Diffstat (limited to 'app.py')
-rw-r--r--app.py39
1 files changed, 39 insertions, 0 deletions
diff --git a/app.py b/app.py
new file mode 100644
index 0000000..2177e9c
--- /dev/null
+++ b/app.py
@@ -0,0 +1,39 @@
+import binascii
+
+from flask import Flask, render_template, request, redirect, url_for
+
+from aesgcmanalysis import xor, gmac, gcm_encrypt, nonce_reuse_recover_secrets, gf128_to_bytes
+
+app = Flask(__name__)
+
+@app.route('/')
+def index():
+ return render_template('index.html')
+
+@app.route('/nonce-reuse', methods=['GET', 'POST'])
+def nonce_reuse():
+ key = nonce = c_forged = macs = None
+ m1 = m2 = mf = ''
+ if request.method == 'POST':
+ key = binascii.unhexlify(request.form['key'])
+ nonce = binascii.unhexlify(request.form['nonce'])
+ m1 = request.form['m1']
+ m2 = request.form['m2']
+ mf = request.form['mf']
+ c_forged, macs = solve(key, nonce, bytes(m1, 'ascii'), bytes(m2, 'ascii'), bytes(mf, 'ascii'))
+ return render_template('nonce-reuse.html', key=key, nonce=nonce, m1=m1, m2=m2, mf=mf, c_forged=c_forged, macs=macs)
+
+def solve(k, nonce, m1, m2, mf):
+ aad1 = aad2 = b""
+ c1, mac1 = gcm_encrypt(k, nonce, aad1, m1)
+ c2, mac2 = gcm_encrypt(k, nonce, aad2, m2)
+
+ possible_secrets = nonce_reuse_recover_secrets(nonce, aad1, aad2, c1, c2, mac1, mac2)
+ c_forged = xor(c1, xor(m1, mf))
+ aad_forged = b""
+ macs = []
+ for h, s in possible_secrets:
+ mac = gmac(h, s, aad_forged, c_forged)
+ macs.append((gf128_to_bytes(h), s, mac))
+ return c_forged, macs
+
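Review bot: In `nonce_reuse`, the POST branch passes untrusted form fields straight into `binascii.unhexlify` and `bytes(..., 'ascii')` with no validation, so a missing field, odd-length or non-hex `key`/`nonce`, or a non-ASCII message raises `KeyError`, `binascii.Error` or `UnicodeEncodeError` and surfaces as an unhandled 500 rather than a form error. The length relationship between `m1` and `mf` is also not checked before `xor(c1, xor(m1, mf))` in `solve`; what happens on a length mismatch depends on `xor` from `aesgcmanalysis`, which is not visible here, so it is worth either asserting equal lengths or documenting the contract. A small guard that catches those exceptions and renders the message back into the template keeps the demo usable on bad input, as sketched below. `solve` would also benefit from a docstring stating that it deliberately reuses `nonce` for both encryptions and returns the forged ciphertext plus one `(h, s, mac)` candidate per recovered secret.
```python
    if request.method == 'POST':
        try:
            key = binascii.unhexlify(request.form['key'])
            nonce = binascii.unhexlify(request.form['nonce'])
            m1, m2, mf = (request.form[k] for k in ('m1', 'm2', 'mf'))
            if len(mf) != len(m1):
                raise ValueError('mf must have the same length as m1')
            c_forged, macs = solve(key, nonce, bytes(m1, 'ascii'), bytes(m2, 'ascii'), bytes(mf, 'ascii'))
        except (KeyError, ValueError, binascii.Error, UnicodeEncodeError) as exc:
            error = str(exc)  # rendered into the form; error starts as None
    # … unchanged: render_template call, with error=error added …
```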