source: releases/0.12.0/lib/regfi.c @ 289

Last change on this file since 289 was 179, checked in by tim, 15 years ago

fixed a bug in time validation that improves recovery rates

  • Property svn:keywords set to Id
File size: 89.6 KB
RevLine 
[30]1/*
[169]2 * Copyright (C) 2005-2010 Timothy D. Morgan
[30]3 * Copyright (C) 2005 Gerald (Jerry) Carter
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
[111]7 * the Free Software Foundation; version 3 of the License.
[30]8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
[161]16 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
[30]17 *
18 * $Id: regfi.c 179 2010-03-13 18:00:15Z tim $
19 */
20
[169]21/**
22 * @file
23 *
24 * Windows NT (and later) read-only registry library
25 *
26 * See @ref regfi.h for more information.
27 *
28 * Branched from Samba project Subversion repository, version #7470:
29 *   http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/registry/regfio.c?rev=7470&view=auto
30 *
31 * Since then, it has been heavily rewritten, simplified, and improved.
32 */
[168]33
[147]34#include "regfi.h"
[30]35
36
[32]37/* Registry types mapping */
[78]38const unsigned int regfi_num_reg_types = 12;
39static const char* regfi_type_names[] =
[65]40  {"NONE", "SZ", "EXPAND_SZ", "BINARY", "DWORD", "DWORD_BE", "LINK",
[72]41   "MULTI_SZ", "RSRC_LIST", "RSRC_DESC", "RSRC_REQ_LIST", "QWORD"};
[30]42
[161]43const char* regfi_encoding_names[] =
44  {"US-ASCII//TRANSLIT", "UTF-8//TRANSLIT", "UTF-16LE//TRANSLIT"};
[32]45
[135]46
47/******************************************************************************
48 ******************************************************************************/
[168]49void regfi_add_message(REGFI_FILE* file, uint16_t msg_type, const char* fmt, ...)
[135]50{
[136]51  /* XXX: This function is not particularly efficient,
[135]52   *      but then it is mostly used during errors.
53   */
[168]54  uint32_t buf_size, buf_used;
[136]55  char* new_msg;
56  va_list args;
[135]57
[138]58  if((file->msg_mask & msg_type) != 0)
59  {
60    if(file->last_message == NULL)
61      buf_used = 0;
62    else
63      buf_used = strlen(file->last_message);
64   
65    buf_size = buf_used+strlen(fmt)+160;
66    new_msg = realloc(file->last_message, buf_size);
67    if(new_msg == NULL)
68      /* XXX: should we report this? */
69      return;
[135]70
[138]71    switch (msg_type)
72    {
73    case REGFI_MSG_INFO:
74      strcpy(new_msg+buf_used, "INFO: ");
75      buf_used += 6;
76      break;
77    case REGFI_MSG_WARN:
78      strcpy(new_msg+buf_used, "WARN: ");
79      buf_used += 6;
80      break;
81    case REGFI_MSG_ERROR:
82      strcpy(new_msg+buf_used, "ERROR: ");
83      buf_used += 7;
84      break;
85    }
[136]86
[138]87    va_start(args, fmt);
88    vsnprintf(new_msg+buf_used, buf_size-buf_used, fmt, args);
89    va_end(args);
90    strncat(new_msg, "\n", buf_size-1);
91   
92    file->last_message = new_msg;
93  }
[135]94}
95
96
97/******************************************************************************
98 ******************************************************************************/
[136]99char* regfi_get_messages(REGFI_FILE* file)
[135]100{
101  char* ret_val = file->last_message;
102  file->last_message = NULL;
103
104  return ret_val;
105}
106
107
[168]108void regfi_set_message_mask(REGFI_FILE* file, uint16_t mask)
[138]109{
110  file->msg_mask = mask;
111}
112
113
[161]114/******************************************************************************
115 * Returns NULL for an invalid e
116 *****************************************************************************/
117static const char* regfi_encoding_int2str(REGFI_ENCODING e)
118{
119  if(e < REGFI_NUM_ENCODINGS)
120    return regfi_encoding_names[e];
121
122  return NULL;
123}
124
125
126/******************************************************************************
127 * Returns NULL for an invalid val
128 *****************************************************************************/
[78]129const char* regfi_type_val2str(unsigned int val)
[32]130{
[61]131  if(val == REG_KEY)
132    return "KEY";
133 
[78]134  if(val >= regfi_num_reg_types)
[61]135    return NULL;
136 
[78]137  return regfi_type_names[val];
[32]138}
139
140
[161]141/******************************************************************************
142 * Returns -1 on error
143 *****************************************************************************/
[78]144int regfi_type_str2val(const char* str)
[32]145{
146  int i;
147
[61]148  if(strcmp("KEY", str) == 0)
149    return REG_KEY;
[32]150
[78]151  for(i=0; i < regfi_num_reg_types; i++)
152    if (strcmp(regfi_type_names[i], str) == 0) 
[61]153      return i;
154
155  if(strcmp("DWORD_LE", str) == 0)
156    return REG_DWORD_LE;
157
158  return -1;
[32]159}
160
161
[135]162/* Security descriptor formatting functions  */
[53]163
[168]164const char* regfi_ace_type2str(uint8_t type)
[53]165{
166  static const char* map[7] 
167    = {"ALLOW", "DENY", "AUDIT", "ALARM", 
168       "ALLOW CPD", "OBJ ALLOW", "OBJ DENY"};
169  if(type < 7)
170    return map[type];
171  else
172    /* XXX: would be nice to return the unknown integer value. 
173     *      However, as it is a const string, it can't be free()ed later on,
174     *      so that would need to change.
175     */
176    return "UNKNOWN";
177}
178
179
[76]180/* XXX: need a better reference on the meaning of each flag. */
181/* For more info, see:
182 *   http://msdn2.microsoft.com/en-us/library/aa772242.aspx
183 */
[168]184char* regfi_ace_flags2str(uint8_t flags)
[53]185{
[76]186  static const char* flag_map[32] = 
[87]187    { "OI", /* Object Inherit */
188      "CI", /* Container Inherit */
189      "NP", /* Non-Propagate */
190      "IO", /* Inherit Only */
191      "IA", /* Inherited ACE */
[76]192      NULL,
193      NULL,
194      NULL,
195    };
[53]196
[76]197  char* ret_val = malloc(35*sizeof(char));
198  char* fo = ret_val;
[168]199  uint32_t i;
200  uint8_t f;
[76]201
202  if(ret_val == NULL)
[53]203    return NULL;
204
[76]205  fo[0] = '\0';
[53]206  if (!flags)
[76]207    return ret_val;
[53]208
[76]209  for(i=0; i < 8; i++)
210  {
211    f = (1<<i);
212    if((flags & f) && (flag_map[i] != NULL))
213    {
214      strcpy(fo, flag_map[i]);
215      fo += strlen(flag_map[i]);
216      *(fo++) = ' ';
217      flags ^= f;
218    }
[53]219  }
[76]220 
221  /* Any remaining unknown flags are added at the end in hex. */
222  if(flags != 0)
223    sprintf(fo, "0x%.2X ", flags);
224
225  /* Chop off the last space if we've written anything to ret_val */
226  if(fo != ret_val)
227    fo[-1] = '\0';
228
229  return ret_val;
[53]230}
231
232
[168]233char* regfi_ace_perms2str(uint32_t perms)
[53]234{
[168]235  uint32_t i, p;
[76]236  /* This is more than is needed by a fair margin. */
237  char* ret_val = malloc(350*sizeof(char));
238  char* r = ret_val;
239
240  /* Each represents one of 32 permissions bits.  NULL is for undefined/reserved bits.
241   * For more information, see:
242   *   http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
243   *   http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
244   */
245  static const char* perm_map[32] = 
246    {/* object-specific permissions (registry keys, in this case) */
247      "QRY_VAL",       /* KEY_QUERY_VALUE */
248      "SET_VAL",       /* KEY_SET_VALUE */
249      "CREATE_KEY",    /* KEY_CREATE_SUB_KEY */
250      "ENUM_KEYS",     /* KEY_ENUMERATE_SUB_KEYS */
251      "NOTIFY",        /* KEY_NOTIFY */
252      "CREATE_LNK",    /* KEY_CREATE_LINK - Reserved for system use. */
253      NULL,
254      NULL,
255      "WOW64_64",      /* KEY_WOW64_64KEY */
256      "WOW64_32",      /* KEY_WOW64_32KEY */
257      NULL,
258      NULL,
259      NULL,
260      NULL,
261      NULL,
262      NULL,
263      /* standard access rights */
264      "DELETE",        /* DELETE */
265      "R_CONT",        /* READ_CONTROL */
266      "W_DAC",         /* WRITE_DAC */
267      "W_OWNER",       /* WRITE_OWNER */
268      "SYNC",          /* SYNCHRONIZE - Shouldn't be set in registries */
269      NULL,
270      NULL,
271      NULL,
272      /* other generic */
273      "SYS_SEC",       /* ACCESS_SYSTEM_SECURITY */
274      "MAX_ALLWD",     /* MAXIMUM_ALLOWED */
275      NULL,
276      NULL,
277      "GEN_A",         /* GENERIC_ALL */
278      "GEN_X",         /* GENERIC_EXECUTE */
279      "GEN_W",         /* GENERIC_WRITE */
280      "GEN_R",         /* GENERIC_READ */
281    };
282
283
[53]284  if(ret_val == NULL)
285    return NULL;
286
[76]287  r[0] = '\0';
288  for(i=0; i < 32; i++)
289  {
290    p = (1<<i);
291    if((perms & p) && (perm_map[i] != NULL))
292    {
293      strcpy(r, perm_map[i]);
294      r += strlen(perm_map[i]);
295      *(r++) = ' ';
296      perms ^= p;
297    }
298  }
299 
300  /* Any remaining unknown permission bits are added at the end in hex. */
301  if(perms != 0)
302    sprintf(r, "0x%.8X ", perms);
[53]303
[76]304  /* Chop off the last space if we've written anything to ret_val */
305  if(r != ret_val)
306    r[-1] = '\0';
307
[53]308  return ret_val;
309}
310
311
[134]312char* regfi_sid2str(WINSEC_DOM_SID* sid)
[53]313{
[168]314  uint32_t i, size = WINSEC_MAX_SUBAUTHS*11 + 24;
315  uint32_t left = size;
316  uint8_t comps = sid->num_auths;
[53]317  char* ret_val = malloc(size);
318 
319  if(ret_val == NULL)
320    return NULL;
321
[134]322  if(comps > WINSEC_MAX_SUBAUTHS)
323    comps = WINSEC_MAX_SUBAUTHS;
[53]324
325  left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]);
326
327  for (i = 0; i < comps; i++) 
328    left -= snprintf(ret_val+(size-left), left, "-%u", sid->sub_auths[i]);
329
330  return ret_val;
331}
332
333
[134]334char* regfi_get_acl(WINSEC_ACL* acl)
[53]335{
[168]336  uint32_t i, extra, size = 0;
[53]337  const char* type_str;
338  char* flags_str;
339  char* perms_str;
340  char* sid_str;
[61]341  char* ace_delim = "";
[53]342  char* ret_val = NULL;
[61]343  char* tmp_val = NULL;
344  bool failed = false;
[53]345  char field_delim = ':';
346
[61]347  for (i = 0; i < acl->num_aces && !failed; i++)
[53]348  {
[134]349    sid_str = regfi_sid2str(acl->aces[i]->trustee);
350    type_str = regfi_ace_type2str(acl->aces[i]->type);
351    perms_str = regfi_ace_perms2str(acl->aces[i]->access_mask);
352    flags_str = regfi_ace_flags2str(acl->aces[i]->flags);
[53]353   
[61]354    if(flags_str != NULL && perms_str != NULL 
355       && type_str != NULL && sid_str != NULL)
356    {
357      /* XXX: this is slow */
358      extra = strlen(sid_str) + strlen(type_str) 
[136]359        + strlen(perms_str) + strlen(flags_str) + 5;
[61]360      tmp_val = realloc(ret_val, size+extra);
[53]361
[61]362      if(tmp_val == NULL)
363      {
364        free(ret_val);
[136]365        ret_val = NULL;
[61]366        failed = true;
367      }
368      else
369      {
370        ret_val = tmp_val;
[148]371        size += sprintf(ret_val+size, "%s%s%c%s%c%s%c%s",
372                        ace_delim,sid_str,
373                        field_delim,type_str,
374                        field_delim,perms_str,
375                        field_delim,flags_str);
[61]376        ace_delim = "|";
377      }
378    }
379    else
380      failed = true;
381
382    if(sid_str != NULL)
383      free(sid_str);
384    if(sid_str != NULL)
385      free(perms_str);
386    if(sid_str != NULL)
387      free(flags_str);
[53]388  }
389
390  return ret_val;
391}
392
393
[134]394char* regfi_get_sacl(WINSEC_DESC *sec_desc)
[53]395{
396  if (sec_desc->sacl)
[78]397    return regfi_get_acl(sec_desc->sacl);
[53]398  else
399    return NULL;
400}
401
402
[134]403char* regfi_get_dacl(WINSEC_DESC *sec_desc)
[53]404{
405  if (sec_desc->dacl)
[78]406    return regfi_get_acl(sec_desc->dacl);
[53]407  else
408    return NULL;
409}
410
411
[134]412char* regfi_get_owner(WINSEC_DESC *sec_desc)
[53]413{
[78]414  return regfi_sid2str(sec_desc->owner_sid);
[53]415}
416
417
[134]418char* regfi_get_group(WINSEC_DESC *sec_desc)
[53]419{
[78]420  return regfi_sid2str(sec_desc->grp_sid);
[53]421}
422
423
[101]424/*****************************************************************************
425 * This function is just like read(2), except that it continues to
426 * re-try reading from the file descriptor if EINTR or EAGAIN is received. 
427 * regfi_read will attempt to read length bytes from fd and write them to buf.
428 *
429 * On success, 0 is returned.  Upon failure, an errno code is returned.
430 *
431 * The number of bytes successfully read is returned through the length
432 * parameter by reference.  If both the return value and length parameter are
433 * returned as 0, then EOF was encountered immediately
434 *****************************************************************************/
[168]435uint32_t regfi_read(int fd, uint8_t* buf, uint32_t* length)
[101]436{
[168]437  uint32_t rsize = 0;
438  uint32_t rret = 0;
[101]439
440  do
441  {
442    rret = read(fd, buf + rsize, *length - rsize);
443    if(rret > 0)
444      rsize += rret;
445  }while(*length - rsize > 0 
446         && (rret > 0 || (rret == -1 && (errno == EAGAIN || errno == EINTR))));
447 
448  *length = rsize;
449  if (rret == -1 && errno != EINTR && errno != EAGAIN)
450    return errno;
451
452  return 0;
453}
454
455
456/*****************************************************************************
457 *
458 *****************************************************************************/
[168]459bool regfi_parse_cell(int fd, uint32_t offset, uint8_t* hdr, uint32_t hdr_len,
460                      uint32_t* cell_length, bool* unalloc)
[101]461{
[168]462  uint32_t length;
463  int32_t raw_length;
464  uint8_t tmp[4];
[101]465
466  if(lseek(fd, offset, SEEK_SET) == -1)
467    return false;
468
469  length = 4;
470  if((regfi_read(fd, tmp, &length) != 0) || length != 4)
471    return false;
472  raw_length = IVALS(tmp, 0);
473
474  if(raw_length < 0)
475  {
476    (*cell_length) = raw_length*(-1);
477    (*unalloc) = false;
478  }
479  else
480  {
481    (*cell_length) = raw_length;
482    (*unalloc) = true;
483  }
484
[103]485  if(*cell_length - 4 < hdr_len)
486    return false;
487
488  if(hdr_len > 0)
489  {
490    length = hdr_len;
491    if((regfi_read(fd, hdr, &length) != 0) || length != hdr_len)
492      return false;
493  }
494
[101]495  return true;
496}
497
498
[157]499/******************************************************************************
[106]500 * Given an offset and an hbin, is the offset within that hbin?
501 * The offset is a virtual file offset.
[157]502 ******************************************************************************/
[168]503static bool regfi_offset_in_hbin(const REGFI_HBIN* hbin, uint32_t voffset)
[30]504{
[106]505  if(!hbin)
[31]506    return false;
[106]507
[145]508  if((voffset > hbin->first_hbin_off) 
509     && (voffset < (hbin->first_hbin_off + hbin->block_size)))
[31]510    return true;
[30]511               
[31]512  return false;
[30]513}
514
515
[106]516
[157]517/******************************************************************************
518 * Provide a physical offset and receive the correpsonding HBIN
[106]519 * block for it.  NULL if one doesn't exist.
[157]520 ******************************************************************************/
[168]521const REGFI_HBIN* regfi_lookup_hbin(REGFI_FILE* file, uint32_t offset)
[30]522{
[157]523  return (const REGFI_HBIN*)range_list_find_data(file->hbins, offset);
[30]524}
525
526
[157]527/******************************************************************************
528 * Calculate the largest possible cell size given a physical offset.
529 * Largest size is based on the HBIN the offset is currently a member of.
530 * Returns negative values on error.
531 * (Since cells can only be ~2^31 in size, this works out.)
532 ******************************************************************************/
[168]533int32_t regfi_calc_maxsize(REGFI_FILE* file, uint32_t offset)
[157]534{
535  const REGFI_HBIN* hbin = regfi_lookup_hbin(file, offset);
536  if(hbin == NULL)
537    return -1;
[139]538
[157]539  return (hbin->block_size + hbin->file_off) - offset;
540}
541
542
[139]543/******************************************************************************
544 ******************************************************************************/
[168]545REGFI_SUBKEY_LIST* regfi_load_subkeylist(REGFI_FILE* file, uint32_t offset, 
546                                         uint32_t num_keys, uint32_t max_size, 
[139]547                                         bool strict)
[127]548{
[135]549  REGFI_SUBKEY_LIST* ret_val;
[134]550
[139]551  ret_val = regfi_load_subkeylist_aux(file, offset, max_size, strict, 
552                                      REGFI_MAX_SUBKEY_DEPTH);
[143]553  if(ret_val == NULL)
554  {
555    regfi_add_message(file, REGFI_MSG_WARN, "Failed to load subkey list at"
556                      " offset 0x%.8X.", offset);
557    return NULL;
558  }
[139]559
560  if(num_keys != ret_val->num_keys)
561  {
562    /*  Not sure which should be authoritative, the number from the
563     *  NK record, or the number in the subkey list.  Just emit a warning for
564     *  now if they don't match.
565     */
566    regfi_add_message(file, REGFI_MSG_WARN, "Number of subkeys listed in parent"
567                      " (%d) did not match number found in subkey list/tree (%d)"
568                      " while parsing subkey list/tree at offset 0x%.8X.", 
569                      num_keys, ret_val->num_keys, offset);
570  }
571
572  return ret_val;
573}
574
575
576/******************************************************************************
577 ******************************************************************************/
[168]578REGFI_SUBKEY_LIST* regfi_load_subkeylist_aux(REGFI_FILE* file, uint32_t offset, 
579                                             uint32_t max_size, bool strict,
580                                             uint8_t depth_left)
[139]581{
582  REGFI_SUBKEY_LIST* ret_val;
583  REGFI_SUBKEY_LIST** sublists;
[168]584  uint32_t i, num_sublists, off;
585  int32_t sublist_maxsize;
[139]586
587  if(depth_left == 0)
588  {
589    regfi_add_message(file, REGFI_MSG_WARN, "Maximum depth reached"
590                      " while parsing subkey list/tree at offset 0x%.8X.", 
591                      offset);
[127]592    return NULL;
[139]593  }
[134]594
[139]595  ret_val = regfi_parse_subkeylist(file, offset, max_size, strict);
[134]596  if(ret_val == NULL)
597    return NULL;
[139]598
599  if(ret_val->recursive_type)
[127]600  {
[139]601    num_sublists = ret_val->num_children;
[150]602    sublists = (REGFI_SUBKEY_LIST**)malloc(num_sublists
[139]603                                           * sizeof(REGFI_SUBKEY_LIST*));
604    for(i=0; i < num_sublists; i++)
[127]605    {
[139]606      off = ret_val->elements[i].offset + REGFI_REGF_SIZE;
[157]607
608      sublist_maxsize = regfi_calc_maxsize(file, off);
609      if(sublist_maxsize < 0)
[139]610        sublists[i] = NULL;
611      else
[157]612        sublists[i] = regfi_load_subkeylist_aux(file, off, sublist_maxsize, 
613                                                strict, depth_left-1);
[127]614    }
[150]615    talloc_free(ret_val);
[134]616
[139]617    return regfi_merge_subkeylists(num_sublists, sublists, strict);
[127]618  }
[30]619
[127]620  return ret_val;
621}
622
623
[139]624/******************************************************************************
625 ******************************************************************************/
[168]626REGFI_SUBKEY_LIST* regfi_parse_subkeylist(REGFI_FILE* file, uint32_t offset, 
627                                          uint32_t max_size, bool strict)
[30]628{
[135]629  REGFI_SUBKEY_LIST* ret_val;
[168]630  uint32_t i, cell_length, length, elem_size, read_len;
631  uint8_t* elements = NULL;
632  uint8_t buf[REGFI_SUBKEY_LIST_MIN_LEN];
[104]633  bool unalloc;
[139]634  bool recursive_type;
[30]635
[127]636  if(!regfi_parse_cell(file->fd, offset, buf, REGFI_SUBKEY_LIST_MIN_LEN, 
[104]637                       &cell_length, &unalloc))
[139]638  {
639    regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while "
640                      "parsing subkey-list at offset 0x%.8X.", offset);
[104]641    return NULL;
[139]642  }
[30]643
[116]644  if(cell_length > max_size)
645  {
[139]646    regfi_add_message(file, REGFI_MSG_WARN, "Cell size longer than max_size"
647                      " while parsing subkey-list at offset 0x%.8X.", offset);
[116]648    if(strict)
649      return NULL;
650    cell_length = max_size & 0xFFFFFFF8;
651  }
[30]652
[139]653  recursive_type = false;
[127]654  if(buf[0] == 'r' && buf[1] == 'i')
[104]655  {
[139]656    recursive_type = true;
[168]657    elem_size = sizeof(uint32_t);
[104]658  }
[139]659  else if(buf[0] == 'l' && buf[1] == 'i')
[168]660    elem_size = sizeof(uint32_t);
[134]661  else if((buf[0] == 'l') && (buf[1] == 'f' || buf[1] == 'h'))
[135]662    elem_size = sizeof(REGFI_SUBKEY_LIST_ELEM);
[134]663  else
664  {
[139]665    regfi_add_message(file, REGFI_MSG_ERROR, "Unknown magic number"
666                      " (0x%.2X, 0x%.2X) encountered while parsing"
667                      " subkey-list at offset 0x%.8X.", buf[0], buf[1], offset);
[134]668    return NULL;
669  }
670
[150]671  ret_val = talloc(NULL, REGFI_SUBKEY_LIST);
[127]672  if(ret_val == NULL)
673    return NULL;
674
675  ret_val->offset = offset;
676  ret_val->cell_size = cell_length;
[104]677  ret_val->magic[0] = buf[0];
678  ret_val->magic[1] = buf[1];
[139]679  ret_val->recursive_type = recursive_type;
680  ret_val->num_children = SVAL(buf, 0x2);
[101]681
[139]682  if(!recursive_type)
683    ret_val->num_keys = ret_val->num_children;
[101]684
[139]685  length = elem_size*ret_val->num_children;
[168]686  if(cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32_t) < length)
[134]687  {
[139]688    regfi_add_message(file, REGFI_MSG_WARN, "Number of elements too large for"
689                      " cell while parsing subkey-list at offset 0x%.8X.", 
690                      offset);
691    if(strict)
[150]692      goto fail;
[168]693    length = cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32_t);
[134]694  }
[30]695
[150]696  ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM, 
697                                   ret_val->num_children);
[127]698  if(ret_val->elements == NULL)
[150]699    goto fail;
[30]700
[168]701  elements = (uint8_t*)malloc(length);
[139]702  if(elements == NULL)
[150]703    goto fail;
[30]704
[150]705  read_len = length;
706  if(regfi_read(file->fd, elements, &read_len) != 0 || read_len != length)
707    goto fail;
[30]708
[168]709  if(elem_size == sizeof(uint32_t))
[104]710  {
[139]711    for (i=0; i < ret_val->num_children; i++)
[134]712    {
[139]713      ret_val->elements[i].offset = IVAL(elements, i*elem_size);
[134]714      ret_val->elements[i].hash = 0;
715    }
[104]716  }
[134]717  else
718  {
[139]719    for (i=0; i < ret_val->num_children; i++)
[134]720    {
[139]721      ret_val->elements[i].offset = IVAL(elements, i*elem_size);
722      ret_val->elements[i].hash = IVAL(elements, i*elem_size+4);
[134]723    }
724  }
[139]725  free(elements);
[30]726
[104]727  return ret_val;
[150]728
729 fail:
730  if(elements != NULL)
731    free(elements);
732  talloc_free(ret_val);
733  return NULL;
[30]734}
735
736
[139]737/*******************************************************************
738 *******************************************************************/
[168]739REGFI_SUBKEY_LIST* regfi_merge_subkeylists(uint16_t num_lists, 
[139]740                                           REGFI_SUBKEY_LIST** lists,
741                                           bool strict)
742{
[168]743  uint32_t i,j,k;
[139]744  REGFI_SUBKEY_LIST* ret_val;
[102]745
[139]746  if(lists == NULL)
747    return NULL;
[150]748  ret_val = talloc(NULL, REGFI_SUBKEY_LIST);
[139]749
750  if(ret_val == NULL)
751    return NULL;
752 
753  /* Obtain total number of elements */
754  ret_val->num_keys = 0;
755  for(i=0; i < num_lists; i++)
756  {
757    if(lists[i] != NULL)
758      ret_val->num_keys += lists[i]->num_children;
759  }
760  ret_val->num_children = ret_val->num_keys;
761
762  if(ret_val->num_keys > 0)
763  {
[150]764    ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM,
765                                     ret_val->num_keys);
[139]766    k=0;
767
768    if(ret_val->elements != NULL)
769    {
770      for(i=0; i < num_lists; i++)
771      {
772        if(lists[i] != NULL)
773        {
774          for(j=0; j < lists[i]->num_keys; j++)
775          {
[150]776            ret_val->elements[k].hash = lists[i]->elements[j].hash;
777            ret_val->elements[k++].offset = lists[i]->elements[j].offset;
[139]778          }
779        }
780      }
781    }
782  }
783 
784  for(i=0; i < num_lists; i++)
785    regfi_subkeylist_free(lists[i]);
786  free(lists);
787
788  return ret_val;
789}
790
791
[147]792/******************************************************************************
793 *
794 ******************************************************************************/
[168]795REGFI_SK_REC* regfi_parse_sk(REGFI_FILE* file, uint32_t offset, uint32_t max_size, 
[147]796                             bool strict)
[30]797{
[135]798  REGFI_SK_REC* ret_val;
[168]799  uint8_t* sec_desc_buf = NULL;
800  uint32_t cell_length, length;
801  uint8_t sk_header[REGFI_SK_MIN_LENGTH];
[102]802  bool unalloc = false;
[30]803
[102]804  if(!regfi_parse_cell(file->fd, offset, sk_header, REGFI_SK_MIN_LENGTH,
805                       &cell_length, &unalloc))
[137]806  {
[138]807    regfi_add_message(file, REGFI_MSG_WARN, "Could not parse SK record cell"
[137]808                      " at offset 0x%.8X.", offset);
[102]809    return NULL;
[137]810  }
[102]811   
812  if(sk_header[0] != 's' || sk_header[1] != 'k')
[137]813  {
[138]814    regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch in parsing"
815                      " SK record at offset 0x%.8X.", offset);
[102]816    return NULL;
[137]817  }
818
[147]819  ret_val = talloc(NULL, REGFI_SK_REC);
[102]820  if(ret_val == NULL)
821    return NULL;
[30]822
[102]823  ret_val->offset = offset;
[116]824  /* XXX: Is there a way to be more conservative (shorter) with
825   *      cell length when cell is unallocated?
[111]826   */
[102]827  ret_val->cell_size = cell_length;
[30]828
[102]829  if(ret_val->cell_size > max_size)
830    ret_val->cell_size = max_size & 0xFFFFFFF8;
831  if((ret_val->cell_size < REGFI_SK_MIN_LENGTH) 
[157]832     || (strict && (ret_val->cell_size & 0x00000007) != 0))
[102]833  {
[138]834    regfi_add_message(file, REGFI_MSG_WARN, "Invalid cell size found while"
835                      " parsing SK record at offset 0x%.8X.", offset);
[147]836    goto fail;
[102]837  }
[30]838
[102]839  ret_val->magic[0] = sk_header[0];
840  ret_val->magic[1] = sk_header[1];
[30]841
[102]842  ret_val->unknown_tag = SVAL(sk_header, 0x2);
843  ret_val->prev_sk_off = IVAL(sk_header, 0x4);
844  ret_val->next_sk_off = IVAL(sk_header, 0x8);
845  ret_val->ref_count = IVAL(sk_header, 0xC);
846  ret_val->desc_size = IVAL(sk_header, 0x10);
[30]847
[157]848  if((ret_val->prev_sk_off & 0x00000007) != 0
849     || (ret_val->next_sk_off & 0x00000007) != 0)
[140]850  {
851    regfi_add_message(file, REGFI_MSG_WARN, "SK record's next/previous offsets"
852                      " are not a multiple of 8 while parsing SK record at"
853                      " offset 0x%.8X.", offset);
[147]854    goto fail;
[140]855  }
856
[102]857  if(ret_val->desc_size + REGFI_SK_MIN_LENGTH > ret_val->cell_size)
858  {
[140]859    regfi_add_message(file, REGFI_MSG_WARN, "Security descriptor too large for"
[138]860                      " cell while parsing SK record at offset 0x%.8X.", 
861                      offset);
[147]862    goto fail;
[102]863  }
[30]864
[168]865  sec_desc_buf = (uint8_t*)malloc(ret_val->desc_size);
[147]866  if(sec_desc_buf == NULL)
867    goto fail;
[102]868
[134]869  length = ret_val->desc_size;
870  if(regfi_read(file->fd, sec_desc_buf, &length) != 0 
871     || length != ret_val->desc_size)
872  {
[138]873    regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read security"
874                      " descriptor while parsing SK record at offset 0x%.8X.",
875                      offset);
[147]876    goto fail;
[134]877  }
[102]878
[147]879  if(!(ret_val->sec_desc = winsec_parse_desc(ret_val, sec_desc_buf, 
880                                                   ret_val->desc_size)))
[134]881  {
[138]882    regfi_add_message(file, REGFI_MSG_ERROR, "Failed to parse security"
883                      " descriptor while parsing SK record at offset 0x%.8X.",
884                      offset);
[147]885    goto fail;
[134]886  }
[147]887
[134]888  free(sec_desc_buf);
[147]889  return ret_val;
[134]890
[147]891 fail:
892  if(sec_desc_buf != NULL)
893    free(sec_desc_buf);
894  talloc_free(ret_val);
895  return NULL;
[30]896}
897
898
[168]899REGFI_VALUE_LIST* regfi_parse_valuelist(REGFI_FILE* file, uint32_t offset, 
900                                        uint32_t num_values, bool strict)
[111]901{
[145]902  REGFI_VALUE_LIST* ret_val;
[168]903  uint32_t i, cell_length, length, read_len;
[111]904  bool unalloc;
[30]905
[111]906  if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc))
[137]907  {
[138]908    regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read cell header"
[137]909                      " while parsing value list at offset 0x%.8X.", offset);
[111]910    return NULL;
[137]911  }
[111]912
[157]913  if((cell_length & 0x00000007) != 0)
[111]914  {
[145]915    regfi_add_message(file, REGFI_MSG_WARN, "Cell length not a multiple of 8"
916                      " while parsing value list at offset 0x%.8X.", offset);
[111]917    if(strict)
918      return NULL;
919    cell_length = cell_length & 0xFFFFFFF8;
920  }
[145]921
[168]922  if((num_values * sizeof(uint32_t)) > cell_length-sizeof(uint32_t))
[137]923  {
[140]924    regfi_add_message(file, REGFI_MSG_WARN, "Too many values found"
[137]925                      " while parsing value list at offset 0x%.8X.", offset);
[145]926    if(strict)
927      return NULL;
[168]928    num_values = cell_length/sizeof(uint32_t) - sizeof(uint32_t);
[137]929  }
[111]930
[168]931  read_len = num_values*sizeof(uint32_t);
[150]932  ret_val = talloc(NULL, REGFI_VALUE_LIST);
[111]933  if(ret_val == NULL)
934    return NULL;
935
[150]936  ret_val->elements = (REGFI_VALUE_LIST_ELEM*)talloc_size(ret_val, read_len);
[145]937  if(ret_val->elements == NULL)
938  {
[150]939    talloc_free(ret_val);
[145]940    return NULL;
941  }
942  ret_val->num_values = num_values;
943
[111]944  length = read_len;
[168]945  if((regfi_read(file->fd, (uint8_t*)ret_val->elements, &length) != 0) 
[145]946     || length != read_len)
[111]947  {
[138]948    regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read value pointers"
[137]949                      " while parsing value list at offset 0x%.8X.", offset);
[150]950    talloc_free(ret_val);
[111]951    return NULL;
952  }
953 
954  for(i=0; i < num_values; i++)
955  {
956    /* Fix endianness */
[145]957    ret_val->elements[i] = IVAL(&ret_val->elements[i], 0);
[111]958
959    /* Validate the first num_values values to ensure they make sense */
960    if(strict)
961    {
[145]962      /* XXX: Need to revisit this file length check when we start dealing
963       *      with partial files. */
964      if((ret_val->elements[i] + REGFI_REGF_SIZE > file->file_length)
[157]965         || ((ret_val->elements[i] & 0x00000007) != 0))
[111]966      {
[145]967        regfi_add_message(file, REGFI_MSG_WARN, "Invalid value pointer"
[138]968                          " (0x%.8X) found while parsing value list at offset"
[145]969                          " 0x%.8X.", ret_val->elements[i], offset);
[150]970        talloc_free(ret_val);
[111]971        return NULL;
972      }
973    }
974  }
975
976  return ret_val;
977}
978
979
[172]980void regfi_interpret_valuename(REGFI_FILE* file, REGFI_VK_REC* vk, 
[162]981                               REGFI_ENCODING output_encoding, bool strict)
[30]982{
[165]983  /* XXX: Registry value names are supposedly limited to 16383 characters
984   *      according to:
985   *      http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
986   *      Might want to emit a warning if this is exceeded. 
987   *      It is expected that "characters" could be variable width.
988   *      Also, it may be useful to use this information to limit false positives
989   *      when recovering deleted VK records.
990   */
[172]991  int32_t tmp_size;
992  REGFI_ENCODING from_encoding = (vk->flags & REGFI_VK_FLAG_ASCIINAME)
[162]993    ? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE;
[151]994
[162]995  if(from_encoding == output_encoding)
996  {
[172]997    vk->valuename_raw = talloc_realloc(vk, vk->valuename_raw,
998                                            uint8_t, vk->name_length+1);
999    vk->valuename_raw[vk->name_length] = '\0';
1000    vk->valuename = (char*)vk->valuename_raw;
[162]1001  }
1002  else
1003  {
[172]1004    vk->valuename = talloc_array(vk, char, vk->name_length+1);
1005    if(vk->valuename == NULL)
[162]1006    {
[172]1007      regfi_free_value(vk);
1008      return;
[162]1009    }
1010
1011    tmp_size = regfi_conv_charset(regfi_encoding_int2str(from_encoding),
1012                                  regfi_encoding_int2str(output_encoding),
[172]1013                                  vk->valuename_raw, vk->valuename,
1014                                  vk->name_length, vk->name_length+1);
[162]1015    if(tmp_size < 0)
1016    {
1017      regfi_add_message(file, REGFI_MSG_WARN, "Error occurred while converting"
1018                        " valuename to encoding %s.  Error message: %s",
1019                        regfi_encoding_int2str(output_encoding), 
1020                        strerror(-tmp_size));
[172]1021      talloc_free(vk->valuename);
1022      vk->valuename = NULL;
[162]1023    }
1024  }
[172]1025}
[162]1026
[172]1027
1028/******************************************************************************
1029 ******************************************************************************/
1030REGFI_VK_REC* regfi_load_value(REGFI_FILE* file, uint32_t offset, 
1031                               REGFI_ENCODING output_encoding, bool strict)
1032{
1033  REGFI_VK_REC* ret_val = NULL;
1034  int32_t max_size;
1035
1036  max_size = regfi_calc_maxsize(file, offset);
1037  if(max_size < 0)
1038    return NULL;
1039 
1040  ret_val = regfi_parse_vk(file, offset, max_size, strict);
1041  if(ret_val == NULL)
1042    return NULL;
1043
1044  regfi_interpret_valuename(file, ret_val, output_encoding, strict);
1045
[103]1046  return ret_val;
[30]1047}
1048
1049
[145]1050/******************************************************************************
1051 * If !strict, the list may contain NULLs, VK records may point to NULL.
1052 ******************************************************************************/
[168]1053REGFI_VALUE_LIST* regfi_load_valuelist(REGFI_FILE* file, uint32_t offset, 
1054                                       uint32_t num_values, uint32_t max_size,
[145]1055                                       bool strict)
1056{
[168]1057  uint32_t usable_num_values;
[30]1058
[168]1059  if((num_values+1) * sizeof(uint32_t) > max_size)
[145]1060  {
1061    regfi_add_message(file, REGFI_MSG_WARN, "Number of values indicated by"
1062                      " parent key (%d) would cause cell to straddle HBIN"
1063                      " boundary while loading value list at offset"
1064                      " 0x%.8X.", num_values, offset);
1065    if(strict)
1066      return NULL;
[168]1067    usable_num_values = max_size/sizeof(uint32_t) - sizeof(uint32_t);
[145]1068  }
1069  else
1070    usable_num_values = num_values;
1071
1072  return regfi_parse_valuelist(file, offset, usable_num_values, strict);
1073}
1074
1075
[172]1076void regfi_interpret_keyname(REGFI_FILE* file, REGFI_NK_REC* nk, 
[161]1077                             REGFI_ENCODING output_encoding, bool strict)
[30]1078{
[165]1079  /* XXX: Registry key names are supposedly limited to 255 characters according to:
1080   *      http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
1081   *      Might want to emit a warning if this is exceeded. 
1082   *      It is expected that "characters" could be variable width.
1083   *      Also, it may be useful to use this information to limit false positives
1084   *      when recovering deleted NK records.
1085   */
[172]1086  int32_t tmp_size;
1087  REGFI_ENCODING from_encoding = (nk->flags & REGFI_NK_FLAG_ASCIINAME) 
[161]1088    ? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE;
[172]1089 
[161]1090  if(from_encoding == output_encoding)
1091  {
[168]1092    nk->keyname_raw = talloc_realloc(nk, nk->keyname_raw, uint8_t, nk->name_length+1);
[161]1093    nk->keyname_raw[nk->name_length] = '\0';
1094    nk->keyname = (char*)nk->keyname_raw;
1095  }
1096  else
1097  {
1098    nk->keyname = talloc_array(nk, char, nk->name_length+1);
1099    if(nk->keyname == NULL)
1100    {
1101      regfi_free_key(nk);
[172]1102      return;
[161]1103    }
1104
1105    tmp_size = regfi_conv_charset(regfi_encoding_int2str(from_encoding),
1106                                  regfi_encoding_int2str(output_encoding),
1107                                  nk->keyname_raw, nk->keyname,
1108                                  nk->name_length, nk->name_length+1);
1109    if(tmp_size < 0)
1110    {
1111      regfi_add_message(file, REGFI_MSG_WARN, "Error occurred while converting"
1112                        " keyname to encoding %s.  Error message: %s",
1113                        regfi_encoding_int2str(output_encoding), 
1114                        strerror(-tmp_size));
1115      talloc_free(nk->keyname);
1116      nk->keyname = NULL;
1117    }
1118  }
[172]1119}
[161]1120
1121
[172]1122/******************************************************************************
1123 *
1124 ******************************************************************************/
1125REGFI_NK_REC* regfi_load_key(REGFI_FILE* file, uint32_t offset, 
1126                             REGFI_ENCODING output_encoding, bool strict)
1127{
1128  REGFI_NK_REC* nk;
1129  uint32_t off;
1130  int32_t max_size;
1131
1132  max_size = regfi_calc_maxsize(file, offset);
1133  if (max_size < 0) 
1134    return NULL;
1135
1136  /* get the initial nk record */
1137  if((nk = regfi_parse_nk(file, offset, max_size, true)) == NULL)
1138  {
1139    regfi_add_message(file, REGFI_MSG_ERROR, "Could not load NK record at"
1140                      " offset 0x%.8X.", offset);
1141    return NULL;
1142  }
1143
1144  regfi_interpret_keyname(file, nk, output_encoding, strict);
1145
[146]1146  /* get value list */
[135]1147  if(nk->num_values && (nk->values_off!=REGFI_OFFSET_NONE)) 
[32]1148  {
[157]1149    off = nk->values_off + REGFI_REGF_SIZE;
1150    max_size = regfi_calc_maxsize(file, off);
1151    if(max_size < 0)
[32]1152    {
[105]1153      if(strict)
[32]1154      {
[150]1155        regfi_free_key(nk);
[99]1156        return NULL;
[31]1157      }
[105]1158      else
1159        nk->values = NULL;
[133]1160
[31]1161    }
[105]1162    else
[103]1163    {
[157]1164      nk->values = regfi_load_valuelist(file, off, nk->num_values, 
1165                                        max_size, true);
[145]1166      if(nk->values == NULL)
[105]1167      {
[145]1168        regfi_add_message(file, REGFI_MSG_WARN, "Could not load value list"
1169                          " for NK record at offset 0x%.8X.", offset);
1170        if(strict)
1171        {
[150]1172          regfi_free_key(nk);
[145]1173          return NULL;
1174        }
[105]1175      }
[150]1176      talloc_steal(nk, nk->values);
[103]1177    }
[31]1178  }
[105]1179
[146]1180  /* now get subkey list */
[135]1181  if(nk->num_subkeys && (nk->subkeys_off != REGFI_OFFSET_NONE)) 
[32]1182  {
[157]1183    off = nk->subkeys_off + REGFI_REGF_SIZE;
1184    max_size = regfi_calc_maxsize(file, off);
1185    if(max_size < 0) 
[32]1186    {
[105]1187      if(strict)
[32]1188      {
[150]1189        regfi_free_key(nk);
[99]1190        return NULL;
[31]1191      }
[105]1192      else
1193        nk->subkeys = NULL;
[31]1194    }
[105]1195    else
[104]1196    {
[134]1197      nk->subkeys = regfi_load_subkeylist(file, off, nk->num_subkeys,
[157]1198                                          max_size, true);
[134]1199
[105]1200      if(nk->subkeys == NULL)
1201      {
[140]1202        regfi_add_message(file, REGFI_MSG_WARN, "Could not load subkey list"
1203                          " while parsing NK record at offset 0x%.8X.", offset);
[105]1204        nk->num_subkeys = 0;
1205      }
[150]1206      talloc_steal(nk, nk->subkeys);
[104]1207    }
[31]1208  }
[30]1209
[99]1210  return nk;
[30]1211}
1212
[32]1213
[102]1214/******************************************************************************
1215 ******************************************************************************/
[168]1216const REGFI_SK_REC* regfi_load_sk(REGFI_FILE* file, uint32_t offset, bool strict)
[146]1217{
1218  REGFI_SK_REC* ret_val = NULL;
[168]1219  int32_t max_size;
[147]1220  void* failure_ptr = NULL;
1221 
[146]1222  /* First look if we have already parsed it */
1223  ret_val = (REGFI_SK_REC*)lru_cache_find(file->sk_cache, &offset, 4);
1224
1225  /* Bail out if we have previously cached a parse failure at this offset. */
1226  if(ret_val == (void*)REGFI_OFFSET_NONE)
1227    return NULL;
1228
1229  if(ret_val == NULL)
1230  {
[157]1231    max_size = regfi_calc_maxsize(file, offset);
1232    if(max_size < 0)
[146]1233      return NULL;
1234
[157]1235    ret_val = regfi_parse_sk(file, offset, max_size, strict);
[146]1236    if(ret_val == NULL)
1237    { /* Cache the parse failure and bail out. */
[147]1238      failure_ptr = talloc(NULL, uint32_t);
1239      if(failure_ptr == NULL)
1240        return NULL;
1241      *(uint32_t*)failure_ptr = REGFI_OFFSET_NONE;
1242      lru_cache_update(file->sk_cache, &offset, 4, failure_ptr);
[146]1243      return NULL;
1244    }
1245
1246    lru_cache_update(file->sk_cache, &offset, 4, ret_val);
1247  }
1248
1249  return ret_val;
1250}
1251
1252
1253
1254/******************************************************************************
1255 ******************************************************************************/
[161]1256REGFI_NK_REC* regfi_find_root_nk(REGFI_FILE* file, const REGFI_HBIN* hbin, 
1257                                 REGFI_ENCODING output_encoding)
[30]1258{
[135]1259  REGFI_NK_REC* nk = NULL;
[168]1260  uint32_t cell_length;
1261  uint32_t cur_offset = hbin->file_off+REGFI_HBIN_HEADER_SIZE;
1262  uint32_t hbin_end = hbin->file_off+hbin->block_size;
[158]1263  bool unalloc;
[30]1264
[158]1265  while(cur_offset < hbin_end)
[32]1266  {
[158]1267    if(!regfi_parse_cell(file->fd, cur_offset, NULL, 0, &cell_length, &unalloc))
1268    {
1269      regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell at offset"
1270                        " 0x%.8X while searching for root key.", cur_offset);
1271      return NULL;
1272    }
[102]1273   
[158]1274    if(!unalloc)
[102]1275    {
[161]1276      nk = regfi_load_key(file, cur_offset, output_encoding, true);
[102]1277      if(nk != NULL)
1278      {
[161]1279        if(nk->flags & REGFI_NK_FLAG_ROOT)
[158]1280          return nk;
[102]1281      }
[31]1282    }
[30]1283
[158]1284    cur_offset += cell_length;
[31]1285  }
[32]1286
[158]1287  return NULL;
[30]1288}
1289
1290
[166]1291/******************************************************************************
1292 ******************************************************************************/
[135]1293REGFI_FILE* regfi_open(const char* filename)
[30]1294{
[166]1295  REGFI_FILE* ret_val;
[97]1296  int fd;
[30]1297
[97]1298  /* open an existing file */
[143]1299  if ((fd = open(filename, REGFI_OPEN_FLAGS)) == -1)
[97]1300  {
[143]1301    /* fprintf(stderr, "regfi_open: failure to open %s (%s)\n", filename, strerror(errno));*/
[31]1302    return NULL;
1303  }
[166]1304
1305  ret_val = regfi_alloc(fd);
1306
1307  if(ret_val == NULL)
1308    close(fd);
1309
1310  return ret_val;
1311}
1312
1313
1314/******************************************************************************
1315 ******************************************************************************/
1316REGFI_FILE* regfi_alloc(int fd)
1317{
1318  struct stat sbuf;
1319  REGFI_FILE* rb;
1320  REGFI_HBIN* hbin = NULL;
[168]1321  uint32_t hbin_off, file_length, cache_secret;
[166]1322  bool rla;
1323
[137]1324  /* Determine file length.  Must be at least big enough
1325   * for the header and one hbin.
1326   */
1327  if (fstat(fd, &sbuf) == -1)
1328    return NULL;
1329  file_length = sbuf.st_size;
1330  if(file_length < REGFI_REGF_SIZE+REGFI_HBIN_ALLOC)
1331    return NULL;
1332
[166]1333  /* Read file header */
[97]1334  if ((rb = regfi_parse_regf(fd, true)) == NULL) 
1335  {
[166]1336    /* fprintf(stderr, "regfi_alloc: Failed to read initial REGF block\n"); */
[31]1337    return NULL;
1338  }
[137]1339  rb->file_length = file_length; 
1340
[99]1341  rb->hbins = range_list_new();
[110]1342  if(rb->hbins == NULL)
[99]1343  {
[166]1344    /* fprintf(stderr, "regfi_alloc: Failed to create HBIN list.\n"); */
[150]1345    talloc_free(rb);
[99]1346    return NULL;
1347  }
[150]1348  talloc_steal(rb, rb->hbins);
1349
[106]1350  rla = true;
[135]1351  hbin_off = REGFI_REGF_SIZE;
[110]1352  hbin = regfi_parse_hbin(rb, hbin_off, true);
[106]1353  while(hbin && rla)
1354  {
[137]1355    rla = range_list_add(rb->hbins, hbin->file_off, hbin->block_size, hbin);
[148]1356    if(rla)
1357      talloc_steal(rb->hbins, hbin);
[106]1358    hbin_off = hbin->file_off + hbin->block_size;
[110]1359    hbin = regfi_parse_hbin(rb, hbin_off, true);
[106]1360  }
1361
[146]1362  /* This secret isn't very secret, but we don't need a good one.  This
1363   * secret is just designed to prevent someone from trying to blow our
1364   * caching and make things slow.
1365   */
1366  cache_secret = 0x15DEAD05^time(NULL)^(getpid()<<16);
1367
1368  /* Cache an unlimited number of SK records.  Typically there are very few. */
[150]1369  rb->sk_cache = lru_cache_create_ctx(rb, 0, cache_secret, true);
[146]1370
[138]1371  /* Default message mask */
1372  rb->msg_mask = REGFI_MSG_ERROR|REGFI_MSG_WARN;
1373
[31]1374  /* success */
1375  return rb;
[30]1376}
1377
1378
[148]1379/******************************************************************************
1380 ******************************************************************************/
[166]1381int regfi_close(REGFI_FILE* file)
[30]1382{
[31]1383  int fd;
[30]1384
[31]1385  /* nothing to do if there is no open file */
[99]1386  if ((file == NULL) || (file->fd == -1))
1387    return 0;
[30]1388
[31]1389  fd = file->fd;
1390  file->fd = -1;
[148]1391
[166]1392  regfi_free(file);
[106]1393
[166]1394  return close(fd);
1395}
[148]1396
[166]1397
1398/******************************************************************************
1399 ******************************************************************************/
1400void regfi_free(REGFI_FILE *file)
1401{
1402  if(file->last_message != NULL)
[167]1403    free(file->last_message);
[166]1404
[150]1405  talloc_free(file);
[30]1406}
1407
1408
[80]1409/******************************************************************************
[158]1410 * First checks the offset given by the file header, then checks the
1411 * rest of the file if that fails.
[148]1412 ******************************************************************************/
[161]1413REGFI_NK_REC* regfi_rootkey(REGFI_FILE* file, REGFI_ENCODING output_encoding)
[30]1414{
[135]1415  REGFI_NK_REC* nk = NULL;
[146]1416  REGFI_HBIN* hbin;
[168]1417  uint32_t root_offset, i, num_hbins;
[99]1418 
1419  if(!file)
[31]1420    return NULL;
[99]1421
[158]1422  root_offset = file->root_cell+REGFI_REGF_SIZE;
[161]1423  nk = regfi_load_key(file, root_offset, output_encoding, true);
[158]1424  if(nk != NULL)
1425  {
[161]1426    if(nk->flags & REGFI_NK_FLAG_ROOT)
[158]1427      return nk;
1428  }
1429
1430  regfi_add_message(file, REGFI_MSG_WARN, "File header indicated root key at"
1431                    " location 0x%.8X, but no root key found."
1432                    " Searching rest of file...", root_offset);
1433 
1434  /* If the file header gives bad info, scan through the file one HBIN
1435   * block at a time looking for an NK record with a root key type.
[146]1436   */
[107]1437  num_hbins = range_list_size(file->hbins);
[158]1438  for(i=0; i < num_hbins && nk == NULL; i++)
[99]1439  {
[135]1440    hbin = (REGFI_HBIN*)range_list_get(file->hbins, i)->data;
[161]1441    nk = regfi_find_root_nk(file, hbin, output_encoding);
[31]1442  }
[30]1443
[80]1444  return nk;
[30]1445}
1446
1447
[80]1448/******************************************************************************
1449 *****************************************************************************/
[150]1450void regfi_free_key(REGFI_NK_REC* nk)
[30]1451{
[127]1452  regfi_subkeylist_free(nk->subkeys);
[150]1453  talloc_free(nk);
1454}
[127]1455
[80]1456
[150]1457/******************************************************************************
1458 *****************************************************************************/
1459void regfi_free_value(REGFI_VK_REC* vk)
1460{
1461  talloc_free(vk);
[80]1462}
1463
1464
1465/******************************************************************************
1466 *****************************************************************************/
[135]1467void regfi_subkeylist_free(REGFI_SUBKEY_LIST* list)
[127]1468{
1469  if(list != NULL)
1470  {
[150]1471    talloc_free(list);
[127]1472  }
1473}
1474
1475
1476/******************************************************************************
1477 *****************************************************************************/
[161]1478REGFI_ITERATOR* regfi_iterator_new(REGFI_FILE* file, 
1479                                   REGFI_ENCODING output_encoding)
[80]1480{
[135]1481  REGFI_NK_REC* root;
[161]1482  REGFI_ITERATOR* ret_val;
1483
1484  if(output_encoding != REGFI_ENCODING_UTF8
1485     && output_encoding != REGFI_ENCODING_ASCII)
1486  { 
1487    regfi_add_message(file, REGFI_MSG_ERROR, "Invalid output_encoding supplied"
1488                      " in creation of regfi iterator.");
1489    return NULL;
1490  }
1491
1492  ret_val = talloc(NULL, REGFI_ITERATOR);
[80]1493  if(ret_val == NULL)
1494    return NULL;
1495
[161]1496  root = regfi_rootkey(file, output_encoding);
[80]1497  if(root == NULL)
1498  {
[150]1499    talloc_free(ret_val);
[80]1500    return NULL;
1501  }
1502
[135]1503  ret_val->key_positions = void_stack_new(REGFI_MAX_DEPTH);
[80]1504  if(ret_val->key_positions == NULL)
1505  {
[150]1506    talloc_free(ret_val);
[80]1507    return NULL;
1508  }
[150]1509  talloc_steal(ret_val, ret_val->key_positions);
[80]1510
[159]1511  ret_val->f = file;
[80]1512  ret_val->cur_key = root;
1513  ret_val->cur_subkey = 0;
1514  ret_val->cur_value = 0;
[161]1515  ret_val->string_encoding = output_encoding;
1516   
[80]1517  return ret_val;
1518}
1519
1520
1521/******************************************************************************
1522 *****************************************************************************/
1523void regfi_iterator_free(REGFI_ITERATOR* i)
1524{
[150]1525  talloc_free(i);
[80]1526}
1527
1528
1529
1530/******************************************************************************
1531 *****************************************************************************/
1532/* XXX: some way of indicating reason for failure should be added. */
1533bool regfi_iterator_down(REGFI_ITERATOR* i)
1534{
[135]1535  REGFI_NK_REC* subkey;
[80]1536  REGFI_ITER_POSITION* pos;
1537
[150]1538  pos = talloc(i->key_positions, REGFI_ITER_POSITION);
[80]1539  if(pos == NULL)
1540    return false;
1541
[135]1542  subkey = (REGFI_NK_REC*)regfi_iterator_cur_subkey(i);
[80]1543  if(subkey == NULL)
1544  {
[150]1545    talloc_free(pos);
[80]1546    return false;
1547  }
1548
1549  pos->nk = i->cur_key;
1550  pos->cur_subkey = i->cur_subkey;
1551  if(!void_stack_push(i->key_positions, pos))
1552  {
[150]1553    talloc_free(pos);
1554    regfi_free_key(subkey);
[80]1555    return false;
1556  }
[150]1557  talloc_steal(i, subkey);
[80]1558
1559  i->cur_key = subkey;
1560  i->cur_subkey = 0;
1561  i->cur_value = 0;
1562
1563  return true;
1564}
1565
1566
1567/******************************************************************************
1568 *****************************************************************************/
1569bool regfi_iterator_up(REGFI_ITERATOR* i)
1570{
1571  REGFI_ITER_POSITION* pos;
1572
1573  pos = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions);
1574  if(pos == NULL)
1575    return false;
1576
[150]1577  regfi_free_key(i->cur_key);
[80]1578  i->cur_key = pos->nk;
1579  i->cur_subkey = pos->cur_subkey;
1580  i->cur_value = 0;
[150]1581  talloc_free(pos);
[80]1582
1583  return true;
1584}
1585
1586
1587/******************************************************************************
1588 *****************************************************************************/
1589bool regfi_iterator_to_root(REGFI_ITERATOR* i)
1590{
1591  while(regfi_iterator_up(i))
1592    continue;
1593
1594  return true;
1595}
1596
1597
1598/******************************************************************************
1599 *****************************************************************************/
1600bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* subkey_name)
1601{
[135]1602  REGFI_NK_REC* subkey;
[80]1603  bool found = false;
[168]1604  uint32_t old_subkey = i->cur_subkey;
[133]1605
[80]1606  if(subkey_name == NULL)
1607    return false;
1608
1609  /* XXX: this alloc/free of each sub key might be a bit excessive */
[135]1610  subkey = (REGFI_NK_REC*)regfi_iterator_first_subkey(i);
[80]1611  while((subkey != NULL) && (found == false))
1612  {
1613    if(subkey->keyname != NULL 
1614       && strcasecmp(subkey->keyname, subkey_name) == 0)
1615      found = true;
[82]1616    else
1617    {
[150]1618      regfi_free_key(subkey);
[135]1619      subkey = (REGFI_NK_REC*)regfi_iterator_next_subkey(i);
[82]1620    }
[80]1621  }
1622
1623  if(found == false)
1624  {
1625    i->cur_subkey = old_subkey;
1626    return false;
1627  }
1628
[150]1629  regfi_free_key(subkey);
[80]1630  return true;
1631}
1632
1633
1634/******************************************************************************
1635 *****************************************************************************/
1636bool regfi_iterator_walk_path(REGFI_ITERATOR* i, const char** path)
1637{
[168]1638  uint32_t x;
[80]1639  if(path == NULL)
1640    return false;
1641
1642  for(x=0; 
1643      ((path[x] != NULL) && regfi_iterator_find_subkey(i, path[x])
1644       && regfi_iterator_down(i));
1645      x++)
1646  { continue; }
1647
1648  if(path[x] == NULL)
1649    return true;
1650 
1651  /* XXX: is this the right number of times? */
1652  for(; x > 0; x--)
1653    regfi_iterator_up(i);
1654 
1655  return false;
1656}
1657
1658
1659/******************************************************************************
1660 *****************************************************************************/
[135]1661const REGFI_NK_REC* regfi_iterator_cur_key(REGFI_ITERATOR* i)
[80]1662{
1663  return i->cur_key;
1664}
1665
1666
1667/******************************************************************************
1668 *****************************************************************************/
[135]1669const REGFI_SK_REC* regfi_iterator_cur_sk(REGFI_ITERATOR* i)
[109]1670{
[146]1671  if(i->cur_key == NULL || i->cur_key->sk_off == REGFI_OFFSET_NONE)
[109]1672    return NULL;
1673
[146]1674  return regfi_load_sk(i->f, i->cur_key->sk_off + REGFI_REGF_SIZE, true);
[109]1675}
1676
1677
1678/******************************************************************************
1679 *****************************************************************************/
[150]1680REGFI_NK_REC* regfi_iterator_first_subkey(REGFI_ITERATOR* i)
[80]1681{
1682  i->cur_subkey = 0;
1683  return regfi_iterator_cur_subkey(i);
1684}
1685
1686
1687/******************************************************************************
1688 *****************************************************************************/
[150]1689REGFI_NK_REC* regfi_iterator_cur_subkey(REGFI_ITERATOR* i)
[80]1690{
[168]1691  uint32_t nk_offset;
[80]1692
[31]1693  /* see if there is anything left to report */
[135]1694  if (!(i->cur_key) || (i->cur_key->subkeys_off==REGFI_OFFSET_NONE)
[80]1695      || (i->cur_subkey >= i->cur_key->num_subkeys))
[31]1696    return NULL;
[30]1697
[139]1698  nk_offset = i->cur_key->subkeys->elements[i->cur_subkey].offset;
[133]1699
[161]1700  return regfi_load_key(i->f, nk_offset+REGFI_REGF_SIZE, i->string_encoding, 
1701                        true);
[30]1702}
[80]1703
1704
1705/******************************************************************************
1706 *****************************************************************************/
1707/* XXX: some way of indicating reason for failure should be added. */
[150]1708REGFI_NK_REC* regfi_iterator_next_subkey(REGFI_ITERATOR* i)
[80]1709{
[150]1710  REGFI_NK_REC* subkey;
[80]1711
1712  i->cur_subkey++;
1713  subkey = regfi_iterator_cur_subkey(i);
1714
1715  if(subkey == NULL)
1716    i->cur_subkey--;
1717
1718  return subkey;
1719}
1720
1721
1722/******************************************************************************
1723 *****************************************************************************/
1724bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* value_name)
1725{
[150]1726  REGFI_VK_REC* cur;
[80]1727  bool found = false;
[168]1728  uint32_t old_value = i->cur_value;
[80]1729
1730  /* XXX: cur->valuename can be NULL in the registry. 
1731   *      Should we allow for a way to search for that?
1732   */
1733  if(value_name == NULL)
1734    return false;
1735
1736  cur = regfi_iterator_first_value(i);
1737  while((cur != NULL) && (found == false))
1738  {
1739    if((cur->valuename != NULL)
1740       && (strcasecmp(cur->valuename, value_name) == 0))
1741      found = true;
[95]1742    else
[150]1743    {
1744      regfi_free_value(cur);
[95]1745      cur = regfi_iterator_next_value(i);
[150]1746    }
[80]1747  }
[167]1748 
1749  if(found == false)
1750  {
1751    i->cur_value = old_value;
1752    return false;
1753  }
[80]1754
[167]1755  regfi_free_value(cur);
1756  return true;
[80]1757}
1758
1759
1760/******************************************************************************
1761 *****************************************************************************/
[150]1762REGFI_VK_REC* regfi_iterator_first_value(REGFI_ITERATOR* i)
[80]1763{
1764  i->cur_value = 0;
1765  return regfi_iterator_cur_value(i);
1766}
1767
1768
1769/******************************************************************************
1770 *****************************************************************************/
[150]1771REGFI_VK_REC* regfi_iterator_cur_value(REGFI_ITERATOR* i)
[80]1772{
[150]1773  REGFI_VK_REC* ret_val = NULL;
[168]1774  uint32_t voffset;
[80]1775
[145]1776  if(i->cur_key->values != NULL && i->cur_key->values->elements != NULL)
1777  {
1778    if(i->cur_value < i->cur_key->values->num_values)
1779    {
1780      voffset = i->cur_key->values->elements[i->cur_value];
[162]1781      ret_val = regfi_load_value(i->f, voffset+REGFI_REGF_SIZE, 
1782                                 i->string_encoding, true);
[145]1783    }
1784  }
1785
[80]1786  return ret_val;
1787}
1788
1789
1790/******************************************************************************
1791 *****************************************************************************/
[150]1792REGFI_VK_REC* regfi_iterator_next_value(REGFI_ITERATOR* i)
[80]1793{
[150]1794  REGFI_VK_REC* ret_val;
[80]1795
1796  i->cur_value++;
1797  ret_val = regfi_iterator_cur_value(i);
1798  if(ret_val == NULL)
1799    i->cur_value--;
1800
1801  return ret_val;
1802}
[97]1803
1804
[159]1805/******************************************************************************
1806 *****************************************************************************/
[160]1807REGFI_CLASSNAME* regfi_iterator_fetch_classname(REGFI_ITERATOR* i, 
1808                                                const REGFI_NK_REC* key)
1809{
1810  REGFI_CLASSNAME* ret_val;
[168]1811  uint8_t* raw;
[160]1812  char* interpreted;
[168]1813  uint32_t offset;
1814  int32_t conv_size, max_size;
1815  uint16_t parse_length;
[160]1816
1817  if(key->classname_off == REGFI_OFFSET_NONE || key->classname_length == 0)
1818    return NULL;
1819
1820  offset = key->classname_off + REGFI_REGF_SIZE;
1821  max_size = regfi_calc_maxsize(i->f, offset);
1822  if(max_size <= 0)
1823    return NULL;
1824
1825  parse_length = key->classname_length;
1826  raw = regfi_parse_classname(i->f, offset, &parse_length, max_size, true);
1827 
1828  if(raw == NULL)
1829  {
1830    regfi_add_message(i->f, REGFI_MSG_WARN, "Could not parse class"
1831                      " name at offset 0x%.8X for key record at offset 0x%.8X.",
1832                      offset, key->offset);
1833    return NULL;
1834  }
1835
1836  ret_val = talloc(NULL, REGFI_CLASSNAME);
1837  if(ret_val == NULL)
1838    return NULL;
1839
1840  ret_val->raw = raw;
1841  ret_val->size = parse_length;
1842  talloc_steal(ret_val, raw);
1843
1844  interpreted = talloc_array(NULL, char, parse_length);
1845
[161]1846  conv_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
1847                                 regfi_encoding_int2str(i->string_encoding),
[160]1848                                 raw, interpreted,
1849                                 parse_length, parse_length);
1850  if(conv_size < 0)
1851  {
1852    regfi_add_message(i->f, REGFI_MSG_WARN, "Error occurred while"
1853                      " converting classname to charset %s.  Error message: %s",
1854                      i->string_encoding, strerror(-conv_size));
1855    talloc_free(interpreted);
1856    ret_val->interpreted = NULL;
1857  }
1858  else
1859  {
1860    interpreted = talloc_realloc(NULL, interpreted, char, conv_size);
1861    ret_val->interpreted = interpreted;
1862    talloc_steal(ret_val, interpreted);
1863  }
1864
1865  return ret_val;
1866}
1867
1868
1869/******************************************************************************
1870 *****************************************************************************/
[159]1871REGFI_DATA* regfi_iterator_fetch_data(REGFI_ITERATOR* i, 
1872                                      const REGFI_VK_REC* value)
1873{
1874  REGFI_DATA* ret_val = NULL;
1875  REGFI_BUFFER raw_data;
1876
1877  if(value->data_size != 0)
1878  {
1879    raw_data = regfi_load_data(i->f, value->data_off, value->data_size,
1880                              value->data_in_offset, true);
1881    if(raw_data.buf == NULL)
1882    {
1883      regfi_add_message(i->f, REGFI_MSG_WARN, "Could not parse data record"
1884                        " while parsing VK record at offset 0x%.8X.",
1885                        value->offset);
1886    }
1887    else
1888    {
1889      ret_val = regfi_buffer_to_data(raw_data);
1890
1891      if(ret_val == NULL)
1892      {
1893        regfi_add_message(i->f, REGFI_MSG_WARN, "Error occurred in converting"
1894                          " data buffer to data structure while interpreting "
1895                          "data for VK record at offset 0x%.8X.",
1896                          value->offset);
1897        talloc_free(raw_data.buf);
1898        return NULL;
1899      }
1900
1901      if(!regfi_interpret_data(i->f, i->string_encoding, value->type, ret_val))
1902      {
1903        regfi_add_message(i->f, REGFI_MSG_INFO, "Error occurred while"
1904                          " interpreting data for VK record at offset 0x%.8X.",
1905                          value->offset);
1906      }
1907    }
1908  }
1909 
1910  return ret_val;
1911}
1912
1913
1914/******************************************************************************
1915 *****************************************************************************/
[160]1916void regfi_free_classname(REGFI_CLASSNAME* classname)
1917{
1918  talloc_free(classname);
1919}
1920
1921/******************************************************************************
1922 *****************************************************************************/
[159]1923void regfi_free_data(REGFI_DATA* data)
1924{
1925  talloc_free(data);
1926}
1927
1928
1929/******************************************************************************
1930 *****************************************************************************/
1931REGFI_DATA* regfi_buffer_to_data(REGFI_BUFFER raw_data)
1932{
1933  REGFI_DATA* ret_val;
1934
1935  if(raw_data.buf == NULL)
1936    return NULL;
1937
1938  ret_val = talloc(NULL, REGFI_DATA);
1939  if(ret_val == NULL)
1940    return NULL;
1941 
1942  talloc_steal(ret_val, raw_data.buf);
1943  ret_val->raw = raw_data.buf;
1944  ret_val->size = raw_data.len;
1945  ret_val->interpreted_size = 0;
1946  ret_val->interpreted.qword = 0;
1947
1948  return ret_val;
1949}
1950
1951
1952/******************************************************************************
1953 *****************************************************************************/
[161]1954bool regfi_interpret_data(REGFI_FILE* file, REGFI_ENCODING string_encoding,
[168]1955                          uint32_t type, REGFI_DATA* data)
[159]1956{
[168]1957  uint8_t** tmp_array;
1958  uint8_t* tmp_str;
1959  int32_t tmp_size;
1960  uint32_t i, j, array_size;
[159]1961
1962  if(data == NULL)
1963    return false;
1964
1965  switch (type)
1966  {
1967  case REG_SZ:
1968  case REG_EXPAND_SZ:
1969  /* REG_LINK is a symbolic link, stored as a unicode string. */
1970  case REG_LINK:
[168]1971    tmp_str = talloc_array(NULL, uint8_t, data->size);
[159]1972    if(tmp_str == NULL)
1973    {
1974      data->interpreted.string = NULL;
1975      data->interpreted_size = 0;
1976      return false;
1977    }
1978     
[161]1979    tmp_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
1980                                  regfi_encoding_int2str(string_encoding),
[159]1981                                  data->raw, (char*)tmp_str, 
1982                                  data->size, data->size);
1983    if(tmp_size < 0)
1984    {
1985      regfi_add_message(file, REGFI_MSG_INFO, "Error occurred while"
1986                        " converting data of type %d to %s.  Error message: %s",
1987                        type, string_encoding, strerror(-tmp_size));
1988      talloc_free(tmp_str);
1989      data->interpreted.string = NULL;
1990      data->interpreted_size = 0;
1991      return false;
1992    }
1993
[168]1994    tmp_str = talloc_realloc(NULL, tmp_str, uint8_t, tmp_size);
[159]1995    data->interpreted.string = tmp_str;
1996    data->interpreted_size = tmp_size;
1997    talloc_steal(data, tmp_str);
1998    break;
1999
2000  case REG_DWORD:
2001    if(data->size < 4)
2002    {
2003      data->interpreted.dword = 0;
2004      data->interpreted_size = 0;
2005      return false;
2006    }
2007    data->interpreted.dword = IVAL(data->raw, 0);
2008    data->interpreted_size = 4;
2009    break;
2010
2011  case REG_DWORD_BE:
2012    if(data->size < 4)
2013    {
2014      data->interpreted.dword_be = 0;
2015      data->interpreted_size = 0;
2016      return false;
2017    }
2018    data->interpreted.dword_be = RIVAL(data->raw, 0);
2019    data->interpreted_size = 4;
2020    break;
2021
2022  case REG_QWORD:
2023    if(data->size < 8)
2024    {
2025      data->interpreted.qword = 0;
2026      data->interpreted_size = 0;
2027      return false;
2028    }
2029    data->interpreted.qword = 
[168]2030      (uint64_t)IVAL(data->raw, 0) + (((uint64_t)IVAL(data->raw, 4))<<32);
[159]2031    data->interpreted_size = 8;
2032    break;
2033   
2034  case REG_MULTI_SZ:
[168]2035    tmp_str = talloc_array(NULL, uint8_t, data->size);
[159]2036    if(tmp_str == NULL)
2037    {
2038      data->interpreted.multiple_string = NULL;
2039      data->interpreted_size = 0;
2040      return false;
2041    }
2042
2043    /* Attempt to convert entire string from UTF-16LE to output encoding,
2044     * then parse and quote fields individually.
2045     */
[161]2046    tmp_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
2047                                  regfi_encoding_int2str(string_encoding),
[159]2048                                  data->raw, (char*)tmp_str,
2049                                  data->size, data->size);
2050    if(tmp_size < 0)
2051    {
2052      regfi_add_message(file, REGFI_MSG_INFO, "Error occurred while"
2053                        " converting data of type %d to %s.  Error message: %s",
2054                        type, string_encoding, strerror(-tmp_size));
2055      talloc_free(tmp_str);
2056      data->interpreted.multiple_string = NULL;
2057      data->interpreted_size = 0;
2058      return false;
2059    }
2060
2061    array_size = tmp_size+1;
[168]2062    tmp_array = talloc_array(NULL, uint8_t*, array_size);
[159]2063    if(tmp_array == NULL)
2064    {
2065      talloc_free(tmp_str);
2066      data->interpreted.string = NULL;
2067      data->interpreted_size = 0;
2068      return false;
2069    }
2070   
2071    tmp_array[0] = tmp_str;
2072    for(i=0,j=1; i < tmp_size && j < array_size-1; i++)
2073    {
2074      if(tmp_str[i] == '\0' && (i+1 < tmp_size))
2075        tmp_array[j++] = tmp_str+i+1;
2076    }
2077    tmp_array[j] = NULL;
[168]2078    tmp_array = talloc_realloc(NULL, tmp_array, uint8_t*, j+1);
[159]2079    data->interpreted.multiple_string = tmp_array;
2080    /* XXX: how meaningful is this?  should we store number of strings instead? */
2081    data->interpreted_size = tmp_size;
2082    talloc_steal(tmp_array, tmp_str);
2083    talloc_steal(data, tmp_array);
2084    break;
2085
2086  /* XXX: Dont know how to interpret these yet, just treat as binary */
2087  case REG_NONE:
2088    data->interpreted.none = data->raw;
2089    data->interpreted_size = data->size;
2090    break;
2091
2092  case REG_RESOURCE_LIST:
2093    data->interpreted.resource_list = data->raw;
2094    data->interpreted_size = data->size;
2095    break;
2096
2097  case REG_FULL_RESOURCE_DESCRIPTOR:
2098    data->interpreted.full_resource_descriptor = data->raw;
2099    data->interpreted_size = data->size;
2100    break;
2101
2102  case REG_RESOURCE_REQUIREMENTS_LIST:
2103    data->interpreted.resource_requirements_list = data->raw;
2104    data->interpreted_size = data->size;
2105    break;
2106
2107  case REG_BINARY:
2108    data->interpreted.binary = data->raw;
2109    data->interpreted_size = data->size;
2110    break;
2111
2112  default:
2113    data->interpreted.qword = 0;
2114    data->interpreted_size = 0;
2115    return false;
2116  }
2117
2118  data->type = type;
2119  return true;
2120}
2121
2122
[166]2123/******************************************************************************
[159]2124 * Convert from UTF-16LE to specified character set.
2125 * On error, returns a negative errno code.
[166]2126 *****************************************************************************/
[168]2127int32_t regfi_conv_charset(const char* input_charset, const char* output_charset,
2128                         uint8_t* input, char* output, 
2129                         uint32_t input_len, uint32_t output_max)
[159]2130{
2131  iconv_t conv_desc;
2132  char* inbuf = (char*)input;
2133  char* outbuf = output;
2134  size_t in_len = (size_t)input_len;
2135  size_t out_len = (size_t)(output_max-1);
2136  int ret;
2137
[161]2138  /* XXX: Consider creating a couple of conversion descriptors earlier,
2139   *      storing them on an iterator so they don't have to be recreated
2140   *      each time.
2141   */
2142
[159]2143  /* Set up conversion descriptor. */
[161]2144  conv_desc = iconv_open(output_charset, input_charset);
[159]2145
2146  ret = iconv(conv_desc, &inbuf, &in_len, &outbuf, &out_len);
2147  if(ret == -1)
2148  {
2149    iconv_close(conv_desc);
2150    return -errno;
2151  }
2152  *outbuf = '\0';
2153
2154  iconv_close(conv_desc); 
2155  return output_max-out_len-1;
2156}
2157
2158
2159
2160/*******************************************************************
[97]2161 * Computes the checksum of the registry file header.
[159]2162 * buffer must be at least the size of a regf header (4096 bytes).
[97]2163 *******************************************************************/
[168]2164static uint32_t regfi_compute_header_checksum(uint8_t* buffer)
[97]2165{
[168]2166  uint32_t checksum, x;
[97]2167  int i;
2168
2169  /* XOR of all bytes 0x0000 - 0x01FB */
2170
2171  checksum = x = 0;
2172 
2173  for ( i=0; i<0x01FB; i+=4 ) {
2174    x = IVAL(buffer, i );
2175    checksum ^= x;
2176  }
2177 
2178  return checksum;
2179}
2180
2181
2182/*******************************************************************
[116]2183 * XXX: Add way to return more detailed error information.
[97]2184 *******************************************************************/
[135]2185REGFI_FILE* regfi_parse_regf(int fd, bool strict)
[97]2186{
[168]2187  uint8_t file_header[REGFI_REGF_SIZE];
2188  uint32_t length;
[135]2189  REGFI_FILE* ret_val;
[97]2190
[150]2191  ret_val = talloc(NULL, REGFI_FILE);
[97]2192  if(ret_val == NULL)
2193    return NULL;
2194
2195  ret_val->fd = fd;
[150]2196  ret_val->sk_cache = NULL;
2197  ret_val->last_message = NULL;
2198  ret_val->hbins = NULL;
2199 
[135]2200  length = REGFI_REGF_SIZE;
[150]2201  if((regfi_read(fd, file_header, &length)) != 0 || length != REGFI_REGF_SIZE)
2202    goto fail;
2203 
[97]2204  ret_val->checksum = IVAL(file_header, 0x1FC);
2205  ret_val->computed_checksum = regfi_compute_header_checksum(file_header);
2206  if (strict && (ret_val->checksum != ret_val->computed_checksum))
[150]2207    goto fail;
[97]2208
[135]2209  memcpy(ret_val->magic, file_header, REGFI_REGF_MAGIC_SIZE);
[150]2210  if(memcmp(ret_val->magic, "regf", REGFI_REGF_MAGIC_SIZE) != 0)
[97]2211  {
[150]2212    if(strict)
2213      goto fail;
2214    regfi_add_message(ret_val, REGFI_MSG_WARN, "Magic number mismatch "
2215                      "(%.2X %.2X %.2X %.2X) while parsing hive header",
[151]2216                      ret_val->magic[0], ret_val->magic[1], 
[150]2217                      ret_val->magic[2], ret_val->magic[3]);
[97]2218  }
[151]2219  ret_val->sequence1 = IVAL(file_header, 0x4);
2220  ret_val->sequence2 = IVAL(file_header, 0x8);
[97]2221  ret_val->mtime.low = IVAL(file_header, 0xC);
2222  ret_val->mtime.high = IVAL(file_header, 0x10);
[151]2223  ret_val->major_version = IVAL(file_header, 0x14);
2224  ret_val->minor_version = IVAL(file_header, 0x18);
2225  ret_val->type = IVAL(file_header, 0x1C);
2226  ret_val->format = IVAL(file_header, 0x20);
2227  ret_val->root_cell = IVAL(file_header, 0x24);
[97]2228  ret_val->last_block = IVAL(file_header, 0x28);
2229
[151]2230  ret_val->cluster = IVAL(file_header, 0x2C);
[97]2231
[151]2232  memcpy(ret_val->file_name, file_header+0x30,  REGFI_REGF_NAME_SIZE);
2233
2234  /* XXX: Should we add a warning if these uuid parsers fail?  Can they? */
2235  ret_val->rm_id = winsec_parse_uuid(ret_val, file_header+0x70, 16);
2236  ret_val->log_id = winsec_parse_uuid(ret_val, file_header+0x80, 16);
2237  ret_val->flags = IVAL(file_header, 0x90);
2238  ret_val->tm_id = winsec_parse_uuid(ret_val, file_header+0x94, 16);
2239  ret_val->guid_signature = IVAL(file_header, 0xa4);
2240
2241  memcpy(ret_val->reserved1, file_header+0xa8, REGFI_REGF_RESERVED1_SIZE);
2242  memcpy(ret_val->reserved2, file_header+0x200, REGFI_REGF_RESERVED2_SIZE);
2243
2244  ret_val->thaw_tm_id = winsec_parse_uuid(ret_val, file_header+0xFC8, 16);
2245  ret_val->thaw_rm_id = winsec_parse_uuid(ret_val, file_header+0xFD8, 16);
2246  ret_val->thaw_log_id = winsec_parse_uuid(ret_val, file_header+0xFE8, 16);
[152]2247  ret_val->boot_type = IVAL(file_header, 0xFF8);
2248  ret_val->boot_recover = IVAL(file_header, 0xFFC);
[151]2249
[97]2250  return ret_val;
[150]2251
2252 fail:
2253  talloc_free(ret_val);
2254  return NULL;
[97]2255}
2256
2257
2258
[148]2259/******************************************************************************
[97]2260 * Given real file offset, read and parse the hbin at that location
[110]2261 * along with it's associated cells.
[148]2262 ******************************************************************************/
[168]2263REGFI_HBIN* regfi_parse_hbin(REGFI_FILE* file, uint32_t offset, bool strict)
[97]2264{
[135]2265  REGFI_HBIN *hbin;
[168]2266  uint8_t hbin_header[REGFI_HBIN_HEADER_SIZE];
2267  uint32_t length;
[99]2268 
2269  if(offset >= file->file_length)
2270    return NULL;
[97]2271
2272  if(lseek(file->fd, offset, SEEK_SET) == -1)
[137]2273  {
[138]2274    regfi_add_message(file, REGFI_MSG_ERROR, "Seek failed"
[137]2275                      " while parsing hbin at offset 0x%.8X.", offset);
[97]2276    return NULL;
[137]2277  }
[97]2278
[135]2279  length = REGFI_HBIN_HEADER_SIZE;
[97]2280  if((regfi_read(file->fd, hbin_header, &length) != 0) 
[135]2281     || length != REGFI_HBIN_HEADER_SIZE)
[97]2282    return NULL;
2283
2284  if(lseek(file->fd, offset, SEEK_SET) == -1)
[137]2285  {
[138]2286    regfi_add_message(file, REGFI_MSG_ERROR, "Seek failed"
[137]2287                      " while parsing hbin at offset 0x%.8X.", offset);
[97]2288    return NULL;
[137]2289  }
[97]2290
[148]2291  hbin = talloc(NULL, REGFI_HBIN);
2292  if(hbin == NULL)
[99]2293    return NULL;
2294  hbin->file_off = offset;
2295
[97]2296  memcpy(hbin->magic, hbin_header, 4);
2297  if(strict && (memcmp(hbin->magic, "hbin", 4) != 0))
[99]2298  {
[138]2299    regfi_add_message(file, REGFI_MSG_INFO, "Magic number mismatch "
2300                      "(%.2X %.2X %.2X %.2X) while parsing hbin at offset"
2301                      " 0x%.8X.", hbin->magic[0], hbin->magic[1], 
2302                      hbin->magic[2], hbin->magic[3], offset);
[148]2303    talloc_free(hbin);
[97]2304    return NULL;
[99]2305  }
[97]2306
2307  hbin->first_hbin_off = IVAL(hbin_header, 0x4);
2308  hbin->block_size = IVAL(hbin_header, 0x8);
2309  /* this should be the same thing as hbin->block_size but just in case */
2310  hbin->next_block = IVAL(hbin_header, 0x1C);
2311
2312
2313  /* Ensure the block size is a multiple of 0x1000 and doesn't run off
2314   * the end of the file.
2315   */
[116]2316  /* XXX: This may need to be relaxed for dealing with
2317   *      partial or corrupt files.
2318   */
[97]2319  if((offset + hbin->block_size > file->file_length)
2320     || (hbin->block_size & 0xFFFFF000) != hbin->block_size)
[99]2321  {
[138]2322    regfi_add_message(file, REGFI_MSG_ERROR, "The hbin offset is not aligned"
[137]2323                      " or runs off the end of the file"
2324                      " while parsing hbin at offset 0x%.8X.", offset);
[148]2325    talloc_free(hbin);
[97]2326    return NULL;
[99]2327  }
[97]2328
2329  return hbin;
2330}
2331
2332
[126]2333/*******************************************************************
2334 *******************************************************************/
[168]2335REGFI_NK_REC* regfi_parse_nk(REGFI_FILE* file, uint32_t offset, 
2336                             uint32_t max_size, bool strict)
[99]2337{
[168]2338  uint8_t nk_header[REGFI_NK_MIN_LENGTH];
[135]2339  REGFI_NK_REC* ret_val;
[168]2340  uint32_t length,cell_length;
[101]2341  bool unalloc = false;
[99]2342
[101]2343  if(!regfi_parse_cell(file->fd, offset, nk_header, REGFI_NK_MIN_LENGTH,
2344                       &cell_length, &unalloc))
[137]2345  {
[138]2346    regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]2347                      " while parsing NK record at offset 0x%.8X.", offset);
2348    return NULL;
2349  }
2350
[99]2351  /* A bit of validation before bothering to allocate memory */
[101]2352  if((nk_header[0x0] != 'n') || (nk_header[0x1] != 'k'))
[135]2353  {
[138]2354    regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch in parsing"
2355                      " NK record at offset 0x%.8X.", offset);
[99]2356    return NULL;
[135]2357  }
[99]2358
[150]2359  ret_val = talloc(NULL, REGFI_NK_REC);
[99]2360  if(ret_val == NULL)
[135]2361  {
[138]2362    regfi_add_message(file, REGFI_MSG_ERROR, "Failed to allocate memory while"
[137]2363                      " parsing NK record at offset 0x%.8X.", offset);
[99]2364    return NULL;
[135]2365  }
[99]2366
[150]2367  ret_val->values = NULL;
2368  ret_val->subkeys = NULL;
[99]2369  ret_val->offset = offset;
[101]2370  ret_val->cell_size = cell_length;
2371
[99]2372  if(ret_val->cell_size > max_size)
2373    ret_val->cell_size = max_size & 0xFFFFFFF8;
2374  if((ret_val->cell_size < REGFI_NK_MIN_LENGTH) 
[157]2375     || (strict && (ret_val->cell_size & 0x00000007) != 0))
[99]2376  {
[140]2377    regfi_add_message(file, REGFI_MSG_WARN, "A length check failed while"
[138]2378                      " parsing NK record at offset 0x%.8X.", offset);
[150]2379    talloc_free(ret_val);
[99]2380    return NULL;
2381  }
2382
[101]2383  ret_val->magic[0] = nk_header[0x0];
2384  ret_val->magic[1] = nk_header[0x1];
[161]2385  ret_val->flags = SVAL(nk_header, 0x2);
[152]2386 
[161]2387  if((ret_val->flags & ~REGFI_NK_KNOWN_FLAGS) != 0)
[99]2388  {
[152]2389    regfi_add_message(file, REGFI_MSG_WARN, "Unknown key flags (0x%.4X) while"
[138]2390                      " parsing NK record at offset 0x%.8X.", 
[161]2391                      (ret_val->flags & ~REGFI_NK_KNOWN_FLAGS), offset);
[99]2392  }
[101]2393
2394  ret_val->mtime.low = IVAL(nk_header, 0x4);
2395  ret_val->mtime.high = IVAL(nk_header, 0x8);
[116]2396  /* If the key is unallocated and the MTIME is earlier than Jan 1, 1990
2397   * or later than Jan 1, 2290, we consider this a bad key.  This helps
2398   * weed out some false positives during deleted data recovery.
2399   */
2400  if(unalloc
[179]2401     && (ret_val->mtime.high < REGFI_MTIME_MIN_HIGH
2402         || ret_val->mtime.high > REGFI_MTIME_MAX_HIGH))
2403  {
2404    talloc_free(ret_val);
[116]2405    return NULL;
[179]2406  }
[116]2407
[101]2408  ret_val->unknown1 = IVAL(nk_header, 0xC);
2409  ret_val->parent_off = IVAL(nk_header, 0x10);
2410  ret_val->num_subkeys = IVAL(nk_header, 0x14);
2411  ret_val->unknown2 = IVAL(nk_header, 0x18);
2412  ret_val->subkeys_off = IVAL(nk_header, 0x1C);
2413  ret_val->unknown3 = IVAL(nk_header, 0x20);
2414  ret_val->num_values = IVAL(nk_header, 0x24);
2415  ret_val->values_off = IVAL(nk_header, 0x28);
2416  ret_val->sk_off = IVAL(nk_header, 0x2C);
2417  ret_val->classname_off = IVAL(nk_header, 0x30);
[99]2418
[101]2419  ret_val->max_bytes_subkeyname = IVAL(nk_header, 0x34);
2420  ret_val->max_bytes_subkeyclassname = IVAL(nk_header, 0x38);
2421  ret_val->max_bytes_valuename = IVAL(nk_header, 0x3C);
2422  ret_val->max_bytes_value = IVAL(nk_header, 0x40);
2423  ret_val->unk_index = IVAL(nk_header, 0x44);
[99]2424
[101]2425  ret_val->name_length = SVAL(nk_header, 0x48);
2426  ret_val->classname_length = SVAL(nk_header, 0x4A);
[161]2427  ret_val->keyname = NULL;
[99]2428
2429  if(ret_val->name_length + REGFI_NK_MIN_LENGTH > ret_val->cell_size)
[101]2430  {
2431    if(strict)
2432    {
[138]2433      regfi_add_message(file, REGFI_MSG_ERROR, "Contents too large for cell"
[137]2434                        " while parsing NK record at offset 0x%.8X.", offset);
[150]2435      talloc_free(ret_val);
[101]2436      return NULL;
2437    }
2438    else
2439      ret_val->name_length = ret_val->cell_size - REGFI_NK_MIN_LENGTH;
2440  }
2441  else if (unalloc)
2442  { /* Truncate cell_size if it's much larger than the apparent total record length. */
2443    /* Round up to the next multiple of 8 */
2444    length = (ret_val->name_length + REGFI_NK_MIN_LENGTH) & 0xFFFFFFF8;
2445    if(length < ret_val->name_length + REGFI_NK_MIN_LENGTH)
2446      length+=8;
[99]2447
[101]2448    /* If cell_size is still greater, truncate. */
2449    if(length < ret_val->cell_size)
2450      ret_val->cell_size = length;
2451  }
2452
[168]2453  ret_val->keyname_raw = talloc_array(ret_val, uint8_t, ret_val->name_length);
[161]2454  if(ret_val->keyname_raw == NULL)
[99]2455  {
[150]2456    talloc_free(ret_val);
[99]2457    return NULL;
2458  }
2459
2460  /* Don't need to seek, should be at the right offset */
2461  length = ret_val->name_length;
[168]2462  if((regfi_read(file->fd, (uint8_t*)ret_val->keyname_raw, &length) != 0)
[99]2463     || length != ret_val->name_length)
2464  {
[138]2465    regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read key name"
[137]2466                      " while parsing NK record at offset 0x%.8X.", offset);
[150]2467    talloc_free(ret_val);
[99]2468    return NULL;
2469  }
2470
[126]2471  return ret_val;
2472}
2473
2474
[168]2475uint8_t* regfi_parse_classname(REGFI_FILE* file, uint32_t offset, 
2476                             uint16_t* name_length, uint32_t max_size, bool strict)
[126]2477{
[168]2478  uint8_t* ret_val = NULL;
2479  uint32_t length;
2480  uint32_t cell_length;
[126]2481  bool unalloc = false;
2482
[135]2483  if(*name_length > 0 && offset != REGFI_OFFSET_NONE
[157]2484     && (offset & 0x00000007) == 0)
[131]2485  {
[126]2486    if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc))
[137]2487    {
[138]2488      regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]2489                        " while parsing class name at offset 0x%.8X.", offset);
[126]2490        return NULL;
[137]2491    }
[126]2492
[157]2493    if((cell_length & 0x0000007) != 0)
[137]2494    {
[138]2495      regfi_add_message(file, REGFI_MSG_ERROR, "Cell length not a multiple of 8"
[137]2496                        " while parsing class name at offset 0x%.8X.", offset);
[131]2497      return NULL;
[137]2498    }
2499
[131]2500    if(cell_length > max_size)
[125]2501    {
[138]2502      regfi_add_message(file, REGFI_MSG_WARN, "Cell stretches past hbin "
2503                        "boundary while parsing class name at offset 0x%.8X.",
2504                        offset);
[126]2505      if(strict)
2506        return NULL;
[131]2507      cell_length = max_size;
[126]2508    }
[131]2509
2510    if((cell_length - 4) < *name_length)
2511    {
[138]2512      regfi_add_message(file, REGFI_MSG_WARN, "Class name is larger than"
2513                        " cell_length while parsing class name at offset"
2514                        " 0x%.8X.", offset);
[131]2515      if(strict)
2516        return NULL;
2517      *name_length = cell_length - 4;
2518    }
[126]2519   
[168]2520    ret_val = talloc_array(NULL, uint8_t, *name_length);
[126]2521    if(ret_val != NULL)
2522    {
2523      length = *name_length;
[160]2524      if((regfi_read(file->fd, ret_val, &length) != 0)
[126]2525         || length != *name_length)
[125]2526      {
[138]2527        regfi_add_message(file, REGFI_MSG_ERROR, "Could not read class name"
[137]2528                          " while parsing class name at offset 0x%.8X.", offset);
[150]2529        talloc_free(ret_val);
[126]2530        return NULL;
[125]2531      }
2532    }
2533  }
2534
[99]2535  return ret_val;
2536}
2537
2538
[152]2539/******************************************************************************
2540*******************************************************************************/
[168]2541REGFI_VK_REC* regfi_parse_vk(REGFI_FILE* file, uint32_t offset, 
2542                             uint32_t max_size, bool strict)
[97]2543{
[135]2544  REGFI_VK_REC* ret_val;
[168]2545  uint8_t vk_header[REGFI_VK_MIN_LENGTH];
2546  uint32_t raw_data_size, length, cell_length;
[101]2547  bool unalloc = false;
[97]2548
[101]2549  if(!regfi_parse_cell(file->fd, offset, vk_header, REGFI_VK_MIN_LENGTH,
2550                       &cell_length, &unalloc))
[137]2551  {
[138]2552    regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]2553                      " while parsing VK record at offset 0x%.8X.", offset);
[101]2554    return NULL;
[137]2555  }
[111]2556
[150]2557  ret_val = talloc(NULL, REGFI_VK_REC);
[101]2558  if(ret_val == NULL)
2559    return NULL;
2560
2561  ret_val->offset = offset;
2562  ret_val->cell_size = cell_length;
[150]2563  ret_val->valuename = NULL;
[162]2564  ret_val->valuename_raw = NULL;
[150]2565 
[101]2566  if(ret_val->cell_size > max_size)
2567    ret_val->cell_size = max_size & 0xFFFFFFF8;
2568  if((ret_val->cell_size < REGFI_VK_MIN_LENGTH) 
[157]2569     || (ret_val->cell_size & 0x00000007) != 0)
[97]2570  {
[138]2571    regfi_add_message(file, REGFI_MSG_WARN, "Invalid cell size encountered"
[137]2572                      " while parsing VK record at offset 0x%.8X.", offset);
[150]2573    talloc_free(ret_val);
[101]2574    return NULL;
2575  }
[97]2576
[101]2577  ret_val->magic[0] = vk_header[0x0];
2578  ret_val->magic[1] = vk_header[0x1];
2579  if((ret_val->magic[0] != 'v') || (ret_val->magic[1] != 'k'))
2580  {
[124]2581    /* XXX: This does not account for deleted keys under Win2K which
2582     *      often have this (and the name length) overwritten with
2583     *      0xFFFF.
2584     */
[138]2585    regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch"
[137]2586                      " while parsing VK record at offset 0x%.8X.", offset);
[150]2587    talloc_free(ret_val);
[101]2588    return NULL;
2589  }
2590
2591  ret_val->name_length = SVAL(vk_header, 0x2);
2592  raw_data_size = IVAL(vk_header, 0x4);
[135]2593  ret_val->data_size = raw_data_size & ~REGFI_VK_DATA_IN_OFFSET;
[157]2594  /* The data is typically stored in the offset if the size <= 4,
2595   * in which case this flag is set.
2596   */
[135]2597  ret_val->data_in_offset = (bool)(raw_data_size & REGFI_VK_DATA_IN_OFFSET);
[101]2598  ret_val->data_off = IVAL(vk_header, 0x8);
2599  ret_val->type = IVAL(vk_header, 0xC);
[162]2600  ret_val->flags = SVAL(vk_header, 0x10);
[101]2601  ret_val->unknown1 = SVAL(vk_header, 0x12);
2602
[162]2603  if(ret_val->name_length > 0)
[101]2604  {
[113]2605    if(ret_val->name_length + REGFI_VK_MIN_LENGTH + 4 > ret_val->cell_size)
[101]2606    {
[138]2607      regfi_add_message(file, REGFI_MSG_WARN, "Name too long for remaining cell"
2608                        " space while parsing VK record at offset 0x%.8X.",
2609                        offset);
[101]2610      if(strict)
2611      {
[150]2612        talloc_free(ret_val);
[101]2613        return NULL;
2614      }
2615      else
[113]2616        ret_val->name_length = ret_val->cell_size - REGFI_VK_MIN_LENGTH - 4;
[101]2617    }
2618
2619    /* Round up to the next multiple of 8 */
[113]2620    cell_length = (ret_val->name_length + REGFI_VK_MIN_LENGTH + 4) & 0xFFFFFFF8;
2621    if(cell_length < ret_val->name_length + REGFI_VK_MIN_LENGTH + 4)
2622      cell_length+=8;
[101]2623
[168]2624    ret_val->valuename_raw = talloc_array(ret_val, uint8_t, ret_val->name_length);
[162]2625    if(ret_val->valuename_raw == NULL)
[101]2626    {
[150]2627      talloc_free(ret_val);
[101]2628      return NULL;
2629    }
[113]2630
[101]2631    length = ret_val->name_length;
[168]2632    if((regfi_read(file->fd, (uint8_t*)ret_val->valuename_raw, &length) != 0)
[101]2633       || length != ret_val->name_length)
2634    {
[138]2635      regfi_add_message(file, REGFI_MSG_ERROR, "Could not read value name"
[137]2636                        " while parsing VK record at offset 0x%.8X.", offset);
[150]2637      talloc_free(ret_val);
[101]2638      return NULL;
2639    }
2640  }
2641  else
[113]2642    cell_length = REGFI_VK_MIN_LENGTH + 4;
[101]2643
2644  if(unalloc)
2645  {
2646    /* If cell_size is still greater, truncate. */
[113]2647    if(cell_length < ret_val->cell_size)
2648      ret_val->cell_size = cell_length;
[101]2649  }
2650
2651  return ret_val;
[97]2652}
[101]2653
2654
[152]2655/******************************************************************************
[157]2656 *
2657 ******************************************************************************/
[168]2658REGFI_BUFFER regfi_load_data(REGFI_FILE* file, uint32_t voffset,
2659                             uint32_t length, bool data_in_offset,
[157]2660                             bool strict)
[101]2661{
[151]2662  REGFI_BUFFER ret_val;
[168]2663  uint32_t cell_length, offset;
2664  int32_t max_size;
[101]2665  bool unalloc;
[151]2666 
[159]2667  /* Microsoft's documentation indicates that "available memory" is
[165]2668   * the limit on value sizes for the more recent registry format version.
2669   * This is not only annoying, but it's probably also incorrect, since clearly
2670   * value data sizes are limited to 2^31 (high bit used as a flag) and even
2671   * with big data records, the apparent max size is:
2672   *   16344 * 2^16 = 1071104040 (~1GB).
2673   *
2674   * We choose to limit it to 1M which was the limit in older versions and
2675   * should rarely be exceeded unless the file is corrupt or malicious.
2676   * For more info, see:
2677   *   http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
[159]2678   */
[160]2679  /* XXX: add way to skip this check at user discression. */
2680  if(length > REGFI_VK_MAX_DATA_LENGTH)
[159]2681  {
[160]2682    regfi_add_message(file, REGFI_MSG_WARN, "Value data size %d larger than "
2683                      "%d, truncating...", length, REGFI_VK_MAX_DATA_LENGTH);
2684    length = REGFI_VK_MAX_DATA_LENGTH;
[159]2685  }
2686
[145]2687  if(data_in_offset)
[157]2688    return regfi_parse_little_data(file, voffset, length, strict);
2689  else
[101]2690  {
[157]2691    offset = voffset + REGFI_REGF_SIZE;
2692    max_size = regfi_calc_maxsize(file, offset);
2693    if(max_size < 0)
[137]2694    {
[157]2695      regfi_add_message(file, REGFI_MSG_WARN, "Could not find HBIN for data"
2696                        " at offset 0x%.8X.", offset);
[151]2697      goto fail;
[137]2698    }
[157]2699   
[101]2700    if(!regfi_parse_cell(file->fd, offset, NULL, 0,
2701                         &cell_length, &unalloc))
[137]2702    {
[138]2703      regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
[137]2704                        " parsing data record at offset 0x%.8X.", offset);
[151]2705      goto fail;
[137]2706    }
[111]2707
[157]2708    if((cell_length & 0x00000007) != 0)
[137]2709    {
[138]2710      regfi_add_message(file, REGFI_MSG_WARN, "Cell length not multiple of 8"
[137]2711                        " while parsing data record at offset 0x%.8X.",
2712                        offset);
[151]2713      goto fail;
[137]2714    }
[101]2715
[131]2716    if(cell_length > max_size)
2717    {
[145]2718      regfi_add_message(file, REGFI_MSG_WARN, "Cell extends past HBIN boundary"
2719                        " while parsing data record at offset 0x%.8X.",
[137]2720                        offset);
[157]2721      goto fail;
[131]2722    }
2723
[101]2724    if(cell_length - 4 < length)
2725    {
[155]2726      /* XXX: All big data records thus far have been 16 bytes long. 
2727       *      Should we check for this precise size instead of just
2728       *      relying upon the above check?
2729       */
[152]2730      if (file->major_version >= 1 && file->minor_version >= 5)
2731      {
2732        /* Attempt to parse a big data record */
[157]2733        return regfi_load_big_data(file, offset, length, cell_length, 
2734                                   NULL, strict);
[152]2735      }
[101]2736      else
[152]2737      {
2738        regfi_add_message(file, REGFI_MSG_WARN, "Data length (0x%.8X) larger than"
2739                          " remaining cell length (0x%.8X)"
2740                          " while parsing data record at offset 0x%.8X.", 
2741                          length, cell_length - 4, offset);
2742        if(strict)
2743          goto fail;
2744        else
2745          length = cell_length - 4;
2746      }
[101]2747    }
2748
[157]2749    ret_val = regfi_parse_data(file, offset, length, strict);
[101]2750  }
2751
2752  return ret_val;
[151]2753
2754 fail:
2755  ret_val.buf = NULL;
2756  ret_val.len = 0;
2757  return ret_val;
[101]2758}
[110]2759
2760
[152]2761/******************************************************************************
[157]2762 * Parses the common case data records stored in a single cell.
2763 ******************************************************************************/
[168]2764REGFI_BUFFER regfi_parse_data(REGFI_FILE* file, uint32_t offset,
2765                              uint32_t length, bool strict)
[157]2766{
2767  REGFI_BUFFER ret_val;
[168]2768  uint32_t read_length;
[157]2769
2770  ret_val.buf = NULL;
2771  ret_val.len = 0;
2772 
2773  if(lseek(file->fd, offset+4, SEEK_SET) == -1)
2774  {
2775    regfi_add_message(file, REGFI_MSG_WARN, "Could not seek while "
2776                      "reading data at offset 0x%.8X.", offset);
2777    return ret_val;
2778  }
2779
[168]2780  if((ret_val.buf = talloc_array(NULL, uint8_t, length)) == NULL)
[157]2781    return ret_val;
2782  ret_val.len = length;
2783 
2784  read_length = length;
2785  if((regfi_read(file->fd, ret_val.buf, &read_length) != 0)
2786     || read_length != length)
2787  {
2788    regfi_add_message(file, REGFI_MSG_ERROR, "Could not read data block while"
2789                      " parsing data record at offset 0x%.8X.", offset);
2790    talloc_free(ret_val.buf);
2791    ret_val.buf = NULL;
2792    ret_val.buf = 0;
2793  }
2794
2795  return ret_val;
2796}
2797
2798
2799
2800/******************************************************************************
2801 *
2802 ******************************************************************************/
[168]2803REGFI_BUFFER regfi_parse_little_data(REGFI_FILE* file, uint32_t voffset,
2804                                     uint32_t length, bool strict)
[157]2805{
[173]2806  uint8_t i;
[157]2807  REGFI_BUFFER ret_val;
2808
2809  ret_val.buf = NULL;
2810  ret_val.len = 0;
2811
2812  if(length > 4)
2813  {
2814    regfi_add_message(file, REGFI_MSG_ERROR, "Data in offset but length > 4"
2815                      " while parsing data record. (voffset=0x%.8X, length=%d)",
2816                      voffset, length);
2817    return ret_val;
2818  }
2819
[168]2820  if((ret_val.buf = talloc_array(NULL, uint8_t, length)) == NULL)
[157]2821    return ret_val;
2822  ret_val.len = length;
2823 
2824  for(i = 0; i < length; i++)
[168]2825    ret_val.buf[i] = (uint8_t)((voffset >> i*8) & 0xFF);
[157]2826
2827  return ret_val;
2828}
2829
2830/******************************************************************************
[152]2831*******************************************************************************/
[168]2832REGFI_BUFFER regfi_parse_big_data_header(REGFI_FILE* file, uint32_t offset, 
2833                                         uint32_t max_size, bool strict)
[152]2834{
2835  REGFI_BUFFER ret_val;
[168]2836  uint32_t cell_length;
[152]2837  bool unalloc;
[157]2838
2839  /* XXX: do something with unalloc? */
[168]2840  ret_val.buf = (uint8_t*)talloc_array(NULL, uint8_t, REGFI_BIG_DATA_MIN_LENGTH);
[157]2841  if(ret_val.buf == NULL)
[152]2842    goto fail;
2843
[157]2844  if(REGFI_BIG_DATA_MIN_LENGTH > max_size)
2845  {
2846    regfi_add_message(file, REGFI_MSG_WARN, "Big data header exceeded max_size "
2847                      "while parsing big data header at offset 0x%.8X.",offset);
2848    goto fail;
2849  }
2850
2851  if(!regfi_parse_cell(file->fd, offset, ret_val.buf, REGFI_BIG_DATA_MIN_LENGTH,
[152]2852                       &cell_length, &unalloc))
2853  {
2854    regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
[157]2855                      " parsing big data header at offset 0x%.8X.", offset);
[152]2856    goto fail;
2857  }
[157]2858
2859  if((ret_val.buf[0] != 'd') || (ret_val.buf[1] != 'b'))
[152]2860  {
2861    regfi_add_message(file, REGFI_MSG_WARN, "Unknown magic number"
2862                      " (0x%.2X, 0x%.2X) encountered while parsing"
[157]2863                      " big data header at offset 0x%.8X.", 
2864                      ret_val.buf[0], ret_val.buf[1], offset);
[152]2865    goto fail;
2866  }
2867
[157]2868  ret_val.len = REGFI_BIG_DATA_MIN_LENGTH;
2869  return ret_val;
2870
2871 fail:
2872  if(ret_val.buf != NULL)
2873  {
2874    talloc_free(ret_val.buf);
2875    ret_val.buf = NULL;
2876  }
2877  ret_val.len = 0;
2878  return ret_val;
2879}
2880
2881
2882
2883/******************************************************************************
2884 *
2885 ******************************************************************************/
[168]2886uint32_t* regfi_parse_big_data_indirect(REGFI_FILE* file, uint32_t offset,
2887                                      uint16_t num_chunks, bool strict)
[157]2888{
[168]2889  uint32_t* ret_val;
2890  uint32_t indirect_length;
2891  int32_t max_size;
2892  uint16_t i;
[157]2893  bool unalloc;
2894
2895  /* XXX: do something with unalloc? */
2896
2897  max_size = regfi_calc_maxsize(file, offset);
[168]2898  if((max_size < 0) || (num_chunks*sizeof(uint32_t) + 4 > max_size))
[157]2899    return NULL;
2900
[168]2901  ret_val = (uint32_t*)talloc_array(NULL, uint32_t, num_chunks);
[157]2902  if(ret_val == NULL)
[152]2903    goto fail;
2904
[168]2905  if(!regfi_parse_cell(file->fd, offset, (uint8_t*)ret_val,
2906                       num_chunks*sizeof(uint32_t),
[152]2907                       &indirect_length, &unalloc))
2908  {
2909    regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
2910                      " parsing big data indirect record at offset 0x%.8X.", 
2911                      offset);
2912    goto fail;
2913  }
[157]2914
2915  /* Convert pointers to proper endianess, verify they are aligned. */
2916  for(i=0; i<num_chunks; i++)
[152]2917  {
[168]2918    ret_val[i] = IVAL(ret_val, i*sizeof(uint32_t));
[157]2919    if((ret_val[i] & 0x00000007) != 0)
2920      goto fail;
[152]2921  }
[157]2922 
2923  return ret_val;
[152]2924
[157]2925 fail:
2926  if(ret_val != NULL)
2927    talloc_free(ret_val);
2928  return NULL;
2929}
2930
2931
2932/******************************************************************************
2933 * Arguments:
2934 *  file       --
2935 *  offsets    -- list of virtual offsets.
2936 *  num_chunks --
2937 *  strict     --
2938 *
2939 * Returns:
2940 *  A range_list with physical offsets and complete lengths
2941 *  (including cell headers) of associated cells. 
2942 *  No data in range_list elements.
2943 ******************************************************************************/
[168]2944range_list* regfi_parse_big_data_cells(REGFI_FILE* file, uint32_t* offsets,
2945                                       uint16_t num_chunks, bool strict)
[157]2946{
[168]2947  uint32_t cell_length, chunk_offset;
[157]2948  range_list* ret_val;
[168]2949  uint16_t i;
[157]2950  bool unalloc;
2951 
2952  /* XXX: do something with unalloc? */
2953  ret_val = range_list_new();
2954  if(ret_val == NULL)
2955    goto fail;
2956 
[166]2957  for(i=0; i<num_chunks; i++)
[152]2958  {
[157]2959    chunk_offset = offsets[i]+REGFI_REGF_SIZE;
2960    if(!regfi_parse_cell(file->fd, chunk_offset, NULL, 0,
2961                         &cell_length, &unalloc))
[152]2962    {
2963      regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
2964                        " parsing big data chunk at offset 0x%.8X.", 
2965                        chunk_offset);
[157]2966      goto fail;
[152]2967    }
2968
[157]2969    if(!range_list_add(ret_val, chunk_offset, cell_length, NULL))
2970      goto fail;
2971  }
2972
2973  return ret_val;
2974
2975 fail:
2976  if(ret_val != NULL)
2977    range_list_free(ret_val);
2978  return NULL;
2979}
2980
2981
2982/******************************************************************************
2983*******************************************************************************/
2984REGFI_BUFFER regfi_load_big_data(REGFI_FILE* file, 
[168]2985                                 uint32_t offset, uint32_t data_length, 
2986                                 uint32_t cell_length, range_list* used_ranges,
[157]2987                                 bool strict)
2988{
2989  REGFI_BUFFER ret_val;
[168]2990  uint16_t num_chunks, i;
2991  uint32_t read_length, data_left, tmp_len, indirect_offset;
2992  uint32_t* indirect_ptrs = NULL;
[157]2993  REGFI_BUFFER bd_header;
2994  range_list* bd_cells = NULL;
2995  const range_list_element* cell_info;
2996
2997  ret_val.buf = NULL;
2998
2999  /* XXX: Add better error/warning messages */
3000
3001  bd_header = regfi_parse_big_data_header(file, offset, cell_length, strict);
3002  if(bd_header.buf == NULL)
3003    goto fail;
3004
3005  /* Keep track of used space for use by reglookup-recover */
3006  if(used_ranges != NULL)
3007    if(!range_list_add(used_ranges, offset, cell_length, NULL))
3008      goto fail;
3009
3010  num_chunks = SVAL(bd_header.buf, 0x2);
3011  indirect_offset = IVAL(bd_header.buf, 0x4) + REGFI_REGF_SIZE;
3012  talloc_free(bd_header.buf);
3013
3014  indirect_ptrs = regfi_parse_big_data_indirect(file, indirect_offset,
3015                                                num_chunks, strict);
3016  if(indirect_ptrs == NULL)
3017    goto fail;
3018
3019  if(used_ranges != NULL)
3020    if(!range_list_add(used_ranges, indirect_offset, num_chunks*4+4, NULL))
3021      goto fail;
3022 
3023  if((ret_val.buf = talloc_array(NULL, uint8_t, data_length)) == NULL)
3024    goto fail;
3025  data_left = data_length;
3026
3027  bd_cells = regfi_parse_big_data_cells(file, indirect_ptrs, num_chunks, strict);
3028  if(bd_cells == NULL)
3029    goto fail;
3030
3031  talloc_free(indirect_ptrs);
3032  indirect_ptrs = NULL;
3033 
3034  for(i=0; (i<num_chunks) && (data_left>0); i++)
3035  {
3036    cell_info = range_list_get(bd_cells, i);
3037    if(cell_info == NULL)
3038      goto fail;
3039
3040    /* XXX: This should be "cell_info->length-4" to account for the 4 byte cell
[154]3041     *      length.  However, it has been observed that some (all?) chunks
3042     *      have an additional 4 bytes of 0 at the end of their cells that
3043     *      isn't part of the data, so we're trimming that off too.
[157]3044     *      Perhaps it's just an 8 byte alignment requirement...
[154]3045     */
[157]3046    if(cell_info->length - 8 >= data_left)
3047    {
3048      if(i+1 != num_chunks)
3049      {
3050        regfi_add_message(file, REGFI_MSG_WARN, "Left over chunks detected "
3051                          "while constructing big data at offset 0x%.8X "
3052                          "(chunk offset 0x%.8X).", offset, cell_info->offset);
3053      }
[152]3054      read_length = data_left;
[157]3055    }
[152]3056    else
[157]3057      read_length = cell_info->length - 8;
[152]3058
[157]3059
3060    if(read_length > regfi_calc_maxsize(file, cell_info->offset))
3061    {
3062      regfi_add_message(file, REGFI_MSG_WARN, "A chunk exceeded the maxsize "
3063                        "while constructing big data at offset 0x%.8X "
3064                        "(chunk offset 0x%.8X).", offset, cell_info->offset);
3065      goto fail;
3066    }
3067
[168]3068    if(lseek(file->fd, cell_info->offset+sizeof(uint32_t), SEEK_SET) == -1)
[157]3069    {
3070      regfi_add_message(file, REGFI_MSG_WARN, "Could not seek to chunk while "
3071                        "constructing big data at offset 0x%.8X "
3072                        "(chunk offset 0x%.8X).", offset, cell_info->offset);
3073      goto fail;
3074    }
3075
3076    tmp_len = read_length;
[152]3077    if(regfi_read(file->fd, ret_val.buf+(data_length-data_left), 
[157]3078                  &read_length) != 0 || (read_length != tmp_len))
[152]3079    {
3080      regfi_add_message(file, REGFI_MSG_WARN, "Could not read data chunk while"
[157]3081                        " constructing big data at offset 0x%.8X"
3082                        " (chunk offset 0x%.8X).", offset, cell_info->offset);
3083      goto fail;
[152]3084    }
3085
[157]3086    if(used_ranges != NULL)
3087      if(!range_list_add(used_ranges, cell_info->offset,cell_info->length,NULL))
3088        goto fail;
3089
[152]3090    data_left -= read_length;
3091  }
[157]3092  range_list_free(bd_cells);
3093
[152]3094  ret_val.len = data_length-data_left;
3095  return ret_val;
3096
3097 fail:
[157]3098  if(ret_val.buf != NULL)
3099    talloc_free(ret_val.buf);
3100  if(indirect_ptrs != NULL)
3101    talloc_free(indirect_ptrs);
3102  if(bd_cells != NULL)
3103    range_list_free(bd_cells);
[152]3104  ret_val.buf = NULL;
3105  ret_val.len = 0;
3106  return ret_val;
3107}
3108
3109
[135]3110range_list* regfi_parse_unalloc_cells(REGFI_FILE* file)
[110]3111{
3112  range_list* ret_val;
[135]3113  REGFI_HBIN* hbin;
[110]3114  const range_list_element* hbins_elem;
[168]3115  uint32_t i, num_hbins, curr_off, cell_len;
[110]3116  bool is_unalloc;
3117
3118  ret_val = range_list_new();
3119  if(ret_val == NULL)
3120    return NULL;
3121
3122  num_hbins = range_list_size(file->hbins);
3123  for(i=0; i<num_hbins; i++)
3124  {
3125    hbins_elem = range_list_get(file->hbins, i);
3126    if(hbins_elem == NULL)
3127      break;
[135]3128    hbin = (REGFI_HBIN*)hbins_elem->data;
[110]3129
[135]3130    curr_off = REGFI_HBIN_HEADER_SIZE;
[110]3131    while(curr_off < hbin->block_size)
3132    {
3133      if(!regfi_parse_cell(file->fd, hbin->file_off+curr_off, NULL, 0,
3134                           &cell_len, &is_unalloc))
3135        break;
3136     
[157]3137      if((cell_len == 0) || ((cell_len & 0x00000007) != 0))
[140]3138      {
3139        regfi_add_message(file, REGFI_MSG_ERROR, "Bad cell length encountered"
3140                          " while parsing unallocated cells at offset 0x%.8X.",
3141                          hbin->file_off+curr_off);
[110]3142        break;
[140]3143      }
3144
[110]3145      /* for some reason the record_size of the last record in
3146         an hbin block can extend past the end of the block
3147         even though the record fits within the remaining
3148         space....aaarrrgggghhhhhh */ 
3149      if(curr_off + cell_len >= hbin->block_size)
3150        cell_len = hbin->block_size - curr_off;
3151     
3152      if(is_unalloc)
3153        range_list_add(ret_val, hbin->file_off+curr_off, 
3154                       cell_len, NULL);
3155     
3156      curr_off = curr_off+cell_len;
3157    }
3158  }
3159
3160  return ret_val;
3161}
[168]3162
3163
3164/* From lib/time.c */
3165
3166/****************************************************************************
3167 Put a 8 byte filetime from a time_t
3168 This takes real GMT as input and converts to kludge-GMT
3169****************************************************************************/
3170void regfi_unix2nt_time(REGFI_NTTIME *nt, time_t t)
3171{
3172  double d;
3173 
3174  if (t==0) 
3175  {
3176    nt->low = 0;
3177    nt->high = 0;
3178    return;
3179  }
3180 
3181  if (t == TIME_T_MAX) 
3182  {
3183    nt->low = 0xffffffff;
3184    nt->high = 0x7fffffff;
3185    return;
3186  }             
3187 
3188  if (t == -1) 
3189  {
3190    nt->low = 0xffffffff;
3191    nt->high = 0xffffffff;
3192    return;
3193  }             
3194 
3195  /* this converts GMT to kludge-GMT */
3196  /* XXX: This was removed due to difficult dependency requirements. 
3197   *      So far, times appear to be correct without this adjustment, but
3198   *      that may be proven wrong with adequate testing.
3199   */
3200  /* t -= TimeDiff(t) - get_serverzone(); */
3201 
3202  d = (double)(t);
3203  d += TIME_FIXUP_CONSTANT;
3204  d *= 1.0e7;
3205 
3206  nt->high = (uint32_t)(d * (1.0/(4.0*(double)(1<<30))));
3207  nt->low  = (uint32_t)(d - ((double)nt->high)*4.0*(double)(1<<30));
3208}
3209
3210
3211/****************************************************************************
3212 Interpret an 8 byte "filetime" structure to a time_t
3213 It's originally in "100ns units since jan 1st 1601"
3214
3215 An 8 byte value of 0xffffffffffffffff will be returned as (time_t)0.
3216
3217 It appears to be kludge-GMT (at least for file listings). This means
3218 its the GMT you get by taking a localtime and adding the
3219 serverzone. This is NOT the same as GMT in some cases. This routine
3220 converts this to real GMT.
3221****************************************************************************/
3222time_t regfi_nt2unix_time(const REGFI_NTTIME* nt)
3223{
3224  double d;
3225  time_t ret;
3226  /* The next two lines are a fix needed for the
3227     broken SCO compiler. JRA. */
3228  time_t l_time_min = TIME_T_MIN;
3229  time_t l_time_max = TIME_T_MAX;
3230 
3231  if (nt->high == 0 || (nt->high == 0xffffffff && nt->low == 0xffffffff))
3232    return(0);
3233 
3234  d = ((double)nt->high)*4.0*(double)(1<<30);
3235  d += (nt->low&0xFFF00000);
3236  d *= 1.0e-7;
3237 
3238  /* now adjust by 369 years to make the secs since 1970 */
3239  d -= TIME_FIXUP_CONSTANT;
3240 
3241  if (d <= l_time_min)
3242    return (l_time_min);
3243 
3244  if (d >= l_time_max)
3245    return (l_time_max);
3246 
3247  ret = (time_t)(d+0.5);
3248 
3249  /* this takes us from kludge-GMT to real GMT */
3250  /* XXX: This was removed due to difficult dependency requirements. 
3251   *      So far, times appear to be correct without this adjustment, but
3252   *      that may be proven wrong with adequate testing.
3253   */
3254  /*
3255    ret -= get_serverzone();
3256    ret += LocTimeDiff(ret);
3257  */
3258
3259  return(ret);
3260}
3261
3262/* End of stuff from lib/time.c */
Note: See TracBrowser for help on using the repository browser.