From 466ea8eabacc7b881a73a476e8797bbefe4d13db Mon Sep 17 00:00:00 2001
From: Jens Steube
Date: Fri, 31 Aug 2018 15:47:48 +0200
Subject: [PATCH] Fixed detection of unique ESSID in WPA-PMKID-* parser
---
OpenCL/m16800-pure.cl | 13 ++++++++++++-
OpenCL/m16801-pure.cl | 8 +++++++-
src/interface.c | 6 ++++--
src/opencl.c | 16 ++++++++++++++++
src/selftest.c | 9 +++++++++
5 files changed, 48 insertions(+), 4 deletions(-)
diff --git a/OpenCL/m16800-pure.cl b/OpenCL/m16800-pure.cl
index 9d13e669a..33cbd83f2 100644
--- a/OpenCL/m16800-pure.cl
+++ b/OpenCL/m16800-pure.cl
@@ -210,6 +210,11 @@ __kernel void m16800_loop (__global pw_t *pws, __global const kernel_rule_t *rul
 }
 __kernel void m16800_comp (__global pw_t *pws, __global const kernel_rule_t *rules_buf, __global const pw_t *combs_buf, __global const bf_t *bfs_buf, __global wpa_pbkdf2_tmp_t *tmps, __global void *hooks, __global const u32 *bitmaps_buf_s1_a, __global const u32 *bitmaps_buf_s1_b, __global const u32 *bitmaps_buf_s1_c, __global const u32 *bitmaps_buf_s1_d, __global const u32 *bitmaps_buf_s2_a, __global const u32 *bitmaps_buf_s2_b, __global const u32 *bitmaps_buf_s2_c, __global const u32 *bitmaps_buf_s2_d, __global plain_t *plains_buf, __global const digest_t *digests_buf, __global u32 *hashes_shown, __global const salt_t *salt_bufs, __global const wpa_pmkid_t *wpa_pmkid_bufs, __global u32 *d_return_buf, __global u32 *d_scryptV0_buf, __global u32 *d_scryptV1_buf, __global u32 *d_scryptV2_buf, __global u32 *d_scryptV3_buf, const u32 bitmap_mask, const u32 bitmap_shift1, const u32 bitmap_shift2, const u32 salt_pos, const u32 loop_pos, const u32 loop_cnt, const u32 il_cnt, const u32 digests_cnt, const u32 digests_offset, const u32 combs_mode, const u64 gid_max)
+{
+ // not in use here, special case...
+}
+
+__kernel void m16800_aux1 (__global pw_t *pws, __global const kernel_rule_t *rules_buf, __global const pw_t *combs_buf, __global const bf_t *bfs_buf, __global wpa_pbkdf2_tmp_t *tmps, __global void *hooks, __global const u32 *bitmaps_buf_s1_a, __global const u32 *bitmaps_buf_s1_b, __global const u32 *bitmaps_buf_s1_c, __global const u32 *bitmaps_buf_s1_d, __global const u32 *bitmaps_buf_s2_a, __global const u32 *bitmaps_buf_s2_b, __global const u32 *bitmaps_buf_s2_c, __global const u32 *bitmaps_buf_s2_d, __global plain_t *plains_buf, __global const digest_t *digests_buf, __global u32 *hashes_shown, __global const salt_t *salt_bufs, __global const wpa_pmkid_t *wpa_pmkid_bufs, __global u32 *d_return_buf, __global u32 *d_scryptV0_buf, __global u32 *d_scryptV1_buf, __global u32 *d_scryptV2_buf, __global u32 *d_scryptV3_buf, const u32 bitmap_mask, const u32 bitmap_shift1, const u32 bitmap_shift2, const u32 salt_pos, const u32 loop_pos, const u32 loop_cnt, const u32 il_cnt, const u32 digests_cnt, const u32 digests_offset, const u32 combs_mode, const u64 gid_max)
 {
 const u64 gid = get_global_id (0);
 const u64 lid = get_local_id (0);
@@ -235,11 +240,17 @@ __kernel void m16800_comp (__global pw_t *pws, __global const kernel_rule_t *rul
 w[14] = 0;
 w[15] = 0;
+ const u32 digest_pos = loop_pos;
+
+ const u32 digest_cur = digests_offset + digest_pos;
+
+ __global const wpa_pmkid_t *wpa_pmkid = &wpa_pmkid_bufs[digest_cur];
+
 sha1_hmac_ctx_t sha1_hmac_ctx;
 sha1_hmac_init (&sha1_hmac_ctx, w, 32);
- sha1_hmac_update_global_swap (&sha1_hmac_ctx, wpa_pmkid_bufs[digests_offset].pmkid_data, 20);
+ sha1_hmac_update_global_swap (&sha1_hmac_ctx, wpa_pmkid->pmkid_data, 20);
 sha1_hmac_final (&sha1_hmac_ctx);
diff --git a/OpenCL/m16801-pure.cl b/OpenCL/m16801-pure.cl
index 1ad301f97..85c5334bc 100644
--- a/OpenCL/m16801-pure.cl
+++ b/OpenCL/m16801-pure.cl
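Review bot: The comment left in the now-empty m16800_comp body, `// not in use here, special case...`, does not tell a reader where the comparison went or why the kernel still has to exist. I would replace it with `// comp is intentionally empty: the comparison runs in m16800_aux1, which the host launches once per PMKID of the salt with loop_pos carrying the PMKID index (see choose_kernel)`. Whether the empty entry point must remain for the kernel loader is not visible in this diff, so that part is best confirmed before wording the comment.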
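Review bot: `const u32 digest_pos = loop_pos;` silently repurposes the loop_pos kernel argument as an index into wpa_pmkid_bufs, and nothing in the kernel bounds it; the only guard is the host loop in choose_kernel, and selftest passes 0/1 by hand. A one-line guard before the pointer is taken, `if (digest_pos >= digests_cnt) return;`, would make the kernel safe on its own, assuming the host sets digests_cnt to the same per-salt count it loops over and no work-group barrier follows (the rest of the kernel body is outside the hunk), together with a comment `// loop_pos carries the PMKID index within this salt (host: choose_kernel)`. The identical three added lines in the m16801_comp hunk of OpenCL/m16801-pure.cl should get the same treatment. The enclosing kernel starts above and continues below this hunk.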
@@ -110,11 +110,17 @@ __kernel void m16801_comp (__global pw_t *pws, __global const kernel_rule_t *rul
 w[14] = 0;
 w[15] = 0;
+ const u32 digest_pos = loop_pos;
+
+ const u32 digest_cur = digests_offset + digest_pos;
+
+ __global const wpa_pmkid_t *wpa_pmkid = &wpa_pmkid_bufs[digest_cur];
+
 sha1_hmac_ctx_t sha1_hmac_ctx;
 sha1_hmac_init (&sha1_hmac_ctx, w, 32);
- sha1_hmac_update_global_swap (&sha1_hmac_ctx, wpa_pmkid_bufs[digests_offset].pmkid_data, 20);
+ sha1_hmac_update_global_swap (&sha1_hmac_ctx, wpa_pmkid->pmkid_data, 20);
 sha1_hmac_final (&sha1_hmac_ctx);
diff --git a/src/interface.c b/src/interface.c
index 52ef6a37a..c39d81448 100644
--- a/src/interface.c
+++ b/src/interface.c
@@ -27214,7 +27214,8 @@ int hashconfig_init (hashcat_ctx_t *hashcat_ctx)
 case 16800: hashconfig->hash_type = HASH_TYPE_WPA_PMKID_PBKDF2;
 hashconfig->salt_type = SALT_TYPE_EMBEDDED;
 hashconfig->attack_exec = ATTACK_EXEC_OUTSIDE_KERNEL;
- hashconfig->opts_type = OPTS_TYPE_PT_GENERATE_LE;
+ hashconfig->opts_type = OPTS_TYPE_PT_GENERATE_LE
+ | OPTS_TYPE_AUX1;
 hashconfig->kern_type = KERN_TYPE_WPA_PMKID_PBKDF2;
 hashconfig->dgst_size = DGST_SIZE_4_4;
 hashconfig->parse_func = wpa_pmkid_pbkdf2_parse_hash;
@@ -27231,7 +27232,8 @@ int hashconfig_init (hashcat_ctx_t *hashcat_ctx)
 case 16801: hashconfig->hash_type = HASH_TYPE_WPA_PMKID_PMK;
 hashconfig->salt_type = SALT_TYPE_EMBEDDED;
 hashconfig->attack_exec = ATTACK_EXEC_OUTSIDE_KERNEL;
- hashconfig->opts_type = OPTS_TYPE_PT_GENERATE_LE;
+ hashconfig->opts_type = OPTS_TYPE_PT_GENERATE_LE
+ | OPTS_TYPE_AUX1;
 hashconfig->kern_type = KERN_TYPE_WPA_PMKID_PMK;
 hashconfig->dgst_size = DGST_SIZE_4_4;
 hashconfig->parse_func = wpa_pmkid_pmk_parse_hash;
diff --git a/src/opencl.c b/src/opencl.c
index 8c1e598c5..8e10a5f87 100644
--- a/src/opencl.c
+++ b/src/opencl.c
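Review bot: The added `| OPTS_TYPE_AUX1` in the 16800 case (and identically in the 16801 case in the next hunk) carries no explanation of what the flag buys these two modes, and nothing else in this diff reads it, so a reader has to go hunting. I would attach `// comparison runs in the aux1 kernel, once per PMKID of the salt; see choose_kernel in src/opencl.c` to the assignment, written once and referenced from the 16801 case. What consumes the flag outside this diff, presumably the kernel loader building an aux1 entry point, is not visible here.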
@@ -1440,6 +1440,22 @@ int choose_kernel (hashcat_ctx_t *hashcat_ctx, hc_device_param_t *device_param,
 if (status_ctx->run_thread_level2 == false) break;
 }
 }
+ else if ((hashconfig->hash_mode == 16800) || (hashconfig->hash_mode == 16801))
+ {
+ const u32 loops_cnt = hashes->salts_buf[salt_pos].digests_cnt;
+
+ for (u32 loops_pos = 0; loops_pos < loops_cnt; loops_pos++)
+ {
+ device_param->kernel_params_buf32[28] = loops_pos;
+ device_param->kernel_params_buf32[29] = loops_cnt;
+
+ CL_rc = run_kernel (hashcat_ctx, device_param, KERN_RUN_AUX1, pws_cnt, false, 0);
+
+ if (CL_rc == -1) return -1;
+
+ if (status_ctx->run_thread_level2 == false) break;
+ }
+ }
 else
 {
 CL_rc = run_kernel (hashcat_ctx, device_param, KERN_RUN_3, pws_cnt, false, 0);
diff --git a/src/selftest.c b/src/selftest.c
index 76af4d4ad..935f4a0f2 100644
--- a/src/selftest.c
+++ b/src/selftest.c
@@ -432,6 +432,15 @@ static int selftest (hashcat_ctx_t *hashcat_ctx, hc_device_param_t *device_param
 if (CL_rc == -1) return -1;
 }
+ else if ((hashconfig->hash_mode == 16800) || (hashconfig->hash_mode == 16801))
+ {
+ device_param->kernel_params_buf32[28] = 0;
+ device_param->kernel_params_buf32[29] = 1;
+
+ CL_rc = run_kernel (hashcat_ctx, device_param, KERN_RUN_AUX1, 1, false, 0);
+
+ if (CL_rc == -1) return -1;
+ }
 else
 {
 CL_rc = run_kernel (hashcat_ctx, device_param, KERN_RUN_3, 1, false, 0);
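Review bot: The new branch in choose_kernel keys on `(hashconfig->hash_mode == 16800) || (hashconfig->hash_mode == 16801)` even though the same commit adds `OPTS_TYPE_AUX1` to exactly these two modes in hashconfig_init; testing `hashconfig->opts_type & OPTS_TYPE_AUX1` instead keeps the dispatcher in step with the config and spares the next mode that needs a per-digest pass from editing this file. The selftest hunk in src/selftest.c hard-codes the same pair and the same one-line change applies there. The indices 28 and 29 are bare magic numbers; if kernel_params_buf32 follows the kernel argument order, as counting the aux1 signature suggests, they are the loop_pos and loop_cnt slots, and a comment `// buf32[28]/[29] = loop_pos/loop_cnt: aux1 reads loop_pos as the PMKID index within the salt` would save the reader that count. The enclosing if/else chain starts above the hunk.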