-
Notifications
You must be signed in to change notification settings - Fork 124
/
padding_oracle.py
34 lines (27 loc) · 1.01 KB
/
padding_oracle.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
import logging
from Crypto.Util.strxor import strxor
def _attack_block(padding_oracle, iv, c):
logging.info(f"Attacking block {c.hex()}...")
r = bytes()
for i in reversed(range(16)):
s = bytes([16 - i] * (16 - i))
for b in range(256):
iv_ = bytes(i) + strxor(s, bytes([b]) + r)
if padding_oracle(iv_, c):
r = bytes([b]) + r
break
else:
raise ValueError(f"Unable to find decryption for {s}, {iv}, and {c}")
return strxor(iv, r)
def attack(padding_oracle, iv, c):
"""
Recovers the plaintext using the padding oracle attack.
:param padding_oracle: the padding oracle, returns True if the padding is correct, False otherwise
:param iv: the initialization vector
:param c: the ciphertext
:return: the (padded) plaintext
"""
p = _attack_block(padding_oracle, iv, c[0:16])
for i in range(16, len(c), 16):
p += _attack_block(padding_oracle, c[i - 16:i], c[i:i + 16])
return p