def quarter_round(X, a, b, c, d):
    """Apply one ChaCha quarter round to four words of ``X``, in place.

    ``a``, ``b``, ``c`` and ``d`` are indexes into ``X``; the words at those
    positions are overwritten and nothing is returned. Every addition goes
    through ``_i32`` and every rotation through ``rotl_i32``, so the width of
    the result is whatever those helpers enforce (presumably 32 bits --
    confirm against their definitions).
    """
    # The quarter round is the same add/xor/rotate pair executed twice,
    # first with rotations (16, 12) and then with (8, 7).
    for rot_d, rot_b in ((16, 12), (8, 7)):
        X[a] = _i32(X[a] + X[b])
        X[d] = rotl_i32(X[d] ^ X[a], rot_d)
        X[c] = _i32(X[c] + X[d])
        X[b] = rotl_i32(X[b] ^ X[c], rot_b)
def chacha20_decrypt(data, key, counter=1):
    """Decrypt ``data`` with ChaCha20 and return the plaintext string.

    The first 12 bytes of ``data`` are read as the nonce (three little-endian
    words); everything after them is XORed with the key stream, one 64-byte
    block at a time, with block numbers starting at ``counter``. ``key`` is
    first passed through ``fixed_length_key(key, 32)``.

    NOTE(review): no authentication tag is checked anywhere in this function,
    so modified ciphertext decrypts without error. Callers that need integrity
    must verify a MAC over ``data`` before decrypting.
    NOTE(review): ``data`` shorter than 12 bytes is not rejected; the result
    then depends on how littleendian2int treats short input -- confirm.
    """
    key = fixed_length_key(key, 32)
    key_words = [littleendian2int(key[pos:pos + 4]) for pos in range(0, 32, 4)]
    nonce_words = [littleendian2int(data[pos:pos + 4]) for pos in range(0, 12, 4)]
    ciphertext = data[12:]

    pieces = []
    for start in range(0, len(ciphertext), 64):
        # Block number = initial counter + index of this 64-byte block.
        block_index = _i32(start // 64)
        key_stream = chacha20_block(
            key_words, [_i32(counter + block_index)], nonce_words)
        pieces.append(xor_str(ciphertext[start:start + 64], key_stream))
    return "".join(pieces)
def chacha20_encrypt(plaintext, key, counter=1):
    """Encrypt ``plaintext`` with ChaCha20 and return nonce + ciphertext.

    A fresh nonce of three words is drawn from ``urandom`` on every call and
    written (little-endian, 4 bytes per word) at the front of the result, so
    the output is 12 bytes longer than the input. ``key`` is first passed
    through ``fixed_length_key(key, 32)``.

    NOTE(review): the output carries no authentication tag; this gives
    confidentiality only. Pair it with a MAC when tampering matters.
    NOTE(review): the block number is reduced with ``_i32`` for every block;
    if that wraps modulo 2**32 (presumably -- confirm), a single message longer
    than 2**32 blocks would reuse key stream.
    """
    key = fixed_length_key(key, 32)
    key_words = [littleendian2int(key[pos:pos + 4]) for pos in range(0, 32, 4)]
    nonce_words = [littleendian2int(urandom(4)) for _ in range(3)]

    # The serialized nonce comes first, followed by the encrypted blocks.
    pieces = [int2littleendian(word, 4) for word in nonce_words]
    for start in range(0, len(plaintext), 64):
        block_index = _i32(start // 64)
        key_stream = chacha20_block(
            key_words, [_i32(counter + block_index)], nonce_words)
        pieces.append(xor_str(plaintext[start:start + 64], key_stream))
    return "".join(pieces)
def chacha20_block(key, counter, nonce):
    """Run 20 ChaCha rounds over one block and return it serialized.

    ``key``, ``counter`` and ``nonce`` are lists of words that are concatenated
    after the module-level ``constants`` to form the state; the callers in this
    file pass 8, 1 and 3 words, and the code below indexes exactly 16. The
    result is the 16 output words joined as little-endian 4-byte strings.
    """
    state = constants + key + counter + nonce
    # Snapshot of the input state, added back in after the rounds.
    initial = list(state[:16])

    columns = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15))
    diagonals = ((0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))

    # Each pass is one column round plus one diagonal round: 10 passes = 20 rounds.
    for _ in range(10):
        for a, b, c, d in columns + diagonals:
            quarter_round(state, a, b, c, d)

    # Feed-forward of the input state; without it the permutation above
    # could simply be run backwards.
    for pos, start_word in enumerate(initial):
        state[pos] = _i32(state[pos] + start_word)

    return "".join([int2littleendian(word, 4) for word in state[:16]])
def __init__(self, seed=0):
    """Fill the 624-word state table from ``seed``.

    ``index`` starts at 624, i.e. one past the last word of the table.
    The constants used here and in ``twist`` (624, 397, 1812433253,
    0x9908b0df) are those of the MT19937 Mersenne Twister.

    NOTE(review): a Mersenne Twister is a statistical generator, not a
    cryptographically secure one; its output should not be used for keys,
    nonces or tokens.
    NOTE(review): ``seed`` is stored in ``mt[0]`` without being reduced by
    ``_i32``, unlike every later word.
    """
    self.buf = []
    self.index = 624
    self.mt = words = [0] * 624
    words[0] = seed
    for pos in range(1, 624):
        prev = words[pos - 1]
        # `>>` binds tighter than `^`: this is prev ^ (prev >> 30).
        words[pos] = _i32(1812433253 * (prev ^ (prev >> 30)) + pos)
def twist(self):
    """Regenerate all 624 state words in place and reset ``index`` to 0.

    Each word is replaced using the top bit of the current word, the low 31
    bits of the next word (wrapping at 624) and the word 397 positions ahead.
    """
    words = self.mt
    for pos in range(624):
        top_bit = words[pos] & 0x80000000
        low_bits = words[(pos + 1) % 624] & 0x7fffffff
        y = _i32(top_bit + low_bits)
        # `>>` binds tighter than `^`, so only y is shifted here.
        fresh = words[(pos + 397) % 624] ^ (y >> 1)
        if y % 2 != 0:
            fresh = fresh ^ 0x9908b0df
        words[pos] = fresh
    self.index = 0
def sha1(m):
    """Compute the SHA-1 digest of the complete message ``m``.

    ``m`` is padded by ``sha_add_length_padding`` and processed in 64-byte
    chunks; characters are converted with ``ord``. The five final state words
    are returned concatenated, each as a 4-byte big-endian string.

    NOTE(review): SHA-1 is no longer collision resistant; keep it for
    compatibility with existing formats, not for new signatures or
    integrity checks.
    """
    h0, h1, h2, h3, h4 = (
        0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, 0xc3d2e1f0)

    padded = sha_add_length_padding(m)
    for offset in range(0, len(padded), 64):
        chunk = padded[offset:offset + 64]

        # Message schedule: 16 big-endian words from the chunk, then 64
        # derived words.
        w = [0] * 80
        for t in range(16):
            base = t * 4
            w[t] = ((ord(chunk[base + 0]) << 24) +
                    (ord(chunk[base + 1]) << 16) +
                    (ord(chunk[base + 2]) << 8) +
                    (ord(chunk[base + 3]) << 0))
        for t in range(16, 80):
            w[t] = rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1)

        a, b, c, d, e = h0, h1, h2, h3, h4

        for t in range(80):
            # Round function and constant change every 20 steps.
            if t < 20:
                f = (b & c) | ((~b) & d)
                k = 0x5A827999
            elif t < 40:
                f = b ^ c ^ d
                k = 0x6ED9EBA1
            elif t < 60:
                f = (b & c) | (b & d) | (c & d)
                k = 0x8F1BBCDC
            else:
                f = b ^ c ^ d
                k = 0xCA62C1D6

            temp = _i32(rotl(a, 5) + f + e + k + w[t])
            # The right-hand side is evaluated with the old values.
            a, b, c, d, e = temp, a, rotl(b, 30), c, d

        h0 = _i32(h0 + a)
        h1 = _i32(h1 + b)
        h2 = _i32(h2 + c)
        h3 = _i32(h3 + d)
        h4 = _i32(h4 + e)

    return (int2bigendian(h0, 4) +
            int2bigendian(h1, 4) +
            int2bigendian(h2, 4) +
            int2bigendian(h3, 4) +
            int2bigendian(h4, 4))
def md4(m):
    """Compute the MD4 digest of the complete message ``m``.

    ``m`` is padded by ``md4_add_length_padding`` and processed in 64-byte
    chunks of sixteen little-endian words. Each chunk goes through 16 steps of
    ``round1``, 16 of ``round2`` and 16 of ``round3``. The four final state
    words are returned concatenated, each as a 4-byte little-endian string.

    NOTE(review): MD4 is cryptographically broken (collisions are practical);
    it is only appropriate for interoperating with legacy formats.
    """
    A, B, C, D = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476

    padded = md4_add_length_padding(m)
    for offset in range(0, len(padded), 64):
        chunk = padded[offset:offset + 64]

        X = []
        for word in range(16):
            base = word * 4
            X.append((ord(chunk[base + 0]) << 0) +
                     (ord(chunk[base + 1]) << 8) +
                     (ord(chunk[base + 2]) << 16) +
                     (ord(chunk[base + 3]) << 24))

        AA, BB, CC, DD = A, B, C, D

        # Round 1: words 0..15 in order, shifts 3, 7, 11, 19.
        for first in (0, 4, 8, 12):
            A = round1(A, B, C, D, first, 3, X)
            D = round1(D, A, B, C, first + 1, 7, X)
            C = round1(C, D, A, B, first + 2, 11, X)
            B = round1(B, C, D, A, first + 3, 19, X)

        # Round 2: words taken column-wise (k, k+4, k+8, k+12), shifts 3, 5, 9, 13.
        for first in (0, 1, 2, 3):
            A = round2(A, B, C, D, first, 3, X)
            D = round2(D, A, B, C, first + 4, 5, X)
            C = round2(C, D, A, B, first + 8, 9, X)
            B = round2(B, C, D, A, first + 12, 13, X)

        # Round 3: starting words 0, 2, 1, 3, each followed by +8, +4, +12;
        # shifts 3, 9, 11, 15.
        for first in (0, 2, 1, 3):
            A = round3(A, B, C, D, first, 3, X)
            D = round3(D, A, B, C, first + 8, 9, X)
            C = round3(C, D, A, B, first + 4, 11, X)
            B = round3(B, C, D, A, first + 12, 15, X)

        A = _i32(A + AA)
        B = _i32(B + BB)
        C = _i32(C + CC)
        D = _i32(D + DD)

    # Final hash value, little-endian.
    return (int2littleendian(A, 4) +
            int2littleendian(B, 4) +
            int2littleendian(C, 4) +
            int2littleendian(D, 4))
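def sha256(m):
    """Compute the SHA-256 digest of the complete message ``m``.

    ``m`` is padded by ``sha_add_length_padding`` and processed in 64-byte
    chunks; characters are converted with ``ord``. The eight final state words
    are returned concatenated, each as a 4-byte big-endian string.

    The chaining values h0..h7 are reduced with ``_i32`` after every chunk,
    as ``sha1`` in this file already does. Without that reduction a message
    spanning more than one chunk feeds sums wider than 32 bits into ``rotr``
    and ``int2bigendian``, whose handling of oversized input is not visible
    here.
    """
    h0 = 0x6a09e667
    h1 = 0xbb67ae85
    h2 = 0x3c6ef372
    h3 = 0xa54ff53a
    h4 = 0x510e527f
    h5 = 0x9b05688c
    h6 = 0x1f83d9ab
    h7 = 0x5be0cd19

    # Round constants, one per compression step.
    k = [
        0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
        0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
        0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
        0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
        0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
        0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
        0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
        0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
        0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
        0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
        0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
        0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
        0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
        0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
        0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
        0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2]

    # Pad to a whole number of 64-byte blocks.
    m = sha_add_length_padding(m)

    for offset in range(0, len(m), 64):
        chunk = m[offset:offset + 64]

        # Message schedule: 16 big-endian words from the chunk, then 48
        # derived words.
        w = [0] * 64
        for i in range(16):
            w[i] = ((ord(chunk[i * 4 + 0]) << 24) +
                    (ord(chunk[i * 4 + 1]) << 16) +
                    (ord(chunk[i * 4 + 2]) << 8) +
                    (ord(chunk[i * 4 + 3]) << 0))
        for i in range(16, 64):
            s0 = (rotr(w[i - 15], 7) ^ rotr(w[i - 15], 18) ^
                  shiftr(w[i - 15], 3))
            s1 = (rotr(w[i - 2], 17) ^ rotr(w[i - 2], 19) ^
                  shiftr(w[i - 2], 10))
            w[i] = _i32(w[i - 16] + s0 + w[i - 7] + s1)

        # Working variables start from the current hash value.
        a, b, c, d, e, f, g, h = h0, h1, h2, h3, h4, h5, h6, h7

        # Compression function main loop.
        for i in range(64):
            S1 = rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)
            ch = (e & f) ^ ((~e) & g)
            temp1 = h + S1 + ch + k[i] + w[i]
            S0 = rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)
            maj = (a & b) ^ (a & c) ^ (b & c)
            temp2 = S0 + maj

            h = g
            g = f
            f = e
            e = _i32(d + temp1)
            d = c
            c = b
            b = a
            a = _i32(temp1 + temp2)

        # Add the compressed chunk to the hash value, reducing each sum so
        # the next chunk starts from in-range words.
        h0 = _i32(h0 + a)
        h1 = _i32(h1 + b)
        h2 = _i32(h2 + c)
        h3 = _i32(h3 + d)
        h4 = _i32(h4 + e)
        h5 = _i32(h5 + f)
        h6 = _i32(h6 + g)
        h7 = _i32(h7 + h)

    # Final hash value, big-endian.
    return (int2bigendian(h0, 4) +
            int2bigendian(h1, 4) +
            int2bigendian(h2, 4) +
            int2bigendian(h3, 4) +
            int2bigendian(h4, 4) +
            int2bigendian(h5, 4) +
            int2bigendian(h6, 4) +
            int2bigendian(h7, 4))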
def update_buffer(self):
    """Append one more ChaCha20 key-stream block to ``self.buf``.

    The block is generated from ``self.key_words``, ``self.nonce_words`` and
    the current ``self.counter``, which is then incremented by one.

    NOTE(review): only the value handed to chacha20_block is reduced with
    ``_i32``; ``self.counter`` itself keeps growing. If ``_i32`` wraps modulo
    2**32 (presumably -- confirm), the key stream repeats once the counter
    passes that bound.
    """
    block_number = _i32(self.counter)
    self.buf += chacha20_block(
        self.key_words, [block_number], self.nonce_words)
    self.counter += 1