Context Navigation

source: trunk/lib/regfi.c @ 217

Last change on this file since 217 was 215, checked in by tim, 14 years ago
improvements to smoketest script, additional test case added a function to get a key's parent in both regfi and pyregfi bug fixes
Property svn:keywords set to `Id`
File size: 100.6 KB

Rev	Line
[30]	1	/*
[169]	2	* Copyright (C) 2005-2010 Timothy D. Morgan
[30]	3	* Copyright (C) 2005 Gerald (Jerry) Carter
	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of the GNU General Public License as published by
[111]	7	* the Free Software Foundation; version 3 of the License.
[30]	8	*
	9	* This program is distributed in the hope that it will be useful,
	10	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	* GNU General Public License for more details.
	13	*
	14	* You should have received a copy of the GNU General Public License
	15	* along with this program; if not, write to the Free Software
[161]	16	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
[30]	17	*
	18	* $Id: regfi.c 215 2011-03-28 01:46:11Z tim $
	19	*/
	20
[169]	21	/**
	22	* @file
	23	*
	24	* Windows NT (and later) read-only registry library
	25	*
	26	* See @ref regfi.h for more information.
	27	*
	28	* Branched from Samba project Subversion repository, version #7470:
	29	* http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/registry/regfio.c?rev=7470&view=auto
	30	*
	31	* Since then, it has been heavily rewritten, simplified, and improved.
	32	*/
[168]	33
[147]	34	#include "regfi.h"
[30]	35
	36
[32]	37	/* Registry types mapping */
[78]	38	const unsigned int regfi_num_reg_types = 12;
	39	static const char* regfi_type_names[] =
[65]	40	{"NONE", "SZ", "EXPAND_SZ", "BINARY", "DWORD", "DWORD_BE", "LINK",
[72]	41	"MULTI_SZ", "RSRC_LIST", "RSRC_DESC", "RSRC_REQ_LIST", "QWORD"};
[30]	42
[161]	43	const char* regfi_encoding_names[] =
	44	{"US-ASCII//TRANSLIT", "UTF-8//TRANSLIT", "UTF-16LE//TRANSLIT"};
[32]	45
[135]	46
[185]	47	/* Ensures regfi_init runs only once */
	48	static pthread_once_t regfi_init_once = PTHREAD_ONCE_INIT;
[182]	49
[185]	50
	51
[135]	52	/******************************************************************************
	53	******************************************************************************/
[185]	54	void regfi_log_free(void* ptr)
[135]	55	{
[185]	56	REGFI_LOG* log_info = (REGFI_LOG*)ptr;
	57
	58	if(log_info->messages != NULL)
	59	free(log_info->messages);
	60
	61	talloc_free(log_info);
	62	}
	63
	64
	65	/******************************************************************************
	66	******************************************************************************/
	67	void regfi_init()
	68	{
	69	int err;
	70	if((err = pthread_key_create(&regfi_log_key, regfi_log_free)) != 0)
	71	fprintf(stderr, "ERROR: key_create: %s\n", strerror(err));
	72	errno = err;
	73	}
	74
	75
	76	/******************************************************************************
	77	******************************************************************************/
	78	REGFI_LOG* regfi_log_new()
	79	{
	80	int err;
[182]	81	REGFI_LOG* log_info = talloc(NULL, REGFI_LOG);
	82	if(log_info == NULL)
[185]	83	return NULL;
[182]	84
[185]	85	log_info->msg_mask = REGFI_DEFAULT_LOG_MASK;
[182]	86	log_info->messages = NULL;
	87
[185]	88	pthread_once(&regfi_init_once, regfi_init);
[182]	89
[185]	90	if((err = pthread_setspecific(regfi_log_key, log_info)) != 0)
[182]	91	{
[185]	92	fprintf(stderr, "ERROR: setspecific: %s\n", strerror(err));
[182]	93	goto fail;
	94	}
	95
[185]	96	return log_info;
[182]	97
	98	fail:
	99	talloc_free(log_info);
[185]	100	errno = err;
	101	return NULL;
[182]	102	}
	103
	104
	105	/******************************************************************************
	106	******************************************************************************/
	107	void regfi_log_add(uint16_t msg_type, const char* fmt, ...)
	108	{
	109	/* XXX: Switch internal storage over to a linked list or stack.
	110	* Then add a regfi_log_get function that returns the list in some
	111	* convenient, user-friendly data structure. regfi_log_get_str should
	112	* stick around and will simply smush the list into a big string when
	113	* it's called, rather than having messages smushed when they're first
	114	* written to the log.
[135]	115	*/
[168]	116	uint32_t buf_size, buf_used;
[136]	117	char* new_msg;
[182]	118	REGFI_LOG* log_info;
[136]	119	va_list args;
[135]	120
[185]	121	log_info = (REGFI_LOG*)pthread_getspecific(regfi_log_key);
	122	if(log_info == NULL && (log_info = regfi_log_new()) == NULL)
[182]	123	return;
	124
[185]	125	if((log_info->msg_mask & msg_type) == 0)
	126	return;
	127
[182]	128	if(log_info->messages == NULL)
	129	buf_used = 0;
	130	else
	131	buf_used = strlen(log_info->messages);
	132
	133	buf_size = buf_used+strlen(fmt)+160;
	134	new_msg = realloc(log_info->messages, buf_size);
	135	if(new_msg == NULL)
	136	/* XXX: should we report this? */
	137	return;
	138
	139	switch (msg_type)
[138]	140	{
[182]	141	case REGFI_LOG_INFO:
	142	strcpy(new_msg+buf_used, "INFO: ");
	143	buf_used += 6;
	144	break;
	145	case REGFI_LOG_WARN:
	146	strcpy(new_msg+buf_used, "WARN: ");
	147	buf_used += 6;
	148	break;
	149	case REGFI_LOG_ERROR:
	150	strcpy(new_msg+buf_used, "ERROR: ");
	151	buf_used += 7;
	152	break;
[138]	153	}
[182]	154
	155	va_start(args, fmt);
	156	vsnprintf(new_msg+buf_used, buf_size-buf_used, fmt, args);
	157	va_end(args);
	158	strncat(new_msg, "\n", buf_size-1);
	159
	160	log_info->messages = new_msg;
[135]	161	}
	162
	163
	164	/******************************************************************************
	165	******************************************************************************/
[182]	166	char* regfi_log_get_str()
[135]	167	{
[182]	168	char* ret_val;
[185]	169	REGFI_LOG* log_info = (REGFI_LOG*)pthread_getspecific(regfi_log_key);
	170	if(log_info == NULL && (log_info = regfi_log_new()) == NULL)
[182]	171	return NULL;
[185]	172
[182]	173	ret_val = log_info->messages;
	174	log_info->messages = NULL;
	175
[135]	176	return ret_val;
	177	}
	178
	179
[182]	180	/******************************************************************************
	181	******************************************************************************/
[185]	182	bool regfi_log_set_mask(uint16_t msg_mask)
[138]	183	{
[185]	184	REGFI_LOG* log_info = (REGFI_LOG*)pthread_getspecific(regfi_log_key);
	185	if(log_info == NULL && (log_info = regfi_log_new()) == NULL)
	186	{
	187	return false;
	188	}
[182]	189
	190	log_info->msg_mask = msg_mask;
[185]	191	return true;
[138]	192	}
	193
	194
[161]	195	/******************************************************************************
	196	* Returns NULL for an invalid e
	197	*****************************************************************************/
	198	static const char* regfi_encoding_int2str(REGFI_ENCODING e)
	199	{
	200	if(e < REGFI_NUM_ENCODINGS)
	201	return regfi_encoding_names[e];
	202
	203	return NULL;
	204	}
	205
	206
	207	/******************************************************************************
	208	* Returns NULL for an invalid val
	209	*****************************************************************************/
[78]	210	const char* regfi_type_val2str(unsigned int val)
[32]	211	{
[61]	212	if(val == REG_KEY)
	213	return "KEY";
	214
[78]	215	if(val >= regfi_num_reg_types)
[61]	216	return NULL;
	217
[78]	218	return regfi_type_names[val];
[32]	219	}
	220
	221
[161]	222	/******************************************************************************
	223	* Returns -1 on error
	224	*****************************************************************************/
[78]	225	int regfi_type_str2val(const char* str)
[32]	226	{
	227	int i;
	228
[61]	229	if(strcmp("KEY", str) == 0)
	230	return REG_KEY;
[32]	231
[78]	232	for(i=0; i < regfi_num_reg_types; i++)
	233	if (strcmp(regfi_type_names[i], str) == 0)
[61]	234	return i;
	235
	236	if(strcmp("DWORD_LE", str) == 0)
	237	return REG_DWORD_LE;
	238
	239	return -1;
[32]	240	}
	241
	242
[135]	243	/* Security descriptor formatting functions */
[53]	244
[168]	245	const char* regfi_ace_type2str(uint8_t type)
[53]	246	{
	247	static const char* map[7]
	248	= {"ALLOW", "DENY", "AUDIT", "ALARM",
	249	"ALLOW CPD", "OBJ ALLOW", "OBJ DENY"};
	250	if(type < 7)
	251	return map[type];
	252	else
	253	/* XXX: would be nice to return the unknown integer value.
	254	* However, as it is a const string, it can't be free()ed later on,
	255	* so that would need to change.
	256	*/
	257	return "UNKNOWN";
	258	}
	259
	260
[76]	261	/* XXX: need a better reference on the meaning of each flag. */
	262	/* For more info, see:
	263	* http://msdn2.microsoft.com/en-us/library/aa772242.aspx
	264	*/
[168]	265	char* regfi_ace_flags2str(uint8_t flags)
[53]	266	{
[76]	267	static const char* flag_map[32] =
[87]	268	{ "OI", /* Object Inherit */
	269	"CI", /* Container Inherit */
	270	"NP", /* Non-Propagate */
	271	"IO", /* Inherit Only */
	272	"IA", /* Inherited ACE */
[76]	273	NULL,
	274	NULL,
	275	NULL,
	276	};
[53]	277
[76]	278	char* ret_val = malloc(35*sizeof(char));
	279	char* fo = ret_val;
[168]	280	uint32_t i;
	281	uint8_t f;
[76]	282
	283	if(ret_val == NULL)
[53]	284	return NULL;
	285
[76]	286	fo[0] = '\0';
[53]	287	if (!flags)
[76]	288	return ret_val;
[53]	289
[76]	290	for(i=0; i < 8; i++)
	291	{
	292	f = (1<<i);
	293	if((flags & f) && (flag_map[i] != NULL))
	294	{
	295	strcpy(fo, flag_map[i]);
	296	fo += strlen(flag_map[i]);
	297	*(fo++) = ' ';
	298	flags ^= f;
	299	}
[53]	300	}
[76]	301
	302	/* Any remaining unknown flags are added at the end in hex. */
	303	if(flags != 0)
	304	sprintf(fo, "0x%.2X ", flags);
	305
	306	/* Chop off the last space if we've written anything to ret_val */
	307	if(fo != ret_val)
	308	fo[-1] = '\0';
	309
	310	return ret_val;
[53]	311	}
	312
	313
[168]	314	char* regfi_ace_perms2str(uint32_t perms)
[53]	315	{
[168]	316	uint32_t i, p;
[76]	317	/* This is more than is needed by a fair margin. */
	318	char* ret_val = malloc(350*sizeof(char));
	319	char* r = ret_val;
	320
	321	/* Each represents one of 32 permissions bits. NULL is for undefined/reserved bits.
	322	* For more information, see:
	323	* http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
	324	* http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
	325	*/
	326	static const char* perm_map[32] =
	327	{/* object-specific permissions (registry keys, in this case) */
	328	"QRY_VAL", /* KEY_QUERY_VALUE */
	329	"SET_VAL", /* KEY_SET_VALUE */
	330	"CREATE_KEY", /* KEY_CREATE_SUB_KEY */
	331	"ENUM_KEYS", /* KEY_ENUMERATE_SUB_KEYS */
	332	"NOTIFY", /* KEY_NOTIFY */
	333	"CREATE_LNK", /* KEY_CREATE_LINK - Reserved for system use. */
	334	NULL,
	335	NULL,
	336	"WOW64_64", /* KEY_WOW64_64KEY */
	337	"WOW64_32", /* KEY_WOW64_32KEY */
	338	NULL,
	339	NULL,
	340	NULL,
	341	NULL,
	342	NULL,
	343	NULL,
	344	/* standard access rights */
	345	"DELETE", /* DELETE */
	346	"R_CONT", /* READ_CONTROL */
	347	"W_DAC", /* WRITE_DAC */
	348	"W_OWNER", /* WRITE_OWNER */
	349	"SYNC", /* SYNCHRONIZE - Shouldn't be set in registries */
	350	NULL,
	351	NULL,
	352	NULL,
	353	/* other generic */
	354	"SYS_SEC", /* ACCESS_SYSTEM_SECURITY */
	355	"MAX_ALLWD", /* MAXIMUM_ALLOWED */
	356	NULL,
	357	NULL,
	358	"GEN_A", /* GENERIC_ALL */
	359	"GEN_X", /* GENERIC_EXECUTE */
	360	"GEN_W", /* GENERIC_WRITE */
	361	"GEN_R", /* GENERIC_READ */
	362	};
	363
	364
[53]	365	if(ret_val == NULL)
	366	return NULL;
	367
[76]	368	r[0] = '\0';
	369	for(i=0; i < 32; i++)
	370	{
	371	p = (1<<i);
	372	if((perms & p) && (perm_map[i] != NULL))
	373	{
	374	strcpy(r, perm_map[i]);
	375	r += strlen(perm_map[i]);
	376	*(r++) = ' ';
	377	perms ^= p;
	378	}
	379	}
	380
	381	/* Any remaining unknown permission bits are added at the end in hex. */
	382	if(perms != 0)
	383	sprintf(r, "0x%.8X ", perms);
[53]	384
[76]	385	/* Chop off the last space if we've written anything to ret_val */
	386	if(r != ret_val)
	387	r[-1] = '\0';
	388
[53]	389	return ret_val;
	390	}
	391
	392
[134]	393	char* regfi_sid2str(WINSEC_DOM_SID* sid)
[53]	394	{
[168]	395	uint32_t i, size = WINSEC_MAX_SUBAUTHS*11 + 24;
	396	uint32_t left = size;
	397	uint8_t comps = sid->num_auths;
[53]	398	char* ret_val = malloc(size);
	399
	400	if(ret_val == NULL)
	401	return NULL;
	402
[134]	403	if(comps > WINSEC_MAX_SUBAUTHS)
	404	comps = WINSEC_MAX_SUBAUTHS;
[53]	405
	406	left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]);
	407
	408	for (i = 0; i < comps; i++)
	409	left -= snprintf(ret_val+(size-left), left, "-%u", sid->sub_auths[i]);
	410
	411	return ret_val;
	412	}
	413
	414
[134]	415	char* regfi_get_acl(WINSEC_ACL* acl)
[53]	416	{
[168]	417	uint32_t i, extra, size = 0;
[53]	418	const char* type_str;
	419	char* flags_str;
	420	char* perms_str;
	421	char* sid_str;
[61]	422	char* ace_delim = "";
[53]	423	char* ret_val = NULL;
[61]	424	char* tmp_val = NULL;
	425	bool failed = false;
[53]	426	char field_delim = ':';
	427
[61]	428	for (i = 0; i < acl->num_aces && !failed; i++)
[53]	429	{
[134]	430	sid_str = regfi_sid2str(acl->aces[i]->trustee);
	431	type_str = regfi_ace_type2str(acl->aces[i]->type);
	432	perms_str = regfi_ace_perms2str(acl->aces[i]->access_mask);
	433	flags_str = regfi_ace_flags2str(acl->aces[i]->flags);
[53]	434
[61]	435	if(flags_str != NULL && perms_str != NULL
	436	&& type_str != NULL && sid_str != NULL)
	437	{
	438	/* XXX: this is slow */
	439	extra = strlen(sid_str) + strlen(type_str)
[136]	440	+ strlen(perms_str) + strlen(flags_str) + 5;
[61]	441	tmp_val = realloc(ret_val, size+extra);
[53]	442
[61]	443	if(tmp_val == NULL)
	444	{
	445	free(ret_val);
[136]	446	ret_val = NULL;
[61]	447	failed = true;
	448	}
	449	else
	450	{
	451	ret_val = tmp_val;
[148]	452	size += sprintf(ret_val+size, "%s%s%c%s%c%s%c%s",
	453	ace_delim,sid_str,
	454	field_delim,type_str,
	455	field_delim,perms_str,
	456	field_delim,flags_str);
[61]	457	ace_delim = "\|";
	458	}
	459	}
	460	else
	461	failed = true;
	462
	463	if(sid_str != NULL)
	464	free(sid_str);
	465	if(sid_str != NULL)
	466	free(perms_str);
	467	if(sid_str != NULL)
	468	free(flags_str);
[53]	469	}
	470
	471	return ret_val;
	472	}
	473
	474
[134]	475	char* regfi_get_sacl(WINSEC_DESC *sec_desc)
[53]	476	{
	477	if (sec_desc->sacl)
[78]	478	return regfi_get_acl(sec_desc->sacl);
[53]	479	else
	480	return NULL;
	481	}
	482
	483
[134]	484	char* regfi_get_dacl(WINSEC_DESC *sec_desc)
[53]	485	{
	486	if (sec_desc->dacl)
[78]	487	return regfi_get_acl(sec_desc->dacl);
[53]	488	else
	489	return NULL;
	490	}
	491
	492
[134]	493	char* regfi_get_owner(WINSEC_DESC *sec_desc)
[53]	494	{
[78]	495	return regfi_sid2str(sec_desc->owner_sid);
[53]	496	}
	497
	498
[134]	499	char* regfi_get_group(WINSEC_DESC *sec_desc)
[53]	500	{
[78]	501	return regfi_sid2str(sec_desc->grp_sid);
[53]	502	}
	503
	504
[180]	505	bool regfi_read_lock(REGFI_FILE* file, pthread_rwlock_t* lock, const char* context)
	506	{
	507	int lock_ret = pthread_rwlock_rdlock(lock);
	508	if(lock_ret != 0)
	509	{
[182]	510	regfi_log_add(REGFI_LOG_ERROR, "Error obtaining read lock in"
[180]	511	"%s due to: %s\n", context, strerror(lock_ret));
	512	return false;
	513	}
	514
	515	return true;
	516	}
	517
	518
	519	bool regfi_write_lock(REGFI_FILE* file, pthread_rwlock_t* lock, const char* context)
	520	{
	521	int lock_ret = pthread_rwlock_wrlock(lock);
	522	if(lock_ret != 0)
	523	{
[182]	524	regfi_log_add(REGFI_LOG_ERROR, "Error obtaining write lock in"
[180]	525	"%s due to: %s\n", context, strerror(lock_ret));
	526	return false;
	527	}
	528
	529	return true;
	530	}
	531
	532
	533	bool regfi_rw_unlock(REGFI_FILE* file, pthread_rwlock_t* lock, const char* context)
	534	{
	535	int lock_ret = pthread_rwlock_unlock(lock);
	536	if(lock_ret != 0)
	537	{
[182]	538	regfi_log_add(REGFI_LOG_ERROR, "Error releasing lock in"
[180]	539	"%s due to: %s\n", context, strerror(lock_ret));
	540	return false;
	541	}
	542
	543	return true;
	544	}
	545
	546
	547	bool regfi_lock(REGFI_FILE* file, pthread_mutex_t* lock, const char* context)
	548	{
	549	int lock_ret = pthread_mutex_lock(lock);
	550	if(lock_ret != 0)
	551	{
[182]	552	regfi_log_add(REGFI_LOG_ERROR, "Error obtaining mutex lock in"
[180]	553	"%s due to: %s\n", context, strerror(lock_ret));
	554	return false;
	555	}
	556
	557	return true;
	558	}
	559
	560
	561	bool regfi_unlock(REGFI_FILE* file, pthread_mutex_t* lock, const char* context)
	562	{
	563	int lock_ret = pthread_mutex_unlock(lock);
	564	if(lock_ret != 0)
	565	{
[182]	566	regfi_log_add(REGFI_LOG_ERROR, "Error releasing mutex lock in"
[180]	567	"%s due to: %s\n", context, strerror(lock_ret));
	568	return false;
	569	}
	570
	571	return true;
	572	}
	573
	574
[178]	575	off_t regfi_raw_seek(REGFI_RAW_FILE* self, off_t offset, int whence)
	576	{
	577	return lseek((int)self->state, offset, whence);
	578	}
	579
	580	ssize_t regfi_raw_read(REGFI_RAW_FILE* self, void* buf, size_t count)
	581	{
	582	return read((int)self->state, buf, count);
	583	}
	584
	585
[101]	586	/*****************************************************************************
[178]	587	* Convenience function to wrap up the ugly callback stuff
	588	*****************************************************************************/
	589	off_t regfi_seek(REGFI_RAW_FILE* file_cb, off_t offset, int whence)
	590	{
	591	return file_cb->seek(file_cb, offset, whence);
	592	}
	593
	594
	595	/*****************************************************************************
[101]	596	* This function is just like read(2), except that it continues to
	597	* re-try reading from the file descriptor if EINTR or EAGAIN is received.
[178]	598	* regfi_read will attempt to read length bytes from the file and write them to
	599	* buf.
[101]	600	*
	601	* On success, 0 is returned. Upon failure, an errno code is returned.
	602	*
	603	* The number of bytes successfully read is returned through the length
	604	* parameter by reference. If both the return value and length parameter are
	605	* returned as 0, then EOF was encountered immediately
	606	*****************************************************************************/
[178]	607	uint32_t regfi_read(REGFI_RAW_FILE* file_cb, uint8_t* buf, uint32_t* length)
[101]	608	{
[168]	609	uint32_t rsize = 0;
	610	uint32_t rret = 0;
[101]	611
	612	do
	613	{
[178]	614	rret = file_cb->read(file_cb, buf + rsize, *length - rsize);
[101]	615	if(rret > 0)
	616	rsize += rret;
	617	}while(*length - rsize > 0
	618	&& (rret > 0 \|\| (rret == -1 && (errno == EAGAIN \|\| errno == EINTR))));
	619
	620	*length = rsize;
	621	if (rret == -1 && errno != EINTR && errno != EAGAIN)
	622	return errno;
	623
	624	return 0;
	625	}
	626
	627
	628	/*****************************************************************************
	629	*
	630	*****************************************************************************/
[178]	631	bool regfi_parse_cell(REGFI_RAW_FILE* file_cb, uint32_t offset, uint8_t* hdr,
	632	uint32_t hdr_len, uint32_t* cell_length, bool* unalloc)
[101]	633	{
[168]	634	uint32_t length;
	635	int32_t raw_length;
	636	uint8_t tmp[4];
[101]	637
[178]	638	if(regfi_seek(file_cb, offset, SEEK_SET) == -1)
[101]	639	return false;
	640
	641	length = 4;
[178]	642	if((regfi_read(file_cb, tmp, &length) != 0) \|\| length != 4)
[101]	643	return false;
	644	raw_length = IVALS(tmp, 0);
	645
	646	if(raw_length < 0)
	647	{
	648	(cell_length) = raw_length(-1);
	649	(*unalloc) = false;
	650	}
	651	else
	652	{
	653	(*cell_length) = raw_length;
	654	(*unalloc) = true;
	655	}
	656
[103]	657	if(*cell_length - 4 < hdr_len)
	658	return false;
	659
	660	if(hdr_len > 0)
	661	{
	662	length = hdr_len;
[178]	663	if((regfi_read(file_cb, hdr, &length) != 0) \|\| length != hdr_len)
[103]	664	return false;
	665	}
	666
[101]	667	return true;
	668	}
	669
	670
[157]	671	/******************************************************************************
[106]	672	* Given an offset and an hbin, is the offset within that hbin?
	673	* The offset is a virtual file offset.
[157]	674	******************************************************************************/
[168]	675	static bool regfi_offset_in_hbin(const REGFI_HBIN* hbin, uint32_t voffset)
[30]	676	{
[106]	677	if(!hbin)
[31]	678	return false;
[106]	679
[145]	680	if((voffset > hbin->first_hbin_off)
	681	&& (voffset < (hbin->first_hbin_off + hbin->block_size)))
[31]	682	return true;
[30]	683
[31]	684	return false;
[30]	685	}
	686
	687
[106]	688
[157]	689	/******************************************************************************
	690	* Provide a physical offset and receive the correpsonding HBIN
[106]	691	* block for it. NULL if one doesn't exist.
[157]	692	******************************************************************************/
[168]	693	const REGFI_HBIN* regfi_lookup_hbin(REGFI_FILE* file, uint32_t offset)
[30]	694	{
[157]	695	return (const REGFI_HBIN*)range_list_find_data(file->hbins, offset);
[30]	696	}
	697
	698
[157]	699	/******************************************************************************
	700	* Calculate the largest possible cell size given a physical offset.
	701	* Largest size is based on the HBIN the offset is currently a member of.
	702	* Returns negative values on error.
	703	* (Since cells can only be ~2^31 in size, this works out.)
	704	******************************************************************************/
[168]	705	int32_t regfi_calc_maxsize(REGFI_FILE* file, uint32_t offset)
[157]	706	{
	707	const REGFI_HBIN* hbin = regfi_lookup_hbin(file, offset);
	708	if(hbin == NULL)
	709	return -1;
[139]	710
[157]	711	return (hbin->block_size + hbin->file_off) - offset;
	712	}
	713
	714
[139]	715	/******************************************************************************
	716	******************************************************************************/
[168]	717	REGFI_SUBKEY_LIST* regfi_load_subkeylist(REGFI_FILE* file, uint32_t offset,
	718	uint32_t num_keys, uint32_t max_size,
[139]	719	bool strict)
[127]	720	{
[135]	721	REGFI_SUBKEY_LIST* ret_val;
[134]	722
[139]	723	ret_val = regfi_load_subkeylist_aux(file, offset, max_size, strict,
	724	REGFI_MAX_SUBKEY_DEPTH);
[143]	725	if(ret_val == NULL)
	726	{
[182]	727	regfi_log_add(REGFI_LOG_WARN, "Failed to load subkey list at"
[143]	728	" offset 0x%.8X.", offset);
	729	return NULL;
	730	}
[139]	731
	732	if(num_keys != ret_val->num_keys)
	733	{
	734	/* Not sure which should be authoritative, the number from the
	735	* NK record, or the number in the subkey list. Just emit a warning for
	736	* now if they don't match.
	737	*/
[182]	738	regfi_log_add(REGFI_LOG_WARN, "Number of subkeys listed in parent"
[139]	739	" (%d) did not match number found in subkey list/tree (%d)"
	740	" while parsing subkey list/tree at offset 0x%.8X.",
	741	num_keys, ret_val->num_keys, offset);
	742	}
	743
	744	return ret_val;
	745	}
	746
	747
	748	/******************************************************************************
	749	******************************************************************************/
[168]	750	REGFI_SUBKEY_LIST* regfi_load_subkeylist_aux(REGFI_FILE* file, uint32_t offset,
	751	uint32_t max_size, bool strict,
	752	uint8_t depth_left)
[139]	753	{
	754	REGFI_SUBKEY_LIST* ret_val;
	755	REGFI_SUBKEY_LIST** sublists;
[168]	756	uint32_t i, num_sublists, off;
	757	int32_t sublist_maxsize;
[139]	758
	759	if(depth_left == 0)
	760	{
[182]	761	regfi_log_add(REGFI_LOG_WARN, "Maximum depth reached"
[139]	762	" while parsing subkey list/tree at offset 0x%.8X.",
	763	offset);
[127]	764	return NULL;
[139]	765	}
[134]	766
[139]	767	ret_val = regfi_parse_subkeylist(file, offset, max_size, strict);
[134]	768	if(ret_val == NULL)
	769	return NULL;
[139]	770
	771	if(ret_val->recursive_type)
[127]	772	{
[139]	773	num_sublists = ret_val->num_children;
[150]	774	sublists = (REGFI_SUBKEY_LIST**)malloc(num_sublists
[139]	775	* sizeof(REGFI_SUBKEY_LIST*));
	776	for(i=0; i < num_sublists; i++)
[127]	777	{
[139]	778	off = ret_val->elements[i].offset + REGFI_REGF_SIZE;
[157]	779
	780	sublist_maxsize = regfi_calc_maxsize(file, off);
	781	if(sublist_maxsize < 0)
[139]	782	sublists[i] = NULL;
	783	else
[157]	784	sublists[i] = regfi_load_subkeylist_aux(file, off, sublist_maxsize,
	785	strict, depth_left-1);
[127]	786	}
[150]	787	talloc_free(ret_val);
[134]	788
[139]	789	return regfi_merge_subkeylists(num_sublists, sublists, strict);
[127]	790	}
[30]	791
[127]	792	return ret_val;
	793	}
	794
	795
[139]	796	/******************************************************************************
	797	******************************************************************************/
[168]	798	REGFI_SUBKEY_LIST* regfi_parse_subkeylist(REGFI_FILE* file, uint32_t offset,
	799	uint32_t max_size, bool strict)
[30]	800	{
[135]	801	REGFI_SUBKEY_LIST* ret_val;
[168]	802	uint32_t i, cell_length, length, elem_size, read_len;
	803	uint8_t* elements = NULL;
	804	uint8_t buf[REGFI_SUBKEY_LIST_MIN_LEN];
[104]	805	bool unalloc;
[139]	806	bool recursive_type;
[30]	807
[186]	808	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_subkeylist"))
[180]	809	goto fail;
	810
[178]	811	if(!regfi_parse_cell(file->cb, offset, buf, REGFI_SUBKEY_LIST_MIN_LEN,
[104]	812	&cell_length, &unalloc))
[139]	813	{
[182]	814	regfi_log_add(REGFI_LOG_WARN, "Could not parse cell while "
[139]	815	"parsing subkey-list at offset 0x%.8X.", offset);
[180]	816	goto fail_locked;
[139]	817	}
[30]	818
[116]	819	if(cell_length > max_size)
	820	{
[182]	821	regfi_log_add(REGFI_LOG_WARN, "Cell size longer than max_size"
[139]	822	" while parsing subkey-list at offset 0x%.8X.", offset);
[116]	823	if(strict)
[180]	824	goto fail_locked;
[116]	825	cell_length = max_size & 0xFFFFFFF8;
	826	}
[30]	827
[139]	828	recursive_type = false;
[127]	829	if(buf[0] == 'r' && buf[1] == 'i')
[104]	830	{
[139]	831	recursive_type = true;
[168]	832	elem_size = sizeof(uint32_t);
[104]	833	}
[139]	834	else if(buf[0] == 'l' && buf[1] == 'i')
[203]	835	{
[168]	836	elem_size = sizeof(uint32_t);
[203]	837	}
[134]	838	else if((buf[0] == 'l') && (buf[1] == 'f' \|\| buf[1] == 'h'))
[135]	839	elem_size = sizeof(REGFI_SUBKEY_LIST_ELEM);
[134]	840	else
	841	{
[182]	842	regfi_log_add(REGFI_LOG_ERROR, "Unknown magic number"
[139]	843	" (0x%.2X, 0x%.2X) encountered while parsing"
	844	" subkey-list at offset 0x%.8X.", buf[0], buf[1], offset);
[180]	845	goto fail_locked;
[134]	846	}
	847
[150]	848	ret_val = talloc(NULL, REGFI_SUBKEY_LIST);
[127]	849	if(ret_val == NULL)
[180]	850	goto fail_locked;
[127]	851
	852	ret_val->offset = offset;
	853	ret_val->cell_size = cell_length;
[104]	854	ret_val->magic[0] = buf[0];
	855	ret_val->magic[1] = buf[1];
[139]	856	ret_val->recursive_type = recursive_type;
	857	ret_val->num_children = SVAL(buf, 0x2);
[101]	858
[139]	859	if(!recursive_type)
	860	ret_val->num_keys = ret_val->num_children;
[101]	861
[139]	862	length = elem_size*ret_val->num_children;
[168]	863	if(cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32_t) < length)
[134]	864	{
[182]	865	regfi_log_add(REGFI_LOG_WARN, "Number of elements too large for"
[139]	866	" cell while parsing subkey-list at offset 0x%.8X.",
	867	offset);
	868	if(strict)
[180]	869	goto fail_locked;
[168]	870	length = cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32_t);
[134]	871	}
[30]	872
[150]	873	ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM,
	874	ret_val->num_children);
[127]	875	if(ret_val->elements == NULL)
[180]	876	goto fail_locked;
[30]	877
[168]	878	elements = (uint8_t*)malloc(length);
[139]	879	if(elements == NULL)
[180]	880	goto fail_locked;
[30]	881
[150]	882	read_len = length;
[178]	883	if(regfi_read(file->cb, elements, &read_len) != 0 \|\| read_len!=length)
[180]	884	goto fail_locked;
[30]	885
[186]	886	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_subkeylist"))
[180]	887	goto fail;
	888
[168]	889	if(elem_size == sizeof(uint32_t))
[104]	890	{
[139]	891	for (i=0; i < ret_val->num_children; i++)
[134]	892	{
[139]	893	ret_val->elements[i].offset = IVAL(elements, i*elem_size);
[134]	894	ret_val->elements[i].hash = 0;
	895	}
[104]	896	}
[134]	897	else
	898	{
[139]	899	for (i=0; i < ret_val->num_children; i++)
[134]	900	{
[139]	901	ret_val->elements[i].offset = IVAL(elements, i*elem_size);
	902	ret_val->elements[i].hash = IVAL(elements, i*elem_size+4);
[134]	903	}
	904	}
[139]	905	free(elements);
[30]	906
[104]	907	return ret_val;
[150]	908
[180]	909	fail_locked:
[186]	910	regfi_unlock(file, &file->cb_lock, "regfi_parse_subkeylist");
[150]	911	fail:
	912	if(elements != NULL)
	913	free(elements);
	914	talloc_free(ret_val);
	915	return NULL;
[30]	916	}
	917
	918
[139]	919	/*******************************************************************
	920	*******************************************************************/
[168]	921	REGFI_SUBKEY_LIST* regfi_merge_subkeylists(uint16_t num_lists,
[139]	922	REGFI_SUBKEY_LIST** lists,
	923	bool strict)
	924	{
[168]	925	uint32_t i,j,k;
[139]	926	REGFI_SUBKEY_LIST* ret_val;
[102]	927
[139]	928	if(lists == NULL)
	929	return NULL;
[150]	930	ret_val = talloc(NULL, REGFI_SUBKEY_LIST);
[139]	931
	932	if(ret_val == NULL)
	933	return NULL;
	934
	935	/* Obtain total number of elements */
	936	ret_val->num_keys = 0;
	937	for(i=0; i < num_lists; i++)
	938	{
	939	if(lists[i] != NULL)
	940	ret_val->num_keys += lists[i]->num_children;
	941	}
	942	ret_val->num_children = ret_val->num_keys;
	943
	944	if(ret_val->num_keys > 0)
	945	{
[150]	946	ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM,
	947	ret_val->num_keys);
[139]	948	k=0;
	949
	950	if(ret_val->elements != NULL)
	951	{
	952	for(i=0; i < num_lists; i++)
	953	{
	954	if(lists[i] != NULL)
	955	{
	956	for(j=0; j < lists[i]->num_keys; j++)
	957	{
[150]	958	ret_val->elements[k].hash = lists[i]->elements[j].hash;
	959	ret_val->elements[k++].offset = lists[i]->elements[j].offset;
[139]	960	}
	961	}
	962	}
	963	}
	964	}
	965
	966	for(i=0; i < num_lists; i++)
[184]	967	talloc_free(lists[i]);
[139]	968	free(lists);
	969
	970	return ret_val;
	971	}
	972
	973
[147]	974	/******************************************************************************
	975	*
	976	******************************************************************************/
[203]	977	REGFI_SK* regfi_parse_sk(REGFI_FILE* file, uint32_t offset, uint32_t max_size,
[147]	978	bool strict)
[30]	979	{
[203]	980	REGFI_SK* ret_val = NULL;
[168]	981	uint8_t* sec_desc_buf = NULL;
	982	uint32_t cell_length, length;
	983	uint8_t sk_header[REGFI_SK_MIN_LENGTH];
[102]	984	bool unalloc = false;
[30]	985
[186]	986	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_sk"))
[180]	987	goto fail;
	988
[178]	989	if(!regfi_parse_cell(file->cb, offset, sk_header, REGFI_SK_MIN_LENGTH,
[102]	990	&cell_length, &unalloc))
[137]	991	{
[182]	992	regfi_log_add(REGFI_LOG_WARN, "Could not parse SK record cell"
[137]	993	" at offset 0x%.8X.", offset);
[180]	994	goto fail_locked;
[137]	995	}
[102]	996
	997	if(sk_header[0] != 's' \|\| sk_header[1] != 'k')
[137]	998	{
[182]	999	regfi_log_add(REGFI_LOG_WARN, "Magic number mismatch in parsing"
[138]	1000	" SK record at offset 0x%.8X.", offset);
[180]	1001	goto fail_locked;
[137]	1002	}
	1003
[203]	1004	ret_val = talloc(NULL, REGFI_SK);
[102]	1005	if(ret_val == NULL)
[180]	1006	goto fail_locked;
[30]	1007
[102]	1008	ret_val->offset = offset;
[116]	1009	/* XXX: Is there a way to be more conservative (shorter) with
	1010	* cell length when cell is unallocated?
[111]	1011	*/
[102]	1012	ret_val->cell_size = cell_length;
[30]	1013
[102]	1014	if(ret_val->cell_size > max_size)
	1015	ret_val->cell_size = max_size & 0xFFFFFFF8;
	1016	if((ret_val->cell_size < REGFI_SK_MIN_LENGTH)
[157]	1017	\|\| (strict && (ret_val->cell_size & 0x00000007) != 0))
[102]	1018	{
[182]	1019	regfi_log_add(REGFI_LOG_WARN, "Invalid cell size found while"
[138]	1020	" parsing SK record at offset 0x%.8X.", offset);
[180]	1021	goto fail_locked;
[102]	1022	}
[30]	1023
[102]	1024	ret_val->magic[0] = sk_header[0];
	1025	ret_val->magic[1] = sk_header[1];
[30]	1026
[102]	1027	ret_val->unknown_tag = SVAL(sk_header, 0x2);
	1028	ret_val->prev_sk_off = IVAL(sk_header, 0x4);
	1029	ret_val->next_sk_off = IVAL(sk_header, 0x8);
	1030	ret_val->ref_count = IVAL(sk_header, 0xC);
	1031	ret_val->desc_size = IVAL(sk_header, 0x10);
[30]	1032
[157]	1033	if((ret_val->prev_sk_off & 0x00000007) != 0
	1034	\|\| (ret_val->next_sk_off & 0x00000007) != 0)
[140]	1035	{
[182]	1036	regfi_log_add(REGFI_LOG_WARN, "SK record's next/previous offsets"
[140]	1037	" are not a multiple of 8 while parsing SK record at"
	1038	" offset 0x%.8X.", offset);
[180]	1039	goto fail_locked;
[140]	1040	}
	1041
[102]	1042	if(ret_val->desc_size + REGFI_SK_MIN_LENGTH > ret_val->cell_size)
	1043	{
[182]	1044	regfi_log_add(REGFI_LOG_WARN, "Security descriptor too large for"
[138]	1045	" cell while parsing SK record at offset 0x%.8X.",
	1046	offset);
[180]	1047	goto fail_locked;
[102]	1048	}
[30]	1049
[168]	1050	sec_desc_buf = (uint8_t*)malloc(ret_val->desc_size);
[147]	1051	if(sec_desc_buf == NULL)
[180]	1052	goto fail_locked;
[102]	1053
[134]	1054	length = ret_val->desc_size;
[178]	1055	if(regfi_read(file->cb, sec_desc_buf, &length) != 0
[134]	1056	\|\| length != ret_val->desc_size)
	1057	{
[182]	1058	regfi_log_add(REGFI_LOG_ERROR, "Failed to read security"
[138]	1059	" descriptor while parsing SK record at offset 0x%.8X.",
	1060	offset);
[180]	1061	goto fail_locked;
[134]	1062	}
[102]	1063
[186]	1064	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_sk"))
[180]	1065	goto fail;
	1066
[147]	1067	if(!(ret_val->sec_desc = winsec_parse_desc(ret_val, sec_desc_buf,
	1068	ret_val->desc_size)))
[134]	1069	{
[182]	1070	regfi_log_add(REGFI_LOG_ERROR, "Failed to parse security"
[138]	1071	" descriptor while parsing SK record at offset 0x%.8X.",
	1072	offset);
[147]	1073	goto fail;
[134]	1074	}
[147]	1075
[134]	1076	free(sec_desc_buf);
[147]	1077	return ret_val;
[134]	1078
[180]	1079	fail_locked:
[186]	1080	regfi_unlock(file, &file->cb_lock, "regfi_parse_sk");
[147]	1081	fail:
	1082	if(sec_desc_buf != NULL)
	1083	free(sec_desc_buf);
	1084	talloc_free(ret_val);
	1085	return NULL;
[30]	1086	}
	1087
	1088
[168]	1089	REGFI_VALUE_LIST* regfi_parse_valuelist(REGFI_FILE* file, uint32_t offset,
	1090	uint32_t num_values, bool strict)
[111]	1091	{
[145]	1092	REGFI_VALUE_LIST* ret_val;
[168]	1093	uint32_t i, cell_length, length, read_len;
[111]	1094	bool unalloc;
[30]	1095
[186]	1096	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_valuelist"))
[180]	1097	goto fail;
	1098
[178]	1099	if(!regfi_parse_cell(file->cb, offset, NULL, 0, &cell_length, &unalloc))
[137]	1100	{
[182]	1101	regfi_log_add(REGFI_LOG_ERROR, "Failed to read cell header"
[137]	1102	" while parsing value list at offset 0x%.8X.", offset);
[180]	1103	goto fail_locked;
[137]	1104	}
[111]	1105
[157]	1106	if((cell_length & 0x00000007) != 0)
[111]	1107	{
[182]	1108	regfi_log_add(REGFI_LOG_WARN, "Cell length not a multiple of 8"
[145]	1109	" while parsing value list at offset 0x%.8X.", offset);
[111]	1110	if(strict)
[180]	1111	goto fail_locked;
[111]	1112	cell_length = cell_length & 0xFFFFFFF8;
	1113	}
[145]	1114
[168]	1115	if((num_values * sizeof(uint32_t)) > cell_length-sizeof(uint32_t))
[137]	1116	{
[182]	1117	regfi_log_add(REGFI_LOG_WARN, "Too many values found"
[137]	1118	" while parsing value list at offset 0x%.8X.", offset);
[145]	1119	if(strict)
[180]	1120	goto fail_locked;
[168]	1121	num_values = cell_length/sizeof(uint32_t) - sizeof(uint32_t);
[137]	1122	}
[111]	1123
[168]	1124	read_len = num_values*sizeof(uint32_t);
[150]	1125	ret_val = talloc(NULL, REGFI_VALUE_LIST);
[111]	1126	if(ret_val == NULL)
[180]	1127	goto fail_locked;
[111]	1128
[150]	1129	ret_val->elements = (REGFI_VALUE_LIST_ELEM*)talloc_size(ret_val, read_len);
[145]	1130	if(ret_val->elements == NULL)
[180]	1131	goto fail_locked;
	1132
[206]	1133	ret_val->offset = offset;
	1134	ret_val->cell_size = cell_length;
[145]	1135	ret_val->num_values = num_values;
	1136
[111]	1137	length = read_len;
[178]	1138	if((regfi_read(file->cb, (uint8_t*)ret_val->elements, &length) != 0)
[145]	1139	\|\| length != read_len)
[111]	1140	{
[182]	1141	regfi_log_add(REGFI_LOG_ERROR, "Failed to read value pointers"
[137]	1142	" while parsing value list at offset 0x%.8X.", offset);
[180]	1143	goto fail_locked;
[111]	1144	}
	1145
[186]	1146	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_valuelist"))
[180]	1147	goto fail;
	1148
[111]	1149	for(i=0; i < num_values; i++)
	1150	{
	1151	/* Fix endianness */
[145]	1152	ret_val->elements[i] = IVAL(&ret_val->elements[i], 0);
[111]	1153
	1154	/* Validate the first num_values values to ensure they make sense */
	1155	if(strict)
	1156	{
[145]	1157	/* XXX: Need to revisit this file length check when we start dealing
	1158	* with partial files. */
	1159	if((ret_val->elements[i] + REGFI_REGF_SIZE > file->file_length)
[157]	1160	\|\| ((ret_val->elements[i] & 0x00000007) != 0))
[111]	1161	{
[182]	1162	regfi_log_add(REGFI_LOG_WARN, "Invalid value pointer"
[138]	1163	" (0x%.8X) found while parsing value list at offset"
[145]	1164	" 0x%.8X.", ret_val->elements[i], offset);
[180]	1165	goto fail;
[111]	1166	}
	1167	}
	1168	}
	1169
	1170	return ret_val;
[180]	1171
	1172	fail_locked:
[186]	1173	regfi_unlock(file, &file->cb_lock, "regfi_parse_valuelist");
[180]	1174	fail:
	1175	talloc_free(ret_val);
	1176	return NULL;
[111]	1177	}
	1178
[206]	1179	/* XXX: should give this boolean return type to indicate errors */
[203]	1180	void regfi_interpret_valuename(REGFI_FILE* file, REGFI_VK* vk,
[162]	1181	REGFI_ENCODING output_encoding, bool strict)
[30]	1182	{
[165]	1183	/* XXX: Registry value names are supposedly limited to 16383 characters
	1184	* according to:
	1185	* http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
	1186	* Might want to emit a warning if this is exceeded.
	1187	* It is expected that "characters" could be variable width.
	1188	* Also, it may be useful to use this information to limit false positives
	1189	* when recovering deleted VK records.
	1190	*/
[172]	1191	int32_t tmp_size;
	1192	REGFI_ENCODING from_encoding = (vk->flags & REGFI_VK_FLAG_ASCIINAME)
[162]	1193	? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE;
[151]	1194
[162]	1195	if(from_encoding == output_encoding)
	1196	{
[206]	1197	vk->name_raw[vk->name_length] = '\0';
	1198	vk->name = (char*)vk->name_raw;
[162]	1199	}
	1200	else
	1201	{
[206]	1202	vk->name = talloc_array(vk, char, vk->name_length+1);
	1203	if(vk->name == NULL)
[172]	1204	return;
[162]	1205
	1206	tmp_size = regfi_conv_charset(regfi_encoding_int2str(from_encoding),
	1207	regfi_encoding_int2str(output_encoding),
[206]	1208	vk->name_raw, vk->name,
[172]	1209	vk->name_length, vk->name_length+1);
[162]	1210	if(tmp_size < 0)
	1211	{
[182]	1212	regfi_log_add(REGFI_LOG_WARN, "Error occurred while converting"
[206]	1213	" value name to encoding %s. Error message: %s",
[162]	1214	regfi_encoding_int2str(output_encoding),
	1215	strerror(-tmp_size));
[206]	1216	talloc_free(vk->name);
	1217	vk->name = NULL;
[162]	1218	}
	1219	}
[172]	1220	}
[162]	1221
[172]	1222
	1223	/******************************************************************************
	1224	******************************************************************************/
[203]	1225	REGFI_VK* regfi_load_value(REGFI_FILE* file, uint32_t offset,
[206]	1226	REGFI_ENCODING output_encoding, bool strict)
[172]	1227	{
[203]	1228	REGFI_VK* ret_val = NULL;
[172]	1229	int32_t max_size;
	1230
	1231	max_size = regfi_calc_maxsize(file, offset);
	1232	if(max_size < 0)
	1233	return NULL;
	1234
	1235	ret_val = regfi_parse_vk(file, offset, max_size, strict);
	1236	if(ret_val == NULL)
	1237	return NULL;
	1238
	1239	regfi_interpret_valuename(file, ret_val, output_encoding, strict);
	1240
[103]	1241	return ret_val;
[30]	1242	}
	1243
	1244
[145]	1245	/******************************************************************************
	1246	* If !strict, the list may contain NULLs, VK records may point to NULL.
	1247	******************************************************************************/
[168]	1248	REGFI_VALUE_LIST* regfi_load_valuelist(REGFI_FILE* file, uint32_t offset,
	1249	uint32_t num_values, uint32_t max_size,
[145]	1250	bool strict)
	1251	{
[168]	1252	uint32_t usable_num_values;
[30]	1253
[168]	1254	if((num_values+1) * sizeof(uint32_t) > max_size)
[145]	1255	{
[182]	1256	regfi_log_add(REGFI_LOG_WARN, "Number of values indicated by"
[145]	1257	" parent key (%d) would cause cell to straddle HBIN"
	1258	" boundary while loading value list at offset"
	1259	" 0x%.8X.", num_values, offset);
	1260	if(strict)
	1261	return NULL;
[168]	1262	usable_num_values = max_size/sizeof(uint32_t) - sizeof(uint32_t);
[145]	1263	}
	1264	else
	1265	usable_num_values = num_values;
	1266
	1267	return regfi_parse_valuelist(file, offset, usable_num_values, strict);
	1268	}
	1269
	1270
[206]	1271	/* XXX: should give this boolean return type to indicate errors */
[203]	1272	void regfi_interpret_keyname(REGFI_FILE* file, REGFI_NK* nk,
[161]	1273	REGFI_ENCODING output_encoding, bool strict)
[30]	1274	{
[165]	1275	/* XXX: Registry key names are supposedly limited to 255 characters according to:
	1276	* http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
	1277	* Might want to emit a warning if this is exceeded.
	1278	* It is expected that "characters" could be variable width.
	1279	* Also, it may be useful to use this information to limit false positives
	1280	* when recovering deleted NK records.
	1281	*/
[172]	1282	int32_t tmp_size;
	1283	REGFI_ENCODING from_encoding = (nk->flags & REGFI_NK_FLAG_ASCIINAME)
[161]	1284	? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE;
[172]	1285
[161]	1286	if(from_encoding == output_encoding)
	1287	{
[206]	1288	nk->name_raw[nk->name_length] = '\0';
	1289	nk->name = (char*)nk->name_raw;
[161]	1290	}
	1291	else
	1292	{
[206]	1293	nk->name = talloc_array(nk, char, nk->name_length+1);
	1294	if(nk->name == NULL)
[172]	1295	return;
[161]	1296
[206]	1297	memset(nk->name,0,nk->name_length+1);
	1298
[161]	1299	tmp_size = regfi_conv_charset(regfi_encoding_int2str(from_encoding),
	1300	regfi_encoding_int2str(output_encoding),
[206]	1301	nk->name_raw, nk->name,
[161]	1302	nk->name_length, nk->name_length+1);
	1303	if(tmp_size < 0)
	1304	{
[182]	1305	regfi_log_add(REGFI_LOG_WARN, "Error occurred while converting"
[206]	1306	" key name to encoding %s. Error message: %s",
[161]	1307	regfi_encoding_int2str(output_encoding),
	1308	strerror(-tmp_size));
[206]	1309	talloc_free(nk->name);
	1310	nk->name = NULL;
[161]	1311	}
	1312	}
[172]	1313	}
[161]	1314
	1315
[172]	1316	/******************************************************************************
	1317	*
	1318	******************************************************************************/
[203]	1319	REGFI_NK* regfi_load_key(REGFI_FILE* file, uint32_t offset,
[206]	1320	REGFI_ENCODING output_encoding, bool strict)
[172]	1321	{
[203]	1322	REGFI_NK* nk;
[172]	1323	uint32_t off;
	1324	int32_t max_size;
	1325
	1326	max_size = regfi_calc_maxsize(file, offset);
	1327	if (max_size < 0)
	1328	return NULL;
	1329
	1330	/* get the initial nk record */
	1331	if((nk = regfi_parse_nk(file, offset, max_size, true)) == NULL)
	1332	{
[182]	1333	regfi_log_add(REGFI_LOG_ERROR, "Could not load NK record at"
	1334	" offset 0x%.8X.", offset);
[172]	1335	return NULL;
	1336	}
	1337
	1338	regfi_interpret_keyname(file, nk, output_encoding, strict);
	1339
[146]	1340	/* get value list */
[135]	1341	if(nk->num_values && (nk->values_off!=REGFI_OFFSET_NONE))
[32]	1342	{
[157]	1343	off = nk->values_off + REGFI_REGF_SIZE;
	1344	max_size = regfi_calc_maxsize(file, off);
	1345	if(max_size < 0)
[32]	1346	{
[105]	1347	if(strict)
[32]	1348	{
[184]	1349	talloc_free(nk);
[99]	1350	return NULL;
[31]	1351	}
[105]	1352	else
	1353	nk->values = NULL;
[133]	1354
[31]	1355	}
[105]	1356	else
[103]	1357	{
[157]	1358	nk->values = regfi_load_valuelist(file, off, nk->num_values,
	1359	max_size, true);
[145]	1360	if(nk->values == NULL)
[105]	1361	{
[182]	1362	regfi_log_add(REGFI_LOG_WARN, "Could not load value list"
	1363	" for NK record at offset 0x%.8X.", offset);
[145]	1364	if(strict)
	1365	{
[184]	1366	talloc_free(nk);
[145]	1367	return NULL;
	1368	}
[105]	1369	}
[181]	1370	talloc_steal(nk, nk->values);
[103]	1371	}
[31]	1372	}
[105]	1373
[146]	1374	/* now get subkey list */
[135]	1375	if(nk->num_subkeys && (nk->subkeys_off != REGFI_OFFSET_NONE))
[32]	1376	{
[157]	1377	off = nk->subkeys_off + REGFI_REGF_SIZE;
	1378	max_size = regfi_calc_maxsize(file, off);
	1379	if(max_size < 0)
[32]	1380	{
[105]	1381	if(strict)
[32]	1382	{
[184]	1383	talloc_free(nk);
[99]	1384	return NULL;
[31]	1385	}
[105]	1386	else
	1387	nk->subkeys = NULL;
[31]	1388	}
[105]	1389	else
[104]	1390	{
[134]	1391	nk->subkeys = regfi_load_subkeylist(file, off, nk->num_subkeys,
[157]	1392	max_size, true);
[134]	1393
[105]	1394	if(nk->subkeys == NULL)
	1395	{
[182]	1396	regfi_log_add(REGFI_LOG_WARN, "Could not load subkey list"
	1397	" while parsing NK record at offset 0x%.8X.", offset);
[105]	1398	nk->num_subkeys = 0;
	1399	}
[181]	1400	talloc_steal(nk, nk->subkeys);
[104]	1401	}
[31]	1402	}
[30]	1403
[99]	1404	return nk;
[30]	1405	}
	1406
[32]	1407
[102]	1408	/******************************************************************************
	1409	******************************************************************************/
[203]	1410	const REGFI_SK* regfi_load_sk(REGFI_FILE* file, uint32_t offset, bool strict)
[146]	1411	{
[203]	1412	REGFI_SK* ret_val = NULL;
[168]	1413	int32_t max_size;
[147]	1414	void* failure_ptr = NULL;
	1415
[184]	1416	max_size = regfi_calc_maxsize(file, offset);
	1417	if(max_size < 0)
	1418	return NULL;
	1419
	1420	if(file->sk_cache == NULL)
	1421	return regfi_parse_sk(file, offset, max_size, strict);
	1422
[186]	1423	if(!regfi_lock(file, &file->sk_lock, "regfi_load_sk"))
[180]	1424	return NULL;
	1425
[146]	1426	/* First look if we have already parsed it */
[203]	1427	ret_val = (REGFI_SK*)lru_cache_find(file->sk_cache, &offset, 4);
[146]	1428
	1429	/* Bail out if we have previously cached a parse failure at this offset. */
	1430	if(ret_val == (void*)REGFI_OFFSET_NONE)
	1431	return NULL;
	1432
	1433	if(ret_val == NULL)
	1434	{
[157]	1435	ret_val = regfi_parse_sk(file, offset, max_size, strict);
[146]	1436	if(ret_val == NULL)
	1437	{ /* Cache the parse failure and bail out. */
[147]	1438	failure_ptr = talloc(NULL, uint32_t);
	1439	if(failure_ptr == NULL)
	1440	return NULL;
	1441	(uint32_t)failure_ptr = REGFI_OFFSET_NONE;
	1442	lru_cache_update(file->sk_cache, &offset, 4, failure_ptr);
[184]	1443
	1444	/* Let the cache be the only owner of this */
	1445	talloc_unlink(NULL, failure_ptr);
[146]	1446	return NULL;
	1447	}
	1448	}
	1449
[186]	1450	if(!regfi_unlock(file, &file->sk_lock, "regfi_load_sk"))
[184]	1451	{
	1452	talloc_unlink(NULL, ret_val);
[180]	1453	return NULL;
[184]	1454	}
[180]	1455
[146]	1456	return ret_val;
	1457	}
	1458
	1459
	1460
	1461	/******************************************************************************
	1462	******************************************************************************/
[203]	1463	REGFI_NK* regfi_find_root_nk(REGFI_FILE* file, const REGFI_HBIN* hbin,
[206]	1464	REGFI_ENCODING output_encoding)
[30]	1465	{
[203]	1466	REGFI_NK* nk = NULL;
[168]	1467	uint32_t cell_length;
	1468	uint32_t cur_offset = hbin->file_off+REGFI_HBIN_HEADER_SIZE;
	1469	uint32_t hbin_end = hbin->file_off+hbin->block_size;
[158]	1470	bool unalloc;
[30]	1471
[158]	1472	while(cur_offset < hbin_end)
[32]	1473	{
[180]	1474
[186]	1475	if(!regfi_lock(file, &file->cb_lock, "regfi_find_root_nk"))
[180]	1476	return NULL;
	1477
[178]	1478	if(!regfi_parse_cell(file->cb, cur_offset, NULL, 0, &cell_length, &unalloc))
[158]	1479	{
[182]	1480	regfi_log_add(REGFI_LOG_WARN, "Could not parse cell at offset"
	1481	" 0x%.8X while searching for root key.", cur_offset);
[158]	1482	return NULL;
	1483	}
[180]	1484
[186]	1485	if(!regfi_unlock(file, &file->cb_lock, "regfi_find_root_nk"))
[180]	1486	return NULL;
	1487
[158]	1488	if(!unalloc)
[102]	1489	{
[161]	1490	nk = regfi_load_key(file, cur_offset, output_encoding, true);
[102]	1491	if(nk != NULL)
	1492	{
[161]	1493	if(nk->flags & REGFI_NK_FLAG_ROOT)
[158]	1494	return nk;
[102]	1495	}
[31]	1496	}
[30]	1497
[158]	1498	cur_offset += cell_length;
[31]	1499	}
[32]	1500
[158]	1501	return NULL;
[30]	1502	}
	1503
	1504
[178]	1505
[166]	1506	/******************************************************************************
	1507	******************************************************************************/
[206]	1508	REGFI_FILE* regfi_alloc(int fd, REGFI_ENCODING output_encoding)
[30]	1509	{
[166]	1510	REGFI_FILE* ret_val;
[178]	1511	REGFI_RAW_FILE* file_cb = talloc(NULL, REGFI_RAW_FILE);
	1512	if(file_cb == NULL)
[31]	1513	return NULL;
[166]	1514
[178]	1515	file_cb->state = (void*)talloc(file_cb, int);
	1516	if(file_cb->state == NULL)
	1517	goto fail;
	1518	(int)file_cb->state = fd;
	1519
	1520	file_cb->cur_off = 0;
	1521	file_cb->size = 0;
	1522	file_cb->read = &regfi_raw_read;
	1523	file_cb->seek = &regfi_raw_seek;
	1524
[206]	1525	ret_val = regfi_alloc_cb(file_cb, output_encoding);
[166]	1526	if(ret_val == NULL)
[178]	1527	goto fail;
[166]	1528
[178]	1529	/* In this case, we want file_cb to be freed when ret_val is */
[181]	1530	talloc_steal(ret_val, file_cb);
[166]	1531	return ret_val;
[178]	1532
	1533	fail:
	1534	talloc_free(file_cb);
	1535	return NULL;
[166]	1536	}
	1537
	1538
[186]	1539	/******************************************************************************
	1540	******************************************************************************/
	1541	int regfi_free_cb(void* f)
	1542	{
	1543	REGFI_FILE* file = (REGFI_FILE*)f;
[178]	1544
[186]	1545	pthread_mutex_destroy(&file->cb_lock);
	1546	pthread_rwlock_destroy(&file->hbins_lock);
	1547	pthread_mutex_destroy(&file->sk_lock);
	1548
	1549	return 0;
	1550	}
	1551
	1552
	1553	/******************************************************************************
	1554	******************************************************************************/
[206]	1555	REGFI_FILE* regfi_alloc_cb(REGFI_RAW_FILE* file_cb,
	1556	REGFI_ENCODING output_encoding)
[166]	1557	{
	1558	REGFI_FILE* rb;
	1559	REGFI_HBIN* hbin = NULL;
[178]	1560	uint32_t hbin_off, cache_secret;
	1561	int32_t file_length;
[166]	1562	bool rla;
	1563
[178]	1564	/* Determine file length. Must be at least big enough for the header
	1565	* and one hbin.
[137]	1566	*/
[178]	1567	file_length = file_cb->seek(file_cb, 0, SEEK_END);
[137]	1568	if(file_length < REGFI_REGF_SIZE+REGFI_HBIN_ALLOC)
[182]	1569	{
	1570	regfi_log_add(REGFI_LOG_ERROR, "File length (%d) too short to contain a"
	1571	" header and at least one HBIN.", file_length);
[137]	1572	return NULL;
[182]	1573	}
[178]	1574	file_cb->seek(file_cb, 0, SEEK_SET);
[137]	1575
[206]	1576	if(output_encoding != REGFI_ENCODING_UTF8
	1577	&& output_encoding != REGFI_ENCODING_ASCII)
	1578	{
	1579	regfi_log_add(REGFI_LOG_ERROR, "Invalid output_encoding supplied"
	1580	" in creation of regfi iterator.");
	1581	return NULL;
	1582	}
	1583
[166]	1584	/* Read file header */
[203]	1585	if ((rb = regfi_parse_regf(file_cb, false)) == NULL)
[97]	1586	{
[182]	1587	regfi_log_add(REGFI_LOG_ERROR, "Failed to read REGF block.");
[31]	1588	return NULL;
	1589	}
[203]	1590	rb->file_length = file_length;
[178]	1591	rb->cb = file_cb;
[206]	1592	rb->string_encoding = output_encoding;
[137]	1593
[186]	1594	if(pthread_mutex_init(&rb->cb_lock, NULL) != 0)
[182]	1595	{
	1596	regfi_log_add(REGFI_LOG_ERROR, "Failed to create cb_lock mutex.");
[180]	1597	goto fail;
[182]	1598	}
[180]	1599
[186]	1600	if(pthread_rwlock_init(&rb->hbins_lock, NULL) != 0)
[182]	1601	{
	1602	regfi_log_add(REGFI_LOG_ERROR, "Failed to create hbins_lock rwlock.");
[180]	1603	goto fail;
[182]	1604	}
[180]	1605
[186]	1606	if(pthread_mutex_init(&rb->sk_lock, NULL) != 0)
[182]	1607	{
	1608	regfi_log_add(REGFI_LOG_ERROR, "Failed to create sk_lock mutex.");
[180]	1609	goto fail;
[182]	1610	}
[180]	1611
[99]	1612	rb->hbins = range_list_new();
[110]	1613	if(rb->hbins == NULL)
[182]	1614	{
	1615	regfi_log_add(REGFI_LOG_ERROR, "Failed to create HBIN range_list.");
[180]	1616	goto fail;
[182]	1617	}
[181]	1618	talloc_steal(rb, rb->hbins);
[150]	1619
[106]	1620	rla = true;
[135]	1621	hbin_off = REGFI_REGF_SIZE;
[110]	1622	hbin = regfi_parse_hbin(rb, hbin_off, true);
[106]	1623	while(hbin && rla)
	1624	{
[137]	1625	rla = range_list_add(rb->hbins, hbin->file_off, hbin->block_size, hbin);
[148]	1626	if(rla)
[181]	1627	talloc_steal(rb->hbins, hbin);
[180]	1628
[106]	1629	hbin_off = hbin->file_off + hbin->block_size;
[110]	1630	hbin = regfi_parse_hbin(rb, hbin_off, true);
[106]	1631	}
	1632
[146]	1633	/* This secret isn't very secret, but we don't need a good one. This
	1634	* secret is just designed to prevent someone from trying to blow our
	1635	* caching and make things slow.
	1636	*/
	1637	cache_secret = 0x15DEAD05^time(NULL)^(getpid()<<16);
	1638
[184]	1639	if(REGFI_CACHE_SK)
	1640	rb->sk_cache = lru_cache_create_ctx(rb, 64, cache_secret, true);
	1641	else
	1642	rb->sk_cache = NULL;
[146]	1643
[31]	1644	/* success */
[186]	1645	talloc_set_destructor(rb, regfi_free_cb);
[31]	1646	return rb;
[180]	1647
	1648	fail:
[186]	1649	pthread_mutex_destroy(&rb->cb_lock);
	1650	pthread_rwlock_destroy(&rb->hbins_lock);
	1651	pthread_mutex_destroy(&rb->sk_lock);
[180]	1652
	1653	range_list_free(rb->hbins);
	1654	talloc_free(rb);
	1655	return NULL;
[30]	1656	}
	1657
	1658
[148]	1659	/******************************************************************************
	1660	******************************************************************************/
[186]	1661	void regfi_free(REGFI_FILE* file)
[166]	1662	{
[186]	1663	/* Callback handles cleanup side effects */
[150]	1664	talloc_free(file);
[30]	1665	}
	1666
	1667
[80]	1668	/******************************************************************************
[158]	1669	* First checks the offset given by the file header, then checks the
	1670	* rest of the file if that fails.
[148]	1671	******************************************************************************/
[215]	1672	const REGFI_NK* regfi_get_rootkey(REGFI_FILE* file)
[30]	1673	{
[203]	1674	REGFI_NK* nk = NULL;
[146]	1675	REGFI_HBIN* hbin;
[168]	1676	uint32_t root_offset, i, num_hbins;
[99]	1677
	1678	if(!file)
[31]	1679	return NULL;
[99]	1680
[158]	1681	root_offset = file->root_cell+REGFI_REGF_SIZE;
[206]	1682	nk = regfi_load_key(file, root_offset, file->string_encoding, true);
[158]	1683	if(nk != NULL)
	1684	{
[161]	1685	if(nk->flags & REGFI_NK_FLAG_ROOT)
[158]	1686	return nk;
	1687	}
	1688
[182]	1689	regfi_log_add(REGFI_LOG_WARN, "File header indicated root key at"
	1690	" location 0x%.8X, but no root key found."
	1691	" Searching rest of file...", root_offset);
[158]	1692
	1693	/* If the file header gives bad info, scan through the file one HBIN
	1694	* block at a time looking for an NK record with a root key type.
[146]	1695	*/
[180]	1696
[215]	1697	if(!regfi_read_lock(file, &file->hbins_lock, "regfi_get_rootkey"))
[180]	1698	return NULL;
	1699
[107]	1700	num_hbins = range_list_size(file->hbins);
[158]	1701	for(i=0; i < num_hbins && nk == NULL; i++)
[99]	1702	{
[135]	1703	hbin = (REGFI_HBIN*)range_list_get(file->hbins, i)->data;
[206]	1704	nk = regfi_find_root_nk(file, hbin, file->string_encoding);
[31]	1705	}
[30]	1706
[215]	1707	if(!regfi_rw_unlock(file, &file->hbins_lock, "regfi_get_rootkey"))
[180]	1708	return NULL;
	1709
[80]	1710	return nk;
[30]	1711	}
	1712
	1713
[80]	1714	/******************************************************************************
	1715	*****************************************************************************/
[184]	1716	void regfi_free_record(const void* record)
[30]	1717	{
[184]	1718	talloc_unlink(NULL, (void*)record);
[150]	1719	}
[127]	1720
[80]	1721
	1722
[207]	1723
[80]	1724	/******************************************************************************
	1725	*****************************************************************************/
[207]	1726	uint32_t regfi_fetch_num_subkeys(const REGFI_NK* key)
	1727	{
	1728	uint32_t num_in_list = 0;
[215]	1729	if(key == NULL)
	1730	return 0;
	1731
[207]	1732	if(key->subkeys != NULL)
	1733	num_in_list = key->subkeys->num_keys;
	1734
	1735	if(num_in_list != key->num_subkeys)
	1736	{
	1737	regfi_log_add(REGFI_LOG_INFO, "Key at offset 0x%.8X contains %d keys in its"
	1738	" subkey list but reports %d should be available.",
	1739	key->offset, num_in_list, key->num_subkeys);
	1740	return (num_in_list < key->num_subkeys)?num_in_list:key->num_subkeys;
	1741	}
	1742
	1743	return num_in_list;
	1744	}
	1745
	1746
	1747	/******************************************************************************
	1748	*****************************************************************************/
	1749	uint32_t regfi_fetch_num_values(const REGFI_NK* key)
	1750	{
	1751	uint32_t num_in_list = 0;
[215]	1752	if(key == NULL)
	1753	return 0;
	1754
[207]	1755	if(key->values != NULL)
	1756	num_in_list = key->values->num_values;
	1757
	1758	if(num_in_list != key->num_values)
	1759	{
	1760	regfi_log_add(REGFI_LOG_INFO, "Key at offset 0x%.8X contains %d values in"
	1761	" its value list but reports %d should be available.",
	1762	key->offset, num_in_list, key->num_values);
	1763	return (num_in_list < key->num_values)?num_in_list:key->num_values;
	1764	}
	1765
	1766	return num_in_list;
	1767	}
	1768
	1769
	1770	/******************************************************************************
	1771	*****************************************************************************/
[206]	1772	REGFI_ITERATOR* regfi_iterator_new(REGFI_FILE* file)
[80]	1773	{
[203]	1774	REGFI_NK* root;
[161]	1775	REGFI_ITERATOR* ret_val;
	1776
	1777	ret_val = talloc(NULL, REGFI_ITERATOR);
[80]	1778	if(ret_val == NULL)
	1779	return NULL;
	1780
[215]	1781	root = (REGFI_NK*)regfi_get_rootkey(file);
[80]	1782	if(root == NULL)
	1783	{
[150]	1784	talloc_free(ret_val);
[80]	1785	return NULL;
	1786	}
[181]	1787	ret_val->cur_key = root;
[213]	1788	talloc_reparent(NULL, ret_val, root);
[80]	1789
[135]	1790	ret_val->key_positions = void_stack_new(REGFI_MAX_DEPTH);
[80]	1791	if(ret_val->key_positions == NULL)
	1792	{
[150]	1793	talloc_free(ret_val);
[80]	1794	return NULL;
	1795	}
[181]	1796	talloc_steal(ret_val, ret_val->key_positions);
[80]	1797
[159]	1798	ret_val->f = file;
[80]	1799	ret_val->cur_subkey = 0;
	1800	ret_val->cur_value = 0;
[161]	1801
[80]	1802	return ret_val;
	1803	}
	1804
	1805
	1806	/******************************************************************************
	1807	*****************************************************************************/
	1808	void regfi_iterator_free(REGFI_ITERATOR* i)
	1809	{
[150]	1810	talloc_free(i);
[80]	1811	}
	1812
	1813
	1814
	1815	/******************************************************************************
	1816	*****************************************************************************/
	1817	/* XXX: some way of indicating reason for failure should be added. */
	1818	bool regfi_iterator_down(REGFI_ITERATOR* i)
	1819	{
[203]	1820	REGFI_NK* subkey;
[80]	1821	REGFI_ITER_POSITION* pos;
	1822
[150]	1823	pos = talloc(i->key_positions, REGFI_ITER_POSITION);
[80]	1824	if(pos == NULL)
	1825	return false;
	1826
[203]	1827	subkey = (REGFI_NK*)regfi_iterator_cur_subkey(i);
[80]	1828	if(subkey == NULL)
	1829	{
[150]	1830	talloc_free(pos);
[80]	1831	return false;
	1832	}
	1833
	1834	pos->nk = i->cur_key;
	1835	pos->cur_subkey = i->cur_subkey;
	1836	if(!void_stack_push(i->key_positions, pos))
	1837	{
[150]	1838	talloc_free(pos);
[184]	1839	talloc_unlink(NULL, subkey);
[80]	1840	return false;
	1841	}
[213]	1842	talloc_reparent(NULL, i, subkey);
[80]	1843
	1844	i->cur_key = subkey;
	1845	i->cur_subkey = 0;
	1846	i->cur_value = 0;
	1847
	1848	return true;
	1849	}
	1850
	1851
	1852	/******************************************************************************
	1853	*****************************************************************************/
	1854	bool regfi_iterator_up(REGFI_ITERATOR* i)
	1855	{
	1856	REGFI_ITER_POSITION* pos;
	1857
	1858	pos = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions);
	1859	if(pos == NULL)
	1860	return false;
	1861
[184]	1862	talloc_unlink(i, i->cur_key);
[80]	1863	i->cur_key = pos->nk;
	1864	i->cur_subkey = pos->cur_subkey;
	1865	i->cur_value = 0;
[150]	1866	talloc_free(pos);
[80]	1867
	1868	return true;
	1869	}
	1870
	1871
	1872	/******************************************************************************
	1873	*****************************************************************************/
	1874	bool regfi_iterator_to_root(REGFI_ITERATOR* i)
	1875	{
	1876	while(regfi_iterator_up(i))
	1877	continue;
	1878
	1879	return true;
	1880	}
	1881
	1882
	1883	/******************************************************************************
	1884	*****************************************************************************/
[207]	1885	bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* name)
[80]	1886	{
[207]	1887	uint32_t new_index;
[133]	1888
[207]	1889	if(regfi_find_subkey(i->f, i->cur_key, name, &new_index))
[80]	1890	{
[207]	1891	i->cur_subkey = new_index;
	1892	return true;
[80]	1893	}
	1894
[207]	1895	return false;
[80]	1896	}
	1897
	1898
	1899	/******************************************************************************
	1900	*****************************************************************************/
	1901	bool regfi_iterator_walk_path(REGFI_ITERATOR* i, const char** path)
	1902	{
[168]	1903	uint32_t x;
[80]	1904	if(path == NULL)
	1905	return false;
	1906
	1907	for(x=0;
	1908	((path[x] != NULL) && regfi_iterator_find_subkey(i, path[x])
	1909	&& regfi_iterator_down(i));
	1910	x++)
	1911	{ continue; }
	1912
	1913	if(path[x] == NULL)
[215]	1914	{
[80]	1915	return true;
[215]	1916	}
	1917
[80]	1918	/* XXX: is this the right number of times? */
	1919	for(; x > 0; x--)
	1920	regfi_iterator_up(i);
	1921
	1922	return false;
	1923	}
	1924
	1925
	1926	/******************************************************************************
	1927	*****************************************************************************/
[203]	1928	const REGFI_NK* regfi_iterator_cur_key(REGFI_ITERATOR* i)
[80]	1929	{
[213]	1930	talloc_reference(NULL, i->cur_key);
[80]	1931	return i->cur_key;
	1932	}
	1933
	1934
	1935	/******************************************************************************
	1936	*****************************************************************************/
[206]	1937	const REGFI_SK* regfi_fetch_sk(REGFI_FILE* file, const REGFI_NK* key)
[109]	1938	{
[206]	1939	if(key == NULL \|\| key->sk_off == REGFI_OFFSET_NONE)
[109]	1940	return NULL;
	1941
[206]	1942	return regfi_load_sk(file, key->sk_off + REGFI_REGF_SIZE, true);
[109]	1943	}
	1944
	1945
	1946	/******************************************************************************
	1947	*****************************************************************************/
[199]	1948	bool regfi_iterator_first_subkey(REGFI_ITERATOR* i)
[80]	1949	{
	1950	i->cur_subkey = 0;
[199]	1951
	1952	return ((i->cur_key != NULL) && (i->cur_key->subkeys_off!=REGFI_OFFSET_NONE)
[207]	1953	&& (i->cur_subkey < regfi_fetch_num_subkeys(i->cur_key)));
[80]	1954	}
	1955
	1956
	1957	/******************************************************************************
	1958	*****************************************************************************/
[203]	1959	const REGFI_NK* regfi_iterator_cur_subkey(REGFI_ITERATOR* i)
[80]	1960	{
[207]	1961	return regfi_get_subkey(i->f, i->cur_key, i->cur_subkey);
[30]	1962	}
[80]	1963
	1964
	1965	/******************************************************************************
	1966	*****************************************************************************/
[199]	1967	bool regfi_iterator_next_subkey(REGFI_ITERATOR* i)
[80]	1968	{
	1969	i->cur_subkey++;
	1970
[199]	1971	return ((i->cur_key != NULL) && (i->cur_key->subkeys_off!=REGFI_OFFSET_NONE)
[207]	1972	&& (i->cur_subkey < regfi_fetch_num_subkeys(i->cur_key)));
[80]	1973	}
	1974
	1975
	1976	/******************************************************************************
	1977	*****************************************************************************/
[207]	1978	bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* name)
[80]	1979	{
[207]	1980	uint32_t new_index;
[80]	1981
[207]	1982	if(regfi_find_value(i->f, i->cur_key, name, &new_index))
[80]	1983	{
[207]	1984	i->cur_value = new_index;
	1985	return true;
[80]	1986	}
	1987
[207]	1988	return false;
[80]	1989	}
	1990
	1991
	1992	/******************************************************************************
	1993	*****************************************************************************/
[199]	1994	bool regfi_iterator_first_value(REGFI_ITERATOR* i)
[80]	1995	{
	1996	i->cur_value = 0;
[199]	1997	return (i->cur_key->values != NULL && i->cur_key->values->elements != NULL
[207]	1998	&& (i->cur_value < regfi_fetch_num_values(i->cur_key)));
[80]	1999	}
	2000
	2001
	2002	/******************************************************************************
	2003	*****************************************************************************/
[203]	2004	const REGFI_VK* regfi_iterator_cur_value(REGFI_ITERATOR* i)
[80]	2005	{
[207]	2006	return regfi_get_value(i->f, i->cur_key, i->cur_value);
[80]	2007	}
	2008
	2009
	2010	/******************************************************************************
	2011	*****************************************************************************/
[199]	2012	bool regfi_iterator_next_value(REGFI_ITERATOR* i)
[80]	2013	{
	2014	i->cur_value++;
[199]	2015	return (i->cur_key->values != NULL && i->cur_key->values->elements != NULL
[207]	2016	&& (i->cur_value < regfi_fetch_num_values(i->cur_key)));
[80]	2017	}
[97]	2018
	2019
[159]	2020	/******************************************************************************
	2021	*****************************************************************************/
[206]	2022	const REGFI_CLASSNAME* regfi_fetch_classname(REGFI_FILE* file,
	2023	const REGFI_NK* key)
[160]	2024	{
	2025	REGFI_CLASSNAME* ret_val;
[168]	2026	uint8_t* raw;
[160]	2027	char* interpreted;
[168]	2028	uint32_t offset;
	2029	int32_t conv_size, max_size;
	2030	uint16_t parse_length;
[160]	2031
	2032	if(key->classname_off == REGFI_OFFSET_NONE \|\| key->classname_length == 0)
	2033	return NULL;
	2034
	2035	offset = key->classname_off + REGFI_REGF_SIZE;
[206]	2036	max_size = regfi_calc_maxsize(file, offset);
[160]	2037	if(max_size <= 0)
	2038	return NULL;
	2039
	2040	parse_length = key->classname_length;
[206]	2041	raw = regfi_parse_classname(file, offset, &parse_length, max_size, true);
[160]	2042
	2043	if(raw == NULL)
	2044	{
[182]	2045	regfi_log_add(REGFI_LOG_WARN, "Could not parse class"
	2046	" name at offset 0x%.8X for key record at offset 0x%.8X.",
	2047	offset, key->offset);
[160]	2048	return NULL;
	2049	}
	2050
	2051	ret_val = talloc(NULL, REGFI_CLASSNAME);
	2052	if(ret_val == NULL)
	2053	return NULL;
	2054
[206]	2055	ret_val->offset = offset;
[160]	2056	ret_val->raw = raw;
	2057	ret_val->size = parse_length;
[181]	2058	talloc_steal(ret_val, raw);
[160]	2059
	2060	interpreted = talloc_array(NULL, char, parse_length);
	2061
[161]	2062	conv_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
[206]	2063	regfi_encoding_int2str(file->string_encoding),
[160]	2064	raw, interpreted,
	2065	parse_length, parse_length);
	2066	if(conv_size < 0)
	2067	{
[182]	2068	regfi_log_add(REGFI_LOG_WARN, "Error occurred while"
	2069	" converting classname to charset %s. Error message: %s",
[206]	2070	file->string_encoding, strerror(-conv_size));
[160]	2071	talloc_free(interpreted);
	2072	ret_val->interpreted = NULL;
	2073	}
	2074	else
	2075	{
	2076	interpreted = talloc_realloc(NULL, interpreted, char, conv_size);
	2077	ret_val->interpreted = interpreted;
[181]	2078	talloc_steal(ret_val, interpreted);
[160]	2079	}
	2080
	2081	return ret_val;
	2082	}
	2083
	2084
	2085	/******************************************************************************
	2086	*****************************************************************************/
[206]	2087	const REGFI_DATA* regfi_fetch_data(REGFI_FILE* file,
	2088	const REGFI_VK* value)
[159]	2089	{
	2090	REGFI_DATA* ret_val = NULL;
	2091	REGFI_BUFFER raw_data;
	2092
	2093	if(value->data_size != 0)
	2094	{
[206]	2095	raw_data = regfi_load_data(file, value->data_off, value->data_size,
[209]	2096	value->data_in_offset, true);
[159]	2097	if(raw_data.buf == NULL)
	2098	{
[182]	2099	regfi_log_add(REGFI_LOG_WARN, "Could not parse data record"
	2100	" while parsing VK record at offset 0x%.8X.",
	2101	value->offset);
[159]	2102	}
	2103	else
	2104	{
	2105	ret_val = regfi_buffer_to_data(raw_data);
	2106
	2107	if(ret_val == NULL)
	2108	{
[182]	2109	regfi_log_add(REGFI_LOG_WARN, "Error occurred in converting"
	2110	" data buffer to data structure while interpreting "
	2111	"data for VK record at offset 0x%.8X.",
	2112	value->offset);
[159]	2113	talloc_free(raw_data.buf);
	2114	return NULL;
	2115	}
	2116
[206]	2117	if(!regfi_interpret_data(file, file->string_encoding,
	2118	value->type, ret_val))
[159]	2119	{
[182]	2120	regfi_log_add(REGFI_LOG_INFO, "Error occurred while"
	2121	" interpreting data for VK record at offset 0x%.8X.",
	2122	value->offset);
[159]	2123	}
	2124	}
	2125	}
	2126
	2127	return ret_val;
	2128	}
	2129
	2130
[207]	2131
[159]	2132	/******************************************************************************
	2133	*****************************************************************************/
[207]	2134	bool regfi_find_subkey(REGFI_FILE* file, const REGFI_NK* key,
	2135	const char* name, uint32_t* index)
	2136	{
	2137	const REGFI_NK* cur;
	2138	uint32_t i;
	2139	uint32_t num_subkeys = regfi_fetch_num_subkeys(key);
	2140	bool found = false;
	2141
	2142	/* XXX: cur->name can be NULL in the registry.
	2143	* Should we allow for a way to search for that?
	2144	*/
	2145	if(name == NULL)
	2146	return false;
	2147
	2148	for(i=0; (i < num_subkeys) && (found == false); i++)
	2149	{
	2150	cur = regfi_get_subkey(file, key, i);
	2151	if(cur == NULL)
	2152	return false;
	2153
	2154	if((cur->name != NULL)
	2155	&& (strcasecmp(cur->name, name) == 0))
	2156	{
	2157	found = true;
	2158	*index = i;
	2159	}
	2160
	2161	regfi_free_record(cur);
	2162	}
	2163
	2164	return found;
	2165	}
	2166
	2167
	2168
	2169	/******************************************************************************
	2170	*****************************************************************************/
	2171	bool regfi_find_value(REGFI_FILE* file, const REGFI_NK* key,
	2172	const char* name, uint32_t* index)
	2173	{
	2174	const REGFI_VK* cur;
	2175	uint32_t i;
	2176	uint32_t num_values = regfi_fetch_num_values(key);
	2177	bool found = false;
	2178
	2179	/* XXX: cur->name can be NULL in the registry.
	2180	* Should we allow for a way to search for that?
	2181	*/
	2182	if(name == NULL)
	2183	return false;
	2184
	2185	for(i=0; (i < num_values) && (found == false); i++)
	2186	{
	2187	cur = regfi_get_value(file, key, i);
	2188	if(cur == NULL)
	2189	return false;
	2190
	2191	if((cur->name != NULL)
	2192	&& (strcasecmp(cur->name, name) == 0))
	2193	{
	2194	found = true;
	2195	*index = i;
	2196	}
	2197
	2198	regfi_free_record(cur);
	2199	}
	2200
	2201	return found;
	2202	}
	2203
	2204
	2205
	2206	/******************************************************************************
	2207	*****************************************************************************/
	2208	const REGFI_NK* regfi_get_subkey(REGFI_FILE* file, const REGFI_NK* key,
	2209	uint32_t index)
	2210	{
	2211	if(index < regfi_fetch_num_subkeys(key))
	2212	{
	2213	return regfi_load_key(file,
	2214	key->subkeys->elements[index].offset+REGFI_REGF_SIZE,
	2215	file->string_encoding, true);
	2216	}
	2217
	2218	return NULL;
	2219	}
	2220
	2221
	2222	/******************************************************************************
	2223	*****************************************************************************/
	2224	const REGFI_VK* regfi_get_value(REGFI_FILE* file, const REGFI_NK* key,
	2225	uint32_t index)
	2226	{
	2227	if(index < regfi_fetch_num_values(key))
	2228	{
	2229	return regfi_load_value(file,
	2230	key->values->elements[index]+REGFI_REGF_SIZE,
	2231	file->string_encoding, true);
	2232	}
	2233
	2234	return NULL;
	2235	}
	2236
	2237
[215]	2238
[207]	2239	/******************************************************************************
	2240	*****************************************************************************/
[215]	2241	const REGFI_NK* regfi_get_parentkey(REGFI_FILE* file, const REGFI_NK* key)
	2242	{
	2243	if(key != NULL && key->parent_off != REGFI_OFFSET_NONE)
	2244	{
	2245	/* fprintf(stderr, "key->parent_off=%.8X\n", key->parent_off);*/
	2246	return regfi_load_key(file,
	2247	key->parent_off+REGFI_REGF_SIZE,
	2248	file->string_encoding, true);
	2249	}
	2250
	2251	return NULL;
	2252	}
	2253
	2254
	2255
	2256	/******************************************************************************
	2257	*****************************************************************************/
[159]	2258	REGFI_DATA* regfi_buffer_to_data(REGFI_BUFFER raw_data)
	2259	{
	2260	REGFI_DATA* ret_val;
	2261
	2262	if(raw_data.buf == NULL)
	2263	return NULL;
	2264
	2265	ret_val = talloc(NULL, REGFI_DATA);
	2266	if(ret_val == NULL)
	2267	return NULL;
	2268
[181]	2269	talloc_steal(ret_val, raw_data.buf);
[159]	2270	ret_val->raw = raw_data.buf;
	2271	ret_val->size = raw_data.len;
	2272	ret_val->interpreted_size = 0;
	2273	ret_val->interpreted.qword = 0;
	2274
	2275	return ret_val;
	2276	}
	2277
	2278
	2279	/******************************************************************************
	2280	*****************************************************************************/
[161]	2281	bool regfi_interpret_data(REGFI_FILE* file, REGFI_ENCODING string_encoding,
[168]	2282	uint32_t type, REGFI_DATA* data)
[159]	2283	{
[168]	2284	uint8_t** tmp_array;
	2285	uint8_t* tmp_str;
	2286	int32_t tmp_size;
	2287	uint32_t i, j, array_size;
[159]	2288
	2289	if(data == NULL)
	2290	return false;
	2291
	2292	switch (type)
	2293	{
	2294	case REG_SZ:
	2295	case REG_EXPAND_SZ:
	2296	/* REG_LINK is a symbolic link, stored as a unicode string. */
	2297	case REG_LINK:
[168]	2298	tmp_str = talloc_array(NULL, uint8_t, data->size);
[159]	2299	if(tmp_str == NULL)
	2300	{
	2301	data->interpreted.string = NULL;
	2302	data->interpreted_size = 0;
	2303	return false;
	2304	}
	2305
[161]	2306	tmp_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
	2307	regfi_encoding_int2str(string_encoding),
[159]	2308	data->raw, (char*)tmp_str,
	2309	data->size, data->size);
	2310	if(tmp_size < 0)
	2311	{
[182]	2312	regfi_log_add(REGFI_LOG_INFO, "Error occurred while"
[193]	2313	" converting data of type %d to %d. Error message: %s",
[182]	2314	type, string_encoding, strerror(-tmp_size));
[159]	2315	talloc_free(tmp_str);
	2316	data->interpreted.string = NULL;
	2317	data->interpreted_size = 0;
	2318	return false;
	2319	}
	2320
[168]	2321	tmp_str = talloc_realloc(NULL, tmp_str, uint8_t, tmp_size);
[159]	2322	data->interpreted.string = tmp_str;
	2323	data->interpreted_size = tmp_size;
[181]	2324	talloc_steal(data, tmp_str);
[159]	2325	break;
	2326
	2327	case REG_DWORD:
	2328	if(data->size < 4)
	2329	{
	2330	data->interpreted.dword = 0;
	2331	data->interpreted_size = 0;
	2332	return false;
	2333	}
	2334	data->interpreted.dword = IVAL(data->raw, 0);
	2335	data->interpreted_size = 4;
	2336	break;
	2337
	2338	case REG_DWORD_BE:
	2339	if(data->size < 4)
	2340	{
	2341	data->interpreted.dword_be = 0;
	2342	data->interpreted_size = 0;
	2343	return false;
	2344	}
	2345	data->interpreted.dword_be = RIVAL(data->raw, 0);
	2346	data->interpreted_size = 4;
	2347	break;
	2348
	2349	case REG_QWORD:
	2350	if(data->size < 8)
	2351	{
	2352	data->interpreted.qword = 0;
	2353	data->interpreted_size = 0;
	2354	return false;
	2355	}
	2356	data->interpreted.qword =
[168]	2357	(uint64_t)IVAL(data->raw, 0) + (((uint64_t)IVAL(data->raw, 4))<<32);
[159]	2358	data->interpreted_size = 8;
	2359	break;
	2360
	2361	case REG_MULTI_SZ:
[168]	2362	tmp_str = talloc_array(NULL, uint8_t, data->size);
[159]	2363	if(tmp_str == NULL)
	2364	{
	2365	data->interpreted.multiple_string = NULL;
	2366	data->interpreted_size = 0;
	2367	return false;
	2368	}
	2369
	2370	/* Attempt to convert entire string from UTF-16LE to output encoding,
	2371	* then parse and quote fields individually.
	2372	*/
[161]	2373	tmp_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
	2374	regfi_encoding_int2str(string_encoding),
[159]	2375	data->raw, (char*)tmp_str,
	2376	data->size, data->size);
	2377	if(tmp_size < 0)
	2378	{
[182]	2379	regfi_log_add(REGFI_LOG_INFO, "Error occurred while"
	2380	" converting data of type %d to %s. Error message: %s",
	2381	type, string_encoding, strerror(-tmp_size));
[159]	2382	talloc_free(tmp_str);
	2383	data->interpreted.multiple_string = NULL;
	2384	data->interpreted_size = 0;
	2385	return false;
	2386	}
	2387
	2388	array_size = tmp_size+1;
[168]	2389	tmp_array = talloc_array(NULL, uint8_t*, array_size);
[159]	2390	if(tmp_array == NULL)
	2391	{
	2392	talloc_free(tmp_str);
	2393	data->interpreted.string = NULL;
	2394	data->interpreted_size = 0;
	2395	return false;
	2396	}
	2397
	2398	tmp_array[0] = tmp_str;
	2399	for(i=0,j=1; i < tmp_size && j < array_size-1; i++)
	2400	{
[209]	2401	if(tmp_str[i] == '\0' && (i+1 < tmp_size) && tmp_str[i+1] != '\0')
[159]	2402	tmp_array[j++] = tmp_str+i+1;
	2403	}
	2404	tmp_array[j] = NULL;
[168]	2405	tmp_array = talloc_realloc(NULL, tmp_array, uint8_t*, j+1);
[159]	2406	data->interpreted.multiple_string = tmp_array;
	2407	/* XXX: how meaningful is this? should we store number of strings instead? */
	2408	data->interpreted_size = tmp_size;
[181]	2409	talloc_steal(tmp_array, tmp_str);
	2410	talloc_steal(data, tmp_array);
[159]	2411	break;
	2412
	2413	/* XXX: Dont know how to interpret these yet, just treat as binary */
	2414	case REG_NONE:
	2415	data->interpreted.none = data->raw;
	2416	data->interpreted_size = data->size;
	2417	break;
	2418
	2419	case REG_RESOURCE_LIST:
	2420	data->interpreted.resource_list = data->raw;
	2421	data->interpreted_size = data->size;
	2422	break;
	2423
	2424	case REG_FULL_RESOURCE_DESCRIPTOR:
	2425	data->interpreted.full_resource_descriptor = data->raw;
	2426	data->interpreted_size = data->size;
	2427	break;
	2428
	2429	case REG_RESOURCE_REQUIREMENTS_LIST:
	2430	data->interpreted.resource_requirements_list = data->raw;
	2431	data->interpreted_size = data->size;
	2432	break;
	2433
	2434	case REG_BINARY:
	2435	data->interpreted.binary = data->raw;
	2436	data->interpreted_size = data->size;
	2437	break;
	2438
	2439	default:
	2440	data->interpreted.qword = 0;
	2441	data->interpreted_size = 0;
	2442	return false;
	2443	}
	2444
	2445	data->type = type;
	2446	return true;
	2447	}
	2448
	2449
[166]	2450	/******************************************************************************
[159]	2451	* Convert from UTF-16LE to specified character set.
	2452	* On error, returns a negative errno code.
[166]	2453	*****************************************************************************/
[168]	2454	int32_t regfi_conv_charset(const char* input_charset, const char* output_charset,
[206]	2455	uint8_t* input, char* output,
	2456	uint32_t input_len, uint32_t output_max)
[159]	2457	{
	2458	iconv_t conv_desc;
	2459	char* inbuf = (char*)input;
	2460	char* outbuf = output;
	2461	size_t in_len = (size_t)input_len;
	2462	size_t out_len = (size_t)(output_max-1);
	2463	int ret;
	2464
[161]	2465	/* XXX: Consider creating a couple of conversion descriptors earlier,
	2466	* storing them on an iterator so they don't have to be recreated
	2467	* each time.
	2468	*/
	2469
[159]	2470	/* Set up conversion descriptor. */
[161]	2471	conv_desc = iconv_open(output_charset, input_charset);
[159]	2472
	2473	ret = iconv(conv_desc, &inbuf, &in_len, &outbuf, &out_len);
	2474	if(ret == -1)
	2475	{
	2476	iconv_close(conv_desc);
	2477	return -errno;
	2478	}
	2479	*outbuf = '\0';
	2480
	2481	iconv_close(conv_desc);
	2482	return output_max-out_len-1;
	2483	}
	2484
	2485
	2486
	2487	/*******************************************************************
[97]	2488	* Computes the checksum of the registry file header.
[159]	2489	* buffer must be at least the size of a regf header (4096 bytes).
[97]	2490	*******************************************************************/
[168]	2491	static uint32_t regfi_compute_header_checksum(uint8_t* buffer)
[97]	2492	{
[168]	2493	uint32_t checksum, x;
[97]	2494	int i;
	2495
	2496	/* XOR of all bytes 0x0000 - 0x01FB */
	2497
	2498	checksum = x = 0;
	2499
	2500	for ( i=0; i<0x01FB; i+=4 ) {
	2501	x = IVAL(buffer, i );
	2502	checksum ^= x;
	2503	}
	2504
	2505	return checksum;
	2506	}
	2507
	2508
	2509	/*******************************************************************
	2510	*******************************************************************/
[178]	2511	REGFI_FILE* regfi_parse_regf(REGFI_RAW_FILE* file_cb, bool strict)
[97]	2512	{
[168]	2513	uint8_t file_header[REGFI_REGF_SIZE];
	2514	uint32_t length;
[135]	2515	REGFI_FILE* ret_val;
[97]	2516
[150]	2517	ret_val = talloc(NULL, REGFI_FILE);
[97]	2518	if(ret_val == NULL)
	2519	return NULL;
	2520
[150]	2521	ret_val->sk_cache = NULL;
	2522	ret_val->hbins = NULL;
[178]	2523
[135]	2524	length = REGFI_REGF_SIZE;
[178]	2525	if((regfi_read(file_cb, file_header, &length)) != 0
	2526	\|\| length != REGFI_REGF_SIZE)
[182]	2527	{
	2528	regfi_log_add(REGFI_LOG_WARN, "Read failed while parsing REGF structure.");
[150]	2529	goto fail;
[182]	2530	}
	2531
[97]	2532	ret_val->checksum = IVAL(file_header, 0x1FC);
	2533	ret_val->computed_checksum = regfi_compute_header_checksum(file_header);
	2534	if (strict && (ret_val->checksum != ret_val->computed_checksum))
[182]	2535	{
	2536	regfi_log_add(REGFI_LOG_WARN, "Stored header checksum (%.8X) did not equal"
	2537	" computed checksum (%.8X).",
	2538	ret_val->checksum, ret_val->computed_checksum);
	2539	if(strict)
	2540	goto fail;
	2541	}
[97]	2542
[135]	2543	memcpy(ret_val->magic, file_header, REGFI_REGF_MAGIC_SIZE);
[150]	2544	if(memcmp(ret_val->magic, "regf", REGFI_REGF_MAGIC_SIZE) != 0)
[97]	2545	{
[182]	2546	regfi_log_add(REGFI_LOG_ERROR, "Magic number mismatch "
	2547	"(%.2X %.2X %.2X %.2X) while parsing hive header",
	2548	ret_val->magic[0], ret_val->magic[1],
	2549	ret_val->magic[2], ret_val->magic[3]);
	2550	goto fail;
[97]	2551	}
[178]	2552
[151]	2553	ret_val->sequence1 = IVAL(file_header, 0x4);
	2554	ret_val->sequence2 = IVAL(file_header, 0x8);
[97]	2555	ret_val->mtime.low = IVAL(file_header, 0xC);
	2556	ret_val->mtime.high = IVAL(file_header, 0x10);
[151]	2557	ret_val->major_version = IVAL(file_header, 0x14);
	2558	ret_val->minor_version = IVAL(file_header, 0x18);
	2559	ret_val->type = IVAL(file_header, 0x1C);
	2560	ret_val->format = IVAL(file_header, 0x20);
	2561	ret_val->root_cell = IVAL(file_header, 0x24);
[97]	2562	ret_val->last_block = IVAL(file_header, 0x28);
[151]	2563	ret_val->cluster = IVAL(file_header, 0x2C);
[97]	2564
[151]	2565	memcpy(ret_val->file_name, file_header+0x30, REGFI_REGF_NAME_SIZE);
	2566
	2567	/* XXX: Should we add a warning if these uuid parsers fail? Can they? */
	2568	ret_val->rm_id = winsec_parse_uuid(ret_val, file_header+0x70, 16);
	2569	ret_val->log_id = winsec_parse_uuid(ret_val, file_header+0x80, 16);
	2570	ret_val->flags = IVAL(file_header, 0x90);
	2571	ret_val->tm_id = winsec_parse_uuid(ret_val, file_header+0x94, 16);
	2572	ret_val->guid_signature = IVAL(file_header, 0xa4);
	2573
	2574	memcpy(ret_val->reserved1, file_header+0xa8, REGFI_REGF_RESERVED1_SIZE);
	2575	memcpy(ret_val->reserved2, file_header+0x200, REGFI_REGF_RESERVED2_SIZE);
	2576
	2577	ret_val->thaw_tm_id = winsec_parse_uuid(ret_val, file_header+0xFC8, 16);
	2578	ret_val->thaw_rm_id = winsec_parse_uuid(ret_val, file_header+0xFD8, 16);
	2579	ret_val->thaw_log_id = winsec_parse_uuid(ret_val, file_header+0xFE8, 16);
[152]	2580	ret_val->boot_type = IVAL(file_header, 0xFF8);
	2581	ret_val->boot_recover = IVAL(file_header, 0xFFC);
[151]	2582
[97]	2583	return ret_val;
[150]	2584
	2585	fail:
	2586	talloc_free(ret_val);
	2587	return NULL;
[97]	2588	}
	2589
	2590
	2591
[148]	2592	/******************************************************************************
[97]	2593	* Given real file offset, read and parse the hbin at that location
[110]	2594	* along with it's associated cells.
[148]	2595	******************************************************************************/
[168]	2596	REGFI_HBIN* regfi_parse_hbin(REGFI_FILE* file, uint32_t offset, bool strict)
[97]	2597	{
[181]	2598	REGFI_HBIN* hbin = NULL;
[168]	2599	uint8_t hbin_header[REGFI_HBIN_HEADER_SIZE];
	2600	uint32_t length;
[99]	2601
	2602	if(offset >= file->file_length)
[180]	2603	goto fail;
	2604
[186]	2605	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_hbin"))
[180]	2606	goto fail;
[97]	2607
[178]	2608	if(regfi_seek(file->cb, offset, SEEK_SET) == -1)
[137]	2609	{
[182]	2610	regfi_log_add(REGFI_LOG_ERROR, "Seek failed"
	2611	" while parsing hbin at offset 0x%.8X.", offset);
[180]	2612	goto fail_locked;
[137]	2613	}
[97]	2614
[135]	2615	length = REGFI_HBIN_HEADER_SIZE;
[178]	2616	if((regfi_read(file->cb, hbin_header, &length) != 0)
[135]	2617	\|\| length != REGFI_HBIN_HEADER_SIZE)
[182]	2618	{
	2619	regfi_log_add(REGFI_LOG_ERROR, "Read failed"
	2620	" while parsing hbin at offset 0x%.8X.", offset);
[180]	2621	goto fail_locked;
[182]	2622	}
[97]	2623
[186]	2624	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_hbin"))
[180]	2625	goto fail;
[97]	2626
[148]	2627	hbin = talloc(NULL, REGFI_HBIN);
	2628	if(hbin == NULL)
[180]	2629	goto fail;
[99]	2630	hbin->file_off = offset;
	2631
[97]	2632	memcpy(hbin->magic, hbin_header, 4);
	2633	if(strict && (memcmp(hbin->magic, "hbin", 4) != 0))
[99]	2634	{
[182]	2635	/* This always seems to happen at the end of a file, so we make it an INFO
	2636	* message, rather than something more serious.
	2637	*/
	2638	regfi_log_add(REGFI_LOG_INFO, "Magic number mismatch "
	2639	"(%.2X %.2X %.2X %.2X) while parsing hbin at offset"
	2640	" 0x%.8X.", hbin->magic[0], hbin->magic[1],
	2641	hbin->magic[2], hbin->magic[3], offset);
[180]	2642	goto fail;
[99]	2643	}
[97]	2644
	2645	hbin->first_hbin_off = IVAL(hbin_header, 0x4);
	2646	hbin->block_size = IVAL(hbin_header, 0x8);
[182]	2647	/* this should be the same thing as hbin->block_size, but just in case */
[97]	2648	hbin->next_block = IVAL(hbin_header, 0x1C);
	2649
	2650
	2651	/* Ensure the block size is a multiple of 0x1000 and doesn't run off
	2652	* the end of the file.
	2653	*/
[116]	2654	/* XXX: This may need to be relaxed for dealing with
	2655	* partial or corrupt files.
	2656	*/
[97]	2657	if((offset + hbin->block_size > file->file_length)
	2658	\|\| (hbin->block_size & 0xFFFFF000) != hbin->block_size)
[99]	2659	{
[182]	2660	regfi_log_add(REGFI_LOG_ERROR, "The hbin offset is not aligned"
	2661	" or runs off the end of the file"
	2662	" while parsing hbin at offset 0x%.8X.", offset);
[180]	2663	goto fail;
[99]	2664	}
[97]	2665
	2666	return hbin;
[180]	2667
	2668	fail_locked:
[186]	2669	regfi_unlock(file, &file->cb_lock, "regfi_parse_hbin");
[180]	2670	fail:
	2671	talloc_free(hbin);
	2672	return NULL;
[97]	2673	}
	2674
	2675
[126]	2676	/*******************************************************************
	2677	*******************************************************************/
[203]	2678	REGFI_NK* regfi_parse_nk(REGFI_FILE* file, uint32_t offset,
	2679	uint32_t max_size, bool strict)
[99]	2680	{
[168]	2681	uint8_t nk_header[REGFI_NK_MIN_LENGTH];
[203]	2682	REGFI_NK* ret_val;
[168]	2683	uint32_t length,cell_length;
[101]	2684	bool unalloc = false;
[99]	2685
[203]	2686	ret_val = talloc(NULL, REGFI_NK);
[180]	2687	if(ret_val == NULL)
	2688	{
[182]	2689	regfi_log_add(REGFI_LOG_ERROR, "Failed to allocate memory while"
	2690	" parsing NK record at offset 0x%.8X.", offset);
[180]	2691	goto fail;
	2692	}
	2693
[186]	2694	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_nk"))
[180]	2695	goto fail;
	2696
[178]	2697	if(!regfi_parse_cell(file->cb, offset, nk_header, REGFI_NK_MIN_LENGTH,
[101]	2698	&cell_length, &unalloc))
[137]	2699	{
[182]	2700	regfi_log_add(REGFI_LOG_WARN, "Could not parse cell header"
	2701	" while parsing NK record at offset 0x%.8X.", offset);
[180]	2702	goto fail_locked;
[137]	2703	}
	2704
[101]	2705	if((nk_header[0x0] != 'n') \|\| (nk_header[0x1] != 'k'))
[135]	2706	{
[182]	2707	regfi_log_add(REGFI_LOG_WARN, "Magic number mismatch in parsing"
	2708	" NK record at offset 0x%.8X.", offset);
[180]	2709	goto fail_locked;
[135]	2710	}
[99]	2711
[150]	2712	ret_val->values = NULL;
	2713	ret_val->subkeys = NULL;
[99]	2714	ret_val->offset = offset;
[101]	2715	ret_val->cell_size = cell_length;
	2716
[99]	2717	if(ret_val->cell_size > max_size)
	2718	ret_val->cell_size = max_size & 0xFFFFFFF8;
	2719	if((ret_val->cell_size < REGFI_NK_MIN_LENGTH)
[157]	2720	\|\| (strict && (ret_val->cell_size & 0x00000007) != 0))
[99]	2721	{
[182]	2722	regfi_log_add(REGFI_LOG_WARN, "A length check failed while"
	2723	" parsing NK record at offset 0x%.8X.", offset);
[180]	2724	goto fail_locked;
[99]	2725	}
	2726
[101]	2727	ret_val->magic[0] = nk_header[0x0];
	2728	ret_val->magic[1] = nk_header[0x1];
[161]	2729	ret_val->flags = SVAL(nk_header, 0x2);
[152]	2730
[161]	2731	if((ret_val->flags & ~REGFI_NK_KNOWN_FLAGS) != 0)
[99]	2732	{
[182]	2733	regfi_log_add(REGFI_LOG_WARN, "Unknown key flags (0x%.4X) while"
	2734	" parsing NK record at offset 0x%.8X.",
	2735	(ret_val->flags & ~REGFI_NK_KNOWN_FLAGS), offset);
[99]	2736	}
[101]	2737
	2738	ret_val->mtime.low = IVAL(nk_header, 0x4);
	2739	ret_val->mtime.high = IVAL(nk_header, 0x8);
[116]	2740	/* If the key is unallocated and the MTIME is earlier than Jan 1, 1990
	2741	* or later than Jan 1, 2290, we consider this a bad key. This helps
	2742	* weed out some false positives during deleted data recovery.
	2743	*/
	2744	if(unalloc
[178]	2745	&& (ret_val->mtime.high < REGFI_MTIME_MIN_HIGH
	2746	\|\| ret_val->mtime.high > REGFI_MTIME_MAX_HIGH))
[180]	2747	{ goto fail_locked; }
[116]	2748
[101]	2749	ret_val->unknown1 = IVAL(nk_header, 0xC);
	2750	ret_val->parent_off = IVAL(nk_header, 0x10);
	2751	ret_val->num_subkeys = IVAL(nk_header, 0x14);
	2752	ret_val->unknown2 = IVAL(nk_header, 0x18);
	2753	ret_val->subkeys_off = IVAL(nk_header, 0x1C);
	2754	ret_val->unknown3 = IVAL(nk_header, 0x20);
	2755	ret_val->num_values = IVAL(nk_header, 0x24);
	2756	ret_val->values_off = IVAL(nk_header, 0x28);
	2757	ret_val->sk_off = IVAL(nk_header, 0x2C);
	2758	ret_val->classname_off = IVAL(nk_header, 0x30);
[99]	2759
[101]	2760	ret_val->max_bytes_subkeyname = IVAL(nk_header, 0x34);
	2761	ret_val->max_bytes_subkeyclassname = IVAL(nk_header, 0x38);
	2762	ret_val->max_bytes_valuename = IVAL(nk_header, 0x3C);
	2763	ret_val->max_bytes_value = IVAL(nk_header, 0x40);
	2764	ret_val->unk_index = IVAL(nk_header, 0x44);
[99]	2765
[101]	2766	ret_val->name_length = SVAL(nk_header, 0x48);
	2767	ret_val->classname_length = SVAL(nk_header, 0x4A);
[206]	2768	ret_val->name = NULL;
[99]	2769
	2770	if(ret_val->name_length + REGFI_NK_MIN_LENGTH > ret_val->cell_size)
[101]	2771	{
	2772	if(strict)
	2773	{
[182]	2774	regfi_log_add(REGFI_LOG_ERROR, "Contents too large for cell"
	2775	" while parsing NK record at offset 0x%.8X.", offset);
[180]	2776	goto fail_locked;
[101]	2777	}
	2778	else
	2779	ret_val->name_length = ret_val->cell_size - REGFI_NK_MIN_LENGTH;
	2780	}
	2781	else if (unalloc)
	2782	{ /* Truncate cell_size if it's much larger than the apparent total record length. */
	2783	/* Round up to the next multiple of 8 */
	2784	length = (ret_val->name_length + REGFI_NK_MIN_LENGTH) & 0xFFFFFFF8;
	2785	if(length < ret_val->name_length + REGFI_NK_MIN_LENGTH)
	2786	length+=8;
[99]	2787
[101]	2788	/* If cell_size is still greater, truncate. */
	2789	if(length < ret_val->cell_size)
	2790	ret_val->cell_size = length;
	2791	}
	2792
[206]	2793	/* +1 to length in case we decided to use this directly as a string later */
	2794	ret_val->name_raw = talloc_array(ret_val, uint8_t, ret_val->name_length+1);
	2795	if(ret_val->name_raw == NULL)
[180]	2796	goto fail_locked;
[99]	2797
	2798	/* Don't need to seek, should be at the right offset */
	2799	length = ret_val->name_length;
[206]	2800	if((regfi_read(file->cb, (uint8_t*)ret_val->name_raw, &length) != 0)
[99]	2801	\|\| length != ret_val->name_length)
	2802	{
[182]	2803	regfi_log_add(REGFI_LOG_ERROR, "Failed to read key name"
	2804	" while parsing NK record at offset 0x%.8X.", offset);
[180]	2805	goto fail_locked;
[99]	2806	}
	2807
[186]	2808	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_nk"))
[180]	2809	goto fail;
	2810
[126]	2811	return ret_val;
[180]	2812
	2813	fail_locked:
[186]	2814	regfi_unlock(file, &file->cb_lock, "regfi_parse_nk");
[180]	2815	fail:
	2816	talloc_free(ret_val);
	2817	return NULL;
[126]	2818	}
	2819
	2820
[168]	2821	uint8_t* regfi_parse_classname(REGFI_FILE* file, uint32_t offset,
[206]	2822	uint16_t* name_length, uint32_t max_size, bool strict)
[126]	2823	{
[168]	2824	uint8_t* ret_val = NULL;
	2825	uint32_t length;
	2826	uint32_t cell_length;
[126]	2827	bool unalloc = false;
	2828
[180]	2829	if(*name_length <= 0 \|\| offset == REGFI_OFFSET_NONE
	2830	\|\| (offset & 0x00000007) != 0)
	2831	{ goto fail; }
	2832
[186]	2833	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_classname"))
[180]	2834	goto fail;
	2835
	2836	if(!regfi_parse_cell(file->cb, offset, NULL, 0, &cell_length, &unalloc))
[131]	2837	{
[182]	2838	regfi_log_add(REGFI_LOG_WARN, "Could not parse cell header"
	2839	" while parsing class name at offset 0x%.8X.", offset);
[180]	2840	goto fail_locked;
	2841	}
	2842
	2843	if((cell_length & 0x0000007) != 0)
	2844	{
[182]	2845	regfi_log_add(REGFI_LOG_ERROR, "Cell length not a multiple of 8"
	2846	" while parsing class name at offset 0x%.8X.", offset);
[180]	2847	goto fail_locked;
	2848	}
	2849
	2850	if(cell_length > max_size)
	2851	{
[182]	2852	regfi_log_add(REGFI_LOG_WARN, "Cell stretches past hbin "
	2853	"boundary while parsing class name at offset 0x%.8X.",
	2854	offset);
[180]	2855	if(strict)
	2856	goto fail_locked;
	2857	cell_length = max_size;
	2858	}
	2859
	2860	if((cell_length - 4) < *name_length)
	2861	{
[182]	2862	regfi_log_add(REGFI_LOG_WARN, "Class name is larger than"
	2863	" cell_length while parsing class name at offset"
	2864	" 0x%.8X.", offset);
[180]	2865	if(strict)
	2866	goto fail_locked;
	2867	*name_length = cell_length - 4;
	2868	}
	2869
	2870	ret_val = talloc_array(NULL, uint8_t, *name_length);
	2871	if(ret_val != NULL)
	2872	{
	2873	length = *name_length;
	2874	if((regfi_read(file->cb, ret_val, &length) != 0)
	2875	\|\| length != *name_length)
[137]	2876	{
[182]	2877	regfi_log_add(REGFI_LOG_ERROR, "Could not read class name"
	2878	" while parsing class name at offset 0x%.8X.", offset);
[180]	2879	goto fail_locked;
[137]	2880	}
[180]	2881	}
[126]	2882
[186]	2883	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_classname"))
[180]	2884	goto fail;
[137]	2885
[180]	2886	return ret_val;
[131]	2887
[180]	2888	fail_locked:
[186]	2889	regfi_unlock(file, &file->cb_lock, "regfi_parse_classname");
[180]	2890	fail:
	2891	talloc_free(ret_val);
	2892	return NULL;
[99]	2893	}
	2894
	2895
[152]	2896	/******************************************************************************
	2897	*******************************************************************************/
[203]	2898	REGFI_VK* regfi_parse_vk(REGFI_FILE* file, uint32_t offset,
[168]	2899	uint32_t max_size, bool strict)
[97]	2900	{
[203]	2901	REGFI_VK* ret_val;
[168]	2902	uint8_t vk_header[REGFI_VK_MIN_LENGTH];
	2903	uint32_t raw_data_size, length, cell_length;
[101]	2904	bool unalloc = false;
[97]	2905
[203]	2906	ret_val = talloc(NULL, REGFI_VK);
[180]	2907	if(ret_val == NULL)
	2908	goto fail;
	2909
[186]	2910	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_nk"))
[180]	2911	goto fail;
	2912
[178]	2913	if(!regfi_parse_cell(file->cb, offset, vk_header, REGFI_VK_MIN_LENGTH,
[101]	2914	&cell_length, &unalloc))
[137]	2915	{
[182]	2916	regfi_log_add(REGFI_LOG_WARN, "Could not parse cell header"
	2917	" while parsing VK record at offset 0x%.8X.", offset);
[180]	2918	goto fail_locked;
[137]	2919	}
[111]	2920
[101]	2921	ret_val->offset = offset;
	2922	ret_val->cell_size = cell_length;
[206]	2923	ret_val->name = NULL;
	2924	ret_val->name_raw = NULL;
[150]	2925
[101]	2926	if(ret_val->cell_size > max_size)
	2927	ret_val->cell_size = max_size & 0xFFFFFFF8;
	2928	if((ret_val->cell_size < REGFI_VK_MIN_LENGTH)
[157]	2929	\|\| (ret_val->cell_size & 0x00000007) != 0)
[97]	2930	{
[182]	2931	regfi_log_add(REGFI_LOG_WARN, "Invalid cell size encountered"
	2932	" while parsing VK record at offset 0x%.8X.", offset);
[180]	2933	goto fail_locked;
[101]	2934	}
[97]	2935
[101]	2936	ret_val->magic[0] = vk_header[0x0];
	2937	ret_val->magic[1] = vk_header[0x1];
	2938	if((ret_val->magic[0] != 'v') \|\| (ret_val->magic[1] != 'k'))
	2939	{
[124]	2940	/* XXX: This does not account for deleted keys under Win2K which
	2941	* often have this (and the name length) overwritten with
	2942	* 0xFFFF.
	2943	*/
[182]	2944	regfi_log_add(REGFI_LOG_WARN, "Magic number mismatch"
	2945	" while parsing VK record at offset 0x%.8X.", offset);
[180]	2946	goto fail_locked;
[101]	2947	}
	2948
	2949	ret_val->name_length = SVAL(vk_header, 0x2);
	2950	raw_data_size = IVAL(vk_header, 0x4);
[135]	2951	ret_val->data_size = raw_data_size & ~REGFI_VK_DATA_IN_OFFSET;
[157]	2952	/* The data is typically stored in the offset if the size <= 4,
	2953	* in which case this flag is set.
	2954	*/
[135]	2955	ret_val->data_in_offset = (bool)(raw_data_size & REGFI_VK_DATA_IN_OFFSET);
[101]	2956	ret_val->data_off = IVAL(vk_header, 0x8);
	2957	ret_val->type = IVAL(vk_header, 0xC);
[162]	2958	ret_val->flags = SVAL(vk_header, 0x10);
[101]	2959	ret_val->unknown1 = SVAL(vk_header, 0x12);
	2960
[162]	2961	if(ret_val->name_length > 0)
[101]	2962	{
[113]	2963	if(ret_val->name_length + REGFI_VK_MIN_LENGTH + 4 > ret_val->cell_size)
[101]	2964	{
[182]	2965	regfi_log_add(REGFI_LOG_WARN, "Name too long for remaining cell"
	2966	" space while parsing VK record at offset 0x%.8X.",
	2967	offset);
[101]	2968	if(strict)
[180]	2969	goto fail_locked;
[101]	2970	else
[113]	2971	ret_val->name_length = ret_val->cell_size - REGFI_VK_MIN_LENGTH - 4;
[101]	2972	}
	2973
	2974	/* Round up to the next multiple of 8 */
[113]	2975	cell_length = (ret_val->name_length + REGFI_VK_MIN_LENGTH + 4) & 0xFFFFFFF8;
	2976	if(cell_length < ret_val->name_length + REGFI_VK_MIN_LENGTH + 4)
	2977	cell_length+=8;
[101]	2978
[206]	2979	/* +1 to length in case we decided to use this directly as a string later */
	2980	ret_val->name_raw = talloc_array(ret_val, uint8_t, ret_val->name_length+1);
	2981	if(ret_val->name_raw == NULL)
[180]	2982	goto fail_locked;
[113]	2983
[101]	2984	length = ret_val->name_length;
[206]	2985	if((regfi_read(file->cb, (uint8_t*)ret_val->name_raw, &length) != 0)
[101]	2986	\|\| length != ret_val->name_length)
	2987	{
[182]	2988	regfi_log_add(REGFI_LOG_ERROR, "Could not read value name"
	2989	" while parsing VK record at offset 0x%.8X.", offset);
[180]	2990	goto fail_locked;
[101]	2991	}
	2992	}
	2993	else
[113]	2994	cell_length = REGFI_VK_MIN_LENGTH + 4;
[101]	2995
[186]	2996	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_nk"))
[180]	2997	goto fail;
	2998
[101]	2999	if(unalloc)
	3000	{
	3001	/* If cell_size is still greater, truncate. */
[113]	3002	if(cell_length < ret_val->cell_size)
	3003	ret_val->cell_size = cell_length;
[101]	3004	}
	3005
	3006	return ret_val;
[180]	3007
	3008	fail_locked:
[186]	3009	regfi_unlock(file, &file->cb_lock, "regfi_parse_vk");
[180]	3010	fail:
	3011	talloc_free(ret_val);
	3012	return NULL;
[97]	3013	}
[101]	3014
	3015
[152]	3016	/******************************************************************************
[157]	3017	*
	3018	******************************************************************************/
[168]	3019	REGFI_BUFFER regfi_load_data(REGFI_FILE* file, uint32_t voffset,
	3020	uint32_t length, bool data_in_offset,
[157]	3021	bool strict)
[101]	3022	{
[151]	3023	REGFI_BUFFER ret_val;
[168]	3024	uint32_t cell_length, offset;
	3025	int32_t max_size;
[101]	3026	bool unalloc;
[151]	3027
[159]	3028	/* Microsoft's documentation indicates that "available memory" is
[165]	3029	* the limit on value sizes for the more recent registry format version.
	3030	* This is not only annoying, but it's probably also incorrect, since clearly
	3031	* value data sizes are limited to 2^31 (high bit used as a flag) and even
	3032	* with big data records, the apparent max size is:
	3033	* 16344 * 2^16 = 1071104040 (~1GB).
	3034	*
	3035	* We choose to limit it to 1M which was the limit in older versions and
	3036	* should rarely be exceeded unless the file is corrupt or malicious.
	3037	* For more info, see:
	3038	* http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
[159]	3039	*/
[160]	3040	/* XXX: add way to skip this check at user discression. */
	3041	if(length > REGFI_VK_MAX_DATA_LENGTH)
[159]	3042	{
[182]	3043	regfi_log_add(REGFI_LOG_WARN, "Value data size %d larger than "
	3044	"%d, truncating...", length, REGFI_VK_MAX_DATA_LENGTH);
[160]	3045	length = REGFI_VK_MAX_DATA_LENGTH;
[159]	3046	}
	3047
[145]	3048	if(data_in_offset)
[157]	3049	return regfi_parse_little_data(file, voffset, length, strict);
	3050	else
[101]	3051	{
[157]	3052	offset = voffset + REGFI_REGF_SIZE;
	3053	max_size = regfi_calc_maxsize(file, offset);
	3054	if(max_size < 0)
[137]	3055	{
[182]	3056	regfi_log_add(REGFI_LOG_WARN, "Could not find HBIN for data"
	3057	" at offset 0x%.8X.", offset);
[151]	3058	goto fail;
[137]	3059	}
[157]	3060
[186]	3061	if(!regfi_lock(file, &file->cb_lock, "regfi_load_data"))
[180]	3062	goto fail;
	3063
[178]	3064	if(!regfi_parse_cell(file->cb, offset, NULL, 0,
[101]	3065	&cell_length, &unalloc))
[137]	3066	{
[182]	3067	regfi_log_add(REGFI_LOG_WARN, "Could not parse cell while"
	3068	" parsing data record at offset 0x%.8X.", offset);
[180]	3069	goto fail_locked;
[137]	3070	}
[111]	3071
[186]	3072	if(!regfi_unlock(file, &file->cb_lock, "regfi_load_data"))
[180]	3073	goto fail;
	3074
[157]	3075	if((cell_length & 0x00000007) != 0)
[137]	3076	{
[182]	3077	regfi_log_add(REGFI_LOG_WARN, "Cell length not multiple of 8"
	3078	" while parsing data record at offset 0x%.8X.",
	3079	offset);
[151]	3080	goto fail;
[137]	3081	}
[101]	3082
[131]	3083	if(cell_length > max_size)
	3084	{
[182]	3085	regfi_log_add(REGFI_LOG_WARN, "Cell extends past HBIN boundary"
	3086	" while parsing data record at offset 0x%.8X.",
	3087	offset);
[157]	3088	goto fail;
[131]	3089	}
	3090
[101]	3091	if(cell_length - 4 < length)
	3092	{
[155]	3093	/* XXX: All big data records thus far have been 16 bytes long.
	3094	* Should we check for this precise size instead of just
	3095	* relying upon the above check?
	3096	*/
[152]	3097	if (file->major_version >= 1 && file->minor_version >= 5)
	3098	{
	3099	/* Attempt to parse a big data record */
[157]	3100	return regfi_load_big_data(file, offset, length, cell_length,
	3101	NULL, strict);
[152]	3102	}
[101]	3103	else
[152]	3104	{
[182]	3105	regfi_log_add(REGFI_LOG_WARN, "Data length (0x%.8X) larger than"
	3106	" remaining cell length (0x%.8X)"
	3107	" while parsing data record at offset 0x%.8X.",
	3108	length, cell_length - 4, offset);
[152]	3109	if(strict)
	3110	goto fail;
	3111	else
	3112	length = cell_length - 4;
	3113	}
[101]	3114	}
	3115
[157]	3116	ret_val = regfi_parse_data(file, offset, length, strict);
[101]	3117	}
	3118
	3119	return ret_val;
[151]	3120
[180]	3121	fail_locked:
[186]	3122	regfi_unlock(file, &file->cb_lock, "regfi_load_data");
[151]	3123	fail:
	3124	ret_val.buf = NULL;
	3125	ret_val.len = 0;
	3126	return ret_val;
[101]	3127	}
[110]	3128
	3129
[152]	3130	/******************************************************************************
[157]	3131	* Parses the common case data records stored in a single cell.
	3132	******************************************************************************/
[168]	3133	REGFI_BUFFER regfi_parse_data(REGFI_FILE* file, uint32_t offset,
	3134	uint32_t length, bool strict)
[157]	3135	{
	3136	REGFI_BUFFER ret_val;
[168]	3137	uint32_t read_length;
[157]	3138
	3139	ret_val.buf = NULL;
	3140	ret_val.len = 0;
	3141
[180]	3142	if((ret_val.buf = talloc_array(NULL, uint8_t, length)) == NULL)
	3143	goto fail;
	3144	ret_val.len = length;
	3145
[186]	3146	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_data"))
[180]	3147	goto fail;
	3148
[178]	3149	if(regfi_seek(file->cb, offset+4, SEEK_SET) == -1)
[157]	3150	{
[182]	3151	regfi_log_add(REGFI_LOG_WARN, "Could not seek while "
	3152	"reading data at offset 0x%.8X.", offset);
[180]	3153	goto fail_locked;
[157]	3154	}
	3155
	3156	read_length = length;
[178]	3157	if((regfi_read(file->cb, ret_val.buf, &read_length) != 0)
[157]	3158	\|\| read_length != length)
	3159	{
[182]	3160	regfi_log_add(REGFI_LOG_ERROR, "Could not read data block while"
	3161	" parsing data record at offset 0x%.8X.", offset);
[180]	3162	goto fail_locked;
[157]	3163	}
	3164
[186]	3165	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_data"))
[180]	3166	goto fail;
	3167
[157]	3168	return ret_val;
[180]	3169
	3170	fail_locked:
[186]	3171	regfi_unlock(file, &file->cb_lock, "regfi_parse_data");
[180]	3172	fail:
	3173	talloc_free(ret_val.buf);
	3174	ret_val.buf = NULL;
	3175	ret_val.buf = 0;
	3176	return ret_val;
[157]	3177	}
	3178
	3179
	3180
	3181	/******************************************************************************
	3182	*
	3183	******************************************************************************/
[168]	3184	REGFI_BUFFER regfi_parse_little_data(REGFI_FILE* file, uint32_t voffset,
	3185	uint32_t length, bool strict)
[157]	3186	{
[173]	3187	uint8_t i;
[157]	3188	REGFI_BUFFER ret_val;
	3189
	3190	ret_val.buf = NULL;
	3191	ret_val.len = 0;
	3192
	3193	if(length > 4)
	3194	{
[182]	3195	regfi_log_add(REGFI_LOG_ERROR, "Data in offset but length > 4"
	3196	" while parsing data record. (voffset=0x%.8X, length=%d)",
	3197	voffset, length);
[157]	3198	return ret_val;
	3199	}
	3200
[168]	3201	if((ret_val.buf = talloc_array(NULL, uint8_t, length)) == NULL)
[157]	3202	return ret_val;
	3203	ret_val.len = length;
	3204
	3205	for(i = 0; i < length; i++)
[168]	3206	ret_val.buf[i] = (uint8_t)((voffset >> i*8) & 0xFF);
[157]	3207
	3208	return ret_val;
	3209	}
	3210
	3211	/******************************************************************************
[152]	3212	*******************************************************************************/
[168]	3213	REGFI_BUFFER regfi_parse_big_data_header(REGFI_FILE* file, uint32_t offset,
	3214	uint32_t max_size, bool strict)
[152]	3215	{
	3216	REGFI_BUFFER ret_val;
[168]	3217	uint32_t cell_length;
[152]	3218	bool unalloc;
[157]	3219
	3220	/* XXX: do something with unalloc? */
[168]	3221	ret_val.buf = (uint8_t*)talloc_array(NULL, uint8_t, REGFI_BIG_DATA_MIN_LENGTH);
[157]	3222	if(ret_val.buf == NULL)
[152]	3223	goto fail;
	3224
[157]	3225	if(REGFI_BIG_DATA_MIN_LENGTH > max_size)
	3226	{
[182]	3227	regfi_log_add(REGFI_LOG_WARN, "Big data header exceeded max_size "
	3228	"while parsing big data header at offset 0x%.8X.",offset);
[157]	3229	goto fail;
	3230	}
	3231
[186]	3232	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_big_data_header"))
[180]	3233	goto fail;
	3234
	3235
[178]	3236	if(!regfi_parse_cell(file->cb, offset, ret_val.buf, REGFI_BIG_DATA_MIN_LENGTH,
[152]	3237	&cell_length, &unalloc))
	3238	{
[182]	3239	regfi_log_add(REGFI_LOG_WARN, "Could not parse cell while"
	3240	" parsing big data header at offset 0x%.8X.", offset);
[180]	3241	goto fail_locked;
[152]	3242	}
[157]	3243
[186]	3244	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_header"))
[180]	3245	goto fail;
	3246
[157]	3247	if((ret_val.buf[0] != 'd') \|\| (ret_val.buf[1] != 'b'))
[152]	3248	{
[182]	3249	regfi_log_add(REGFI_LOG_WARN, "Unknown magic number"
	3250	" (0x%.2X, 0x%.2X) encountered while parsing"
	3251	" big data header at offset 0x%.8X.",
	3252	ret_val.buf[0], ret_val.buf[1], offset);
[152]	3253	goto fail;
	3254	}
	3255
[157]	3256	ret_val.len = REGFI_BIG_DATA_MIN_LENGTH;
	3257	return ret_val;
	3258
[180]	3259	fail_locked:
[186]	3260	regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_header");
[157]	3261	fail:
[180]	3262	talloc_free(ret_val.buf);
	3263	ret_val.buf = NULL;
[157]	3264	ret_val.len = 0;
	3265	return ret_val;
	3266	}
	3267
	3268
	3269
	3270	/******************************************************************************
	3271	*
	3272	******************************************************************************/
[168]	3273	uint32_t* regfi_parse_big_data_indirect(REGFI_FILE* file, uint32_t offset,
	3274	uint16_t num_chunks, bool strict)
[157]	3275	{
[168]	3276	uint32_t* ret_val;
	3277	uint32_t indirect_length;
	3278	int32_t max_size;
	3279	uint16_t i;
[157]	3280	bool unalloc;
	3281
	3282	/* XXX: do something with unalloc? */
	3283
	3284	max_size = regfi_calc_maxsize(file, offset);
[168]	3285	if((max_size < 0) \|\| (num_chunks*sizeof(uint32_t) + 4 > max_size))
[157]	3286	return NULL;
	3287
[168]	3288	ret_val = (uint32_t*)talloc_array(NULL, uint32_t, num_chunks);
[157]	3289	if(ret_val == NULL)
[152]	3290	goto fail;
	3291
[186]	3292	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_big_data_indirect"))
[180]	3293	goto fail;
	3294
[178]	3295	if(!regfi_parse_cell(file->cb, offset, (uint8_t*)ret_val,
[168]	3296	num_chunks*sizeof(uint32_t),
[152]	3297	&indirect_length, &unalloc))
	3298	{
[182]	3299	regfi_log_add(REGFI_LOG_WARN, "Could not parse cell while"
	3300	" parsing big data indirect record at offset 0x%.8X.",
	3301	offset);
[180]	3302	goto fail_locked;
[152]	3303	}
[157]	3304
[186]	3305	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_indirect"))
[180]	3306	goto fail;
	3307
[157]	3308	/* Convert pointers to proper endianess, verify they are aligned. */
	3309	for(i=0; i<num_chunks; i++)
[152]	3310	{
[168]	3311	ret_val[i] = IVAL(ret_val, i*sizeof(uint32_t));
[157]	3312	if((ret_val[i] & 0x00000007) != 0)
	3313	goto fail;
[152]	3314	}
[157]	3315
	3316	return ret_val;
[152]	3317
[180]	3318	fail_locked:
[186]	3319	regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_indirect");
[157]	3320	fail:
[180]	3321	talloc_free(ret_val);
[157]	3322	return NULL;
	3323	}
	3324
	3325
	3326	/******************************************************************************
	3327	* Arguments:
	3328	* file --
	3329	* offsets -- list of virtual offsets.
	3330	* num_chunks --
	3331	* strict --
	3332	*
	3333	* Returns:
	3334	* A range_list with physical offsets and complete lengths
	3335	* (including cell headers) of associated cells.
	3336	* No data in range_list elements.
	3337	******************************************************************************/
[168]	3338	range_list* regfi_parse_big_data_cells(REGFI_FILE* file, uint32_t* offsets,
	3339	uint16_t num_chunks, bool strict)
[157]	3340	{
[168]	3341	uint32_t cell_length, chunk_offset;
[157]	3342	range_list* ret_val;
[168]	3343	uint16_t i;
[157]	3344	bool unalloc;
	3345
	3346	/* XXX: do something with unalloc? */
	3347	ret_val = range_list_new();
	3348	if(ret_val == NULL)
	3349	goto fail;
	3350
[166]	3351	for(i=0; i<num_chunks; i++)
[152]	3352	{
[186]	3353	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_big_data_cells"))
[180]	3354	goto fail;
	3355
[157]	3356	chunk_offset = offsets[i]+REGFI_REGF_SIZE;
[178]	3357	if(!regfi_parse_cell(file->cb, chunk_offset, NULL, 0,
[157]	3358	&cell_length, &unalloc))
[152]	3359	{
[182]	3360	regfi_log_add(REGFI_LOG_WARN, "Could not parse cell while"
	3361	" parsing big data chunk at offset 0x%.8X.",
	3362	chunk_offset);
[180]	3363	goto fail_locked;
[152]	3364	}
	3365
[186]	3366	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_cells"))
[180]	3367	goto fail;
	3368
[157]	3369	if(!range_list_add(ret_val, chunk_offset, cell_length, NULL))
	3370	goto fail;
	3371	}
	3372
	3373	return ret_val;
	3374
[180]	3375	fail_locked:
[186]	3376	regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_cells");
[157]	3377	fail:
	3378	if(ret_val != NULL)
	3379	range_list_free(ret_val);
	3380	return NULL;
	3381	}
	3382
	3383
	3384	/******************************************************************************
	3385	*******************************************************************************/
	3386	REGFI_BUFFER regfi_load_big_data(REGFI_FILE* file,
[168]	3387	uint32_t offset, uint32_t data_length,
	3388	uint32_t cell_length, range_list* used_ranges,
[157]	3389	bool strict)
	3390	{
	3391	REGFI_BUFFER ret_val;
[168]	3392	uint16_t num_chunks, i;
	3393	uint32_t read_length, data_left, tmp_len, indirect_offset;
	3394	uint32_t* indirect_ptrs = NULL;
[157]	3395	REGFI_BUFFER bd_header;
	3396	range_list* bd_cells = NULL;
	3397	const range_list_element* cell_info;
	3398
	3399	ret_val.buf = NULL;
	3400
	3401	/* XXX: Add better error/warning messages */
	3402
	3403	bd_header = regfi_parse_big_data_header(file, offset, cell_length, strict);
	3404	if(bd_header.buf == NULL)
	3405	goto fail;
	3406
	3407	/* Keep track of used space for use by reglookup-recover */
	3408	if(used_ranges != NULL)
	3409	if(!range_list_add(used_ranges, offset, cell_length, NULL))
	3410	goto fail;
	3411
	3412	num_chunks = SVAL(bd_header.buf, 0x2);
	3413	indirect_offset = IVAL(bd_header.buf, 0x4) + REGFI_REGF_SIZE;
	3414	talloc_free(bd_header.buf);
	3415
	3416	indirect_ptrs = regfi_parse_big_data_indirect(file, indirect_offset,
	3417	num_chunks, strict);
	3418	if(indirect_ptrs == NULL)
	3419	goto fail;
	3420
	3421	if(used_ranges != NULL)
	3422	if(!range_list_add(used_ranges, indirect_offset, num_chunks*4+4, NULL))
	3423	goto fail;
	3424
	3425	if((ret_val.buf = talloc_array(NULL, uint8_t, data_length)) == NULL)
	3426	goto fail;
	3427	data_left = data_length;
	3428
	3429	bd_cells = regfi_parse_big_data_cells(file, indirect_ptrs, num_chunks, strict);
	3430	if(bd_cells == NULL)
	3431	goto fail;
	3432
	3433	talloc_free(indirect_ptrs);
	3434	indirect_ptrs = NULL;
	3435
	3436	for(i=0; (i<num_chunks) && (data_left>0); i++)
	3437	{
	3438	cell_info = range_list_get(bd_cells, i);
	3439	if(cell_info == NULL)
	3440	goto fail;
	3441
	3442	/* XXX: This should be "cell_info->length-4" to account for the 4 byte cell
[154]	3443	* length. However, it has been observed that some (all?) chunks
	3444	* have an additional 4 bytes of 0 at the end of their cells that
	3445	* isn't part of the data, so we're trimming that off too.
[157]	3446	* Perhaps it's just an 8 byte alignment requirement...
[154]	3447	*/
[157]	3448	if(cell_info->length - 8 >= data_left)
	3449	{
	3450	if(i+1 != num_chunks)
	3451	{
[182]	3452	regfi_log_add(REGFI_LOG_WARN, "Left over chunks detected "
	3453	"while constructing big data at offset 0x%.8X "
	3454	"(chunk offset 0x%.8X).", offset, cell_info->offset);
[157]	3455	}
[152]	3456	read_length = data_left;
[157]	3457	}
[152]	3458	else
[157]	3459	read_length = cell_info->length - 8;
[152]	3460
[157]	3461
	3462	if(read_length > regfi_calc_maxsize(file, cell_info->offset))
	3463	{
[182]	3464	regfi_log_add(REGFI_LOG_WARN, "A chunk exceeded the maxsize "
	3465	"while constructing big data at offset 0x%.8X "
	3466	"(chunk offset 0x%.8X).", offset, cell_info->offset);
[157]	3467	goto fail;
	3468	}
	3469
[186]	3470	if(!regfi_lock(file, &file->cb_lock, "regfi_load_big_data"))
[180]	3471	goto fail;
	3472
[178]	3473	if(regfi_seek(file->cb, cell_info->offset+sizeof(uint32_t), SEEK_SET) == -1)
[157]	3474	{
[182]	3475	regfi_log_add(REGFI_LOG_WARN, "Could not seek to chunk while "
	3476	"constructing big data at offset 0x%.8X "
	3477	"(chunk offset 0x%.8X).", offset, cell_info->offset);
[180]	3478	goto fail_locked;
[157]	3479	}
	3480
	3481	tmp_len = read_length;
[178]	3482	if(regfi_read(file->cb, ret_val.buf+(data_length-data_left),
[157]	3483	&read_length) != 0 \|\| (read_length != tmp_len))
[152]	3484	{
[182]	3485	regfi_log_add(REGFI_LOG_WARN, "Could not read data chunk while"
	3486	" constructing big data at offset 0x%.8X"
	3487	" (chunk offset 0x%.8X).", offset, cell_info->offset);
[180]	3488	goto fail_locked;
[152]	3489	}
	3490
[186]	3491	if(!regfi_unlock(file, &file->cb_lock, "regfi_load_big_data"))
[180]	3492	goto fail;
	3493
[157]	3494	if(used_ranges != NULL)
	3495	if(!range_list_add(used_ranges, cell_info->offset,cell_info->length,NULL))
	3496	goto fail;
	3497
[152]	3498	data_left -= read_length;
	3499	}
[157]	3500	range_list_free(bd_cells);
	3501
[152]	3502	ret_val.len = data_length-data_left;
	3503	return ret_val;
	3504
[180]	3505	fail_locked:
[186]	3506	regfi_unlock(file, &file->cb_lock, "regfi_load_big_data");
[152]	3507	fail:
[180]	3508	talloc_free(ret_val.buf);
	3509	talloc_free(indirect_ptrs);
[157]	3510	if(bd_cells != NULL)
	3511	range_list_free(bd_cells);
[152]	3512	ret_val.buf = NULL;
	3513	ret_val.len = 0;
	3514	return ret_val;
	3515	}
	3516
	3517
[135]	3518	range_list* regfi_parse_unalloc_cells(REGFI_FILE* file)
[110]	3519	{
	3520	range_list* ret_val;
[135]	3521	REGFI_HBIN* hbin;
[110]	3522	const range_list_element* hbins_elem;
[168]	3523	uint32_t i, num_hbins, curr_off, cell_len;
[110]	3524	bool is_unalloc;
	3525
	3526	ret_val = range_list_new();
	3527	if(ret_val == NULL)
	3528	return NULL;
	3529
[186]	3530	if(!regfi_read_lock(file, &file->hbins_lock, "regfi_parse_unalloc_cells"))
[180]	3531	{
	3532	range_list_free(ret_val);
	3533	return NULL;
	3534	}
	3535
[110]	3536	num_hbins = range_list_size(file->hbins);
	3537	for(i=0; i<num_hbins; i++)
	3538	{
	3539	hbins_elem = range_list_get(file->hbins, i);
	3540	if(hbins_elem == NULL)
	3541	break;
[135]	3542	hbin = (REGFI_HBIN*)hbins_elem->data;
[110]	3543
[135]	3544	curr_off = REGFI_HBIN_HEADER_SIZE;
[110]	3545	while(curr_off < hbin->block_size)
	3546	{
[186]	3547	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_unalloc_cells"))
[180]	3548	break;
	3549
[178]	3550	if(!regfi_parse_cell(file->cb, hbin->file_off+curr_off, NULL, 0,
[110]	3551	&cell_len, &is_unalloc))
[180]	3552	{
[186]	3553	regfi_unlock(file, &file->cb_lock, "regfi_parse_unalloc_cells");
[110]	3554	break;
[180]	3555	}
	3556
[186]	3557	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_unalloc_cells"))
[180]	3558	break;
	3559
[157]	3560	if((cell_len == 0) \|\| ((cell_len & 0x00000007) != 0))
[140]	3561	{
[182]	3562	regfi_log_add(REGFI_LOG_ERROR, "Bad cell length encountered"
	3563	" while parsing unallocated cells at offset 0x%.8X.",
	3564	hbin->file_off+curr_off);
[110]	3565	break;
[140]	3566	}
	3567
[110]	3568	/* for some reason the record_size of the last record in
	3569	an hbin block can extend past the end of the block
	3570	even though the record fits within the remaining
	3571	space....aaarrrgggghhhhhh */
	3572	if(curr_off + cell_len >= hbin->block_size)
	3573	cell_len = hbin->block_size - curr_off;
	3574
	3575	if(is_unalloc)
	3576	range_list_add(ret_val, hbin->file_off+curr_off,
	3577	cell_len, NULL);
	3578
	3579	curr_off = curr_off+cell_len;
	3580	}
	3581	}
	3582
[186]	3583	if(!regfi_rw_unlock(file, &file->hbins_lock, "regfi_parse_unalloc_cells"))
[180]	3584	{
	3585	range_list_free(ret_val);
	3586	return NULL;
	3587	}
	3588
[110]	3589	return ret_val;
	3590	}
[168]	3591
	3592
	3593	/* From lib/time.c */
	3594
	3595	/****************************************************************************
	3596	Put a 8 byte filetime from a time_t
	3597	This takes real GMT as input and converts to kludge-GMT
	3598	****************************************************************************/
	3599	void regfi_unix2nt_time(REGFI_NTTIME *nt, time_t t)
	3600	{
	3601	double d;
	3602
	3603	if (t==0)
	3604	{
	3605	nt->low = 0;
	3606	nt->high = 0;
	3607	return;
	3608	}
	3609
	3610	if (t == TIME_T_MAX)
	3611	{
	3612	nt->low = 0xffffffff;
	3613	nt->high = 0x7fffffff;
	3614	return;
	3615	}
	3616
	3617	if (t == -1)
	3618	{
	3619	nt->low = 0xffffffff;
	3620	nt->high = 0xffffffff;
	3621	return;
	3622	}
	3623
	3624	/* this converts GMT to kludge-GMT */
	3625	/* XXX: This was removed due to difficult dependency requirements.
	3626	* So far, times appear to be correct without this adjustment, but
	3627	* that may be proven wrong with adequate testing.
	3628	*/
	3629	/* t -= TimeDiff(t) - get_serverzone(); */
	3630
	3631	d = (double)(t);
	3632	d += TIME_FIXUP_CONSTANT;
	3633	d *= 1.0e7;
	3634
	3635	nt->high = (uint32_t)(d * (1.0/(4.0*(double)(1<<30))));
	3636	nt->low = (uint32_t)(d - ((double)nt->high)4.0(double)(1<<30));
	3637	}
	3638
	3639
	3640	/****************************************************************************
	3641	Interpret an 8 byte "filetime" structure to a time_t
	3642	It's originally in "100ns units since jan 1st 1601"
	3643
	3644	An 8 byte value of 0xffffffffffffffff will be returned as (time_t)0.
	3645
	3646	It appears to be kludge-GMT (at least for file listings). This means
	3647	its the GMT you get by taking a localtime and adding the
	3648	serverzone. This is NOT the same as GMT in some cases. This routine
	3649	converts this to real GMT.
	3650	****************************************************************************/
	3651	time_t regfi_nt2unix_time(const REGFI_NTTIME* nt)
	3652	{
	3653	double d;
	3654	time_t ret;
	3655	/* The next two lines are a fix needed for the
	3656	broken SCO compiler. JRA. */
	3657	time_t l_time_min = TIME_T_MIN;
	3658	time_t l_time_max = TIME_T_MAX;
	3659
	3660	if (nt->high == 0 \|\| (nt->high == 0xffffffff && nt->low == 0xffffffff))
	3661	return(0);
	3662
	3663	d = ((double)nt->high)4.0(double)(1<<30);
	3664	d += (nt->low&0xFFF00000);
	3665	d *= 1.0e-7;
	3666
	3667	/* now adjust by 369 years to make the secs since 1970 */
	3668	d -= TIME_FIXUP_CONSTANT;
	3669
	3670	if (d <= l_time_min)
	3671	return (l_time_min);
	3672
	3673	if (d >= l_time_max)
	3674	return (l_time_max);
	3675
	3676	ret = (time_t)(d+0.5);
	3677
	3678	/* this takes us from kludge-GMT to real GMT */
	3679	/* XXX: This was removed due to difficult dependency requirements.
	3680	* So far, times appear to be correct without this adjustment, but
	3681	* that may be proven wrong with adequate testing.
	3682	*/
	3683	/*
	3684	ret -= get_serverzone();
	3685	ret += LocTimeDiff(ret);
	3686	*/
	3687
	3688	return(ret);
	3689	}
	3690
	3691	/* End of stuff from lib/time.c */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: