#!/usr/bin/env python3
# -*- coding: utf-8 -*-
'''
sha3sum – SHA-3 (Keccak) checksum calculator
Copyright © 2013 Mattias Andrée (maandree@member.fsf.org)
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
'''
import sys
import os
def printerr(text, end = '\n'):
sys.stderr.buffer.write((text + end).encode('utf-8'))
sys.stderr.buffer.flush()
class SHA3:
'''
SHA-3/Keccak hash algorithm implementation
@author Mattias Andrée (maandree@member.fsf.org)
'''
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
'''
:list<int> Round contants
'''
B = [0] * 25
'''
:list<int> Keccak-f round temporary
'''
C = [0] * 5
'''
:list<int> Keccak-f round temporary
'''
(r, c, n, b, w, wmod, l, nr) = (0, 0, 0, 0, 0, 0, 0, 0)
'''
r:int The bitrate
c:int The capacity
n:int The output size
b:int The state size
w:int The word size
wmod:int The word mask
l:int ℓ, the binary logarithm of the word size
nr:int 12 + 2ℓ, the number of rounds
'''
S = None
'''
:list<int> The current state
'''
M = None
'''
:bytes Left over water to fill the sponge with at next update
'''
@staticmethod
def rotate(x, n):
'''
Rotate a word
@param x:int The value to rotate
@param n:int Rotation steps
@return :int The value rotated
'''
m = n % SHA3.w
return ((x >> (SHA3.w - m)) + (x << m)) & SHA3.wmod
@staticmethod
def rotate64(x, n):
'''
Rotate a 64-bit word
@param x:int The value to rotate
@param n:int Rotation steps
@return :int The value rotated
'''
return ((x >> (64 - n)) + (x << n)) & 0xFFFFFFFFFFFFFFFF
@staticmethod
def lb(x):
'''
Binary logarithm
@param x:int The value of which to calculate the binary logarithm
@return :int The binary logarithm
'''
rc = 0
if (x & 0xFF00) != 0: rc += 8 ; x >>= 8
if (x & 0x00F0) != 0: rc += 4 ; x >>= 4
if (x & 0x000C) != 0: rc += 2 ; x >>= 2
if (x & 0x0002) != 0: rc += 1
return rc
@staticmethod
def keccakFRound(A, rc):
'''
Perform one round of computation
@param A:list<int> The current state
@param rc:int Round constant
'''
if SHA3.w == 64:
# θ step (step 1 and 2 of 3)
SHA3.C[0] = (A[0] ^ A[1]) ^ (A[2] ^ A[3]) ^ A[4]
SHA3.C[2] = (A[10] ^ A[11]) ^ (A[12] ^ A[13]) ^ A[14]
db = SHA3.C[0] ^ SHA3.rotate64(SHA3.C[2], 1)
SHA3.C[4] = (A[20] ^ A[21]) ^ (A[22] ^ A[23]) ^ A[24]
dd = SHA3.C[2] ^ SHA3.rotate64(SHA3.C[4], 1)
SHA3.C[1] = (A[5] ^ A[6]) ^ (A[7] ^ A[8]) ^ A[9]
da = SHA3.C[4] ^ SHA3.rotate64(SHA3.C[1], 1)
SHA3.C[3] = (A[15] ^ A[16]) ^ (A[17] ^ A[18]) ^ A[19]
dc = SHA3.C[1] ^ SHA3.rotate64(SHA3.C[3], 1)
de = SHA3.C[3] ^ SHA3.rotate64(SHA3.C[0], 1)
# ρ and π steps, with last part of θ
SHA3.B[0] = SHA3.rotate64(A[0] ^ da, 0)
SHA3.B[1] = SHA3.rotate64(A[15] ^ dd, 28)
SHA3.B[2] = SHA3.rotate64(A[5] ^ db, 1)
SHA3.B[3] = SHA3.rotate64(A[20] ^ de, 27)
SHA3.B[4] = SHA3.rotate64(A[10] ^ dc, 62)
SHA3.B[5] = SHA3.rotate64(A[6] ^ db, 44)
SHA3.B[6] = SHA3.rotate64(A[21] ^ de, 20)
SHA3.B[7] = SHA3.rotate64(A[11] ^ dc, 6)
SHA3.B[8] = SHA3.rotate64(A[1] ^ da, 36)
SHA3.B[9] = SHA3.rotate64(A[16] ^ dd, 55)
SHA3.B[10] = SHA3.rotate64(A[12] ^ dc, 43)
SHA3.B[11] = SHA3.rotate64(A[2] ^ da, 3)
SHA3.B[12] = SHA3.rotate64(A[17] ^ dd, 25)
SHA3.B[13] = SHA3.rotate64(A[7] ^ db, 10)
SHA3.B[14] = SHA3.rotate64(A[22] ^ de, 39)
SHA3.B[15] = SHA3.rotate64(A[18] ^ dd, 21)
SHA3.B[16] = SHA3.rotate64(A[8] ^ db, 45)
SHA3.B[17] = SHA3.rotate64(A[23] ^ de, 8)
SHA3.B[18] = SHA3.rotate64(A[13] ^ dc, 15)
SHA3.B[19] = SHA3.rotate64(A[3] ^ da, 41)
SHA3.B[20] = SHA3.rotate64(A[24] ^ de, 14)
SHA3.B[21] = SHA3.rotate64(A[14] ^ dc, 61)
SHA3.B[22] = SHA3.rotate64(A[4] ^ da, 18)
SHA3.B[23] = SHA3.rotate64(A[19] ^ dd, 56)
SHA3.B[24] = SHA3.rotate64(A[9] ^ db, 2)
else:
# θ step (step 1 and 2 of 3)
SHA3.C[0] = (A[0] ^ A[1]) ^ (A[2] ^ A[3]) ^ A[4]
SHA3.C[2] = (A[10] ^ A[11]) ^ (A[12] ^ A[13]) ^ A[14]
db = SHA3.C[0] ^ SHA3.rotate(SHA3.C[2], 1)
SHA3.C[4] = (A[20] ^ A[21]) ^ (A[22] ^ A[23]) ^ A[24]
dd = SHA3.C[2] ^ SHA3.rotate(SHA3.C[4], 1)
SHA3.C[1] = (A[5] ^ A[6]) ^ (A[7] ^ A[8]) ^ A[9]
da = SHA3.C[4] ^ SHA3.rotate(SHA3.C[1], 1)
SHA3.C[3] = (A[15] ^ A[16]) ^ (A[17] ^ A[18]) ^ A[19]
dc = SHA3.C[1] ^ SHA3.rotate(SHA3.C[3], 1)
de = SHA3.C[3] ^ SHA3.rotate(SHA3.C[0], 1)
# ρ and π steps, with last part of θ
SHA3.B[0] = SHA3.rotate(A[0] ^ da, 0)
SHA3.B[1] = SHA3.rotate(A[15] ^ dd, 28)
SHA3.B[2] = SHA3.rotate(A[5] ^ db, 1)
SHA3.B[3] = SHA3.rotate(A[20] ^ de, 27)
SHA3.B[4] = SHA3.rotate(A[10] ^ dc, 62)
SHA3.B[5] = SHA3.rotate(A[6] ^ db, 44)
SHA3.B[6] = SHA3.rotate(A[21] ^ de, 20)
SHA3.B[7] = SHA3.rotate(A[11] ^ dc, 6)
SHA3.B[8] = SHA3.rotate(A[1] ^ da, 36)
SHA3.B[9] = SHA3.rotate(A[16] ^ dd, 55)
SHA3.B[10] = SHA3.rotate(A[12] ^ dc, 43)
SHA3.B[11] = SHA3.rotate(A[2] ^ da, 3)
SHA3.B[12] = SHA3.rotate(A[17] ^ dd, 25)
SHA3.B[13] = SHA3.rotate(A[7] ^ db, 10)
SHA3.B[14] = SHA3.rotate(A[22] ^ de, 39)
SHA3.B[15] = SHA3.rotate(A[18] ^ dd, 21)
SHA3.B[16] = SHA3.rotate(A[8] ^ db, 45)
SHA3.B[17] = SHA3.rotate(A[23] ^ de, 8)
SHA3.B[18] = SHA3.rotate(A[13] ^ dc, 15)
SHA3.B[19] = SHA3.rotate(A[3] ^ da, 41)
SHA3.B[20] = SHA3.rotate(A[24] ^ de, 14)
SHA3.B[21] = SHA3.rotate(A[14] ^ dc, 61)
SHA3.B[22] = SHA3.rotate(A[4] ^ da, 18)
SHA3.B[23] = SHA3.rotate(A[19] ^ dd, 56)
SHA3.B[24] = SHA3.rotate(A[9] ^ db, 2)
# ξ step
A[0] = SHA3.B[0] ^ ((~(SHA3.B[5])) & SHA3.B[10])
A[1] = SHA3.B[1] ^ ((~(SHA3.B[6])) & SHA3.B[11])
A[2] = SHA3.B[2] ^ ((~(SHA3.B[7])) & SHA3.B[12])
A[3] = SHA3.B[3] ^ ((~(SHA3.B[8])) & SHA3.B[13])
A[4] = SHA3.B[4] ^ ((~(SHA3.B[9])) & SHA3.B[14])
A[5] = SHA3.B[5] ^ ((~(SHA3.B[10])) & SHA3.B[15])
A[6] = SHA3.B[6] ^ ((~(SHA3.B[11])) & SHA3.B[16])
A[7] = SHA3.B[7] ^ ((~(SHA3.B[12])) & SHA3.B[17])
A[8] = SHA3.B[8] ^ ((~(SHA3.B[13])) & SHA3.B[18])
A[9] = SHA3.B[9] ^ ((~(SHA3.B[14])) & SHA3.B[19])
A[10] = SHA3.B[10] ^ ((~(SHA3.B[15])) & SHA3.B[20])
A[11] = SHA3.B[11] ^ ((~(SHA3.B[16])) & SHA3.B[21])
A[12] = SHA3.B[12] ^ ((~(SHA3.B[17])) & SHA3.B[22])
A[13] = SHA3.B[13] ^ ((~(SHA3.B[18])) & SHA3.B[23])
A[14] = SHA3.B[14] ^ ((~(SHA3.B[19])) & SHA3.B[24])
A[15] = SHA3.B[15] ^ ((~(SHA3.B[20])) & SHA3.B[0])
A[16] = SHA3.B[16] ^ ((~(SHA3.B[21])) & SHA3.B[1])
A[17] = SHA3.B[17] ^ ((~(SHA3.B[22])) & SHA3.B[2])
A[18] = SHA3.B[18] ^ ((~(SHA3.B[23])) & SHA3.B[3])
A[19] = SHA3.B[19] ^ ((~(SHA3.B[24])) & SHA3.B[4])
A[20] = SHA3.B[20] ^ ((~(SHA3.B[0])) & SHA3.B[5])
A[21] = SHA3.B[21] ^ ((~(SHA3.B[1])) & SHA3.B[6])
A[22] = SHA3.B[22] ^ ((~(SHA3.B[2])) & SHA3.B[7])
A[23] = SHA3.B[23] ^ ((~(SHA3.B[3])) & SHA3.B[8])
A[24] = SHA3.B[24] ^ ((~(SHA3.B[4])) & SHA3.B[9])
# ι step
A[0] ^= rc
@staticmethod
def keccakF(A):
'''
Perform Keccak-f function
@param A:list<int> The current state
'''
if (SHA3.nr == 24):
SHA3.keccakFRound(A, 0x0000000000000001)
SHA3.keccakFRound(A, 0x0000000000008082)
SHA3.keccakFRound(A, 0x800000000000808A)
SHA3.keccakFRound(A, 0x8000000080008000)
SHA3.keccakFRound(A, 0x000000000000808B)
SHA3.keccakFRound(A, 0x0000000080000001)
SHA3.keccakFRound(A, 0x8000000080008081)
SHA3.keccakFRound(A, 0x8000000000008009)
SHA3.keccakFRound(A, 0x000000000000008A)
SHA3.keccakFRound(A, 0x0000000000000088)
SHA3.keccakFRound(A, 0x0000000080008009)
SHA3.keccakFRound(A, 0x000000008000000A)
SHA3.keccakFRound(A, 0x000000008000808B)
SHA3.keccakFRound(A, 0x800000000000008B)
SHA3.keccakFRound(A, 0x8000000000008089)
SHA3.keccakFRound(A, 0x8000000000008003)
SHA3.keccakFRound(A, 0x8000000000008002)
SHA3.keccakFRound(A, 0x8000000000000080)
SHA3.keccakFRound(A, 0x000000000000800A)
SHA3.keccakFRound(A, 0x800000008000000A)
SHA3.keccakFRound(A, 0x8000000080008081)
SHA3.keccakFRound(A, 0x8000000000008080)
SHA3.keccakFRound(A, 0x0000000080000001)
SHA3.keccakFRound(A, 0x8000000080008008)
else:
for i in range(SHA3.nr):
SHA3.keccakFRound(A, SHA3.RC[i] & SHA3.wmod)
@staticmethod
def toLane(message, rr, ww, off):
'''
Convert a chunk of char:s to a word
@param message:bytes The message
@param rr:int Bitrate in bytes
@param ww:int Word size in bytes
@param off:int The offset in the message
@return :int Lane
'''
rc = 0
i = off + ww - 1
n = min(len(message), rr)
while i >= off:
rc = (rc << 8) | (message[i] if (i < n) else 0)
i -= 1
return rc
@staticmethod
def toLane64(message, rr, off):
'''
Convert a chunk of char:s to a 64-bit word
@param message:bytes The message
@param rr:int Bitrate in bytes
@param off:int The offset in the message
@return :int Lane
'''
n = min(len(message), rr)
return ((message[off + 7] << 56) if (off + 7 < n) else 0) | ((message[off + 6] << 48) if (off + 6 < n) else 0) | ((message[off + 5] << 40) if (off + 5 < n) else 0) | ((message[off + 4] << 32) if (off + 4 < n) else 0) | ((message[off + 3] << 24) if (off + 3 < n) else 0) | ((message[off + 2] << 16) if (off + 2 < n) else 0) | ((message[off + 1] << 8) if (off + 1 < n) else 0) | ((message[off]) if (off < n) else 0)
@staticmethod
def pad10star1(msg, r):
'''
pad 10*1
@param msg:bytes The message to pad
@param r:int The bitrate
@return :str The message padded
'''
nnn = len(msg) << 3
nrf = nnn >> 3
nbrf = nnn & 7
ll = nnn % r
bbbb = 1 if nbrf == 0 else ((msg[nrf] >> (8 - nbrf)) | (1 << nbrf))
message = None
if ((r - 8 <= ll) and (ll <= r - 2)):
message = [bbbb ^ 128]
else:
nnn = (nrf + 1) << 3
nnn = ((nnn - (nnn % r) + (r - 8)) >> 3) + 1
message = [0] * (nnn - nrf)
message[0] = bbbb
nnn -= nrf
message[nnn - 1] = 0x80
return msg[:nrf] + bytes(message)
@staticmethod
def initialise(r, c, n):
'''
Initialise Keccak sponge
@param r:int The bitrate
@param c:int The capacity
@param n:int The output size
'''
SHA3.r = r
SHA3.c = c
SHA3.n = n
SHA3.b = r + c
SHA3.w = SHA3.b // 25
SHA3.l = SHA3.lb(SHA3.w)
SHA3.nr = 12 + (SHA3.l << 1)
SHA3.wmod = (1 << SHA3.w) - 1
SHA3.S = [0] * 25
SHA3.M = bytes([])
@staticmethod
def update(msg, msglen = None):
'''
Absorb the more of the message message to the Keccak sponge
@param msg:bytes The partial message
@param msglen:int The length of the partial message
'''
if msglen is not None:
msg = msg[:msglen]
rr = SHA3.r >> 3
ww = SHA3.w >> 3
SHA3.M += msg
nnn = len(SHA3.M)
nnn -= nnn % ((SHA3.r * SHA3.b) >> 3)
message = SHA3.M[:nnn]
SHA3.M = SHA3.M[nnn:]
# Absorbing phase
if ww == 8:
for i in range(0, nnn, rr):
SHA3.S[ 0] ^= SHA3.toLane64(message, rr, 0)
SHA3.S[ 5] ^= SHA3.toLane64(message, rr, 8)
SHA3.S[10] ^= SHA3.toLane64(message, rr, 16)
SHA3.S[15] ^= SHA3.toLane64(message, rr, 24)
SHA3.S[20] ^= SHA3.toLane64(message, rr, 32)
SHA3.S[ 1] ^= SHA3.toLane64(message, rr, 40)
SHA3.S[ 6] ^= SHA3.toLane64(message, rr, 48)
SHA3.S[11] ^= SHA3.toLane64(message, rr, 56)
SHA3.S[16] ^= SHA3.toLane64(message, rr, 64)
SHA3.S[21] ^= SHA3.toLane64(message, rr, 72)
SHA3.S[ 2] ^= SHA3.toLane64(message, rr, 80)
SHA3.S[ 7] ^= SHA3.toLane64(message, rr, 88)
SHA3.S[12] ^= SHA3.toLane64(message, rr, 96)
SHA3.S[17] ^= SHA3.toLane64(message, rr, 104)
SHA3.S[22] ^= SHA3.toLane64(message, rr, 112)
SHA3.S[ 3] ^= SHA3.toLane64(message, rr, 120)
SHA3.S[ 8] ^= SHA3.toLane64(message, rr, 128)
SHA3.S[13] ^= SHA3.toLane64(message, rr, 136)
SHA3.S[18] ^= SHA3.toLane64(message, rr, 144)
SHA3.S[23] ^= SHA3.toLane64(message, rr, 152)
SHA3.S[ 4] ^= SHA3.toLane64(message, rr, 160)
SHA3.S[ 9] ^= SHA3.toLane64(message, rr, 168)
SHA3.S[14] ^= SHA3.toLane64(message, rr, 176)
SHA3.S[19] ^= SHA3.toLane64(message, rr, 184)
SHA3.S[24] ^= SHA3.toLane64(message, rr, 192)
SHA3.keccakF(SHA3.S)
message = message[rr:]
else:
for i in range(0, nnn, rr):
SHA3.S[ 0] ^= SHA3.toLane(message, rr, ww, 0)
SHA3.S[ 5] ^= SHA3.toLane(message, rr, ww, ww)
SHA3.S[10] ^= SHA3.toLane(message, rr, ww, 2 * ww)
SHA3.S[15] ^= SHA3.toLane(message, rr, ww, 3 * ww)
SHA3.S[20] ^= SHA3.toLane(message, rr, ww, 4 * ww)
SHA3.S[ 1] ^= SHA3.toLane(message, rr, ww, 5 * ww)
SHA3.S[ 6] ^= SHA3.toLane(message, rr, ww, 6 * ww)
SHA3.S[11] ^= SHA3.toLane(message, rr, ww, 7 * ww)
SHA3.S[16] ^= SHA3.toLane(message, rr, ww, 8 * ww)
SHA3.S[21] ^= SHA3.toLane(message, rr, ww, 9 * ww)
SHA3.S[ 2] ^= SHA3.toLane(message, rr, ww, 10 * ww)
SHA3.S[ 7] ^= SHA3.toLane(message, rr, ww, 11 * ww)
SHA3.S[12] ^= SHA3.toLane(message, rr, ww, 12 * ww)
SHA3.S[17] ^= SHA3.toLane(message, rr, ww, 13 * ww)
SHA3.S[22] ^= SHA3.toLane(message, rr, ww, 14 * ww)
SHA3.S[ 3] ^= SHA3.toLane(message, rr, ww, 15 * ww)
SHA3.S[ 8] ^= SHA3.toLane(message, rr, ww, 16 * ww)
SHA3.S[13] ^= SHA3.toLane(message, rr, ww, 17 * ww)
SHA3.S[18] ^= SHA3.toLane(message, rr, ww, 18 * ww)
SHA3.S[23] ^= SHA3.toLane(message, rr, ww, 19 * ww)
SHA3.S[ 4] ^= SHA3.toLane(message, rr, ww, 20 * ww)
SHA3.S[ 9] ^= SHA3.toLane(message, rr, ww, 21 * ww)
SHA3.S[14] ^= SHA3.toLane(message, rr, ww, 22 * ww)
SHA3.S[19] ^= SHA3.toLane(message, rr, ww, 23 * ww)
SHA3.S[24] ^= SHA3.toLane(message, rr, ww, 24 * ww)
message = message[rr:]
SHA3.keccakF(SHA3.S)
@staticmethod
def digest(msg = None, msglen = None, withReturn = None):
'''
Absorb the last part of the message and squeeze the Keccak sponge
@param msg:bytes? The rest of the message
@param msglen:int The length of the partial message
@param withReturn:bool Whether to return the hash instead of just do a quick squeeze phrase and return `None`
@return :bytes? The hash sum, or `None` if `withReturn` is `False`
'''
if (msg is not None) and isinstance(msg, bool):
(msg, withReturn) = (withReturn, msg)
elif (msglen is not None) and isinstance(msglen, bool):
(msglen, withReturn) = (withReturn, msglen)
if msg is None:
msg = bytes([])
elif msglen is not None:
msg = msg[:msglen]
message = SHA3.pad10star1(SHA3.M + msg, SHA3.r)
SHA3.M = None
nnn = len(message)
rr = SHA3.r >> 3
nn = (SHA3.n + 7) >> 3
ww = SHA3.w >> 3
# Absorbing phase
if ww == 8:
for i in range(0, nnn, rr):
SHA3.S[ 0] ^= SHA3.toLane64(message, rr, 0)
SHA3.S[ 5] ^= SHA3.toLane64(message, rr, 8)
SHA3.S[10] ^= SHA3.toLane64(message, rr, 16)
SHA3.S[15] ^= SHA3.toLane64(message, rr, 24)
SHA3.S[20] ^= SHA3.toLane64(message, rr, 32)
SHA3.S[ 1] ^= SHA3.toLane64(message, rr, 40)
SHA3.S[ 6] ^= SHA3.toLane64(message, rr, 48)
SHA3.S[11] ^= SHA3.toLane64(message, rr, 56)
SHA3.S[16] ^= SHA3.toLane64(message, rr, 64)
SHA3.S[21] ^= SHA3.toLane64(message, rr, 72)
SHA3.S[ 2] ^= SHA3.toLane64(message, rr, 80)
SHA3.S[ 7] ^= SHA3.toLane64(message, rr, 88)
SHA3.S[12] ^= SHA3.toLane64(message, rr, 96)
SHA3.S[17] ^= SHA3.toLane64(message, rr, 104)
SHA3.S[22] ^= SHA3.toLane64(message, rr, 112)
SHA3.S[ 3] ^= SHA3.toLane64(message, rr, 120)
SHA3.S[ 8] ^= SHA3.toLane64(message, rr, 128)
SHA3.S[13] ^= SHA3.toLane64(message, rr, 136)
SHA3.S[18] ^= SHA3.toLane64(message, rr, 144)
SHA3.S[23] ^= SHA3.toLane64(message, rr, 152)
SHA3.S[ 4] ^= SHA3.toLane64(message, rr, 160)
SHA3.S[ 9] ^= SHA3.toLane64(message, rr, 168)
SHA3.S[14] ^= SHA3.toLane64(message, rr, 176)
SHA3.S[19] ^= SHA3.toLane64(message, rr, 184)
SHA3.S[24] ^= SHA3.toLane64(message, rr, 192)
SHA3.keccakF(SHA3.S)
message = message[rr:]
else:
for i in range(0, nnn, rr):
SHA3.S[ 0] ^= SHA3.toLane(message, rr, ww, 0)
SHA3.S[ 5] ^= SHA3.toLane(message, rr, ww, ww)
SHA3.S[10] ^= SHA3.toLane(message, rr, ww, 2 * ww)
SHA3.S[15] ^= SHA3.toLane(message, rr, ww, 3 * ww)
SHA3.S[20] ^= SHA3.toLane(message, rr, ww, 4 * ww)
SHA3.S[ 1] ^= SHA3.toLane(message, rr, ww, 5 * ww)
SHA3.S[ 6] ^= SHA3.toLane(message, rr, ww, 6 * ww)
SHA3.S[11] ^= SHA3.toLane(message, rr, ww, 7 * ww)
SHA3.S[16] ^= SHA3.toLane(message, rr, ww, 8 * ww)
SHA3.S[21] ^= SHA3.toLane(message, rr, ww, 9 * ww)
SHA3.S[ 2] ^= SHA3.toLane(message, rr, ww, 10 * ww)
SHA3.S[ 7] ^= SHA3.toLane(message, rr, ww, 11 * ww)
SHA3.S[12] ^= SHA3.toLane(message, rr, ww, 12 * ww)
SHA3.S[17] ^= SHA3.toLane(message, rr, ww, 13 * ww)
SHA3.S[22] ^= SHA3.toLane(message, rr, ww, 14 * ww)
SHA3.S[ 3] ^= SHA3.toLane(message, rr, ww, 15 * ww)
SHA3.S[ 8] ^= SHA3.toLane(message, rr, ww, 16 * ww)
SHA3.S[13] ^= SHA3.toLane(message, rr, ww, 17 * ww)
SHA3.S[18] ^= SHA3.toLane(message, rr, ww, 18 * ww)
SHA3.S[23] ^= SHA3.toLane(message, rr, ww, 19 * ww)
SHA3.S[ 4] ^= SHA3.toLane(message, rr, ww, 20 * ww)
SHA3.S[ 9] ^= SHA3.toLane(message, rr, ww, 21 * ww)
SHA3.S[14] ^= SHA3.toLane(message, rr, ww, 22 * ww)
SHA3.S[19] ^= SHA3.toLane(message, rr, ww, 23 * ww)
SHA3.S[24] ^= SHA3.toLane(message, rr, ww, 24 * ww)
message = message[rr:]
SHA3.keccakF(SHA3.S)
# Squeezing phase
if withReturn:
rc = [0] * ((SHA3.n + 7) >> 3)
ptr = 0
olen = SHA3.n
j = 0
ni = min(25, rr)
while olen > 0:
i = 0
while (i < ni) and (j < nn):
v = SHA3.S[(i % 5) * 5 + i // 5]
for _ in range(ww):
if j < nn:
rc[ptr] = v & 255
ptr += 1
v >>= 8
j += 1
i += 1
olen -= SHA3.r
if olen > 0:
SHA3.keccakF(SHA3.S)
if (SHA3.n & 7) != 0:
rc[len(rc) - 1] &= (1 << (SHA3.n & 7)) - 1
return bytes(rc)
olen = SHA3.n
while olen > SHA3.r:
olen -= SHA3.r
SHA3.keccakF(SHA3.S)
return None
def simpleSqueeze(times = 1):
'''
Force some rounds of Keccak-f
@param times:int The number of rounds
'''
for i in range(times):
SHA3.keccakF(SHA3.S)
def fastSqueeze(times = 1):
'''
Squeeze as much as is needed to get a digest a number of times
@param times:int The number of digests
'''
for i in range(times):
SHA3.keccakF(SHA3.S) # Last squeeze did not do a ending squeeze
olen = SHA3.n
while olen > SHA3.r:
olen -= SHA3.r
SHA3.keccakF(SHA3.S)
def squeeze():
'''
Squeeze out another digest
@return :bytes The hash sum
'''
SHA3.keccakF(SHA3.S) # Last squeeze did not do a ending squeeze
nn = (SHA3.n + 7) >> 3
ww = SHA3.w >> 3
rc = [0] * nn
olen = SHA3.n
j = 0
ptr = 0
ni = min(25, SHA3.r >> 3)
while olen > 0:
i = 0
while (i < ni) and (j < nn):
v = SHA3.S[(i % 5) * 5 + i // 5]
for _ in range(ww):
if j < nn:
rc[ptr] = v
ptr += 1
v >>= 8
j += 1
i += 1
olen -= SHA3.r
if olen > 0:
SHA3.keccakF(SHA3.S)
if (SHA3.n & 7) != 0:
rc[len(rc) - 1] &= (1 << (SHA3.n & 7)) - 1
return bytes(rc)
if __name__ == '__main__':
cmd = sys.argv[0]
args = sys.argv[1:]
if '/' in cmd:
cmd = cmd[cmd.rfind('/') + 1:]
if cmd.endswith('.py'):
cmd = cmd[:-3]
(O, S, R, C, W, I, J) = (None, None, None, None, None, None, None)
(o, s, r, c, w, i, j) = (0, 0, 0, 0, 0, 0, 0)
_o = 512 # --outputsize
if cmd == 'sha3-224sum': _o = 224
elif cmd == 'sha3-256sum': _o = 256
elif cmd == 'sha3-384sum': _o = 384
elif cmd == 'sha3-512sum': _o = 512
_s = 1600 # --statesize
_c = _s - (_o << 1) # --capacity
_r = _s - _c # --bitrate
_w = _s / 25 # --wordsize
_i = 1 # --iterations
_j = 1 # --squeezes
(binary, hex, multi) = (False, False, 0)
files = []
dashed = False
linger = None
for arg in args + [None]:
if linger is not None:
if linger[0] in ('-h', '--help'):
sys.stderr.buffer.write(('''
SHA-3/Keccak checksum calculator
USAGE: sha3sum [option...] < file
sha3sum [option...] file...
OPTIONS:
-r BITRATE
--bitrate The bitrate to use for SHA-3. (default: %d)
-c CAPACITY
--capacity The capacity to use for SHA-3. (default: %d)
-w WORDSIZE
--wordsize The word size to use for SHA-3. (default: %d)
-o OUTPUTSIZE
--outputsize The output size to use for SHA-3. (default: %d)
-s STATESIZE
--statesize The state size to use for SHA-3. (default: %d)
-i ITERATIONS
--iterations The number of hash iterations to run. (default: %d)
-j SQUEEZES
--squeezes The number of hash squeezes to run. (default: %d)
-h
--hex Read the input in hexadecimal, rather than binary.
-b
--binary Print the checksum in binary, rather than hexadecimal.
-m
--multi Print the chechsum at all iterations.
COPYRIGHT:
Copyright © 2013 Mattias Andrée (maandree@member.fsf.org)
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
''' % (_r, _c, _w, _o, _s, _i, _j)).encode('utf-8'))
sys.stderr.buffer.flush()
exit(0)
else:
if linger[1] is None:
linger[1] = arg
arg = None
if linger[0] in ('-r', '--bitrate'):
R = int(linger[1])
elif linger[0] in ('-c', '--capacity'):
C = int(linger[1])
elif linger[0] in ('-w', '--wordsize'):
W = int(linger[1])
elif linger[0] in ('-o', '--outputsize'):
O = int(linger[1])
elif linger[0] in ('-s', '--statesize'):
S = int(linger[1])
elif linger[0] in ('-i', '--iterations'):
I = int(linger[1])
elif linger[0] in ('-j', '--squeezes'):
J = int(linger[1])
else:
printerr(sys.argv[0] + ': unrecognised option: ' + linger[0])
sys.exit(1)
linger = None
if arg is None:
continue
if arg is None:
continue
if dashed:
files.append(None if arg == '-' else arg)
elif arg == '--':
dashed = True
elif arg == '-':
files.append(None)
elif arg.startswith('--'):
if '=' in arg:
linger = (arg[:arg.find('=')], arg[arg.find('=') + 1:])
else:
if arg == '--binary':
binary = True
elif arg == '--multi':
multi += 1
elif arg == '--hex':
hex = True
else:
linger = [arg, None]
elif arg.startswith('-'):
arg = arg[1:]
if arg[0] == 'b':
binary = True
arg = arg[1:]
elif arg[0] == 'b':
multi += 1
arg = arg[1:]
elif arg[0] == 'h':
hex = True
arg = arg[1:]
elif len(arg) == 1:
linger = ['-' + arg, None]
else:
linger = ['-' + arg[0], arg[1:]]
else:
files.append(arg)
i = _i if I is None else I
j = _j if J is None else J
if S is not None:
s = S
if ((s <= 0) or (s > 1600) or (s % 25 != 0)):
printerr(cmd + ': the state size must be a positive multiple of 25 and is limited to 1600.')
sys.exit(6)
if W is not None:
w = W
if (w <= 0) or (w > 64):
printerr(cmd + ': the word size must be positive and is limited to 64.')
sys.exit(6)
if (S is not None) and (s != w * 25):
printerr(cmd + ': the state size must be 25 times of the word size.')
sys.exit(6)
elif S is None:
S = w * 25
if C is not None:
c = C
if (c <= 0) or ((c & 7) != 0):
printerr(cmd + ': the capacity must be a positive multiple of 8.')
sys.exit(6)
if R is not None:
r = R
if (r <= 0) or ((r & 7) != 0):
printerr(cmd + ': the bitrate must be a positive multiple of 8.')
sys.exit(6)
if O is not None:
o = O
if o <= 0:
printerr(cmd + ': the output size must be positive.')
sys.exit(6)
if (R is None) and (C is None) and (O is None): ## s?
s = _s if S is None else s
o = (((s << 5) // 100 + 7) >> 3) << 3
r = o << 1
c = s - r
o = 8 if o < 8 else o
elif (R is None) and (C is None): ## !o s?
r = _r
c = _c
s = (r + c) if S is None else s
elif R is None: ## !c o? s?
s = _s if S is None else s
r = s - c
o = (8 if c == 8 else (c << 1)) if O is None else o
elif C is None: ## !r o? s?
s = _s if S is None else s
c = s - r
o = (8 if c == 8 else (c << 1)) if O is None else o
else: ## !r !c o? s?
s = (r + c) if S is None else s
o = (8 if c == 8 else (c << 1)) if O is None else o
printerr('Bitrate: %d' % r)
printerr('Capacity: %d' % c)
printerr('Word size: %d' % w)
printerr('State size: %d' % s)
printerr('Output size: %d' % o)
printerr('Iterations: %d' % i)
printerr('Squeezes: %d' % j)
if r > s:
printerr(cmd + ': the bitrate must not be higher than the state size.')
sys.exit(6)
if c > s:
printerr(cmd + ': the capacity must not be higher than the state size.')
sys.exit(6)
if r + c != s:
printerr(cmd + ': the sum of the bitrate and the capacity must equal the state size.')
sys.exit(6)
if len(files) == 0:
files.append(None)
if i < 1:
printerr(cmd + ': sorry, I will only do at least one hash iteration!\n')
sys.exit(3)
if j < 1:
printerr(cmd + ': sorry, I will only do at least one squeeze iteration!\n')
sys.exit(3)
stdin = None
fail = False
for filename in files:
rc = ''
fn = '/dev/stdin' if filename is None else filename
with open(fn, 'rb') as file:
try:
if (filename is not None) or (stdin is None):
SHA3.initialise(r, c, o)
blksize = 4096
try:
blksize = os.stat(os.path.realpath(fn)).st_blksize
except:
pass
while True:
chunk = file.read(blksize)
if len(chunk) == 0:
break
if not hex:
SHA3.update(chunk)
else:
chunk = list(chunk)
n = len(chunk) >> 1
for _ in range(n):
(a, b) = (chunk[_ << 1], chunk[(_ << 1 | 1)])
a = ((a & 15) + (0 if a <= '9' else 9)) << 4
b = (b & 15) + (0 if b <= '9' else 0)
chunk[_] = a | b
SHA3.update(bytes(chunk), n)
bs = SHA3.digest(j == 1)
if j > 2:
SHA3.fastSqueeze(j - 2)
if j > 1:
bs = SHA3.squeeze();
if filename is None:
stdin = bs
else:
bs = stdin
if multi == 0:
for _ in range(i - 1):
SHA3.initialise(r, c, o)
bs = SHA3.digest(bs, j == 1)
if j > 2:
SHA3.fastSqueeze(j - 2)
if j > 1:
bs = SHA3.squeeze();
if binary:
sys.stdout.buffer.write(bs)
else:
for b in bs:
rc += "0123456789ABCDEF"[b >> 4]
rc += "0123456789ABCDEF"[b & 15]
rc += ' ' + ('-' if filename is None else filename) + '\n'
sys.stdout.buffer.write(rc.encode('utf-8'))
elif multi == 1:
if binary:
sys.stdout.buffer.write(bs)
else:
for b in bs:
rc += "0123456789ABCDEF"[b >> 4]
rc += "0123456789ABCDEF"[b & 15]
rc += '\n'
sys.stdout.buffer.write(rc.encode('UTF-8'))
for _ in range(i - 1):
SHA3.initialise(r, c, o)
bs = SHA3.digest(bs, j == 1)
if j > 2:
SHA3.fastSqueeze(j - 2)
if j > 1:
bs = SHA3.squeeze();
if binary:
sys.stdout.buffer.write(bs);
else:
rc = ''
for b in bs:
rc += "0123456789ABCDEF"[b >> 4]
rc += "0123456789ABCDEF"[b & 15]
rc += '\n'
sys.stdout.buffer.write(rc.encode('UTF-8'))
else:
got = set()
loop = None
for _ in range(i):
if _ > 0:
pass
rc = ''
for b in bs:
rc += "0123456789ABCDEF"[b >> 4]
rc += "0123456789ABCDEF"[b & 15]
if loop is None:
if rc in got:
loop = rc
else:
got.add(rc)
if loop == rc:
rc = '\033[31m%s\033[00m' % rc;
sys.stdout.buffer.write(rc.encode('utf-8'))
sys.stdout.buffer.flush()
if loop is not None:
printerr('\033[01;31mLoop found\033[00m')
sys.stdout.buffer.flush()
except Exception as err:
printerr(cmd + ': connot read file: ' + fn + ': ' + str(err))
fail = True
sys.stdout.buffer.flush()
if fail:
sys.exit(5)