*.c: Introduce a new input conversion for binary strings.

[catacomb-python] / pubkey.c

/* -*-c-*-
 *
 * Public-key cryptography
 *
 * (c) 2004 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of the Python interface to Catacomb.
 *
 * Catacomb/Python is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * Catacomb/Python is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with Catacomb/Python; if not, write to the Free Software Foundation,
 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 */

/*----- Header files ------------------------------------------------------*/

#include "catacomb-python.h"

/*----- DSA and similar ---------------------------------------------------*/

typedef struct dsa_pyobj {
  PyObject_HEAD
  PyObject *G, *u, *p, *rng, *hash;
  gdsa d;
} dsa_pyobj;

static PyTypeObject *dsapub_pytype, *dsapriv_pytype;
static PyTypeObject *kcdsapub_pytype, *kcdsapriv_pytype;
#define DSA_D(o) (&((dsa_pyobj *)(o))->d)
#define DSA_G(o) (((dsa_pyobj *)(o))->G)
#define DSA_U(o) (((dsa_pyobj *)(o))->u)
#define DSA_P(o) (((dsa_pyobj *)(o))->p)
#define DSA_RNG(o) (((dsa_pyobj *)(o))->rng)
#define DSA_HASH(o) (((dsa_pyobj *)(o))->hash)

static void dsa_pydealloc(PyObject *me)
{
  dsa_pyobj *g = (dsa_pyobj *)me;
  Py_DECREF(g->G); Py_DECREF(g->u); Py_DECREF(g->p);
  Py_DECREF(g->rng); Py_DECREF(g->hash);
  FREEOBJ(me);
}

static PyObject *dsa_setup(PyTypeObject *ty, PyObject *G, PyObject *u,
                           PyObject *p, PyObject *rng, PyObject *hash,
                           void (*calcpub)(group *, ge *, mp *))
{
  dsa_pyobj *g;
  ge *pp;

  g = PyObject_New(dsa_pyobj, ty);
  if (p) Py_INCREF(p);
  if (!u) {
    g->d.u = 0;
    u = Py_None;
  } else {
    if ((g->d.u = getmp(u)) == 0)
      goto end;
    if (MP_PYCHECK(u)) Py_INCREF(u);
    else u = mp_pywrap(g->d.u);
  }
  if (!p) {
    assert(g->d.u); assert(calcpub);
    pp = G_CREATE(GROUP_G(G));
    calcpub(GROUP_G(G), pp, g->d.u);
    p = ge_pywrap(G, pp);
  } else if (GROUP_G(G) != GE_G(p) && !group_samep(GROUP_G(G), GE_G(p)))
    TYERR("public key not from group");
  g->d.g = GROUP_G(G);
  g->d.p = GE_X(p);
  g->d.r = GRAND_R(rng);
  g->d.h = GCHASH_CH(hash);
  g->G = G; Py_INCREF(G); g->u = u; g->p = p;
  g->rng = rng; Py_INCREF(rng); g->hash = hash; Py_INCREF(hash);
  return ((PyObject *)g);
end:
  Py_XDECREF(p); FREEOBJ(g);
  return (0);
}

static PyObject *dsapub_pynew(PyTypeObject *ty,
                              PyObject *arg, PyObject *kw)
{
  PyObject *G, *p, *rng = rand_pyobj, *hash = sha_pyobj;
  PyObject *rc = 0;
  static const char *const kwlist[] = { "G", "p", "hash", "rng", 0 };

  if (!PyArg_ParseTupleAndKeywords(arg, kw, "O!O!|O!O!:new", KWLIST,
                                   group_pytype, &G,
                                   ge_pytype, &p,
                                   gchash_pytype, &hash,
                                   grand_pytype, &rng) ||
      (rc = dsa_setup(dsapub_pytype, G, 0, p, rng, hash, 0)) == 0)
    goto end;
end:
  return (rc);
}

static PyObject *dsameth_beginhash(PyObject *me)
  { return (ghash_pywrap(DSA_HASH(me), gdsa_beginhash(DSA_D(me)))); }

static PyObject *dsameth_endhash(PyObject *me, PyObject *arg)
{
  ghash *h;
  PyObject *rc;
  if (!PyArg_ParseTuple(arg, "O&:endhash", convghash, &h)) return (0);
  gdsa_endhash(DSA_D(me), h);
  h = GH_COPY(h);
  rc = bytestring_pywrap(0, GH_CLASS(h)->hashsz);
  GH_DONE(h, PyString_AS_STRING(rc));
  GH_DESTROY(h);
  return (rc);
}

static PyObject *dsameth_sign(PyObject *me, PyObject *arg, PyObject *kw)
{
  gdsa_sig s = GDSA_SIG_INIT;
  struct bin h;
  mp *k = 0;
  PyObject *rc = 0;
  static const char *const kwlist[] = { "msg", "k", 0 };

  if (!PyArg_ParseTupleAndKeywords(arg, kw, "O&|O&:sign", KWLIST,
                                   convbin, &h, convmp, &k))
    goto end;
  if (h.sz != DSA_D(me)->h->hashsz)
    VALERR("bad message length (doesn't match hash size)");
  gdsa_sign(DSA_D(me), &s, h.p, k);
  rc = Py_BuildValue("(NN)", mp_pywrap(s.r), mp_pywrap(s.s));
end:
  mp_drop(k);
  return (rc);
}

static PyObject *dsameth_verify(PyObject *me, PyObject *arg)
{
  struct bin h;
  gdsa_sig s = GDSA_SIG_INIT;
  PyObject *rc = 0;

  if (!PyArg_ParseTuple(arg, "O&(O&O&):verify",
                        convbin, &h, convmp, &s.r, convmp, &s.s))
    goto end;
  if (h.sz != DSA_D(me)->h->hashsz)
    VALERR("bad message length (doesn't match hash size)");
  rc = getbool(!gdsa_verify(DSA_D(me), &s, h.p));
end:
  mp_drop(s.r);
  mp_drop(s.s);
  return (rc);
}

static void dsa_calcpub(group *g, ge *p, mp *u) { G_EXP(g, p, g->g, u); }

static PyObject *dsapriv_pynew(PyTypeObject *ty,
                               PyObject *arg, PyObject *kw)
{
  PyObject *G, *p = 0, *u, *rng = rand_pyobj, *hash = sha_pyobj;
  PyObject *rc = 0;
  static const char *const kwlist[] = { "G", "u", "p", "hash", "rng", 0 };

  if (!PyArg_ParseTupleAndKeywords(arg, kw, "O!O|O!O!O!:new", KWLIST,
                                   group_pytype, &G,
                                   &u,
                                   ge_pytype, &p,
                                   gchash_pytype, &hash,
                                   grand_pytype, &rng) ||
      (rc = dsa_setup(dsapriv_pytype, G, u, p, rng, hash, dsa_calcpub)) == 0)
    goto end;
end:
  return (rc);
}

static const PyMethodDef dsapub_pymethods[] = {
#define METHNAME(name) dsameth_##name
  NAMETH(beginhash,     "D.beginhash() -> hash object")
  METH  (endhash,       "D.endhash(H) -> BYTES")
  METH  (verify,        "D.verify(MSG, (R, S)) -> true/false")
#undef METHNAME
  { 0 }
};

static const PyMethodDef dsapriv_pymethods[] = {
#define METHNAME(name) dsameth_##name
  KWMETH(sign,          "D.sign(MSG, [k = K]) -> R, S")
#undef METHNAME
  { 0 }
};

static const PyMemberDef dsapub_pymembers[] = {
#define MEMBERSTRUCT dsa_pyobj
  MEMBER(G,     T_OBJECT, READONLY, "D.G -> group to work in")
  MEMBER(p,     T_OBJECT, READONLY, "D.p -> public key (group element")
  MEMBER(rng,   T_OBJECT, READONLY, "D.rng -> random number generator")
  MEMBER(hash,  T_OBJECT, READONLY, "D.hash -> hash class")
#undef MEMBERSTRUCT
  { 0 }
};

static const PyMemberDef dsapriv_pymembers[] = {
#define MEMBERSTRUCT dsa_pyobj
  MEMBER(u,     T_OBJECT, READONLY, "D.u -> private key (exponent)")
#undef MEMBERSTRUCT
  { 0 }
};

static const PyTypeObject dsapub_pytype_skel = {
  PyVarObject_HEAD_INIT(0, 0)           /* Header */
  "DSAPub",                             /* @tp_name@ */
  sizeof(dsa_pyobj),                    /* @tp_basicsize@ */
  0,                                    /* @tp_itemsize@ */

  dsa_pydealloc,                        /* @tp_dealloc@ */
  0,                                    /* @tp_print@ */
  0,                                    /* @tp_getattr@ */
  0,                                    /* @tp_setattr@ */
  0,                                    /* @tp_compare@ */
  0,                                    /* @tp_repr@ */
  0,                                    /* @tp_as_number@ */
  0,                                    /* @tp_as_sequence@ */
  0,                                    /* @tp_as_mapping@ */
  0,                                    /* @tp_hash@ */
  0,                                    /* @tp_call@ */
  0,                                    /* @tp_str@ */
  0,                                    /* @tp_getattro@ */
  0,                                    /* @tp_setattro@ */
  0,                                    /* @tp_as_buffer@ */
  Py_TPFLAGS_DEFAULT |                  /* @tp_flags@ */
    Py_TPFLAGS_BASETYPE,

  /* @tp_doc@ */
  "DSAPub(GROUP, P, [hash = sha], [rng = rand]): DSA public key.",

  0,                                    /* @tp_traverse@ */
  0,                                    /* @tp_clear@ */
  0,                                    /* @tp_richcompare@ */
  0,                                    /* @tp_weaklistoffset@ */
  0,                                    /* @tp_iter@ */
  0,                                    /* @tp_iternext@ */
  PYMETHODS(dsapub),                    /* @tp_methods@ */
  PYMEMBERS(dsapub),                    /* @tp_members@ */
  0,                                    /* @tp_getset@ */
  0,                                    /* @tp_base@ */
  0,                                    /* @tp_dict@ */
  0,                                    /* @tp_descr_get@ */
  0,                                    /* @tp_descr_set@ */
  0,                                    /* @tp_dictoffset@ */
  0,                                    /* @tp_init@ */
  PyType_GenericAlloc,                  /* @tp_alloc@ */
  dsapub_pynew,                         /* @tp_new@ */
  0,                                    /* @tp_free@ */
  0                                     /* @tp_is_gc@ */
};

static const PyTypeObject dsapriv_pytype_skel = {
  PyVarObject_HEAD_INIT(0, 0)           /* Header */
  "DSAPriv",                            /* @tp_name@ */
  sizeof(dsa_pyobj),                    /* @tp_basicsize@ */
  0,                                    /* @tp_itemsize@ */

  0,                                    /* @tp_dealloc@ */
  0,                                    /* @tp_print@ */
  0,                                    /* @tp_getattr@ */
  0,                                    /* @tp_setattr@ */
  0,                                    /* @tp_compare@ */
  0,                                    /* @tp_repr@ */
  0,                                    /* @tp_as_number@ */
  0,                                    /* @tp_as_sequence@ */
  0,                                    /* @tp_as_mapping@ */
  0,                                    /* @tp_hash@ */
  0,                                    /* @tp_call@ */
  0,                                    /* @tp_str@ */
  0,                                    /* @tp_getattro@ */
  0,                                    /* @tp_setattro@ */
  0,                                    /* @tp_as_buffer@ */
  Py_TPFLAGS_DEFAULT |                  /* @tp_flags@ */
    Py_TPFLAGS_BASETYPE,

  /* @tp_doc@ */
  "DSAPriv(GROUP, U, [p = u G], [hash = sha], [rng = rand]): "
                                                          "DSA private key.",

  0,                                    /* @tp_traverse@ */
  0,                                    /* @tp_clear@ */
  0,                                    /* @tp_richcompare@ */
  0,                                    /* @tp_weaklistoffset@ */
  0,                                    /* @tp_iter@ */
  0,                                    /* @tp_iternext@ */
  PYMETHODS(dsapriv),                   /* @tp_methods@ */
  PYMEMBERS(dsapriv),                   /* @tp_members@ */
  0,                                    /* @tp_getset@ */
  0,                                    /* @tp_base@ */
  0,                                    /* @tp_dict@ */
  0,                                    /* @tp_descr_get@ */
  0,                                    /* @tp_descr_set@ */
  0,                                    /* @tp_dictoffset@ */
  0,                                    /* @tp_init@ */
  PyType_GenericAlloc,                  /* @tp_alloc@ */
  dsapriv_pynew,                        /* @tp_new@ */
  0,                                    /* @tp_free@ */
  0                                     /* @tp_is_gc@ */
};

static PyObject *kcdsapub_pynew(PyTypeObject *ty,
                                PyObject *arg, PyObject *kw)
{
  PyObject *G, *p, *rng = rand_pyobj, *hash = has160_pyobj;
  PyObject *rc = 0;
  static const char *const kwlist[] = { "G", "p", "hash", "rng", 0 };

  if (!PyArg_ParseTupleAndKeywords(arg, kw, "O!O!|O!O!:new", KWLIST,
                                   group_pytype, &G,
                                   ge_pytype, &p,
                                   gchash_pytype, &hash,
                                   grand_pytype, &rng) ||
      (rc = dsa_setup(kcdsapub_pytype, G, 0, p, rng, hash, 0)) == 0)
    goto end;
end:
  return (rc);
}

static void kcdsa_calcpub(group *g, ge *p, mp *u)
{
  mp *uinv = mp_modinv(MP_NEW, u, g->r);
  G_EXP(g, p, g->g, uinv);
  mp_drop(uinv);
}

static PyObject *kcdsapriv_pynew(PyTypeObject *ty,
                                 PyObject *arg, PyObject *kw)
{
  PyObject *G, *u, *p = 0, *rng = rand_pyobj, *hash = has160_pyobj;
  PyObject *rc = 0;
  static const char *const kwlist[] = { "G", "u", "p", "hash", "rng", 0 };

  if (!PyArg_ParseTupleAndKeywords(arg, kw, "O!O|O!O!O!:new", KWLIST,
                                   group_pytype, &G,
                                   &u,
                                   ge_pytype, &p,
                                   gchash_pytype, &hash,
                                   grand_pytype, &rng) ||
      (rc = dsa_setup(kcdsapriv_pytype, G, u, p,
                      rng, hash, kcdsa_calcpub)) == 0)
    goto end;
end:
  return (rc);
}

static PyObject *kcdsameth_beginhash(PyObject *me)
  { return (ghash_pywrap(DSA_HASH(me), gkcdsa_beginhash(DSA_D(me)))); }

static PyObject *kcdsameth_endhash(PyObject *me, PyObject *arg)
{
  ghash *h;
  PyObject *rc;
  if (!PyArg_ParseTuple(arg, "O&:endhash", convghash, &h)) return (0);
  gkcdsa_endhash(DSA_D(me), h);
  h = GH_COPY(h);
  rc = bytestring_pywrap(0, GH_CLASS(h)->hashsz);
  GH_DONE(h, PyString_AS_STRING(rc));
  GH_DESTROY(h);
  return (rc);
}

static PyObject *kcdsameth_sign(PyObject *me, PyObject *arg, PyObject *kw)
{
  gkcdsa_sig s = GKCDSA_SIG_INIT;
  struct bin h;
  mp *k = 0;
  PyObject *r = 0, *rc = 0;
  static const char *const kwlist[] = { "msg", "k", 0 };

  if (!PyArg_ParseTupleAndKeywords(arg, kw, "O&|O&:sign", KWLIST,
                                   convbin, &h, convmp, &k))
    goto end;
  if (h.sz != DSA_D(me)->h->hashsz)
    VALERR("bad message length (doesn't match hash size)");
  r = bytestring_pywrap(0, DSA_D(me)->h->hashsz);
  s.r = (octet *)PyString_AS_STRING(r);
  gkcdsa_sign(DSA_D(me), &s, h.p, k);
  rc = Py_BuildValue("(ON)", r, mp_pywrap(s.s));
end:
  Py_XDECREF(r);
  mp_drop(k);
  return (rc);
}

static PyObject *kcdsameth_verify(PyObject *me, PyObject *arg)
{
  struct bin h, sr;
  gkcdsa_sig s = GKCDSA_SIG_INIT;
  PyObject *rc = 0;

  if (!PyArg_ParseTuple(arg, "O&(O&O&):verify",
                        convbin, &h, convbin, &sr, convmp, &s.s))
    goto end;
  if (h.sz != DSA_D(me)->h->hashsz)
    VALERR("bad message length (doesn't match hash size)");
  if (sr.sz != DSA_D(me)->h->hashsz)
    VALERR("bad signature `r' length (doesn't match hash size)");
  s.r = (/*unconst*/ octet *)sr.p;
  rc = getbool(!gkcdsa_verify(DSA_D(me), &s, h.p));
end:
  mp_drop(s.s);
  return (rc);
}

static const PyMethodDef kcdsapub_pymethods[] = {
#define METHNAME(name) kcdsameth_##name
  NAMETH(beginhash,     "D.beginhash() -> hash object")
  METH  (endhash,       "D.endhash(H) -> BYTES")
  METH  (verify,        "D.verify(MSG, (R, S)) -> true/false")
#undef METHNAME
  { 0 }
};

static const PyMethodDef kcdsapriv_pymethods[] = {
#define METHNAME(name) kcdsameth_##name
  KWMETH(sign,          "D.sign(MSG, [k = K]) -> R, S")
#undef METHNAME
  { 0 }
};

static const PyTypeObject kcdsapub_pytype_skel = {
  PyVarObject_HEAD_INIT(0, 0)           /* Header */
  "KCDSAPub",                           /* @tp_name@ */
  sizeof(dsa_pyobj),                    /* @tp_basicsize@ */
  0,                                    /* @tp_itemsize@ */

  dsa_pydealloc,                        /* @tp_dealloc@ */
  0,                                    /* @tp_print@ */
  0,                                    /* @tp_getattr@ */
  0,                                    /* @tp_setattr@ */
  0,                                    /* @tp_compare@ */
  0,                                    /* @tp_repr@ */
  0,                                    /* @tp_as_number@ */
  0,                                    /* @tp_as_sequence@ */
  0,                                    /* @tp_as_mapping@ */
  0,                                    /* @tp_hash@ */
  0,                                    /* @tp_call@ */
  0,                                    /* @tp_str@ */
  0,                                    /* @tp_getattro@ */
  0,                                    /* @tp_setattro@ */
  0,                                    /* @tp_as_buffer@ */
  Py_TPFLAGS_DEFAULT |                  /* @tp_flags@ */
    Py_TPFLAGS_BASETYPE,

  /* @tp_doc@ */
  "KCDSAPub(GROUP, P, [hash = sha], [rng = rand]): KCDSA public key.",

  0,                                    /* @tp_traverse@ */
  0,                                    /* @tp_clear@ */
  0,                                    /* @tp_richcompare@ */
  0,                                    /* @tp_weaklistoffset@ */
  0,                                    /* @tp_iter@ */
  0,                                    /* @tp_iternext@ */
  PYMETHODS(kcdsapub),                  /* @tp_methods@ */
  PYMEMBERS(dsapub),                    /* @tp_members@ */
  0,                                    /* @tp_getset@ */
  0,                                    /* @tp_base@ */
  0,                                    /* @tp_dict@ */
  0,                                    /* @tp_descr_get@ */
  0,                                    /* @tp_descr_set@ */
  0,                                    /* @tp_dictoffset@ */
  0,                                    /* @tp_init@ */
  PyType_GenericAlloc,                  /* @tp_alloc@ */
  kcdsapub_pynew,                       /* @tp_new@ */
  0,                                    /* @tp_free@ */
  0                                     /* @tp_is_gc@ */
};

static const PyTypeObject kcdsapriv_pytype_skel = {
  PyVarObject_HEAD_INIT(0, 0)           /* Header */
  "KCDSAPriv",                          /* @tp_name@ */
  sizeof(dsa_pyobj),                    /* @tp_basicsize@ */
  0,                                    /* @tp_itemsize@ */

  0,                                    /* @tp_dealloc@ */
  0,                                    /* @tp_print@ */
  0,                                    /* @tp_getattr@ */
  0,                                    /* @tp_setattr@ */
  0,                                    /* @tp_compare@ */
  0,                                    /* @tp_repr@ */
  0,                                    /* @tp_as_number@ */
  0,                                    /* @tp_as_sequence@ */
  0,                                    /* @tp_as_mapping@ */
  0,                                    /* @tp_hash@ */
  0,                                    /* @tp_call@ */
  0,                                    /* @tp_str@ */
  0,                                    /* @tp_getattro@ */
  0,                                    /* @tp_setattro@ */
  0,                                    /* @tp_as_buffer@ */
  Py_TPFLAGS_DEFAULT |                  /* @tp_flags@ */
    Py_TPFLAGS_BASETYPE,

  /* @tp_doc@ */
  "KCDSAPriv(GROUP, U, [p = u G], [hash = sha], [rng = rand]): "
                                                        "KCDSA private key.",

  0,                                    /* @tp_traverse@ */
  0,                                    /* @tp_clear@ */
  0,                                    /* @tp_richcompare@ */
  0,                                    /* @tp_weaklistoffset@ */
  0,                                    /* @tp_iter@ */
  0,                                    /* @tp_iternext@ */
  PYMETHODS(kcdsapriv),                 /* @tp_methods@ */
  PYMEMBERS(dsapriv),                   /* @tp_members@ */
  0,                                    /* @tp_getset@ */
  0,                                    /* @tp_base@ */
  0,                                    /* @tp_dict@ */
  0,                                    /* @tp_descr_get@ */
  0,                                    /* @tp_descr_set@ */
  0,                                    /* @tp_dictoffset@ */
  0,                                    /* @tp_init@ */
  PyType_GenericAlloc,                  /* @tp_alloc@ */
  kcdsapriv_pynew,                      /* @tp_new@ */
  0,                                    /* @tp_free@ */
  0                                     /* @tp_is_gc@ */
};

/*----- RSA ---------------------------------------------------------------*/

typedef struct rsapub_pyobj {
  PyObject_HEAD
  rsa_pub pub;
  rsa_pubctx pubctx;
} rsapub_pyobj;

#define RSA_PUB(o) (&((rsapub_pyobj *)(o))->pub)
#define RSA_PUBCTX(o) (&((rsapub_pyobj *)(o))->pubctx)

typedef struct rsapriv_pyobj {
  PyObject_HEAD
  rsa_pub pub;
  rsa_pubctx pubctx;
  rsa_priv priv;
  rsa_privctx privctx;
  PyObject *rng;
} rsapriv_pyobj;

#define RSA_PRIV(o) (&((rsapriv_pyobj *)(o))->priv)
#define RSA_PRIVCTX(o) (&((rsapriv_pyobj *)(o))->privctx)
#define RSA_RNG(o) (((rsapriv_pyobj *)(o))->rng)

static PyTypeObject *rsapub_pytype, *rsapriv_pytype;

static PyObject *rsapub_pynew(PyTypeObject *ty,
                              PyObject *arg, PyObject *kw)
{
  rsa_pub rp = { 0 };
  rsapub_pyobj *o;
  static const char *const kwlist[] = { "n", "e", 0 };

  if (!PyArg_ParseTupleAndKeywords(arg, kw, "O&O&:new", KWLIST,
                                   convmp, &rp.n, convmp, &rp.e))
    goto end;
  if (!MP_ODDP(rp.n)) VALERR("RSA modulus must be even");
  o = (rsapub_pyobj *)ty->tp_alloc(ty, 0);
  o->pub = rp;
  rsa_pubcreate(&o->pubctx, &o->pub);
  return ((PyObject *)o);
end:
  rsa_pubfree(&rp);
  return (0);
}

static void rsapub_pydealloc(PyObject *me)
{
  rsa_pubdestroy(RSA_PUBCTX(me));
  rsa_pubfree(RSA_PUB(me));
  FREEOBJ(me);
}

static PyObject *rsaget_n(PyObject *me, void *hunoz)
  { return mp_pywrap(MP_COPY(RSA_PUB(me)->n)); }

static PyObject *rsaget_e(PyObject *me, void *hunoz)
  { return mp_pywrap(MP_COPY(RSA_PUB(me)->e)); }

static PyObject *rsameth_pubop(PyObject *me, PyObject *arg)
{
  mp *x = 0;
  PyObject *rc = 0;

  if (!PyArg_ParseTuple(arg, "O&:pubop", convmp, &x)) goto end;
  rc = mp_pywrap(rsa_pubop(RSA_PUBCTX(me), MP_NEW, x));
end:
  mp_drop(x);
  return (rc);
}

static PyObject *rsapriv_dopywrap(PyTypeObject *ty,
                                  rsa_priv *rp, PyObject *rng)
{
  rsapriv_pyobj *o;

  o = (rsapriv_pyobj *)ty->tp_alloc(ty, 0);
  o->priv = *rp;
  o->pub.n = rp->n;
  o->pub.e = rp->e;
  rsa_privcreate(&o->privctx, &o->priv, &rand_global);
  rsa_pubcreate(&o->pubctx, &o->pub);
  if (!rng) {
    rng = Py_None;
    Py_INCREF(rng);
  }
  o->rng = rng;
  return ((PyObject *)o);
}

PyObject *rsapriv_pywrap(rsa_priv *rp)
  { return rsapriv_dopywrap(rsapriv_pytype, rp, 0); }

static PyObject *rsapriv_pynew(PyTypeObject *ty,
                               PyObject *arg, PyObject *kw)
{
  rsa_priv rp = { 0 };
  PyObject *rng = Py_None;
  static const char *const kwlist[] =
    { "n", "e", "d", "p", "q", "dp", "dq", "q_inv", "rng", 0 };

  if (!PyArg_ParseTupleAndKeywords(arg, kw, "|O&O&O&O&O&O&O&O&O:new", KWLIST,
                                   convmp, &rp.n, convmp, &rp.e,
                                   convmp, &rp.d,
                                   convmp, &rp.p, convmp, &rp.q,
                                   convmp, &rp.dp, convmp, &rp.dq,
                                   convmp, &rp.q_inv,
                                   &rng))
    goto end;
  if ((rp.n && !MP_ODDP(rp.n)) ||
      (rp.p && !MP_ODDP(rp.p)) ||
      (rp.q && !MP_ODDP(rp.q)))
    VALERR("RSA modulus and factors must be odd");
  if (rsa_recover(&rp)) VALERR("couldn't construct private key");
  if (rng != Py_None && !GRAND_PYCHECK(rng))
    TYERR("not a random number source");
  Py_INCREF(rng);
  return (rsapriv_dopywrap(ty, &rp, rng));
end:
  rsa_privfree(&rp);
  return (0);
}

static void rsapriv_pydealloc(PyObject *me)
{
  RSA_PRIVCTX(me)->r = &rand_global;
  rsa_privdestroy(RSA_PRIVCTX(me));
  rsa_privfree(RSA_PRIV(me));
  Py_DECREF(RSA_RNG(me));
  FREEOBJ(me);
}

static PyObject *rsaget_d(PyObject *me, void *hunoz)
  { return mp_pywrap(MP_COPY(RSA_PRIV(me)->d)); }

static PyObject *rsaget_p(PyObject *me, void *hunoz)
  { return mp_pywrap(MP_COPY(RSA_PRIV(me)->p)); }

static PyObject *rsaget_q(PyObject *me, void *hunoz)
  { return mp_pywrap(MP_COPY(RSA_PRIV(me)->q)); }

static PyObject *rsaget_dp(PyObject *me, void *hunoz)
  { return mp_pywrap(MP_COPY(RSA_PRIV(me)->dp)); }

static PyObject *rsaget_dq(PyObject *me, void *hunoz)
  { return mp_pywrap(MP_COPY(RSA_PRIV(me)->dq)); }

static PyObject *rsaget_q_inv(PyObject *me, void *hunoz)
  { return mp_pywrap(MP_COPY(RSA_PRIV(me)->q_inv)); }

static PyObject *rsaget_rng(PyObject *me, void *hunoz)
  { RETURN_OBJ(RSA_RNG(me)); }

static int rsaset_rng(PyObject *me, PyObject *val, void *hunoz)
{
  int rc = -1;
  if (!val)
    val = Py_None;
  else if (val != Py_None && !GRAND_PYCHECK(val))
    TYERR("expected grand or None");
  Py_DECREF(RSA_RNG(me));
  RSA_RNG(me) = val;
  Py_INCREF(val);
  rc = 0;
end:
  return (rc);
}

static PyObject *rsameth_privop(PyObject *me, PyObject *arg, PyObject *kw)
{
  PyObject *rng = RSA_RNG(me);
  mp *x = 0;
  PyObject *rc = 0;
  static const char *const kwlist[] = { "x", "rng", 0 };

  if (!PyArg_ParseTupleAndKeywords(arg, kw, "O&|O:privop", KWLIST,
                                   convmp, &x, &rng))
    goto end;
  if (rng != Py_None && !GRAND_PYCHECK(rng))
    TYERR("not a random number source");
  RSA_PRIVCTX(me)->r = (rng == Py_None) ? 0 : GRAND_R(rng);
  rc = mp_pywrap(rsa_privop(RSA_PRIVCTX(me), MP_NEW, x));
end:
  mp_drop(x);
  return (rc);
}

static PyObject *rsameth_generate(PyObject *me, PyObject *arg, PyObject *kw)
{
  grand *r = &rand_global;
  unsigned nbits;
  unsigned n = 0;
  rsa_priv rp;
  mp *e = 0;
  struct excinfo exc = EXCINFO_INIT;
  pypgev evt = { { 0 } };
  static const char *const kwlist[] =
    { "nbits", "event", "rng", "nsteps", "e", 0 };
  PyObject *rc = 0;

  evt.exc = &exc;
  if (!PyArg_ParseTupleAndKeywords(arg, kw, "O&|O&O&O&O&:generate", KWLIST,
                                   convuint, &nbits, convpgev, &evt,
                                   convgrand, &r, convuint, &n,
                                   convmp, &e))
    goto end;
  if (e) MP_COPY(e);
  else e = mp_fromulong(MP_NEW, 65537);
  if (rsa_gen_e(&rp, nbits, e, r, n, evt.ev.proc, evt.ev.ctx))
    PGENERR(&exc);
  rc = rsapriv_pywrap(&rp);
end:
  droppgev(&evt);
  mp_drop(e);
  return (rc);
}

static const PyGetSetDef rsapub_pygetset[] = {
#define GETSETNAME(op, name) rsa##op##_##name
  GET   (n,             "R.n -> N")
  GET   (e,             "R.e -> E")
#undef GETSETNAME
  { 0 }
};

static const PyMethodDef rsapub_pymethods[] = {
#define METHNAME(name) rsameth_##name
  METH  (pubop,         "R.pubop(X) -> X^E (mod N)")
#undef METHNAME
  { 0 }
};

static const PyGetSetDef rsapriv_pygetset[] = {
#define GETSETNAME(op, name) rsa##op##_##name
  GET   (d,             "R.d -> D")
  GET   (p,             "R.p -> P")
  GET   (q,             "R.q -> Q")
  GET   (dp,            "R.dp -> D mod (P - 1)")
  GET   (dq,            "R.dq -> D mod (Q - 1)")
  GET   (q_inv,         "R.q_inv -> Q^{-1} mod P")
  GETSET(rng,           "R.rng -> random number source for blinding")
#undef GETSETNAME
  { 0 }
};

static const PyMethodDef rsapriv_pymethods[] = {
#define METHNAME(name) rsameth_##name
  KWMETH(privop,        "R.privop(X, [rng = None]) -> X^D (mod N)")
  KWSMTH(generate, "generate(NBITS, [event = pgen_nullev], [rng = rand], "
                                                        "[nsteps = 0]) -> R")
#undef METHNAME
  { 0 }
};

static const PyTypeObject rsapub_pytype_skel = {
  PyVarObject_HEAD_INIT(0, 0)           /* Header */
  "RSAPub",                             /* @tp_name@ */
  sizeof(rsapub_pyobj),                 /* @tp_basicsize@ */
  0,                                    /* @tp_itemsize@ */

  rsapub_pydealloc,                     /* @tp_dealloc@ */
  0,                                    /* @tp_print@ */
  0,                                    /* @tp_getattr@ */
  0,                                    /* @tp_setattr@ */
  0,                                    /* @tp_compare@ */
  0,                                    /* @tp_repr@ */
  0,                                    /* @tp_as_number@ */
  0,                                    /* @tp_as_sequence@ */
  0,                                    /* @tp_as_mapping@ */
  0,                                    /* @tp_hash@ */
  0,                                    /* @tp_call@ */
  0,                                    /* @tp_str@ */
  0,                                    /* @tp_getattro@ */
  0,                                    /* @tp_setattro@ */
  0,                                    /* @tp_as_buffer@ */
  Py_TPFLAGS_DEFAULT |                  /* @tp_flags@ */
    Py_TPFLAGS_BASETYPE,

  /* @tp_doc@ */
  "RSAPub(N, E): RSA public key.",

  0,                                    /* @tp_traverse@ */
  0,                                    /* @tp_clear@ */
  0,                                    /* @tp_richcompare@ */
  0,                                    /* @tp_weaklistoffset@ */
  0,                                    /* @tp_iter@ */
  0,                                    /* @tp_iternext@ */
  PYMETHODS(rsapub),                    /* @tp_methods@ */
  0,                                    /* @tp_members@ */
  PYGETSET(rsapub),                     /* @tp_getset@ */
  0,                                    /* @tp_base@ */
  0,                                    /* @tp_dict@ */
  0,                                    /* @tp_descr_get@ */
  0,                                    /* @tp_descr_set@ */
  0,                                    /* @tp_dictoffset@ */
  0,                                    /* @tp_init@ */
  PyType_GenericAlloc,                  /* @tp_alloc@ */
  rsapub_pynew,                         /* @tp_new@ */
  0,                                    /* @tp_free@ */
  0                                     /* @tp_is_gc@ */
};

static const PyTypeObject rsapriv_pytype_skel = {
  PyVarObject_HEAD_INIT(0, 0)           /* Header */
  "RSAPriv",                            /* @tp_name@ */
  sizeof(rsapriv_pyobj),                /* @tp_basicsize@ */
  0,                                    /* @tp_itemsize@ */

  rsapriv_pydealloc,                    /* @tp_dealloc@ */
  0,                                    /* @tp_print@ */
  0,                                    /* @tp_getattr@ */
  0,                                    /* @tp_setattr@ */
  0,                                    /* @tp_compare@ */
  0,                                    /* @tp_repr@ */
  0,                                    /* @tp_as_number@ */
  0,                                    /* @tp_as_sequence@ */
  0,                                    /* @tp_as_mapping@ */
  0,                                    /* @tp_hash@ */
  0,                                    /* @tp_call@ */
  0,                                    /* @tp_str@ */
  0,                                    /* @tp_getattro@ */
  0,                                    /* @tp_setattro@ */
  0,                                    /* @tp_as_buffer@ */
  Py_TPFLAGS_DEFAULT |                  /* @tp_flags@ */
    Py_TPFLAGS_BASETYPE,

  /* @tp_doc@ */
  "RSAPriv(..., [rng = rand]): RSA private key.\n"
  "  Keywords: n, e, d, p, q, dp, dq, q_inv; must provide enough",

  0,                                    /* @tp_traverse@ */
  0,                                    /* @tp_clear@ */
  0,                                    /* @tp_richcompare@ */
  0,                                    /* @tp_weaklistoffset@ */
  0,                                    /* @tp_iter@ */
  0,                                    /* @tp_iternext@ */
  PYMETHODS(rsapriv),                   /* @tp_methods@ */
  0,                                    /* @tp_members@ */
  PYGETSET(rsapriv),                    /* @tp_getset@ */
  0,                                    /* @tp_base@ */
  0,                                    /* @tp_dict@ */
  0,                                    /* @tp_descr_get@ */
  0,                                    /* @tp_descr_set@ */
  0,                                    /* @tp_dictoffset@ */
  0,                                    /* @tp_init@ */
  PyType_GenericAlloc,                  /* @tp_alloc@ */
  rsapriv_pynew,                        /* @tp_new@ */
  0,                                    /* @tp_free@ */
  0                                     /* @tp_is_gc@ */
};

/*----- RSA padding schemes -----------------------------------------------*/

static PyObject *meth__p1crypt_encode(PyObject *me,
                                      PyObject *arg, PyObject *kw)
{
  pkcs1 p1;
  struct bin m, ep = { 0, 0 };
  unsigned long nbits;
  PyObject *rc = 0;
  octet *b = 0;
  size_t sz;
  mp *x;
  static const char *const kwlist[] = { "msg", "nbits", "ep", "rng", 0 };

  p1.r = &rand_global;
  if (!PyArg_ParseTupleAndKeywords(arg, kw, "O&O&|O&O&:encode", KWLIST,
                                   convbin, &m, convulong, &nbits,
                                   convbin, &ep, convgrand, &p1.r))
    goto end;
  sz = (nbits + 7)/8;
  p1.ep = ep.p; p1.epsz = ep.sz;
  if (ep.sz + m.sz + 11 > sz) VALERR("buffer underflow");
  b = xmalloc(sz);
  x = pkcs1_cryptencode(MP_NEW, m.p, m.sz, b, sz, nbits, &p1);
  rc = mp_pywrap(x);
end:
  xfree(b);
  return (rc);
}

static PyObject *meth__p1crypt_decode(PyObject *me,
                                      PyObject *arg, PyObject *kw)
{
  pkcs1 p1;
  struct bin ep = { 0, 0 };
  unsigned long nbits;
  int n;
  PyObject *rc = 0;
  octet *b = 0;
  size_t sz;
  mp *x = 0;
  static const char *const kwlist[] = { "ct", "nbits", "ep", "rng", 0 };

  p1.r = &rand_global;
  if (!PyArg_ParseTupleAndKeywords(arg, kw, "O&O&|O&O&:decode", KWLIST,
                                   convmp, &x, convulong, &nbits,
                                   convbin, &ep, convgrand, &p1.r))
    goto end;
  sz = (nbits + 7)/8;
  p1.ep = ep.p; p1.epsz = ep.sz;
  if (ep.sz + 11 > sz) VALERR("buffer underflow");
  b = xmalloc(sz);
  if ((n = pkcs1_cryptdecode(x, b, sz, nbits, &p1)) < 0)
    VALERR("decryption failed");
  rc = bytestring_pywrap(b, n);
end:
  mp_drop(x);
  xfree(b);
  return (rc);
}

static PyObject *meth__p1sig_encode(PyObject *me,
                                    PyObject *arg, PyObject *kw)
{
  pkcs1 p1;
  struct bin m, ep = { 0, 0 };
  unsigned long nbits;
  PyObject *rc = 0;
  octet *b = 0;
  size_t sz;
  mp *x;
  static const char *const kwlist[] = { "msg", "nbits", "ep", "rng", 0 };

  p1.r = &rand_global;
  if (!PyArg_ParseTupleAndKeywords(arg, kw, "O&O&|O&O&:encode", KWLIST,
                                   convbin, &m, convulong, &nbits,
                                   convbin, &ep, convgrand, &p1.r))
    goto end;
  sz = (nbits + 7)/8;
  p1.ep = ep.p; p1.epsz = ep.sz;
  if (ep.sz + m.sz + 11 > sz) VALERR("buffer underflow");
  b = xmalloc(sz);
  x = pkcs1_sigencode(MP_NEW, m.p, m.sz, b, sz, nbits, &p1);
  rc = mp_pywrap(x);
end:
  xfree(b);
  return (rc);
}

static PyObject *meth__p1sig_decode(PyObject *me,
                                    PyObject *arg, PyObject *kw)
{
  pkcs1 p1;
  struct bin ep = { 0, 0 };
  unsigned long nbits;
  int n;
  PyObject *hukairz;
  PyObject *rc = 0;
  octet *b = 0;
  size_t sz;
  mp *x = 0;
  static const char *const kwlist[] =
    { "msg", "sig", "nbits", "ep", "rng", 0 };

  p1.r = &rand_global;
  if (!PyArg_ParseTupleAndKeywords(arg, kw, "OO&O&|O&O&:decode", KWLIST,
                                   &hukairz, convmp, &x, convulong, &nbits,
                                   convbin, &ep, convgrand, &p1.r))
    goto end;
  sz = (nbits + 7)/8;
  p1.ep = ep.p; p1.epsz = ep.sz;
  if (ep.sz + 10 > sz) VALERR("buffer underflow");
  b = xmalloc(sz);
  if ((n = pkcs1_sigdecode(x, 0, 0, b, sz, nbits, &p1)) < 0)
    VALERR("verification failed");
  rc = bytestring_pywrap(b, n);
end:
  mp_drop(x);
  xfree(b);
  return (rc);
}

static PyObject *meth__oaep_encode(PyObject *me,
                                   PyObject *arg, PyObject *kw)
{
  oaep o;
  struct bin m, ep = { 0, 0 };
  unsigned long nbits;
  PyObject *rc = 0;
  octet *b = 0;
  size_t sz;
  mp *x;
  static const char *const kwlist[] =
    { "msg", "nbits", "mgf", "hash", "ep", "rng", 0 };

  o.r = &rand_global; o.cc = &sha_mgf; o.ch = &sha;
  if (!PyArg_ParseTupleAndKeywords(arg, kw, "O&O&|O&O&O&O&:encode",
                                   KWLIST,
                                   convbin, &m, convulong, &nbits,
                                   convgccipher, &o.cc,
                                   convgchash, &o.ch,
                                   convbin, &ep,
                                   convgrand, &o.r))
    goto end;
  sz = (nbits + 7)/8;
  o.ep = ep.p; o.epsz = ep.sz;
  if (2 * o.ch->hashsz + 2 + m.sz > sz) VALERR("buffer underflow");
  b = xmalloc(sz);
  x = oaep_encode(MP_NEW, m.p, m.sz, b, sz, nbits, &o);
  rc = mp_pywrap(x);
end:
  xfree(b);
  return (rc);
}

static PyObject *meth__oaep_decode(PyObject *me,
                                   PyObject *arg, PyObject *kw)
{
  oaep o;
  struct bin ep = { 0, 0 };
  unsigned long nbits;
  int n;
  PyObject *rc = 0;
  octet *b = 0;
  size_t sz;
  mp *x = 0;
  static const char *const kwlist[] =
    { "ct", "nbits", "mgf", "hash", "ep", "rng", 0 };

  o.r = &rand_global; o.cc = &sha_mgf; o.ch = &sha;
  if (!PyArg_ParseTupleAndKeywords(arg, kw, "O&O&|O&O&O&O&:decode", KWLIST,
                                   convmp, &x, convulong, &nbits,
                                   convgccipher, &o.cc,
                                   convgchash, &o.ch,
                                   convbin, &ep,
                                   convgrand, &o.r))
    goto end;
  sz = (nbits + 7)/8;
  o.ep = ep.p; o.epsz = ep.sz;
  if (2 * o.ch->hashsz > sz) VALERR("buffer underflow");
  b = xmalloc(sz);
  if ((n = oaep_decode(x, b, sz, nbits, &o)) < 0)
    VALERR("decryption failed");
  rc = bytestring_pywrap(b, n);
end:
  mp_drop(x);
  xfree(b);
  return (rc);
}

static PyObject *meth__pss_encode(PyObject *me,
                                  PyObject *arg, PyObject *kw)
{
  pss p;
  struct bin m;
  unsigned long nbits;
  PyObject *rc = 0;
  octet *b = 0;
  size_t sz;
  mp *x = 0;
  static const char *const kwlist[] =
    { "msg", "nbits", "mgf", "hash", "saltsz", "rng", 0 };

  p.cc = &sha_mgf; p.ch = &sha; p.r = &rand_global; p.ssz = (size_t)-1;
  if (!PyArg_ParseTupleAndKeywords(arg, kw, "O&O&|O&O&O&O&:encode", KWLIST,
                                   convbin, &m, convulong, &nbits,
                                   convgccipher, &p.cc,
                                   convgchash, &p.ch,
                                   convszt, &p.ssz,
                                   convgrand, &p.r))
    goto end;
  sz = (nbits + 7)/8;
  if (p.ssz == (size_t)-1) p.ssz = p.ch->hashsz;
  if (p.ch->hashsz + p.ssz + 2 > sz) VALERR("buffer underflow");
  b = xmalloc(sz);
  x = pss_encode(MP_NEW, m.p, m.sz, b, sz, nbits, &p);
  rc = mp_pywrap(x);
end:
  xfree(b);
  return (rc);
}

static PyObject *meth__pss_decode(PyObject *me,
                                  PyObject *arg, PyObject *kw)
{
  pss p;
  struct bin m;
  unsigned long nbits;
  PyObject *rc = 0;
  octet *b = 0;
  size_t sz;
  int n;
  mp *x = 0;
  static const char *const kwlist[] =
    { "msg", "sig", "nbits", "mgf", "hash", "saltsz", "rng", 0 };

  p.cc = &sha_mgf; p.ch = &sha; p.r = &rand_global; p.ssz = (size_t)-1;
  if (!PyArg_ParseTupleAndKeywords(arg, kw, "O&O&O&|O&O&O&O&:decode",
                                   KWLIST,
                                   convbin, &m, convmp, &x,
                                   convulong, &nbits,
                                   convgccipher, &p.cc,
                                   convgchash, &p.ch,
                                   convszt, &p.ssz,
                                   convgrand, &p.r))
    goto end;
  sz = (nbits + 7)/8;
  if (p.ssz == (size_t)-1) p.ssz = p.ch->hashsz;
  if (p.ch->hashsz + p.ssz + 2 > sz) VALERR("buffer underflow");
  b = xmalloc(sz);
  if ((n = pss_decode(x, m.p, m.sz, b, sz, nbits, &p)) < 0)
    VALERR("verification failed");
  rc = Py_None; Py_INCREF(rc);
end:
  mp_drop(x);
  xfree(b);
  return (rc);
}

/*----- X25519 and related algorithms -------------------------------------*/

#define XDHS(_)                                                         \
  _(X25519, x25519)                                                     \
  _(X448, x448)

#define DEFXDH(X, x)                                                    \
  static PyObject *meth_##x(PyObject *me, PyObject *arg)                \
  {                                                                     \
    struct bin k, p;                                                    \
    PyObject *rc = 0;                                                   \
    if (!PyArg_ParseTuple(arg, "O&O&:" #x, convbin, &k, convbin, &p))   \
      goto end;                                                         \
    if (k.sz != X##_KEYSZ) VALERR("bad key length");                    \
    if (p.sz != X##_PUBSZ) VALERR("bad public length");                 \
    rc = bytestring_pywrap(0, X##_OUTSZ);                               \
    x((octet *)PyString_AS_STRING(rc), k.p, p.p);                       \
    return (rc);                                                        \
  end:                                                                  \
    return (0);                                                         \
  }
XDHS(DEFXDH)
#undef DEFXDH

/*----- Ed25519 and related algorithms ------------------------------------*/

#define EDDSAS(_)                                                       \
  _(ED25519, ed25519, -1, ctx)                                          \
  _(ED448, ed448, 0, )

#define DEFEDDSA(ED, ed, phdflt, sigver)                                \
                                                                        \
  static PyObject *meth_##ed##_pubkey(PyObject *me, PyObject *arg)      \
  {                                                                     \
   struct bin k;                                                        \
    PyObject *rc = 0;                                                   \
    if (!PyArg_ParseTuple(arg, "O&:" #ed "_pubkey", convbin, &k))       \
      goto end;                                                         \
    rc = bytestring_pywrap(0, ED##_PUBSZ);                              \
    ed##_pubkey((octet *)PyString_AS_STRING(rc), k.p, k.sz);            \
    return (rc);                                                        \
  end:                                                                  \
    return (0);                                                         \
  }                                                                     \
                                                                        \
  static PyObject *meth_##ed##_sign(PyObject *me, PyObject *arg,        \
                                    PyObject *kw)                       \
  {                                                                     \
    struct bin k, p = { 0, 0}, c = { 0, 0 }, m;                         \
    int ph = phdflt;                                                    \
    PyObject *rc = 0;                                                   \
    octet pp[ED##_PUBSZ];                                               \
    static const char *const kwlist[] =                                 \
      { "key", "msg", "pub", "perso", "phflag", 0 };                    \
    if (!PyArg_ParseTupleAndKeywords(arg, kw,                           \
                                     "O&O&|O&O&O&:" #ed "_sign",        \
                                     KWLIST,                            \
                                     convbin, &k, convbin, &m,          \
                                     convbin, &p, convbin, &c,          \
                                     convbool, &ph))                    \
      goto end;                                                         \
    if (p.p && p.sz != ED##_PUBSZ) VALERR("bad public length");         \
    if (c.p && c.sz > ED##_MAXPERSOSZ)                                  \
      VALERR("personalization string too long");                        \
    if (c.p && ph == -1) ph = 0;                                        \
    if (!p.p) { p.p = pp; ed##_pubkey(pp, k.p, k.sz); }                 \
    rc = bytestring_pywrap(0, ED##_SIGSZ);                              \
    ed##sigver##_sign((octet *)PyString_AS_STRING(rc), k.p, k.sz,       \
                      p.p, ph, c.p, c.sz, m.p, m.sz);                   \
    return (rc);                                                        \
  end:                                                                  \
    return (0);                                                         \
  }                                                                     \
                                                                        \
  static PyObject *meth_##ed##_verify(PyObject *me,                     \
                                      PyObject *arg, PyObject *kw)      \
  {                                                                     \
    struct bin p, c = { 0, 0 }, m, s;                                   \
    int ph = phdflt;                                                    \
    PyObject *rc = 0;                                                   \
    static const char *const kwlist[] =                                 \
      { "pub", "msg", "sig", "perso", "phflag", 0 };                    \
    if (!PyArg_ParseTupleAndKeywords(arg, kw,                           \
                                     "O&O&O&|O&O&:" #ed "_verify",      \
                                     KWLIST,                            \
                                     convbin, &p, convbin, &m,          \
                                     convbin, &s,                       \
                                     convbin, &c, convbool, &ph))       \
      goto end;                                                         \
    if (p.sz != ED##_PUBSZ) VALERR("bad public length");                \
    if (s.sz != ED##_SIGSZ) VALERR("bad signature length");             \
    if (c.p && c.sz > ED##_MAXPERSOSZ)                                  \
      VALERR("personalization string too long");                        \
    if (c.p && ph == -1) ph = 0;                                        \
    rc = getbool(!ed##sigver##_verify(p.p, ph, c.p, c.sz,               \
                                      m.p, m.sz, s.p));                 \
    return (rc);                                                        \
  end:                                                                  \
    return (0);                                                         \
  }
EDDSAS(DEFEDDSA)
#undef DEFEDDSA

/*----- Global stuff ------------------------------------------------------*/

static const struct nameval consts[] = {
  CONST(X25519_KEYSZ), CONST(X25519_PUBSZ), CONST(X25519_OUTSZ),
  CONST(X448_KEYSZ), CONST(X448_PUBSZ), CONST(X448_OUTSZ),
  CONST(ED25519_KEYSZ), CONST(ED25519_PUBSZ), CONST(ED25519_SIGSZ),
    CONST(ED25519_MAXPERSOSZ),
  CONST(ED448_KEYSZ), CONST(ED448_PUBSZ), CONST(ED448_SIGSZ),
    CONST(ED448_MAXPERSOSZ),
  { 0 }
};

static const PyMethodDef methods[] = {
#define METHNAME(name) meth_##name
  KWMETH(_p1crypt_encode, 0)
  KWMETH(_p1crypt_decode, 0)
  KWMETH(_p1sig_encode, 0)
  KWMETH(_p1sig_decode, 0)
  KWMETH(_oaep_encode,  0)
  KWMETH(_oaep_decode,  0)
  KWMETH(_pss_encode,   0)
  KWMETH(_pss_decode,   0)
#define DEFMETH(X, x)                                                   \
  METH  (x,             "" #x "(KEY, PUBLIC) -> SHARED")
  XDHS(DEFMETH)
#undef DEFMETH
#define DEFMETH(ED, ed, phdflt, sigver)                                 \
  METH  (ed##_pubkey,   "" #ed "_pubkey(KEY) -> PUBLIC")                \
  KWMETH(ed##_sign,     "" #ed "_sign(KEY, MSG, [pub = PUBLIC], "       \
                           "[perso = STRING], [phflag = BOOL]) -> SIG") \
  KWMETH(ed##_verify,   "" #ed "_verify(PUBLIC, MSG, SIG, "             \
                          "[perso = STRING], [phflag = BOOL]) -> BOOL")
  EDDSAS(DEFMETH)
#undef DEFMETH
#undef METHNAME
  { 0 }
};

void pubkey_pyinit(void)
{
  INITTYPE(dsapub, root);
  INITTYPE(dsapriv, dsapub);
  INITTYPE(kcdsapub, root);
  INITTYPE(kcdsapriv, kcdsapub);
  INITTYPE(rsapub, root);
  INITTYPE(rsapriv, rsapub);
  addmethods(methods);
}

void pubkey_pyinsert(PyObject *mod)
{
  INSERT("DSAPub", dsapub_pytype);
  INSERT("DSAPriv", dsapriv_pytype);
  INSERT("KCDSAPub", kcdsapub_pytype);
  INSERT("KCDSAPriv", kcdsapriv_pytype);
  INSERT("RSAPub", rsapub_pytype);
  INSERT("RSAPriv", rsapriv_pytype);
  setconstants(mod, consts);
}

/*----- That's all, folks -------------------------------------------------*/