1 /*
2  * Drupal 7 phpass variant using SHA-512 and hashes cut at 258 bits.
3  *
4  * This software is Copyright (c) 2012 magnum, and it is hereby released to the
5  * general public under the following terms:  Redistribution and use in source
6  * and binary forms, with or without modification, are permitted.
7  *
8  * These are 8 byte salted hashes with a loop count that defines the number
9  * of loops to compute. Drupal uses 258 bits of the hash, this is a multiple of
10  * 6 but not 8. I presume this is for getting unpadded base64. Anyway we store
11  * an extra byte but for now we will only compare 256 bits. I doubt that will
12  * pose any problems. Actually I'm not quite sure the last bits end up correct
13  * from the current version of get_binary().
14  *
15  * Based on [old thick] phpass-md5.
16  */
17 
18 #if FMT_EXTERNS_H
19 extern struct fmt_main fmt_drupal7;
20 #elif FMT_REGISTERS_H
21 john_register_one(&fmt_drupal7);
22 #else
23 
24 #ifdef _OPENMP
25 #include <omp.h>
26 #endif
27 
28 #include "sha2.h"
29 #include "arch.h"
30 #include "misc.h"
31 #include "common.h"
32 #include "formats.h"
33 #include "johnswap.h"
34 #include "simd-intrinsics.h"
35 #include "drupal7_common.h"
36 
37 #define FORMAT_LABEL			"Drupal7"
38 #define ALGORITHM_NAME			"SHA512 " SHA512_ALGORITHM_NAME
39 
40 #define PLAINTEXT_LENGTH		47
41 
42 #define DIGEST_SIZE			(512/8)
43 
44 #define BINARY_SIZE			(258/8) // ((258+7)/8)
45 #define BINARY_ALIGN			4
46 
47 #ifndef OMP_SCALE
48 #define OMP_SCALE			1
49 #endif
50 
51 #ifdef SIMD_COEF_64
52 #define MIN_KEYS_PER_CRYPT      (SIMD_COEF_64*SIMD_PARA_SHA512)
53 #define MAX_KEYS_PER_CRYPT      (SIMD_COEF_64*SIMD_PARA_SHA512)
54 #if ARCH_LITTLE_ENDIAN
55 #define GETPOS(i, index)        ( (index&(SIMD_COEF_64-1))*8 + ((i)&(0xffffffff-7))*SIMD_COEF_64 + (7-((i)&7)) + (unsigned int)index/SIMD_COEF_64*SHA_BUF_SIZ*SIMD_COEF_64*8 )
56 #else
57 #define GETPOS(i, index)        ( (index&(SIMD_COEF_64-1))*8 + ((i)&(0xffffffff-7))*SIMD_COEF_64 + ((i)&7) + (unsigned int)index/SIMD_COEF_64*SHA_BUF_SIZ*SIMD_COEF_64*8 )
58 #endif
59 #else
60 #define MIN_KEYS_PER_CRYPT		1
61 #define MAX_KEYS_PER_CRYPT		2
62 #endif
63 
64 /*
65  * NOTE, due to the 0x4000 iteration count, I am not wasting time pre-loading
66  * keys/salts.  We will simply add SIMD code to the crypt_all.  We could only
67  * gain < .1% worrying about all the extra stuff from set_key, get_key, the
68  * hashes, etc needed to split out SIMD.  We just keep all input data in 'flat'
69  * format, switch to SIMD, do the 0x4000 loops, and put output back into 'flat'
70  * layout again.  So we have no 'static' SIMD objects.
71  */
72 static unsigned char *cursalt;
73 static unsigned loopCnt;
74 static unsigned char (*EncKey)[PLAINTEXT_LENGTH + 1];
75 static unsigned int *EncKeyLen;
76 static char (*crypt_key)[DIGEST_SIZE];
77 
init(struct fmt_main * self)78 static void init(struct fmt_main *self)
79 {
80 	omp_autotune(self, OMP_SCALE);
81 
82 	EncKey    = mem_calloc(self->params.max_keys_per_crypt,
83 	                       sizeof(*EncKey));
84 	EncKeyLen = mem_calloc(self->params.max_keys_per_crypt,
85 	                       sizeof(*EncKeyLen));
86 	crypt_key = mem_calloc(self->params.max_keys_per_crypt,
87 	                       sizeof(*crypt_key));
88 }
89 
done(void)90 static void done(void)
91 {
92 	MEM_FREE(crypt_key);
93 	MEM_FREE(EncKeyLen);
94 	MEM_FREE(EncKey);
95 }
96 
set_salt(void * salt)97 static void set_salt(void *salt)
98 {
99 	loopCnt = (1 << (atoi64[ARCH_INDEX(((char*)salt)[8])]));
100 	cursalt = salt;
101 }
102 
set_key(char * key,int index)103 static void set_key(char *key, int index)
104 {
105 	EncKeyLen[index] = strnzcpyn((char*)EncKey[index], key, sizeof(*EncKey));
106 }
107 
get_key(int index)108 static char *get_key(int index)
109 {
110 	return (char*)EncKey[index];
111 }
112 
cmp_all(void * binary,int count)113 static int cmp_all(void *binary, int count)
114 {
115 	int index;
116 
117 	for (index = 0; index < count; index++)
118 		if (!memcmp(binary, crypt_key[index], ARCH_SIZE))
119 			return 1;
120 	return 0;
121 }
122 
cmp_one(void * binary,int index)123 static int cmp_one(void *binary, int index)
124 {
125 	return !memcmp(binary, crypt_key[index], BINARY_SIZE);
126 }
127 
cmp_exact(char * source,int index)128 static int cmp_exact(char *source, int index)
129 {
130 	return 1;
131 }
132 
crypt_all(int * pcount,struct db_salt * salt)133 static int crypt_all(int *pcount, struct db_salt *salt)
134 {
135 	const int count = *pcount;
136 	int index;
137 
138 #ifdef _OPENMP
139 #pragma omp parallel for
140 #endif
141 	for (index = 0; index < count; index+=MIN_KEYS_PER_CRYPT) {
142 #ifdef SIMD_COEF_64
143 		unsigned char _IBuf[128*MIN_KEYS_PER_CRYPT+MEM_ALIGN_CACHE], *keys;
144 		uint64_t *keys64;
145 		unsigned i, j, len, Lcount = loopCnt;
146 
147 		keys = (unsigned char*)mem_align(_IBuf, MEM_ALIGN_CACHE);
148 		keys64 = (uint64_t*)keys;
149 		memset(keys, 0, 128*MIN_KEYS_PER_CRYPT);
150 		for (i = 0; i < MIN_KEYS_PER_CRYPT; ++i) {
151 			len = EncKeyLen[index+i];
152 			for (j = 0; j < 8; ++j)
153 				keys[GETPOS(j, i)] = cursalt[j];
154 			for (j = 0; j < len; ++j)
155 				keys[GETPOS(j+8, i)] = EncKey[index+i][j];
156 			keys[GETPOS(j+8, i)] = 0x80;
157 			keys64[15*SIMD_COEF_64+(i&(SIMD_COEF_64-1))+i/SIMD_COEF_64*SHA_BUF_SIZ*SIMD_COEF_64] = (len+8) << 3;
158 		}
159 		SIMDSHA512body(keys, keys64, NULL, SSEi_MIXED_IN|SSEi_OUTPUT_AS_INP_FMT);
160 		for (i = 0; i < MIN_KEYS_PER_CRYPT; ++i) {
161 			len = EncKeyLen[index+i];
162 			for (j = 0; j < len; ++j)
163 				keys[GETPOS(j+64, i)] = EncKey[index+i][j];
164 			keys[GETPOS(j+64, i)] = 0x80;
165 			keys64[15*SIMD_COEF_64+(i&(SIMD_COEF_64-1))+i/SIMD_COEF_64*SHA_BUF_SIZ*SIMD_COEF_64] = (len+64) << 3;
166 		}
167 		while (--Lcount)
168 			SIMDSHA512body(keys, keys64, NULL, SSEi_MIXED_IN|SSEi_OUTPUT_AS_INP_FMT);
169 
170 		// Last one with FLAT_OUT
171 		SIMDSHA512body(keys, (uint64_t*)crypt_key[index], NULL, SSEi_MIXED_IN|SSEi_OUTPUT_AS_INP_FMT|SSEi_FLAT_OUT);
172 #else
173 		SHA512_CTX ctx;
174 		unsigned char tmp[DIGEST_SIZE + PLAINTEXT_LENGTH];
175 		int len = EncKeyLen[index];
176 		unsigned Lcount = loopCnt - 1;
177 
178 		SHA512_Init( &ctx );
179 		SHA512_Update( &ctx, cursalt, 8 );
180 		SHA512_Update( &ctx, EncKey[index], len );
181 		memcpy(&tmp[DIGEST_SIZE], (char *)EncKey[index], len);
182 		SHA512_Final( tmp, &ctx);
183 		len += DIGEST_SIZE;
184 
185 		do {
186 			SHA512_Init( &ctx );
187 			SHA512_Update( &ctx, tmp, len);
188 			SHA512_Final( tmp, &ctx);
189 		} while (--Lcount);
190 		SHA512_Init( &ctx );
191 		SHA512_Update( &ctx, tmp, len);
192 		SHA512_Final( (unsigned char *) crypt_key[index], &ctx);
193 #endif
194 	}
195 	return count;
196 }
197 
198 #define COMMON_GET_HASH_VAR crypt_key
199 #include "common-get-hash.h"
200 
201 struct fmt_main fmt_drupal7 = {
202 	{
203 		FORMAT_LABEL,
204 		FORMAT_NAME,
205 		ALGORITHM_NAME,
206 		BENCHMARK_COMMENT,
207 		BENCHMARK_LENGTH,
208 		0,
209 		PLAINTEXT_LENGTH,
210 		BINARY_SIZE,
211 		BINARY_ALIGN,
212 		// true salt is SALT_SIZE but we add the loop count
213 		SALT_SIZE + 1,
214 		SALT_ALIGN,
215 		MIN_KEYS_PER_CRYPT,
216 		MAX_KEYS_PER_CRYPT,
217 		FMT_CASE | FMT_8_BIT | FMT_OMP,
218 		{
219 			"iteration count",
220 		},
221 		{ FORMAT_TAG },
222 		tests
223 	}, {
224 		init,
225 		done,
226 		fmt_default_reset,
227 		fmt_default_prepare,
228 		valid,
229 		fmt_default_split,
230 		get_binary,
231 		get_salt,
232 		{
233 			iteration_count,
234 		},
235 		fmt_default_source,
236 		{
237 			fmt_default_binary_hash_0,
238 			fmt_default_binary_hash_1,
239 			fmt_default_binary_hash_2,
240 			fmt_default_binary_hash_3,
241 			fmt_default_binary_hash_4,
242 			fmt_default_binary_hash_5,
243 			fmt_default_binary_hash_6
244 		},
245 		salt_hash,
246 		NULL,
247 		set_salt,
248 		set_key,
249 		get_key,
250 		fmt_default_clear_keys,
251 		crypt_all,
252 		{
253 #define COMMON_GET_HASH_LINK
254 #include "common-get-hash.h"
255 		},
256 		cmp_all,
257 		cmp_one,
258 		cmp_exact
259 	}
260 };
261 
262 #endif /* plugin stanza */
263