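def HMAC(message, key):
    """Compute a keyed hash of message using the file's sha1 helper.

    Uses the HMAC layout with a 64-byte block: the key is normalised to
    exactly 64 bytes, XORed with the 0x36 and 0x5C pads, and the result
    is sha1(outer_pad + sha1(inner_pad + message)).

    Args:
        message: bytestring to authenticate.
        key: secret key as a bytestring of any length.

    Returns:
        Whatever sha1() returns for the outer hash.
        NOTE(review): assumes sha1() returns the raw digest as a
        bytestring rather than hex -- confirm against its definition.
    """
    block_size = 64
    if len(key) > block_size:
        key = sha1(key)
    # Deliberately `if`, not `elif`: a key that was just hashed is shorter
    # than the block and must still be zero-padded up to block_size.
    if len(key) < block_size:
        key += '\x00' * (block_size - len(key))
    inner_pad = fixedXOR(key, '\x36' * block_size)
    outer_pad = fixedXOR(key, '\x5C' * block_size)
    # The original referenced an undefined name `outerpad` here, so every
    # call raised NameError before producing a tag.
    # Callers verifying a tag should use a constant-time comparison
    # (e.g. hmac.compare_digest) rather than ==.
    return sha1(outer_pad + sha1(inner_pad + message))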
def HMAC(message, key):
    """Return a hex-encoded SHA-256 keyed hash of message under key.

    The layout mirrors HMAC's inner/outer pads with a 64-byte block, but
    every intermediate hash (the long-key reduction and the inner hash)
    is fed forward as its hexdigest() string, not as raw digest bytes.

    NOTE(review): because of that hex encoding the result will not equal
    a standard RFC 2104 HMAC-SHA256 (e.g. the stdlib hmac module) for
    the same inputs -- confirm no peer expects interoperability. When
    verifying a tag, compare with a constant-time comparison.

    Args:
        message: bytestring to authenticate.
        key: secret key as a bytestring of any length.

    Returns:
        The outer SHA-256 hash as a 64-character hex string.
    """
    block_size = 64
    key_length = len(key)
    if key_length > block_size:
        # A SHA-256 hexdigest is 64 characters, i.e. exactly one block.
        key = hashlib.sha256(key).hexdigest()
    elif key_length < block_size:
        key += '\x00' * (block_size - key_length)
    ipad_key = fixedXOR(key, '\x36' * block_size)
    opad_key = fixedXOR(key, '\x5C' * block_size)
    inner_hex = hashlib.sha256(ipad_key + message).hexdigest()
    return hashlib.sha256(opad_key + inner_hex).hexdigest()
def decAESCBC_keep_padding(ctext, key):
    """Decrypt ctext as AES-CBC under key with an all-zero IV.

    CBC is built by hand on the ECB primitive: each 16-byte segment is
    ECB-decrypted and XORed with the previous ciphertext segment (the
    zero IV for the first one). The padding is left in place; nothing is
    validated or stripped.

    Args:
        ctext: ciphertext bytestring, split by make_segments(ctext, 16).
        key: AES key bytestring.

    Returns:
        The decrypted bytestring, padding included.
    """
    segments = make_segments(ctext, 16)
    previous = chr(0) * 16  # fixed all-zero IV
    ecb = AES.new(key, AES.MODE_ECB)
    recovered = ''
    for segment in segments:
        recovered += fixedXOR(previous, ecb.decrypt(segment))
        # CBC chaining: this ciphertext segment masks the next one.
        previous = segment
    return recovered
def decAESCBC(ctext, key):
    """Decrypt ctext as AES-CBC under key and strip the PKCS padding.

    CBC is built by hand on the ECB primitive. The IV is the key itself.

    NOTE(review): using the key as the IV is unsafe outside an exercise.
    recover_key() in this listing shows the key being derived from such
    a scheme; real code should use a fresh random IV per message.

    Args:
        ctext: ciphertext bytestring, split by make_segments(ctext, 16).
        key: AES key bytestring, also used as the IV.

    Returns:
        The result of check_and_strip_PKCS() on the decrypted data.
    """
    segments = make_segments(ctext, 16)
    previous = key  # IV == key
    ecb = AES.new(key, AES.MODE_ECB)
    recovered = ''
    for segment in segments:
        recovered += fixedXOR(previous, ecb.decrypt(segment))
        # CBC chaining: this ciphertext segment masks the next one.
        previous = segment
    return check_and_strip_PKCS(recovered)
def force_admin():
    """Check whether a tampered ciphertext is accepted by is_admin().

    Encrypts a fixed user-data string with generate_and_encrypt_usrdata(),
    XORs a fixed mask into the ciphertext, and prints whether is_admin()
    accepts the result. The mask is zero for its first 32 bytes and
    non-zero only at a few positions in the segment after that.

    A positive result means the ciphertext carries no integrity
    protection. The usual fix is to authenticate it (MAC or an AEAD
    mode) and verify the tag before decrypting or parsing.
    """
    payload = "Gotch;dmi=rue"
    encrypted = generate_and_encrypt_usrdata(payload)
    mask = (
        '\x00'*32
        + '\x00\x00\x00\x00\x00F\x00F\x00\x00\x00I\x00S\x00\x00\x00'
        + '\x00'*42
    )
    tampered = fixedXOR(encrypted, mask)
    verdict = 'Yessssss' if is_admin(tampered) else 'Aw, peas.'
    print(verdict)
def decrypt_and_validate(ctext):
    """Decrypt ctext with the fixed oracle key, then validate the result.

    Hand-built AES-CBC decryption in which fixed_oracle_key is both the
    AES key and the IV. The decrypted data is passed to ascii_compliant()
    and then to check_and_strip_PKCS().

    NOTE(review): recover_key() in this listing reads plaintext out of a
    ValueError message after calling this function, so ascii_compliant()
    presumably raises with the decrypted bytes embedded -- confirm. Error
    paths should not echo decrypted data back to the caller.

    Args:
        ctext: ciphertext bytestring, split by make_segments(ctext, 16).

    Returns:
        The result of check_and_strip_PKCS() on the decrypted data.
    """
    segments = make_segments(ctext, 16)
    previous = fixed_oracle_key  # IV == key
    ecb = AES.new(fixed_oracle_key, AES.MODE_ECB)
    recovered = ''
    for segment in segments:
        recovered += fixedXOR(previous, ecb.decrypt(segment))
        previous = segment
    # Return value is ignored; the call matters only for what it raises.
    ascii_compliant(recovered)
    return check_and_strip_PKCS(recovered)
def AESCTR(ptext, key, nonce=None):
    """XOR ptext with an AES-CTR keystream derived from key and nonce.

    Each counter block is nonce + struct.pack('<q', counter), with the
    counter starting at 0 and rising by one per 16-byte chunk. The block
    is ECB-encrypted and XORed with the matching chunk of ptext. Since
    the operation is a plain XOR with the keystream, the same call is
    used for both encryption and decryption.

    Args:
        ptext: input bytestring.
        key: AES key bytestring.
        nonce: little-endian bytestring; defaults to eight zero bytes.

    Returns:
        The XORed bytestring.

    NOTE(review): the default all-zero nonce yields the same keystream
    for every message under a given key. Callers encrypting more than
    one message should pass a unique nonce each time.
    """
    if nonce is None:
        nonce = chr(0) * 8
    ecb = AES.new(key, AES.MODE_ECB)
    output = ''
    counter = 0
    counter_block = nonce + struct.pack('<q', counter)
    offset = 0
    while offset < len(ptext):
        keystream = ecb.encrypt(counter_block)
        output += fixedXOR(ptext[offset:offset + 16], keystream)
        counter += 1
        counter_block = nonce + struct.pack('<q', counter)
        offset += 16
    return output
def recover_key():
    """Show that the IV-equals-key CBC oracle in this file leaks its key.

    Encrypts a known three-block plaintext with encAESCBC(), submits
    (first ciphertext block, sixteen zero bytes, first ciphertext block)
    to decrypt_and_validate(), and reads the decrypted bytes back out of
    the ValueError message. XORing the first and third decrypted blocks
    gives the value printed as the recovered key, next to the real one.

    Two properties of the scheme make this possible: the key doubles as
    the IV, and the validation error echoes decrypted data. A random
    per-message IV, authentication before decryption, and errors that
    carry no plaintext remove the leak.
    """
    known = 'A'*16 + 'B'*16 + 'C'*16
    encrypted = encAESCBC(known, fixed_oracle_key)
    first_block = encrypted[:16]
    maul = first_block + '\x00'*16 + first_block
    # If no ValueError is raised, the XOR below runs over the known
    # plaintext and the printed "recovered" value is meaningless.
    leaked = known
    try:
        decrypt_and_validate(maul)
    except ValueError as e:
        # Skips the first 30 characters of the message -- presumably a
        # fixed prefix before the echoed plaintext; verify against the
        # code that raises it.
        leaked = e.message[30:]
    key = fixedXOR(leaked[:16], leaked[32:])
    print('Key recovered: ' + repr(key))
    print('Actual key: ' + repr(fixed_oracle_key))
def encAESCBC(ptext, key):
    """Encrypt ptext under key with AES in CBC mode, using key as the IV.

    CBC is built by hand on the pycrypto ECB primitive, so inputs and
    output follow that primitive's rules (bytestrings). The plaintext is
    passed through PKCS() with a pad length of 16 - (len(ptext) % 16),
    i.e. between 1 and 16, so aligned input gets a pad length of 16.

    NOTE(review): using the key as the IV is unsafe outside an exercise.
    recover_key() in this listing shows the key being derived from such
    a scheme; real code should use a fresh random IV per message.

    Args:
        ptext: plaintext bytestring.
        key: AES key bytestring, also used as the IV.

    Returns:
        The ciphertext bytestring (no IV is prepended).
    """
    ecb = AES.new(key, AES.MODE_ECB)
    padded = PKCS(ptext, 16 - (len(ptext) % 16))
    previous = key  # IV == key
    ctext = ''
    for segment in make_segments(padded, 16):
        # encrypt() needs a string or read-only buffer as input.
        previous = ecb.encrypt(fixedXOR(previous, segment))
        ctext += previous
    return ctext
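def MTCTR(ptext, seed):
    """XOR ptext with a keystream drawn from MT19937(seed).

    One generator output is consumed per 4-byte chunk of ptext and
    packed as a 4-byte little-endian word before the XOR. As the
    operation is a plain XOR, the same call encrypts and decrypts.

    Args:
        ptext: input bytestring.
        seed: value passed to MT19937(); it acts as the key.

    Returns:
        The XORed bytestring.

    NOTE(review): the Mersenne Twister is not a cryptographically secure
    generator, so this construction is not suitable for protecting real
    data.
    """
    generator = MT19937(seed)
    ctext = ''
    for i in xrange(0, len(ptext), 4):
        # The original used the native 'l' format, whose size, signedness
        # and byte order depend on the platform (8 bytes on LP64 builds).
        # '<L' pins the word to 4 unsigned little-endian bytes. The mask
        # keeps the low 32 bits, which is what a truncating XOR saw on a
        # little-endian LP64 build.
        # NOTE(review): assumes fixedXOR truncates to the shorter input,
        # as the final short chunk already requires -- confirm.
        word = struct.pack('<L', generator.extract_number() & 0xFFFFFFFF)
        ctext += fixedXOR(ptext[i:i + 4], word)
    return ctext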
def recover_plaintext():
    """Recover the plaintext behind get_ctext() via the edit() interface.

    Asks edit() to replace the whole message, from offset 0, with zero
    bytes, and XORs what comes back with the original ciphertext.

    NOTE(review): this works only if edit() re-encrypts the replacement
    under the same keystream as the original -- confirm against its
    definition. In that case the all-zero replacement returns the
    keystream itself. An edit interface should re-encrypt under a fresh
    nonce instead of reusing keystream.

    Returns:
        The result of XORing the edit() output with the ciphertext.
    """
    original = get_ctext()
    zeros = chr(0)*len(original)
    keystream = edit(original, 0, zeros)
    return fixedXOR(keystream, original)