mirror of
https://github.com/hashcat/hashcat.git
synced 2024-11-14 03:39:09 +00:00
462 lines
12 KiB
Common Lisp
462 lines
12 KiB
Common Lisp
/**
|
|
* Author......: See docs/credits.txt
|
|
* License.....: MIT
|
|
*/
|
|
|
|
#define NEW_SIMD_CODE
|
|
|
|
#ifdef KERNEL_STATIC
|
|
#include M2S(INCLUDE_PATH/inc_vendor.h)
|
|
#include M2S(INCLUDE_PATH/inc_types.h)
|
|
#include M2S(INCLUDE_PATH/inc_platform.cl)
|
|
#include M2S(INCLUDE_PATH/inc_common.cl)
|
|
#include M2S(INCLUDE_PATH/inc_simd.cl)
|
|
#include M2S(INCLUDE_PATH/inc_hash_sha256.cl)
|
|
#include M2S(INCLUDE_PATH/inc_cipher_aes.cl)
|
|
#include M2S(INCLUDE_PATH/inc_cipher_aes-gcm.cl)
|
|
#endif
|
|
|
|
#define COMPARE_S M2S(INCLUDE_PATH/inc_comp_single.cl)
|
|
#define COMPARE_M M2S(INCLUDE_PATH/inc_comp_multi.cl)
|
|
|
|
typedef struct pbkdf2_sha256_tmp
|
|
{
|
|
u32 ipad[8];
|
|
u32 opad[8];
|
|
|
|
u32 dgst[32];
|
|
u32 out[32];
|
|
|
|
} pbkdf2_sha256_tmp_t;
|
|
|
|
typedef struct onepassword8
|
|
{
|
|
u32 hkdf_salt_buf[8];
|
|
u32 hkdf_key_buf[8];
|
|
u32 tag_buf[4];
|
|
|
|
u32 iv_buf[4];
|
|
int iv_len;
|
|
|
|
u32 email_buf[64];
|
|
int email_len;
|
|
|
|
u32 ct_buf[1024];
|
|
int ct_len;
|
|
|
|
} onepassword8_t;
|
|
|
|
DECLSPEC void hmac_sha256_run_V (PRIVATE_AS u32x *w0, PRIVATE_AS u32x *w1, PRIVATE_AS u32x *w2, PRIVATE_AS u32x *w3, PRIVATE_AS u32x *ipad, PRIVATE_AS u32x *opad, PRIVATE_AS u32x *digest)
|
|
{
|
|
digest[0] = ipad[0];
|
|
digest[1] = ipad[1];
|
|
digest[2] = ipad[2];
|
|
digest[3] = ipad[3];
|
|
digest[4] = ipad[4];
|
|
digest[5] = ipad[5];
|
|
digest[6] = ipad[6];
|
|
digest[7] = ipad[7];
|
|
|
|
sha256_transform_vector (w0, w1, w2, w3, digest);
|
|
|
|
w0[0] = digest[0];
|
|
w0[1] = digest[1];
|
|
w0[2] = digest[2];
|
|
w0[3] = digest[3];
|
|
w1[0] = digest[4];
|
|
w1[1] = digest[5];
|
|
w1[2] = digest[6];
|
|
w1[3] = digest[7];
|
|
w2[0] = 0x80000000;
|
|
w2[1] = 0;
|
|
w2[2] = 0;
|
|
w2[3] = 0;
|
|
w3[0] = 0;
|
|
w3[1] = 0;
|
|
w3[2] = 0;
|
|
w3[3] = (64 + 32) * 8;
|
|
|
|
digest[0] = opad[0];
|
|
digest[1] = opad[1];
|
|
digest[2] = opad[2];
|
|
digest[3] = opad[3];
|
|
digest[4] = opad[4];
|
|
digest[5] = opad[5];
|
|
digest[6] = opad[6];
|
|
digest[7] = opad[7];
|
|
|
|
sha256_transform_vector (w0, w1, w2, w3, digest);
|
|
}
|
|
|
|
KERNEL_FQ void m31800_init (KERN_ATTR_TMPS_ESALT (pbkdf2_sha256_tmp_t, onepassword8_t))
|
|
{
|
|
/**
|
|
* base
|
|
*/
|
|
|
|
const u64 gid = get_global_id (0);
|
|
|
|
if (gid >= GID_CNT) return;
|
|
|
|
sha256_hmac_ctx_t sha256_hmac_ctx;
|
|
|
|
sha256_hmac_init_global_swap (&sha256_hmac_ctx, pws[gid].i, pws[gid].pw_len);
|
|
|
|
tmps[gid].ipad[0] = sha256_hmac_ctx.ipad.h[0];
|
|
tmps[gid].ipad[1] = sha256_hmac_ctx.ipad.h[1];
|
|
tmps[gid].ipad[2] = sha256_hmac_ctx.ipad.h[2];
|
|
tmps[gid].ipad[3] = sha256_hmac_ctx.ipad.h[3];
|
|
tmps[gid].ipad[4] = sha256_hmac_ctx.ipad.h[4];
|
|
tmps[gid].ipad[5] = sha256_hmac_ctx.ipad.h[5];
|
|
tmps[gid].ipad[6] = sha256_hmac_ctx.ipad.h[6];
|
|
tmps[gid].ipad[7] = sha256_hmac_ctx.ipad.h[7];
|
|
|
|
tmps[gid].opad[0] = sha256_hmac_ctx.opad.h[0];
|
|
tmps[gid].opad[1] = sha256_hmac_ctx.opad.h[1];
|
|
tmps[gid].opad[2] = sha256_hmac_ctx.opad.h[2];
|
|
tmps[gid].opad[3] = sha256_hmac_ctx.opad.h[3];
|
|
tmps[gid].opad[4] = sha256_hmac_ctx.opad.h[4];
|
|
tmps[gid].opad[5] = sha256_hmac_ctx.opad.h[5];
|
|
tmps[gid].opad[6] = sha256_hmac_ctx.opad.h[6];
|
|
tmps[gid].opad[7] = sha256_hmac_ctx.opad.h[7];
|
|
|
|
u32 salt_buf[16];
|
|
|
|
salt_buf[ 0] = esalt_bufs[DIGESTS_OFFSET_HOST].hkdf_salt_buf[0];
|
|
salt_buf[ 1] = esalt_bufs[DIGESTS_OFFSET_HOST].hkdf_salt_buf[1];
|
|
salt_buf[ 2] = esalt_bufs[DIGESTS_OFFSET_HOST].hkdf_salt_buf[2];
|
|
salt_buf[ 3] = esalt_bufs[DIGESTS_OFFSET_HOST].hkdf_salt_buf[3];
|
|
salt_buf[ 4] = esalt_bufs[DIGESTS_OFFSET_HOST].hkdf_salt_buf[4];
|
|
salt_buf[ 5] = esalt_bufs[DIGESTS_OFFSET_HOST].hkdf_salt_buf[5];
|
|
salt_buf[ 6] = esalt_bufs[DIGESTS_OFFSET_HOST].hkdf_salt_buf[6];
|
|
salt_buf[ 7] = esalt_bufs[DIGESTS_OFFSET_HOST].hkdf_salt_buf[7];
|
|
salt_buf[ 8] = 0;
|
|
salt_buf[ 9] = 0;
|
|
salt_buf[10] = 0;
|
|
salt_buf[11] = 0;
|
|
salt_buf[12] = 0;
|
|
salt_buf[13] = 0;
|
|
salt_buf[14] = 0;
|
|
salt_buf[15] = 0;
|
|
|
|
sha256_hmac_update (&sha256_hmac_ctx, salt_buf, 32);
|
|
|
|
for (u32 i = 0, j = 1; i < 8; i += 8, j += 1)
|
|
{
|
|
sha256_hmac_ctx_t sha256_hmac_ctx2 = sha256_hmac_ctx;
|
|
|
|
u32 w0[4];
|
|
u32 w1[4];
|
|
u32 w2[4];
|
|
u32 w3[4];
|
|
|
|
w0[0] = j;
|
|
w0[1] = 0;
|
|
w0[2] = 0;
|
|
w0[3] = 0;
|
|
w1[0] = 0;
|
|
w1[1] = 0;
|
|
w1[2] = 0;
|
|
w1[3] = 0;
|
|
w2[0] = 0;
|
|
w2[1] = 0;
|
|
w2[2] = 0;
|
|
w2[3] = 0;
|
|
w3[0] = 0;
|
|
w3[1] = 0;
|
|
w3[2] = 0;
|
|
w3[3] = 0;
|
|
|
|
sha256_hmac_update_64 (&sha256_hmac_ctx2, w0, w1, w2, w3, 4);
|
|
|
|
sha256_hmac_final (&sha256_hmac_ctx2);
|
|
|
|
tmps[gid].dgst[i + 0] = sha256_hmac_ctx2.opad.h[0];
|
|
tmps[gid].dgst[i + 1] = sha256_hmac_ctx2.opad.h[1];
|
|
tmps[gid].dgst[i + 2] = sha256_hmac_ctx2.opad.h[2];
|
|
tmps[gid].dgst[i + 3] = sha256_hmac_ctx2.opad.h[3];
|
|
tmps[gid].dgst[i + 4] = sha256_hmac_ctx2.opad.h[4];
|
|
tmps[gid].dgst[i + 5] = sha256_hmac_ctx2.opad.h[5];
|
|
tmps[gid].dgst[i + 6] = sha256_hmac_ctx2.opad.h[6];
|
|
tmps[gid].dgst[i + 7] = sha256_hmac_ctx2.opad.h[7];
|
|
|
|
tmps[gid].out[i + 0] = tmps[gid].dgst[i + 0];
|
|
tmps[gid].out[i + 1] = tmps[gid].dgst[i + 1];
|
|
tmps[gid].out[i + 2] = tmps[gid].dgst[i + 2];
|
|
tmps[gid].out[i + 3] = tmps[gid].dgst[i + 3];
|
|
tmps[gid].out[i + 4] = tmps[gid].dgst[i + 4];
|
|
tmps[gid].out[i + 5] = tmps[gid].dgst[i + 5];
|
|
tmps[gid].out[i + 6] = tmps[gid].dgst[i + 6];
|
|
tmps[gid].out[i + 7] = tmps[gid].dgst[i + 7];
|
|
}
|
|
}
|
|
|
|
KERNEL_FQ void m31800_loop (KERN_ATTR_TMPS_ESALT (pbkdf2_sha256_tmp_t, onepassword8_t))
|
|
{
|
|
const u64 gid = get_global_id (0);
|
|
|
|
if ((gid * VECT_SIZE) >= GID_CNT) return;
|
|
|
|
u32x ipad[8];
|
|
u32x opad[8];
|
|
|
|
ipad[0] = packv (tmps, ipad, gid, 0);
|
|
ipad[1] = packv (tmps, ipad, gid, 1);
|
|
ipad[2] = packv (tmps, ipad, gid, 2);
|
|
ipad[3] = packv (tmps, ipad, gid, 3);
|
|
ipad[4] = packv (tmps, ipad, gid, 4);
|
|
ipad[5] = packv (tmps, ipad, gid, 5);
|
|
ipad[6] = packv (tmps, ipad, gid, 6);
|
|
ipad[7] = packv (tmps, ipad, gid, 7);
|
|
|
|
opad[0] = packv (tmps, opad, gid, 0);
|
|
opad[1] = packv (tmps, opad, gid, 1);
|
|
opad[2] = packv (tmps, opad, gid, 2);
|
|
opad[3] = packv (tmps, opad, gid, 3);
|
|
opad[4] = packv (tmps, opad, gid, 4);
|
|
opad[5] = packv (tmps, opad, gid, 5);
|
|
opad[6] = packv (tmps, opad, gid, 6);
|
|
opad[7] = packv (tmps, opad, gid, 7);
|
|
|
|
for (u32 i = 0; i < 8; i += 8)
|
|
{
|
|
u32x dgst[8];
|
|
u32x out[8];
|
|
|
|
dgst[0] = packv (tmps, dgst, gid, i + 0);
|
|
dgst[1] = packv (tmps, dgst, gid, i + 1);
|
|
dgst[2] = packv (tmps, dgst, gid, i + 2);
|
|
dgst[3] = packv (tmps, dgst, gid, i + 3);
|
|
dgst[4] = packv (tmps, dgst, gid, i + 4);
|
|
dgst[5] = packv (tmps, dgst, gid, i + 5);
|
|
dgst[6] = packv (tmps, dgst, gid, i + 6);
|
|
dgst[7] = packv (tmps, dgst, gid, i + 7);
|
|
|
|
out[0] = packv (tmps, out, gid, i + 0);
|
|
out[1] = packv (tmps, out, gid, i + 1);
|
|
out[2] = packv (tmps, out, gid, i + 2);
|
|
out[3] = packv (tmps, out, gid, i + 3);
|
|
out[4] = packv (tmps, out, gid, i + 4);
|
|
out[5] = packv (tmps, out, gid, i + 5);
|
|
out[6] = packv (tmps, out, gid, i + 6);
|
|
out[7] = packv (tmps, out, gid, i + 7);
|
|
|
|
for (u32 j = 0; j < LOOP_CNT; j++)
|
|
{
|
|
u32x w0[4];
|
|
u32x w1[4];
|
|
u32x w2[4];
|
|
u32x w3[4];
|
|
|
|
w0[0] = dgst[0];
|
|
w0[1] = dgst[1];
|
|
w0[2] = dgst[2];
|
|
w0[3] = dgst[3];
|
|
w1[0] = dgst[4];
|
|
w1[1] = dgst[5];
|
|
w1[2] = dgst[6];
|
|
w1[3] = dgst[7];
|
|
w2[0] = 0x80000000;
|
|
w2[1] = 0;
|
|
w2[2] = 0;
|
|
w2[3] = 0;
|
|
w3[0] = 0;
|
|
w3[1] = 0;
|
|
w3[2] = 0;
|
|
w3[3] = (64 + 32) * 8;
|
|
|
|
hmac_sha256_run_V (w0, w1, w2, w3, ipad, opad, dgst);
|
|
|
|
out[0] ^= dgst[0];
|
|
out[1] ^= dgst[1];
|
|
out[2] ^= dgst[2];
|
|
out[3] ^= dgst[3];
|
|
out[4] ^= dgst[4];
|
|
out[5] ^= dgst[5];
|
|
out[6] ^= dgst[6];
|
|
out[7] ^= dgst[7];
|
|
}
|
|
|
|
unpackv (tmps, dgst, gid, i + 0, dgst[0]);
|
|
unpackv (tmps, dgst, gid, i + 1, dgst[1]);
|
|
unpackv (tmps, dgst, gid, i + 2, dgst[2]);
|
|
unpackv (tmps, dgst, gid, i + 3, dgst[3]);
|
|
unpackv (tmps, dgst, gid, i + 4, dgst[4]);
|
|
unpackv (tmps, dgst, gid, i + 5, dgst[5]);
|
|
unpackv (tmps, dgst, gid, i + 6, dgst[6]);
|
|
unpackv (tmps, dgst, gid, i + 7, dgst[7]);
|
|
|
|
unpackv (tmps, out, gid, i + 0, out[0]);
|
|
unpackv (tmps, out, gid, i + 1, out[1]);
|
|
unpackv (tmps, out, gid, i + 2, out[2]);
|
|
unpackv (tmps, out, gid, i + 3, out[3]);
|
|
unpackv (tmps, out, gid, i + 4, out[4]);
|
|
unpackv (tmps, out, gid, i + 5, out[5]);
|
|
unpackv (tmps, out, gid, i + 6, out[6]);
|
|
unpackv (tmps, out, gid, i + 7, out[7]);
|
|
}
|
|
}
|
|
|
|
KERNEL_FQ void m31800_comp (KERN_ATTR_TMPS_ESALT (pbkdf2_sha256_tmp_t, onepassword8_t))
|
|
{
|
|
const u64 gid = get_global_id (0);
|
|
const u64 lid = get_local_id (0);
|
|
const u64 lsz = get_local_size (0);
|
|
|
|
/**
|
|
* aes shared
|
|
*/
|
|
|
|
#ifdef REAL_SHM
|
|
|
|
LOCAL_VK u32 s_te0[256];
|
|
LOCAL_VK u32 s_te1[256];
|
|
LOCAL_VK u32 s_te2[256];
|
|
LOCAL_VK u32 s_te3[256];
|
|
LOCAL_VK u32 s_te4[256];
|
|
|
|
for (u32 i = lid; i < 256; i += lsz)
|
|
{
|
|
s_te0[i] = te0[i];
|
|
s_te1[i] = te1[i];
|
|
s_te2[i] = te2[i];
|
|
s_te3[i] = te3[i];
|
|
s_te4[i] = te4[i];
|
|
}
|
|
|
|
SYNC_THREADS ();
|
|
|
|
#else
|
|
|
|
CONSTANT_AS u32a *s_te0 = te0;
|
|
CONSTANT_AS u32a *s_te1 = te1;
|
|
CONSTANT_AS u32a *s_te2 = te2;
|
|
CONSTANT_AS u32a *s_te3 = te3;
|
|
CONSTANT_AS u32a *s_te4 = te4;
|
|
|
|
#endif
|
|
|
|
if (gid >= GID_CNT) return;
|
|
|
|
const u32 digest_pos = LOOP_POS;
|
|
|
|
const u32 digest_cur = DIGESTS_OFFSET_HOST + digest_pos;
|
|
|
|
GLOBAL_AS const onepassword8_t *onepassword8 = &esalt_bufs[digest_cur];
|
|
|
|
// keys
|
|
|
|
u32 hkdf_key[8];
|
|
|
|
hkdf_key[0] = onepassword8->hkdf_key_buf[0];
|
|
hkdf_key[1] = onepassword8->hkdf_key_buf[1];
|
|
hkdf_key[2] = onepassword8->hkdf_key_buf[2];
|
|
hkdf_key[3] = onepassword8->hkdf_key_buf[3];
|
|
hkdf_key[4] = onepassword8->hkdf_key_buf[4];
|
|
hkdf_key[5] = onepassword8->hkdf_key_buf[5];
|
|
hkdf_key[6] = onepassword8->hkdf_key_buf[6];
|
|
hkdf_key[7] = onepassword8->hkdf_key_buf[7];
|
|
|
|
u32 out[8];
|
|
|
|
out[0] = tmps[gid].out[0];
|
|
out[1] = tmps[gid].out[1];
|
|
out[2] = tmps[gid].out[2];
|
|
out[3] = tmps[gid].out[3];
|
|
out[4] = tmps[gid].out[4];
|
|
out[5] = tmps[gid].out[5];
|
|
out[6] = tmps[gid].out[6];
|
|
out[7] = tmps[gid].out[7];
|
|
|
|
u32 muk[8];
|
|
|
|
muk[0] = out[0] ^ hkdf_key[0];
|
|
muk[1] = out[1] ^ hkdf_key[1];
|
|
muk[2] = out[2] ^ hkdf_key[2];
|
|
muk[3] = out[3] ^ hkdf_key[3];
|
|
muk[4] = out[4] ^ hkdf_key[4];
|
|
muk[5] = out[5] ^ hkdf_key[5];
|
|
muk[6] = out[6] ^ hkdf_key[6];
|
|
muk[7] = out[7] ^ hkdf_key[7];
|
|
|
|
u32 key_len = 32 * 8;
|
|
|
|
u32 key[60] = { 0 };
|
|
u32 subKey[4] = { 0 };
|
|
|
|
AES_GCM_Init (muk, key_len, key, subKey, s_te0, s_te1, s_te2, s_te3, s_te4);
|
|
|
|
// iv
|
|
|
|
u32 iv[4];
|
|
|
|
iv[0] = onepassword8->iv_buf[0];
|
|
iv[1] = onepassword8->iv_buf[1];
|
|
iv[2] = onepassword8->iv_buf[2];
|
|
iv[3] = onepassword8->iv_buf[3];
|
|
|
|
const u32 iv_len = onepassword8->iv_len;
|
|
|
|
u32 J0[4] = { 0 };
|
|
|
|
AES_GCM_Prepare_J0 (iv, iv_len, subKey, J0);
|
|
|
|
u32 ct[8];
|
|
|
|
ct[0] = onepassword8->ct_buf[0];
|
|
ct[1] = onepassword8->ct_buf[1];
|
|
ct[2] = onepassword8->ct_buf[2];
|
|
ct[3] = onepassword8->ct_buf[3];
|
|
ct[4] = onepassword8->ct_buf[4];
|
|
ct[5] = onepassword8->ct_buf[5];
|
|
ct[6] = onepassword8->ct_buf[6];
|
|
ct[7] = onepassword8->ct_buf[7];
|
|
|
|
u32 pt[8] = { 0 };
|
|
|
|
AES_GCM_decrypt (key, J0, ct, 32, pt, s_te0, s_te1, s_te2, s_te3, s_te4);
|
|
|
|
const int correct = is_valid_printable_32 (pt[0])
|
|
+ is_valid_printable_32 (pt[1])
|
|
+ is_valid_printable_32 (pt[2])
|
|
+ is_valid_printable_32 (pt[3])
|
|
+ is_valid_printable_32 (pt[4])
|
|
+ is_valid_printable_32 (pt[5])
|
|
+ is_valid_printable_32 (pt[6])
|
|
+ is_valid_printable_32 (pt[7]);
|
|
|
|
if (correct != 8) return;
|
|
|
|
/*
|
|
const int pt_len = 28; // not using 32 byte but 28 because our UTF8 allows up to 4 byte per character and since we decrypt 32 byte
|
|
// only we can't guarantee it is not in the middle of a UTF8 byte stream at that point
|
|
|
|
if (hc_enc_scan (pt, pt_len))
|
|
{
|
|
hc_enc_t hc_enc;
|
|
|
|
hc_enc_init (&hc_enc);
|
|
|
|
while (hc_enc_has_next (&hc_enc, pt_len))
|
|
{
|
|
u32 enc_buf[16] = { 0 };
|
|
|
|
const int enc_len = hc_enc_next (&hc_enc, pt, pt_len, 32, enc_buf, sizeof (enc_buf));
|
|
|
|
if (enc_len == -1) return;
|
|
}
|
|
}
|
|
*/
|
|
|
|
const u32 r0 = ct[0];
|
|
const u32 r1 = ct[1];
|
|
const u32 r2 = ct[2];
|
|
const u32 r3 = ct[3];
|
|
|
|
#define il_pos 0
|
|
|
|
#ifdef KERNEL_STATIC
|
|
#include COMPARE_M
|
|
#endif
|
|
}
|