-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathchallenge32_server.py
75 lines (65 loc) · 2.77 KB
/
challenge32_server.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
from http.server import BaseHTTPRequestHandler, HTTPServer
import time
from hashing import sha1
from utils import xor, bitstring_to_bytes
import struct
from urllib.parse import urlparse, parse_qs
hostName = "localhost"
serverPort = 8888
key = b'mangobay'
# --------------------------------------------------------
# ---------------------- functions -----------------------
# --------------------------------------------------------
def hmac(key: bytes, message: bytes, hash, blockSize: int, outputsize: int) -> str:
block_sized_key = computeBlockSizedKey(key, hash, blockSize, outputsize)
o_key_pad = xor(block_sized_key, b'\x5c' * blockSize) # Outer padded key
i_key_pad = xor(block_sized_key, b'\x36' * blockSize) # Inner padded key
return hash(o_key_pad + in_bytes(hash(i_key_pad + message).hexdigest(), outputsize)).hexdigest()
def computeBlockSizedKey(key, hash, blockSize, outputsize):
# Keys longer than blockSize are shortened by hashing them
if (len(key) > blockSize):
key = in_bytes(hash(key).hexdigest(), outputsize)
# Keys shorter than blockSize are padded to blockSize by padding with zeros on the right
if (len(key) < blockSize):
return key + b'\x00'*(blockSize-len(key))
return key
def in_bytes(hexstr, outputsize):
# takes a hex-string and returns bytes representation of it
# inefficient, there are easier ways
hexint = int(hexstr, 16)
hexbin = bin(hexint)[2:].rjust(outputsize*8, '0')
return bitstring_to_bytes(hexbin)
class MyServer(BaseHTTPRequestHandler):
def do_GET(self):
try:
params = parse_qs(urlparse(self.path).query)
filename = params.get('file')[0].encode()
given_signature = params.get('signature')[0]
valid_signature = hmac(key, filename, sha1, 64, 20)
print(f"{filename = }\n{given_signature = }\n{valid_signature = }")
valid = self.insecure_compare(given_signature, valid_signature)
if valid:
self.send_response(200)
else:
self.send_response(500)
self.send_header('Content-Type', 'text/html' )
self.end_headers()
except:
self.send_response(400)
def insecure_compare(self, sig_a, sig_b):
if len(sig_b) != len(sig_a):
return False
for byte_index in range(len(sig_a)):
if sig_a[byte_index] != sig_b[byte_index]:
return False
time.sleep(0.0033)
return True
if __name__ == "__main__":
webServer = HTTPServer((hostName, serverPort), MyServer)
print("Server started http://%s:%s" % (hostName, serverPort))
try:
webServer.serve_forever()
except KeyboardInterrupt:
pass
webServer.server_close()
print("Server stopped.")