-- Hoogle documentation, generated by Haddock
-- See Hoogle, http://www.haskell.org/hoogle/


-- | safe nettle binding
--   
--   safe binding for the nettle
--   (<a>http://www.lysator.liu.se/~nisse/nettle/nettle.html</a>) library.
--   Tested with 3.1.1, might work with 3.0, does NOT WORK with 2.x.
@package nettle
@version 0.2.0


-- | Generic interface to calculate key based hashes.
module Crypto.Nettle.KeyedHash

-- | <a>KeyedHashAlgorithm</a> is a class for keyed hash algorithms that
--   take a key and a message to produce a digest. The most popular example
--   is <a>HMAC</a>.
class KeyedHashAlgorithm k where implKeyedHashUpdateLazy k = foldl' implKeyedHashUpdate k . toChunks

-- | Digest size in bytes the keyed hash algorithm returns
implKeyedHashDigestSize :: KeyedHashAlgorithm k => Tagged k Int

-- | Name
implKeyedHashName :: KeyedHashAlgorithm k => Tagged k String

-- | Initialize state from a key
implKeyedHashInit :: KeyedHashAlgorithm k => ByteString -> k

-- | Add more message data to the state
implKeyedHashUpdate :: KeyedHashAlgorithm k => k -> ByteString -> k

-- | Add more lazy message data to the state
implKeyedHashUpdateLazy :: KeyedHashAlgorithm k => k -> ByteString -> k

-- | Produce final digest
implKeyedHashFinalize :: KeyedHashAlgorithm k => k -> ByteString

-- | <a>KeyedHash</a> hides the <a>KeyedHashAlgorithm</a> implementation.
data KeyedHash
KeyedHash :: !k -> KeyedHash

-- | Untagged variant of <a>implKeyedHashDigestSize</a>; takes a (possible
--   <a>undefined</a>) key typed value from a <a>KeyedHashAlgorithm</a>
--   instance as parameter.
keyedHashDigestSize :: KeyedHashAlgorithm k => k -> Int

-- | Get <a>implKeyedHashDigestSize</a> from a <a>KeyedHash</a>
keyedHashDigestSize' :: KeyedHash -> Int

-- | Untagged variant of <a>implKeyedHashName</a>; takes a (possible
--   <a>undefined</a>) key typed value from a <a>KeyedHashAlgorithm</a>
--   instance as parameter.
keyedHashName :: KeyedHashAlgorithm k => k -> String

-- | Get <a>implKeyedHashName</a> from a <a>KeyedHash</a>
keyedHashName' :: KeyedHash -> String

-- | Initialize a <a>KeyedHash</a> context from a <tt>key</tt>
keyedHashInit :: KeyedHashAlgorithm k => ByteString -> Tagged k KeyedHash

-- | Untagged variant of <a>keyedHashInit</a>; takes a (possible
--   <a>undefined</a>) key typed value from a <a>KeyedHashAlgorithm</a>
--   instance as parameter.
keyedHashInit' :: KeyedHashAlgorithm k => k -> ByteString -> KeyedHash

-- | Add more message data to the context
keyedHashUpdate :: KeyedHash -> ByteString -> KeyedHash

-- | Add more lazy message data to the context
keyedHashUpdateLazy :: KeyedHash -> ByteString -> KeyedHash

-- | Produce final digest
keyedHashFinalize :: KeyedHash -> ByteString

-- | Helper to hash <tt>key</tt> and <tt>message</tt> in one step
--   
--   Example:
--   
--   <pre>
--   untag (keyedHash (fromString "secretkey") (fromString "secret message") :: Tagged (HMAC SHA256) B.ByteString)
--   </pre>
keyedHash :: KeyedHashAlgorithm k => ByteString -> ByteString -> Tagged k ByteString

-- | Untagged variant of <a>keyedHash</a>; takes a (possible
--   <a>undefined</a>) key typed value from a <a>KeyedHashAlgorithm</a>
--   instance as parameter.
--   
--   Example:
--   
--   <pre>
--   keyedHash' (undefined :: HMAC SHA256) (fromString "secretkey") (fromString "secret message")
--   </pre>
keyedHash' :: KeyedHashAlgorithm k => k -> ByteString -> ByteString -> ByteString

-- | Helper to hash <tt>key</tt> and lazy <tt>message</tt> in one step
--   
--   Example:
--   
--   <pre>
--   untag (keyedHashLazy (fromString "secretkey") (fromString "secret message") :: Tagged (HMAC SHA256) B.ByteString)
--   </pre>
keyedHashLazy :: KeyedHashAlgorithm k => ByteString -> ByteString -> Tagged k ByteString

-- | Untagged variant of <a>keyedHashLazy</a>; takes a (possible
--   <a>undefined</a>) key typed value from a <a>KeyedHashAlgorithm</a>
--   instance as parameter.
--   
--   Example:
--   
--   <pre>
--   keyedHashLazy' (undefined :: HMAC SHA256) (fromString "secretkey") (fromString "secret message")
--   </pre>
keyedHashLazy' :: KeyedHashAlgorithm k => k -> ByteString -> ByteString -> ByteString


-- | Generic HMAC implementation based on the <a>HashAlgorithm</a> class,
--   implementing the <a>KeyedHashAlgorithm</a> class.
module Crypto.Nettle.HMAC

-- | <a>HMAC</a> is a generic <a>KeyedHashAlgorithm</a> instance to
--   calculate the <a>HMAC</a> based on a <a>HashAlgorithm</a>
data HMAC a

-- | <a>hmacInit</a> is the default implementation for <a>hashHMAC</a> and
--   initializes a <a>KeyedHash</a> to calculate the HMAC for a message
--   with the given <tt>key</tt>.
--   
--   Example:
--   
--   <pre>
--   let c = untag (hmacInit (fromString "secretkey") :: Tagged SHA256 KeyedHash) in keyedHashFinalize $ keyedHashUpdate c (fromString "secret message")
--   </pre>
hmacInit :: HashAlgorithm a => ByteString -> Tagged a KeyedHash

-- | Untagged variant of <a>hmacInit</a>; takes a (possible
--   <a>undefined</a>) typed <a>HashAlgorithm</a> context as parameter.
--   
--   Example:
--   
--   <pre>
--   keyedHashFinalize $ flip keyedHashUpdate (fromString "secret message") $ hmacInit' (undefined :: SHA256) (fromString "secretkey")
--   </pre>
hmacInit' :: HashAlgorithm a => a -> ByteString -> KeyedHash

-- | calculate HMAC with a <a>HashAlgorithm</a> for a <tt>key</tt> and
--   <tt>message</tt>
--   
--   Example:
--   
--   <pre>
--   untag (hmac (fromString "secretkey") (fromString "secret message") :: Tagged SHA256 B.ByteString)
--   </pre>
hmac :: HashAlgorithm a => ByteString -> ByteString -> Tagged a ByteString

-- | Untagged variant of <a>hmac</a>; takes a (possible <a>undefined</a>)
--   typed <a>HashAlgorithm</a> context as parameter.
--   
--   Example:
--   
--   <pre>
--   hmac' (undefined :: SHA256) (fromString "secretkey") (fromString "secret message")
--   </pre>
hmac' :: HashAlgorithm a => a -> ByteString -> ByteString -> ByteString

-- | calculate HMAC with a <a>HashAlgorithm</a> for a <tt>key</tt> and lazy
--   <tt>message</tt>
--   
--   Example:
--   
--   <pre>
--   untag (hmacLazy (fromString "secretkey") (fromString "secret message") :: Tagged SHA256 B.ByteString)
--   </pre>
hmacLazy :: HashAlgorithm a => ByteString -> ByteString -> Tagged a ByteString

-- | Untagged variant of <a>hmacLazy</a>; takes a (possible
--   <a>undefined</a>) typed <a>HashAlgorithm</a> context as parameter.
--   
--   Example:
--   
--   <pre>
--   hmacLazy' (undefined :: SHA256) (fromString "secretkey") (fromString "secret message")
--   </pre>
hmacLazy' :: HashAlgorithm a => a -> ByteString -> ByteString -> ByteString


-- | (This is not a binding to nettle; it is implemented in pure haskell)
--   
--   This module adds CCM support to all 128-bit block ciphers:
--   
--   <pre>
--   aeadInit AEAD_CCM = ccmInitTLS
--   </pre>
--   
--   CCM uses 2 parameters t and q: t is the tag length
--   (2,4,6,8,10,12,14,16) and q (2..8) is the length in bytes that the
--   length of the message is stored in (and the length of the counter
--   variable). Maximum message length is <tt>2^(8*q) - 1</tt>.
--   
--   CCM requires a nonce of length (15 - q). TLS uses CCM with <tt>t =
--   16</tt> and <tt>q = 3</tt>, and a nonce length of 12 (the first 4
--   bytes are fixed from the handshake, the other 8 usually represent the
--   sequence counter).
--   
--   CCM encrypts with a CTR mode, the start IV is based on the (t,q,nonce)
--   parameters; the tag is encrypted with counter value = 0, then the
--   message follows.
--   
--   Calculating the tag needs the message length first - so this
--   implementation needs to gather all data before calculating it.
--   
--   In RFC 3610 <tt>t</tt> is called <tt>M</tt>, and <tt>q</tt> is called
--   <tt>L</tt>.
module Crypto.Nettle.CCM

-- | Start a CCM encryption with specified tag length <tt>t</tt>, length
--   <tt>q</tt> of the message length field and a <tt>15-q</tt> bytes long
--   <tt>nonce</tt>. Fails if any parameter is invalid or the block cipher
--   doesn't use a 16-byte <a>blockSize</a>.
ccmInit :: (BlockCipher cipher, Byteable iv) => Int -> Int -> cipher -> iv -> Maybe (AEAD cipher)

-- | Start a CCM encryption with specified tag length <tt>t = 16</tt>,
--   length <tt>q = 3</tt> for the message length field and a <tt>8</tt>
--   bytes long <tt>nonce</tt>. Fails if any parameter is invalid or the
--   block cipher doesn't use a 16-byte <a>blockSize</a>. This are the
--   parameters used for TLS.
ccmInitTLS :: (BlockCipher cipher, Byteable iv) => cipher -> iv -> Maybe (AEAD cipher)
instance Crypto.Cipher.Types.Block.BlockCipher cipher => Crypto.Cipher.Types.Block.AEADModeImpl cipher (Crypto.Nettle.CCM.CCM cipher)


-- | This module exports hash algorithms supported by nettle:
--   <a>http://www.lysator.liu.se/~nisse/nettle/</a>
module Crypto.Nettle.Hash

-- | <a>HashAlgorithm</a> is a class that hash algorithms will implement.
--   generating a digest is a 3 step procedure:
--   
--   <ul>
--   <li><a>hashInit</a> to create a new context</li>
--   <li><a>hashUpdate</a> to hash data</li>
--   <li><a>hashFinalize</a> to extract the final digest</li>
--   </ul>
--   
--   The final digest has <a>hashDigestSize</a> bytes, and the algorithm
--   uses <a>hashBlockSize</a> as internal block size.
class HashAlgorithm a where hashUpdateLazy a = foldl' hashUpdate a . toChunks hashHMAC = hmacInit

-- | Block size in bytes the hash algorithm operates on
hashBlockSize :: HashAlgorithm a => Tagged a Int

-- | Digest size in bytes the hash algorithm returns
hashDigestSize :: HashAlgorithm a => Tagged a Int

-- | Name of the hash algorithm
hashName :: HashAlgorithm a => Tagged a String

-- | Initialize a new context for this hash algorithm
hashInit :: HashAlgorithm a => a

-- | Update the context with bytestring, and return a new context with the
--   updates.
hashUpdate :: HashAlgorithm a => a -> ByteString -> a

-- | Update the context with a lazy bytestring, and return a new context
--   with the updates.
hashUpdateLazy :: HashAlgorithm a => a -> ByteString -> a

-- | Finalize a context and return a digest.
hashFinalize :: HashAlgorithm a => a -> ByteString

-- | Use <a>HashAlgorithm</a> for HMAC; can use a optimized variant or the
--   default <a>hmacInit</a> one
hashHMAC :: HashAlgorithm a => ByteString -> Tagged a KeyedHash

-- | Helper to hash a single (strict) <a>ByteString</a> in one step.
--   
--   Example:
--   
--   <pre>
--   untag (hash (fromString "abc") :: Tagged SHA256 B.ByteString)
--   </pre>
hash :: HashAlgorithm a => ByteString -> Tagged a ByteString

-- | Untagged variant of <a>hash</a>; takes a (possible <a>undefined</a>)
--   typed <a>HashAlgorithm</a> context as parameter.
--   
--   Example:
--   
--   <pre>
--   hash' (undefined :: SHA256) $ fromString "abc"
--   </pre>
hash' :: HashAlgorithm a => a -> ByteString -> ByteString

-- | Helper to hash a single (lazy) <a>ByteString</a> in one step.
--   
--   Example:
--   
--   <pre>
--   untag (hashLazy (fromString "abc") :: Tagged SHA256 L.ByteString)
--   </pre>
hashLazy :: HashAlgorithm a => ByteString -> Tagged a ByteString

-- | Untagged variant of <a>hashLazy</a>; takes a (possible
--   <a>undefined</a>) typed <a>HashAlgorithm</a> context as parameter.
--   
--   Example:
--   
--   <pre>
--   hashLazy' (undefined :: SHA256) $ fromString "abc"
--   </pre>
hashLazy' :: HashAlgorithm a => a -> ByteString -> ByteString

-- | The GOST94 or GOST R 34.11-94 hash algorithm is a Soviet-era algorithm
--   used in Russian government standards (see RFC 4357). It outputs
--   message digests of 32 bytes (256 bits).
data GOSTHASH94

-- | <a>MD2</a> is a hash function of Ronald Rivest's, described in RFC
--   1319. It outputs message digests of 16 bytes (128 bits).
data MD2

-- | <a>MD4</a> is a hash function of Ronald Rivest's, described in RFC
--   1320. It outputs message digests of 16 bytes (128 bits).
data MD4

-- | <a>MD5</a> is a hash function of Ronald Rivest's, described in RFC
--   1321. It outputs message digests of 16 bytes (128 bits).
data MD5

-- | <a>RIPEMD160</a> is a hash function designed by Hans Dobbertin, Antoon
--   Bosselaers, and Bart Preneel, as a strengthened version of RIPEMD. It
--   produces message digests of 20 bytes (160 bits).
data RIPEMD160

-- | <a>SHA1</a> is a hash function specified by NIST (The U.S. National
--   Institute for Standards and Technology). It produces message digests
--   of 20 bytes (160 bits).
data SHA1

-- | <a>SHA224</a> is a member of the SHA2 family which outputs messages
--   digests of 28 bytes (224 bits).
data SHA224

-- | <a>SHA256</a> is a member of the SHA2 family which outputs messages
--   digests of 32 bytes (256 bits).
data SHA256

-- | <a>SHA384</a> is a member of the SHA2 family which outputs messages
--   digests of 48 bytes (384 bits).
data SHA384

-- | <a>SHA512</a> is a member of the SHA2 family which outputs messages
--   digests of 64 bytes (512 bits).
data SHA512

-- | <a>SHA3_224</a> is a member of the SHA3 family which outputs messages
--   digests of 28 bytes (224 bits).
data SHA3_224

-- | <a>SHA3_256</a> is a member of the SHA3 family which outputs messages
--   digests of 32 bytes (256 bits).
data SHA3_256

-- | <a>SHA3_384</a> is a member of the SHA3 family which outputs messages
--   digests of 48 bytes (384 bits).
data SHA3_384

-- | <a>SHA3_512</a> is a member of the SHA3 family which outputs messages
--   digests of 64 bytes (512 bits).
data SHA3_512
instance Crypto.Nettle.Hash.NettleHashAlgorithm Crypto.Nettle.Hash.GOSTHASH94
instance Crypto.Nettle.Hash.Types.HashAlgorithm Crypto.Nettle.Hash.GOSTHASH94
instance Crypto.Nettle.Hash.NettleHashAlgorithm Crypto.Nettle.Hash.MD2
instance Crypto.Nettle.Hash.Types.HashAlgorithm Crypto.Nettle.Hash.MD2
instance Crypto.Nettle.Hash.NettleHashAlgorithm Crypto.Nettle.Hash.MD4
instance Crypto.Nettle.Hash.Types.HashAlgorithm Crypto.Nettle.Hash.MD4
instance Crypto.Nettle.Hash.NettleHashAlgorithm Crypto.Nettle.Hash.MD5
instance Crypto.Nettle.Hash.Types.HashAlgorithm Crypto.Nettle.Hash.MD5
instance Crypto.Nettle.Hash.NettleHashAlgorithm Crypto.Nettle.Hash.RIPEMD160
instance Crypto.Nettle.Hash.Types.HashAlgorithm Crypto.Nettle.Hash.RIPEMD160
instance Crypto.Nettle.Hash.NettleHashAlgorithm Crypto.Nettle.Hash.SHA1
instance Crypto.Nettle.Hash.Types.HashAlgorithm Crypto.Nettle.Hash.SHA1
instance Crypto.Nettle.Hash.NettleHashAlgorithm Crypto.Nettle.Hash.SHA224
instance Crypto.Nettle.Hash.Types.HashAlgorithm Crypto.Nettle.Hash.SHA224
instance Crypto.Nettle.Hash.NettleHashAlgorithm Crypto.Nettle.Hash.SHA256
instance Crypto.Nettle.Hash.Types.HashAlgorithm Crypto.Nettle.Hash.SHA256
instance Crypto.Nettle.Hash.NettleHashAlgorithm Crypto.Nettle.Hash.SHA384
instance Crypto.Nettle.Hash.Types.HashAlgorithm Crypto.Nettle.Hash.SHA384
instance Crypto.Nettle.Hash.NettleHashAlgorithm Crypto.Nettle.Hash.SHA512
instance Crypto.Nettle.Hash.Types.HashAlgorithm Crypto.Nettle.Hash.SHA512
instance Crypto.Nettle.Hash.NettleHashAlgorithm Crypto.Nettle.Hash.SHA3_224
instance Crypto.Nettle.Hash.Types.HashAlgorithm Crypto.Nettle.Hash.SHA3_224
instance Crypto.Nettle.Hash.NettleHashAlgorithm Crypto.Nettle.Hash.SHA3_256
instance Crypto.Nettle.Hash.Types.HashAlgorithm Crypto.Nettle.Hash.SHA3_256
instance Crypto.Nettle.Hash.NettleHashAlgorithm Crypto.Nettle.Hash.SHA3_384
instance Crypto.Nettle.Hash.Types.HashAlgorithm Crypto.Nettle.Hash.SHA3_384
instance Crypto.Nettle.Hash.NettleHashAlgorithm Crypto.Nettle.Hash.SHA3_512
instance Crypto.Nettle.Hash.Types.HashAlgorithm Crypto.Nettle.Hash.SHA3_512


-- | This module exports the UMAC algorithms supported by nettle:
--   <a>http://www.lysator.liu.se/~nisse/nettle/</a>
module Crypto.Nettle.UMAC

-- | <a>UMAC</a> is a class of keyed hash algorithms that take an
--   additional nonce.
--   
--   Keys for <a>UMAC</a> are always 16 bytes; there are different digest
--   sizes: 4, 8, 12 and 16 bytes (32, 64, 96 and 128 bits), and the
--   variants are named after the digest length in bits.
--   
--   On initialization the nonce is set to 0; each finalize returns a new
--   state with an incremented nonce. The nonce is interpreted as 16-byte
--   (128-bit) big-endian integer (and for string shorter than 16 bytes
--   padded with zeroes <i>on the left</i>; setting empty nonces is not
--   allowed).
class UMAC u where umacName = (("UMAC" ++) . show . (8 *)) <$> umacDigestSize umacUpdateLazy u = foldl' umacUpdate u . toChunks

-- | digest size in bytes
umacDigestSize :: UMAC u => Tagged u Int

-- | umac name (<a>UMAC</a> ++ digest size in bits)
umacName :: UMAC u => Tagged u String

-- | initialize a new context from a <tt>key</tt> with a zero
--   <tt>nonce</tt>
umacInit :: UMAC u => ByteString -> u

-- | set a <tt>nonce</tt>; can be called anytime before producing the
--   digest
umacSetNonce :: UMAC u => u -> ByteString -> u

-- | append <tt>message</tt> data to be hashed
umacUpdate :: UMAC u => u -> ByteString -> u

-- | append lazy <tt>message</tt> data to be hashed
umacUpdateLazy :: UMAC u => u -> ByteString -> u

-- | produce a digest, and return a new state with incremented nonce
umacFinalize :: UMAC u => u -> (ByteString, u)

-- | <a>UMAC32</a> is the 32-bit (4 byte) digest variant. See
--   <a>umacInitKeyedHash</a> for the <a>KeyedHashAlgorithm</a> instance.
data UMAC32

-- | <a>UMAC64</a> is the 32-bit (4 byte) digest variant. See
--   <a>umacInitKeyedHash</a> for the <a>KeyedHashAlgorithm</a> instance.
data UMAC64

-- | <a>UMAC96</a> is the 32-bit (4 byte) digest variant. See
--   <a>umacInitKeyedHash</a> for the <a>KeyedHashAlgorithm</a> instance.
data UMAC96

-- | <a>UMAC128</a> is the 32-bit (4 byte) digest variant. See
--   <a>umacInitKeyedHash</a> for the <a>KeyedHashAlgorithm</a> instance.
data UMAC128

-- | The default <a>KeyedHash</a> generated for UMAC
--   <a>KeyedHashAlgorithm</a> instances use a zero nonce; to set a
--   different nonce you need to use this initialization function (or use
--   the <a>UMAC</a> interface).
--   
--   Once the UMAC lives as <a>KeyedHash</a> the nonce cannot be changed
--   anymore, as <a>KeyedHash</a> hides all internal state.
umacInitKeyedHash :: (UMAC u, KeyedHashAlgorithm u) => ByteString -> ByteString -> Tagged u KeyedHash
instance Crypto.Nettle.UMAC.NettleUMAC Crypto.Nettle.UMAC.UMAC32
instance Crypto.Nettle.UMAC.UMAC Crypto.Nettle.UMAC.UMAC32
instance Crypto.Nettle.Hash.Types.KeyedHashAlgorithm Crypto.Nettle.UMAC.UMAC32
instance Crypto.Nettle.UMAC.NettleUMAC Crypto.Nettle.UMAC.UMAC64
instance Crypto.Nettle.UMAC.UMAC Crypto.Nettle.UMAC.UMAC64
instance Crypto.Nettle.Hash.Types.KeyedHashAlgorithm Crypto.Nettle.UMAC.UMAC64
instance Crypto.Nettle.UMAC.NettleUMAC Crypto.Nettle.UMAC.UMAC96
instance Crypto.Nettle.UMAC.UMAC Crypto.Nettle.UMAC.UMAC96
instance Crypto.Nettle.Hash.Types.KeyedHashAlgorithm Crypto.Nettle.UMAC.UMAC96
instance Crypto.Nettle.UMAC.NettleUMAC Crypto.Nettle.UMAC.UMAC128
instance Crypto.Nettle.UMAC.UMAC Crypto.Nettle.UMAC.UMAC128
instance Crypto.Nettle.Hash.Types.KeyedHashAlgorithm Crypto.Nettle.UMAC.UMAC128


-- | This module exports ciphers supported by nettle:
--   <a>http://www.lysator.liu.se/~nisse/nettle/</a>
module Crypto.Nettle.Ciphers

-- | <a>AES</a> is the generic cipher context for the AES cipher,
--   supporting key sizes of 128, 196 and 256 bits (16, 24 and 32 bytes).
--   The <a>blockSize</a> is always 128 bits (16 bytes).
--   
--   <a>aeadInit</a> only supports the <a>AEAD_GCM</a> mode for now.
data AES

-- | <a>AES128</a> provides the same interface as <a>AES</a>, but is
--   restricted to 128-bit keys.
data AES128

-- | <a>AES192</a> provides the same interface as <a>AES</a>, but is
--   restricted to 192-bit keys.
data AES192

-- | <a>AES256</a> provides the same interface as <a>AES</a>, but is
--   restricted to 256-bit keys.
data AES256

-- | <a>ARCTWO</a> (also known as the trade marked name RC2) is a block
--   cipher specified in RFC 2268.
--   
--   The default <a>cipherInit</a> uses <tt>ekb = bit-length of the
--   key</tt>; <a>arctwoInitEKB</a> allows to specify ekb manually.
--   <a>arctwoInitGutmann</a> uses <tt>ekb = 1024</tt> (the maximum).
--   
--   <a>ARCTWO</a> uses keysizes from 1 to 128 bytes, and uses a
--   <a>blockSize</a> of 64 bits (8 bytes).
data ARCTWO

-- | Initialize cipher with an explicit <tt>ekb</tt> value (valid values
--   from 1 to 1024, 0 meaning the same as 1024).
arctwoInitEKB :: Key ARCTWO -> Word -> ARCTWO

-- | Initialize cipher with <tt>ekb = 1024</tt>.
arctwoInitGutmann :: Key ARCTWO -> ARCTWO

-- | <a>BLOWFISH</a> is a block cipher designed by Bruce Schneier. It uses
--   a <a>blockSize</a> of 64 bits (8 bytes), and a variable key size from
--   64 to 448 bits (8 to 56 bytes).
data BLOWFISH

-- | Camellia is a block cipher developed by Mitsubishi and Nippon
--   Telegraph and Telephone Corporation, described in RFC3713, and
--   recommended by some Japanese and European authorities as an
--   alternative to AES. The algorithm is patented (details see
--   <a>http://www.lysator.liu.se/~nisse/nettle/nettle.html</a>).
--   
--   Camellia uses a the same <a>blockSize</a> and key sizes as <a>AES</a>.
--   
--   <a>aeadInit</a> only supports the <a>AEAD_GCM</a> mode for now.
data Camellia

-- | <a>Camellia128</a> provides the same interface as <a>Camellia</a>, but
--   is restricted to 128-bit keys.
data Camellia128

-- | <a>Camellia192</a> provides the same interface as <a>Camellia</a>, but
--   is restricted to 192-bit keys.
data Camellia192

-- | <a>Camellia256</a> provides the same interface as <a>Camellia</a>, but
--   is restricted to 256-bit keys.
data Camellia256

-- | <a>CAST128</a> is a block cipher specified in RFC 2144. It uses a 64
--   bit (8 bytes) <a>blockSize</a>, and a variable key size of 40 up to
--   128 bits (5 to 16 bytes).
data CAST128

-- | <a>DES</a> is the old Data Encryption Standard, specified by NIST. It
--   uses a <a>blockSize</a> of 64 bits (8 bytes), and a key size of 56
--   bits.
--   
--   The key is given as 8 bytes, as one bit per byte is used as a parity
--   bit. The parity bit is ignored by this implementation.
data DES

-- | <a>DES_EDE3</a> uses 3 <a>DES</a> keys <tt>k1 || k2 || k3</tt>.
--   Encryption first encrypts with k1, then decrypts with k2, then
--   encrypts with k3.
--   
--   The <a>blockSize</a> is the same as for <a>DES</a>: 64 bits (8 bytes),
--   and the keys are simply concatenated, forming a 24 byte key string
--   (with 168 bits actually getting used).
data DES_EDE3

-- | <a>TWOFISH</a> is another AES finalist, designed by Bruce Schneier and
--   others.
--   
--   <a>TWOFISH</a> uses a the same <a>blockSize</a> and key sizes as
--   <a>AES</a>.
--   
--   <a>aeadInit</a> only supports the <a>AEAD_GCM</a> mode for now.
data TWOFISH

-- | <a>SERPENT</a> is one of the AES finalists, designed by Ross Anderson,
--   Eli Biham and Lars Knudsen.
--   
--   The <a>blockSize</a> is 128 bits (16 bytes), and the valid key sizes
--   are from 128 bits to 256 bits (16 to 32 bytes), although smaller bits
--   are just padded with zeroes.
--   
--   <a>aeadInit</a> only supports the <a>AEAD_GCM</a> mode for now.
data SERPENT

-- | <a>StreamNonceCipher</a> are special stream ciphers that can encrypt
--   many messages with the same key; setting a nonce restarts the cipher.
--   
--   A good value for the nonce is a message/packet counter. Usually a
--   nonce should not be reused with the same key.
class StreamCipher cipher => StreamNonceCipher cipher
streamNonceSize :: StreamNonceCipher cipher => cipher -> KeySizeSpecifier
streamSetNonce :: StreamNonceCipher cipher => cipher -> ByteString -> Maybe cipher

-- | Sets a <a>Word64</a> as 8-byte nonce (bigendian encoded)
streamSetNonceWord64 :: StreamNonceCipher cipher => cipher -> Word64 -> Maybe cipher

-- | <a>ARCFOUR</a> is a stream cipher, also known under the trade marked
--   name RC4.
--   
--   Valid key sizes are from 1 to 256 bytes.
data ARCFOUR

-- | <a>CHACHA</a> is a variant of the <a>SALSA20</a> stream cipher, both
--   designed by D. J. Bernstein.
--   
--   Key size is 256 bits (32 bytes).
--   
--   <a>CHACHA</a> works similar to <a>SALSA20</a>; it could theoretically
--   also support 128-bit keys, but there is no need for it as they share
--   the same performance.
--   
--   ChaCha uses a blocksize of 64 bytes internally; if crpyted input isn't
--   aligned to 64 bytes it will pad it with 0 and store the encrypted
--   padding to xor with future input data.
--   
--   Each message also requires a 8-byte (<a>Word64</a>) nonce (which is
--   initialized to 0; you can use a message sequence number). Don't reuse
--   a nonce with the same key.
--   
--   Setting a nonce also resets the remaining padding data.
data CHACHA

-- | <a>SALSA20</a> is a fairly recent stream cipher designed by D. J.
--   Bernstein.
--   
--   Valid key sizes are 128 and 256 bits (16 and 32 bytes).
--   
--   Salsa20 uses a blocksize of 64 bytes internally; if crpyted input
--   isn't aligned to 64 bytes it will pad it with 0 and store the
--   encrypted padding to xor with future input data.
--   
--   Each message also requires a 8-byte (<a>Word64</a>) nonce (which is
--   initialized to 0; you can use a message sequence number). Don't reuse
--   a nonce with the same key.
--   
--   Setting a nonce also resets the remaining padding data.
data SALSA20

-- | <a>ESTREAM_SALSA20</a> is the same as <a>SALSA20</a>, but uses only 12
--   instead of 20 rounds in mixing.
data ESTREAM_SALSA20
instance Crypto.Nettle.Ciphers.Internal.NettleCipher Crypto.Nettle.Ciphers.AES
instance Crypto.Nettle.Ciphers.Internal.NettleBlockCipher Crypto.Nettle.Ciphers.AES
instance Crypto.Cipher.Types.Base.Cipher Crypto.Nettle.Ciphers.AES
instance Crypto.Cipher.Types.Block.BlockCipher Crypto.Nettle.Ciphers.AES
instance Crypto.Cipher.Types.Block.AEADModeImpl Crypto.Nettle.Ciphers.AES Crypto.Nettle.Ciphers.Internal.NettleGCM
instance Crypto.Nettle.Ciphers.Internal.NettleCipher Crypto.Nettle.Ciphers.AES128
instance Crypto.Nettle.Ciphers.Internal.NettleBlockCipher Crypto.Nettle.Ciphers.AES128
instance Crypto.Cipher.Types.Base.Cipher Crypto.Nettle.Ciphers.AES128
instance Crypto.Cipher.Types.Block.BlockCipher Crypto.Nettle.Ciphers.AES128
instance Crypto.Cipher.Types.Block.AEADModeImpl Crypto.Nettle.Ciphers.AES128 Crypto.Nettle.Ciphers.Internal.NettleGCM
instance Crypto.Nettle.Ciphers.Internal.NettleCipher Crypto.Nettle.Ciphers.AES192
instance Crypto.Nettle.Ciphers.Internal.NettleBlockCipher Crypto.Nettle.Ciphers.AES192
instance Crypto.Cipher.Types.Base.Cipher Crypto.Nettle.Ciphers.AES192
instance Crypto.Cipher.Types.Block.BlockCipher Crypto.Nettle.Ciphers.AES192
instance Crypto.Cipher.Types.Block.AEADModeImpl Crypto.Nettle.Ciphers.AES192 Crypto.Nettle.Ciphers.Internal.NettleGCM
instance Crypto.Nettle.Ciphers.Internal.NettleCipher Crypto.Nettle.Ciphers.AES256
instance Crypto.Nettle.Ciphers.Internal.NettleBlockCipher Crypto.Nettle.Ciphers.AES256
instance Crypto.Cipher.Types.Base.Cipher Crypto.Nettle.Ciphers.AES256
instance Crypto.Cipher.Types.Block.BlockCipher Crypto.Nettle.Ciphers.AES256
instance Crypto.Cipher.Types.Block.AEADModeImpl Crypto.Nettle.Ciphers.AES256 Crypto.Nettle.Ciphers.Internal.NettleGCM
instance Crypto.Nettle.Ciphers.Internal.NettleCipher Crypto.Nettle.Ciphers.ARCTWO
instance Crypto.Nettle.Ciphers.Internal.NettleBlockCipher Crypto.Nettle.Ciphers.ARCTWO
instance Crypto.Cipher.Types.Base.Cipher Crypto.Nettle.Ciphers.ARCTWO
instance Crypto.Cipher.Types.Block.BlockCipher Crypto.Nettle.Ciphers.ARCTWO
instance Crypto.Cipher.Types.Block.AEADModeImpl Crypto.Nettle.Ciphers.ARCTWO Crypto.Nettle.Ciphers.Internal.NettleGCM
instance Crypto.Nettle.Ciphers.Internal.NettleCipher Crypto.Nettle.Ciphers.BLOWFISH
instance Crypto.Nettle.Ciphers.Internal.NettleBlockCipher Crypto.Nettle.Ciphers.BLOWFISH
instance Crypto.Cipher.Types.Base.Cipher Crypto.Nettle.Ciphers.BLOWFISH
instance Crypto.Cipher.Types.Block.BlockCipher Crypto.Nettle.Ciphers.BLOWFISH
instance Crypto.Cipher.Types.Block.AEADModeImpl Crypto.Nettle.Ciphers.BLOWFISH Crypto.Nettle.Ciphers.Internal.NettleGCM
instance Crypto.Nettle.Ciphers.Internal.NettleCipher Crypto.Nettle.Ciphers.Camellia
instance Crypto.Nettle.Ciphers.Internal.NettleBlockCipher Crypto.Nettle.Ciphers.Camellia
instance Crypto.Cipher.Types.Base.Cipher Crypto.Nettle.Ciphers.Camellia
instance Crypto.Cipher.Types.Block.BlockCipher Crypto.Nettle.Ciphers.Camellia
instance Crypto.Cipher.Types.Block.AEADModeImpl Crypto.Nettle.Ciphers.Camellia Crypto.Nettle.Ciphers.Internal.NettleGCM
instance Crypto.Nettle.Ciphers.Internal.NettleCipher Crypto.Nettle.Ciphers.Camellia128
instance Crypto.Nettle.Ciphers.Internal.NettleBlockCipher Crypto.Nettle.Ciphers.Camellia128
instance Crypto.Cipher.Types.Base.Cipher Crypto.Nettle.Ciphers.Camellia128
instance Crypto.Cipher.Types.Block.BlockCipher Crypto.Nettle.Ciphers.Camellia128
instance Crypto.Cipher.Types.Block.AEADModeImpl Crypto.Nettle.Ciphers.Camellia128 Crypto.Nettle.Ciphers.Internal.NettleGCM
instance Crypto.Nettle.Ciphers.Internal.NettleCipher Crypto.Nettle.Ciphers.Camellia192
instance Crypto.Nettle.Ciphers.Internal.NettleBlockCipher Crypto.Nettle.Ciphers.Camellia192
instance Crypto.Cipher.Types.Base.Cipher Crypto.Nettle.Ciphers.Camellia192
instance Crypto.Cipher.Types.Block.BlockCipher Crypto.Nettle.Ciphers.Camellia192
instance Crypto.Cipher.Types.Block.AEADModeImpl Crypto.Nettle.Ciphers.Camellia192 Crypto.Nettle.Ciphers.Internal.NettleGCM
instance Crypto.Nettle.Ciphers.Internal.NettleCipher Crypto.Nettle.Ciphers.Camellia256
instance Crypto.Nettle.Ciphers.Internal.NettleBlockCipher Crypto.Nettle.Ciphers.Camellia256
instance Crypto.Cipher.Types.Base.Cipher Crypto.Nettle.Ciphers.Camellia256
instance Crypto.Cipher.Types.Block.BlockCipher Crypto.Nettle.Ciphers.Camellia256
instance Crypto.Cipher.Types.Block.AEADModeImpl Crypto.Nettle.Ciphers.Camellia256 Crypto.Nettle.Ciphers.Internal.NettleGCM
instance Crypto.Nettle.Ciphers.Internal.NettleCipher Crypto.Nettle.Ciphers.CAST128
instance Crypto.Nettle.Ciphers.Internal.NettleBlockCipher Crypto.Nettle.Ciphers.CAST128
instance Crypto.Cipher.Types.Base.Cipher Crypto.Nettle.Ciphers.CAST128
instance Crypto.Cipher.Types.Block.BlockCipher Crypto.Nettle.Ciphers.CAST128
instance Crypto.Cipher.Types.Block.AEADModeImpl Crypto.Nettle.Ciphers.CAST128 Crypto.Nettle.Ciphers.Internal.NettleGCM
instance Crypto.Nettle.Ciphers.Internal.NettleCipher Crypto.Nettle.Ciphers.DES
instance Crypto.Nettle.Ciphers.Internal.NettleBlockCipher Crypto.Nettle.Ciphers.DES
instance Crypto.Cipher.Types.Base.Cipher Crypto.Nettle.Ciphers.DES
instance Crypto.Cipher.Types.Block.BlockCipher Crypto.Nettle.Ciphers.DES
instance Crypto.Cipher.Types.Block.AEADModeImpl Crypto.Nettle.Ciphers.DES Crypto.Nettle.Ciphers.Internal.NettleGCM
instance Crypto.Nettle.Ciphers.Internal.NettleCipher Crypto.Nettle.Ciphers.DES_EDE3
instance Crypto.Nettle.Ciphers.Internal.NettleBlockCipher Crypto.Nettle.Ciphers.DES_EDE3
instance Crypto.Cipher.Types.Base.Cipher Crypto.Nettle.Ciphers.DES_EDE3
instance Crypto.Cipher.Types.Block.BlockCipher Crypto.Nettle.Ciphers.DES_EDE3
instance Crypto.Cipher.Types.Block.AEADModeImpl Crypto.Nettle.Ciphers.DES_EDE3 Crypto.Nettle.Ciphers.Internal.NettleGCM
instance Crypto.Nettle.Ciphers.Internal.NettleCipher Crypto.Nettle.Ciphers.SERPENT
instance Crypto.Nettle.Ciphers.Internal.NettleBlockCipher Crypto.Nettle.Ciphers.SERPENT
instance Crypto.Cipher.Types.Base.Cipher Crypto.Nettle.Ciphers.SERPENT
instance Crypto.Cipher.Types.Block.BlockCipher Crypto.Nettle.Ciphers.SERPENT
instance Crypto.Cipher.Types.Block.AEADModeImpl Crypto.Nettle.Ciphers.SERPENT Crypto.Nettle.Ciphers.Internal.NettleGCM
instance Crypto.Nettle.Ciphers.Internal.NettleCipher Crypto.Nettle.Ciphers.TWOFISH
instance Crypto.Nettle.Ciphers.Internal.NettleBlockCipher Crypto.Nettle.Ciphers.TWOFISH
instance Crypto.Cipher.Types.Base.Cipher Crypto.Nettle.Ciphers.TWOFISH
instance Crypto.Cipher.Types.Block.BlockCipher Crypto.Nettle.Ciphers.TWOFISH
instance Crypto.Cipher.Types.Block.AEADModeImpl Crypto.Nettle.Ciphers.TWOFISH Crypto.Nettle.Ciphers.Internal.NettleGCM
instance Crypto.Nettle.Ciphers.Internal.NettleCipher Crypto.Nettle.Ciphers.ARCFOUR
instance Crypto.Nettle.Ciphers.Internal.NettleStreamCipher Crypto.Nettle.Ciphers.ARCFOUR
instance Crypto.Cipher.Types.Base.Cipher Crypto.Nettle.Ciphers.ARCFOUR
instance Crypto.Cipher.Types.Stream.StreamCipher Crypto.Nettle.Ciphers.ARCFOUR
instance Crypto.Nettle.Ciphers.Internal.NettleCipher Crypto.Nettle.Ciphers.CHACHA
instance Crypto.Nettle.Ciphers.Internal.NettleBlockedStreamCipher Crypto.Nettle.Ciphers.CHACHA
instance Crypto.Cipher.Types.Base.Cipher Crypto.Nettle.Ciphers.CHACHA
instance Crypto.Cipher.Types.Stream.StreamCipher Crypto.Nettle.Ciphers.CHACHA
instance Crypto.Nettle.Ciphers.StreamNonceCipher Crypto.Nettle.Ciphers.CHACHA
instance Crypto.Nettle.Ciphers.Internal.NettleCipher Crypto.Nettle.Ciphers.SALSA20
instance Crypto.Nettle.Ciphers.Internal.NettleBlockedStreamCipher Crypto.Nettle.Ciphers.SALSA20
instance Crypto.Cipher.Types.Base.Cipher Crypto.Nettle.Ciphers.SALSA20
instance Crypto.Cipher.Types.Stream.StreamCipher Crypto.Nettle.Ciphers.SALSA20
instance Crypto.Nettle.Ciphers.StreamNonceCipher Crypto.Nettle.Ciphers.SALSA20
instance Crypto.Nettle.Ciphers.Internal.NettleCipher Crypto.Nettle.Ciphers.ESTREAM_SALSA20
instance Crypto.Nettle.Ciphers.Internal.NettleBlockedStreamCipher Crypto.Nettle.Ciphers.ESTREAM_SALSA20
instance Crypto.Cipher.Types.Base.Cipher Crypto.Nettle.Ciphers.ESTREAM_SALSA20
instance Crypto.Cipher.Types.Stream.StreamCipher Crypto.Nettle.Ciphers.ESTREAM_SALSA20
instance Crypto.Nettle.Ciphers.StreamNonceCipher Crypto.Nettle.Ciphers.ESTREAM_SALSA20


-- | This module exports the ChaCha-Poly1305 AEAD cipher supported by
--   nettle: <a>http://www.lysator.liu.se/~nisse/nettle/</a>
--   
--   Both ChaCha (the underlying cipher) and Poly1305 (the keyed hash) were
--   designed by D. J. Bernstein.
module Crypto.Nettle.ChaChaPoly1305

-- | Encrypt plain text and create a verification tag for the encrypted
--   text and some additional data. <tt>key</tt> and <tt>nonce</tt> must
--   not be reused together. The returned tag is 16 bytes long, but may be
--   shortened for verification (loosing security).
chaChaPoly1305Encrypt :: ByteString -> ByteString -> ByteString -> ByteString -> (ByteString, ByteString)

-- | Decrypt cipher text and verify a (possible shortened) tag for the
--   encrypted text and some additional data. <tt>key</tt> and
--   <tt>nonce</tt> must not be reused together.
chaChaPoly1305Decrypt :: ByteString -> ByteString -> ByteString -> ByteString -> ByteString -> Maybe ByteString
