-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path31.py
87 lines (70 loc) · 2.15 KB
/
31.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
# HMAC-SHA1
import os
import hashlib
import base64
import binascii
import numpy as np
def to_bytes(d, format):
if isinstance(d, (bytes, bytearray)):
return d
elif format == 'hex':
return bytes(bytearray.fromhex(d))
elif format == 'base64':
return base64.b64decode(d)
elif format == 'str' or format == 'bytes':
return d.encode()
elif format == 'int':
return to_bytes(hex(d)[2:], 'hex')
def bytes_to(b, format):
if not isinstance(b, (bytes, bytearray)):
return b
elif format == 'hex':
return binascii.hexlify(b).decode()
elif format == 'base64':
return base64.b64encode(b).decode()
elif format == 'str':
return b.decode()
elif format == 'bytes':
return b
elif format == 'int':
return int(bytes_to(b, 'hex')[2:], 16)
def xor(d1, d2, format):
b1,b2 = to_bytes(d1, format), to_bytes(d2, format)
return bytes_to(bytes(char1 ^ char2 for char1,char2 in zip(b1,b2)), format)
class HMACSHA1:
def __init__(self, key=None):
# Generate a key at init
self._key = key
if key is None:
self._key = os.urandom(16)
# Padded key :
self._paddedkey = self._key + b'\x00'*(64-len(self._key))
def generate(self, m):
# Generate a MAC
hasher = hashlib.sha1()
block1 = xor(self._paddedkey, b'\x36'*64, 'bytes')
hasher.update(block1 + m)
hash1 = hasher.digest()
block2 = xor(self._paddedkey, b'\x5c'*64, 'bytes')
hasher = hashlib.sha1()
hasher.update(block2 + hash1)
return hasher.digest()
# Webserver
import time
from flask import Flask, request
app = Flask(__name__)
hmac_oracle = HMACSHA1()
@app.route("/")
def hashmac():
signature = request.args.get('signature')
content = to_bytes(request.args.get('content'), 'hex')
hmac = to_bytes(signature, 'hex')
real_hmac = hmac_oracle.generate(content)
# Insecure compare
for i in range(len(real_hmac)):
if real_hmac[i] != hmac[i]:
return "false"
time.sleep(0.05)
return "true"
if __name__ == '__main__':
app.run('127.0.0.1', 9999)