From 6a5b0c821e34ea9f2abd1b93231729fbbb7d3006 Mon Sep 17 00:00:00 2001 From: "R. Yushaev" <44146334+Naufragous@users.noreply.github.com> Date: Thu, 6 Dec 2018 18:00:09 +0100 Subject: [PATCH] Add support for Open Document Format 1.2 Contains a kernel for the latest ODF 1.2 encryption implemented in LibreOffice. The algorithm uses a SHA-256 checksum, a PBKDF2-HMAC-SHA1 key derivation with 100000 iterations and key stretching and AES-CBC encryption. Valid hashes can be extracted with the libreoffice2john.py script, available from the John the Ripper Jumbo repository at https://github.com/magnumripper/JohnTheRipper/blob/bleeding-jumbo/run/libreoffice2john.py You have to remove the filename suffix at the end of the hash before passing it to hashcat. Also see 'hashcat -m18400 --example-hashes'. You can leave the filename prefix if you use the --username option to process those hashes. - Add hash-mode 18400 (Open Document Format (ODF) 1.2 (SHA-256, AES)) - Tests: add hash-mode 18400 (Open Document Format (ODF) 1.2 (SHA-256, AES)) --- OpenCL/inc_types.cl | 19 ++ OpenCL/m18400-pure.cl | 452 ++++++++++++++++++++++++++++++++ docs/changes.txt | 12 + docs/readme.txt | 1 + extra/tab_completion/hashcat.sh | 2 +- include/interface.h | 22 ++ src/interface.c | 230 ++++++++++++++++ src/usage.c | 1 + tools/test.pl | 135 +++++++++- tools/test.sh | 4 +- 10 files changed, 874 insertions(+), 4 deletions(-) create mode 100644 OpenCL/m18400-pure.cl diff --git a/OpenCL/inc_types.cl b/OpenCL/inc_types.cl index 8ec01125f..6d56ebb12 100644 --- a/OpenCL/inc_types.cl +++ b/OpenCL/inc_types.cl @@ -1403,6 +1403,25 @@ typedef struct oldoffice34 } oldoffice34_t; +typedef struct odf12_tmp +{ + u32 ipad[5]; + u32 opad[5]; + + u32 dgst[10]; + u32 out[10]; + +} odf12_tmp_t; + +typedef struct odf12 +{ + u32 iterations; + u32 iv[4]; + u32 checksum[8]; + u32 encrypted_data[256]; + +} odf12_t; + typedef struct pstoken { u32 salt_buf[128]; diff --git a/OpenCL/m18400-pure.cl b/OpenCL/m18400-pure.cl new file mode 100644 index 000000000..a2377649b --- /dev/null +++ b/OpenCL/m18400-pure.cl @@ -0,0 +1,452 @@ +/** + * Author......: See docs/credits.txt + * License.....: MIT + */ + +#define NEW_SIMD_CODE + +#include "inc_vendor.cl" +#include "inc_hash_constants.h" +#include "inc_hash_functions.cl" +#include "inc_types.cl" +#include "inc_common.cl" +#include "inc_simd.cl" +#include "inc_hash_sha1.cl" +#include "inc_hash_sha256.cl" +#include "inc_cipher_aes.cl" + +#define COMPARE_S "inc_comp_single.cl" +#define COMPARE_M "inc_comp_multi.cl" + +DECLSPEC void hmac_sha1_run_V (u32x *w0, u32x *w1, u32x *w2, u32x *w3, u32x *ipad, u32x *opad, u32x *digest) +{ + digest[0] = ipad[0]; + digest[1] = ipad[1]; + digest[2] = ipad[2]; + digest[3] = ipad[3]; + digest[4] = ipad[4]; + + sha1_transform_vector (w0, w1, w2, w3, digest); + + w0[0] = digest[0]; + w0[1] = digest[1]; + w0[2] = digest[2]; + w0[3] = digest[3]; + w1[0] = digest[4]; + w1[1] = 0x80000000; + w1[2] = 0; + w1[3] = 0; + w2[0] = 0; + w2[1] = 0; + w2[2] = 0; + w2[3] = 0; + w3[0] = 0; + w3[1] = 0; + w3[2] = 0; + w3[3] = (64 + 20) * 8; + + digest[0] = opad[0]; + digest[1] = opad[1]; + digest[2] = opad[2]; + digest[3] = opad[3]; + digest[4] = opad[4]; + + sha1_transform_vector (w0, w1, w2, w3, digest); +} + +__kernel void m18400_init (KERN_ATTR_TMPS_ESALT (odf12_tmp_t, odf12_t)) +{ + /** + * base + */ + + const u64 gid = get_global_id (0); + + if (gid >= gid_max) return; + + sha256_ctx_t sha256_ctx; + + sha256_init (&sha256_ctx); + + sha256_update_global_swap (&sha256_ctx, pws[gid].i, pws[gid].pw_len); + + sha256_final (&sha256_ctx); + + // hmac key = hashed passphrase + u32 k0[4]; + u32 k1[4]; + u32 k2[4]; + u32 k3[4]; + + k0[0] = sha256_ctx.h[0]; + k0[1] = sha256_ctx.h[1]; + k0[2] = sha256_ctx.h[2]; + k0[3] = sha256_ctx.h[3]; + k1[0] = sha256_ctx.h[4]; + k1[1] = sha256_ctx.h[5]; + k1[2] = sha256_ctx.h[6]; + k1[3] = sha256_ctx.h[7]; + k2[0] = 0; + k2[1] = 0; + k2[2] = 0; + k2[3] = 0; + k3[0] = 0; + k3[1] = 0; + k3[2] = 0; + k3[3] = 0; + + // hmac message = salt + u32 m0[4]; + u32 m1[4]; + u32 m2[4]; + u32 m3[4]; + + m0[0] = swap32_S (salt_bufs[digests_offset].salt_buf[0]); + m0[1] = swap32_S (salt_bufs[digests_offset].salt_buf[1]); + m0[2] = swap32_S (salt_bufs[digests_offset].salt_buf[2]); + m0[3] = swap32_S (salt_bufs[digests_offset].salt_buf[3]); + m1[0] = 0; + m1[1] = 0; + m1[2] = 0; + m1[3] = 0; + m2[0] = 0; + m2[1] = 0; + m2[2] = 0; + m2[3] = 0; + m3[0] = 0; + m3[1] = 0; + m3[2] = 0; + m3[3] = 0; + + sha1_hmac_ctx_t sha1_hmac_ctx; + + sha1_hmac_init_64 (&sha1_hmac_ctx, k0, k1, k2, k3); + + tmps[gid].ipad[0] = sha1_hmac_ctx.ipad.h[0]; + tmps[gid].ipad[1] = sha1_hmac_ctx.ipad.h[1]; + tmps[gid].ipad[2] = sha1_hmac_ctx.ipad.h[2]; + tmps[gid].ipad[3] = sha1_hmac_ctx.ipad.h[3]; + tmps[gid].ipad[4] = sha1_hmac_ctx.ipad.h[4]; + + tmps[gid].opad[0] = sha1_hmac_ctx.opad.h[0]; + tmps[gid].opad[1] = sha1_hmac_ctx.opad.h[1]; + tmps[gid].opad[2] = sha1_hmac_ctx.opad.h[2]; + tmps[gid].opad[3] = sha1_hmac_ctx.opad.h[3]; + tmps[gid].opad[4] = sha1_hmac_ctx.opad.h[4]; + + // first pbkdf iteration; key stretching + for (u32 i = 0, j = 1; i < 8; i += 5, j += 1) + { + m1[0] = j; + + sha1_hmac_ctx_t sha1_hmac_ctx_loop = sha1_hmac_ctx; + + sha1_hmac_update_64 (&sha1_hmac_ctx_loop, m0, m1, m2, m3, 20); + + sha1_hmac_final (&sha1_hmac_ctx_loop); + + tmps[gid].dgst[i + 0] = sha1_hmac_ctx_loop.opad.h[0]; + tmps[gid].dgst[i + 1] = sha1_hmac_ctx_loop.opad.h[1]; + tmps[gid].dgst[i + 2] = sha1_hmac_ctx_loop.opad.h[2]; + tmps[gid].dgst[i + 3] = sha1_hmac_ctx_loop.opad.h[3]; + tmps[gid].dgst[i + 4] = sha1_hmac_ctx_loop.opad.h[4]; + + tmps[gid].out[i + 0] = tmps[gid].dgst[i + 0]; + tmps[gid].out[i + 1] = tmps[gid].dgst[i + 1]; + tmps[gid].out[i + 2] = tmps[gid].dgst[i + 2]; + tmps[gid].out[i + 3] = tmps[gid].dgst[i + 3]; + tmps[gid].out[i + 4] = tmps[gid].dgst[i + 4]; + } +} + +__kernel void m18400_loop (KERN_ATTR_TMPS_ESALT (odf12_tmp_t, odf12_t)) +{ + const u64 gid = get_global_id (0); + + if ((gid * VECT_SIZE) >= gid_max) return; + + u32x ipad[5]; + u32x opad[5]; + + ipad[0] = packv (tmps, ipad, gid, 0); + ipad[1] = packv (tmps, ipad, gid, 1); + ipad[2] = packv (tmps, ipad, gid, 2); + ipad[3] = packv (tmps, ipad, gid, 3); + ipad[4] = packv (tmps, ipad, gid, 4); + + opad[0] = packv (tmps, opad, gid, 0); + opad[1] = packv (tmps, opad, gid, 1); + opad[2] = packv (tmps, opad, gid, 2); + opad[3] = packv (tmps, opad, gid, 3); + opad[4] = packv (tmps, opad, gid, 4); + + // key stretching + for (u32 i = 0; i < 8; i += 5) + { + u32x dgst[5]; + u32x out[5]; + + dgst[0] = packv (tmps, dgst, gid, i + 0); + dgst[1] = packv (tmps, dgst, gid, i + 1); + dgst[2] = packv (tmps, dgst, gid, i + 2); + dgst[3] = packv (tmps, dgst, gid, i + 3); + dgst[4] = packv (tmps, dgst, gid, i + 4); + + out[0] = packv (tmps, out, gid, i + 0); + out[1] = packv (tmps, out, gid, i + 1); + out[2] = packv (tmps, out, gid, i + 2); + out[3] = packv (tmps, out, gid, i + 3); + out[4] = packv (tmps, out, gid, i + 4); + + for (u32 j = 0; j < loop_cnt; j++) + { + u32x w0[4]; + u32x w1[4]; + u32x w2[4]; + u32x w3[4]; + + w0[0] = dgst[0]; + w0[1] = dgst[1]; + w0[2] = dgst[2]; + w0[3] = dgst[3]; + w1[0] = dgst[4]; + w1[1] = 0x80000000; + w1[2] = 0; + w1[3] = 0; + w2[0] = 0; + w2[1] = 0; + w2[2] = 0; + w2[3] = 0; + w3[0] = 0; + w3[1] = 0; + w3[2] = 0; + w3[3] = (64 + 20) * 8; + + hmac_sha1_run_V (w0, w1, w2, w3, ipad, opad, dgst); + + out[0] ^= dgst[0]; + out[1] ^= dgst[1]; + out[2] ^= dgst[2]; + out[3] ^= dgst[3]; + out[4] ^= dgst[4]; + } + + unpackv (tmps, dgst, gid, i + 0, dgst[0]); + unpackv (tmps, dgst, gid, i + 1, dgst[1]); + unpackv (tmps, dgst, gid, i + 2, dgst[2]); + unpackv (tmps, dgst, gid, i + 3, dgst[3]); + unpackv (tmps, dgst, gid, i + 4, dgst[4]); + + unpackv (tmps, out, gid, i + 0, out[0]); + unpackv (tmps, out, gid, i + 1, out[1]); + unpackv (tmps, out, gid, i + 2, out[2]); + unpackv (tmps, out, gid, i + 3, out[3]); + unpackv (tmps, out, gid, i + 4, out[4]); + } +} + +__kernel void m18400_comp (KERN_ATTR_TMPS_ESALT (odf12_tmp_t, odf12_t)) +{ + const u64 gid = get_global_id (0); + const u64 lid = get_local_id (0); + const u64 lsz = get_local_size (0); + + /** + * aes shared + */ + + #ifdef REAL_SHM + + __local u32 s_td0[256]; + __local u32 s_td1[256]; + __local u32 s_td2[256]; + __local u32 s_td3[256]; + __local u32 s_td4[256]; + + __local u32 s_te0[256]; + __local u32 s_te1[256]; + __local u32 s_te2[256]; + __local u32 s_te3[256]; + __local u32 s_te4[256]; + + for (MAYBE_VOLATILE u32 i = lid; i < 256; i += lsz) + { + s_td0[i] = td0[i]; + s_td1[i] = td1[i]; + s_td2[i] = td2[i]; + s_td3[i] = td3[i]; + s_td4[i] = td4[i]; + + s_te0[i] = te0[i]; + s_te1[i] = te1[i]; + s_te2[i] = te2[i]; + s_te3[i] = te3[i]; + s_te4[i] = te4[i]; + } + + barrier (CLK_LOCAL_MEM_FENCE); + + #else + + __constant u32a *s_td0 = td0; + __constant u32a *s_td1 = td1; + __constant u32a *s_td2 = td2; + __constant u32a *s_td3 = td3; + __constant u32a *s_td4 = td4; + + __constant u32a *s_te0 = te0; + __constant u32a *s_te1 = te1; + __constant u32a *s_te2 = te2; + __constant u32a *s_te3 = te3; + __constant u32a *s_te4 = te4; + + #endif + + if (gid >= gid_max) return; + + /** + * base + */ + + u32 ukey[8]; + + ukey[0] = swap32_S (tmps[gid].out[0]); + ukey[1] = swap32_S (tmps[gid].out[1]); + ukey[2] = swap32_S (tmps[gid].out[2]); + ukey[3] = swap32_S (tmps[gid].out[3]); + ukey[4] = swap32_S (tmps[gid].out[4]); + ukey[5] = swap32_S (tmps[gid].out[5]); + ukey[6] = swap32_S (tmps[gid].out[6]); + ukey[7] = swap32_S (tmps[gid].out[7]); + + u32 ks[60]; + + aes256_set_decrypt_key (ks, ukey, s_te0, s_te1, s_te2, s_te3, s_te4, s_td0, s_td1, s_td2, s_td3, s_td4); + + __global const odf12_t *es = &esalt_bufs[digests_offset]; + + u32 iv[4]; + + iv[0] = es->iv[0]; + iv[1] = es->iv[1]; + iv[2] = es->iv[2]; + iv[3] = es->iv[3]; + + u32 ct[4]; + + u32 pt1[4]; + u32 pt2[4]; + u32 pt3[4]; + u32 pt4[4]; + + sha256_ctx_t sha256_ctx; + + sha256_init (&sha256_ctx); + + // decrypt aes-cbc and calculate plaintext checksum at the same time + for (int i = 0; i < 16; i++) + { + const int i16 = i * 16; + + ct[0] = es->encrypted_data[i16 + 0]; + ct[1] = es->encrypted_data[i16 + 1]; + ct[2] = es->encrypted_data[i16 + 2]; + ct[3] = es->encrypted_data[i16 + 3]; + + aes256_decrypt (ks, ct, pt1, s_td0, s_td1, s_td2, s_td3, s_td4); + + pt1[0] ^= iv[0]; + pt1[1] ^= iv[1]; + pt1[2] ^= iv[2]; + pt1[3] ^= iv[3]; + + iv[0] = ct[0]; + iv[1] = ct[1]; + iv[2] = ct[2]; + iv[3] = ct[3]; + + ct[0] = es->encrypted_data[i16 + 4]; + ct[1] = es->encrypted_data[i16 + 5]; + ct[2] = es->encrypted_data[i16 + 6]; + ct[3] = es->encrypted_data[i16 + 7]; + + aes256_decrypt (ks, ct, pt2, s_td0, s_td1, s_td2, s_td3, s_td4); + + pt2[0] ^= iv[0]; + pt2[1] ^= iv[1]; + pt2[2] ^= iv[2]; + pt2[3] ^= iv[3]; + + iv[0] = ct[0]; + iv[1] = ct[1]; + iv[2] = ct[2]; + iv[3] = ct[3]; + + ct[0] = es->encrypted_data[i16 + 8]; + ct[1] = es->encrypted_data[i16 + 9]; + ct[2] = es->encrypted_data[i16 + 10]; + ct[3] = es->encrypted_data[i16 + 11]; + + aes256_decrypt (ks, ct, pt3, s_td0, s_td1, s_td2, s_td3, s_td4); + + pt3[0] ^= iv[0]; + pt3[1] ^= iv[1]; + pt3[2] ^= iv[2]; + pt3[3] ^= iv[3]; + + iv[0] = ct[0]; + iv[1] = ct[1]; + iv[2] = ct[2]; + iv[3] = ct[3]; + + ct[0] = es->encrypted_data[i16 + 12]; + ct[1] = es->encrypted_data[i16 + 13]; + ct[2] = es->encrypted_data[i16 + 14]; + ct[3] = es->encrypted_data[i16 + 15]; + + aes256_decrypt (ks, ct, pt4, s_td0, s_td1, s_td2, s_td3, s_td4); + + pt4[0] ^= iv[0]; + pt4[1] ^= iv[1]; + pt4[2] ^= iv[2]; + pt4[3] ^= iv[3]; + + iv[0] = ct[0]; + iv[1] = ct[1]; + iv[2] = ct[2]; + iv[3] = ct[3]; + + pt1[0] = swap32_S (pt1[0]); + pt1[1] = swap32_S (pt1[1]); + pt1[2] = swap32_S (pt1[2]); + pt1[3] = swap32_S (pt1[3]); + + pt2[0] = swap32_S (pt2[0]); + pt2[1] = swap32_S (pt2[1]); + pt2[2] = swap32_S (pt2[2]); + pt2[3] = swap32_S (pt2[3]); + + pt3[0] = swap32_S (pt3[0]); + pt3[1] = swap32_S (pt3[1]); + pt3[2] = swap32_S (pt3[2]); + pt3[3] = swap32_S (pt3[3]); + + pt4[0] = swap32_S (pt4[0]); + pt4[1] = swap32_S (pt4[1]); + pt4[2] = swap32_S (pt4[2]); + pt4[3] = swap32_S (pt4[3]); + + sha256_update_64 (&sha256_ctx, pt1, pt2, pt3, pt4, 64); + } + + sha256_final (&sha256_ctx); + + const u32 r0 = swap32_S (sha256_ctx.h[0]); + const u32 r1 = swap32_S (sha256_ctx.h[1]); + const u32 r2 = swap32_S (sha256_ctx.h[2]); + const u32 r3 = swap32_S (sha256_ctx.h[3]); + + #define il_pos 0 + + #include COMPARE_M +} diff --git a/docs/changes.txt b/docs/changes.txt index a8b1cfbf4..5f0f7ee87 100644 --- a/docs/changes.txt +++ b/docs/changes.txt @@ -1,11 +1,23 @@ * changes v5.1.0 -> v5.x.x +## +## Algorithms +## + +- Added hash-mode 18400 (Open Document Format (ODF) 1.2 (SHA-256, AES)) + ## ## Bugs ## - Fixed output of IKE PSK (mode 5300 and 5400) hashes to have separators at right position +## +## Technical +## + +- Tests: Added hash-mode 18400 (Open Document Format (ODF) 1.2 (SHA-256, AES)) + * changes v5.0.0 -> v5.1.0 ## diff --git a/docs/readme.txt b/docs/readme.txt index 788ef9ad1..310d47c8d 100644 --- a/docs/readme.txt +++ b/docs/readme.txt @@ -244,6 +244,7 @@ NVIDIA GPUs require "NVIDIA Driver" (367.x or later) - PDF 1.7 Level 3 (Acrobat 9) - PDF 1.7 Level 8 (Acrobat 10 - 11) - Apple Secure Notes +- Open Document Format (ODF) 1.2 (SHA-256, AES) - Password Safe v2 - Password Safe v3 - LastPass + LastPass sniffed diff --git a/extra/tab_completion/hashcat.sh b/extra/tab_completion/hashcat.sh index 17ebbfce4..7a28aa247 100644 --- a/extra/tab_completion/hashcat.sh +++ b/extra/tab_completion/hashcat.sh @@ -176,7 +176,7 @@ _hashcat () { local VERSION=5.1.0 - local HASH_MODES="0 10 11 12 20 21 22 23 30 40 50 60 100 101 110 111 112 120 121 122 124 130 131 132 133 140 141 150 160 200 300 400 500 501 600 900 1000 1100 1400 1410 1411 1420 1421 1430 1440 1441 1450 1460 1500 1600 1700 1710 1711 1720 1722 1730 1731 1740 1750 1760 1800 2100 2400 2410 2500 2501 2600 2611 2612 2711 2811 3000 3100 3200 3710 3711 3800 3910 4010 4110 4300 4400 4500 4520 4521 4522 4700 4800 4900 5100 5200 5300 5400 5500 5600 5700 5800 6000 6100 6211 6212 6213 6221 6222 6223 6231 6232 6233 6241 6242 6243 6300 6400 6500 6600 6700 6800 6900 7000 7100 7200 7300 7400 7500 7700 7800 7900 8000 8100 8200 8300 8400 8500 8600 8700 8800 8900 9000 9100 9200 9300 9400 9500 9600 9700 9710 9720 9800 9810 9820 9900 10000 10100 10200 10300 10400 10410 10420 10500 10600 10700 10800 10900 11000 11100 11200 11300 11400 11500 11600 11700 11800 11850 11860 11900 12000 12001 12100 12200 12300 12400 12500 12600 12700 12800 12900 13000 13100 13200 13300 13400 13500 13600 13800 13900 14000 14100 14700 14800 14900 15000 15100 15200 15300 15400 15500 15600 15700 15900 16000 16100 16200 16300 16400 16500 16600 16700 16800 16801 16900 17300 17400 17500 17600 17700 17800 17900 18000 18100 18200 18300" + local HASH_MODES="0 10 11 12 20 21 22 23 30 40 50 60 100 101 110 111 112 120 121 122 124 130 131 132 133 140 141 150 160 200 300 400 500 501 600 900 1000 1100 1400 1410 1411 1420 1421 1430 1440 1441 1450 1460 1500 1600 1700 1710 1711 1720 1722 1730 1731 1740 1750 1760 1800 2100 2400 2410 2500 2501 2600 2611 2612 2711 2811 3000 3100 3200 3710 3711 3800 3910 4010 4110 4300 4400 4500 4520 4521 4522 4700 4800 4900 5100 5200 5300 5400 5500 5600 5700 5800 6000 6100 6211 6212 6213 6221 6222 6223 6231 6232 6233 6241 6242 6243 6300 6400 6500 6600 6700 6800 6900 7000 7100 7200 7300 7400 7500 7700 7800 7900 8000 8100 8200 8300 8400 8500 8600 8700 8800 8900 9000 9100 9200 9300 9400 9500 9600 9700 9710 9720 9800 9810 9820 9900 10000 10100 10200 10300 10400 10410 10420 10500 10600 10700 10800 10900 11000 11100 11200 11300 11400 11500 11600 11700 11800 11850 11860 11900 12000 12001 12100 12200 12300 12400 12500 12600 12700 12800 12900 13000 13100 13200 13300 13400 13500 13600 13800 13900 14000 14100 14700 14800 14900 15000 15100 15200 15300 15400 15500 15600 15700 15900 16000 16100 16200 16300 16400 16500 16600 16700 16800 16801 16900 17300 17400 17500 17600 17700 17800 17900 18000 18100 18200 18300 18400" local ATTACK_MODES="0 1 3 6 7" local HCCAPX_MESSAGE_PAIRS="0 1 2 3 4 5" local OUTFILE_FORMATS="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15" diff --git a/include/interface.h b/include/interface.h index 0685ede9f..4b9c3215b 100644 --- a/include/interface.h +++ b/include/interface.h @@ -423,6 +423,25 @@ typedef struct oldoffice34 } oldoffice34_t; +typedef struct odf12_tmp +{ + u32 ipad[5]; + u32 opad[5]; + + u32 dgst[10]; + u32 out[10]; + +} odf12_tmp_t; + +typedef struct odf12 +{ + u32 iterations; + u32 iv[4]; + u32 checksum[8]; + u32 encrypted_data[256]; + +} odf12_t; + typedef struct pstoken { u32 salt_buf[128]; @@ -1149,6 +1168,7 @@ typedef enum hash_type HASH_TYPE_WPA_PMKID_PMK = 69, HASH_TYPE_ANSIBLE_VAULT = 70, HASH_TYPE_KRB5ASREP = 71, + HASH_TYPE_ODF12 = 72, } hash_type_t; @@ -1376,6 +1396,7 @@ typedef enum kern_type KERN_TYPE_TOTP_HMACSHA1 = 18100, KERN_TYPE_KRB5ASREP = 18200, KERN_TYPE_APFS = 18300, + KERN_TYPE_ODF12 = 18400, KERN_TYPE_PLAINTEXT = 99999, } kern_type_t; @@ -1419,6 +1440,7 @@ typedef enum rounds_count ROUNDS_OFFICE2007 = 50000, ROUNDS_OFFICE2010 = 100000, ROUNDS_OFFICE2013 = 100000, + ROUNDS_LIBREOFFICE = 100000, ROUNDS_DJANGOPBKDF2 = 20000, ROUNDS_SAPH_SHA1 = 1024, ROUNDS_PDF14 = (50 + 20), diff --git a/src/interface.c b/src/interface.c index 4eec6b01f..b20f96307 100644 --- a/src/interface.c +++ b/src/interface.c @@ -299,6 +299,7 @@ static const char *ST_HASH_18000 = "2fbf5c9080f0a704de2e915ba8fdae6ab00bbc026b2c static const char *ST_HASH_18100 = "597056:3600"; static const char *ST_HASH_18200 = "$krb5asrep$23$user@domain.com:3e156ada591263b8aab0965f5aebd837$007497cb51b6c8116d6407a782ea0e1c5402b17db7afa6b05a6d30ed164a9933c754d720e279c6c573679bd27128fe77e5fea1f72334c1193c8ff0b370fadc6368bf2d49bbfdba4c5dccab95e8c8ebfdc75f438a0797dbfb2f8a1a5f4c423f9bfc1fea483342a11bd56a216f4d5158ccc4b224b52894fadfba3957dfe4b6b8f5f9f9fe422811a314768673e0c924340b8ccb84775ce9defaa3baa0910b676ad0036d13032b0dd94e3b13903cc738a7b6d00b0b3c210d1f972a6c7cae9bd3c959acf7565be528fc179118f28c679f6deeee1456f0781eb8154e18e49cb27b64bf74cd7112a0ebae2102ac"; static const char *ST_HASH_18300 = "$fvde$2$16$58778104701476542047675521040224$20000$39602e86b7cea4a34f4ff69ff6ed706d68954ee474de1d2a9f6a6f2d24d172001e484c1d4eaa237d"; +static const char *ST_HASH_18400 = "$odf$*1*1*100000*32*751854d8b90731ce0579f96bea6f0d4ac2fb2f546b31f1b6af9a5f66952a0bf4*16*2185a966155baa9e2fb597298febecbc*16*c18eaae34bcbbe9119be017fe5f8b52d*0*051e0f1ce0e866f2b771029e03a6c7119aad132af54c4e45824f16f61f357a40407ab82744fe6370c7b2346075fcd4c2e58ab244411b3ab1d532a46e2321599ef13c3d3472fc2f14d480d8c33215e473da67f90540279d3ef1f62dde314fa222796046e496c951235ddf88aa754620b7810d22ebc8835c90dce9276946f52b8ea7d95d2f86e4cc725366a8b3edacc2ce88518e535991a5f84d5ea8795dc02bfb731b5f202ecaf7d4b245d928c4248709fcdf3fba2acf1a08be0c1eee7dbeda07e8c3a6983565635e99952b8ad79d31c965f245ae90b5cc3dba6387898c66fa35cad9ac9595c41b62e68efcdd73185b38e220cf004269b77ec6974474b03b7569afc3b503a2bf8b2d035756f3f4cb880d9ba815e5c944508a0bde214076c35bf0e0814a96d21ccaa744c9056948ed935209f5c7933841d2ede3d28dd84da89d477d4a0041ce6d8ddab891d929340db6daa921d69b46fd5aee306d0bcef88c38acbb495d0466df7e2f744e3d10201081215c02db5dd479a4cda15a3338969c7baec9d3d2c378a8dd30449319b149dc3b4e7f00996a59fcb5f243d0df2cbaf749241033f7865aefa960adfeb8ebf205b270f90b1f82c34f80d5a8a0db7aec89972a32f5daa2a73c5895d1fced01b3ab8e576bd2630eff01cad97781f4966d4b528e1b15f011f28ae907a352073c96b203adc7742d2b79b2e2f440b17e7856ae119e08d15d8bdf951f6d4a3f9b516da2d9a8f9dd93488f8e0119f3da19138ab787f0d7098a652cccd914aa0ff81d375bd6a5a165acc936f591639059287975cfc3ca4342e5f9501b3249a76d14e56d6d56b319e036bc0449ac7b5afa24ffbea11babed8183edf8d4fdca1c3f0d23bfd4a02797627d556634f1a9304e03737604bd86f6b5a26aa687d6df73383e0f7dfe62a131e8dbb8c3f4f13d24857dd29d76984eac6c45df7428fc79323ffa1f4e7962d705df74320141ed1f16d1ad483b872168df60315ffadbfa1b7f4afaed8a0017421bf5e05348cb5c707a5e852d6fee6077ec1c33bc707bcd97b7701ee05a03d6fa78b0d31c8c97ea16e0edf434961bd5cc7cbb7eb2553730f0405c9bd21cee09b3f7c1bc57779fdfc15f3935985737a1b522004c4436b631a39a66e8577a03f5020e6aa41952c0662c8c57f66caa483b47af38b8cb5d457245fd3241749e17433e6f929233e8862d7c584111b1991b2d6e94278e7e6e1908cee5a83d94c78b75a84a695d25aeb9fdde72174fe6dd75e8d406671f44892a385a4a1e249f61ebc993e985607423a0a5742e668d52c1ebf5cecae7c2b7908f4627b92ec49354a9ccff8cb5763ad074a00e65a485a41bf4c25ce7e6fae49358a58547b1c0ca79713e297310c0a367c3de196f1dd685ca4be643bdf1e4f6b034211d020557e37a3b6614d061010b4a3416b6b279728c245d3322"; static const char *ST_HASH_99999 = "hashcat"; static const char *OPTI_STR_OPTIMIZED_KERNEL = "Optimized-Kernel"; @@ -561,6 +562,7 @@ static const char *HT_18000 = "Keccak-512"; static const char *HT_18100 = "TOTP (HMAC-SHA1)"; static const char *HT_18200 = "Kerberos 5 AS-REP etype 23"; static const char *HT_18300 = "Apple File System (APFS)"; +static const char *HT_18400 = "Open Document Format (ODF) 1.2 (SHA-256, AES)"; static const char *HT_99999 = "Plaintext"; static const char *HT_00011 = "Joomla < 2.5.18"; @@ -661,6 +663,7 @@ static const char *SIGNATURE_MYSQL_AUTH = "$mysqlna$"; static const char *SIGNATURE_MYWALLET = "$blockchain$"; static const char *SIGNATURE_MYWALLETV2 = "$blockchain$v2$"; static const char *SIGNATURE_NETSCALER = "1"; +static const char *SIGNATURE_ODF = "$odf$"; static const char *SIGNATURE_OFFICE2007 = "$office$"; static const char *SIGNATURE_OFFICE2010 = "$office$"; static const char *SIGNATURE_OFFICE2013 = "$office$"; @@ -10987,6 +10990,165 @@ int oldoffice34cm2_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, M return (PARSER_OK); } +int odf12_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig) +{ + u32 *digest = (u32 *) hash_buf->digest; + + salt_t *salt_s = hash_buf->salt; + + odf12_t *odf12 = (odf12_t *) hash_buf->esalt; + + token_t token; + + token.token_cnt = 12; + + token.signatures_cnt = 1; + token.signatures_buf[0] = SIGNATURE_ODF; + + token.len_min[0] = 5; + token.len_max[0] = 5; + token.sep[0] = '*'; + token.attr[0] = TOKEN_ATTR_VERIFY_LENGTH + | TOKEN_ATTR_VERIFY_SIGNATURE; + + token.len_min[1] = 1; + token.len_max[1] = 1; + token.sep[1] = '*'; + token.attr[1] = TOKEN_ATTR_VERIFY_LENGTH + | TOKEN_ATTR_VERIFY_DIGIT; + + token.len_min[2] = 1; + token.len_max[2] = 1; + token.sep[2] = '*'; + token.attr[2] = TOKEN_ATTR_VERIFY_LENGTH + | TOKEN_ATTR_VERIFY_DIGIT; + + token.len_min[3] = 4; + token.len_max[3] = 6; + token.sep[3] = '*'; + token.attr[3] = TOKEN_ATTR_VERIFY_LENGTH + | TOKEN_ATTR_VERIFY_DIGIT; + + token.len_min[4] = 2; + token.len_max[4] = 2; + token.sep[4] = '*'; + token.attr[4] = TOKEN_ATTR_VERIFY_LENGTH + | TOKEN_ATTR_VERIFY_DIGIT; + + token.len_min[5] = 64; + token.len_max[5] = 64; + token.sep[5] = '*'; + token.attr[5] = TOKEN_ATTR_VERIFY_LENGTH + | TOKEN_ATTR_VERIFY_HEX; + + token.len_min[6] = 2; + token.len_max[6] = 2; + token.sep[6] = '*'; + token.attr[6] = TOKEN_ATTR_VERIFY_LENGTH + | TOKEN_ATTR_VERIFY_DIGIT; + + token.len_min[7] = 32; + token.len_max[7] = 32; + token.sep[7] = '*'; + token.attr[7] = TOKEN_ATTR_VERIFY_LENGTH + | TOKEN_ATTR_VERIFY_HEX; + + token.len_min[8] = 2; + token.len_max[8] = 2; + token.sep[8] = '*'; + token.attr[8] = TOKEN_ATTR_VERIFY_LENGTH + | TOKEN_ATTR_VERIFY_DIGIT; + + token.len_min[9] = 32; + token.len_max[9] = 32; + token.sep[9] = '*'; + token.attr[9] = TOKEN_ATTR_VERIFY_LENGTH + | TOKEN_ATTR_VERIFY_HEX; + + token.len_min[10] = 1; + token.len_max[10] = 1; + token.sep[10] = '*'; + token.attr[10] = TOKEN_ATTR_VERIFY_LENGTH + | TOKEN_ATTR_VERIFY_DIGIT; + + token.len[11] = 2048; + token.attr[11] = TOKEN_ATTR_FIXED_LENGTH + | TOKEN_ATTR_VERIFY_HEX; + + const int rc_tokenizer = input_tokenizer (input_buf, input_len, &token); + + if (rc_tokenizer != PARSER_OK) return (rc_tokenizer); + + u8 *checksum = token.buf[5]; + u8 *iv = token.buf[7]; + u8 *salt = token.buf[9]; + u8 *encrypted_data = token.buf[11]; + + const u32 cipher_type = strtol ((const char *) token.buf[1], NULL, 10); + const u32 checksum_type = strtol ((const char *) token.buf[2], NULL, 10); + const u32 iterations = strtol ((const char *) token.buf[3], NULL, 10); + const u32 key_size = strtol ((const char *) token.buf[4], NULL, 10); + const u32 iv_len = strtol ((const char *) token.buf[6], NULL, 10); + const u32 salt_len = strtol ((const char *) token.buf[8], NULL, 10); + const u32 unused = strtol ((const char *) token.buf[10], NULL, 10); + + if (cipher_type != 1) return (PARSER_SALT_VALUE); + if (checksum_type != 1) return (PARSER_SALT_VALUE); + if (key_size != 32) return (PARSER_SALT_VALUE); + if (iv_len != 16) return (PARSER_SALT_VALUE); + if (salt_len != 16) return (PARSER_SALT_VALUE); + if (unused != 0) return (PARSER_SALT_VALUE); + + // esalt + + odf12->iterations = iterations; + + odf12->checksum[0] = hex_to_u32 (&checksum[0]); + odf12->checksum[1] = hex_to_u32 (&checksum[8]); + odf12->checksum[2] = hex_to_u32 (&checksum[16]); + odf12->checksum[3] = hex_to_u32 (&checksum[24]); + odf12->checksum[4] = hex_to_u32 (&checksum[32]); + odf12->checksum[5] = hex_to_u32 (&checksum[40]); + odf12->checksum[6] = hex_to_u32 (&checksum[48]); + odf12->checksum[7] = hex_to_u32 (&checksum[56]); + + odf12->iv[0] = hex_to_u32 (&iv[0]); + odf12->iv[1] = hex_to_u32 (&iv[8]); + odf12->iv[2] = hex_to_u32 (&iv[16]); + odf12->iv[3] = hex_to_u32 (&iv[24]); + + for (int i = 0; i < 256; i++) + { + odf12->encrypted_data[i] = hex_to_u32 (&encrypted_data[8 * i]); + } + + // salt + + salt_s->salt_len = salt_len; + + salt_s->salt_iter = iterations - 1; + + salt_s->salt_buf[0] = hex_to_u32 (&salt[0]); + salt_s->salt_buf[1] = hex_to_u32 (&salt[8]); + salt_s->salt_buf[2] = hex_to_u32 (&salt[16]); + salt_s->salt_buf[3] = hex_to_u32 (&salt[24]); + + /** + * digest + */ + + digest[0] = odf12->checksum[0]; + digest[1] = odf12->checksum[1]; + digest[2] = odf12->checksum[2]; + digest[3] = odf12->checksum[3]; + digest[4] = odf12->checksum[4]; + digest[5] = odf12->checksum[5]; + digest[6] = odf12->checksum[6]; + digest[7] = odf12->checksum[7]; + + return (PARSER_OK); +} + int radmin2_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig) { u32 *digest = (u32 *) hash_buf->digest; @@ -19052,6 +19214,7 @@ const char *strhashtype (const u32 hash_mode) case 18100: return HT_18100; case 18200: return HT_18200; case 18300: return HT_18300; + case 18400: return HT_18400; case 99999: return HT_99999; } @@ -22906,6 +23069,49 @@ int ascii_digest (hashcat_ctx_t *hashcat_ctx, char *out_buf, const size_t out_le byte_swap_32 (apple_secure_notes->ZCRYPTOWRAPPEDKEY[8]), byte_swap_32 (apple_secure_notes->ZCRYPTOWRAPPEDKEY[9])); } + else if (hash_mode == 18400) + { + odf12_t *odf12s = (odf12_t *) esalts_buf; + + odf12_t *odf12 = &odf12s[digest_cur]; + + size_t pos = 0; + + snprintf (out_buf, out_len - 1, "%s*1*1*%d*32*%08x%08x%08x%08x%08x%08x%08x%08x*16*%08x%08x%08x%08x*16*%08x%08x%08x%08x*0*", + SIGNATURE_ODF, + odf12->iterations, + byte_swap_32 (odf12->checksum[0]), + byte_swap_32 (odf12->checksum[1]), + byte_swap_32 (odf12->checksum[2]), + byte_swap_32 (odf12->checksum[3]), + byte_swap_32 (odf12->checksum[4]), + byte_swap_32 (odf12->checksum[5]), + byte_swap_32 (odf12->checksum[6]), + byte_swap_32 (odf12->checksum[7]), + byte_swap_32 (odf12->iv[0]), + byte_swap_32 (odf12->iv[1]), + byte_swap_32 (odf12->iv[2]), + byte_swap_32 (odf12->iv[3]), + byte_swap_32 (salt.salt_buf[0]), + byte_swap_32 (salt.salt_buf[1]), + byte_swap_32 (salt.salt_buf[2]), + byte_swap_32 (salt.salt_buf[3])); + + pos += strlen (out_buf); + + for (int i = 0; i < 256; i += 8, pos += 64) + { + snprintf (&out_buf[pos], out_len - pos - 1, "%08x%08x%08x%08x%08x%08x%08x%08x", + byte_swap_32 (odf12->encrypted_data[i + 0]), + byte_swap_32 (odf12->encrypted_data[i + 1]), + byte_swap_32 (odf12->encrypted_data[i + 2]), + byte_swap_32 (odf12->encrypted_data[i + 3]), + byte_swap_32 (odf12->encrypted_data[i + 4]), + byte_swap_32 (odf12->encrypted_data[i + 5]), + byte_swap_32 (odf12->encrypted_data[i + 6]), + byte_swap_32 (odf12->encrypted_data[i + 7])); + } + } else if (hash_mode == 99999) { char *ptr = (char *) digest_buf; @@ -28382,6 +28588,23 @@ int hashconfig_init (hashcat_ctx_t *hashcat_ctx) hashconfig->st_pass = ST_PASS_HASHCAT_PLAIN; break; + case 18400: hashconfig->hash_type = HASH_TYPE_ODF12; + hashconfig->salt_type = SALT_TYPE_EMBEDDED; + hashconfig->attack_exec = ATTACK_EXEC_OUTSIDE_KERNEL; + hashconfig->opts_type = OPTS_TYPE_PT_GENERATE_LE; + hashconfig->kern_type = KERN_TYPE_ODF12; + hashconfig->dgst_size = DGST_SIZE_4_8; + hashconfig->parse_func = odf12_parse_hash; + hashconfig->opti_type = OPTI_TYPE_ZERO_BYTE + | OPTI_TYPE_SLOW_HASH_SIMD_LOOP; + hashconfig->dgst_pos0 = 0; + hashconfig->dgst_pos1 = 1; + hashconfig->dgst_pos2 = 2; + hashconfig->dgst_pos3 = 3; + hashconfig->st_hash = ST_HASH_18400; + hashconfig->st_pass = ST_PASS_HASHCAT_PLAIN; + break; + case 99999: hashconfig->hash_type = HASH_TYPE_PLAINTEXT; hashconfig->salt_type = SALT_TYPE_NONE; hashconfig->attack_exec = ATTACK_EXEC_INSIDE_KERNEL; @@ -28622,6 +28845,7 @@ int hashconfig_init (hashcat_ctx_t *hashcat_ctx) case 16900: hashconfig->esalt_size = sizeof (ansible_vault_t); break; case 18200: hashconfig->esalt_size = sizeof (krb5asrep_t); break; case 18300: hashconfig->esalt_size = sizeof (apple_secure_notes_t); break; + case 18400: hashconfig->esalt_size = sizeof (odf12_t); break; } // hook_salt_size @@ -28739,6 +28963,7 @@ int hashconfig_init (hashcat_ctx_t *hashcat_ctx) case 16801: hashconfig->tmp_size = sizeof (wpa_pmk_tmp_t); break; case 16900: hashconfig->tmp_size = sizeof (pbkdf2_sha256_tmp_t); break; case 18300: hashconfig->tmp_size = sizeof (apple_secure_notes_tmp_t); break; + case 18400: hashconfig->tmp_size = sizeof (odf12_tmp_t); break; }; // hook_size @@ -29191,6 +29416,7 @@ int hashconfig_get_pw_max (hashcat_ctx_t *hashcat_ctx, const bool optimized_kern case 16800: pw_max = 63; break; // WPA-PMKID-PBKDF2: limits itself to 63 by RFC case 16801: pw_max = 64; break; // WPA-PMKID-PMK: fixed length case 16900: pw_max = PW_MAX; break; + case 18400: pw_max = PW_MAX; break; } return pw_max; @@ -29508,6 +29734,8 @@ void hashconfig_benchmark_defaults (hashcat_ctx_t *hashcat_ctx, salt_t *salt, vo break; case 18300: salt->salt_len = 16; break; + case 18400: salt->salt_len = 16; + break; } // special esalt handling @@ -29805,6 +30033,8 @@ void hashconfig_benchmark_defaults (hashcat_ctx_t *hashcat_ctx, salt_t *salt, vo break; case 18300: salt->salt_iter = ROUNDS_APPLE_SECURE_NOTES - 1; break; + case 18400: salt->salt_iter = ROUNDS_LIBREOFFICE - 1; + break; } } diff --git a/src/usage.c b/src/usage.c index 45f43a1fe..b3c16931a 100644 --- a/src/usage.c +++ b/src/usage.c @@ -393,6 +393,7 @@ static const char *const USAGE_BIG[] = " 10600 | PDF 1.7 Level 3 (Acrobat 9) | Documents", " 10700 | PDF 1.7 Level 8 (Acrobat 10 - 11) | Documents", " 16200 | Apple Secure Notes | Documents", + " 18400 | Open Document Format (ODF) 1.2 (SHA-256, AES) | Documents", " 9000 | Password Safe v2 | Password Managers", " 5200 | Password Safe v3 | Password Managers", " 6800 | LastPass + LastPass sniffed | Password Managers", diff --git a/tools/test.pl b/tools/test.pl index 0d2194d43..2db499001 100755 --- a/tools/test.pl +++ b/tools/test.pl @@ -29,6 +29,7 @@ use Crypt::Digest::RIPEMD160 qw (ripemd160_hex); use Crypt::Digest::Whirlpool qw (whirlpool_hex); use Crypt::ECB qw (encrypt); use Crypt::Eksblowfish::Bcrypt qw (bcrypt en_base64); +use Crypt::Mode::CBC; use Crypt::Mode::ECB; use Crypt::MySQL qw (password41); use Crypt::OpenSSH::ChachaPoly; @@ -93,7 +94,7 @@ my $MODES = 13400, 13500, 13600, 13800, 13900, 14000, 14100, 14400, 14700, 14800, 14900, 15000, 15100, 15200, 15300, 15400, 15500, 15600, 15700, 15900, 16000, 16100, 16200, 16300, 16400, 16500, 16600, 16700, 16800, 16900, 17300, 17400, 17500, - 17600, 17700, 17800, 17900, 18000, 18100, 18200, 18300, 99999 + 17600, 17700, 17800, 17900, 18000, 18100, 18200, 18300, 18400, 99999 ]; ## STEP 2a: If your hash mode does not need a salt, add it to this array. @@ -3166,6 +3167,65 @@ sub verify next unless (exists ($db->{$hash_in}) and (! defined ($db->{$hash_in}))); } + elsif ($mode == 18400) + { + ($hash_in, $word) = split ":", $line; + + next unless defined $hash_in; + next unless defined $word; + + # tokenize + my @data = split ('\*', $hash_in); + + next unless scalar @data == 12; + + my $signature = shift @data; + my $cipher_type = shift @data; + my $cs_type = shift @data; + $iter = shift @data; + my $cs_len = shift @data; + my $cs = shift @data; + my $iv_len = shift @data; + my $iv = shift @data; + my $salt_len = shift @data; + $salt = shift @data; + my $unused = shift @data; + my $ciphertext = shift @data; + + # validate + next unless ($signature eq '$odf$'); + next unless ($cipher_type eq '1'); + next unless ($cs_type eq '1'); + next unless ($cs_len eq '32'); + next unless ($iv_len eq '16'); + next unless ($salt_len eq '16'); + next unless ($unused eq '0'); + next unless defined $ciphertext; + + # decrypt + my $b_iv = pack ("H*", $iv); + my $b_salt = pack ("H*", $salt); + my $b_ciphertext = pack ("H*", $ciphertext); + + my $kdf = Crypt::PBKDF2->new + ( + hash_class => 'HMACSHA1', + iterations => $iter, + output_len => 32, + ); + + my $pass_hash = sha256 ($word); + my $derived_key = $kdf->PBKDF2 ($b_salt, $pass_hash); + my $cbc = Crypt::Mode::CBC->new('AES', 0); + my $b_plaintext = $cbc->decrypt($b_ciphertext, $derived_key, $b_iv); + + my $plaintext = unpack ("H*", $b_plaintext); + + $param = $iv; + $param2 = $plaintext; + + next unless (exists ($db->{$hash_in}) and (! defined ($db->{$hash_in}))); + } ## STEP 2c: Add your custom salt branch here else { @@ -3654,6 +3714,15 @@ sub verify return unless (substr ($line, 0, $len) eq $hash_out); } + elsif ($mode == 18400) + { + $hash_out = gen_hash ($mode, $word, $salt, $iter, $param, $param2); + + $len = length $hash_out; + + return unless (substr ($line, 0, $len) eq $hash_out); + } + ## STEP 2c: Add your custom gen_hash call here else { $hash_out = gen_hash ($mode, $word, $salt, $iter); @@ -4257,6 +4326,10 @@ sub passthrough { $tmp_hash = gen_hash ($mode, $word_buf, substr ($salt_buf, 0, 32)); } + elsif ($mode == 18400) + { + $tmp_hash = gen_hash ($mode, $word_buf, substr ($salt_buf, 0, 32)); + } ## STEP 2c: Add your custom salt branch here else { @@ -5429,6 +5502,20 @@ sub single } } } + elsif ($mode == 18400) + { + for (my $i = 1; $i < 32; $i++) + { + if ($len != 0) + { + rnd ($mode, $len, 32); + } + else + { + rnd ($mode, $i, 32); + } + } + } ## STEP 2c: Add your custom salt branch here } } @@ -10597,6 +10684,52 @@ END_CODE $tmp_hash = sprintf ('$fvde$%d$%d$%s$%d$%s', $Z_PK, length ($salt_bin), unpack ("H*", $salt_bin), $iterations, unpack ("H*", $blob_bin)); } + elsif ($mode == 18400) + { + # defaults for single mode + my $iterations = 100000; + my $iv = "aa" x 16; + my $plaintext = "bb" x 1024; + + # parameters for verify mode + if (defined $iter) + { + $iterations = $iter; + } + + if (defined $additional_param) + { + $iv = $additional_param; + } + + if (defined $additional_param2) + { + $plaintext = $additional_param2; + } + + # binary buffers + my $b_iv = pack ("H*", $iv); + my $b_salt = pack ("H*", $salt_buf); + my $b_plaintext = pack ("H*", $plaintext); + + my $kdf = Crypt::PBKDF2->new + ( + hash_class => 'HMACSHA1', + iterations => $iterations, + output_len => 32, + ); + + my $checksum = sha256_hex ($b_plaintext); + + my $pass_hash = sha256 ($word_buf); + my $derived_key = $kdf->PBKDF2 ($b_salt, $pass_hash); + my $cbc = Crypt::Mode::CBC->new('AES', 0); + my $b_ciphertext = $cbc->encrypt($b_plaintext, $derived_key, $b_iv); + + my $ciphertext = unpack ("H*", $b_ciphertext); + + $tmp_hash = '$odf$'."*1*1*$iterations*32*$checksum*16*$iv*16*$salt_buf*0*$ciphertext"; + } elsif ($mode == 99999) { $tmp_hash = sprintf ("%s", $word_buf); diff --git a/tools/test.sh b/tools/test.sh index f2fae7fb8..4250ec6af 100755 --- a/tools/test.sh +++ b/tools/test.sh @@ -30,7 +30,7 @@ HASH_TYPES="0 10 11 12 20 21 22 23 30 40 50 60\ 13751 13752 13753 13771 13772 13773 13800 13900 14000 14100 14400 14600 14700\ 14800 14900 15000 15100 15200 15300 15400 15500 15600 15700 15900 16000 16100\ 16200 16300 16400 16500 16600 16700 16800 16900 17300 17400 17500 17600 17700\ - 17800 17900 18000 18100 18200 18300 99999" + 17800 17900 18000 18100 18200 18300 18400 99999" VECTOR_WIDTHS="1 2 4 8 16" @@ -48,7 +48,7 @@ SLOW_ALGOS=" 400 500 501 1600 1800 2100 2500 3200 5200 5800 6211\ 12900 13000 13200 13400 13600 13711 13712 13713 13721 13722 13723 13731 13732\ 13733 13751 13752 13753 13771 13772 13773 14600 14611 14612 14613 14621 14622\ 14623 14631 14632 14633 14641 14642 14643 14700 14800 15100 15200 15300 15600\ - 15700 15900 16000 16200 16300 16800 16900" + 15700 15900 16000 16200 16300 16800 16900 18400" # List of VeraCrypt modes which have test containers VC_MODES="13711 13712 13713 13721 13722 13723 13731 13732 13733 13751 13752\