mirror of https://github.com/hashcat/hashcat.git
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1102 lines
34 KiB
1102 lines
34 KiB
/**
|
|
* Author......: See docs/credits.txt
|
|
* License.....: MIT
|
|
*/
|
|
|
|
#define NEW_SIMD_CODE
|
|
|
|
#ifdef KERNEL_STATIC
|
|
#include M2S(INCLUDE_PATH/inc_vendor.h)
|
|
#include M2S(INCLUDE_PATH/inc_types.h)
|
|
#include M2S(INCLUDE_PATH/inc_platform.cl)
|
|
#include M2S(INCLUDE_PATH/inc_common.cl)
|
|
#include M2S(INCLUDE_PATH/inc_simd.cl)
|
|
#include M2S(INCLUDE_PATH/inc_hash_sha1.cl)
|
|
#include M2S(INCLUDE_PATH/inc_cipher_aes.cl)
|
|
#endif
|
|
|
|
typedef struct krb5asrep_18
|
|
{
|
|
u32 user[128];
|
|
u32 domain[128];
|
|
u32 account_info[512];
|
|
u32 account_info_len;
|
|
|
|
u32 checksum[3];
|
|
u32 edata2[5120];
|
|
u32 edata2_len;
|
|
u32 format;
|
|
|
|
} krb5asrep_18_t;
|
|
|
|
typedef struct krb5asrep_18_tmp
|
|
{
|
|
u32 ipad[5];
|
|
u32 opad[5];
|
|
u32 dgst[16];
|
|
u32 out[16];
|
|
|
|
} krb5asrep_18_tmp_t;
|
|
|
|
DECLSPEC void aes256_encrypt_cbc (PRIVATE_AS const u32 *aes_ks, PRIVATE_AS u32 *aes_iv, PRIVATE_AS const u32 *in, PRIVATE_AS u32 *out, SHM_TYPE u32 *s_te0, SHM_TYPE u32 *s_te1, SHM_TYPE u32 *s_te2, SHM_TYPE u32 *s_te3, SHM_TYPE u32 *s_te4)
|
|
{
|
|
u32 data[4];
|
|
|
|
data[0] = hc_swap32_S (in[0]);
|
|
data[1] = hc_swap32_S (in[1]);
|
|
data[2] = hc_swap32_S (in[2]);
|
|
data[3] = hc_swap32_S (in[3]);
|
|
|
|
data[0] ^= aes_iv[0];
|
|
data[1] ^= aes_iv[1];
|
|
data[2] ^= aes_iv[2];
|
|
data[3] ^= aes_iv[3];
|
|
|
|
aes256_encrypt (aes_ks, data, out, s_te0, s_te1, s_te2, s_te3, s_te4);
|
|
|
|
aes_iv[0] = out[0];
|
|
aes_iv[1] = out[1];
|
|
aes_iv[2] = out[2];
|
|
aes_iv[3] = out[3];
|
|
|
|
out[0] = hc_swap32_S (out[0]);
|
|
out[1] = hc_swap32_S (out[1]);
|
|
out[2] = hc_swap32_S (out[2]);
|
|
out[3] = hc_swap32_S (out[3]);
|
|
}
|
|
|
|
DECLSPEC void aes256_decrypt_cbc (PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *in, PRIVATE_AS u32 *out, PRIVATE_AS u32 *essiv, SHM_TYPE u32 *s_td0, SHM_TYPE u32 *s_td1, SHM_TYPE u32 *s_td2, SHM_TYPE u32 *s_td3, SHM_TYPE u32 *s_td4)
|
|
{
|
|
aes256_decrypt (ks1, in, out, s_td0, s_td1, s_td2, s_td3, s_td4);
|
|
|
|
out[0] ^= essiv[0];
|
|
out[1] ^= essiv[1];
|
|
out[2] ^= essiv[2];
|
|
out[3] ^= essiv[3];
|
|
|
|
essiv[0] = in[0];
|
|
essiv[1] = in[1];
|
|
essiv[2] = in[2];
|
|
essiv[3] = in[3];
|
|
}
|
|
|
|
DECLSPEC void hmac_sha1_run_V (PRIVATE_AS u32x *w0, PRIVATE_AS u32x *w1, PRIVATE_AS u32x *w2, PRIVATE_AS u32x *w3, PRIVATE_AS u32x *ipad, PRIVATE_AS u32x *opad, PRIVATE_AS u32x *digest)
|
|
{
|
|
digest[0] = ipad[0];
|
|
digest[1] = ipad[1];
|
|
digest[2] = ipad[2];
|
|
digest[3] = ipad[3];
|
|
digest[4] = ipad[4];
|
|
|
|
sha1_transform_vector (w0, w1, w2, w3, digest);
|
|
|
|
w0[0] = digest[0];
|
|
w0[1] = digest[1];
|
|
w0[2] = digest[2];
|
|
w0[3] = digest[3];
|
|
w1[0] = digest[4];
|
|
w1[1] = 0x80000000;
|
|
w1[2] = 0;
|
|
w1[3] = 0;
|
|
w2[0] = 0;
|
|
w2[1] = 0;
|
|
w2[2] = 0;
|
|
w2[3] = 0;
|
|
w3[0] = 0;
|
|
w3[1] = 0;
|
|
w3[2] = 0;
|
|
w3[3] = (64 + 20) * 8;
|
|
|
|
digest[0] = opad[0];
|
|
digest[1] = opad[1];
|
|
digest[2] = opad[2];
|
|
digest[3] = opad[3];
|
|
digest[4] = opad[4];
|
|
|
|
sha1_transform_vector (w0, w1, w2, w3, digest);
|
|
}
|
|
|
|
KERNEL_FQ void m32200_init (KERN_ATTR_TMPS_ESALT (krb5asrep_18_tmp_t, krb5asrep_18_t))
|
|
{
|
|
/**
|
|
* base
|
|
*/
|
|
|
|
const u64 gid = get_global_id (0);
|
|
|
|
if (gid >= GID_CNT) return;
|
|
|
|
/**
|
|
* main
|
|
*/
|
|
|
|
/* initialize hmac-sha1 for pbkdf2(password, account, 4096, account_len) */
|
|
|
|
sha1_hmac_ctx_t sha1_hmac_ctx;
|
|
|
|
sha1_hmac_init_global_swap (&sha1_hmac_ctx, pws[gid].i, pws[gid].pw_len);
|
|
|
|
tmps[gid].ipad[0] = sha1_hmac_ctx.ipad.h[0];
|
|
tmps[gid].ipad[1] = sha1_hmac_ctx.ipad.h[1];
|
|
tmps[gid].ipad[2] = sha1_hmac_ctx.ipad.h[2];
|
|
tmps[gid].ipad[3] = sha1_hmac_ctx.ipad.h[3];
|
|
tmps[gid].ipad[4] = sha1_hmac_ctx.ipad.h[4];
|
|
|
|
tmps[gid].opad[0] = sha1_hmac_ctx.opad.h[0];
|
|
tmps[gid].opad[1] = sha1_hmac_ctx.opad.h[1];
|
|
tmps[gid].opad[2] = sha1_hmac_ctx.opad.h[2];
|
|
tmps[gid].opad[3] = sha1_hmac_ctx.opad.h[3];
|
|
tmps[gid].opad[4] = sha1_hmac_ctx.opad.h[4];
|
|
|
|
sha1_hmac_update_global_swap (&sha1_hmac_ctx, esalt_bufs[DIGESTS_OFFSET_HOST].account_info, esalt_bufs[DIGESTS_OFFSET_HOST].account_info_len);
|
|
|
|
for (u32 i = 0, j = 1; i < 8; i += 5, j += 1)
|
|
{
|
|
sha1_hmac_ctx_t sha1_hmac_ctx2 = sha1_hmac_ctx;
|
|
|
|
u32 w0[4];
|
|
u32 w1[4];
|
|
u32 w2[4];
|
|
u32 w3[4];
|
|
|
|
w0[0] = j;
|
|
w0[1] = 0;
|
|
w0[2] = 0;
|
|
w0[3] = 0;
|
|
w1[0] = 0;
|
|
w1[1] = 0;
|
|
w1[2] = 0;
|
|
w1[3] = 0;
|
|
w2[0] = 0;
|
|
w2[1] = 0;
|
|
w2[2] = 0;
|
|
w2[3] = 0;
|
|
w3[0] = 0;
|
|
w3[1] = 0;
|
|
w3[2] = 0;
|
|
w3[3] = 0;
|
|
|
|
sha1_hmac_update_64 (&sha1_hmac_ctx2, w0, w1, w2, w3, 4);
|
|
|
|
sha1_hmac_final (&sha1_hmac_ctx2);
|
|
|
|
tmps[gid].dgst[i + 0] = sha1_hmac_ctx2.opad.h[0];
|
|
tmps[gid].dgst[i + 1] = sha1_hmac_ctx2.opad.h[1];
|
|
tmps[gid].dgst[i + 2] = sha1_hmac_ctx2.opad.h[2];
|
|
tmps[gid].dgst[i + 3] = sha1_hmac_ctx2.opad.h[3];
|
|
tmps[gid].dgst[i + 4] = sha1_hmac_ctx2.opad.h[4];
|
|
|
|
tmps[gid].out[i + 0] = tmps[gid].dgst[i + 0];
|
|
tmps[gid].out[i + 1] = tmps[gid].dgst[i + 1];
|
|
tmps[gid].out[i + 2] = tmps[gid].dgst[i + 2];
|
|
tmps[gid].out[i + 3] = tmps[gid].dgst[i + 3];
|
|
tmps[gid].out[i + 4] = tmps[gid].dgst[i + 4];
|
|
}
|
|
}
|
|
|
|
KERNEL_FQ void m32200_loop (KERN_ATTR_TMPS_ESALT (krb5asrep_18_tmp_t, krb5asrep_18_t))
|
|
{
|
|
/**
|
|
* base
|
|
*/
|
|
const u64 gid = get_global_id (0);
|
|
|
|
if ((gid * VECT_SIZE) >= GID_CNT) return;
|
|
|
|
u32x ipad[5];
|
|
u32x opad[5];
|
|
|
|
ipad[0] = packv (tmps, ipad, gid, 0);
|
|
ipad[1] = packv (tmps, ipad, gid, 1);
|
|
ipad[2] = packv (tmps, ipad, gid, 2);
|
|
ipad[3] = packv (tmps, ipad, gid, 3);
|
|
ipad[4] = packv (tmps, ipad, gid, 4);
|
|
|
|
opad[0] = packv (tmps, opad, gid, 0);
|
|
opad[1] = packv (tmps, opad, gid, 1);
|
|
opad[2] = packv (tmps, opad, gid, 2);
|
|
opad[3] = packv (tmps, opad, gid, 3);
|
|
opad[4] = packv (tmps, opad, gid, 4);
|
|
|
|
for (u32 i = 0; i < 8; i += 5)
|
|
{
|
|
u32x dgst[5];
|
|
u32x out[5];
|
|
|
|
dgst[0] = packv (tmps, dgst, gid, i + 0);
|
|
dgst[1] = packv (tmps, dgst, gid, i + 1);
|
|
dgst[2] = packv (tmps, dgst, gid, i + 2);
|
|
dgst[3] = packv (tmps, dgst, gid, i + 3);
|
|
dgst[4] = packv (tmps, dgst, gid, i + 4);
|
|
|
|
out[0] = packv (tmps, out, gid, i + 0);
|
|
out[1] = packv (tmps, out, gid, i + 1);
|
|
out[2] = packv (tmps, out, gid, i + 2);
|
|
out[3] = packv (tmps, out, gid, i + 3);
|
|
out[4] = packv (tmps, out, gid, i + 4);
|
|
|
|
for (u32 j = 0; j < LOOP_CNT; j++)
|
|
{
|
|
u32x w0[4];
|
|
u32x w1[4];
|
|
u32x w2[4];
|
|
u32x w3[4];
|
|
|
|
w0[0] = dgst[0];
|
|
w0[1] = dgst[1];
|
|
w0[2] = dgst[2];
|
|
w0[3] = dgst[3];
|
|
w1[0] = dgst[4];
|
|
w1[1] = 0x80000000;
|
|
w1[2] = 0;
|
|
w1[3] = 0;
|
|
w2[0] = 0;
|
|
w2[1] = 0;
|
|
w2[2] = 0;
|
|
w2[3] = 0;
|
|
w3[0] = 0;
|
|
w3[1] = 0;
|
|
w3[2] = 0;
|
|
w3[3] = (64 + 20) * 8;
|
|
|
|
hmac_sha1_run_V (w0, w1, w2, w3, ipad, opad, dgst);
|
|
|
|
out[0] ^= dgst[0];
|
|
out[1] ^= dgst[1];
|
|
out[2] ^= dgst[2];
|
|
out[3] ^= dgst[3];
|
|
out[4] ^= dgst[4];
|
|
}
|
|
|
|
unpackv (tmps, dgst, gid, i + 0, dgst[0]);
|
|
unpackv (tmps, dgst, gid, i + 1, dgst[1]);
|
|
unpackv (tmps, dgst, gid, i + 2, dgst[2]);
|
|
unpackv (tmps, dgst, gid, i + 3, dgst[3]);
|
|
unpackv (tmps, dgst, gid, i + 4, dgst[4]);
|
|
|
|
unpackv (tmps, out, gid, i + 0, out[0]);
|
|
unpackv (tmps, out, gid, i + 1, out[1]);
|
|
unpackv (tmps, out, gid, i + 2, out[2]);
|
|
unpackv (tmps, out, gid, i + 3, out[3]);
|
|
unpackv (tmps, out, gid, i + 4, out[4]);
|
|
}
|
|
}
|
|
|
|
KERNEL_FQ void m32200_comp (KERN_ATTR_TMPS_ESALT (krb5asrep_18_tmp_t, krb5asrep_18_t))
|
|
{
|
|
/**
|
|
* base
|
|
*/
|
|
|
|
const u64 gid = get_global_id (0);
|
|
const u64 lid = get_local_id (0);
|
|
const u64 lsz = get_local_size (0);
|
|
|
|
/**
|
|
* aes shared
|
|
*/
|
|
|
|
#ifdef REAL_SHM
|
|
|
|
LOCAL_VK u32 s_td0[256];
|
|
LOCAL_VK u32 s_td1[256];
|
|
LOCAL_VK u32 s_td2[256];
|
|
LOCAL_VK u32 s_td3[256];
|
|
LOCAL_VK u32 s_td4[256];
|
|
|
|
LOCAL_VK u32 s_te0[256];
|
|
LOCAL_VK u32 s_te1[256];
|
|
LOCAL_VK u32 s_te2[256];
|
|
LOCAL_VK u32 s_te3[256];
|
|
LOCAL_VK u32 s_te4[256];
|
|
|
|
for (u32 i = lid; i < 256; i += lsz)
|
|
{
|
|
s_td0[i] = td0[i];
|
|
s_td1[i] = td1[i];
|
|
s_td2[i] = td2[i];
|
|
s_td3[i] = td3[i];
|
|
s_td4[i] = td4[i];
|
|
|
|
s_te0[i] = te0[i];
|
|
s_te1[i] = te1[i];
|
|
s_te2[i] = te2[i];
|
|
s_te3[i] = te3[i];
|
|
s_te4[i] = te4[i];
|
|
}
|
|
|
|
SYNC_THREADS ();
|
|
|
|
#else
|
|
|
|
CONSTANT_AS u32a *s_td0 = td0;
|
|
CONSTANT_AS u32a *s_td1 = td1;
|
|
CONSTANT_AS u32a *s_td2 = td2;
|
|
CONSTANT_AS u32a *s_td3 = td3;
|
|
CONSTANT_AS u32a *s_td4 = td4;
|
|
|
|
CONSTANT_AS u32a *s_te0 = te0;
|
|
CONSTANT_AS u32a *s_te1 = te1;
|
|
CONSTANT_AS u32a *s_te2 = te2;
|
|
CONSTANT_AS u32a *s_te3 = te3;
|
|
CONSTANT_AS u32a *s_te4 = te4;
|
|
|
|
#endif
|
|
|
|
if (gid >= GID_CNT) return;
|
|
|
|
/*
|
|
at this point, the output ('seed') will be used to generate AES keys:
|
|
|
|
key_bytes = derive(seed, 'kerberos'.encode(), seedsize)
|
|
|
|
'key_bytes' will be the AES key used to generate 'ke' and 'ki'
|
|
'ke' will be the AES key to decrypt the ticket
|
|
'ki' will be the key to compute the final HMAC
|
|
*/
|
|
|
|
u32 nfolded[4];
|
|
|
|
// we can precompute _nfold('kerberos', 16)
|
|
nfolded[0] = 0x6b657262;
|
|
nfolded[1] = 0x65726f73;
|
|
nfolded[2] = 0x7b9b5b2b;
|
|
nfolded[3] = 0x93132b93;
|
|
|
|
// then aes_cbc encrypt this nfolded value with 'seed' as key along with a null IV
|
|
u32 aes_key[8];
|
|
|
|
aes_key[0] = hc_swap32_S (tmps[gid].out[0]);
|
|
aes_key[1] = hc_swap32_S (tmps[gid].out[1]);
|
|
aes_key[2] = hc_swap32_S (tmps[gid].out[2]);
|
|
aes_key[3] = hc_swap32_S (tmps[gid].out[3]);
|
|
aes_key[4] = hc_swap32_S (tmps[gid].out[4]);
|
|
aes_key[5] = hc_swap32_S (tmps[gid].out[5]);
|
|
aes_key[6] = hc_swap32_S (tmps[gid].out[6]);
|
|
aes_key[7] = hc_swap32_S (tmps[gid].out[7]);
|
|
|
|
u32 aes_iv[4];
|
|
|
|
aes_iv[0] = 0;
|
|
aes_iv[1] = 0;
|
|
aes_iv[2] = 0;
|
|
aes_iv[3] = 0;
|
|
|
|
u32 aes_ks[60];
|
|
|
|
aes256_set_encrypt_key (aes_ks, aes_key, s_te0, s_te1, s_te2, s_te3);
|
|
|
|
u32 key_bytes[8];
|
|
|
|
u32 out[4];
|
|
aes256_encrypt_cbc (aes_ks, aes_iv, nfolded, out, s_te0, s_te1, s_te2, s_te3, s_te4);
|
|
|
|
key_bytes[0] = out[0];
|
|
key_bytes[1] = out[1];
|
|
key_bytes[2] = out[2];
|
|
key_bytes[3] = out[3];
|
|
|
|
aes_iv[0] = 0;
|
|
aes_iv[1] = 0;
|
|
aes_iv[2] = 0;
|
|
aes_iv[3] = 0;
|
|
|
|
aes256_encrypt_cbc (aes_ks, aes_iv, out, out, s_te0, s_te1, s_te2, s_te3, s_te4);
|
|
|
|
key_bytes[4] = out[0];
|
|
key_bytes[5] = out[1];
|
|
key_bytes[6] = out[2];
|
|
key_bytes[7] = out[3];
|
|
|
|
/*
|
|
We will now compute 'ki', having 'key_bytes'
|
|
|
|
Description of the key derivation function from RFC3961 Section 5.3:
|
|
The "well-known constant" used for the DK function is the key usage
|
|
number, expressed as four octets in big-endian order, followed by
|
|
one octet indicated below.
|
|
Kc = DK(base-key, usage | 0x99);
|
|
Ke = DK(base-key, usage | 0xAA);
|
|
Ki = DK(base-key, usage | 0x55);
|
|
|
|
The key usage numbers are defined in RFC4120. In Section 5.4.2, it
|
|
specifies that a key usage number of 3 is used for the EncASRepPart
|
|
of an AS-REP message.
|
|
*/
|
|
|
|
u32 ki[8];
|
|
|
|
// we can precompute _nfold(pack('>IB', 3, 0x55), 16)
|
|
nfolded[0] = 0x6b60b058;
|
|
nfolded[1] = 0x2a6ba80d;
|
|
nfolded[2] = 0x5aad56ab;
|
|
nfolded[3] = 0x55406ad5;
|
|
|
|
aes_iv[0] = 0;
|
|
aes_iv[1] = 0;
|
|
aes_iv[2] = 0;
|
|
aes_iv[3] = 0;
|
|
|
|
key_bytes[0] = hc_swap32_S (key_bytes[0]);
|
|
key_bytes[1] = hc_swap32_S (key_bytes[1]);
|
|
key_bytes[2] = hc_swap32_S (key_bytes[2]);
|
|
key_bytes[3] = hc_swap32_S (key_bytes[3]);
|
|
key_bytes[4] = hc_swap32_S (key_bytes[4]);
|
|
key_bytes[5] = hc_swap32_S (key_bytes[5]);
|
|
key_bytes[6] = hc_swap32_S (key_bytes[6]);
|
|
key_bytes[7] = hc_swap32_S (key_bytes[7]);
|
|
|
|
// then aes_cbc encrypt this nfolded value with 'key_bytes' as key along with a null IV
|
|
aes256_set_encrypt_key (aes_ks, key_bytes, s_te0, s_te1, s_te2, s_te3);
|
|
|
|
aes256_encrypt_cbc (aes_ks, aes_iv, nfolded, out, s_te0, s_te1, s_te2, s_te3, s_te4);
|
|
|
|
ki[0] = out[0];
|
|
ki[1] = out[1];
|
|
ki[2] = out[2];
|
|
ki[3] = out[3];
|
|
|
|
aes_iv[0] = 0;
|
|
aes_iv[1] = 0;
|
|
aes_iv[2] = 0;
|
|
aes_iv[3] = 0;
|
|
|
|
aes256_encrypt_cbc (aes_ks, aes_iv, out, out, s_te0, s_te1, s_te2, s_te3, s_te4);
|
|
|
|
ki[4] = out[0];
|
|
ki[5] = out[1];
|
|
ki[6] = out[2];
|
|
ki[7] = out[3];
|
|
|
|
/* we will now compute 'ke' */
|
|
|
|
u32 ke[8];
|
|
|
|
// we can precompute _nfold(pack('>IB', 3, 0xAA), 16)
|
|
nfolded[0] = 0xbe349a4d;
|
|
nfolded[1] = 0x24be500e;
|
|
nfolded[2] = 0xaf57abd5;
|
|
nfolded[3] = 0xea80757a;
|
|
|
|
aes_iv[0] = 0;
|
|
aes_iv[1] = 0;
|
|
aes_iv[2] = 0;
|
|
aes_iv[3] = 0;
|
|
|
|
// then aes_cbc encrypt this nfolded value with 'key_bytes' as key along with a null IV
|
|
aes256_encrypt_cbc (aes_ks, aes_iv, nfolded, out, s_te0, s_te1, s_te2, s_te3, s_te4);
|
|
|
|
ke[0] = out[0];
|
|
ke[1] = out[1];
|
|
ke[2] = out[2];
|
|
ke[3] = out[3];
|
|
|
|
aes_iv[0] = 0;
|
|
aes_iv[1] = 0;
|
|
aes_iv[2] = 0;
|
|
aes_iv[3] = 0;
|
|
|
|
aes256_encrypt_cbc (aes_ks, aes_iv, out, out, s_te0, s_te1, s_te2, s_te3, s_te4);
|
|
|
|
ke[4] = out[0];
|
|
ke[5] = out[1];
|
|
ke[6] = out[2];
|
|
ke[7] = out[3];
|
|
|
|
/*
|
|
We now have 'ke' and 'ki'
|
|
|
|
We will decrypt (with 'ke') the 32 first bytes to search for ASN.1 structs
|
|
and if we find ASN.1 structs, we will compute the hmac (with 'ki')
|
|
|
|
For AS-REP EncASRepPart:
|
|
The first byte is 0x79 (01 1 11001, where 01 = "class=APPLICATION", 1 = "form=constructed", 11001 is application type 25)
|
|
|
|
According to RFC4120 Section 5.4.2: "Some implementations unconditionally send an encrypted EncTGSRepPart (application
|
|
tag number 26) in this field regardless of whether the reply is a AS-REP or a TGS-REP. In the interest of compatibility,
|
|
implementors MAY relax the check on the tag number of the decrypted ENC-PART"
|
|
|
|
The first byte can thus also be 0x7a (corresponding to application type 26) instead of 0x79
|
|
|
|
The next byte is the length:
|
|
|
|
if length < 128 bytes:
|
|
length is on 1 byte, and the next byte is 0x30 (class=SEQUENCE)
|
|
else if length <= 256:
|
|
length is on 2 bytes, the first byte is 0x81, and the third byte is 0x30 (class=SEQUENCE)
|
|
else if length > 256:
|
|
length is on 3 bytes, the first byte is 0x82, and the fourth byte is 0x30 (class=SEQUENCE)
|
|
*/
|
|
|
|
u32 first_blocks[16];
|
|
|
|
u32 decrypted_block[8];
|
|
|
|
first_blocks[0] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[0];
|
|
first_blocks[1] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[1];
|
|
first_blocks[2] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[2];
|
|
first_blocks[3] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[3];
|
|
|
|
first_blocks[4] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[4]; // possible ASN1 structs
|
|
first_blocks[5] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[5];
|
|
first_blocks[6] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[6]; // possible ASN1 structs
|
|
first_blocks[7] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[7];
|
|
|
|
/*
|
|
we will decrypt them here in order to be able to compute hmac directly
|
|
if ASN1 structs were to be found
|
|
*/
|
|
first_blocks[8] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[8];
|
|
first_blocks[9] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[9];
|
|
first_blocks[10] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[10];
|
|
first_blocks[11] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[11];
|
|
|
|
first_blocks[12] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[12];
|
|
first_blocks[13] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[13];
|
|
first_blocks[14] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[14];
|
|
first_blocks[15] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[15];
|
|
|
|
u32 w0[4];
|
|
u32 w1[4];
|
|
u32 w2[4];
|
|
u32 w3[4];
|
|
|
|
u32 aes_cts_decrypt_ks[60];
|
|
|
|
AES256_set_decrypt_key (aes_cts_decrypt_ks, ke, s_te0, s_te1, s_te2, s_te3, s_td0, s_td1, s_td2, s_td3);
|
|
|
|
aes_iv[0] = 0;
|
|
aes_iv[1] = 0;
|
|
aes_iv[2] = 0;
|
|
aes_iv[3] = 0;
|
|
|
|
aes256_decrypt_cbc (aes_cts_decrypt_ks, first_blocks, decrypted_block, aes_iv, s_td0, s_td1, s_td2, s_td3, s_td4);
|
|
|
|
w0[0] = hc_swap32_S (decrypted_block[0]);
|
|
w0[1] = hc_swap32_S (decrypted_block[1]);
|
|
w0[2] = hc_swap32_S (decrypted_block[2]);
|
|
w0[3] = hc_swap32_S (decrypted_block[3]);
|
|
|
|
aes256_decrypt_cbc (aes_cts_decrypt_ks, first_blocks + 4, decrypted_block, aes_iv, s_td0, s_td1, s_td2, s_td3, s_td4);
|
|
|
|
w1[0] = hc_swap32_S (decrypted_block[0]);
|
|
w1[1] = hc_swap32_S (decrypted_block[1]);
|
|
w1[2] = hc_swap32_S (decrypted_block[2]);
|
|
w1[3] = hc_swap32_S (decrypted_block[3]);
|
|
|
|
if (((decrypted_block[0] & 0x00ff80ff) == 0x00300079) ||
|
|
((decrypted_block[0] & 0x00ff80ff) == 0x0030007a) ||
|
|
((decrypted_block[0] & 0xFF00FFFF) == 0x30008179) ||
|
|
((decrypted_block[0] & 0xFF00FFFF) == 0x3000817a) ||
|
|
((decrypted_block[0] & 0x0000FFFF) == 0x00008279 && (decrypted_block[1] & 0x000000FF) == 0x00000030) ||
|
|
((decrypted_block[0] & 0x0000FFFF) == 0x0000827a && (decrypted_block[1] & 0x000000FF) == 0x00000030))
|
|
{
|
|
// now we decrypt all the ticket to verify checksum
|
|
|
|
// we need to decrypt also the 2 following blocks in order to be able to compute the hmac directly
|
|
aes256_decrypt_cbc (aes_cts_decrypt_ks, first_blocks + 8, decrypted_block, aes_iv, s_td0, s_td1, s_td2, s_td3, s_td4);
|
|
|
|
w2[0] = hc_swap32_S (decrypted_block[0]);
|
|
w2[1] = hc_swap32_S (decrypted_block[1]);
|
|
w2[2] = hc_swap32_S (decrypted_block[2]);
|
|
w2[3] = hc_swap32_S (decrypted_block[3]);
|
|
|
|
aes256_decrypt_cbc (aes_cts_decrypt_ks, first_blocks + 12, decrypted_block, aes_iv, s_td0, s_td1, s_td2, s_td3, s_td4);
|
|
|
|
w3[0] = hc_swap32_S (decrypted_block[0]);
|
|
w3[1] = hc_swap32_S (decrypted_block[1]);
|
|
w3[2] = hc_swap32_S (decrypted_block[2]);
|
|
w3[3] = hc_swap32_S (decrypted_block[3]);
|
|
|
|
int block_position;
|
|
|
|
int edata2_len = esalt_bufs[DIGESTS_OFFSET_HOST].edata2_len;
|
|
|
|
int edata2_left;
|
|
|
|
u32 block[16];
|
|
|
|
int last_block_size = edata2_len % 16;
|
|
|
|
if (last_block_size == 0)
|
|
{
|
|
last_block_size = 16;
|
|
}
|
|
|
|
int last_part = last_block_size + 16;
|
|
|
|
int need = edata2_len - last_part;
|
|
|
|
int last_block_cbc_position = (need - 16) / 4;
|
|
|
|
sha1_hmac_ctx_t sha1_hmac_ctx;
|
|
|
|
/*
|
|
hmac message = plaintext
|
|
hmac key = ki
|
|
*/
|
|
|
|
u32 k0[4];
|
|
u32 k1[4];
|
|
u32 k2[4];
|
|
u32 k3[4];
|
|
|
|
k0[0] = ki[0];
|
|
k0[1] = ki[1];
|
|
k0[2] = ki[2];
|
|
k0[3] = ki[3];
|
|
|
|
k1[0] = ki[4];
|
|
k1[1] = ki[5];
|
|
k1[2] = ki[6];
|
|
k1[3] = ki[7];
|
|
|
|
k2[0] = 0;
|
|
k2[1] = 0;
|
|
k2[2] = 0;
|
|
k2[3] = 0;
|
|
|
|
k3[0] = 0;
|
|
k3[1] = 0;
|
|
k3[2] = 0;
|
|
k3[3] = 0;
|
|
|
|
sha1_hmac_init_64 (&sha1_hmac_ctx, k0, k1, k2, k3);
|
|
|
|
sha1_hmac_update_64 (&sha1_hmac_ctx, w0, w1, w2, w3, 64);
|
|
|
|
block_position = 16;
|
|
|
|
// first 4 blocks are already decrypted
|
|
for (edata2_left = need - 64; edata2_left >= 64; edata2_left -= 64)
|
|
{
|
|
block[0] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 0];
|
|
block[1] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 1];
|
|
block[2] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 2];
|
|
block[3] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 3];
|
|
block[4] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 4];
|
|
block[5] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 5];
|
|
block[6] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 6];
|
|
block[7] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 7];
|
|
block[8] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 8];
|
|
block[9] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 9];
|
|
block[10] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 10];
|
|
block[11] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 11];
|
|
block[12] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 12];
|
|
block[13] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 13];
|
|
block[14] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 14];
|
|
block[15] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 15];
|
|
|
|
aes256_decrypt_cbc (aes_cts_decrypt_ks, block, decrypted_block, aes_iv, s_td0, s_td1, s_td2, s_td3, s_td4);
|
|
|
|
w0[0] = hc_swap32_S (decrypted_block[0]);
|
|
w0[1] = hc_swap32_S (decrypted_block[1]);
|
|
w0[2] = hc_swap32_S (decrypted_block[2]);
|
|
w0[3] = hc_swap32_S (decrypted_block[3]);
|
|
|
|
aes256_decrypt_cbc (aes_cts_decrypt_ks, block + 4, decrypted_block, aes_iv, s_td0, s_td1, s_td2, s_td3, s_td4);
|
|
|
|
w1[0] = hc_swap32_S (decrypted_block[0]);
|
|
w1[1] = hc_swap32_S (decrypted_block[1]);
|
|
w1[2] = hc_swap32_S (decrypted_block[2]);
|
|
w1[3] = hc_swap32_S (decrypted_block[3]);
|
|
|
|
aes256_decrypt_cbc (aes_cts_decrypt_ks, block + 8, decrypted_block, aes_iv, s_td0, s_td1, s_td2, s_td3, s_td4);
|
|
|
|
w2[0] = hc_swap32_S (decrypted_block[0]);
|
|
w2[1] = hc_swap32_S (decrypted_block[1]);
|
|
w2[2] = hc_swap32_S (decrypted_block[2]);
|
|
w2[3] = hc_swap32_S (decrypted_block[3]);
|
|
|
|
aes256_decrypt_cbc (aes_cts_decrypt_ks, block + 12, decrypted_block, aes_iv, s_td0, s_td1, s_td2, s_td3, s_td4);
|
|
|
|
w3[0] = hc_swap32_S (decrypted_block[0]);
|
|
w3[1] = hc_swap32_S (decrypted_block[1]);
|
|
w3[2] = hc_swap32_S (decrypted_block[2]);
|
|
w3[3] = hc_swap32_S (decrypted_block[3]);
|
|
|
|
sha1_hmac_update_64 (&sha1_hmac_ctx, w0, w1, w2, w3, 64);
|
|
|
|
block_position += 16;
|
|
}
|
|
|
|
if (edata2_left == 16)
|
|
{
|
|
|
|
block[0] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 0];
|
|
block[1] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 1];
|
|
block[2] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 2];
|
|
block[3] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 3];
|
|
|
|
aes256_decrypt_cbc (aes_cts_decrypt_ks, block, decrypted_block, aes_iv, s_td0, s_td1, s_td2, s_td3, s_td4);
|
|
|
|
w0[0] = hc_swap32_S (decrypted_block[0]);
|
|
w0[1] = hc_swap32_S (decrypted_block[1]);
|
|
w0[2] = hc_swap32_S (decrypted_block[2]);
|
|
w0[3] = hc_swap32_S (decrypted_block[3]);
|
|
|
|
w1[0] = 0;
|
|
w1[1] = 0;
|
|
w1[2] = 0;
|
|
w1[3] = 0;
|
|
|
|
w2[0] = 0;
|
|
w2[1] = 0;
|
|
w2[2] = 0;
|
|
w2[3] = 0;
|
|
|
|
w3[0] = 0;
|
|
w3[1] = 0;
|
|
w3[2] = 0;
|
|
w3[3] = 0;
|
|
|
|
sha1_hmac_update_64 (&sha1_hmac_ctx, w0, w1, w2, w3, 16);
|
|
|
|
block_position += 4;
|
|
}
|
|
else if (edata2_left == 32)
|
|
{
|
|
block[0] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 0];
|
|
block[1] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 1];
|
|
block[2] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 2];
|
|
block[3] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 3];
|
|
block[4] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 4];
|
|
block[5] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 5];
|
|
block[6] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 6];
|
|
block[7] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 7];
|
|
|
|
aes256_decrypt_cbc (aes_cts_decrypt_ks, block, decrypted_block, aes_iv, s_td0, s_td1, s_td2, s_td3, s_td4);
|
|
|
|
w0[0] = hc_swap32_S (decrypted_block[0]);
|
|
w0[1] = hc_swap32_S (decrypted_block[1]);
|
|
w0[2] = hc_swap32_S (decrypted_block[2]);
|
|
w0[3] = hc_swap32_S (decrypted_block[3]);
|
|
|
|
aes256_decrypt_cbc (aes_cts_decrypt_ks, block + 4, decrypted_block, aes_iv, s_td0, s_td1, s_td2, s_td3, s_td4);
|
|
|
|
w1[0] = hc_swap32_S (decrypted_block[0]);
|
|
w1[1] = hc_swap32_S (decrypted_block[1]);
|
|
w1[2] = hc_swap32_S (decrypted_block[2]);
|
|
w1[3] = hc_swap32_S (decrypted_block[3]);
|
|
|
|
w2[0] = 0;
|
|
w2[1] = 0;
|
|
w2[2] = 0;
|
|
w2[3] = 0;
|
|
|
|
w3[0] = 0;
|
|
w3[1] = 0;
|
|
w3[2] = 0;
|
|
w3[3] = 0;
|
|
|
|
sha1_hmac_update_64 (&sha1_hmac_ctx, w0, w1, w2, w3, 32);
|
|
|
|
block_position += 8;
|
|
}
|
|
else if (edata2_left == 48)
|
|
{
|
|
block[0] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 0];
|
|
block[1] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 1];
|
|
block[2] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 2];
|
|
block[3] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 3];
|
|
block[4] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 4];
|
|
block[5] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 5];
|
|
block[6] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 6];
|
|
block[7] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 7];
|
|
block[8] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 8];
|
|
block[9] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 9];
|
|
block[10] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 10];
|
|
block[11] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 11];
|
|
|
|
aes256_decrypt_cbc (aes_cts_decrypt_ks, block, decrypted_block, aes_iv, s_td0, s_td1, s_td2, s_td3, s_td4);
|
|
|
|
w0[0] = hc_swap32_S (decrypted_block[0]);
|
|
w0[1] = hc_swap32_S (decrypted_block[1]);
|
|
w0[2] = hc_swap32_S (decrypted_block[2]);
|
|
w0[3] = hc_swap32_S (decrypted_block[3]);
|
|
|
|
aes256_decrypt_cbc (aes_cts_decrypt_ks, block + 4, decrypted_block, aes_iv, s_td0, s_td1, s_td2, s_td3, s_td4);
|
|
|
|
w1[0] = hc_swap32_S (decrypted_block[0]);
|
|
w1[1] = hc_swap32_S (decrypted_block[1]);
|
|
w1[2] = hc_swap32_S (decrypted_block[2]);
|
|
w1[3] = hc_swap32_S (decrypted_block[3]);
|
|
|
|
aes256_decrypt_cbc (aes_cts_decrypt_ks, block + 8, decrypted_block, aes_iv, s_td0, s_td1, s_td2, s_td3, s_td4);
|
|
|
|
w2[0] = hc_swap32_S (decrypted_block[0]);
|
|
w2[1] = hc_swap32_S (decrypted_block[1]);
|
|
w2[2] = hc_swap32_S (decrypted_block[2]);
|
|
w2[3] = hc_swap32_S (decrypted_block[3]);
|
|
|
|
w3[0] = 0;
|
|
w3[1] = 0;
|
|
w3[2] = 0;
|
|
w3[3] = 0;
|
|
|
|
sha1_hmac_update_64 (&sha1_hmac_ctx, w0, w1, w2, w3, 48);
|
|
|
|
block_position += 12;
|
|
}
|
|
|
|
/*
|
|
now all the ticket should be decrypted until block n-1 (not included)
|
|
and n
|
|
*/
|
|
|
|
// this is block n-2, it will be xored with the n-1 block later crafted
|
|
u32 last_block_cbc[4];
|
|
|
|
last_block_cbc[0] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[last_block_cbc_position + 0];
|
|
last_block_cbc[1] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[last_block_cbc_position + 1];
|
|
last_block_cbc[2] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[last_block_cbc_position + 2];
|
|
last_block_cbc[3] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[last_block_cbc_position + 3];
|
|
|
|
// n-1 block is decrypted separately from the previous blocks which were cbc decrypted
|
|
block[0] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 0];
|
|
block[1] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 1];
|
|
block[2] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 2];
|
|
block[3] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[block_position + 3];
|
|
|
|
aes256_decrypt (aes_cts_decrypt_ks, block, decrypted_block, s_td0, s_td1, s_td2, s_td3, s_td4);
|
|
|
|
u32 last_block[4];
|
|
|
|
int last_block_position = (edata2_len - last_block_size) / 4;
|
|
|
|
u32 n_1_crafted[4];
|
|
|
|
u32 last_plaintext[4];
|
|
|
|
last_plaintext[0] = 0;
|
|
last_plaintext[1] = 0;
|
|
last_plaintext[2] = 0;
|
|
last_plaintext[3] = 0;
|
|
|
|
/*
|
|
n-1 block is first computed as follows:
|
|
- fill n-1 block with the X first bytes of the encrypted last block (n)
|
|
with X == length of last block
|
|
- complete the rest of the block with
|
|
|
|
Final block (n) is computed as follows:
|
|
- fill with the X first bytes from n-1 block decrypted and xor them with last block (n)
|
|
with X == length of last block
|
|
*/
|
|
int remaining_blocks = last_block_size / 4;
|
|
|
|
/*
|
|
last block is not necessarily aligned on 4 bytes so we will have
|
|
to shift values for the CTS crap...
|
|
*/
|
|
u32 shift = last_block_size % 4;
|
|
|
|
u32 mask;
|
|
|
|
switch (remaining_blocks)
|
|
{
|
|
case 0:
|
|
|
|
last_block[0] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[last_block_position + 0];
|
|
|
|
mask = (0xffffffff >> ((4 - last_block_size) * 8));
|
|
|
|
last_plaintext[0] = last_block[0] ^ (decrypted_block[0] & mask);
|
|
last_plaintext[0] = hc_swap32_S (last_plaintext[0]);
|
|
|
|
n_1_crafted[0] = (last_block[0] & mask) | (decrypted_block[0] & (mask ^ 0xffffffff));
|
|
n_1_crafted[1] = decrypted_block[1];
|
|
n_1_crafted[2] = decrypted_block[2];
|
|
n_1_crafted[3] = decrypted_block[3];
|
|
break;
|
|
|
|
case 1:
|
|
|
|
last_block[0] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[last_block_position + 0];
|
|
|
|
if (shift == 0)
|
|
{
|
|
n_1_crafted[0] = last_block[0];
|
|
n_1_crafted[1] = decrypted_block[1];
|
|
n_1_crafted[2] = decrypted_block[2];
|
|
n_1_crafted[3] = decrypted_block[3];
|
|
|
|
last_plaintext[0] = last_block[0] ^ decrypted_block[0];
|
|
last_plaintext[0] = hc_swap32_S (last_plaintext[0]);
|
|
}
|
|
else
|
|
{
|
|
last_block[1] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[last_block_position + 1];
|
|
|
|
mask = (0xffffffff >> ((4 - (last_block_size % 4)) * 8));
|
|
|
|
last_plaintext[0] = last_block[0] ^ decrypted_block[0];
|
|
last_plaintext[1] = last_block[1] ^ (decrypted_block[1] & mask);
|
|
|
|
last_plaintext[0] = hc_swap32_S (last_plaintext[0]);
|
|
last_plaintext[1] = hc_swap32_S (last_plaintext[1]);
|
|
|
|
n_1_crafted[0] = last_block[0];
|
|
n_1_crafted[1] = (last_block[1] & mask) | (decrypted_block[1] & (mask ^ 0xffffffff));
|
|
n_1_crafted[2] = decrypted_block[2];
|
|
n_1_crafted[3] = decrypted_block[3];
|
|
}
|
|
break;
|
|
|
|
case 2:
|
|
|
|
last_block[0] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[last_block_position + 0];
|
|
last_block[1] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[last_block_position + 1];
|
|
|
|
if (shift == 0)
|
|
{
|
|
n_1_crafted[0] = last_block[0];
|
|
n_1_crafted[1] = last_block[1];
|
|
n_1_crafted[2] = decrypted_block[2];
|
|
n_1_crafted[3] = decrypted_block[3];
|
|
|
|
last_plaintext[0] = last_block[0] ^ decrypted_block[0];
|
|
last_plaintext[1] = last_block[1] ^ decrypted_block[1];
|
|
|
|
last_plaintext[0] = hc_swap32_S (last_plaintext[0]);
|
|
last_plaintext[1] = hc_swap32_S (last_plaintext[1]);
|
|
}
|
|
else
|
|
{
|
|
last_block[2] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[last_block_position + 2];
|
|
|
|
mask = (0xffffffff >> ((4 - (last_block_size % 4)) * 8));
|
|
|
|
last_plaintext[0] = last_block[0] ^ decrypted_block[0];
|
|
last_plaintext[1] = last_block[1] ^ decrypted_block[1];
|
|
last_plaintext[2] = last_block[2] ^ (decrypted_block[2] & mask);
|
|
|
|
last_plaintext[0] = hc_swap32_S (last_plaintext[0]);
|
|
last_plaintext[1] = hc_swap32_S (last_plaintext[1]);
|
|
last_plaintext[2] = hc_swap32_S (last_plaintext[2]);
|
|
|
|
n_1_crafted[0] = last_block[0];
|
|
n_1_crafted[1] = last_block[1];
|
|
n_1_crafted[2] = (last_block[2] & mask) | (decrypted_block[2] & (mask ^ 0xffffffff));
|
|
n_1_crafted[3] = decrypted_block[3];
|
|
}
|
|
break;
|
|
|
|
case 3:
|
|
|
|
last_block[0] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[last_block_position + 0];
|
|
last_block[1] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[last_block_position + 1];
|
|
last_block[2] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[last_block_position + 2];
|
|
|
|
if (shift == 0)
|
|
{
|
|
n_1_crafted[0] = last_block[0];
|
|
n_1_crafted[1] = last_block[1];
|
|
n_1_crafted[2] = last_block[2];
|
|
n_1_crafted[3] = decrypted_block[3];
|
|
|
|
last_plaintext[0] = last_block[0] ^ decrypted_block[0];
|
|
last_plaintext[1] = last_block[1] ^ decrypted_block[1];
|
|
last_plaintext[2] = last_block[2] ^ decrypted_block[2];
|
|
|
|
last_plaintext[0] = hc_swap32_S (last_plaintext[0]);
|
|
last_plaintext[1] = hc_swap32_S (last_plaintext[1]);
|
|
last_plaintext[2] = hc_swap32_S (last_plaintext[2]);
|
|
}
|
|
else
|
|
{
|
|
last_block[3] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[last_block_position + 3];
|
|
|
|
mask = (0xffffffff >> ((4 - (last_block_size % 4)) * 8));
|
|
|
|
last_plaintext[0] = last_block[0] ^ decrypted_block[0];
|
|
last_plaintext[1] = last_block[1] ^ decrypted_block[1];
|
|
last_plaintext[2] = last_block[2] ^ decrypted_block[2];
|
|
last_plaintext[3] = last_block[3] ^ (decrypted_block[3] & mask);
|
|
|
|
last_plaintext[0] = hc_swap32_S (last_plaintext[0]);
|
|
last_plaintext[1] = hc_swap32_S (last_plaintext[1]);
|
|
last_plaintext[2] = hc_swap32_S (last_plaintext[2]);
|
|
last_plaintext[3] = hc_swap32_S (last_plaintext[3]);
|
|
|
|
n_1_crafted[0] = last_block[0];
|
|
n_1_crafted[1] = last_block[1];
|
|
n_1_crafted[2] = last_block[2];
|
|
n_1_crafted[3] = (last_block[3] & mask) | (decrypted_block[3] & (mask ^ 0xffffffff));
|
|
}
|
|
break;
|
|
|
|
case 4:
|
|
|
|
last_block[0] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[last_block_position + 0];
|
|
last_block[1] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[last_block_position + 1];
|
|
last_block[2] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[last_block_position + 2];
|
|
last_block[3] = esalt_bufs[DIGESTS_OFFSET_HOST].edata2[last_block_position + 3];
|
|
|
|
n_1_crafted[0] = last_block[0];
|
|
n_1_crafted[1] = last_block[1];
|
|
n_1_crafted[2] = last_block[2];
|
|
n_1_crafted[3] = last_block[3];
|
|
|
|
last_plaintext[0] = last_block[0] ^ decrypted_block[0];
|
|
last_plaintext[1] = last_block[1] ^ decrypted_block[1];
|
|
last_plaintext[2] = last_block[2] ^ decrypted_block[2];
|
|
last_plaintext[3] = last_block[3] ^ decrypted_block[3];
|
|
|
|
last_plaintext[0] = hc_swap32_S (last_plaintext[0]);
|
|
last_plaintext[1] = hc_swap32_S (last_plaintext[1]);
|
|
last_plaintext[2] = hc_swap32_S (last_plaintext[2]);
|
|
last_plaintext[3] = hc_swap32_S (last_plaintext[3]);
|
|
break;
|
|
|
|
default:
|
|
return;
|
|
}
|
|
|
|
|
|
// then decrypt this newly created n-1 with 'ke'
|
|
aes256_decrypt (aes_cts_decrypt_ks, n_1_crafted, n_1_crafted, s_td0, s_td1, s_td2, s_td3, s_td4);
|
|
|
|
// then xor with the encrypted n-2 block
|
|
n_1_crafted[0] ^= last_block_cbc[0];
|
|
n_1_crafted[1] ^= last_block_cbc[1];
|
|
n_1_crafted[2] ^= last_block_cbc[2];
|
|
n_1_crafted[3] ^= last_block_cbc[3];
|
|
|
|
w0[0] = hc_swap32_S (n_1_crafted[0]);
|
|
w0[1] = hc_swap32_S (n_1_crafted[1]);
|
|
w0[2] = hc_swap32_S (n_1_crafted[2]);
|
|
w0[3] = hc_swap32_S (n_1_crafted[3]);
|
|
|
|
w1[0] = last_plaintext[0];
|
|
w1[1] = last_plaintext[1];
|
|
w1[2] = last_plaintext[2];
|
|
w1[3] = last_plaintext[3];
|
|
|
|
w2[0] = 0;
|
|
w2[1] = 0;
|
|
w2[2] = 0;
|
|
w2[3] = 0;
|
|
|
|
w3[0] = 0;
|
|
w3[1] = 0;
|
|
w3[2] = 0;
|
|
w3[3] = 0;
|
|
|
|
sha1_hmac_update_64 (&sha1_hmac_ctx, w0, w1, w2, w3, 16 + last_block_size);
|
|
|
|
sha1_hmac_final (&sha1_hmac_ctx);
|
|
|
|
if (sha1_hmac_ctx.opad.h[0] == esalt_bufs[DIGESTS_OFFSET_HOST].checksum[0]
|
|
&& sha1_hmac_ctx.opad.h[1] == esalt_bufs[DIGESTS_OFFSET_HOST].checksum[1]
|
|
&& sha1_hmac_ctx.opad.h[2] == esalt_bufs[DIGESTS_OFFSET_HOST].checksum[2])
|
|
{
|
|
if (hc_atomic_inc (&hashes_shown[DIGESTS_OFFSET_HOST]) == 0)
|
|
{
|
|
#define il_pos 0
|
|
mark_hash (plains_buf, d_return_buf, SALT_POS_HOST, DIGESTS_CNT, 0, DIGESTS_OFFSET_HOST + 0, gid, il_pos, 0, 0);
|
|
}
|
|
}
|
|
}
|
|
}
|