unwrapMonoidOption getOptionmfilter<$!>unless replicateM_ replicateMfoldM_foldM zipWithM_zipWithM mapAndUnzipMforever<=<>=>filterM Data.ListisSubsequenceOf mapAccumR mapAccumLforMControl.Applicativeoptional WrappedMonad WrapMonad unwrapMonad WrappedArrow WrapArrow unwrapArrowZipList getZipListData.Functor.ConstConstgetConstfindnotElem minimumBy maximumByallanyorand concatMapconcatmsum sequence_forM_mapM_Data.Semigroup.Internal stimesMonoidstimesIdempotentDualgetDualEndoappEndoAllgetAllAnygetAnySumgetSumProduct getProduct Data.OldListunwordswordsunlineslinesunfoldrsortOnsortBysort permutations subsequencestailsinitsgroupBygroupdeleteFirstsByunzip7unzip6unzip5unzip4zipWith7zipWith6zipWith5zipWith4zip7zip6zip5zip4genericReplicate genericIndexgenericSplitAt genericDrop genericTake genericLengthinsertByinsert partition transpose intercalate intersperse intersectBy intersectunionByunion\\deleteBydeletenubBynub isInfixOf isSuffixOf isPrefixOf findIndices findIndex elemIndices elemIndex stripPrefix dropWhileEndData.Ord comparingDown byteSwap64 byteSwap32 byteSwap16 Data.BitstoIntegralSizedpopCountDefaulttestBitDefault bitDefaultBits.&..|.xor complementshiftrotatezeroBitsbitsetBitclearBit complementBittestBit bitSizeMaybebitSizeisSignedshiftL unsafeShiftLshiftR unsafeShiftRrotateLrotateRpopCount FiniteBits finiteBitSizecountLeadingZeroscountTrailingZeros Data.Functorvoid<$>unzip3unzipzipWith3zipWithzip3!!lookupreversebreakspansplitAtdroptake dropWhile takeWhilecycle replicaterepeatiterate'iteratescanr1scanrscanl'scanl1scanlfoldl1'initlasttailunconshead Data.MaybemapMaybe catMaybes listToMaybe maybeToList fromMaybe isNothingisJustmaybeapliftM5liftM4liftM3liftM2liftMwhen=<<liftA3liftA<**> Alternativeempty<|>somemany MonadPlusmzeromplusstimesIdempotentMonoid showBytesHexnewMeasurementaddBytesReceived addBytesSentresetBytesCountersincrementNbHandshakes&cryptonite-0.26-IijLzbS4q70FSbXhABK4Xr Crypto.RandomseedFromInteger seedToIntegerseedNewSeedCrypto.Random.Types MonadRandomgetRandomBytesStateRNG withTLSRNG newStateRNGDHKey DHPrivatedhPublic dhPrivatedhParamsdhGenerateKeyPair dhGetShareddhValiddhUnwrap dhParamsGetP dhParamsGetGdhParamsGetBitsdhUnwrapPublic DirectionRoleCertReqContext MasterSecret SecretPairpairBase pairClient SecretTripletriBase triClient triServerServerTrafficSecretClientTrafficSecret BaseSecretResumptionSecretApplicationSecretHandshakeSecret EarlySecretTxRx ClientRole ServerRolelifetimeageAddtxrxTime estimatedRTT MillisecondSecond invertRoleNullCompression compressionIDcompressionDeflatecompressionInflatecompressionIntersectIDhasHelloExtensionshasExplicitBlockIVSaved&&!bytesEqsaveMVarGHC.MVarMVar restoreMVarsubtakelast partition3 partition6fromJust fmapEithercatchException forEitherM mapChunks_ getChunksdecodeASN1ObjectencodeASN1ObjectCrypto.Number.Serializei2ospOf_i2ospos2ip lengthBytesGroupKey GroupPublic GroupPrivatedhParamsForGroupgroupGenerateKeyPairdhGroupGenerateKeyPairgroupGetPubShareddhGroupGetPubSharedgroupGetSharedencodeGroupPublicdecodeGroupPublickxCanUseRSApkcs1kxCanUseRSApss hashUpdateSSLSignatureParams RSAParams DSSParams ECDSAParams Ed25519Params Ed448Params RSAEncodingRSApkcs1RSApssHashCtx HashContext PrivateKey PublicKeyisKeyExchangeSignatureKeyfindKeyExchangeSignatureAlgfindFiniteFieldGrouphashInit hashUpdate hashFinalhashhashNamehashDigestSize hashBlockSize kxEncrypt kxDecryptkxVerifykxSignlastSupportedCertificateTypeData.X509.DistinguishedNameDistinguishedName EnumSafe16fromEnumSafe16 toEnumSafe16 EnumSafe8 fromEnumSafe8 toEnumSafe8 TypeValuable valToType valOfTypeFinished ClientHello ServerHello Certificates HelloRequestServerHelloDone ClientKeyXchg ServerKeyXchg CertRequest CertVerifyClientKeyXchgAlgorithmDataCKX_RSACKX_DHCKX_ECDHServerKeyXchgAlgorithmData SKX_DH_Anon SKX_DHE_DSS SKX_DHE_RSA SKX_ECDHE_RSASKX_ECDHE_ECDSASKX_RSA SKX_DH_DSS SKX_DH_RSA SKX_Unparsed SKX_UnknownServerRSAParams rsa_modulus rsa_exponentServerECDHParamsServerDHParamsserverDHParams_pserverDHParams_gserverDHParams_yBigNum HandshakeTypeHandshakeType_HelloRequestHandshakeType_ClientHelloHandshakeType_ServerHelloHandshakeType_CertificateHandshakeType_ServerKeyXchgHandshakeType_CertRequestHandshakeType_ServerHelloDoneHandshakeType_CertVerifyHandshakeType_ClientKeyXchgHandshakeType_Finished AlertLevelAlertLevel_WarningAlertLevel_Fatal ExtensionRaw ExtensionID FinishedDataSessionPacketAlertChangeCipherSpecAppDataDigitallySigned Signature CipherDatacipherDataContent cipherDataMACcipherDataPadding CipherType CipherStream CipherBlock CipherAEAD ConnectionEndConnectionServerConnectionClientbigNumToIntegerbigNumFromIntegerserverDHParamsFromserverDHParamsToParamsserverDHParamsToPublic packetTypetypeOfHandshake numericalVerverOfNumHandshakeType13HandshakeType_ClientHello13HandshakeType_ServerHello13HandshakeType_EndOfEarlyData13 HandshakeType_NewSessionTicket13#HandshakeType_EncryptedExtensions13HandshakeType_CertRequest13HandshakeType_Certificate13HandshakeType_CertVerify13HandshakeType_Finished13HandshakeType_KeyUpdate13 Handshake13 ClientHello13 ServerHello13NewSessionTicket13EndOfEarlyData13EncryptedExtensions13 CertRequest13 Certificate13 CertVerify13 Finished13 KeyUpdate13 KeyUpdateUpdateNotRequestedUpdateRequestedPacket13Alert13ChangeCipherSpec13 AppData13typeOfHandshake13 contentTypeprf_TLSmacSSLhmacprf_SHA1prf_MD5 prf_MD5SHA1 prf_SHA256%cereal-0.5.8.1-KRPM4Pfa6l3HK7sjbDz33xData.Serialize.PutputWord8runPutPutData.Serialize.GetgetWord8getBytesisEmpty remainingGet GetResultGotError GotPartial GotSuccessGotSuccessRemainingGetContinuationrunGet runGetErr runGetMaybetryGet getWords8 getWord16 getWords16 getWord24 getWord32 getWord64 getOpaque8 getOpaque16 getOpaque24 getInteger16 getBigNum16getList processBytes putWords8 putWord16 putWord32 putWord64 putWords16 putWord24putBytes putOpaque8 putOpaque16 putOpaque24 putInteger16 putBigNum16 encodeWord16 encodeWord32 encodeWord64cParamsVersioncParamsKeyXchgType getDNames putDNames&decodeReallyServerKeyXchgAlgorithmDatagetPRF CurrentParamsgetBinaryVersionputBinaryVersion decodeHeaderdecodeDeprecatedHeaderLengthdecodeDeprecatedHeader encodeHeaderencodeHeaderNoVer decodeAlert decodeAlerts encodeAlertsdecodeHandshakeRecorddecodeHandshakedecodeDeprecatedHandshakeencodeHandshakeencodeHandshakesencodeHandshakeHeaderencodeHandshakeContentgetServerRandom32getClientRandom32putClientRandom32putServerRandom32 getSession putSession getExtensions putExtensiongetSignatureHashAlgorithmputSignatureHashAlgorithmdecodeChangeCipherSpecencodeChangeCipherSpecdecodePreMasterSecretencodePreMasterSecretgenerateMasterSecretgenerateKeyBlockgenerateClientFinishedgenerateServerFinishedgenerateCertificateVerify_SSL!generateCertificateVerify_SSL_DSSencodeSignedDHParamsencodeSignedECDHParamsRecordM runRecordM RecordStatestCipher stCompression stCryptState stMacState RecordOptions recordVersion recordTLS13MacState msSequence CryptStatecstKeycstIV cstMacSecretgetRecordOptionsgetRecordVersionnewRecordStateincrRecordState setRecordIVwithCompression computeDigest makeDigestgetBulkgetMacSequenceRecordfragmentCompressfragmentCipherfragmentUncipherfragmentUncompress recordToRaw rawToRecordrecordToHeader Ciphertext Compressed PlaintextFragmentfragmentGetBytesfragmentPlaintextfragmentCompressedfragmentCiphertextonRecordFragment engageRecorddisengageRecordencodeHandshakes13encodeHandshake13decodeHandshakes13getHandshakeType13decodeHandshakeRecord13decodeHandshake13 CertReqCBdatahstCertReqTokenhstCertReqCBdatahstCertReqSigAlgsCerthstClientCertSenthstCertReqSentfoldHandshakeDigestsetMasterSecretFromPresetMasterSecretsetServerHelloParameters RTT0StatusRTT0NoneRTT0Sent RTT0Accepted RTT0Rejected HandshakeMHandshakeStatehstClientVersionhstClientRandomhstServerRandomhstMasterSecret hstKeyStatehstServerDHParams hstDHPrivatehstServerECDHParamshstGroupPrivatehstHandshakeDigesthstHandshakeMessageshstClientCertChainhstPendingTxStatehstPendingRxStatehstPendingCipherhstPendingCompressionhstNegotiatedGrouphstTLS13HandshakeModehstTLS13RTT0StatushstTLS13EarlySecrethstTLS13ResumptionSecret hstCCS13SentHandshakeDigestHandshakeMessagesHandshakeDigestContextnewEmptyHandshake runHandshake setPublicKeysetPublicPrivateKeysgetRemotePublicKeygetLocalPublicPrivateKeyssetServerDHParamsgetServerDHParamssetServerECDHParamsgetServerECDHParams setDHPrivate getDHPrivategetGroupPrivatesetGroupPrivatesetNegotiatedGroupgetNegotiatedGroupsetTLS13HandshakeModegetTLS13HandshakeModesetTLS13RTT0StatusgetTLS13RTT0StatussetTLS13EarlySecretgetTLS13EarlySecretsetTLS13ResumptionSecretgetTLS13ResumptionSecret setCCS13Sent getCCS13SentsetCertReqSentgetCertReqSentsetClientCertSentgetClientCertSentsetClientCertChaingetClientCertChainsetCertReqTokengetCertReqTokensetCertReqCBdatagetCertReqCBdatasetCertReqSigAlgsCertgetCertReqSigAlgsCertgetPendingCipheraddHandshakeMessagegetHandshakeMessagesgetHandshakeMessagesRevupdateHandshakeDigestgetHandshakeDigest hkdfExtract deriveSecrethkdfExpandLabel#ApplicationLayerProtocolNegotiationSecureRenegotiationMaxFragmentLength ServerName ExtensionsupportedExtensionsCertificateAuthoritiesCookieEarlyDataIndicationPreSharedKeyClientHelloPreSharedKeyServerHello PskIdentityPskKeyExchangeModes PskKexModePSK_KE PSK_DHE_KEKeyShareKeyShareClientHelloKeyShareServerHello KeyShareHRR KeyShareEntrykeyShareEntryGroupkeySHareEntryKeyExchangeSupportedVersionsSupportedVersionsClientHelloSupportedVersionsServerHelloSignatureAlgorithmsCertPostHandshakeAuthSignatureAlgorithms HeartBeatModeHeartBeat_PeerAllowedToSendHeartBeat_PeerNotAllowedToSend HeartBeat SessionTicket EcPointFormatEcPointFormat_Uncompressed'EcPointFormat_AnsiX962_compressed_prime'EcPointFormat_AnsiX962_compressed_char2EcPointFormatsSupportedNegotiatedGroupsMaxFragmentLengthOtherServerNameTypeServerNameHostNameServerNameOtherextensionDecodeextensionEncode extensionID MessageTypeMsgTClientHelloMsgTServerHelloMsgTHelloRetryRequestMsgTEncryptedExtensionsMsgTNewSessionTicketMsgTCertificateRequestextensionID_ServerNameextensionID_MaxFragmentLengthextensionID_NegotiatedGroupsextensionID_EcPointFormatsextensionID_SignatureAlgorithmsextensionID_Heartbeat/extensionID_ApplicationLayerProtocolNegotiationextensionID_PreSharedKeyextensionID_EarlyDataextensionID_SupportedVersionsextensionID_CookieextensionID_PskKeyExchangeModes"extensionID_CertificateAuthoritiesextensionID_OidFiltersextensionID_PostHandshakeAuth#extensionID_SignatureAlgorithmsCertextensionID_KeyShareextensionID_SecureRenegotiationdefinedExtensionsTLSStTLSState stSessionstSessionResumingstSecureRenegotiationstClientVerifiedDatastServerVerifiedDatastExtensionALPNstHandshakeRecordContstNegotiatedProtocolstHandshakeRecordCont13stClientALPNSuggeststClientGroupSuggeststClientEcPointFormatSuggeststClientCertificateChain stClientSNI stRandomGen stVersionstClientContextstTLS13KeySharestTLS13PreSharedKey stTLS13HRR stTLS13CookiestExporterMasterSecretstClientSupportsPHA runTLSState newTLSStateupdateVerifiedDatafinishHandshakeTypeMaterialfinishHandshakeMaterialcertVerifyHandshakeTypeMaterialcertVerifyHandshakeMaterial setSessionisSessionResuming setVersionsetVersionIfUnset getVersiongetVersionWithDefaultsetSecureRenegotiationgetSecureRenegotiationsetExtensionALPNgetExtensionALPNsetNegotiatedProtocolsetClientALPNSuggestgetClientALPNSuggestsetClientEcPointFormatSuggestgetClientEcPointFormatSuggestsetClientCertificateChaingetClientCertificateChain setClientSNIgetVerifiedDataisClientContext genRandomwithRNGsetExporterMasterSecretgetExporterMasterSecretsetTLS13KeySharegetTLS13KeySharesetTLS13PreSharedKeygetTLS13PreSharedKey setTLS13HRR getTLS13HRRsetTLS13CookiegetTLS13CookiesetClientSupportsPHAgetClientSupportsPHA Data.X509getCertificateSignedCertificateData.X509.CertificateChainCertificateChainData.X509.Cert Certificate certVersion certSerialcertSignatureAlg certIssuerDN certValidity certSubjectDN certPubKeycertExtensions'x509-store-1.6.7-2KfjVmmP1gdLOkQn9lhp8cData.X509.CertificateStoreCertificateStorevalidateDefault FailedReasonData.X509.Validation.Types ServiceIDisNullCertificateChaingetCertificateChainLeafwrapCertificateChecks pubkeyType defaultHookscredentialMatchesHashSignatures credentialsListSigningAlgorithmscredentialsFindForSigningcredentialsFindForDecryptingcredentialPublicPrivateKeysTrueFalse CommonParams PendingActionPendingActionHashctxEOF_ctxEstablished_ctxNeedEmptyPacketctxSSLv2ClientHello ctxTxState ctxRxState ctxHandshakectxHooks ctxLockWrite ctxLockRead ctxLockStatectxCertRequests EstablishedNotEstablishedEarlyDataAllowedEarlyDataNotAllowed ctxSupported ctxSharedctxStatectxMeasurementctxDoHandshakectxDoHandshakeWithctxDoRequestCertificatectxDoPostHandshakeAuthWithctxPendingActions ctxKeyLogger updateMeasure withMeasure contextSend contextRecvctxEOFctxHasSSLv2ClientHelloctxDisableSSLv2ClientHellosetEOFctxEstablished ctxWithHookssetEstablishedwithLog throwCorefailOnEitherError usingState usingState_ usingHState getHState saveHState restoreHState runTxState runRxState getStateRNG withReadLock withWriteLock withRWLock withStateLock tls13orLateraddCertRequest13getCertRequest13 encodeRecord writePacketprocessPacket13 processPacket getTxState getRxState setTxState setRxState clearTxState clearRxStatesetHelloParameters13wrapAsMessageHash13transcriptHashsetPendingActionspopPendingAction serverRandom isDowngraded clientRandom hrrRandomisHelloRetryRequest writePacket13updateHandshake13 PacketFlightM recvRecord recvPacket sendPacket checkValid sendPacket13 recvPacket13isRecvCompleterunPacketFlight loadPacket13checkDigitalSignatureKeyisDigitalSignaturePair encryptRSA signPrivate decryptRSA verifyPublic generateDHE generateECDHEgenerateECDHEShared generateFFDHEgenerateFFDHESharedgetLocalPublicKeylogKeycertificateCompatiblehashSigToCertType decryptErrorsignatureCompatiblecheckCertificateVerifycreateCertificateVerifysignatureParamsdigitallySignDHParamsdigitallySignECDHParamsdigitallySignDHParamsVerifydigitallySignECDHParamsVerifycheckSupportedHashSignatureprocessHandshakeprocessHandshake13startHandshakehandshakeTerminateonRecvStateHandshake storePrivInfo RecvState RecvStateNextRecvStateHandshake RecvStateDonehandshakeFailedhandleException unexpected newSessionsendChangeCipherAndFinishrecvChangeCipherAndFinishrecvPacketHandshake runRecvStateensureRecvCompletegetSessionDataextensionLookupcheckSupportedGroupisSupportedGroupcertificateRejectedbadCertificaterejectOnExceptionverifyLeafKeyUsage extractCAnamehandshakeTerminate13 CipherChoicecVersioncCiphercHashcZeroRecvHandshake13M makeFinished checkFinishedmakeServerKeySharemakeClientKeySharefromServerKeySharemakeCertVerifycheckCertVerify makePSKBinderreplacePSKBindersendChangeCipherSpec13makeCertRequestcreateTLS13TicketInfoageToObfuscatedAge isAgeValidgetAgecheckFreshnessgetCurrentTimeFromBasegetSessionData13ensureNullCompressionsafeNonNegative32recvHandshake13recvHandshake13hashrunRecvHandshake13isHashSignatureValid13makeCipherChoicecalculateEarlySecretinitEarlySecretcalculateHandshakeSecretcalculateApplicationSecretcalculateResumptionSecret derivePSKhandshakeServerWithrecvClientDatahandshakeServerrequestCertificateServerpostHandshakeAuthServerWithstorePrivInfoClient clientChaingetLocalHashSigAlgsupportedCtypessendClientData onServerHellohandshakeClientWithhandshakeClientpostHandshakeAuthClientWithpostHandshakeAuthWith handshakeWith