-- Hoogle documentation, generated by Haddock
-- See Hoogle, http://www.haskell.org/hoogle/


-- | A generic interface for cryptographic operations (hashes, ciphers,
--   randomness). Maintainers of hash and cipher implementations are
--   encouraged to add instances for the classes defined in Crypto.Classes.
--   Crypto users are similarly encouraged to use the interfaces defined in
--   the Classes module. Any concepts or functions of general use to more
--   than one cryptographic algorithm (ex: padding) is within scope of this
--   package.
@package crypto-api
@version 0.13.3


-- | Type aliases used throughout the crypto-api modules.
module Crypto.Types

-- | Initilization Vectors for BlockCipher implementations (IV k) are used
--   for various modes and guarrenteed to be blockSize bits long. The
--   common ways to obtain an IV are to generate one (<tt>getIV</tt> or
--   <tt>getIVIO</tt>) or to use one provided with the ciphertext (using
--   the <tt>Serialize</tt> instance of IV).
--   
--   <tt>zeroIV</tt> also exists and is of particular use for starting
--   <tt>ctr</tt> mode with a fresh key.
data IV k
IV :: {-# UNPACK #-} !ByteString -> IV k
[initializationVector] :: IV k -> {-# UNPACK #-} !ByteString

-- | The length of a field (usually a ByteString) in bits
type BitLength = Int

-- | The length fo a field in bytes.
type ByteLength = Int
data BlockCipherError
InputTooLong :: String -> BlockCipherError
AuthenticationFailed :: String -> BlockCipherError
Other :: String -> BlockCipherError
instance GHC.Internal.Data.Data.Data Crypto.Types.BlockCipherError
instance GHC.Classes.Eq Crypto.Types.BlockCipherError
instance GHC.Classes.Eq (Crypto.Types.IV k)
instance GHC.Internal.Exception.Type.Exception Crypto.Types.BlockCipherError
instance GHC.Classes.Ord Crypto.Types.BlockCipherError
instance GHC.Classes.Ord (Crypto.Types.IV k)
instance GHC.Internal.Read.Read Crypto.Types.BlockCipherError
instance GHC.Internal.Show.Show Crypto.Types.BlockCipherError
instance GHC.Internal.Show.Show (Crypto.Types.IV k)


-- | A small selection of utilities that might be of use to others working
--   with bytestring/number combinations.
module Crypto.Util

-- | <tt>incBS bs</tt> inefficiently computes the value <tt>i2bs (8 *
--   B.length bs) (bs2i bs + 1)</tt>
incBS :: ByteString -> ByteString

-- | <tt>i2bs bitLen i</tt> converts <tt>i</tt> to a <tt>ByteString</tt> of
--   <tt>bitLen</tt> bits (must be a multiple of 8).
i2bs :: Int -> Integer -> ByteString

-- | <tt>i2bs_unsized i</tt> converts <tt>i</tt> to a <tt>ByteString</tt>
--   of sufficient bytes to express the integer. The integer must be
--   non-negative and a zero will be encoded in one byte.
i2bs_unsized :: Integer -> ByteString

-- | Useful utility to extract the result of a generator operation and
--   translate error results to exceptions.
throwLeft :: Exception e => Either e a -> a

-- | Obtain a tagged value for a particular instantiated type.
for :: Tagged a b -> a -> b

-- | Infix <a>for</a> operator
(.::.) :: Tagged a b -> a -> b

-- | Checks two bytestrings for equality without breaches for timing
--   attacks.
--   
--   Semantically, <tt>constTimeEq = (==)</tt>. However, <tt>x == y</tt>
--   takes less time when the first byte is different than when the first
--   byte is equal. This side channel allows an attacker to mount a timing
--   attack. On the other hand, <tt>constTimeEq</tt> always takes the same
--   time regardless of the bytestrings' contents, unless they are of
--   difference size.
--   
--   You should always use <tt>constTimeEq</tt> when comparing secrets,
--   otherwise you may leave a significant security hole (cf.
--   <a>http://codahale.com/a-lesson-in-timing-attacks/</a>).
constTimeEq :: ByteString -> ByteString -> Bool
c_constTimeEq :: Ptr CChar -> Ptr CChar -> CInt -> IO CInt

-- | Helper function to convert bytestrings to integers
bs2i :: ByteString -> Integer

-- | zipWith xor + Pack As a result of rewrite rules, this should
--   automatically be optimized (at compile time). to use the bytestring
--   libraries <tt>zipWith'</tt> function.
zwp' :: ByteString -> ByteString -> ByteString

-- | zipWith xor + Pack
--   
--   This is written intentionally to take advantage of the bytestring
--   libraries <tt>zipWith'</tt> rewrite rule but at the extra cost of the
--   resulting lazy bytestring being more fragmented than either of the two
--   inputs.
zwp :: ByteString -> ByteString -> ByteString
collect :: Int -> [ByteString] -> [ByteString]


-- | This module is for instantiating cryptographicly strong determinitic
--   random bit generators (DRBGs, aka PRNGs) For the simple use case of
--   using the system random number generator (<a>Entropy</a>) to seed the
--   DRBG:
--   
--   <pre>
--   g &lt;- newGenIO
--   </pre>
--   
--   Users needing to provide their own entropy can call <a>newGen</a>
--   directly
--   
--   <pre>
--   entropy &lt;- getEntropy nrBytes
--   let generator = newGen entropy
--   </pre>
module Crypto.Random

-- | A class of random bit generators that allows for the possibility of
--   failure, reseeding, providing entropy at the same time as requesting
--   bytes
--   
--   Minimum complete definition: <a>newGen</a>, <a>genSeedLength</a>,
--   <a>genBytes</a>, <a>reseed</a>, <a>reseedInfo</a>,
--   <a>reseedPeriod</a>.
class CryptoRandomGen g

-- | Instantiate a new random bit generator. The provided bytestring should
--   be of length &gt;= genSeedLength. If the bytestring is shorter then
--   the call may fail (suggested error: <a>NotEnoughEntropy</a>). If the
--   bytestring is of sufficent length the call should always succeed.
newGen :: CryptoRandomGen g => ByteString -> Either GenError g

-- | Length of input entropy necessary to instantiate or reseed a generator
genSeedLength :: CryptoRandomGen g => Tagged g ByteLength

-- | <tt>genBytes len g</tt> generates a random ByteString of length
--   <tt>len</tt> and new generator. The <a>MonadCryptoRandom</a> package
--   has routines useful for converting the ByteString to commonly needed
--   values (but "cereal" or other deserialization libraries would also
--   work).
--   
--   This routine can fail if the generator has gone too long without a
--   reseed (usually this is in the ball-park of 2^48 requests). Suggested
--   error in this cases is <a>NeedReseed</a>
genBytes :: CryptoRandomGen g => ByteLength -> g -> Either GenError (ByteString, g)

-- | Indicates how soon a reseed is needed
reseedInfo :: CryptoRandomGen g => g -> ReseedInfo

-- | Indicates the period between reseeds (constant for most generators).
reseedPeriod :: CryptoRandomGen g => g -> ReseedInfo

-- | <tt>genBytesWithEntropy g i entropy</tt> generates <tt>i</tt> random
--   bytes and use the additional input <tt>entropy</tt> in the generation
--   of the requested data to increase the confidence our generated data is
--   a secure random stream.
--   
--   Some generators use <tt>entropy</tt> to perturb the state of the
--   generator, meaning:
--   
--   <pre>
--   (_,g2') &lt;- genBytesWithEntropy len g1 ent
--   (_,g2 ) &lt;- genBytes len g1
--   g2 /= g2'
--   </pre>
--   
--   But this is not required.
--   
--   Default:
--   
--   <pre>
--   genBytesWithEntropy g bytes entropy = xor entropy (genBytes g bytes)
--   </pre>
genBytesWithEntropy :: CryptoRandomGen g => ByteLength -> ByteString -> g -> Either GenError (ByteString, g)

-- | If the generator has produced too many random bytes on its existing
--   seed it will return <a>NeedReseed</a>. In that case, reseed the
--   generator using this function and a new high-entropy seed of length
--   &gt;= <a>genSeedLength</a>. Using bytestrings that are too short can
--   result in an error (<a>NotEnoughEntropy</a>).
reseed :: CryptoRandomGen g => ByteString -> g -> Either GenError g

-- | By default this uses <a>System.Entropy</a> to obtain entropy for
--   <a>newGen</a>. WARNING: The default implementation opens a file handle
--   which will never be closed!
newGenIO :: CryptoRandomGen g => IO g

-- | Generator failures should always return the appropriate GenError. Note
--   <a>GenError</a> in an instance of exception but wether or not an
--   exception is thrown depends on if the selected generator (read: if you
--   don't want execptions from code that uses <a>throw</a> then pass in a
--   generator that never has an error for the used functions)
data GenError

-- | Misc
GenErrorOther :: String -> GenError

-- | Requested more bytes than a single pass can generate (The maximum
--   request is generator dependent)
RequestedTooManyBytes :: GenError

-- | When using <tt>genInteger g (l,h)</tt> and <tt>logBase 2 (h - l) &gt;
--   (maxBound :: Int)</tt>.
RangeInvalid :: GenError

-- | Some generators cease operation after too high a count without a
--   reseed (ex: NIST SP 800-90)
NeedReseed :: GenError

-- | For instantiating new generators (or reseeding)
NotEnoughEntropy :: GenError

-- | This generator can not be instantiated or reseeded with a finite seed
--   (ex: <a>SystemRandom</a>)
NeedsInfiniteSeed :: GenError
data ReseedInfo

-- | Generator needs reseeded in X bytes
InXBytes :: {-# UNPACK #-} !Word64 -> ReseedInfo

-- | Generator needs reseeded in X calls
InXCalls :: {-# UNPACK #-} !Word64 -> ReseedInfo

-- | The bound is over 2^64 bytes or calls
NotSoon :: ReseedInfo

-- | This generator never reseeds (ex: <a>SystemRandom</a>)
Never :: ReseedInfo

-- | While the safety and wisdom of a splitting function depends on the
--   properties of the generator being split, several arguments from
--   informed people indicate such a function is safe for NIST SP 800-90
--   generators. (see libraries@haskell.org discussion around Sept, Oct
--   2010). You can find implementations of such generators in the
--   <tt>DRBG</tt> package.
splitGen :: CryptoRandomGen g => g -> Either GenError (g, g)

-- | Useful utility to extract the result of a generator operation and
--   translate error results to exceptions.
throwLeft :: Exception e => Either e a -> a

-- | Not that it is technically correct as an instance of
--   <a>CryptoRandomGen</a>, but simply because it's a reasonable
--   engineering choice here is a CryptoRandomGen which streams the system
--   randoms. Take note:
--   
--   <ul>
--   <li>It uses the default definition of <tt>genByteWithEntropy</tt></li>
--   <li><a>newGen</a> will always fail!</li>
--   <li><a>reseed</a> will always fail!</li>
--   <li>the handle to the system random is never closed</li>
--   </ul>
data SystemRandom
instance Crypto.Random.CryptoRandomGen Crypto.Random.SystemRandom
instance GHC.Internal.Data.Data.Data Crypto.Random.GenError
instance GHC.Internal.Data.Data.Data Crypto.Random.ReseedInfo
instance GHC.Classes.Eq Crypto.Random.GenError
instance GHC.Classes.Eq Crypto.Random.ReseedInfo
instance GHC.Internal.Exception.Type.Exception Crypto.Random.GenError
instance GHC.Classes.Ord Crypto.Random.GenError
instance GHC.Classes.Ord Crypto.Random.ReseedInfo
instance GHC.Internal.Read.Read Crypto.Random.GenError
instance GHC.Internal.Read.Read Crypto.Random.ReseedInfo
instance GHC.Internal.Show.Show Crypto.Random.GenError
instance GHC.Internal.Show.Show Crypto.Random.ReseedInfo


-- | This is the heart of the crypto-api package. By making (or having) an
--   instance of Hash, AsymCipher, BlockCipher or StreamCipher you provide
--   (or obtain) access to any infrastructure built on these primitives
--   include block cipher modes of operation, hashing, hmac, signing, etc.
--   These classes allow users to build routines that are agnostic to the
--   algorithm used so changing algorithms is as simple as changing a type
--   signature.
module Crypto.Classes

-- | The Hash class is intended as the generic interface targeted by
--   maintainers of Haskell digest implementations. Using this generic
--   interface, higher level functions such as <a>hash</a> and <a>hash'</a>
--   provide a useful API for comsumers of hash implementations.
--   
--   Any instantiated implementation must handle unaligned data.
--   
--   Minimum complete definition: <a>outputLength</a>, <a>blockLength</a>,
--   <a>initialCtx</a>, <a>updateCtx</a>, and <a>finalize</a>.
class (Serialize d, Eq d, Ord d) => Hash ctx d | d -> ctx, ctx -> d
outputLength :: Hash ctx d => Tagged d BitLength
blockLength :: Hash ctx d => Tagged d BitLength
initialCtx :: Hash ctx d => ctx
updateCtx :: Hash ctx d => ctx -> ByteString -> ctx
finalize :: Hash ctx d => ctx -> ByteString -> d

-- | Hash a lazy ByteString, creating a digest
hash :: Hash ctx d => ByteString -> d

-- | Hash a strict ByteString, creating a digest
hash' :: Hash ctx d => ByteString -> d

-- | Obtain a strict hash function whose result is the same type as the
--   given digest, which is discarded. If the type is already inferred then
--   consider using the <a>hash'</a> function instead.
hashFunc' :: Hash c d => d -> ByteString -> d

-- | Obtain a lazy hash function whose result is the same type as the given
--   digest, which is discarded. If the type is already inferred then
--   consider using the <a>hash</a> function instead.
hashFunc :: Hash c d => d -> ByteString -> d

-- | The BlockCipher class is intended as the generic interface targeted by
--   maintainers of Haskell cipher implementations.
--   
--   Minimum complete definition: blockSize, encryptBlock, decryptBlock,
--   buildKey, and keyLength.
--   
--   Instances must handle unaligned data
class Serialize k => BlockCipher k
blockSize :: BlockCipher k => Tagged k BitLength
encryptBlock :: BlockCipher k => k -> ByteString -> ByteString
decryptBlock :: BlockCipher k => k -> ByteString -> ByteString
buildKey :: BlockCipher k => ByteString -> Maybe k
keyLength :: BlockCipher k => Tagged k BitLength

-- | Electronic Cookbook (encryption)
ecb :: BlockCipher k => k -> ByteString -> ByteString

-- | Electronic Cookbook (decryption)
unEcb :: BlockCipher k => k -> ByteString -> ByteString

-- | Cipherblock Chaining (encryption)
cbc :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Cipherblock Chaining (decryption)
unCbc :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Counter (encryption)
ctr :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Counter (decryption)
unCtr :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Counter (encryption)
ctrLazy :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Counter (decryption)
unCtrLazy :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Ciphertext feedback (encryption)
cfb :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Ciphertext feedback (decryption)
unCfb :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Output feedback (encryption)
ofb :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Output feedback (decryption)
unOfb :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Cipher block chaining encryption for lazy bytestrings
cbcLazy :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Cipher block chaining decryption for lazy bytestrings
unCbcLazy :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | SIV (Synthetic IV) mode for lazy bytestrings. The third argument is
--   the optional list of bytestrings to be authenticated but not encrypted
--   As required by the specification this algorithm may return nothing
--   when certain constraints aren't met.
sivLazy :: BlockCipher k => k -> k -> [ByteString] -> ByteString -> Maybe ByteString

-- | SIV (Synthetic IV) for lazy bytestrings. The third argument is the
--   optional list of bytestrings to be authenticated but not encrypted. As
--   required by the specification this algorithm may return nothing when
--   authentication fails.
unSivLazy :: BlockCipher k => k -> k -> [ByteString] -> ByteString -> Maybe ByteString

-- | SIV (Synthetic IV) mode for strict bytestrings. First argument is the
--   optional list of bytestrings to be authenticated but not encrypted. As
--   required by the specification this algorithm may return nothing when
--   certain constraints aren't met.
siv :: BlockCipher k => k -> k -> [ByteString] -> ByteString -> Maybe ByteString

-- | SIV (Synthetic IV) for strict bytestrings First argument is the
--   optional list of bytestrings to be authenticated but not encrypted As
--   required by the specification this algorithm may return nothing when
--   authentication fails.
unSiv :: BlockCipher k => k -> k -> [ByteString] -> ByteString -> Maybe ByteString

-- | Cook book mode - not really a mode at all. If you don't know what
--   you're doing, don't use this mode^H^H^H^H library.
ecbLazy :: BlockCipher k => k -> ByteString -> ByteString

-- | ECB decrypt, complementary to <a>ecb</a>.
unEcbLazy :: BlockCipher k => k -> ByteString -> ByteString

-- | Ciphertext feed-back encryption mode for lazy bytestrings (with s ==
--   blockSize)
cfbLazy :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Ciphertext feed-back decryption mode for lazy bytestrings (with s ==
--   blockSize)
unCfbLazy :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Output feedback mode for lazy bytestrings
ofbLazy :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Output feedback mode for lazy bytestrings
unOfbLazy :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | The number of bytes in a block cipher block
blockSizeBytes :: BlockCipher k => Tagged k ByteLength

-- | The number of bytes in a block cipher key (assuming it is an even
--   multiple of 8 bits)
keyLengthBytes :: BlockCipher k => Tagged k ByteLength

-- | Build a symmetric key using the system entropy (see <a>Entropy</a>)
buildKeyIO :: BlockCipher k => IO k

-- | Build a symmetric key using a given <a>CryptoRandomGen</a>
buildKeyGen :: (BlockCipher k, CryptoRandomGen g) => g -> Either GenError (k, g)

-- | A stream cipher class. Instance are expected to work on messages as
--   small as one byte The length of the resulting cipher text should be
--   equal to the length of the input message.
class Serialize k => StreamCipher k iv | k -> iv
buildStreamKey :: StreamCipher k iv => ByteString -> Maybe k
encryptStream :: StreamCipher k iv => k -> iv -> ByteString -> (ByteString, iv)
decryptStream :: StreamCipher k iv => k -> iv -> ByteString -> (ByteString, iv)
streamKeyLength :: StreamCipher k iv => Tagged k BitLength

-- | Build a stream key using the system random generator
buildStreamKeyIO :: StreamCipher k iv => IO k

-- | Build a stream key using the provided random generator
buildStreamKeyGen :: (StreamCipher k iv, CryptoRandomGen g) => g -> Either GenError (k, g)

-- | Asymetric ciphers (common ones being RSA or EC based)
class AsymCipher p v | p -> v, v -> p
buildKeyPair :: (AsymCipher p v, CryptoRandomGen g) => g -> BitLength -> Either GenError ((p, v), g)
encryptAsym :: (AsymCipher p v, CryptoRandomGen g) => g -> p -> ByteString -> Either GenError (ByteString, g)
decryptAsym :: (AsymCipher p v, CryptoRandomGen g) => g -> v -> ByteString -> Either GenError (ByteString, g)
publicKeyLength :: AsymCipher p v => p -> BitLength
privateKeyLength :: AsymCipher p v => v -> BitLength

-- | Build a pair of asymmetric keys using the system random generator.
--   WARNING: This function opens a file handle which will never be closed!
buildKeyPairIO :: AsymCipher p v => BitLength -> IO (Either GenError (p, v))

-- | Flipped <a>buildKeyPair</a> for ease of use with state monads.
buildKeyPairGen :: (CryptoRandomGen g, AsymCipher p v) => BitLength -> g -> Either GenError ((p, v), g)

-- | A class for signing operations which inherently can not be as generic
--   as asymetric ciphers (ex: DSA).
class (Serialize p, Serialize v) => Signing p v | p -> v, v -> p
sign :: (Signing p v, CryptoRandomGen g) => g -> v -> ByteString -> Either GenError (ByteString, g)
verify :: Signing p v => p -> ByteString -> ByteString -> Bool
buildSigningPair :: (Signing p v, CryptoRandomGen g) => g -> BitLength -> Either GenError ((p, v), g)
signingKeyLength :: Signing p v => v -> BitLength
verifyingKeyLength :: Signing p v => p -> BitLength

-- | Build a signing key using the system random generator WARNING: This
--   function opens a file handle which will never be closed!
buildSigningKeyPairIO :: Signing p v => BitLength -> IO (Either GenError (p, v))

-- | Flipped <a>buildSigningPair</a> for ease of use with state monads.
buildSigningKeyPairGen :: (Signing p v, CryptoRandomGen g) => BitLength -> g -> Either GenError ((p, v), g)
encode :: Serialize a => a -> ByteString

-- | Obtain an <a>IV</a> made only of zeroes
zeroIV :: BlockCipher k => IV k

-- | Increase an <a>IV</a> by one. This is way faster than decoding,
--   increasing, encoding
incIV :: BlockCipher k => IV k -> IV k

-- | Obtain an <a>IV</a> using the provided CryptoRandomGenerator.
getIV :: (BlockCipher k, CryptoRandomGen g) => g -> Either GenError (IV k, g)

-- | Obtain an <a>IV</a> using the system entropy (see <a>Entropy</a>)
getIVIO :: BlockCipher k => IO (IV k)
chunkFor :: BlockCipher k => k -> ByteString -> [ByteString]
chunkFor' :: BlockCipher k => k -> ByteString -> [ByteString]
instance Crypto.Classes.BlockCipher k => Data.Serialize.Serialize (Crypto.Types.IV k)


-- | PKCS5 (RFC 1423) and IPSec ESP (RFC 4303) padding methods are
--   implemented both as trivial functions operating on bytestrings and as
--   <a>Put</a> routines usable from the <a>Data.Serialize</a> module.
--   These methods do not work for algorithms or pad sizes in excess of 255
--   bytes (2040 bits, so extremely large as far as cipher needs are
--   concerned).
module Crypto.Padding

-- | PKCS5 (aka RFC1423) padding method. This method will not work properly
--   for pad modulos &gt; 256
padPKCS5 :: ByteLength -> ByteString -> ByteString

-- | PKCS5 (aka RFC1423) padding method using the BlockCipher instance to
--   determine the pad size.
padBlockSize :: BlockCipher k => k -> ByteString -> ByteString

-- | Ex:
--   
--   <pre>
--   putPaddedPKCS5 m bs
--   </pre>
--   
--   Will pad out <tt>bs</tt> to a byte multiple of <tt>m</tt> and put both
--   the bytestring and it's padding via <a>Put</a> (this saves on copying
--   if you are already using Cereal).
putPaddedPKCS5 :: ByteLength -> ByteString -> Put

-- | unpad a strict bytestring padded in the typical PKCS5 manner. This
--   routine verifies all pad bytes and pad length match correctly.
unpadPKCS5safe :: ByteString -> Maybe ByteString

-- | unpad a strict bytestring without checking the pad bytes and length
--   any more than necessary.
unpadPKCS5 :: ByteString -> ByteString

-- | Pad a bytestring to the IPSEC esp specification
--   
--   <pre>
--   padESP m payload
--   </pre>
--   
--   is equivilent to:
--   
--   <pre>
--             (msg)       (padding)       (length field)
--   B.concat [payload, B.pack [1,2,3,4..], B.pack [padLen]]
--   </pre>
--   
--   Where:
--   
--   <ul>
--   <li>the msg is any payload, including TFC.</li>
--   <li>the padding is &lt;= 255</li>
--   <li>the length field is one byte.</li>
--   </ul>
--   
--   Notice the result bytesting length remainder <tt>r</tt> equals zero.
--   The lack of a "next header" field means this function is not directly
--   useable for an IPSec implementation (copy/paste the 4 line function
--   and add in a "next header" field if you are making IPSec ESP).
padESP :: Int -> ByteString -> ByteString

-- | unpad and return the padded message (<a>Nothing</a> is returned if the
--   padding is invalid)
unpadESP :: ByteString -> Maybe ByteString

-- | Like padESP but use the BlockCipher instance to determine padding size
padESPBlockSize :: BlockCipher k => k -> ByteString -> ByteString

-- | Like putPadESP but using the BlockCipher instance to determine padding
--   size
putPadESPBlockSize :: BlockCipher k => k -> ByteString -> Put

-- | Pad a bytestring to the IPSEC ESP specification using <a>Put</a>. This
--   can reduce copying if you are already using <a>Put</a>.
putPadESP :: Int -> ByteString -> Put


module Crypto.Modes

-- | Perform doubling as defined by the CMAC and SIV papers
dblIV :: BlockCipher k => IV k -> IV k

-- | Cipher block chaining message authentication
cbcMac' :: BlockCipher k => k -> ByteString -> ByteString

-- | Cipher block chaining message authentication
cbcMac :: BlockCipher k => k -> ByteString -> ByteString

-- | Obtain the cmac for lazy bytestrings
cMac :: BlockCipher k => k -> ByteString -> ByteString

-- | Obtain the cmac for strict bytestrings
cMac' :: BlockCipher k => k -> ByteString -> ByteString
cMacStar :: BlockCipher k => k -> [ByteString] -> ByteString

-- | Obtain the CMAC* on strict bytestrings
cMacStar' :: BlockCipher k => k -> [ByteString] -> ByteString


module Crypto.HMAC

-- | Message authentication code calculation for lazy bytestrings. <tt>hmac
--   k msg</tt> will compute an authentication code for <tt>msg</tt> using
--   key <tt>k</tt>
hmac :: Hash c d => MacKey c d -> ByteString -> d

-- | <tt>hmac k msg</tt> will compute an authentication code for
--   <tt>msg</tt> using key <tt>k</tt>
hmac' :: Hash c d => MacKey c d -> ByteString -> d

-- | A key carrying phantom types <tt>c</tt> and <tt>d</tt>, forcing the
--   key data to only be used by particular hash algorithms.
newtype MacKey c d
MacKey :: ByteString -> MacKey c d
instance GHC.Classes.Eq (Crypto.HMAC.MacKey c d)
instance GHC.Classes.Ord (Crypto.HMAC.MacKey c d)
instance GHC.Internal.Show.Show (Crypto.HMAC.MacKey c d)


-- | The module mirrors <a>Crypto.Classes</a> except that errors are thrown
--   as exceptions instead of having returning types of <tt>Either error
--   result</tt> or <tt>Maybe result</tt>.
--   
--   NB This module is experimental and might go away or be re-arranged.
module Crypto.Classes.Exceptions

-- | The Hash class is intended as the generic interface targeted by
--   maintainers of Haskell digest implementations. Using this generic
--   interface, higher level functions such as <a>hash</a> and <a>hash'</a>
--   provide a useful API for comsumers of hash implementations.
--   
--   Any instantiated implementation must handle unaligned data.
--   
--   Minimum complete definition: <a>outputLength</a>, <a>blockLength</a>,
--   <a>initialCtx</a>, <a>updateCtx</a>, and <a>finalize</a>.
class (Serialize d, Eq d, Ord d) => Hash ctx d | d -> ctx, ctx -> d
outputLength :: Hash ctx d => Tagged d BitLength
blockLength :: Hash ctx d => Tagged d BitLength
initialCtx :: Hash ctx d => ctx
updateCtx :: Hash ctx d => ctx -> ByteString -> ctx
finalize :: Hash ctx d => ctx -> ByteString -> d

-- | Hash a lazy ByteString, creating a digest
hash :: Hash ctx d => ByteString -> d

-- | Hash a strict ByteString, creating a digest
hash' :: Hash ctx d => ByteString -> d

-- | Asymetric ciphers (common ones being RSA or EC based)
class AsymCipher p v | p -> v, v -> p

-- | A class of random bit generators that allows for the possibility of
--   failure, reseeding, providing entropy at the same time as requesting
--   bytes
--   
--   Minimum complete definition: <a>newGen</a>, <a>genSeedLength</a>,
--   <a>genBytes</a>, <a>reseed</a>, <a>reseedInfo</a>,
--   <a>reseedPeriod</a>.
class CryptoRandomGen g

-- | The BlockCipher class is intended as the generic interface targeted by
--   maintainers of Haskell cipher implementations.
--   
--   Minimum complete definition: blockSize, encryptBlock, decryptBlock,
--   buildKey, and keyLength.
--   
--   Instances must handle unaligned data
class Serialize k => BlockCipher k

-- | Obtain a strict hash function whose result is the same type as the
--   given digest, which is discarded. If the type is already inferred then
--   consider using the <a>hash'</a> function instead.
hashFunc' :: Hash c d => d -> ByteString -> d

-- | Obtain a lazy hash function whose result is the same type as the given
--   digest, which is discarded. If the type is already inferred then
--   consider using the <a>hash</a> function instead.
hashFunc :: Hash c d => d -> ByteString -> d
blockSize :: BlockCipher k => Tagged k BitLength

-- | The number of bytes in a block cipher block
blockSizeBytes :: BlockCipher k => Tagged k ByteLength
keyLength :: BlockCipher k => Tagged k BitLength

-- | The number of bytes in a block cipher key (assuming it is an even
--   multiple of 8 bits)
keyLengthBytes :: BlockCipher k => Tagged k ByteLength

-- | Increase an <a>IV</a> by one. This is way faster than decoding,
--   increasing, encoding
incIV :: BlockCipher k => IV k -> IV k
encryptBlock :: BlockCipher k => k -> ByteString -> ByteString
decryptBlock :: BlockCipher k => k -> ByteString -> ByteString

-- | Key construction from raw material (typically including key expansion)
--   
--   This is a wrapper that can throw a <a>CipherError</a> on exception.
buildKey :: BlockCipher k => ByteString -> k

-- | Build a symmetric key using the system entropy (see <a>Entropy</a>)
buildKeyIO :: BlockCipher k => IO k

-- | Symmetric key generation
--   
--   This is a wrapper that can throw a <a>GenError</a> on exception.
buildKeyGen :: (CryptoRandomGen g, BlockCipher k) => g -> (k, g)

-- | Random <a>IV</a> generation
--   
--   This is a wrapper that can throw a <a>GenError</a> on exception.
getIV :: (BlockCipher k, CryptoRandomGen g) => g -> (IV k, g)

-- | Obtain an <a>IV</a> using the system entropy (see <a>Entropy</a>)
getIVIO :: BlockCipher k => IO (IV k)

-- | Obtain an <a>IV</a> made only of zeroes
zeroIV :: BlockCipher k => IV k

-- | Electronic Cookbook (encryption)
ecb :: BlockCipher k => k -> ByteString -> ByteString

-- | Electronic Cookbook (decryption)
unEcb :: BlockCipher k => k -> ByteString -> ByteString

-- | Cipherblock Chaining (encryption)
cbc :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Cipherblock Chaining (decryption)
unCbc :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Counter (encryption)
ctr :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Counter (decryption)
unCtr :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Counter (encryption)
ctrLazy :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Counter (decryption)
unCtrLazy :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Ciphertext feedback (encryption)
cfb :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Ciphertext feedback (decryption)
unCfb :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Output feedback (encryption)
ofb :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Output feedback (decryption)
unOfb :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Cipher block chaining encryption for lazy bytestrings
cbcLazy :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Cipher block chaining decryption for lazy bytestrings
unCbcLazy :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | SIV (Synthetic IV) mode for lazy bytestrings. The third argument is
--   the optional list of bytestrings to be authenticated but not encrypted
--   As required by the specification this algorithm may return nothing
--   when certain constraints aren't met.
sivLazy :: BlockCipher k => k -> k -> [ByteString] -> ByteString -> Maybe ByteString

-- | SIV (Synthetic IV) for lazy bytestrings. The third argument is the
--   optional list of bytestrings to be authenticated but not encrypted. As
--   required by the specification this algorithm may return nothing when
--   authentication fails.
unSivLazy :: BlockCipher k => k -> k -> [ByteString] -> ByteString -> Maybe ByteString

-- | SIV (Synthetic IV) mode for strict bytestrings. First argument is the
--   optional list of bytestrings to be authenticated but not encrypted. As
--   required by the specification this algorithm may return nothing when
--   certain constraints aren't met.
siv :: BlockCipher k => k -> k -> [ByteString] -> ByteString -> Maybe ByteString

-- | SIV (Synthetic IV) for strict bytestrings First argument is the
--   optional list of bytestrings to be authenticated but not encrypted As
--   required by the specification this algorithm may return nothing when
--   authentication fails.
unSiv :: BlockCipher k => k -> k -> [ByteString] -> ByteString -> Maybe ByteString

-- | Cook book mode - not really a mode at all. If you don't know what
--   you're doing, don't use this mode^H^H^H^H library.
ecbLazy :: BlockCipher k => k -> ByteString -> ByteString

-- | ECB decrypt, complementary to <a>ecb</a>.
unEcbLazy :: BlockCipher k => k -> ByteString -> ByteString

-- | Ciphertext feed-back encryption mode for lazy bytestrings (with s ==
--   blockSize)
cfbLazy :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Ciphertext feed-back decryption mode for lazy bytestrings (with s ==
--   blockSize)
unCfbLazy :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Output feedback mode for lazy bytestrings
ofbLazy :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Output feedback mode for lazy bytestrings
unOfbLazy :: BlockCipher k => k -> IV k -> ByteString -> (ByteString, IV k)

-- | Instantiate a new random bit generator. The provided bytestring should
--   be of length &gt;= genSeedLength. If the bytestring is shorter then
--   the call may fail (suggested error: <tt>NotEnoughEntropy</tt>). If the
--   bytestring is of sufficent length the call should always succeed.
--   
--   This is a wrapper that can throw <a>GenError</a> types as exceptions.
newGen :: CryptoRandomGen g => ByteString -> g

-- | <tt>genBytes len g</tt> generates a random ByteString of length
--   <tt>len</tt> and new generator. The <tt>MonadCryptoRandom</tt> package
--   has routines useful for converting the ByteString to commonly needed
--   values (but <tt>cereal</tt> or other deserialization libraries would
--   also work).
--   
--   This is a wrapper that can throw <a>GenError</a> types as exceptions.
genBytes :: CryptoRandomGen g => ByteLength -> g -> (ByteString, g)

-- | <tt>genBytesWithEntropy g i entropy</tt> generates <tt>i</tt> random
--   bytes and use the additional input <tt>entropy</tt> in the generation
--   of the requested data to increase the confidence our generated data is
--   a secure random stream.
--   
--   This is a wrapper that can throw <a>GenError</a> types as exceptions.
genBytesWithEntropy :: CryptoRandomGen g => ByteLength -> ByteString -> g -> (ByteString, g)

-- | If the generator has produced too many random bytes on its existing
--   seed it will throw a <tt>NeedReseed</tt> exception. In that case,
--   reseed the generator using this function and a new high-entropy seed
--   of length &gt;= <tt>genSeedLength</tt>. Using bytestrings that are too
--   short can result in an exception (<tt>NotEnoughEntropy</tt>).
reseed :: CryptoRandomGen g => ByteString -> g -> g

-- | While the safety and wisdom of a splitting function depends on the
--   properties of the generator being split, several arguments from
--   informed people indicate such a function is safe for NIST SP 800-90
--   generators. (see libraries@haskell.org discussion around Sept, Oct
--   2010). You can find implementations of such generators in the
--   <tt>DRBG</tt> package.
--   
--   This is a wrapper for <a>splitGen</a> which throws errors as
--   exceptions.
splitGen :: CryptoRandomGen g => g -> (g, g)

-- | Length of input entropy necessary to instantiate or reseed a generator
genSeedLength :: CryptoRandomGen g => Tagged g ByteLength

-- | Indicates how soon a reseed is needed
reseedInfo :: CryptoRandomGen g => g -> ReseedInfo

-- | Indicates the period between reseeds (constant for most generators).
reseedPeriod :: CryptoRandomGen g => g -> ReseedInfo

-- | By default this uses <a>System.Entropy</a> to obtain entropy for
--   <a>newGen</a>. WARNING: The default implementation opens a file handle
--   which will never be closed!
newGenIO :: CryptoRandomGen g => IO g

-- | Generator failures should always return the appropriate GenError. Note
--   <a>GenError</a> in an instance of exception but wether or not an
--   exception is thrown depends on if the selected generator (read: if you
--   don't want execptions from code that uses <a>throw</a> then pass in a
--   generator that never has an error for the used functions)
data GenError

-- | Misc
GenErrorOther :: String -> GenError

-- | Requested more bytes than a single pass can generate (The maximum
--   request is generator dependent)
RequestedTooManyBytes :: GenError

-- | When using <tt>genInteger g (l,h)</tt> and <tt>logBase 2 (h - l) &gt;
--   (maxBound :: Int)</tt>.
RangeInvalid :: GenError

-- | Some generators cease operation after too high a count without a
--   reseed (ex: NIST SP 800-90)
NeedReseed :: GenError

-- | For instantiating new generators (or reseeding)
NotEnoughEntropy :: GenError

-- | This generator can not be instantiated or reseeded with a finite seed
--   (ex: <a>SystemRandom</a>)
NeedsInfiniteSeed :: GenError
data ReseedInfo

-- | Generator needs reseeded in X bytes
InXBytes :: {-# UNPACK #-} !Word64 -> ReseedInfo

-- | Generator needs reseeded in X calls
InXCalls :: {-# UNPACK #-} !Word64 -> ReseedInfo

-- | The bound is over 2^64 bytes or calls
NotSoon :: ReseedInfo

-- | This generator never reseeds (ex: <a>SystemRandom</a>)
Never :: ReseedInfo
data CipherError
GenError :: GenError -> CipherError
KeyGenFailure :: CipherError

-- | Asymetric key generation
--   
--   This is a wrapper that can throw a <a>GenError</a> on exception.
buildKeyPair :: (CryptoRandomGen g, AsymCipher p v) => g -> BitLength -> ((p, v), g)

-- | Asymmetric encryption
--   
--   This is a wrapper that can throw a <a>GenError</a> on exception.
encryptAsym :: (CryptoRandomGen g, AsymCipher p v) => g -> p -> ByteString -> (ByteString, g)

-- | Asymmetric decryption
--   
--   This is a wrapper that can throw a GenError on exception.
decryptAsym :: (CryptoRandomGen g, AsymCipher p v) => g -> v -> ByteString -> (ByteString, g)

-- | A class for signing operations which inherently can not be as generic
--   as asymetric ciphers (ex: DSA).
class (Serialize p, Serialize v) => Signing p v | p -> v, v -> p
signingKeyLength :: Signing p v => v -> BitLength
verifyingKeyLength :: Signing p v => p -> BitLength
verify :: Signing p v => p -> ByteString -> ByteString -> Bool
publicKeyLength :: AsymCipher p v => p -> BitLength
privateKeyLength :: AsymCipher p v => v -> BitLength

-- | Build a pair of asymmetric keys using the system random generator.
--   WARNING: This function opens a file handle which will never be closed!
buildKeyPairIO :: AsymCipher p v => BitLength -> IO (Either GenError (p, v))
instance GHC.Internal.Data.Data.Data Crypto.Classes.Exceptions.CipherError
instance GHC.Classes.Eq Crypto.Classes.Exceptions.CipherError
instance GHC.Internal.Exception.Type.Exception Crypto.Classes.Exceptions.CipherError
instance GHC.Classes.Ord Crypto.Classes.Exceptions.CipherError
instance GHC.Internal.Read.Read Crypto.Classes.Exceptions.CipherError
instance GHC.Internal.Show.Show Crypto.Classes.Exceptions.CipherError
