[catacomb-python] / catacomb / __init__.py

### -*-python-*-
###
### Setup for Catacomb/Python bindings
###
### (c) 2004 Straylight/Edgeware
###

###----- Licensing notice ---------------------------------------------------
###
### This file is part of the Python interface to Catacomb.
###
### Catacomb/Python is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### Catacomb/Python is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with Catacomb/Python; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

from __future__ import with_statement

from binascii import hexlify as _hexify, unhexlify as _unhexify
from contextlib import contextmanager as _ctxmgr
try: import DLFCN as _dlfcn
except ImportError: _dlfcn = None
import os as _os
from struct import pack as _pack
import sys as _sys
import types as _types

###--------------------------------------------------------------------------
### Import the main C extension module.

try:
  _dlflags = _odlflags = _sys.getdlopenflags()
except AttributeError:
  _dlflags = _odlflags = -1

## Set the `deep binding' flag.  Python has its own different MD5
## implementation, and some distributions export `md5_init' and friends so
## they override our versions, which doesn't end well.  Figure out how to
## turn this flag on so we don't have the problem.
if _dlflags >= 0:
  try: _dlflags |= _dlfcn.RTLD_DEEPBIND
  except AttributeError:
    try: _dlflags |= _os.RTLD_DEEPBIND
    except AttributeError:
      if _os.uname()[0] == 'Linux': _dlflags |= 8 # magic knowledge
      else: pass # can't do this.
  _sys.setdlopenflags(_dlflags)

import _base

if _odlflags >= 0:
  _sys.setdlopenflags(_odlflags)

del _dlflags, _odlflags

###--------------------------------------------------------------------------
### Basic stuff.

## For the benefit of the default keyreporter, we need the program name.
_base._ego(_sys.argv[0])

## Register our module.
_base._set_home_module(_sys.modules[__name__])
def default_lostexchook(why, ty, val, tb):
  """`catacomb.lostexchook(WHY, TY, VAL, TB)' reports lost exceptions."""
  _sys.stderr.write("\n\n!!! LOST EXCEPTION: %s\n" % why)
  _sys.excepthook(ty, val, tb)
  _sys.stderr.write("\n")
lostexchook = default_lostexchook

## How to fix a name back into the right identifier.  Alas, the rules are not
## consistent.
def _fixname(name):

  ## Hyphens consistently become underscores.
  name = name.replace('-', '_')

  ## But slashes might become underscores or just vanish.
  if name.startswith('salsa20'): name = name.replace('/', '')
  else: name = name.replace('/', '_')

  ## Done.
  return name

## Initialize the module.  Drag in the static methods of the various
## classes; create names for the various known crypto algorithms.
def _init():
  d = globals()
  b = _base.__dict__;
  for i in b:
    if i[0] != '_':
      d[i] = b[i];
  for i in ['ByteString',
            'MP', 'GF', 'Field',
            'ECPt', 'ECPtCurve', 'ECCurve', 'ECInfo',
            'DHInfo', 'BinDHInfo', 'RSAPriv', 'BBSPriv',
            'PrimeFilter', 'RabinMiller',
            'Group', 'GE',
            'KeySZ', 'KeyData']:
    c = d[i]
    pre = '_' + i + '_'
    plen = len(pre)
    for j in b:
      if j[:plen] == pre:
        setattr(c, j[plen:], classmethod(b[j]))
  for i in [gcciphers, gchashes, gcmacs, gcprps]:
    for c in i.itervalues():
      d[_fixname(c.name)] = c
  for c in gccrands.itervalues():
    d[_fixname(c.name + 'rand')] = c
_init()

## A handy function for our work: add the methods of a named class to an
## existing class.  This is how we write the Python-implemented parts of our
## mostly-C types.
def _augment(c, cc):
  for i in cc.__dict__:
    a = cc.__dict__[i]
    if type(a) is _types.MethodType:
      a = a.im_func
    elif type(a) not in (_types.FunctionType, staticmethod, classmethod):
      continue
    setattr(c, i, a)

## Parsing functions tend to return the object parsed and the remainder of
## the input.  This checks that the remainder is input and, if so, returns
## just the object.
def _checkend(r):
  x, rest = r
  if rest != '':
    raise SyntaxError, 'junk at end of string'
  return x

## Some pretty-printing utilities.
PRINT_SECRETS = False
def _clsname(me): return type(me).__name__
def _repr_secret(thing, secretp = True):
  if not secretp or PRINT_SECRETS: return repr(thing)
  else: return '#<SECRET>'
def _pp_str(me, pp, cyclep): pp.text(cyclep and '...' or str(me))
def _pp_secret(pp, thing, secretp = True):
  if not secretp or PRINT_SECRETS: pp.pretty(thing)
  else: pp.text('#<SECRET>')
def _pp_bgroup(pp, text):
  ind = len(text)
  pp.begin_group(ind, text)
  return ind
def _pp_bgroup_tyname(pp, obj, open = '('):
  return _pp_bgroup(pp, _clsname(obj) + open)
def _pp_kv(pp, k, v, secretp = False):
  ind = _pp_bgroup(pp, k + ' = ')
  _pp_secret(pp, v, secretp)
  pp.end_group(ind, '')
def _pp_commas(pp, printfn, items):
  firstp = True
  for i in items:
    if firstp: firstp = False
    else: pp.text(','); pp.breakable()
    printfn(i)
def _pp_dict(pp, items):
  def p((k, v)):
    pp.begin_group(0)
    pp.pretty(k)
    pp.text(':')
    pp.begin_group(2)
    pp.breakable()
    pp.pretty(v)
    pp.end_group(2)
    pp.end_group(0)
  _pp_commas(pp, p, items)

###--------------------------------------------------------------------------
### Bytestrings.

class _tmp:
  def fromhex(x):
    return ByteString(_unhexify(x))
  fromhex = staticmethod(fromhex)
  def __hex__(me):
    return _hexify(me)
  def __repr__(me):
    return 'bytes(%r)' % hex(me)
_augment(ByteString, _tmp)
ByteString.__hash__ = str.__hash__
bytes = ByteString.fromhex

###--------------------------------------------------------------------------
### Hashing.

class _tmp:
  def check(me, h):
    hh = me.done()
    return ctstreq(h, hh)
_augment(GHash, _tmp)
_augment(Poly1305Hash, _tmp)

class _HashBase (object):
  ## The standard hash methods.  Assume that `hash' is defined and returns
  ## the receiver.
  def hashu8(me, n): return me.hash(_pack('B', n))
  def hashu16l(me, n): return me.hash(_pack('<H', n))
  def hashu16b(me, n): return me.hash(_pack('>H', n))
  hashu16 = hashu16b
  def hashu32l(me, n): return me.hash(_pack('<L', n))
  def hashu32b(me, n): return me.hash(_pack('>L', n))
  hashu32 = hashu32b
  def hashu64l(me, n): return me.hash(_pack('<Q', n))
  def hashu64b(me, n): return me.hash(_pack('>Q', n))
  hashu64 = hashu64b
  def hashbuf8(me, s): return me.hashu8(len(s)).hash(s)
  def hashbuf16l(me, s): return me.hashu16l(len(s)).hash(s)
  def hashbuf16b(me, s): return me.hashu16b(len(s)).hash(s)
  hashbuf16 = hashbuf16b
  def hashbuf32l(me, s): return me.hashu32l(len(s)).hash(s)
  def hashbuf32b(me, s): return me.hashu32b(len(s)).hash(s)
  hashbuf32 = hashbuf32b
  def hashbuf64l(me, s): return me.hashu64l(len(s)).hash(s)
  def hashbuf64b(me, s): return me.hashu64b(len(s)).hash(s)
  hashbuf64 = hashbuf64b
  def hashstrz(me, s): return me.hash(s).hashu8(0)

class _ShakeBase (_HashBase):

  ## Python gets really confused if I try to augment `__new__' on native
  ## classes, so wrap and delegate.  Sorry.
  def __init__(me, perso = '', *args, **kw):
    super(_ShakeBase, me).__init__(*args, **kw)
    me._h = me._SHAKE(perso = perso, func = me._FUNC)

  ## Delegate methods...
  def copy(me): new = me.__class__(); new._copy(me)
  def _copy(me, other): me._h = other._h.copy()
  def hash(me, m): me._h.hash(m); return me
  def xof(me): me._h.xof(); return me
  def get(me, n): return me._h.get(n)
  def mask(me, m): return me._h.mask(m)
  def done(me, n): return me._h.done(n)
  def check(me, h): return ctstreq(h, me.done(len(h)))
  @property
  def state(me): return me._h.state
  @property
  def buffered(me): return me._h.buffered
  @property
  def rate(me): return me._h.rate

class _tmp:
  def check(me, h):
    return ctstreq(h, me.done(len(h)))
  def leftenc(me, n):
    nn = MP(n).storeb()
    return me.hashu8(len(nn)).hash(nn)
  def rightenc(me, n):
    nn = MP(n).storeb()
    return me.hash(nn).hashu8(len(nn))
  def stringenc(me, str):
    return me.leftenc(8*len(str)).hash(str)
  def bytepad_before(me):
    return me.leftenc(me.rate)
  def bytepad_after(me):
    if me.buffered: me.hash(me._Z[:me.rate - me.buffered])
    return me
  @_ctxmgr
  def bytepad(me):
    me.bytepad_before()
    yield me
    me.bytepad_after()
_augment(Shake, _tmp)
_augment(_ShakeBase, _tmp)
Shake._Z = _ShakeBase._Z = ByteString(200*'\0')

class KMAC (_ShakeBase):
  _FUNC = 'KMAC'
  def __init__(me, k, *arg, **kw):
    super(KMAC, me).__init__(*arg, **kw)
    with me.bytepad(): me.stringenc(k)
  def done(me, n = -1):
    if n < 0: n = me._TAGSZ
    me.rightenc(8*n)
    return super(KMAC, me).done(n)
  def xof(me):
    me.rightenc(0)
    return super(KMAC, me).xof()

class KMAC128 (KMAC): _SHAKE = Shake128; _TAGSZ = 16
class KMAC256 (KMAC): _SHAKE = Shake256; _TAGSZ = 32

###--------------------------------------------------------------------------
### NaCl `secretbox'.

def secret_box(k, n, m):
  E = xsalsa20(k).setiv(n)
  r = E.enczero(poly1305.keysz.default)
  s = E.enczero(poly1305.masksz)
  y = E.encrypt(m)
  t = poly1305(r)(s).hash(y).done()
  return ByteString(t + y)

def secret_unbox(k, n, c):
  E = xsalsa20(k).setiv(n)
  r = E.enczero(poly1305.keysz.default)
  s = E.enczero(poly1305.masksz)
  y = c[poly1305.tagsz:]
  if not poly1305(r)(s).hash(y).check(c[0:poly1305.tagsz]):
    raise ValueError, 'decryption failed'
  return E.decrypt(c[poly1305.tagsz:])

###--------------------------------------------------------------------------
### Multiprecision integers and binary polynomials.

def _split_rat(x):
  if isinstance(x, BaseRat): return x._n, x._d
  else: return x, 1
class BaseRat (object):
  """Base class implementing fields of fractions over Euclidean domains."""
  def __new__(cls, a, b):
    a, b = cls.RING(a), cls.RING(b)
    q, r = divmod(a, b)
    if r == 0: return q
    g = b.gcd(r)
    me = super(BaseRat, cls).__new__(cls)
    me._n = a//g
    me._d = b//g
    return me
  @property
  def numer(me): return me._n
  @property
  def denom(me): return me._d
  def __str__(me): return '%s/%s' % (me._n, me._d)
  def __repr__(me): return '%s(%s, %s)' % (_clsname(me), me._n, me._d)
  _repr_pretty_ = _pp_str

  def __add__(me, you):
    n, d = _split_rat(you)
    return type(me)(me._n*d + n*me._d, d*me._d)
  __radd__ = __add__
  def __sub__(me, you):
    n, d = _split_rat(you)
    return type(me)(me._n*d - n*me._d, d*me._d)
  def __rsub__(me, you):
    n, d = _split_rat(you)
    return type(me)(n*me._d - me._n*d, d*me._d)
  def __mul__(me, you):
    n, d = _split_rat(you)
    return type(me)(me._n*n, me._d*d)
  __rmul__ = __mul__
  def __truediv__(me, you):
    n, d = _split_rat(you)
    return type(me)(me._n*d, me._d*n)
  def __rtruediv__(me, you):
    n, d = _split_rat(you)
    return type(me)(me._d*n, me._n*d)
  __div__ = __truediv__
  __rdiv__ = __rtruediv__
  def __cmp__(me, you):
    n, d = _split_rat(you)
    return cmp(me._n*d, n*me._d)
  def __rcmp__(me, you):
    n, d = _split_rat(you)
    return cmp(n*me._d, me._n*d)

class IntRat (BaseRat):
  RING = MP

class GFRat (BaseRat):
  RING = GF

class _tmp:
  def negp(x): return x < 0
  def posp(x): return x > 0
  def zerop(x): return x == 0
  def oddp(x): return x.testbit(0)
  def evenp(x): return not x.testbit(0)
  def mont(x): return MPMont(x)
  def barrett(x): return MPBarrett(x)
  def reduce(x): return MPReduce(x)
  def __truediv__(me, you): return IntRat(me, you)
  def __rtruediv__(me, you): return IntRat(you, me)
  __div__ = __truediv__
  __rdiv__ = __rtruediv__
  _repr_pretty_ = _pp_str
_augment(MP, _tmp)

class _tmp:
  def zerop(x): return x == 0
  def reduce(x): return GFReduce(x)
  def trace(x, y): return x.reduce().trace(y)
  def halftrace(x, y): return x.reduce().halftrace(y)
  def modsqrt(x, y): return x.reduce().sqrt(y)
  def quadsolve(x, y): return x.reduce().quadsolve(y)
  def __truediv__(me, you): return GFRat(me, you)
  def __rtruediv__(me, you): return GFRat(you, me)
  __div__ = __truediv__
  __rdiv__ = __rtruediv__
  _repr_pretty_ = _pp_str
_augment(GF, _tmp)

class _tmp:
  def product(*arg):
    'product(ITERABLE) or product(I, ...) -> PRODUCT'
    return MPMul(*arg).done()
  product = staticmethod(product)
_augment(MPMul, _tmp)

###--------------------------------------------------------------------------
### Abstract fields.

class _tmp:
  def fromstring(str): return _checkend(Field.parse(str))
  fromstring = staticmethod(fromstring)
_augment(Field, _tmp)

class _tmp:
  def __repr__(me): return '%s(%sL)' % (_clsname(me), me.p)
  def __hash__(me): return 0x114401de ^ hash(me.p)
  def _repr_pretty_(me, pp, cyclep):
    ind = _pp_bgroup_tyname(pp, me)
    if cyclep: pp.text('...')
    else: pp.pretty(me.p)
    pp.end_group(ind, ')')
  def ec(me, a, b): return ECPrimeProjCurve(me, a, b)
_augment(PrimeField, _tmp)

class _tmp:
  def __repr__(me): return '%s(%#xL)' % (_clsname(me), me.p)
  def ec(me, a, b): return ECBinProjCurve(me, a, b)
  def _repr_pretty_(me, pp, cyclep):
    ind = _pp_bgroup_tyname(pp, me)
    if cyclep: pp.text('...')
    else: pp.text('%#x' % me.p)
    pp.end_group(ind, ')')
_augment(BinField, _tmp)

class _tmp:
  def __hash__(me): return 0x23e4701c ^ hash(me.p)
_augment(BinPolyField, _tmp)

class _tmp:
  def __hash__(me):
    h = 0x9a7d6240
    h ^=   hash(me.p)
    h ^= 2*hash(me.beta) & 0xffffffff
    return h
_augment(BinNormField, _tmp)

class _tmp:
  def __str__(me): return str(me.value)
  def __repr__(me): return '%s(%s)' % (repr(me.field), repr(me.value))
  _repr_pretty_ = _pp_str
_augment(FE, _tmp)

###--------------------------------------------------------------------------
### Elliptic curves.

class _tmp:
  def __repr__(me):
    return '%s(%r, %s, %s)' % (_clsname(me), me.field, me.a, me.b)
  def _repr_pretty_(me, pp, cyclep):
    ind = _pp_bgroup_tyname(pp, me)
    if cyclep:
      pp.text('...')
    else:
      pp.pretty(me.field); pp.text(','); pp.breakable()
      pp.pretty(me.a); pp.text(','); pp.breakable()
      pp.pretty(me.b)
    pp.end_group(ind, ')')
  def frombuf(me, s):
    return ecpt.frombuf(me, s)
  def fromraw(me, s):
    return ecpt.fromraw(me, s)
  def pt(me, *args):
    return me(*args)
_augment(ECCurve, _tmp)

class _tmp:
  def __hash__(me):
    h = 0x6751d341
    h ^=   hash(me.field)
    h ^= 2*hash(me.a) ^ 0xffffffff
    h ^= 5*hash(me.b) ^ 0xffffffff
    return h
_augment(ECPrimeCurve, _tmp)

class _tmp:
  def __hash__(me):
    h = 0x2ac203c5
    h ^=   hash(me.field)
    h ^= 2*hash(me.a) ^ 0xffffffff
    h ^= 5*hash(me.b) ^ 0xffffffff
    return h
_augment(ECBinCurve, _tmp)

class _tmp:
  def __repr__(me):
    if not me: return '%s()' % _clsname(me)
    return '%s(%s, %s)' % (_clsname(me), me.ix, me.iy)
  def __str__(me):
    if not me: return 'inf'
    return '(%s, %s)' % (me.ix, me.iy)
  def _repr_pretty_(me, pp, cyclep):
    if cyclep:
      pp.text('...')
    elif not me:
      pp.text('inf')
    else:
      ind = _pp_bgroup(pp, '(')
      pp.pretty(me.ix); pp.text(','); pp.breakable()
      pp.pretty(me.iy)
      pp.end_group(ind, ')')
_augment(ECPt, _tmp)

class _tmp:
  def __repr__(me):
    return '%s(curve = %r, G = %r, r = %s, h = %s)' % \
           (_clsname(me), me.curve, me.G, me.r, me.h)
  def _repr_pretty_(me, pp, cyclep):
    ind = _pp_bgroup_tyname(pp, me)
    if cyclep:
      pp.text('...')
    else:
      _pp_kv(pp, 'curve', me.curve); pp.text(','); pp.breakable()
      _pp_kv(pp, 'G', me.G); pp.text(','); pp.breakable()
      _pp_kv(pp, 'r', me.r); pp.text(','); pp.breakable()
      _pp_kv(pp, 'h', me.h)
    pp.end_group(ind, ')')
  def __hash__(me):
    h = 0x9bedb8de
    h ^=   hash(me.curve)
    h ^= 2*hash(me.G) & 0xffffffff
    return h
  def group(me):
    return ECGroup(me)
_augment(ECInfo, _tmp)

class _tmp:
  def __repr__(me):
    if not me: return '%r()' % (me.curve)
    return '%r(%s, %s)' % (me.curve, me.x, me.y)
  def __str__(me):
    if not me: return 'inf'
    return '(%s, %s)' % (me.x, me.y)
  def _repr_pretty_(me, pp, cyclep):
    if cyclep:
      pp.text('...')
    elif not me:
      pp.text('inf')
    else:
      ind = _pp_bgroup(pp, '(')
      pp.pretty(me.x); pp.text(','); pp.breakable()
      pp.pretty(me.y)
      pp.end_group(ind, ')')
_augment(ECPtCurve, _tmp)

###--------------------------------------------------------------------------
### Key sizes.

class _tmp:
  def __repr__(me): return '%s(%d)' % (_clsname(me), me.default)
  def check(me, sz): return True
  def best(me, sz): return sz
_augment(KeySZAny, _tmp)

class _tmp:
  def __repr__(me):
    return '%s(%d, %d, %d, %d)' % \
           (_clsname(me), me.default, me.min, me.max, me.mod)
  def _repr_pretty_(me, pp, cyclep):
    ind = _pp_bgroup_tyname(pp, me)
    if cyclep:
      pp.text('...')
    else:
      pp.pretty(me.default); pp.text(','); pp.breakable()
      pp.pretty(me.min); pp.text(','); pp.breakable()
      pp.pretty(me.max); pp.text(','); pp.breakable()
      pp.pretty(me.mod)
    pp.end_group(ind, ')')
  def check(me, sz): return me.min <= sz <= me.max and sz % me.mod == 0
  def best(me, sz):
    if sz < me.min: raise ValueError, 'key too small'
    elif sz > me.max: return me.max
    else: return sz - (sz % me.mod)
_augment(KeySZRange, _tmp)

class _tmp:
  def __repr__(me): return '%s(%d, %s)' % (_clsname(me), me.default, me.set)
  def _repr_pretty_(me, pp, cyclep):
    ind = _pp_bgroup_tyname(pp, me)
    if cyclep:
      pp.text('...')
    else:
      pp.pretty(me.default); pp.text(','); pp.breakable()
      ind1 = _pp_bgroup(pp, '{')
      _pp_commas(pp, pp.pretty, me.set)
      pp.end_group(ind1, '}')
    pp.end_group(ind, ')')
  def check(me, sz): return sz in me.set
  def best(me, sz):
    found = -1
    for i in me.set:
      if found < i <= sz: found = i
    if found < 0: raise ValueError, 'key too small'
    return found
_augment(KeySZSet, _tmp)

###--------------------------------------------------------------------------
### Key data objects.

class _tmp:
  def __repr__(me): return '%s(%r)' % (_clsname(me), me.name)
_augment(KeyFile, _tmp)

class _tmp:
  def __repr__(me): return '%s(%r)' % (_clsname(me), me.fulltag)
_augment(Key, _tmp)

class _tmp:
  def __repr__(me):
    return '%s({%s})' % (_clsname(me),
                         ', '.join(['%r: %r' % kv for kv in me.iteritems()]))
  def _repr_pretty_(me, pp, cyclep):
    ind = _pp_bgroup_tyname(pp, me)
    if cyclep: pp.text('...')
    else: _pp_dict(pp, me.iteritems())
    pp.end_group(ind, ')')
_augment(KeyAttributes, _tmp)

class _tmp:
  def __repr__(me):
    return '%s(%s, %r)' % (_clsname(me),
                           _repr_secret(me._guts(),
                                        not (me.flags & KF_NONSECRET)),
                           me.writeflags(me.flags))
  def _repr_pretty_(me, pp, cyclep):
    ind = _pp_bgroup_tyname(pp, me)
    if cyclep:
      pp.text('...')
    else:
      _pp_secret(pp, me._guts(), not (me.flags & KF_NONSECRET))
      pp.text(','); pp.breakable()
      pp.pretty(me.writeflags(me.flags))
    pp.end_group(ind, ')')
_augment(KeyData, _tmp)

class _tmp:
  def _guts(me): return me.bin
_augment(KeyDataBinary, _tmp)

class _tmp:
  def _guts(me): return me.ct
_augment(KeyDataEncrypted, _tmp)

class _tmp:
  def _guts(me): return me.mp
_augment(KeyDataMP, _tmp)

class _tmp:
  def _guts(me): return me.str
_augment(KeyDataString, _tmp)

class _tmp:
  def _guts(me): return me.ecpt
_augment(KeyDataECPt, _tmp)

class _tmp:
  def __repr__(me):
    return '%s({%s})' % (_clsname(me),
                         ', '.join(['%r: %r' % kv for kv in me.iteritems()]))
  def _repr_pretty_(me, pp, cyclep):
    ind = _pp_bgroup_tyname(pp, me, '({ ')
    if cyclep: pp.text('...')
    else: _pp_dict(pp, me.iteritems())
    pp.end_group(ind, ' })')
_augment(KeyDataStructured, _tmp)

###--------------------------------------------------------------------------
### Abstract groups.

class _tmp:
  def __repr__(me):
    return '%s(p = %s, r = %s, g = %s)' % (_clsname(me), me.p, me.r, me.g)
  def _repr_pretty_(me, pp, cyclep):
    ind = _pp_bgroup_tyname(pp, me)
    if cyclep:
      pp.text('...')
    else:
      _pp_kv(pp, 'p', me.p); pp.text(','); pp.breakable()
      _pp_kv(pp, 'r', me.r); pp.text(','); pp.breakable()
      _pp_kv(pp, 'g', me.g)
    pp.end_group(ind, ')')
_augment(FGInfo, _tmp)

class _tmp:
  def group(me): return PrimeGroup(me)
_augment(DHInfo, _tmp)

class _tmp:
  def group(me): return BinGroup(me)
_augment(BinDHInfo, _tmp)

class _tmp:
  def __repr__(me):
    return '%s(%r)' % (_clsname(me), me.info)
  def _repr_pretty_(me, pp, cyclep):
    ind = _pp_bgroup_tyname(pp, me)
    if cyclep: pp.text('...')
    else: pp.pretty(me.info)
    pp.end_group(ind, ')')
_augment(Group, _tmp)

class _tmp:
  def __hash__(me):
    info = me.info
    h = 0xbce3cfe6
    h ^=   hash(info.p)
    h ^= 2*hash(info.r) & 0xffffffff
    h ^= 5*hash(info.g) & 0xffffffff
    return h
  def _get_geval(me, x): return MP(x)
_augment(PrimeGroup, _tmp)

class _tmp:
  def __hash__(me):
    info = me.info
    h = 0x80695949
    h ^=   hash(info.p)
    h ^= 2*hash(info.r) & 0xffffffff
    h ^= 5*hash(info.g) & 0xffffffff
    return h
  def _get_geval(me, x): return GF(x)
_augment(BinGroup, _tmp)

class _tmp:
  def __hash__(me): return 0x0ec23dab ^ hash(me.info)
  def _get_geval(me, x): return x.toec()
_augment(ECGroup, _tmp)

class _tmp:
  def __repr__(me):
    return '%r(%r)' % (me.group, str(me))
  def _repr_pretty_(me, pp, cyclep):
    pp.pretty(type(me)._get_geval(me))
_augment(GE, _tmp)

###--------------------------------------------------------------------------
### RSA encoding techniques.

class PKCS1Crypt (object):
  def __init__(me, ep = '', rng = rand):
    me.ep = ep
    me.rng = rng
  def encode(me, msg, nbits):
    return _base._p1crypt_encode(msg, nbits, me.ep, me.rng)
  def decode(me, ct, nbits):
    return _base._p1crypt_decode(ct, nbits, me.ep, me.rng)

class PKCS1Sig (object):
  def __init__(me, ep = '', rng = rand):
    me.ep = ep
    me.rng = rng
  def encode(me, msg, nbits):
    return _base._p1sig_encode(msg, nbits, me.ep, me.rng)
  def decode(me, msg, sig, nbits):
    return _base._p1sig_decode(msg, sig, nbits, me.ep, me.rng)

class OAEP (object):
  def __init__(me, mgf = sha_mgf, hash = sha, ep = '', rng = rand):
    me.mgf = mgf
    me.hash = hash
    me.ep = ep
    me.rng = rng
  def encode(me, msg, nbits):
    return _base._oaep_encode(msg, nbits, me.mgf, me.hash, me.ep, me.rng)
  def decode(me, ct, nbits):
    return _base._oaep_decode(ct, nbits, me.mgf, me.hash, me.ep, me.rng)

class PSS (object):
  def __init__(me, mgf = sha_mgf, hash = sha, saltsz = None, rng = rand):
    me.mgf = mgf
    me.hash = hash
    if saltsz is None:
      saltsz = hash.hashsz
    me.saltsz = saltsz
    me.rng = rng
  def encode(me, msg, nbits):
    return _base._pss_encode(msg, nbits, me.mgf, me.hash, me.saltsz, me.rng)
  def decode(me, msg, sig, nbits):
    return _base._pss_decode(msg, sig, nbits,
                             me.mgf, me.hash, me.saltsz, me.rng)

class _tmp:
  def encrypt(me, msg, enc):
    return me.pubop(enc.encode(msg, me.n.nbits))
  def verify(me, msg, sig, enc):
    if msg is None: return enc.decode(msg, me.pubop(sig), me.n.nbits)
    try:
      x = enc.decode(msg, me.pubop(sig), me.n.nbits)
      return x is None or x == msg
    except ValueError:
      return False
  def __repr__(me):
    return '%s(n = %r, e = %r)' % (_clsname(me), me.n, me.e)
  def _repr_pretty_(me, pp, cyclep):
    ind = _pp_bgroup_tyname(pp, me)
    if cyclep:
      pp.text('...')
    else:
      _pp_kv(pp, 'n', me.n); pp.text(','); pp.breakable()
      _pp_kv(pp, 'e', me.e)
    pp.end_group(ind, ')')
_augment(RSAPub, _tmp)

class _tmp:
  def decrypt(me, ct, enc): return enc.decode(me.privop(ct), me.n.nbits)
  def sign(me, msg, enc): return me.privop(enc.encode(msg, me.n.nbits))
  def __repr__(me):
    return '%s(n = %r, e = %r, d = %s, ' \
      'p = %s, q = %s, dp = %s, dq = %s, q_inv = %s)' % \
      (_clsname(me), me.n, me.e,
       _repr_secret(me.d), _repr_secret(me.p), _repr_secret(me.q),
       _repr_secret(me.dp), _repr_secret(me.dq), _repr_secret(me.q_inv))
  def _repr_pretty_(me, pp, cyclep):
    ind = _pp_bgroup_tyname(pp, me)
    if cyclep:
      pp.text('...')
    else:
      _pp_kv(pp, 'n', me.n); pp.text(','); pp.breakable()
      _pp_kv(pp, 'e', me.e); pp.text(','); pp.breakable()
      _pp_kv(pp, 'd', me.d, secretp = True); pp.text(','); pp.breakable()
      _pp_kv(pp, 'p', me.p, secretp = True); pp.text(','); pp.breakable()
      _pp_kv(pp, 'q', me.q, secretp = True); pp.text(','); pp.breakable()
      _pp_kv(pp, 'dp', me.dp, secretp = True); pp.text(','); pp.breakable()
      _pp_kv(pp, 'dq', me.dq, secretp = True); pp.text(','); pp.breakable()
      _pp_kv(pp, 'q_inv', me.q_inv, secretp = True)
    pp.end_group(ind, ')')
_augment(RSAPriv, _tmp)

###--------------------------------------------------------------------------
### DSA and related schemes.

class _tmp:
  def __repr__(me): return '%s(G = %r, p = %r)' % (_clsname(me), me.G, me.p)
  def _repr_pretty_(me, pp, cyclep):
    ind = _pp_bgroup_tyname(pp, me)
    if cyclep:
      pp.text('...')
    else:
      _pp_kv(pp, 'G', me.G); pp.text(','); pp.breakable()
      _pp_kv(pp, 'p', me.p)
    pp.end_group(ind, ')')
_augment(DSAPub, _tmp)
_augment(KCDSAPub, _tmp)

class _tmp:
  def __repr__(me): return '%s(G = %r, u = %s, p = %r)' % \
      (_clsname(me), me.G, _repr_secret(me.u), me.p)
  def _repr_pretty_(me, pp, cyclep):
    ind = _pp_bgroup_tyname(pp, me)
    if cyclep:
      pp.text('...')
    else:
      _pp_kv(pp, 'G', me.G); pp.text(','); pp.breakable()
      _pp_kv(pp, 'u', me.u, True); pp.text(','); pp.breakable()
      _pp_kv(pp, 'p', me.p)
    pp.end_group(ind, ')')
_augment(DSAPriv, _tmp)
_augment(KCDSAPriv, _tmp)

###--------------------------------------------------------------------------
### Bernstein's elliptic curve crypto and related schemes.

X25519_BASE = MP(9).storel(32)
X448_BASE = MP(5).storel(56)

Z128 = ByteString.zero(16)

class _BasePub (object):
  def __init__(me, pub, *args, **kw):
    if not me._PUBSZ.check(len(pub)): raise ValueError, 'bad public key'
    super(_BasePub, me).__init__(*args, **kw)
    me.pub = pub
  def __repr__(me): return '%s(pub = %r)' % (_clsname(me), me.pub)
  def _pp(me, pp): _pp_kv(pp, 'pub', me.pub)
  def _repr_pretty_(me, pp, cyclep):
    ind = _pp_bgroup_tyname(pp, me)
    if cyclep: pp.text('...')
    else: me._pp(pp)
    pp.end_group(ind, ')')

class _BasePriv (object):
  def __init__(me, priv, pub = None, *args, **kw):
    if not me._KEYSZ.check(len(priv)): raise ValueError, 'bad private key'
    if pub is None: pub = me._pubkey(priv)
    super(_BasePriv, me).__init__(pub = pub, *args, **kw)
    me.priv = priv
  @classmethod
  def generate(cls, rng = rand):
    return cls(rng.block(cls._KEYSZ.default))
  def __repr__(me):
    return '%s(priv = %d, pub = %r)' % \
        (_clsname(me), _repr_secret(me.priv), me.pub)
  def _pp(me, pp):
    _pp_kv(pp, 'priv', me.priv, secretp = True); pp.text(','); pp.breakable()
    super(_BasePriv, me)._pp(pp)

class _XDHPub (_BasePub):  pass

class _XDHPriv (_BasePriv):
  def _pubkey(me, priv): return me._op(priv, me._BASE)
  def agree(me, you): return me._op(me.priv, you.pub)
  def boxkey(me, recip): return me._hashkey(me.agree(recip))
  def box(me, recip, n, m): return secret_box(me.boxkey(recip), n, m)
  def unbox(me, recip, n, c): return secret_unbox(me.boxkey(recip), n, c)

class X25519Pub (_XDHPub):
  _PUBSZ = KeySZSet(X25519_PUBSZ)
  _BASE = X25519_BASE

class X25519Priv (_XDHPriv, X25519Pub):
  _KEYSZ = KeySZSet(X25519_KEYSZ)
  def _op(me, k, X): return x25519(k, X)
  def _hashkey(me, z): return hsalsa20_prf(z, Z128)

class X448Pub (_XDHPub):
  _PUBSZ = KeySZSet(X448_PUBSZ)
  _BASE = X448_BASE

class X448Priv (_XDHPriv, X448Pub):
  _KEYSZ = KeySZSet(X448_KEYSZ)
  def _op(me, k, X): return x448(k, X)
  def _hashkey(me, z): return Shake256().hash(z).done(salsa20.keysz.default)

class _EdDSAPub (_BasePub):
  def beginhash(me): return me._HASH()
  def endhash(me, h): return h.done()

class _EdDSAPriv (_BasePriv, _EdDSAPub):
  pass

class Ed25519Pub (_EdDSAPub):
  _PUBSZ = KeySZSet(ED25519_PUBSZ)
  _HASH = sha512
  def verify(me, msg, sig, **kw):
    return ed25519_verify(me.pub, msg, sig, **kw)

class Ed25519Priv (_EdDSAPriv, Ed25519Pub):
  _KEYSZ = KeySZAny(ED25519_KEYSZ)
  def _pubkey(me, priv): return ed25519_pubkey(priv)
  def sign(me, msg, **kw):
    return ed25519_sign(me.priv, msg, pub = me.pub, **kw)

class Ed448Pub (_EdDSAPub):
  _PUBSZ = KeySZSet(ED448_PUBSZ)
  _HASH = shake256
  def verify(me, msg, sig, **kw):
    return ed448_verify(me.pub, msg, sig, **kw)

class Ed448Priv (_EdDSAPriv, Ed448Pub):
  _KEYSZ = KeySZAny(ED448_KEYSZ)
  def _pubkey(me, priv): return ed448_pubkey(priv)
  def sign(me, msg, **kw):
    return ed448_sign(me.priv, msg, pub = me.pub, **kw)

###--------------------------------------------------------------------------
### Built-in named curves and prime groups.

class _groupmap (object):
  def __init__(me, map, nth):
    me.map = map
    me.nth = nth
    me._n = max(map.values()) + 1
    me.i = me._n*[None]
  def __repr__(me):
    return '{%s}' % ', '.join(['%r: %r' % kv for kv in me.iteritems()])
  def _repr_pretty_(me, pp, cyclep):
    ind = _pp_bgroup(pp, '{ ')
    if cyclep: pp.text('...')
    else: _pp_dict(pp, me.iteritems())
    pp.end_group(ind, ' }')
  def __len__(me):
    return me._n
  def __contains__(me, k):
    return k in me.map
  def __getitem__(me, k):
    i = me.map[k]
    if me.i[i] is None:
      me.i[i] = me.nth(i)
    return me.i[i]
  def __setitem__(me, k, v):
    raise TypeError, "immutable object"
  def __iter__(me):
    return iter(me.map)
  def iterkeys(me):
    return iter(me.map)
  def itervalues(me):
    for k in me:
      yield me[k]
  def iteritems(me):
    for k in me:
      yield k, me[k]
  def keys(me):
    return [k for k in me]
  def values(me):
    return [me[k] for k in me]
  def items(me):
    return [(k, me[k]) for k in me]
eccurves = _groupmap(_base._eccurves, ECInfo._curven)
primegroups = _groupmap(_base._pgroups, DHInfo._groupn)
bingroups = _groupmap(_base._bingroups, BinDHInfo._groupn)

###--------------------------------------------------------------------------
### Prime number generation.

class PrimeGenEventHandler (object):
  def pg_begin(me, ev):
    return me.pg_try(ev)
  def pg_done(me, ev):
    return PGEN_DONE
  def pg_abort(me, ev):
    return PGEN_TRY
  def pg_fail(me, ev):
    return PGEN_TRY
  def pg_pass(me, ev):
    return PGEN_TRY

class SophieGermainStepJump (object):
  def pg_begin(me, ev):
    me.lf = PrimeFilter(ev.x)
    me.hf = me.lf.muladd(2, 1)
    return me.cont(ev)
  def pg_try(me, ev):
    me.step()
    return me.cont(ev)
  def cont(me, ev):
    while me.lf.status == PGEN_FAIL or me.hf.status == PGEN_FAIL:
      me.step()
    if me.lf.status == PGEN_ABORT or me.hf.status == PGEN_ABORT:
      return PGEN_ABORT
    ev.x = me.lf.x
    if me.lf.status == PGEN_DONE and me.hf.status == PGEN_DONE:
      return PGEN_DONE
    return PGEN_TRY
  def pg_done(me, ev):
    del me.lf
    del me.hf

class SophieGermainStepper (SophieGermainStepJump):
  def __init__(me, step):
    me.lstep = step;
    me.hstep = 2 * step
  def step(me):
    me.lf.step(me.lstep)
    me.hf.step(me.hstep)

class SophieGermainJumper (SophieGermainStepJump):
  def __init__(me, jump):
    me.ljump = PrimeFilter(jump);
    me.hjump = me.ljump.muladd(2, 0)
  def step(me):
    me.lf.jump(me.ljump)
    me.hf.jump(me.hjump)
  def pg_done(me, ev):
    del me.ljump
    del me.hjump
    SophieGermainStepJump.pg_done(me, ev)

class SophieGermainTester (object):
  def __init__(me):
    pass
  def pg_begin(me, ev):
    me.lr = RabinMiller(ev.x)
    me.hr = RabinMiller(2 * ev.x + 1)
  def pg_try(me, ev):
    lst = me.lr.test(ev.rng.range(me.lr.x))
    if lst != PGEN_PASS and lst != PGEN_DONE:
      return lst
    rst = me.hr.test(ev.rng.range(me.hr.x))
    if rst != PGEN_PASS and rst != PGEN_DONE:
      return rst
    if lst == PGEN_DONE and rst == PGEN_DONE:
      return PGEN_DONE
    return PGEN_PASS
  def pg_done(me, ev):
    del me.lr
    del me.hr

class PrimitiveStepper (PrimeGenEventHandler):
  def __init__(me):
    pass
  def pg_try(me, ev):
    ev.x = me.i.next()
    return PGEN_TRY
  def pg_begin(me, ev):
    me.i = iter(smallprimes)
    return me.pg_try(ev)

class PrimitiveTester (PrimeGenEventHandler):
  def __init__(me, mod, hh = [], exp = None):
    me.mod = MPMont(mod)
    me.exp = exp
    me.hh = hh
  def pg_try(me, ev):
    x = ev.x
    if me.exp is not None:
      x = me.mod.exp(x, me.exp)
      if x == 1: return PGEN_FAIL
    for h in me.hh:
      if me.mod.exp(x, h) == 1: return PGEN_FAIL
    ev.x = x
    return PGEN_DONE

class SimulStepper (PrimeGenEventHandler):
  def __init__(me, mul = 2, add = 1, step = 2):
    me.step = step
    me.mul = mul
    me.add = add
  def _stepfn(me, step):
    if step <= 0:
      raise ValueError, 'step must be positive'
    if step <= MPW_MAX:
      return lambda f: f.step(step)
    j = PrimeFilter(step)
    return lambda f: f.jump(j)
  def pg_begin(me, ev):
    x = ev.x
    me.lf = PrimeFilter(x)
    me.hf = PrimeFilter(x * me.mul + me.add)
    me.lstep = me._stepfn(me.step)
    me.hstep = me._stepfn(me.step * me.mul)
    SimulStepper._cont(me, ev)
  def pg_try(me, ev):
    me._step()
    me._cont(ev)
  def _step(me):
    me.lstep(me.lf)
    me.hstep(me.hf)
  def _cont(me, ev):
    while me.lf.status == PGEN_FAIL or me.hf.status == PGEN_FAIL:
      me._step()
    if me.lf.status == PGEN_ABORT or me.hf.status == PGEN_ABORT:
      return PGEN_ABORT
    ev.x = me.lf.x
    if me.lf.status == PGEN_DONE and me.hf.status == PGEN_DONE:
      return PGEN_DONE
    return PGEN_TRY
  def pg_done(me, ev):
    del me.lf
    del me.hf
    del me.lstep
    del me.hstep

class SimulTester (PrimeGenEventHandler):
  def __init__(me, mul = 2, add = 1):
    me.mul = mul
    me.add = add
  def pg_begin(me, ev):
    x = ev.x
    me.lr = RabinMiller(x)
    me.hr = RabinMiller(x * me.mul + me.add)
  def pg_try(me, ev):
    lst = me.lr.test(ev.rng.range(me.lr.x))
    if lst != PGEN_PASS and lst != PGEN_DONE:
      return lst
    rst = me.hr.test(ev.rng.range(me.hr.x))
    if rst != PGEN_PASS and rst != PGEN_DONE:
      return rst
    if lst == PGEN_DONE and rst == PGEN_DONE:
      return PGEN_DONE
    return PGEN_PASS
  def pg_done(me, ev):
    del me.lr
    del me.hr

def sgprime(start, step = 2, name = 'p', event = pgen_nullev, nsteps = 0):
  start = MP(start)
  return pgen(start, name, SimulStepper(step = step), SimulTester(), event,
              nsteps, RabinMiller.iters(start.nbits))

def findprimitive(mod, hh = [], exp = None, name = 'g', event = pgen_nullev):
  return pgen(0, name, PrimitiveStepper(), PrimitiveTester(mod, hh, exp),
              event, 0, 1)

def kcdsaprime(pbits, qbits, rng = rand,
               event = pgen_nullev, name = 'p', nsteps = 0):
  hbits = pbits - qbits
  h = pgen(rng.mp(hbits, 1), name + ' [h]',
           PrimeGenStepper(2), PrimeGenTester(),
           event, nsteps, RabinMiller.iters(hbits))
  q = pgen(rng.mp(qbits, 1), name, SimulStepper(2 * h, 1, 2),
           SimulTester(2 * h, 1), event, nsteps, RabinMiller.iters(qbits))
  p = 2 * q * h + 1
  return p, q, h

#----- That's all, folks ----------------------------------------------------