Context Navigation

source: trunk/lib/regfi.c @ 219

Last change on this file since 219 was 219, checked in by tim, 13 years ago
updated time conversion to return a double for more precision added modified attribute to keys to obtain user friendly time value added accessor for key classnames converted data attributes to functions to make workload more explicit
Property svn:keywords set to `Id`
File size: 100.6 KB

Rev	Line
[30]	1	/*
[169]	2	* Copyright (C) 2005-2010 Timothy D. Morgan
[30]	3	* Copyright (C) 2005 Gerald (Jerry) Carter
	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of the GNU General Public License as published by
[111]	7	* the Free Software Foundation; version 3 of the License.
[30]	8	*
	9	* This program is distributed in the hope that it will be useful,
	10	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	* GNU General Public License for more details.
	13	*
	14	* You should have received a copy of the GNU General Public License
	15	* along with this program; if not, write to the Free Software
[161]	16	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
[30]	17	*
	18	* $Id: regfi.c 219 2011-03-31 04:29:09Z tim $
	19	*/
	20
[169]	21	/**
	22	* @file
	23	*
	24	* Windows NT (and later) read-only registry library
	25	*
	26	* See @ref regfi.h for more information.
	27	*
	28	* Branched from Samba project Subversion repository, version #7470:
	29	* http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/registry/regfio.c?rev=7470&view=auto
	30	*
	31	* Since then, it has been heavily rewritten, simplified, and improved.
	32	*/
[168]	33
[147]	34	#include "regfi.h"
[30]	35
	36
[32]	37	/* Registry types mapping */
[78]	38	const unsigned int regfi_num_reg_types = 12;
	39	static const char* regfi_type_names[] =
[65]	40	{"NONE", "SZ", "EXPAND_SZ", "BINARY", "DWORD", "DWORD_BE", "LINK",
[72]	41	"MULTI_SZ", "RSRC_LIST", "RSRC_DESC", "RSRC_REQ_LIST", "QWORD"};
[30]	42
[161]	43	const char* regfi_encoding_names[] =
	44	{"US-ASCII//TRANSLIT", "UTF-8//TRANSLIT", "UTF-16LE//TRANSLIT"};
[32]	45
[135]	46
[185]	47	/* Ensures regfi_init runs only once */
	48	static pthread_once_t regfi_init_once = PTHREAD_ONCE_INIT;
[182]	49
[185]	50
	51
[135]	52	/******************************************************************************
	53	******************************************************************************/
[185]	54	void regfi_log_free(void* ptr)
[135]	55	{
[185]	56	REGFI_LOG* log_info = (REGFI_LOG*)ptr;
	57
	58	if(log_info->messages != NULL)
	59	free(log_info->messages);
	60
	61	talloc_free(log_info);
	62	}
	63
	64
	65	/******************************************************************************
	66	******************************************************************************/
	67	void regfi_init()
	68	{
	69	int err;
	70	if((err = pthread_key_create(&regfi_log_key, regfi_log_free)) != 0)
	71	fprintf(stderr, "ERROR: key_create: %s\n", strerror(err));
	72	errno = err;
	73	}
	74
	75
	76	/******************************************************************************
	77	******************************************************************************/
	78	REGFI_LOG* regfi_log_new()
	79	{
	80	int err;
[182]	81	REGFI_LOG* log_info = talloc(NULL, REGFI_LOG);
	82	if(log_info == NULL)
[185]	83	return NULL;
[182]	84
[185]	85	log_info->msg_mask = REGFI_DEFAULT_LOG_MASK;
[182]	86	log_info->messages = NULL;
	87
[185]	88	pthread_once(&regfi_init_once, regfi_init);
[182]	89
[185]	90	if((err = pthread_setspecific(regfi_log_key, log_info)) != 0)
[182]	91	{
[185]	92	fprintf(stderr, "ERROR: setspecific: %s\n", strerror(err));
[182]	93	goto fail;
	94	}
	95
[185]	96	return log_info;
[182]	97
	98	fail:
	99	talloc_free(log_info);
[185]	100	errno = err;
	101	return NULL;
[182]	102	}
	103
	104
	105	/******************************************************************************
	106	******************************************************************************/
	107	void regfi_log_add(uint16_t msg_type, const char* fmt, ...)
	108	{
	109	/* XXX: Switch internal storage over to a linked list or stack.
	110	* Then add a regfi_log_get function that returns the list in some
	111	* convenient, user-friendly data structure. regfi_log_get_str should
	112	* stick around and will simply smush the list into a big string when
	113	* it's called, rather than having messages smushed when they're first
	114	* written to the log.
[135]	115	*/
[168]	116	uint32_t buf_size, buf_used;
[136]	117	char* new_msg;
[182]	118	REGFI_LOG* log_info;
[136]	119	va_list args;
[135]	120
[185]	121	log_info = (REGFI_LOG*)pthread_getspecific(regfi_log_key);
	122	if(log_info == NULL && (log_info = regfi_log_new()) == NULL)
[182]	123	return;
	124
[185]	125	if((log_info->msg_mask & msg_type) == 0)
	126	return;
	127
[182]	128	if(log_info->messages == NULL)
	129	buf_used = 0;
	130	else
	131	buf_used = strlen(log_info->messages);
	132
	133	buf_size = buf_used+strlen(fmt)+160;
	134	new_msg = realloc(log_info->messages, buf_size);
	135	if(new_msg == NULL)
	136	/* XXX: should we report this? */
	137	return;
	138
	139	switch (msg_type)
[138]	140	{
[182]	141	case REGFI_LOG_INFO:
	142	strcpy(new_msg+buf_used, "INFO: ");
	143	buf_used += 6;
	144	break;
	145	case REGFI_LOG_WARN:
	146	strcpy(new_msg+buf_used, "WARN: ");
	147	buf_used += 6;
	148	break;
	149	case REGFI_LOG_ERROR:
	150	strcpy(new_msg+buf_used, "ERROR: ");
	151	buf_used += 7;
	152	break;
[138]	153	}
[182]	154
	155	va_start(args, fmt);
	156	vsnprintf(new_msg+buf_used, buf_size-buf_used, fmt, args);
	157	va_end(args);
	158	strncat(new_msg, "\n", buf_size-1);
	159
	160	log_info->messages = new_msg;
[135]	161	}
	162
	163
	164	/******************************************************************************
	165	******************************************************************************/
[182]	166	char* regfi_log_get_str()
[135]	167	{
[182]	168	char* ret_val;
[185]	169	REGFI_LOG* log_info = (REGFI_LOG*)pthread_getspecific(regfi_log_key);
	170	if(log_info == NULL && (log_info = regfi_log_new()) == NULL)
[182]	171	return NULL;
[185]	172
[182]	173	ret_val = log_info->messages;
	174	log_info->messages = NULL;
	175
[135]	176	return ret_val;
	177	}
	178
	179
[182]	180	/******************************************************************************
	181	******************************************************************************/
[185]	182	bool regfi_log_set_mask(uint16_t msg_mask)
[138]	183	{
[185]	184	REGFI_LOG* log_info = (REGFI_LOG*)pthread_getspecific(regfi_log_key);
	185	if(log_info == NULL && (log_info = regfi_log_new()) == NULL)
	186	{
	187	return false;
	188	}
[182]	189
	190	log_info->msg_mask = msg_mask;
[185]	191	return true;
[138]	192	}
	193
	194
[161]	195	/******************************************************************************
	196	* Returns NULL for an invalid e
	197	*****************************************************************************/
	198	static const char* regfi_encoding_int2str(REGFI_ENCODING e)
	199	{
	200	if(e < REGFI_NUM_ENCODINGS)
	201	return regfi_encoding_names[e];
	202
	203	return NULL;
	204	}
	205
	206
	207	/******************************************************************************
	208	* Returns NULL for an invalid val
	209	*****************************************************************************/
[78]	210	const char* regfi_type_val2str(unsigned int val)
[32]	211	{
[61]	212	if(val == REG_KEY)
	213	return "KEY";
	214
[78]	215	if(val >= regfi_num_reg_types)
[61]	216	return NULL;
	217
[78]	218	return regfi_type_names[val];
[32]	219	}
	220
	221
[161]	222	/******************************************************************************
	223	* Returns -1 on error
	224	*****************************************************************************/
[78]	225	int regfi_type_str2val(const char* str)
[32]	226	{
	227	int i;
	228
[61]	229	if(strcmp("KEY", str) == 0)
	230	return REG_KEY;
[32]	231
[78]	232	for(i=0; i < regfi_num_reg_types; i++)
	233	if (strcmp(regfi_type_names[i], str) == 0)
[61]	234	return i;
	235
	236	if(strcmp("DWORD_LE", str) == 0)
	237	return REG_DWORD_LE;
	238
	239	return -1;
[32]	240	}
	241
	242
[135]	243	/* Security descriptor formatting functions */
[53]	244
[168]	245	const char* regfi_ace_type2str(uint8_t type)
[53]	246	{
	247	static const char* map[7]
	248	= {"ALLOW", "DENY", "AUDIT", "ALARM",
	249	"ALLOW CPD", "OBJ ALLOW", "OBJ DENY"};
	250	if(type < 7)
	251	return map[type];
	252	else
	253	/* XXX: would be nice to return the unknown integer value.
	254	* However, as it is a const string, it can't be free()ed later on,
	255	* so that would need to change.
	256	*/
	257	return "UNKNOWN";
	258	}
	259
	260
[76]	261	/* XXX: need a better reference on the meaning of each flag. */
	262	/* For more info, see:
	263	* http://msdn2.microsoft.com/en-us/library/aa772242.aspx
	264	*/
[168]	265	char* regfi_ace_flags2str(uint8_t flags)
[53]	266	{
[76]	267	static const char* flag_map[32] =
[87]	268	{ "OI", /* Object Inherit */
	269	"CI", /* Container Inherit */
	270	"NP", /* Non-Propagate */
	271	"IO", /* Inherit Only */
	272	"IA", /* Inherited ACE */
[76]	273	NULL,
	274	NULL,
	275	NULL,
	276	};
[53]	277
[76]	278	char* ret_val = malloc(35*sizeof(char));
	279	char* fo = ret_val;
[168]	280	uint32_t i;
	281	uint8_t f;
[76]	282
	283	if(ret_val == NULL)
[53]	284	return NULL;
	285
[76]	286	fo[0] = '\0';
[53]	287	if (!flags)
[76]	288	return ret_val;
[53]	289
[76]	290	for(i=0; i < 8; i++)
	291	{
	292	f = (1<<i);
	293	if((flags & f) && (flag_map[i] != NULL))
	294	{
	295	strcpy(fo, flag_map[i]);
	296	fo += strlen(flag_map[i]);
	297	*(fo++) = ' ';
	298	flags ^= f;
	299	}
[53]	300	}
[76]	301
	302	/* Any remaining unknown flags are added at the end in hex. */
	303	if(flags != 0)
	304	sprintf(fo, "0x%.2X ", flags);
	305
	306	/* Chop off the last space if we've written anything to ret_val */
	307	if(fo != ret_val)
	308	fo[-1] = '\0';
	309
	310	return ret_val;
[53]	311	}
	312
	313
[168]	314	char* regfi_ace_perms2str(uint32_t perms)
[53]	315	{
[168]	316	uint32_t i, p;
[76]	317	/* This is more than is needed by a fair margin. */
	318	char* ret_val = malloc(350*sizeof(char));
	319	char* r = ret_val;
	320
	321	/* Each represents one of 32 permissions bits. NULL is for undefined/reserved bits.
	322	* For more information, see:
	323	* http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
	324	* http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
	325	*/
	326	static const char* perm_map[32] =
	327	{/* object-specific permissions (registry keys, in this case) */
	328	"QRY_VAL", /* KEY_QUERY_VALUE */
	329	"SET_VAL", /* KEY_SET_VALUE */
	330	"CREATE_KEY", /* KEY_CREATE_SUB_KEY */
	331	"ENUM_KEYS", /* KEY_ENUMERATE_SUB_KEYS */
	332	"NOTIFY", /* KEY_NOTIFY */
	333	"CREATE_LNK", /* KEY_CREATE_LINK - Reserved for system use. */
	334	NULL,
	335	NULL,
	336	"WOW64_64", /* KEY_WOW64_64KEY */
	337	"WOW64_32", /* KEY_WOW64_32KEY */
	338	NULL,
	339	NULL,
	340	NULL,
	341	NULL,
	342	NULL,
	343	NULL,
	344	/* standard access rights */
	345	"DELETE", /* DELETE */
	346	"R_CONT", /* READ_CONTROL */
	347	"W_DAC", /* WRITE_DAC */
	348	"W_OWNER", /* WRITE_OWNER */
	349	"SYNC", /* SYNCHRONIZE - Shouldn't be set in registries */
	350	NULL,
	351	NULL,
	352	NULL,
	353	/* other generic */
	354	"SYS_SEC", /* ACCESS_SYSTEM_SECURITY */
	355	"MAX_ALLWD", /* MAXIMUM_ALLOWED */
	356	NULL,
	357	NULL,
	358	"GEN_A", /* GENERIC_ALL */
	359	"GEN_X", /* GENERIC_EXECUTE */
	360	"GEN_W", /* GENERIC_WRITE */
	361	"GEN_R", /* GENERIC_READ */
	362	};
	363
	364
[53]	365	if(ret_val == NULL)
	366	return NULL;
	367
[76]	368	r[0] = '\0';
	369	for(i=0; i < 32; i++)
	370	{
	371	p = (1<<i);
	372	if((perms & p) && (perm_map[i] != NULL))
	373	{
	374	strcpy(r, perm_map[i]);
	375	r += strlen(perm_map[i]);
	376	*(r++) = ' ';
	377	perms ^= p;
	378	}
	379	}
	380
	381	/* Any remaining unknown permission bits are added at the end in hex. */
	382	if(perms != 0)
	383	sprintf(r, "0x%.8X ", perms);
[53]	384
[76]	385	/* Chop off the last space if we've written anything to ret_val */
	386	if(r != ret_val)
	387	r[-1] = '\0';
	388
[53]	389	return ret_val;
	390	}
	391
	392
[134]	393	char* regfi_sid2str(WINSEC_DOM_SID* sid)
[53]	394	{
[168]	395	uint32_t i, size = WINSEC_MAX_SUBAUTHS*11 + 24;
	396	uint32_t left = size;
	397	uint8_t comps = sid->num_auths;
[53]	398	char* ret_val = malloc(size);
	399
	400	if(ret_val == NULL)
	401	return NULL;
	402
[134]	403	if(comps > WINSEC_MAX_SUBAUTHS)
	404	comps = WINSEC_MAX_SUBAUTHS;
[53]	405
	406	left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]);
	407
	408	for (i = 0; i < comps; i++)
	409	left -= snprintf(ret_val+(size-left), left, "-%u", sid->sub_auths[i]);
	410
	411	return ret_val;
	412	}
	413
	414
[134]	415	char* regfi_get_acl(WINSEC_ACL* acl)
[53]	416	{
[168]	417	uint32_t i, extra, size = 0;
[53]	418	const char* type_str;
	419	char* flags_str;
	420	char* perms_str;
	421	char* sid_str;
[61]	422	char* ace_delim = "";
[53]	423	char* ret_val = NULL;
[61]	424	char* tmp_val = NULL;
	425	bool failed = false;
[53]	426	char field_delim = ':';
	427
[61]	428	for (i = 0; i < acl->num_aces && !failed; i++)
[53]	429	{
[134]	430	sid_str = regfi_sid2str(acl->aces[i]->trustee);
	431	type_str = regfi_ace_type2str(acl->aces[i]->type);
	432	perms_str = regfi_ace_perms2str(acl->aces[i]->access_mask);
	433	flags_str = regfi_ace_flags2str(acl->aces[i]->flags);
[53]	434
[61]	435	if(flags_str != NULL && perms_str != NULL
	436	&& type_str != NULL && sid_str != NULL)
	437	{
	438	/* XXX: this is slow */
	439	extra = strlen(sid_str) + strlen(type_str)
[136]	440	+ strlen(perms_str) + strlen(flags_str) + 5;
[61]	441	tmp_val = realloc(ret_val, size+extra);
[53]	442
[61]	443	if(tmp_val == NULL)
	444	{
	445	free(ret_val);
[136]	446	ret_val = NULL;
[61]	447	failed = true;
	448	}
	449	else
	450	{
	451	ret_val = tmp_val;
[148]	452	size += sprintf(ret_val+size, "%s%s%c%s%c%s%c%s",
	453	ace_delim,sid_str,
	454	field_delim,type_str,
	455	field_delim,perms_str,
	456	field_delim,flags_str);
[61]	457	ace_delim = "\|";
	458	}
	459	}
	460	else
	461	failed = true;
	462
	463	if(sid_str != NULL)
	464	free(sid_str);
	465	if(sid_str != NULL)
	466	free(perms_str);
	467	if(sid_str != NULL)
	468	free(flags_str);
[53]	469	}
	470
	471	return ret_val;
	472	}
	473
	474
[134]	475	char* regfi_get_sacl(WINSEC_DESC *sec_desc)
[53]	476	{
	477	if (sec_desc->sacl)
[78]	478	return regfi_get_acl(sec_desc->sacl);
[53]	479	else
	480	return NULL;
	481	}
	482
	483
[134]	484	char* regfi_get_dacl(WINSEC_DESC *sec_desc)
[53]	485	{
	486	if (sec_desc->dacl)
[78]	487	return regfi_get_acl(sec_desc->dacl);
[53]	488	else
	489	return NULL;
	490	}
	491
	492
[134]	493	char* regfi_get_owner(WINSEC_DESC *sec_desc)
[53]	494	{
[78]	495	return regfi_sid2str(sec_desc->owner_sid);
[53]	496	}
	497
	498
[134]	499	char* regfi_get_group(WINSEC_DESC *sec_desc)
[53]	500	{
[78]	501	return regfi_sid2str(sec_desc->grp_sid);
[53]	502	}
	503
	504
[180]	505	bool regfi_read_lock(REGFI_FILE* file, pthread_rwlock_t* lock, const char* context)
	506	{
	507	int lock_ret = pthread_rwlock_rdlock(lock);
	508	if(lock_ret != 0)
	509	{
[182]	510	regfi_log_add(REGFI_LOG_ERROR, "Error obtaining read lock in"
[180]	511	"%s due to: %s\n", context, strerror(lock_ret));
	512	return false;
	513	}
	514
	515	return true;
	516	}
	517
	518
	519	bool regfi_write_lock(REGFI_FILE* file, pthread_rwlock_t* lock, const char* context)
	520	{
	521	int lock_ret = pthread_rwlock_wrlock(lock);
	522	if(lock_ret != 0)
	523	{
[182]	524	regfi_log_add(REGFI_LOG_ERROR, "Error obtaining write lock in"
[180]	525	"%s due to: %s\n", context, strerror(lock_ret));
	526	return false;
	527	}
	528
	529	return true;
	530	}
	531
	532
	533	bool regfi_rw_unlock(REGFI_FILE* file, pthread_rwlock_t* lock, const char* context)
	534	{
	535	int lock_ret = pthread_rwlock_unlock(lock);
	536	if(lock_ret != 0)
	537	{
[182]	538	regfi_log_add(REGFI_LOG_ERROR, "Error releasing lock in"
[180]	539	"%s due to: %s\n", context, strerror(lock_ret));
	540	return false;
	541	}
	542
	543	return true;
	544	}
	545
	546
	547	bool regfi_lock(REGFI_FILE* file, pthread_mutex_t* lock, const char* context)
	548	{
	549	int lock_ret = pthread_mutex_lock(lock);
	550	if(lock_ret != 0)
	551	{
[182]	552	regfi_log_add(REGFI_LOG_ERROR, "Error obtaining mutex lock in"
[180]	553	"%s due to: %s\n", context, strerror(lock_ret));
	554	return false;
	555	}
	556
	557	return true;
	558	}
	559
	560
	561	bool regfi_unlock(REGFI_FILE* file, pthread_mutex_t* lock, const char* context)
	562	{
	563	int lock_ret = pthread_mutex_unlock(lock);
	564	if(lock_ret != 0)
	565	{
[182]	566	regfi_log_add(REGFI_LOG_ERROR, "Error releasing mutex lock in"
[180]	567	"%s due to: %s\n", context, strerror(lock_ret));
	568	return false;
	569	}
	570
	571	return true;
	572	}
	573
	574
[178]	575	off_t regfi_raw_seek(REGFI_RAW_FILE* self, off_t offset, int whence)
	576	{
	577	return lseek((int)self->state, offset, whence);
	578	}
	579
	580	ssize_t regfi_raw_read(REGFI_RAW_FILE* self, void* buf, size_t count)
	581	{
	582	return read((int)self->state, buf, count);
	583	}
	584
	585
[101]	586	/*****************************************************************************
[178]	587	* Convenience function to wrap up the ugly callback stuff
	588	*****************************************************************************/
	589	off_t regfi_seek(REGFI_RAW_FILE* file_cb, off_t offset, int whence)
	590	{
	591	return file_cb->seek(file_cb, offset, whence);
	592	}
	593
	594
	595	/*****************************************************************************
[101]	596	* This function is just like read(2), except that it continues to
	597	* re-try reading from the file descriptor if EINTR or EAGAIN is received.
[178]	598	* regfi_read will attempt to read length bytes from the file and write them to
	599	* buf.
[101]	600	*
	601	* On success, 0 is returned. Upon failure, an errno code is returned.
	602	*
	603	* The number of bytes successfully read is returned through the length
	604	* parameter by reference. If both the return value and length parameter are
	605	* returned as 0, then EOF was encountered immediately
	606	*****************************************************************************/
[178]	607	uint32_t regfi_read(REGFI_RAW_FILE* file_cb, uint8_t* buf, uint32_t* length)
[101]	608	{
[168]	609	uint32_t rsize = 0;
	610	uint32_t rret = 0;
[101]	611
	612	do
	613	{
[178]	614	rret = file_cb->read(file_cb, buf + rsize, *length - rsize);
[101]	615	if(rret > 0)
	616	rsize += rret;
	617	}while(*length - rsize > 0
	618	&& (rret > 0 \|\| (rret == -1 && (errno == EAGAIN \|\| errno == EINTR))));
	619
	620	*length = rsize;
	621	if (rret == -1 && errno != EINTR && errno != EAGAIN)
	622	return errno;
	623
	624	return 0;
	625	}
	626
	627
	628	/*****************************************************************************
	629	*
	630	*****************************************************************************/
[178]	631	bool regfi_parse_cell(REGFI_RAW_FILE* file_cb, uint32_t offset, uint8_t* hdr,
	632	uint32_t hdr_len, uint32_t* cell_length, bool* unalloc)
[101]	633	{
[168]	634	uint32_t length;
	635	int32_t raw_length;
	636	uint8_t tmp[4];
[101]	637
[178]	638	if(regfi_seek(file_cb, offset, SEEK_SET) == -1)
[101]	639	return false;
	640
	641	length = 4;
[178]	642	if((regfi_read(file_cb, tmp, &length) != 0) \|\| length != 4)
[101]	643	return false;
	644	raw_length = IVALS(tmp, 0);
	645
	646	if(raw_length < 0)
	647	{
	648	(cell_length) = raw_length(-1);
	649	(*unalloc) = false;
	650	}
	651	else
	652	{
	653	(*cell_length) = raw_length;
	654	(*unalloc) = true;
	655	}
	656
[103]	657	if(*cell_length - 4 < hdr_len)
	658	return false;
	659
	660	if(hdr_len > 0)
	661	{
	662	length = hdr_len;
[178]	663	if((regfi_read(file_cb, hdr, &length) != 0) \|\| length != hdr_len)
[103]	664	return false;
	665	}
	666
[101]	667	return true;
	668	}
	669
	670
[157]	671	/******************************************************************************
[106]	672	* Given an offset and an hbin, is the offset within that hbin?
	673	* The offset is a virtual file offset.
[157]	674	******************************************************************************/
[168]	675	static bool regfi_offset_in_hbin(const REGFI_HBIN* hbin, uint32_t voffset)
[30]	676	{
[106]	677	if(!hbin)
[31]	678	return false;
[106]	679
[145]	680	if((voffset > hbin->first_hbin_off)
	681	&& (voffset < (hbin->first_hbin_off + hbin->block_size)))
[31]	682	return true;
[30]	683
[31]	684	return false;
[30]	685	}
	686
	687
[106]	688
[157]	689	/******************************************************************************
	690	* Provide a physical offset and receive the correpsonding HBIN
[106]	691	* block for it. NULL if one doesn't exist.
[157]	692	******************************************************************************/
[168]	693	const REGFI_HBIN* regfi_lookup_hbin(REGFI_FILE* file, uint32_t offset)
[30]	694	{
[157]	695	return (const REGFI_HBIN*)range_list_find_data(file->hbins, offset);
[30]	696	}
	697
	698
[157]	699	/******************************************************************************
	700	* Calculate the largest possible cell size given a physical offset.
	701	* Largest size is based on the HBIN the offset is currently a member of.
	702	* Returns negative values on error.
	703	* (Since cells can only be ~2^31 in size, this works out.)
	704	******************************************************************************/
[168]	705	int32_t regfi_calc_maxsize(REGFI_FILE* file, uint32_t offset)
[157]	706	{
	707	const REGFI_HBIN* hbin = regfi_lookup_hbin(file, offset);
	708	if(hbin == NULL)
	709	return -1;
[139]	710
[157]	711	return (hbin->block_size + hbin->file_off) - offset;
	712	}
	713
	714
[139]	715	/******************************************************************************
	716	******************************************************************************/
[168]	717	REGFI_SUBKEY_LIST* regfi_load_subkeylist(REGFI_FILE* file, uint32_t offset,
	718	uint32_t num_keys, uint32_t max_size,
[139]	719	bool strict)
[127]	720	{
[135]	721	REGFI_SUBKEY_LIST* ret_val;
[134]	722
[139]	723	ret_val = regfi_load_subkeylist_aux(file, offset, max_size, strict,
	724	REGFI_MAX_SUBKEY_DEPTH);
[143]	725	if(ret_val == NULL)
	726	{
[182]	727	regfi_log_add(REGFI_LOG_WARN, "Failed to load subkey list at"
[143]	728	" offset 0x%.8X.", offset);
	729	return NULL;
	730	}
[139]	731
	732	if(num_keys != ret_val->num_keys)
	733	{
	734	/* Not sure which should be authoritative, the number from the
	735	* NK record, or the number in the subkey list. Just emit a warning for
	736	* now if they don't match.
	737	*/
[182]	738	regfi_log_add(REGFI_LOG_WARN, "Number of subkeys listed in parent"
[139]	739	" (%d) did not match number found in subkey list/tree (%d)"
	740	" while parsing subkey list/tree at offset 0x%.8X.",
	741	num_keys, ret_val->num_keys, offset);
	742	}
	743
	744	return ret_val;
	745	}
	746
	747
	748	/******************************************************************************
	749	******************************************************************************/
[168]	750	REGFI_SUBKEY_LIST* regfi_load_subkeylist_aux(REGFI_FILE* file, uint32_t offset,
	751	uint32_t max_size, bool strict,
	752	uint8_t depth_left)
[139]	753	{
	754	REGFI_SUBKEY_LIST* ret_val;
	755	REGFI_SUBKEY_LIST** sublists;
[168]	756	uint32_t i, num_sublists, off;
	757	int32_t sublist_maxsize;
[139]	758
	759	if(depth_left == 0)
	760	{
[182]	761	regfi_log_add(REGFI_LOG_WARN, "Maximum depth reached"
[139]	762	" while parsing subkey list/tree at offset 0x%.8X.",
	763	offset);
[127]	764	return NULL;
[139]	765	}
[134]	766
[139]	767	ret_val = regfi_parse_subkeylist(file, offset, max_size, strict);
[134]	768	if(ret_val == NULL)
	769	return NULL;
[139]	770
	771	if(ret_val->recursive_type)
[127]	772	{
[139]	773	num_sublists = ret_val->num_children;
[150]	774	sublists = (REGFI_SUBKEY_LIST**)malloc(num_sublists
[139]	775	* sizeof(REGFI_SUBKEY_LIST*));
	776	for(i=0; i < num_sublists; i++)
[127]	777	{
[139]	778	off = ret_val->elements[i].offset + REGFI_REGF_SIZE;
[157]	779
	780	sublist_maxsize = regfi_calc_maxsize(file, off);
	781	if(sublist_maxsize < 0)
[139]	782	sublists[i] = NULL;
	783	else
[157]	784	sublists[i] = regfi_load_subkeylist_aux(file, off, sublist_maxsize,
	785	strict, depth_left-1);
[127]	786	}
[150]	787	talloc_free(ret_val);
[134]	788
[139]	789	return regfi_merge_subkeylists(num_sublists, sublists, strict);
[127]	790	}
[30]	791
[127]	792	return ret_val;
	793	}
	794
	795
[139]	796	/******************************************************************************
	797	******************************************************************************/
[168]	798	REGFI_SUBKEY_LIST* regfi_parse_subkeylist(REGFI_FILE* file, uint32_t offset,
	799	uint32_t max_size, bool strict)
[30]	800	{
[135]	801	REGFI_SUBKEY_LIST* ret_val;
[168]	802	uint32_t i, cell_length, length, elem_size, read_len;
	803	uint8_t* elements = NULL;
	804	uint8_t buf[REGFI_SUBKEY_LIST_MIN_LEN];
[104]	805	bool unalloc;
[139]	806	bool recursive_type;
[30]	807
[186]	808	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_subkeylist"))
[180]	809	goto fail;
	810
[178]	811	if(!regfi_parse_cell(file->cb, offset, buf, REGFI_SUBKEY_LIST_MIN_LEN,
[104]	812	&cell_length, &unalloc))
[139]	813	{
[182]	814	regfi_log_add(REGFI_LOG_WARN, "Could not parse cell while "
[139]	815	"parsing subkey-list at offset 0x%.8X.", offset);
[180]	816	goto fail_locked;
[139]	817	}
[30]	818
[116]	819	if(cell_length > max_size)
	820	{
[182]	821	regfi_log_add(REGFI_LOG_WARN, "Cell size longer than max_size"
[139]	822	" while parsing subkey-list at offset 0x%.8X.", offset);
[116]	823	if(strict)
[180]	824	goto fail_locked;
[116]	825	cell_length = max_size & 0xFFFFFFF8;
	826	}
[30]	827
[139]	828	recursive_type = false;
[127]	829	if(buf[0] == 'r' && buf[1] == 'i')
[104]	830	{
[139]	831	recursive_type = true;
[168]	832	elem_size = sizeof(uint32_t);
[104]	833	}
[139]	834	else if(buf[0] == 'l' && buf[1] == 'i')
[203]	835	{
[168]	836	elem_size = sizeof(uint32_t);
[203]	837	}
[134]	838	else if((buf[0] == 'l') && (buf[1] == 'f' \|\| buf[1] == 'h'))
[135]	839	elem_size = sizeof(REGFI_SUBKEY_LIST_ELEM);
[134]	840	else
	841	{
[182]	842	regfi_log_add(REGFI_LOG_ERROR, "Unknown magic number"
[139]	843	" (0x%.2X, 0x%.2X) encountered while parsing"
	844	" subkey-list at offset 0x%.8X.", buf[0], buf[1], offset);
[180]	845	goto fail_locked;
[134]	846	}
	847
[150]	848	ret_val = talloc(NULL, REGFI_SUBKEY_LIST);
[127]	849	if(ret_val == NULL)
[180]	850	goto fail_locked;
[127]	851
	852	ret_val->offset = offset;
	853	ret_val->cell_size = cell_length;
[104]	854	ret_val->magic[0] = buf[0];
	855	ret_val->magic[1] = buf[1];
[139]	856	ret_val->recursive_type = recursive_type;
	857	ret_val->num_children = SVAL(buf, 0x2);
[101]	858
[139]	859	if(!recursive_type)
	860	ret_val->num_keys = ret_val->num_children;
[101]	861
[139]	862	length = elem_size*ret_val->num_children;
[168]	863	if(cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32_t) < length)
[134]	864	{
[182]	865	regfi_log_add(REGFI_LOG_WARN, "Number of elements too large for"
[139]	866	" cell while parsing subkey-list at offset 0x%.8X.",
	867	offset);
	868	if(strict)
[180]	869	goto fail_locked;
[168]	870	length = cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32_t);
[134]	871	}
[30]	872
[150]	873	ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM,
	874	ret_val->num_children);
[127]	875	if(ret_val->elements == NULL)
[180]	876	goto fail_locked;
[30]	877
[168]	878	elements = (uint8_t*)malloc(length);
[139]	879	if(elements == NULL)
[180]	880	goto fail_locked;
[30]	881
[150]	882	read_len = length;
[178]	883	if(regfi_read(file->cb, elements, &read_len) != 0 \|\| read_len!=length)
[180]	884	goto fail_locked;
[30]	885
[186]	886	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_subkeylist"))
[180]	887	goto fail;
	888
[168]	889	if(elem_size == sizeof(uint32_t))
[104]	890	{
[139]	891	for (i=0; i < ret_val->num_children; i++)
[134]	892	{
[139]	893	ret_val->elements[i].offset = IVAL(elements, i*elem_size);
[134]	894	ret_val->elements[i].hash = 0;
	895	}
[104]	896	}
[134]	897	else
	898	{
[139]	899	for (i=0; i < ret_val->num_children; i++)
[134]	900	{
[139]	901	ret_val->elements[i].offset = IVAL(elements, i*elem_size);
	902	ret_val->elements[i].hash = IVAL(elements, i*elem_size+4);
[134]	903	}
	904	}
[139]	905	free(elements);
[30]	906
[104]	907	return ret_val;
[150]	908
[180]	909	fail_locked:
[186]	910	regfi_unlock(file, &file->cb_lock, "regfi_parse_subkeylist");
[150]	911	fail:
	912	if(elements != NULL)
	913	free(elements);
	914	talloc_free(ret_val);
	915	return NULL;
[30]	916	}
	917
	918
[139]	919	/*******************************************************************
	920	*******************************************************************/
[168]	921	REGFI_SUBKEY_LIST* regfi_merge_subkeylists(uint16_t num_lists,
[139]	922	REGFI_SUBKEY_LIST** lists,
	923	bool strict)
	924	{
[168]	925	uint32_t i,j,k;
[139]	926	REGFI_SUBKEY_LIST* ret_val;
[102]	927
[139]	928	if(lists == NULL)
	929	return NULL;
[150]	930	ret_val = talloc(NULL, REGFI_SUBKEY_LIST);
[139]	931
	932	if(ret_val == NULL)
	933	return NULL;
	934
	935	/* Obtain total number of elements */
	936	ret_val->num_keys = 0;
	937	for(i=0; i < num_lists; i++)
	938	{
	939	if(lists[i] != NULL)
	940	ret_val->num_keys += lists[i]->num_children;
	941	}
	942	ret_val->num_children = ret_val->num_keys;
	943
	944	if(ret_val->num_keys > 0)
	945	{
[150]	946	ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM,
	947	ret_val->num_keys);
[139]	948	k=0;
	949
	950	if(ret_val->elements != NULL)
	951	{
	952	for(i=0; i < num_lists; i++)
	953	{
	954	if(lists[i] != NULL)
	955	{
	956	for(j=0; j < lists[i]->num_keys; j++)
	957	{
[150]	958	ret_val->elements[k].hash = lists[i]->elements[j].hash;
	959	ret_val->elements[k++].offset = lists[i]->elements[j].offset;
[139]	960	}
	961	}
	962	}
	963	}
	964	}
	965
	966	for(i=0; i < num_lists; i++)
[184]	967	talloc_free(lists[i]);
[139]	968	free(lists);
	969
	970	return ret_val;
	971	}
	972
	973
[147]	974	/******************************************************************************
	975	*
	976	******************************************************************************/
[203]	977	REGFI_SK* regfi_parse_sk(REGFI_FILE* file, uint32_t offset, uint32_t max_size,
[147]	978	bool strict)
[30]	979	{
[203]	980	REGFI_SK* ret_val = NULL;
[168]	981	uint8_t* sec_desc_buf = NULL;
	982	uint32_t cell_length, length;
	983	uint8_t sk_header[REGFI_SK_MIN_LENGTH];
[102]	984	bool unalloc = false;
[30]	985
[186]	986	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_sk"))
[180]	987	goto fail;
	988
[178]	989	if(!regfi_parse_cell(file->cb, offset, sk_header, REGFI_SK_MIN_LENGTH,
[102]	990	&cell_length, &unalloc))
[137]	991	{
[182]	992	regfi_log_add(REGFI_LOG_WARN, "Could not parse SK record cell"
[137]	993	" at offset 0x%.8X.", offset);
[180]	994	goto fail_locked;
[137]	995	}
[102]	996
	997	if(sk_header[0] != 's' \|\| sk_header[1] != 'k')
[137]	998	{
[182]	999	regfi_log_add(REGFI_LOG_WARN, "Magic number mismatch in parsing"
[138]	1000	" SK record at offset 0x%.8X.", offset);
[180]	1001	goto fail_locked;
[137]	1002	}
	1003
[203]	1004	ret_val = talloc(NULL, REGFI_SK);
[102]	1005	if(ret_val == NULL)
[180]	1006	goto fail_locked;
[30]	1007
[102]	1008	ret_val->offset = offset;
[116]	1009	/* XXX: Is there a way to be more conservative (shorter) with
	1010	* cell length when cell is unallocated?
[111]	1011	*/
[102]	1012	ret_val->cell_size = cell_length;
[30]	1013
[102]	1014	if(ret_val->cell_size > max_size)
	1015	ret_val->cell_size = max_size & 0xFFFFFFF8;
	1016	if((ret_val->cell_size < REGFI_SK_MIN_LENGTH)
[157]	1017	\|\| (strict && (ret_val->cell_size & 0x00000007) != 0))
[102]	1018	{
[182]	1019	regfi_log_add(REGFI_LOG_WARN, "Invalid cell size found while"
[138]	1020	" parsing SK record at offset 0x%.8X.", offset);
[180]	1021	goto fail_locked;
[102]	1022	}
[30]	1023
[102]	1024	ret_val->magic[0] = sk_header[0];
	1025	ret_val->magic[1] = sk_header[1];
[30]	1026
[102]	1027	ret_val->unknown_tag = SVAL(sk_header, 0x2);
	1028	ret_val->prev_sk_off = IVAL(sk_header, 0x4);
	1029	ret_val->next_sk_off = IVAL(sk_header, 0x8);
	1030	ret_val->ref_count = IVAL(sk_header, 0xC);
	1031	ret_val->desc_size = IVAL(sk_header, 0x10);
[30]	1032
[157]	1033	if((ret_val->prev_sk_off & 0x00000007) != 0
	1034	\|\| (ret_val->next_sk_off & 0x00000007) != 0)
[140]	1035	{
[182]	1036	regfi_log_add(REGFI_LOG_WARN, "SK record's next/previous offsets"
[140]	1037	" are not a multiple of 8 while parsing SK record at"
	1038	" offset 0x%.8X.", offset);
[180]	1039	goto fail_locked;
[140]	1040	}
	1041
[102]	1042	if(ret_val->desc_size + REGFI_SK_MIN_LENGTH > ret_val->cell_size)
	1043	{
[182]	1044	regfi_log_add(REGFI_LOG_WARN, "Security descriptor too large for"
[138]	1045	" cell while parsing SK record at offset 0x%.8X.",
	1046	offset);
[180]	1047	goto fail_locked;
[102]	1048	}
[30]	1049
[168]	1050	sec_desc_buf = (uint8_t*)malloc(ret_val->desc_size);
[147]	1051	if(sec_desc_buf == NULL)
[180]	1052	goto fail_locked;
[102]	1053
[134]	1054	length = ret_val->desc_size;
[178]	1055	if(regfi_read(file->cb, sec_desc_buf, &length) != 0
[134]	1056	\|\| length != ret_val->desc_size)
	1057	{
[182]	1058	regfi_log_add(REGFI_LOG_ERROR, "Failed to read security"
[138]	1059	" descriptor while parsing SK record at offset 0x%.8X.",
	1060	offset);
[180]	1061	goto fail_locked;
[134]	1062	}
[102]	1063
[186]	1064	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_sk"))
[180]	1065	goto fail;
	1066
[147]	1067	if(!(ret_val->sec_desc = winsec_parse_desc(ret_val, sec_desc_buf,
	1068	ret_val->desc_size)))
[134]	1069	{
[182]	1070	regfi_log_add(REGFI_LOG_ERROR, "Failed to parse security"
[138]	1071	" descriptor while parsing SK record at offset 0x%.8X.",
	1072	offset);
[147]	1073	goto fail;
[134]	1074	}
[147]	1075
[134]	1076	free(sec_desc_buf);
[147]	1077	return ret_val;
[134]	1078
[180]	1079	fail_locked:
[186]	1080	regfi_unlock(file, &file->cb_lock, "regfi_parse_sk");
[147]	1081	fail:
	1082	if(sec_desc_buf != NULL)
	1083	free(sec_desc_buf);
	1084	talloc_free(ret_val);
	1085	return NULL;
[30]	1086	}
	1087
	1088
[168]	1089	REGFI_VALUE_LIST* regfi_parse_valuelist(REGFI_FILE* file, uint32_t offset,
	1090	uint32_t num_values, bool strict)
[111]	1091	{
[145]	1092	REGFI_VALUE_LIST* ret_val;
[168]	1093	uint32_t i, cell_length, length, read_len;
[111]	1094	bool unalloc;
[30]	1095
[186]	1096	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_valuelist"))
[180]	1097	goto fail;
	1098
[178]	1099	if(!regfi_parse_cell(file->cb, offset, NULL, 0, &cell_length, &unalloc))
[137]	1100	{
[182]	1101	regfi_log_add(REGFI_LOG_ERROR, "Failed to read cell header"
[137]	1102	" while parsing value list at offset 0x%.8X.", offset);
[180]	1103	goto fail_locked;
[137]	1104	}
[111]	1105
[157]	1106	if((cell_length & 0x00000007) != 0)
[111]	1107	{
[182]	1108	regfi_log_add(REGFI_LOG_WARN, "Cell length not a multiple of 8"
[145]	1109	" while parsing value list at offset 0x%.8X.", offset);
[111]	1110	if(strict)
[180]	1111	goto fail_locked;
[111]	1112	cell_length = cell_length & 0xFFFFFFF8;
	1113	}
[145]	1114
[168]	1115	if((num_values * sizeof(uint32_t)) > cell_length-sizeof(uint32_t))
[137]	1116	{
[182]	1117	regfi_log_add(REGFI_LOG_WARN, "Too many values found"
[137]	1118	" while parsing value list at offset 0x%.8X.", offset);
[145]	1119	if(strict)
[180]	1120	goto fail_locked;
[168]	1121	num_values = cell_length/sizeof(uint32_t) - sizeof(uint32_t);
[137]	1122	}
[111]	1123
[168]	1124	read_len = num_values*sizeof(uint32_t);
[150]	1125	ret_val = talloc(NULL, REGFI_VALUE_LIST);
[111]	1126	if(ret_val == NULL)
[180]	1127	goto fail_locked;
[111]	1128
[150]	1129	ret_val->elements = (REGFI_VALUE_LIST_ELEM*)talloc_size(ret_val, read_len);
[145]	1130	if(ret_val->elements == NULL)
[180]	1131	goto fail_locked;
	1132
[206]	1133	ret_val->offset = offset;
	1134	ret_val->cell_size = cell_length;
[145]	1135	ret_val->num_values = num_values;
	1136
[111]	1137	length = read_len;
[178]	1138	if((regfi_read(file->cb, (uint8_t*)ret_val->elements, &length) != 0)
[145]	1139	\|\| length != read_len)
[111]	1140	{
[182]	1141	regfi_log_add(REGFI_LOG_ERROR, "Failed to read value pointers"
[137]	1142	" while parsing value list at offset 0x%.8X.", offset);
[180]	1143	goto fail_locked;
[111]	1144	}
	1145
[186]	1146	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_valuelist"))
[180]	1147	goto fail;
	1148
[111]	1149	for(i=0; i < num_values; i++)
	1150	{
	1151	/* Fix endianness */
[145]	1152	ret_val->elements[i] = IVAL(&ret_val->elements[i], 0);
[111]	1153
	1154	/* Validate the first num_values values to ensure they make sense */
	1155	if(strict)
	1156	{
[145]	1157	/* XXX: Need to revisit this file length check when we start dealing
	1158	* with partial files. */
	1159	if((ret_val->elements[i] + REGFI_REGF_SIZE > file->file_length)
[157]	1160	\|\| ((ret_val->elements[i] & 0x00000007) != 0))
[111]	1161	{
[182]	1162	regfi_log_add(REGFI_LOG_WARN, "Invalid value pointer"
[138]	1163	" (0x%.8X) found while parsing value list at offset"
[145]	1164	" 0x%.8X.", ret_val->elements[i], offset);
[180]	1165	goto fail;
[111]	1166	}
	1167	}
	1168	}
	1169
	1170	return ret_val;
[180]	1171
	1172	fail_locked:
[186]	1173	regfi_unlock(file, &file->cb_lock, "regfi_parse_valuelist");
[180]	1174	fail:
	1175	talloc_free(ret_val);
	1176	return NULL;
[111]	1177	}
	1178
[206]	1179	/* XXX: should give this boolean return type to indicate errors */
[203]	1180	void regfi_interpret_valuename(REGFI_FILE* file, REGFI_VK* vk,
[162]	1181	REGFI_ENCODING output_encoding, bool strict)
[30]	1182	{
[165]	1183	/* XXX: Registry value names are supposedly limited to 16383 characters
	1184	* according to:
	1185	* http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
	1186	* Might want to emit a warning if this is exceeded.
	1187	* It is expected that "characters" could be variable width.
	1188	* Also, it may be useful to use this information to limit false positives
	1189	* when recovering deleted VK records.
	1190	*/
[172]	1191	int32_t tmp_size;
	1192	REGFI_ENCODING from_encoding = (vk->flags & REGFI_VK_FLAG_ASCIINAME)
[162]	1193	? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE;
[151]	1194
[162]	1195	if(from_encoding == output_encoding)
	1196	{
[206]	1197	vk->name_raw[vk->name_length] = '\0';
	1198	vk->name = (char*)vk->name_raw;
[162]	1199	}
	1200	else
	1201	{
[206]	1202	vk->name = talloc_array(vk, char, vk->name_length+1);
	1203	if(vk->name == NULL)
[172]	1204	return;
[162]	1205
	1206	tmp_size = regfi_conv_charset(regfi_encoding_int2str(from_encoding),
	1207	regfi_encoding_int2str(output_encoding),
[206]	1208	vk->name_raw, vk->name,
[172]	1209	vk->name_length, vk->name_length+1);
[162]	1210	if(tmp_size < 0)
	1211	{
[182]	1212	regfi_log_add(REGFI_LOG_WARN, "Error occurred while converting"
[206]	1213	" value name to encoding %s. Error message: %s",
[162]	1214	regfi_encoding_int2str(output_encoding),
	1215	strerror(-tmp_size));
[206]	1216	talloc_free(vk->name);
	1217	vk->name = NULL;
[162]	1218	}
	1219	}
[172]	1220	}
[162]	1221
[172]	1222
	1223	/******************************************************************************
	1224	******************************************************************************/
[203]	1225	REGFI_VK* regfi_load_value(REGFI_FILE* file, uint32_t offset,
[206]	1226	REGFI_ENCODING output_encoding, bool strict)
[172]	1227	{
[203]	1228	REGFI_VK* ret_val = NULL;
[172]	1229	int32_t max_size;
	1230
	1231	max_size = regfi_calc_maxsize(file, offset);
	1232	if(max_size < 0)
	1233	return NULL;
	1234
	1235	ret_val = regfi_parse_vk(file, offset, max_size, strict);
	1236	if(ret_val == NULL)
	1237	return NULL;
	1238
	1239	regfi_interpret_valuename(file, ret_val, output_encoding, strict);
	1240
[103]	1241	return ret_val;
[30]	1242	}
	1243
	1244
[145]	1245	/******************************************************************************
	1246	* If !strict, the list may contain NULLs, VK records may point to NULL.
	1247	******************************************************************************/
[168]	1248	REGFI_VALUE_LIST* regfi_load_valuelist(REGFI_FILE* file, uint32_t offset,
	1249	uint32_t num_values, uint32_t max_size,
[145]	1250	bool strict)
	1251	{
[168]	1252	uint32_t usable_num_values;
[30]	1253
[168]	1254	if((num_values+1) * sizeof(uint32_t) > max_size)
[145]	1255	{
[182]	1256	regfi_log_add(REGFI_LOG_WARN, "Number of values indicated by"
[145]	1257	" parent key (%d) would cause cell to straddle HBIN"
	1258	" boundary while loading value list at offset"
	1259	" 0x%.8X.", num_values, offset);
	1260	if(strict)
	1261	return NULL;
[168]	1262	usable_num_values = max_size/sizeof(uint32_t) - sizeof(uint32_t);
[145]	1263	}
	1264	else
	1265	usable_num_values = num_values;
	1266
	1267	return regfi_parse_valuelist(file, offset, usable_num_values, strict);
	1268	}
	1269
	1270
[206]	1271	/* XXX: should give this boolean return type to indicate errors */
[203]	1272	void regfi_interpret_keyname(REGFI_FILE* file, REGFI_NK* nk,
[161]	1273	REGFI_ENCODING output_encoding, bool strict)
[30]	1274	{
[165]	1275	/* XXX: Registry key names are supposedly limited to 255 characters according to:
	1276	* http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
	1277	* Might want to emit a warning if this is exceeded.
	1278	* It is expected that "characters" could be variable width.
	1279	* Also, it may be useful to use this information to limit false positives
	1280	* when recovering deleted NK records.
	1281	*/
[172]	1282	int32_t tmp_size;
	1283	REGFI_ENCODING from_encoding = (nk->flags & REGFI_NK_FLAG_ASCIINAME)
[161]	1284	? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE;
[172]	1285
[161]	1286	if(from_encoding == output_encoding)
	1287	{
[206]	1288	nk->name_raw[nk->name_length] = '\0';
	1289	nk->name = (char*)nk->name_raw;
[161]	1290	}
	1291	else
	1292	{
[206]	1293	nk->name = talloc_array(nk, char, nk->name_length+1);
	1294	if(nk->name == NULL)
[172]	1295	return;
[161]	1296
[206]	1297	memset(nk->name,0,nk->name_length+1);
	1298
[161]	1299	tmp_size = regfi_conv_charset(regfi_encoding_int2str(from_encoding),
	1300	regfi_encoding_int2str(output_encoding),
[206]	1301	nk->name_raw, nk->name,
[161]	1302	nk->name_length, nk->name_length+1);
	1303	if(tmp_size < 0)
	1304	{
[182]	1305	regfi_log_add(REGFI_LOG_WARN, "Error occurred while converting"
[206]	1306	" key name to encoding %s. Error message: %s",
[161]	1307	regfi_encoding_int2str(output_encoding),
	1308	strerror(-tmp_size));
[206]	1309	talloc_free(nk->name);
	1310	nk->name = NULL;
[161]	1311	}
	1312	}
[172]	1313	}
[161]	1314
	1315
[172]	1316	/******************************************************************************
	1317	*
	1318	******************************************************************************/
[203]	1319	REGFI_NK* regfi_load_key(REGFI_FILE* file, uint32_t offset,
[206]	1320	REGFI_ENCODING output_encoding, bool strict)
[172]	1321	{
[203]	1322	REGFI_NK* nk;
[172]	1323	uint32_t off;
	1324	int32_t max_size;
	1325
	1326	max_size = regfi_calc_maxsize(file, offset);
	1327	if (max_size < 0)
	1328	return NULL;
	1329
	1330	/* get the initial nk record */
	1331	if((nk = regfi_parse_nk(file, offset, max_size, true)) == NULL)
	1332	{
[182]	1333	regfi_log_add(REGFI_LOG_ERROR, "Could not load NK record at"
	1334	" offset 0x%.8X.", offset);
[172]	1335	return NULL;
	1336	}
	1337
	1338	regfi_interpret_keyname(file, nk, output_encoding, strict);
	1339
[146]	1340	/* get value list */
[135]	1341	if(nk->num_values && (nk->values_off!=REGFI_OFFSET_NONE))
[32]	1342	{
[157]	1343	off = nk->values_off + REGFI_REGF_SIZE;
	1344	max_size = regfi_calc_maxsize(file, off);
	1345	if(max_size < 0)
[32]	1346	{
[105]	1347	if(strict)
[32]	1348	{
[184]	1349	talloc_free(nk);
[99]	1350	return NULL;
[31]	1351	}
[105]	1352	else
	1353	nk->values = NULL;
[133]	1354
[31]	1355	}
[105]	1356	else
[103]	1357	{
[157]	1358	nk->values = regfi_load_valuelist(file, off, nk->num_values,
	1359	max_size, true);
[145]	1360	if(nk->values == NULL)
[105]	1361	{
[182]	1362	regfi_log_add(REGFI_LOG_WARN, "Could not load value list"
	1363	" for NK record at offset 0x%.8X.", offset);
[145]	1364	if(strict)
	1365	{
[184]	1366	talloc_free(nk);
[145]	1367	return NULL;
	1368	}
[105]	1369	}
[181]	1370	talloc_steal(nk, nk->values);
[103]	1371	}
[31]	1372	}
[105]	1373
[146]	1374	/* now get subkey list */
[135]	1375	if(nk->num_subkeys && (nk->subkeys_off != REGFI_OFFSET_NONE))
[32]	1376	{
[157]	1377	off = nk->subkeys_off + REGFI_REGF_SIZE;
	1378	max_size = regfi_calc_maxsize(file, off);
	1379	if(max_size < 0)
[32]	1380	{
[105]	1381	if(strict)
[32]	1382	{
[184]	1383	talloc_free(nk);
[99]	1384	return NULL;
[31]	1385	}
[105]	1386	else
	1387	nk->subkeys = NULL;
[31]	1388	}
[105]	1389	else
[104]	1390	{
[134]	1391	nk->subkeys = regfi_load_subkeylist(file, off, nk->num_subkeys,
[157]	1392	max_size, true);
[134]	1393
[105]	1394	if(nk->subkeys == NULL)
	1395	{
[182]	1396	regfi_log_add(REGFI_LOG_WARN, "Could not load subkey list"
	1397	" while parsing NK record at offset 0x%.8X.", offset);
[105]	1398	nk->num_subkeys = 0;
	1399	}
[181]	1400	talloc_steal(nk, nk->subkeys);
[104]	1401	}
[31]	1402	}
[30]	1403
[99]	1404	return nk;
[30]	1405	}
	1406
[32]	1407
[102]	1408	/******************************************************************************
	1409	******************************************************************************/
[203]	1410	const REGFI_SK* regfi_load_sk(REGFI_FILE* file, uint32_t offset, bool strict)
[146]	1411	{
[203]	1412	REGFI_SK* ret_val = NULL;
[168]	1413	int32_t max_size;
[147]	1414	void* failure_ptr = NULL;
	1415
[184]	1416	max_size = regfi_calc_maxsize(file, offset);
	1417	if(max_size < 0)
	1418	return NULL;
	1419
	1420	if(file->sk_cache == NULL)
	1421	return regfi_parse_sk(file, offset, max_size, strict);
	1422
[186]	1423	if(!regfi_lock(file, &file->sk_lock, "regfi_load_sk"))
[180]	1424	return NULL;
	1425
[146]	1426	/* First look if we have already parsed it */
[203]	1427	ret_val = (REGFI_SK*)lru_cache_find(file->sk_cache, &offset, 4);
[146]	1428
	1429	/* Bail out if we have previously cached a parse failure at this offset. */
	1430	if(ret_val == (void*)REGFI_OFFSET_NONE)
	1431	return NULL;
	1432
	1433	if(ret_val == NULL)
	1434	{
[157]	1435	ret_val = regfi_parse_sk(file, offset, max_size, strict);
[146]	1436	if(ret_val == NULL)
	1437	{ /* Cache the parse failure and bail out. */
[147]	1438	failure_ptr = talloc(NULL, uint32_t);
	1439	if(failure_ptr == NULL)
	1440	return NULL;
	1441	(uint32_t)failure_ptr = REGFI_OFFSET_NONE;
	1442	lru_cache_update(file->sk_cache, &offset, 4, failure_ptr);
[184]	1443
	1444	/* Let the cache be the only owner of this */
	1445	talloc_unlink(NULL, failure_ptr);
[146]	1446	return NULL;
	1447	}
	1448	}
	1449
[186]	1450	if(!regfi_unlock(file, &file->sk_lock, "regfi_load_sk"))
[184]	1451	{
	1452	talloc_unlink(NULL, ret_val);
[180]	1453	return NULL;
[184]	1454	}
[180]	1455
[146]	1456	return ret_val;
	1457	}
	1458
	1459
	1460
	1461	/******************************************************************************
	1462	******************************************************************************/
[203]	1463	REGFI_NK* regfi_find_root_nk(REGFI_FILE* file, const REGFI_HBIN* hbin,
[206]	1464	REGFI_ENCODING output_encoding)
[30]	1465	{
[203]	1466	REGFI_NK* nk = NULL;
[168]	1467	uint32_t cell_length;
	1468	uint32_t cur_offset = hbin->file_off+REGFI_HBIN_HEADER_SIZE;
	1469	uint32_t hbin_end = hbin->file_off+hbin->block_size;
[158]	1470	bool unalloc;
[30]	1471
[158]	1472	while(cur_offset < hbin_end)
[32]	1473	{
[180]	1474
[186]	1475	if(!regfi_lock(file, &file->cb_lock, "regfi_find_root_nk"))
[180]	1476	return NULL;
	1477
[178]	1478	if(!regfi_parse_cell(file->cb, cur_offset, NULL, 0, &cell_length, &unalloc))
[158]	1479	{
[182]	1480	regfi_log_add(REGFI_LOG_WARN, "Could not parse cell at offset"
	1481	" 0x%.8X while searching for root key.", cur_offset);
[158]	1482	return NULL;
	1483	}
[180]	1484
[186]	1485	if(!regfi_unlock(file, &file->cb_lock, "regfi_find_root_nk"))
[180]	1486	return NULL;
	1487
[158]	1488	if(!unalloc)
[102]	1489	{
[161]	1490	nk = regfi_load_key(file, cur_offset, output_encoding, true);
[102]	1491	if(nk != NULL)
	1492	{
[161]	1493	if(nk->flags & REGFI_NK_FLAG_ROOT)
[158]	1494	return nk;
[102]	1495	}
[31]	1496	}
[30]	1497
[158]	1498	cur_offset += cell_length;
[31]	1499	}
[32]	1500
[158]	1501	return NULL;
[30]	1502	}
	1503
	1504
[178]	1505
[166]	1506	/******************************************************************************
	1507	******************************************************************************/
[206]	1508	REGFI_FILE* regfi_alloc(int fd, REGFI_ENCODING output_encoding)
[30]	1509	{
[166]	1510	REGFI_FILE* ret_val;
[178]	1511	REGFI_RAW_FILE* file_cb = talloc(NULL, REGFI_RAW_FILE);
	1512	if(file_cb == NULL)
[31]	1513	return NULL;
[166]	1514
[178]	1515	file_cb->state = (void*)talloc(file_cb, int);
	1516	if(file_cb->state == NULL)
	1517	goto fail;
	1518	(int)file_cb->state = fd;
	1519
	1520	file_cb->cur_off = 0;
	1521	file_cb->size = 0;
	1522	file_cb->read = &regfi_raw_read;
	1523	file_cb->seek = &regfi_raw_seek;
	1524
[206]	1525	ret_val = regfi_alloc_cb(file_cb, output_encoding);
[166]	1526	if(ret_val == NULL)
[178]	1527	goto fail;
[166]	1528
[178]	1529	/* In this case, we want file_cb to be freed when ret_val is */
[181]	1530	talloc_steal(ret_val, file_cb);
[166]	1531	return ret_val;
[178]	1532
	1533	fail:
	1534	talloc_free(file_cb);
	1535	return NULL;
[166]	1536	}
	1537
	1538
[186]	1539	/******************************************************************************
	1540	******************************************************************************/
	1541	int regfi_free_cb(void* f)
	1542	{
	1543	REGFI_FILE* file = (REGFI_FILE*)f;
[178]	1544
[186]	1545	pthread_mutex_destroy(&file->cb_lock);
	1546	pthread_rwlock_destroy(&file->hbins_lock);
	1547	pthread_mutex_destroy(&file->sk_lock);
	1548
	1549	return 0;
	1550	}
	1551
	1552
	1553	/******************************************************************************
	1554	******************************************************************************/
[206]	1555	REGFI_FILE* regfi_alloc_cb(REGFI_RAW_FILE* file_cb,
	1556	REGFI_ENCODING output_encoding)
[166]	1557	{
	1558	REGFI_FILE* rb;
	1559	REGFI_HBIN* hbin = NULL;
[178]	1560	uint32_t hbin_off, cache_secret;
	1561	int32_t file_length;
[166]	1562	bool rla;
	1563
[178]	1564	/* Determine file length. Must be at least big enough for the header
	1565	* and one hbin.
[137]	1566	*/
[178]	1567	file_length = file_cb->seek(file_cb, 0, SEEK_END);
[137]	1568	if(file_length < REGFI_REGF_SIZE+REGFI_HBIN_ALLOC)
[182]	1569	{
	1570	regfi_log_add(REGFI_LOG_ERROR, "File length (%d) too short to contain a"
	1571	" header and at least one HBIN.", file_length);
[137]	1572	return NULL;
[182]	1573	}
[178]	1574	file_cb->seek(file_cb, 0, SEEK_SET);
[137]	1575
[206]	1576	if(output_encoding != REGFI_ENCODING_UTF8
	1577	&& output_encoding != REGFI_ENCODING_ASCII)
	1578	{
	1579	regfi_log_add(REGFI_LOG_ERROR, "Invalid output_encoding supplied"
	1580	" in creation of regfi iterator.");
	1581	return NULL;
	1582	}
	1583
[166]	1584	/* Read file header */
[203]	1585	if ((rb = regfi_parse_regf(file_cb, false)) == NULL)
[97]	1586	{
[182]	1587	regfi_log_add(REGFI_LOG_ERROR, "Failed to read REGF block.");
[31]	1588	return NULL;
	1589	}
[203]	1590	rb->file_length = file_length;
[178]	1591	rb->cb = file_cb;
[206]	1592	rb->string_encoding = output_encoding;
[137]	1593
[186]	1594	if(pthread_mutex_init(&rb->cb_lock, NULL) != 0)
[182]	1595	{
	1596	regfi_log_add(REGFI_LOG_ERROR, "Failed to create cb_lock mutex.");
[180]	1597	goto fail;
[182]	1598	}
[180]	1599
[186]	1600	if(pthread_rwlock_init(&rb->hbins_lock, NULL) != 0)
[182]	1601	{
	1602	regfi_log_add(REGFI_LOG_ERROR, "Failed to create hbins_lock rwlock.");
[180]	1603	goto fail;
[182]	1604	}
[180]	1605
[186]	1606	if(pthread_mutex_init(&rb->sk_lock, NULL) != 0)
[182]	1607	{
	1608	regfi_log_add(REGFI_LOG_ERROR, "Failed to create sk_lock mutex.");
[180]	1609	goto fail;
[182]	1610	}
[180]	1611
[99]	1612	rb->hbins = range_list_new();
[110]	1613	if(rb->hbins == NULL)
[182]	1614	{
	1615	regfi_log_add(REGFI_LOG_ERROR, "Failed to create HBIN range_list.");
[180]	1616	goto fail;
[182]	1617	}
[181]	1618	talloc_steal(rb, rb->hbins);
[150]	1619
[106]	1620	rla = true;
[135]	1621	hbin_off = REGFI_REGF_SIZE;
[110]	1622	hbin = regfi_parse_hbin(rb, hbin_off, true);
[106]	1623	while(hbin && rla)
	1624	{
[137]	1625	rla = range_list_add(rb->hbins, hbin->file_off, hbin->block_size, hbin);
[148]	1626	if(rla)
[181]	1627	talloc_steal(rb->hbins, hbin);
[180]	1628
[106]	1629	hbin_off = hbin->file_off + hbin->block_size;
[110]	1630	hbin = regfi_parse_hbin(rb, hbin_off, true);
[106]	1631	}
	1632
[146]	1633	/* This secret isn't very secret, but we don't need a good one. This
	1634	* secret is just designed to prevent someone from trying to blow our
	1635	* caching and make things slow.
	1636	*/
	1637	cache_secret = 0x15DEAD05^time(NULL)^(getpid()<<16);
	1638
[184]	1639	if(REGFI_CACHE_SK)
	1640	rb->sk_cache = lru_cache_create_ctx(rb, 64, cache_secret, true);
	1641	else
	1642	rb->sk_cache = NULL;
[146]	1643
[31]	1644	/* success */
[186]	1645	talloc_set_destructor(rb, regfi_free_cb);
[31]	1646	return rb;
[180]	1647
	1648	fail:
[186]	1649	pthread_mutex_destroy(&rb->cb_lock);
	1650	pthread_rwlock_destroy(&rb->hbins_lock);
	1651	pthread_mutex_destroy(&rb->sk_lock);
[180]	1652
	1653	range_list_free(rb->hbins);
	1654	talloc_free(rb);
	1655	return NULL;
[30]	1656	}
	1657
	1658
[148]	1659	/******************************************************************************
	1660	******************************************************************************/
[186]	1661	void regfi_free(REGFI_FILE* file)
[166]	1662	{
[186]	1663	/* Callback handles cleanup side effects */
[150]	1664	talloc_free(file);
[30]	1665	}
	1666
	1667
[80]	1668	/******************************************************************************
[158]	1669	* First checks the offset given by the file header, then checks the
	1670	* rest of the file if that fails.
[148]	1671	******************************************************************************/
[215]	1672	const REGFI_NK* regfi_get_rootkey(REGFI_FILE* file)
[30]	1673	{
[203]	1674	REGFI_NK* nk = NULL;
[146]	1675	REGFI_HBIN* hbin;
[168]	1676	uint32_t root_offset, i, num_hbins;
[99]	1677
	1678	if(!file)
[31]	1679	return NULL;
[99]	1680
[158]	1681	root_offset = file->root_cell+REGFI_REGF_SIZE;
[206]	1682	nk = regfi_load_key(file, root_offset, file->string_encoding, true);
[158]	1683	if(nk != NULL)
	1684	{
[161]	1685	if(nk->flags & REGFI_NK_FLAG_ROOT)
[158]	1686	return nk;
	1687	}
	1688
[182]	1689	regfi_log_add(REGFI_LOG_WARN, "File header indicated root key at"
	1690	" location 0x%.8X, but no root key found."
	1691	" Searching rest of file...", root_offset);
[158]	1692
	1693	/* If the file header gives bad info, scan through the file one HBIN
	1694	* block at a time looking for an NK record with a root key type.
[146]	1695	*/
[180]	1696
[215]	1697	if(!regfi_read_lock(file, &file->hbins_lock, "regfi_get_rootkey"))
[180]	1698	return NULL;
	1699
[107]	1700	num_hbins = range_list_size(file->hbins);
[158]	1701	for(i=0; i < num_hbins && nk == NULL; i++)
[99]	1702	{
[135]	1703	hbin = (REGFI_HBIN*)range_list_get(file->hbins, i)->data;
[206]	1704	nk = regfi_find_root_nk(file, hbin, file->string_encoding);
[31]	1705	}
[30]	1706
[215]	1707	if(!regfi_rw_unlock(file, &file->hbins_lock, "regfi_get_rootkey"))
[180]	1708	return NULL;
	1709
[80]	1710	return nk;
[30]	1711	}
	1712
	1713
[80]	1714	/******************************************************************************
	1715	*****************************************************************************/
[184]	1716	void regfi_free_record(const void* record)
[30]	1717	{
[184]	1718	talloc_unlink(NULL, (void*)record);
[150]	1719	}
[127]	1720
[80]	1721
	1722
[207]	1723
[80]	1724	/******************************************************************************
	1725	*****************************************************************************/
[207]	1726	uint32_t regfi_fetch_num_subkeys(const REGFI_NK* key)
	1727	{
	1728	uint32_t num_in_list = 0;
[215]	1729	if(key == NULL)
	1730	return 0;
	1731
[207]	1732	if(key->subkeys != NULL)
	1733	num_in_list = key->subkeys->num_keys;
	1734
	1735	if(num_in_list != key->num_subkeys)
	1736	{
	1737	regfi_log_add(REGFI_LOG_INFO, "Key at offset 0x%.8X contains %d keys in its"
	1738	" subkey list but reports %d should be available.",
	1739	key->offset, num_in_list, key->num_subkeys);
	1740	return (num_in_list < key->num_subkeys)?num_in_list:key->num_subkeys;
	1741	}
	1742
	1743	return num_in_list;
	1744	}
	1745
	1746
	1747	/******************************************************************************
	1748	*****************************************************************************/
	1749	uint32_t regfi_fetch_num_values(const REGFI_NK* key)
	1750	{
	1751	uint32_t num_in_list = 0;
[215]	1752	if(key == NULL)
	1753	return 0;
	1754
[207]	1755	if(key->values != NULL)
	1756	num_in_list = key->values->num_values;
	1757
	1758	if(num_in_list != key->num_values)
	1759	{
	1760	regfi_log_add(REGFI_LOG_INFO, "Key at offset 0x%.8X contains %d values in"
	1761	" its value list but reports %d should be available.",
	1762	key->offset, num_in_list, key->num_values);
	1763	return (num_in_list < key->num_values)?num_in_list:key->num_values;
	1764	}
	1765
	1766	return num_in_list;
	1767	}
	1768
	1769
	1770	/******************************************************************************
	1771	*****************************************************************************/
[206]	1772	REGFI_ITERATOR* regfi_iterator_new(REGFI_FILE* file)
[80]	1773	{
[203]	1774	REGFI_NK* root;
[161]	1775	REGFI_ITERATOR* ret_val;
	1776
	1777	ret_val = talloc(NULL, REGFI_ITERATOR);
[80]	1778	if(ret_val == NULL)
	1779	return NULL;
	1780
[215]	1781	root = (REGFI_NK*)regfi_get_rootkey(file);
[80]	1782	if(root == NULL)
	1783	{
[150]	1784	talloc_free(ret_val);
[80]	1785	return NULL;
	1786	}
[181]	1787	ret_val->cur_key = root;
[213]	1788	talloc_reparent(NULL, ret_val, root);
[80]	1789
[135]	1790	ret_val->key_positions = void_stack_new(REGFI_MAX_DEPTH);
[80]	1791	if(ret_val->key_positions == NULL)
	1792	{
[150]	1793	talloc_free(ret_val);
[80]	1794	return NULL;
	1795	}
[181]	1796	talloc_steal(ret_val, ret_val->key_positions);
[80]	1797
[159]	1798	ret_val->f = file;
[80]	1799	ret_val->cur_subkey = 0;
	1800	ret_val->cur_value = 0;
[161]	1801
[80]	1802	return ret_val;
	1803	}
	1804
	1805
	1806	/******************************************************************************
	1807	*****************************************************************************/
	1808	void regfi_iterator_free(REGFI_ITERATOR* i)
	1809	{
[150]	1810	talloc_free(i);
[80]	1811	}
	1812
	1813
	1814
	1815	/******************************************************************************
	1816	*****************************************************************************/
	1817	/* XXX: some way of indicating reason for failure should be added. */
	1818	bool regfi_iterator_down(REGFI_ITERATOR* i)
	1819	{
[203]	1820	REGFI_NK* subkey;
[80]	1821	REGFI_ITER_POSITION* pos;
	1822
[150]	1823	pos = talloc(i->key_positions, REGFI_ITER_POSITION);
[80]	1824	if(pos == NULL)
	1825	return false;
	1826
[203]	1827	subkey = (REGFI_NK*)regfi_iterator_cur_subkey(i);
[80]	1828	if(subkey == NULL)
	1829	{
[150]	1830	talloc_free(pos);
[80]	1831	return false;
	1832	}
	1833
	1834	pos->nk = i->cur_key;
	1835	pos->cur_subkey = i->cur_subkey;
	1836	if(!void_stack_push(i->key_positions, pos))
	1837	{
[150]	1838	talloc_free(pos);
[184]	1839	talloc_unlink(NULL, subkey);
[80]	1840	return false;
	1841	}
[213]	1842	talloc_reparent(NULL, i, subkey);
[80]	1843
	1844	i->cur_key = subkey;
	1845	i->cur_subkey = 0;
	1846	i->cur_value = 0;
	1847
	1848	return true;
	1849	}
	1850
	1851
	1852	/******************************************************************************
	1853	*****************************************************************************/
	1854	bool regfi_iterator_up(REGFI_ITERATOR* i)
	1855	{
	1856	REGFI_ITER_POSITION* pos;
	1857
	1858	pos = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions);
	1859	if(pos == NULL)
	1860	return false;
	1861
[184]	1862	talloc_unlink(i, i->cur_key);
[80]	1863	i->cur_key = pos->nk;
	1864	i->cur_subkey = pos->cur_subkey;
	1865	i->cur_value = 0;
[150]	1866	talloc_free(pos);
[80]	1867
	1868	return true;
	1869	}
	1870
	1871
	1872	/******************************************************************************
	1873	*****************************************************************************/
	1874	bool regfi_iterator_to_root(REGFI_ITERATOR* i)
	1875	{
	1876	while(regfi_iterator_up(i))
	1877	continue;
	1878
	1879	return true;
	1880	}
	1881
	1882
	1883	/******************************************************************************
	1884	*****************************************************************************/
[207]	1885	bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* name)
[80]	1886	{
[207]	1887	uint32_t new_index;
[133]	1888
[207]	1889	if(regfi_find_subkey(i->f, i->cur_key, name, &new_index))
[80]	1890	{
[207]	1891	i->cur_subkey = new_index;
	1892	return true;
[80]	1893	}
	1894
[207]	1895	return false;
[80]	1896	}
	1897
	1898
	1899	/******************************************************************************
	1900	*****************************************************************************/
	1901	bool regfi_iterator_walk_path(REGFI_ITERATOR* i, const char** path)
	1902	{
[168]	1903	uint32_t x;
[80]	1904	if(path == NULL)
	1905	return false;
	1906
	1907	for(x=0;
	1908	((path[x] != NULL) && regfi_iterator_find_subkey(i, path[x])
	1909	&& regfi_iterator_down(i));
	1910	x++)
	1911	{ continue; }
	1912
	1913	if(path[x] == NULL)
[215]	1914	{
[80]	1915	return true;
[215]	1916	}
	1917
[80]	1918	/* XXX: is this the right number of times? */
	1919	for(; x > 0; x--)
	1920	regfi_iterator_up(i);
	1921
	1922	return false;
	1923	}
	1924
	1925
	1926	/******************************************************************************
	1927	*****************************************************************************/
[203]	1928	const REGFI_NK* regfi_iterator_cur_key(REGFI_ITERATOR* i)
[80]	1929	{
[213]	1930	talloc_reference(NULL, i->cur_key);
[80]	1931	return i->cur_key;
	1932	}
	1933
	1934
	1935	/******************************************************************************
	1936	*****************************************************************************/
[206]	1937	const REGFI_SK* regfi_fetch_sk(REGFI_FILE* file, const REGFI_NK* key)
[109]	1938	{
[206]	1939	if(key == NULL \|\| key->sk_off == REGFI_OFFSET_NONE)
[109]	1940	return NULL;
	1941
[206]	1942	return regfi_load_sk(file, key->sk_off + REGFI_REGF_SIZE, true);
[109]	1943	}
	1944
	1945
	1946	/******************************************************************************
	1947	*****************************************************************************/
[199]	1948	bool regfi_iterator_first_subkey(REGFI_ITERATOR* i)
[80]	1949	{
	1950	i->cur_subkey = 0;
[199]	1951
	1952	return ((i->cur_key != NULL) && (i->cur_key->subkeys_off!=REGFI_OFFSET_NONE)
[207]	1953	&& (i->cur_subkey < regfi_fetch_num_subkeys(i->cur_key)));
[80]	1954	}
	1955
	1956
	1957	/******************************************************************************
	1958	*****************************************************************************/
[203]	1959	const REGFI_NK* regfi_iterator_cur_subkey(REGFI_ITERATOR* i)
[80]	1960	{
[207]	1961	return regfi_get_subkey(i->f, i->cur_key, i->cur_subkey);
[30]	1962	}
[80]	1963
	1964
	1965	/******************************************************************************
	1966	*****************************************************************************/
[199]	1967	bool regfi_iterator_next_subkey(REGFI_ITERATOR* i)
[80]	1968	{
	1969	i->cur_subkey++;
	1970
[199]	1971	return ((i->cur_key != NULL) && (i->cur_key->subkeys_off!=REGFI_OFFSET_NONE)
[207]	1972	&& (i->cur_subkey < regfi_fetch_num_subkeys(i->cur_key)));
[80]	1973	}
	1974
	1975
	1976	/******************************************************************************
	1977	*****************************************************************************/
[207]	1978	bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* name)
[80]	1979	{
[207]	1980	uint32_t new_index;
[80]	1981
[207]	1982	if(regfi_find_value(i->f, i->cur_key, name, &new_index))
[80]	1983	{
[207]	1984	i->cur_value = new_index;
	1985	return true;
[80]	1986	}
	1987
[207]	1988	return false;
[80]	1989	}
	1990
	1991
	1992	/******************************************************************************
	1993	*****************************************************************************/
[199]	1994	bool regfi_iterator_first_value(REGFI_ITERATOR* i)
[80]	1995	{
	1996	i->cur_value = 0;
[199]	1997	return (i->cur_key->values != NULL && i->cur_key->values->elements != NULL
[207]	1998	&& (i->cur_value < regfi_fetch_num_values(i->cur_key)));
[80]	1999	}
	2000
	2001
	2002	/******************************************************************************
	2003	*****************************************************************************/
[203]	2004	const REGFI_VK* regfi_iterator_cur_value(REGFI_ITERATOR* i)
[80]	2005	{
[207]	2006	return regfi_get_value(i->f, i->cur_key, i->cur_value);
[80]	2007	}
	2008
	2009
	2010	/******************************************************************************
	2011	*****************************************************************************/
[199]	2012	bool regfi_iterator_next_value(REGFI_ITERATOR* i)
[80]	2013	{
	2014	i->cur_value++;
[199]	2015	return (i->cur_key->values != NULL && i->cur_key->values->elements != NULL
[207]	2016	&& (i->cur_value < regfi_fetch_num_values(i->cur_key)));
[80]	2017	}
[97]	2018
	2019
[159]	2020	/******************************************************************************
	2021	*****************************************************************************/
[206]	2022	const REGFI_CLASSNAME* regfi_fetch_classname(REGFI_FILE* file,
	2023	const REGFI_NK* key)
[160]	2024	{
	2025	REGFI_CLASSNAME* ret_val;
[168]	2026	uint8_t* raw;
[160]	2027	char* interpreted;
[168]	2028	uint32_t offset;
	2029	int32_t conv_size, max_size;
	2030	uint16_t parse_length;
[160]	2031
	2032	if(key->classname_off == REGFI_OFFSET_NONE \|\| key->classname_length == 0)
	2033	return NULL;
	2034
	2035	offset = key->classname_off + REGFI_REGF_SIZE;
[206]	2036	max_size = regfi_calc_maxsize(file, offset);
[160]	2037	if(max_size <= 0)
	2038	return NULL;
	2039
	2040	parse_length = key->classname_length;
[206]	2041	raw = regfi_parse_classname(file, offset, &parse_length, max_size, true);
[160]	2042
	2043	if(raw == NULL)
	2044	{
[182]	2045	regfi_log_add(REGFI_LOG_WARN, "Could not parse class"
	2046	" name at offset 0x%.8X for key record at offset 0x%.8X.",
	2047	offset, key->offset);
[160]	2048	return NULL;
	2049	}
	2050
	2051	ret_val = talloc(NULL, REGFI_CLASSNAME);
	2052	if(ret_val == NULL)
	2053	return NULL;
	2054
[206]	2055	ret_val->offset = offset;
[160]	2056	ret_val->raw = raw;
	2057	ret_val->size = parse_length;
[181]	2058	talloc_steal(ret_val, raw);
[160]	2059
	2060	interpreted = talloc_array(NULL, char, parse_length);
	2061
[161]	2062	conv_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
[206]	2063	regfi_encoding_int2str(file->string_encoding),
[160]	2064	raw, interpreted,
	2065	parse_length, parse_length);
	2066	if(conv_size < 0)
	2067	{
[182]	2068	regfi_log_add(REGFI_LOG_WARN, "Error occurred while"
	2069	" converting classname to charset %s. Error message: %s",
[206]	2070	file->string_encoding, strerror(-conv_size));
[160]	2071	talloc_free(interpreted);
	2072	ret_val->interpreted = NULL;
	2073	}
	2074	else
	2075	{
	2076	interpreted = talloc_realloc(NULL, interpreted, char, conv_size);
	2077	ret_val->interpreted = interpreted;
[181]	2078	talloc_steal(ret_val, interpreted);
[160]	2079	}
	2080
	2081	return ret_val;
	2082	}
	2083
	2084
	2085	/******************************************************************************
	2086	*****************************************************************************/
[206]	2087	const REGFI_DATA* regfi_fetch_data(REGFI_FILE* file,
	2088	const REGFI_VK* value)
[159]	2089	{
	2090	REGFI_DATA* ret_val = NULL;
	2091	REGFI_BUFFER raw_data;
	2092
	2093	if(value->data_size != 0)
	2094	{
[206]	2095	raw_data = regfi_load_data(file, value->data_off, value->data_size,
[209]	2096	value->data_in_offset, true);
[159]	2097	if(raw_data.buf == NULL)
	2098	{
[182]	2099	regfi_log_add(REGFI_LOG_WARN, "Could not parse data record"
	2100	" while parsing VK record at offset 0x%.8X.",
	2101	value->offset);
[159]	2102	}
	2103	else
	2104	{
	2105	ret_val = regfi_buffer_to_data(raw_data);
	2106
	2107	if(ret_val == NULL)
	2108	{
[182]	2109	regfi_log_add(REGFI_LOG_WARN, "Error occurred in converting"
	2110	" data buffer to data structure while interpreting "
	2111	"data for VK record at offset 0x%.8X.",
	2112	value->offset);
[159]	2113	talloc_free(raw_data.buf);
	2114	return NULL;
	2115	}
	2116
[206]	2117	if(!regfi_interpret_data(file, file->string_encoding,
	2118	value->type, ret_val))
[159]	2119	{
[182]	2120	regfi_log_add(REGFI_LOG_INFO, "Error occurred while"
	2121	" interpreting data for VK record at offset 0x%.8X.",
	2122	value->offset);
[159]	2123	}
	2124	}
	2125	}
	2126
	2127	return ret_val;
	2128	}
	2129
	2130
[207]	2131
[159]	2132	/******************************************************************************
	2133	*****************************************************************************/
[207]	2134	bool regfi_find_subkey(REGFI_FILE* file, const REGFI_NK* key,
	2135	const char* name, uint32_t* index)
	2136	{
	2137	const REGFI_NK* cur;
	2138	uint32_t i;
	2139	uint32_t num_subkeys = regfi_fetch_num_subkeys(key);
	2140	bool found = false;
	2141
	2142	/* XXX: cur->name can be NULL in the registry.
	2143	* Should we allow for a way to search for that?
	2144	*/
	2145	if(name == NULL)
	2146	return false;
	2147
	2148	for(i=0; (i < num_subkeys) && (found == false); i++)
	2149	{
	2150	cur = regfi_get_subkey(file, key, i);
	2151	if(cur == NULL)
	2152	return false;
	2153
	2154	if((cur->name != NULL)
	2155	&& (strcasecmp(cur->name, name) == 0))
	2156	{
	2157	found = true;
	2158	*index = i;
	2159	}
	2160
	2161	regfi_free_record(cur);
	2162	}
	2163
	2164	return found;
	2165	}
	2166
	2167
	2168
	2169	/******************************************************************************
	2170	*****************************************************************************/
	2171	bool regfi_find_value(REGFI_FILE* file, const REGFI_NK* key,
	2172	const char* name, uint32_t* index)
	2173	{
	2174	const REGFI_VK* cur;
	2175	uint32_t i;
	2176	uint32_t num_values = regfi_fetch_num_values(key);
	2177	bool found = false;
	2178
	2179	/* XXX: cur->name can be NULL in the registry.
	2180	* Should we allow for a way to search for that?
	2181	*/
	2182	if(name == NULL)
	2183	return false;
	2184
	2185	for(i=0; (i < num_values) && (found == false); i++)
	2186	{
	2187	cur = regfi_get_value(file, key, i);
	2188	if(cur == NULL)
	2189	return false;
	2190
	2191	if((cur->name != NULL)
	2192	&& (strcasecmp(cur->name, name) == 0))
	2193	{
	2194	found = true;
	2195	*index = i;
	2196	}
	2197
	2198	regfi_free_record(cur);
	2199	}
	2200
	2201	return found;
	2202	}
	2203
	2204
	2205
	2206	/******************************************************************************
	2207	*****************************************************************************/
	2208	const REGFI_NK* regfi_get_subkey(REGFI_FILE* file, const REGFI_NK* key,
	2209	uint32_t index)
	2210	{
	2211	if(index < regfi_fetch_num_subkeys(key))
	2212	{
	2213	return regfi_load_key(file,
	2214	key->subkeys->elements[index].offset+REGFI_REGF_SIZE,
	2215	file->string_encoding, true);
	2216	}
	2217
	2218	return NULL;
	2219	}
	2220
	2221
	2222	/******************************************************************************
	2223	*****************************************************************************/
	2224	const REGFI_VK* regfi_get_value(REGFI_FILE* file, const REGFI_NK* key,
	2225	uint32_t index)
	2226	{
	2227	if(index < regfi_fetch_num_values(key))
	2228	{
	2229	return regfi_load_value(file,
	2230	key->values->elements[index]+REGFI_REGF_SIZE,
	2231	file->string_encoding, true);
	2232	}
	2233
	2234	return NULL;
	2235	}
	2236
	2237
[215]	2238
[207]	2239	/******************************************************************************
	2240	*****************************************************************************/
[215]	2241	const REGFI_NK* regfi_get_parentkey(REGFI_FILE* file, const REGFI_NK* key)
	2242	{
	2243	if(key != NULL && key->parent_off != REGFI_OFFSET_NONE)
	2244	{
	2245	/* fprintf(stderr, "key->parent_off=%.8X\n", key->parent_off);*/
	2246	return regfi_load_key(file,
	2247	key->parent_off+REGFI_REGF_SIZE,
	2248	file->string_encoding, true);
	2249	}
	2250
	2251	return NULL;
	2252	}
	2253
	2254
	2255
	2256	/******************************************************************************
	2257	*****************************************************************************/
[159]	2258	REGFI_DATA* regfi_buffer_to_data(REGFI_BUFFER raw_data)
	2259	{
	2260	REGFI_DATA* ret_val;
	2261
	2262	if(raw_data.buf == NULL)
	2263	return NULL;
	2264
	2265	ret_val = talloc(NULL, REGFI_DATA);
	2266	if(ret_val == NULL)
	2267	return NULL;
	2268
[181]	2269	talloc_steal(ret_val, raw_data.buf);
[159]	2270	ret_val->raw = raw_data.buf;
	2271	ret_val->size = raw_data.len;
	2272	ret_val->interpreted_size = 0;
	2273	ret_val->interpreted.qword = 0;
	2274
	2275	return ret_val;
	2276	}
	2277
	2278
	2279	/******************************************************************************
	2280	*****************************************************************************/
[161]	2281	bool regfi_interpret_data(REGFI_FILE* file, REGFI_ENCODING string_encoding,
[168]	2282	uint32_t type, REGFI_DATA* data)
[159]	2283	{
[168]	2284	uint8_t** tmp_array;
	2285	uint8_t* tmp_str;
	2286	int32_t tmp_size;
	2287	uint32_t i, j, array_size;
[159]	2288
	2289	if(data == NULL)
	2290	return false;
	2291
	2292	switch (type)
	2293	{
	2294	case REG_SZ:
	2295	case REG_EXPAND_SZ:
	2296	/* REG_LINK is a symbolic link, stored as a unicode string. */
	2297	case REG_LINK:
[168]	2298	tmp_str = talloc_array(NULL, uint8_t, data->size);
[159]	2299	if(tmp_str == NULL)
	2300	{
	2301	data->interpreted.string = NULL;
	2302	data->interpreted_size = 0;
	2303	return false;
	2304	}
	2305
[161]	2306	tmp_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
	2307	regfi_encoding_int2str(string_encoding),
[159]	2308	data->raw, (char*)tmp_str,
	2309	data->size, data->size);
	2310	if(tmp_size < 0)
	2311	{
[182]	2312	regfi_log_add(REGFI_LOG_INFO, "Error occurred while"
[193]	2313	" converting data of type %d to %d. Error message: %s",
[182]	2314	type, string_encoding, strerror(-tmp_size));
[159]	2315	talloc_free(tmp_str);
	2316	data->interpreted.string = NULL;
	2317	data->interpreted_size = 0;
	2318	return false;
	2319	}
	2320
[168]	2321	tmp_str = talloc_realloc(NULL, tmp_str, uint8_t, tmp_size);
[159]	2322	data->interpreted.string = tmp_str;
	2323	data->interpreted_size = tmp_size;
[181]	2324	talloc_steal(data, tmp_str);
[159]	2325	break;
	2326
	2327	case REG_DWORD:
	2328	if(data->size < 4)
	2329	{
	2330	data->interpreted.dword = 0;
	2331	data->interpreted_size = 0;
	2332	return false;
	2333	}
	2334	data->interpreted.dword = IVAL(data->raw, 0);
	2335	data->interpreted_size = 4;
	2336	break;
	2337
	2338	case REG_DWORD_BE:
	2339	if(data->size < 4)
	2340	{
	2341	data->interpreted.dword_be = 0;
	2342	data->interpreted_size = 0;
	2343	return false;
	2344	}
	2345	data->interpreted.dword_be = RIVAL(data->raw, 0);
	2346	data->interpreted_size = 4;
	2347	break;
	2348
	2349	case REG_QWORD:
	2350	if(data->size < 8)
	2351	{
	2352	data->interpreted.qword = 0;
	2353	data->interpreted_size = 0;
	2354	return false;
	2355	}
	2356	data->interpreted.qword =
[168]	2357	(uint64_t)IVAL(data->raw, 0) + (((uint64_t)IVAL(data->raw, 4))<<32);
[159]	2358	data->interpreted_size = 8;
	2359	break;
	2360
	2361	case REG_MULTI_SZ:
[168]	2362	tmp_str = talloc_array(NULL, uint8_t, data->size);
[159]	2363	if(tmp_str == NULL)
	2364	{
	2365	data->interpreted.multiple_string = NULL;
	2366	data->interpreted_size = 0;
	2367	return false;
	2368	}
	2369
	2370	/* Attempt to convert entire string from UTF-16LE to output encoding,
	2371	* then parse and quote fields individually.
	2372	*/
[161]	2373	tmp_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
	2374	regfi_encoding_int2str(string_encoding),
[159]	2375	data->raw, (char*)tmp_str,
	2376	data->size, data->size);
	2377	if(tmp_size < 0)
	2378	{
[182]	2379	regfi_log_add(REGFI_LOG_INFO, "Error occurred while"
	2380	" converting data of type %d to %s. Error message: %s",
	2381	type, string_encoding, strerror(-tmp_size));
[159]	2382	talloc_free(tmp_str);
	2383	data->interpreted.multiple_string = NULL;
	2384	data->interpreted_size = 0;
	2385	return false;
	2386	}
	2387
	2388	array_size = tmp_size+1;
[168]	2389	tmp_array = talloc_array(NULL, uint8_t*, array_size);
[159]	2390	if(tmp_array == NULL)
	2391	{
	2392	talloc_free(tmp_str);
	2393	data->interpreted.string = NULL;
	2394	data->interpreted_size = 0;
	2395	return false;
	2396	}
	2397
	2398	tmp_array[0] = tmp_str;
	2399	for(i=0,j=1; i < tmp_size && j < array_size-1; i++)
	2400	{
[209]	2401	if(tmp_str[i] == '\0' && (i+1 < tmp_size) && tmp_str[i+1] != '\0')
[159]	2402	tmp_array[j++] = tmp_str+i+1;
	2403	}
	2404	tmp_array[j] = NULL;
[168]	2405	tmp_array = talloc_realloc(NULL, tmp_array, uint8_t*, j+1);
[159]	2406	data->interpreted.multiple_string = tmp_array;
	2407	/* XXX: how meaningful is this? should we store number of strings instead? */
	2408	data->interpreted_size = tmp_size;
[181]	2409	talloc_steal(tmp_array, tmp_str);
	2410	talloc_steal(data, tmp_array);
[159]	2411	break;
	2412
	2413	/* XXX: Dont know how to interpret these yet, just treat as binary */
	2414	case REG_NONE:
	2415	data->interpreted.none = data->raw;
	2416	data->interpreted_size = data->size;
	2417	break;
	2418
	2419	case REG_RESOURCE_LIST:
	2420	data->interpreted.resource_list = data->raw;
	2421	data->interpreted_size = data->size;
	2422	break;
	2423
	2424	case REG_FULL_RESOURCE_DESCRIPTOR:
	2425	data->interpreted.full_resource_descriptor = data->raw;
	2426	data->interpreted_size = data->size;
	2427	break;
	2428
	2429	case REG_RESOURCE_REQUIREMENTS_LIST:
	2430	data->interpreted.resource_requirements_list = data->raw;
	2431	data->interpreted_size = data->size;
	2432	break;
	2433
	2434	case REG_BINARY:
	2435	data->interpreted.binary = data->raw;
	2436	data->interpreted_size = data->size;
	2437	break;
	2438
	2439	default:
	2440	data->interpreted.qword = 0;
	2441	data->interpreted_size = 0;
	2442	return false;
	2443	}
	2444
	2445	data->type = type;
	2446	return true;
	2447	}
	2448
	2449
[166]	2450	/******************************************************************************
[159]	2451	* Convert from UTF-16LE to specified character set.
	2452	* On error, returns a negative errno code.
[166]	2453	*****************************************************************************/
[168]	2454	int32_t regfi_conv_charset(const char* input_charset, const char* output_charset,
[206]	2455	uint8_t* input, char* output,
	2456	uint32_t input_len, uint32_t output_max)
[159]	2457	{
	2458	iconv_t conv_desc;
	2459	char* inbuf = (char*)input;
	2460	char* outbuf = output;
	2461	size_t in_len = (size_t)input_len;
	2462	size_t out_len = (size_t)(output_max-1);
	2463	int ret;
	2464
[161]	2465	/* XXX: Consider creating a couple of conversion descriptors earlier,
	2466	* storing them on an iterator so they don't have to be recreated
	2467	* each time.
	2468	*/
	2469
[159]	2470	/* Set up conversion descriptor. */
[161]	2471	conv_desc = iconv_open(output_charset, input_charset);
[159]	2472
	2473	ret = iconv(conv_desc, &inbuf, &in_len, &outbuf, &out_len);
	2474	if(ret == -1)
	2475	{
	2476	iconv_close(conv_desc);
	2477	return -errno;
	2478	}
	2479	*outbuf = '\0';
	2480
	2481	iconv_close(conv_desc);
	2482	return output_max-out_len-1;
	2483	}
	2484
	2485
	2486
	2487	/*******************************************************************
[97]	2488	* Computes the checksum of the registry file header.
[159]	2489	* buffer must be at least the size of a regf header (4096 bytes).
[97]	2490	*******************************************************************/
[168]	2491	static uint32_t regfi_compute_header_checksum(uint8_t* buffer)
[97]	2492	{
[168]	2493	uint32_t checksum, x;
[97]	2494	int i;
	2495
	2496	/* XOR of all bytes 0x0000 - 0x01FB */
	2497
	2498	checksum = x = 0;
	2499
	2500	for ( i=0; i<0x01FB; i+=4 ) {
	2501	x = IVAL(buffer, i );
	2502	checksum ^= x;
	2503	}
	2504
	2505	return checksum;
	2506	}
	2507
	2508
	2509	/*******************************************************************
	2510	*******************************************************************/
[178]	2511	REGFI_FILE* regfi_parse_regf(REGFI_RAW_FILE* file_cb, bool strict)
[97]	2512	{
[168]	2513	uint8_t file_header[REGFI_REGF_SIZE];
	2514	uint32_t length;
[135]	2515	REGFI_FILE* ret_val;
[97]	2516
[150]	2517	ret_val = talloc(NULL, REGFI_FILE);
[97]	2518	if(ret_val == NULL)
	2519	return NULL;
	2520
[150]	2521	ret_val->sk_cache = NULL;
	2522	ret_val->hbins = NULL;
[178]	2523
[135]	2524	length = REGFI_REGF_SIZE;
[178]	2525	if((regfi_read(file_cb, file_header, &length)) != 0
	2526	\|\| length != REGFI_REGF_SIZE)
[182]	2527	{
	2528	regfi_log_add(REGFI_LOG_WARN, "Read failed while parsing REGF structure.");
[150]	2529	goto fail;
[182]	2530	}
	2531
[97]	2532	ret_val->checksum = IVAL(file_header, 0x1FC);
	2533	ret_val->computed_checksum = regfi_compute_header_checksum(file_header);
	2534	if (strict && (ret_val->checksum != ret_val->computed_checksum))
[182]	2535	{
	2536	regfi_log_add(REGFI_LOG_WARN, "Stored header checksum (%.8X) did not equal"
	2537	" computed checksum (%.8X).",
	2538	ret_val->checksum, ret_val->computed_checksum);
	2539	if(strict)
	2540	goto fail;
	2541	}
[97]	2542
[135]	2543	memcpy(ret_val->magic, file_header, REGFI_REGF_MAGIC_SIZE);
[150]	2544	if(memcmp(ret_val->magic, "regf", REGFI_REGF_MAGIC_SIZE) != 0)
[97]	2545	{
[182]	2546	regfi_log_add(REGFI_LOG_ERROR, "Magic number mismatch "
	2547	"(%.2X %.2X %.2X %.2X) while parsing hive header",
	2548	ret_val->magic[0], ret_val->magic[1],
	2549	ret_val->magic[2], ret_val->magic[3]);
	2550	goto fail;
[97]	2551	}
[178]	2552
[151]	2553	ret_val->sequence1 = IVAL(file_header, 0x4);
	2554	ret_val->sequence2 = IVAL(file_header, 0x8);
[97]	2555	ret_val->mtime.low = IVAL(file_header, 0xC);
	2556	ret_val->mtime.high = IVAL(file_header, 0x10);
[151]	2557	ret_val->major_version = IVAL(file_header, 0x14);
	2558	ret_val->minor_version = IVAL(file_header, 0x18);
	2559	ret_val->type = IVAL(file_header, 0x1C);
	2560	ret_val->format = IVAL(file_header, 0x20);
	2561	ret_val->root_cell = IVAL(file_header, 0x24);
[97]	2562	ret_val->last_block = IVAL(file_header, 0x28);
[151]	2563	ret_val->cluster = IVAL(file_header, 0x2C);
[97]	2564
[151]	2565	memcpy(ret_val->file_name, file_header+0x30, REGFI_REGF_NAME_SIZE);
	2566
	2567	/* XXX: Should we add a warning if these uuid parsers fail? Can they? */
	2568	ret_val->rm_id = winsec_parse_uuid(ret_val, file_header+0x70, 16);
	2569	ret_val->log_id = winsec_parse_uuid(ret_val, file_header+0x80, 16);
	2570	ret_val->flags = IVAL(file_header, 0x90);
	2571	ret_val->tm_id = winsec_parse_uuid(ret_val, file_header+0x94, 16);
	2572	ret_val->guid_signature = IVAL(file_header, 0xa4);
	2573
	2574	memcpy(ret_val->reserved1, file_header+0xa8, REGFI_REGF_RESERVED1_SIZE);
	2575	memcpy(ret_val->reserved2, file_header+0x200, REGFI_REGF_RESERVED2_SIZE);
	2576
	2577	ret_val->thaw_tm_id = winsec_parse_uuid(ret_val, file_header+0xFC8, 16);
	2578	ret_val->thaw_rm_id = winsec_parse_uuid(ret_val, file_header+0xFD8, 16);
	2579	ret_val->thaw_log_id = winsec_parse_uuid(ret_val, file_header+0xFE8, 16);
[152]	2580	ret_val->boot_type = IVAL(file_header, 0xFF8);
	2581	ret_val->boot_recover = IVAL(file_header, 0xFFC);
[151]	2582
[97]	2583	return ret_val;
[150]	2584
	2585	fail:
	2586	talloc_free(ret_val);
	2587	return NULL;
[97]	2588	}
	2589
	2590
	2591
[148]	2592	/******************************************************************************
[97]	2593	* Given real file offset, read and parse the hbin at that location
[110]	2594	* along with it's associated cells.
[148]	2595	******************************************************************************/
[168]	2596	REGFI_HBIN* regfi_parse_hbin(REGFI_FILE* file, uint32_t offset, bool strict)
[97]	2597	{
[181]	2598	REGFI_HBIN* hbin = NULL;
[168]	2599	uint8_t hbin_header[REGFI_HBIN_HEADER_SIZE];
	2600	uint32_t length;
[99]	2601
	2602	if(offset >= file->file_length)
[180]	2603	goto fail;
	2604
[186]	2605	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_hbin"))
[180]	2606	goto fail;
[97]	2607
[178]	2608	if(regfi_seek(file->cb, offset, SEEK_SET) == -1)
[137]	2609	{
[182]	2610	regfi_log_add(REGFI_LOG_ERROR, "Seek failed"
	2611	" while parsing hbin at offset 0x%.8X.", offset);
[180]	2612	goto fail_locked;
[137]	2613	}
[97]	2614
[135]	2615	length = REGFI_HBIN_HEADER_SIZE;
[178]	2616	if((regfi_read(file->cb, hbin_header, &length) != 0)
[135]	2617	\|\| length != REGFI_HBIN_HEADER_SIZE)
[182]	2618	{
	2619	regfi_log_add(REGFI_LOG_ERROR, "Read failed"
	2620	" while parsing hbin at offset 0x%.8X.", offset);
[180]	2621	goto fail_locked;
[182]	2622	}
[97]	2623
[186]	2624	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_hbin"))
[180]	2625	goto fail;
[97]	2626
[148]	2627	hbin = talloc(NULL, REGFI_HBIN);
	2628	if(hbin == NULL)
[180]	2629	goto fail;
[99]	2630	hbin->file_off = offset;
	2631
[97]	2632	memcpy(hbin->magic, hbin_header, 4);
	2633	if(strict && (memcmp(hbin->magic, "hbin", 4) != 0))
[99]	2634	{
[182]	2635	/* This always seems to happen at the end of a file, so we make it an INFO
	2636	* message, rather than something more serious.
	2637	*/
	2638	regfi_log_add(REGFI_LOG_INFO, "Magic number mismatch "
	2639	"(%.2X %.2X %.2X %.2X) while parsing hbin at offset"
	2640	" 0x%.8X.", hbin->magic[0], hbin->magic[1],
	2641	hbin->magic[2], hbin->magic[3], offset);
[180]	2642	goto fail;
[99]	2643	}
[97]	2644
	2645	hbin->first_hbin_off = IVAL(hbin_header, 0x4);
	2646	hbin->block_size = IVAL(hbin_header, 0x8);
[182]	2647	/* this should be the same thing as hbin->block_size, but just in case */
[97]	2648	hbin->next_block = IVAL(hbin_header, 0x1C);
	2649
	2650
	2651	/* Ensure the block size is a multiple of 0x1000 and doesn't run off
	2652	* the end of the file.
	2653	*/
[116]	2654	/* XXX: This may need to be relaxed for dealing with
	2655	* partial or corrupt files.
	2656	*/
[97]	2657	if((offset + hbin->block_size > file->file_length)
	2658	\|\| (hbin->block_size & 0xFFFFF000) != hbin->block_size)
[99]	2659	{
[182]	2660	regfi_log_add(REGFI_LOG_ERROR, "The hbin offset is not aligned"
	2661	" or runs off the end of the file"
	2662	" while parsing hbin at offset 0x%.8X.", offset);
[180]	2663	goto fail;
[99]	2664	}
[97]	2665
	2666	return hbin;
[180]	2667
	2668	fail_locked:
[186]	2669	regfi_unlock(file, &file->cb_lock, "regfi_parse_hbin");
[180]	2670	fail:
	2671	talloc_free(hbin);
	2672	return NULL;
[97]	2673	}
	2674
	2675
[126]	2676	/*******************************************************************
	2677	*******************************************************************/
[203]	2678	REGFI_NK* regfi_parse_nk(REGFI_FILE* file, uint32_t offset,
	2679	uint32_t max_size, bool strict)
[99]	2680	{
[168]	2681	uint8_t nk_header[REGFI_NK_MIN_LENGTH];
[203]	2682	REGFI_NK* ret_val;
[168]	2683	uint32_t length,cell_length;
[101]	2684	bool unalloc = false;
[99]	2685
[203]	2686	ret_val = talloc(NULL, REGFI_NK);
[180]	2687	if(ret_val == NULL)
	2688	{
[182]	2689	regfi_log_add(REGFI_LOG_ERROR, "Failed to allocate memory while"
	2690	" parsing NK record at offset 0x%.8X.", offset);
[180]	2691	goto fail;
	2692	}
	2693
[186]	2694	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_nk"))
[180]	2695	goto fail;
	2696
[178]	2697	if(!regfi_parse_cell(file->cb, offset, nk_header, REGFI_NK_MIN_LENGTH,
[101]	2698	&cell_length, &unalloc))
[137]	2699	{
[182]	2700	regfi_log_add(REGFI_LOG_WARN, "Could not parse cell header"
	2701	" while parsing NK record at offset 0x%.8X.", offset);
[180]	2702	goto fail_locked;
[137]	2703	}
	2704
[101]	2705	if((nk_header[0x0] != 'n') \|\| (nk_header[0x1] != 'k'))
[135]	2706	{
[182]	2707	regfi_log_add(REGFI_LOG_WARN, "Magic number mismatch in parsing"
	2708	" NK record at offset 0x%.8X.", offset);
[180]	2709	goto fail_locked;
[135]	2710	}
[99]	2711
[150]	2712	ret_val->values = NULL;
	2713	ret_val->subkeys = NULL;
[99]	2714	ret_val->offset = offset;
[101]	2715	ret_val->cell_size = cell_length;
	2716
[99]	2717	if(ret_val->cell_size > max_size)
	2718	ret_val->cell_size = max_size & 0xFFFFFFF8;
	2719	if((ret_val->cell_size < REGFI_NK_MIN_LENGTH)
[157]	2720	\|\| (strict && (ret_val->cell_size & 0x00000007) != 0))
[99]	2721	{
[182]	2722	regfi_log_add(REGFI_LOG_WARN, "A length check failed while"
	2723	" parsing NK record at offset 0x%.8X.", offset);
[180]	2724	goto fail_locked;
[99]	2725	}
	2726
[101]	2727	ret_val->magic[0] = nk_header[0x0];
	2728	ret_val->magic[1] = nk_header[0x1];
[161]	2729	ret_val->flags = SVAL(nk_header, 0x2);
[152]	2730
[161]	2731	if((ret_val->flags & ~REGFI_NK_KNOWN_FLAGS) != 0)
[99]	2732	{
[182]	2733	regfi_log_add(REGFI_LOG_WARN, "Unknown key flags (0x%.4X) while"
	2734	" parsing NK record at offset 0x%.8X.",
	2735	(ret_val->flags & ~REGFI_NK_KNOWN_FLAGS), offset);
[99]	2736	}
[101]	2737
	2738	ret_val->mtime.low = IVAL(nk_header, 0x4);
	2739	ret_val->mtime.high = IVAL(nk_header, 0x8);
[116]	2740	/* If the key is unallocated and the MTIME is earlier than Jan 1, 1990
	2741	* or later than Jan 1, 2290, we consider this a bad key. This helps
	2742	* weed out some false positives during deleted data recovery.
	2743	*/
	2744	if(unalloc
[178]	2745	&& (ret_val->mtime.high < REGFI_MTIME_MIN_HIGH
	2746	\|\| ret_val->mtime.high > REGFI_MTIME_MAX_HIGH))
[180]	2747	{ goto fail_locked; }
[116]	2748
[101]	2749	ret_val->unknown1 = IVAL(nk_header, 0xC);
	2750	ret_val->parent_off = IVAL(nk_header, 0x10);
	2751	ret_val->num_subkeys = IVAL(nk_header, 0x14);
	2752	ret_val->unknown2 = IVAL(nk_header, 0x18);
	2753	ret_val->subkeys_off = IVAL(nk_header, 0x1C);
	2754	ret_val->unknown3 = IVAL(nk_header, 0x20);
	2755	ret_val->num_values = IVAL(nk_header, 0x24);
	2756	ret_val->values_off = IVAL(nk_header, 0x28);
	2757	ret_val->sk_off = IVAL(nk_header, 0x2C);
	2758	ret_val->classname_off = IVAL(nk_header, 0x30);
[99]	2759
[101]	2760	ret_val->max_bytes_subkeyname = IVAL(nk_header, 0x34);
	2761	ret_val->max_bytes_subkeyclassname = IVAL(nk_header, 0x38);
	2762	ret_val->max_bytes_valuename = IVAL(nk_header, 0x3C);
	2763	ret_val->max_bytes_value = IVAL(nk_header, 0x40);
	2764	ret_val->unk_index = IVAL(nk_header, 0x44);
[99]	2765
[101]	2766	ret_val->name_length = SVAL(nk_header, 0x48);
	2767	ret_val->classname_length = SVAL(nk_header, 0x4A);
[206]	2768	ret_val->name = NULL;
[99]	2769
	2770	if(ret_val->name_length + REGFI_NK_MIN_LENGTH > ret_val->cell_size)
[101]	2771	{
	2772	if(strict)
	2773	{
[182]	2774	regfi_log_add(REGFI_LOG_ERROR, "Contents too large for cell"
	2775	" while parsing NK record at offset 0x%.8X.", offset);
[180]	2776	goto fail_locked;
[101]	2777	}
	2778	else
	2779	ret_val->name_length = ret_val->cell_size - REGFI_NK_MIN_LENGTH;
	2780	}
	2781	else if (unalloc)
	2782	{ /* Truncate cell_size if it's much larger than the apparent total record length. */
	2783	/* Round up to the next multiple of 8 */
	2784	length = (ret_val->name_length + REGFI_NK_MIN_LENGTH) & 0xFFFFFFF8;
	2785	if(length < ret_val->name_length + REGFI_NK_MIN_LENGTH)
	2786	length+=8;
[99]	2787
[101]	2788	/* If cell_size is still greater, truncate. */
	2789	if(length < ret_val->cell_size)
	2790	ret_val->cell_size = length;
	2791	}
	2792
[206]	2793	/* +1 to length in case we decided to use this directly as a string later */
	2794	ret_val->name_raw = talloc_array(ret_val, uint8_t, ret_val->name_length+1);
	2795	if(ret_val->name_raw == NULL)
[180]	2796	goto fail_locked;
[99]	2797
	2798	/* Don't need to seek, should be at the right offset */
	2799	length = ret_val->name_length;
[206]	2800	if((regfi_read(file->cb, (uint8_t*)ret_val->name_raw, &length) != 0)
[99]	2801	\|\| length != ret_val->name_length)
	2802	{
[182]	2803	regfi_log_add(REGFI_LOG_ERROR, "Failed to read key name"
	2804	" while parsing NK record at offset 0x%.8X.", offset);
[180]	2805	goto fail_locked;
[99]	2806	}
	2807
[186]	2808	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_nk"))
[180]	2809	goto fail;
	2810
[126]	2811	return ret_val;
[180]	2812
	2813	fail_locked:
[186]	2814	regfi_unlock(file, &file->cb_lock, "regfi_parse_nk");
[180]	2815	fail:
	2816	talloc_free(ret_val);
	2817	return NULL;
[126]	2818	}
	2819
	2820
[168]	2821	uint8_t* regfi_parse_classname(REGFI_FILE* file, uint32_t offset,
[206]	2822	uint16_t* name_length, uint32_t max_size, bool strict)
[126]	2823	{
[168]	2824	uint8_t* ret_val = NULL;
	2825	uint32_t length;
	2826	uint32_t cell_length;
[126]	2827	bool unalloc = false;
	2828
[180]	2829	if(*name_length <= 0 \|\| offset == REGFI_OFFSET_NONE
	2830	\|\| (offset & 0x00000007) != 0)
	2831	{ goto fail; }
	2832
[186]	2833	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_classname"))
[180]	2834	goto fail;
	2835
	2836	if(!regfi_parse_cell(file->cb, offset, NULL, 0, &cell_length, &unalloc))
[131]	2837	{
[182]	2838	regfi_log_add(REGFI_LOG_WARN, "Could not parse cell header"
	2839	" while parsing class name at offset 0x%.8X.", offset);
[180]	2840	goto fail_locked;
	2841	}
	2842
	2843	if((cell_length & 0x0000007) != 0)
	2844	{
[182]	2845	regfi_log_add(REGFI_LOG_ERROR, "Cell length not a multiple of 8"
	2846	" while parsing class name at offset 0x%.8X.", offset);
[180]	2847	goto fail_locked;
	2848	}
	2849
	2850	if(cell_length > max_size)
	2851	{
[182]	2852	regfi_log_add(REGFI_LOG_WARN, "Cell stretches past hbin "
	2853	"boundary while parsing class name at offset 0x%.8X.",
	2854	offset);
[180]	2855	if(strict)
	2856	goto fail_locked;
	2857	cell_length = max_size;
	2858	}
	2859
	2860	if((cell_length - 4) < *name_length)
	2861	{
[182]	2862	regfi_log_add(REGFI_LOG_WARN, "Class name is larger than"
	2863	" cell_length while parsing class name at offset"
	2864	" 0x%.8X.", offset);
[180]	2865	if(strict)
	2866	goto fail_locked;
	2867	*name_length = cell_length - 4;
	2868	}
	2869
	2870	ret_val = talloc_array(NULL, uint8_t, *name_length);
	2871	if(ret_val != NULL)
	2872	{
	2873	length = *name_length;
	2874	if((regfi_read(file->cb, ret_val, &length) != 0)
	2875	\|\| length != *name_length)
[137]	2876	{
[182]	2877	regfi_log_add(REGFI_LOG_ERROR, "Could not read class name"
	2878	" while parsing class name at offset 0x%.8X.", offset);
[180]	2879	goto fail_locked;
[137]	2880	}
[180]	2881	}
[126]	2882
[186]	2883	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_classname"))
[180]	2884	goto fail;
[137]	2885
[180]	2886	return ret_val;
[131]	2887
[180]	2888	fail_locked:
[186]	2889	regfi_unlock(file, &file->cb_lock, "regfi_parse_classname");
[180]	2890	fail:
	2891	talloc_free(ret_val);
	2892	return NULL;
[99]	2893	}
	2894
	2895
[152]	2896	/******************************************************************************
	2897	*******************************************************************************/
[203]	2898	REGFI_VK* regfi_parse_vk(REGFI_FILE* file, uint32_t offset,
[168]	2899	uint32_t max_size, bool strict)
[97]	2900	{
[203]	2901	REGFI_VK* ret_val;
[168]	2902	uint8_t vk_header[REGFI_VK_MIN_LENGTH];
	2903	uint32_t raw_data_size, length, cell_length;
[101]	2904	bool unalloc = false;
[97]	2905
[203]	2906	ret_val = talloc(NULL, REGFI_VK);
[180]	2907	if(ret_val == NULL)
	2908	goto fail;
	2909
[186]	2910	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_nk"))
[180]	2911	goto fail;
	2912
[178]	2913	if(!regfi_parse_cell(file->cb, offset, vk_header, REGFI_VK_MIN_LENGTH,
[101]	2914	&cell_length, &unalloc))
[137]	2915	{
[182]	2916	regfi_log_add(REGFI_LOG_WARN, "Could not parse cell header"
	2917	" while parsing VK record at offset 0x%.8X.", offset);
[180]	2918	goto fail_locked;
[137]	2919	}
[111]	2920
[101]	2921	ret_val->offset = offset;
	2922	ret_val->cell_size = cell_length;
[206]	2923	ret_val->name = NULL;
	2924	ret_val->name_raw = NULL;
[150]	2925
[101]	2926	if(ret_val->cell_size > max_size)
	2927	ret_val->cell_size = max_size & 0xFFFFFFF8;
	2928	if((ret_val->cell_size < REGFI_VK_MIN_LENGTH)
[157]	2929	\|\| (ret_val->cell_size & 0x00000007) != 0)
[97]	2930	{
[182]	2931	regfi_log_add(REGFI_LOG_WARN, "Invalid cell size encountered"
	2932	" while parsing VK record at offset 0x%.8X.", offset);
[180]	2933	goto fail_locked;
[101]	2934	}
[97]	2935
[101]	2936	ret_val->magic[0] = vk_header[0x0];
	2937	ret_val->magic[1] = vk_header[0x1];
	2938	if((ret_val->magic[0] != 'v') \|\| (ret_val->magic[1] != 'k'))
	2939	{
[124]	2940	/* XXX: This does not account for deleted keys under Win2K which
	2941	* often have this (and the name length) overwritten with
	2942	* 0xFFFF.
	2943	*/
[182]	2944	regfi_log_add(REGFI_LOG_WARN, "Magic number mismatch"
	2945	" while parsing VK record at offset 0x%.8X.", offset);
[180]	2946	goto fail_locked;
[101]	2947	}
	2948
	2949	ret_val->name_length = SVAL(vk_header, 0x2);
	2950	raw_data_size = IVAL(vk_header, 0x4);
[135]	2951	ret_val->data_size = raw_data_size & ~REGFI_VK_DATA_IN_OFFSET;
[157]	2952	/* The data is typically stored in the offset if the size <= 4,
	2953	* in which case this flag is set.
	2954	*/
[135]	2955	ret_val->data_in_offset = (bool)(raw_data_size & REGFI_VK_DATA_IN_OFFSET);
[101]	2956	ret_val->data_off = IVAL(vk_header, 0x8);
	2957	ret_val->type = IVAL(vk_header, 0xC);
[162]	2958	ret_val->flags = SVAL(vk_header, 0x10);
[101]	2959	ret_val->unknown1 = SVAL(vk_header, 0x12);
	2960
[162]	2961	if(ret_val->name_length > 0)
[101]	2962	{
[113]	2963	if(ret_val->name_length + REGFI_VK_MIN_LENGTH + 4 > ret_val->cell_size)
[101]	2964	{
[182]	2965	regfi_log_add(REGFI_LOG_WARN, "Name too long for remaining cell"
	2966	" space while parsing VK record at offset 0x%.8X.",
	2967	offset);
[101]	2968	if(strict)
[180]	2969	goto fail_locked;
[101]	2970	else
[113]	2971	ret_val->name_length = ret_val->cell_size - REGFI_VK_MIN_LENGTH - 4;
[101]	2972	}
	2973
	2974	/* Round up to the next multiple of 8 */
[113]	2975	cell_length = (ret_val->name_length + REGFI_VK_MIN_LENGTH + 4) & 0xFFFFFFF8;
	2976	if(cell_length < ret_val->name_length + REGFI_VK_MIN_LENGTH + 4)
	2977	cell_length+=8;
[101]	2978
[206]	2979	/* +1 to length in case we decided to use this directly as a string later */
	2980	ret_val->name_raw = talloc_array(ret_val, uint8_t, ret_val->name_length+1);
	2981	if(ret_val->name_raw == NULL)
[180]	2982	goto fail_locked;
[113]	2983
[101]	2984	length = ret_val->name_length;
[206]	2985	if((regfi_read(file->cb, (uint8_t*)ret_val->name_raw, &length) != 0)
[101]	2986	\|\| length != ret_val->name_length)
	2987	{
[182]	2988	regfi_log_add(REGFI_LOG_ERROR, "Could not read value name"
	2989	" while parsing VK record at offset 0x%.8X.", offset);
[180]	2990	goto fail_locked;
[101]	2991	}
	2992	}
	2993	else
[113]	2994	cell_length = REGFI_VK_MIN_LENGTH + 4;
[101]	2995
[186]	2996	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_nk"))
[180]	2997	goto fail;
	2998
[101]	2999	if(unalloc)
	3000	{
	3001	/* If cell_size is still greater, truncate. */
[113]	3002	if(cell_length < ret_val->cell_size)
	3003	ret_val->cell_size = cell_length;
[101]	3004	}
	3005
	3006	return ret_val;
[180]	3007
	3008	fail_locked:
[186]	3009	regfi_unlock(file, &file->cb_lock, "regfi_parse_vk");
[180]	3010	fail:
	3011	talloc_free(ret_val);
	3012	return NULL;
[97]	3013	}
[101]	3014
	3015
[152]	3016	/******************************************************************************
[157]	3017	*
	3018	******************************************************************************/
[168]	3019	REGFI_BUFFER regfi_load_data(REGFI_FILE* file, uint32_t voffset,
	3020	uint32_t length, bool data_in_offset,
[157]	3021	bool strict)
[101]	3022	{
[151]	3023	REGFI_BUFFER ret_val;
[168]	3024	uint32_t cell_length, offset;
	3025	int32_t max_size;
[101]	3026	bool unalloc;
[151]	3027
[159]	3028	/* Microsoft's documentation indicates that "available memory" is
[165]	3029	* the limit on value sizes for the more recent registry format version.
	3030	* This is not only annoying, but it's probably also incorrect, since clearly
	3031	* value data sizes are limited to 2^31 (high bit used as a flag) and even
	3032	* with big data records, the apparent max size is:
	3033	* 16344 * 2^16 = 1071104040 (~1GB).
	3034	*
	3035	* We choose to limit it to 1M which was the limit in older versions and
	3036	* should rarely be exceeded unless the file is corrupt or malicious.
	3037	* For more info, see:
	3038	* http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
[159]	3039	*/
[160]	3040	/* XXX: add way to skip this check at user discression. */
	3041	if(length > REGFI_VK_MAX_DATA_LENGTH)
[159]	3042	{
[182]	3043	regfi_log_add(REGFI_LOG_WARN, "Value data size %d larger than "
	3044	"%d, truncating...", length, REGFI_VK_MAX_DATA_LENGTH);
[160]	3045	length = REGFI_VK_MAX_DATA_LENGTH;
[159]	3046	}
	3047
[145]	3048	if(data_in_offset)
[157]	3049	return regfi_parse_little_data(file, voffset, length, strict);
	3050	else
[101]	3051	{
[157]	3052	offset = voffset + REGFI_REGF_SIZE;
	3053	max_size = regfi_calc_maxsize(file, offset);
	3054	if(max_size < 0)
[137]	3055	{
[182]	3056	regfi_log_add(REGFI_LOG_WARN, "Could not find HBIN for data"
	3057	" at offset 0x%.8X.", offset);
[151]	3058	goto fail;
[137]	3059	}
[157]	3060
[186]	3061	if(!regfi_lock(file, &file->cb_lock, "regfi_load_data"))
[180]	3062	goto fail;
	3063
[178]	3064	if(!regfi_parse_cell(file->cb, offset, NULL, 0,
[101]	3065	&cell_length, &unalloc))
[137]	3066	{
[182]	3067	regfi_log_add(REGFI_LOG_WARN, "Could not parse cell while"
	3068	" parsing data record at offset 0x%.8X.", offset);
[180]	3069	goto fail_locked;
[137]	3070	}
[111]	3071
[186]	3072	if(!regfi_unlock(file, &file->cb_lock, "regfi_load_data"))
[180]	3073	goto fail;
	3074
[157]	3075	if((cell_length & 0x00000007) != 0)
[137]	3076	{
[182]	3077	regfi_log_add(REGFI_LOG_WARN, "Cell length not multiple of 8"
	3078	" while parsing data record at offset 0x%.8X.",
	3079	offset);
[151]	3080	goto fail;
[137]	3081	}
[101]	3082
[131]	3083	if(cell_length > max_size)
	3084	{
[182]	3085	regfi_log_add(REGFI_LOG_WARN, "Cell extends past HBIN boundary"
	3086	" while parsing data record at offset 0x%.8X.",
	3087	offset);
[157]	3088	goto fail;
[131]	3089	}
	3090
[101]	3091	if(cell_length - 4 < length)
	3092	{
[155]	3093	/* XXX: All big data records thus far have been 16 bytes long.
	3094	* Should we check for this precise size instead of just
	3095	* relying upon the above check?
	3096	*/
[152]	3097	if (file->major_version >= 1 && file->minor_version >= 5)
	3098	{
	3099	/* Attempt to parse a big data record */
[157]	3100	return regfi_load_big_data(file, offset, length, cell_length,
	3101	NULL, strict);
[152]	3102	}
[101]	3103	else
[152]	3104	{
[182]	3105	regfi_log_add(REGFI_LOG_WARN, "Data length (0x%.8X) larger than"
	3106	" remaining cell length (0x%.8X)"
	3107	" while parsing data record at offset 0x%.8X.",
	3108	length, cell_length - 4, offset);
[152]	3109	if(strict)
	3110	goto fail;
	3111	else
	3112	length = cell_length - 4;
	3113	}
[101]	3114	}
	3115
[157]	3116	ret_val = regfi_parse_data(file, offset, length, strict);
[101]	3117	}
	3118
	3119	return ret_val;
[151]	3120
[180]	3121	fail_locked:
[186]	3122	regfi_unlock(file, &file->cb_lock, "regfi_load_data");
[151]	3123	fail:
	3124	ret_val.buf = NULL;
	3125	ret_val.len = 0;
	3126	return ret_val;
[101]	3127	}
[110]	3128
	3129
[152]	3130	/******************************************************************************
[157]	3131	* Parses the common case data records stored in a single cell.
	3132	******************************************************************************/
[168]	3133	REGFI_BUFFER regfi_parse_data(REGFI_FILE* file, uint32_t offset,
	3134	uint32_t length, bool strict)
[157]	3135	{
	3136	REGFI_BUFFER ret_val;
[168]	3137	uint32_t read_length;
[157]	3138
	3139	ret_val.buf = NULL;
	3140	ret_val.len = 0;
	3141
[180]	3142	if((ret_val.buf = talloc_array(NULL, uint8_t, length)) == NULL)
	3143	goto fail;
	3144	ret_val.len = length;
	3145
[186]	3146	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_data"))
[180]	3147	goto fail;
	3148
[178]	3149	if(regfi_seek(file->cb, offset+4, SEEK_SET) == -1)
[157]	3150	{
[182]	3151	regfi_log_add(REGFI_LOG_WARN, "Could not seek while "
	3152	"reading data at offset 0x%.8X.", offset);
[180]	3153	goto fail_locked;
[157]	3154	}
	3155
	3156	read_length = length;
[178]	3157	if((regfi_read(file->cb, ret_val.buf, &read_length) != 0)
[157]	3158	\|\| read_length != length)
	3159	{
[182]	3160	regfi_log_add(REGFI_LOG_ERROR, "Could not read data block while"
	3161	" parsing data record at offset 0x%.8X.", offset);
[180]	3162	goto fail_locked;
[157]	3163	}
	3164
[186]	3165	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_data"))
[180]	3166	goto fail;
	3167
[157]	3168	return ret_val;
[180]	3169
	3170	fail_locked:
[186]	3171	regfi_unlock(file, &file->cb_lock, "regfi_parse_data");
[180]	3172	fail:
	3173	talloc_free(ret_val.buf);
	3174	ret_val.buf = NULL;
	3175	ret_val.buf = 0;
	3176	return ret_val;
[157]	3177	}
	3178
	3179
	3180
	3181	/******************************************************************************
	3182	*
	3183	******************************************************************************/
[168]	3184	REGFI_BUFFER regfi_parse_little_data(REGFI_FILE* file, uint32_t voffset,
	3185	uint32_t length, bool strict)
[157]	3186	{
[173]	3187	uint8_t i;
[157]	3188	REGFI_BUFFER ret_val;
	3189
	3190	ret_val.buf = NULL;
	3191	ret_val.len = 0;
	3192
	3193	if(length > 4)
	3194	{
[182]	3195	regfi_log_add(REGFI_LOG_ERROR, "Data in offset but length > 4"
	3196	" while parsing data record. (voffset=0x%.8X, length=%d)",
	3197	voffset, length);
[157]	3198	return ret_val;
	3199	}
	3200
[168]	3201	if((ret_val.buf = talloc_array(NULL, uint8_t, length)) == NULL)
[157]	3202	return ret_val;
	3203	ret_val.len = length;
	3204
	3205	for(i = 0; i < length; i++)
[168]	3206	ret_val.buf[i] = (uint8_t)((voffset >> i*8) & 0xFF);
[157]	3207
	3208	return ret_val;
	3209	}
	3210
	3211	/******************************************************************************
[152]	3212	*******************************************************************************/
[168]	3213	REGFI_BUFFER regfi_parse_big_data_header(REGFI_FILE* file, uint32_t offset,
	3214	uint32_t max_size, bool strict)
[152]	3215	{
	3216	REGFI_BUFFER ret_val;
[168]	3217	uint32_t cell_length;
[152]	3218	bool unalloc;
[157]	3219
	3220	/* XXX: do something with unalloc? */
[168]	3221	ret_val.buf = (uint8_t*)talloc_array(NULL, uint8_t, REGFI_BIG_DATA_MIN_LENGTH);
[157]	3222	if(ret_val.buf == NULL)
[152]	3223	goto fail;
	3224
[157]	3225	if(REGFI_BIG_DATA_MIN_LENGTH > max_size)
	3226	{
[182]	3227	regfi_log_add(REGFI_LOG_WARN, "Big data header exceeded max_size "
	3228	"while parsing big data header at offset 0x%.8X.",offset);
[157]	3229	goto fail;
	3230	}
	3231
[186]	3232	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_big_data_header"))
[180]	3233	goto fail;
	3234
	3235
[178]	3236	if(!regfi_parse_cell(file->cb, offset, ret_val.buf, REGFI_BIG_DATA_MIN_LENGTH,
[152]	3237	&cell_length, &unalloc))
	3238	{
[182]	3239	regfi_log_add(REGFI_LOG_WARN, "Could not parse cell while"
	3240	" parsing big data header at offset 0x%.8X.", offset);
[180]	3241	goto fail_locked;
[152]	3242	}
[157]	3243
[186]	3244	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_header"))
[180]	3245	goto fail;
	3246
[157]	3247	if((ret_val.buf[0] != 'd') \|\| (ret_val.buf[1] != 'b'))
[152]	3248	{
[182]	3249	regfi_log_add(REGFI_LOG_WARN, "Unknown magic number"
	3250	" (0x%.2X, 0x%.2X) encountered while parsing"
	3251	" big data header at offset 0x%.8X.",
	3252	ret_val.buf[0], ret_val.buf[1], offset);
[152]	3253	goto fail;
	3254	}
	3255
[157]	3256	ret_val.len = REGFI_BIG_DATA_MIN_LENGTH;
	3257	return ret_val;
	3258
[180]	3259	fail_locked:
[186]	3260	regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_header");
[157]	3261	fail:
[180]	3262	talloc_free(ret_val.buf);
	3263	ret_val.buf = NULL;
[157]	3264	ret_val.len = 0;
	3265	return ret_val;
	3266	}
	3267
	3268
	3269
	3270	/******************************************************************************
	3271	*
	3272	******************************************************************************/
[168]	3273	uint32_t* regfi_parse_big_data_indirect(REGFI_FILE* file, uint32_t offset,
	3274	uint16_t num_chunks, bool strict)
[157]	3275	{
[168]	3276	uint32_t* ret_val;
	3277	uint32_t indirect_length;
	3278	int32_t max_size;
	3279	uint16_t i;
[157]	3280	bool unalloc;
	3281
	3282	/* XXX: do something with unalloc? */
	3283
	3284	max_size = regfi_calc_maxsize(file, offset);
[168]	3285	if((max_size < 0) \|\| (num_chunks*sizeof(uint32_t) + 4 > max_size))
[157]	3286	return NULL;
	3287
[168]	3288	ret_val = (uint32_t*)talloc_array(NULL, uint32_t, num_chunks);
[157]	3289	if(ret_val == NULL)
[152]	3290	goto fail;
	3291
[186]	3292	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_big_data_indirect"))
[180]	3293	goto fail;
	3294
[178]	3295	if(!regfi_parse_cell(file->cb, offset, (uint8_t*)ret_val,
[168]	3296	num_chunks*sizeof(uint32_t),
[152]	3297	&indirect_length, &unalloc))
	3298	{
[182]	3299	regfi_log_add(REGFI_LOG_WARN, "Could not parse cell while"
	3300	" parsing big data indirect record at offset 0x%.8X.",
	3301	offset);
[180]	3302	goto fail_locked;
[152]	3303	}
[157]	3304
[186]	3305	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_indirect"))
[180]	3306	goto fail;
	3307
[157]	3308	/* Convert pointers to proper endianess, verify they are aligned. */
	3309	for(i=0; i<num_chunks; i++)
[152]	3310	{
[168]	3311	ret_val[i] = IVAL(ret_val, i*sizeof(uint32_t));
[157]	3312	if((ret_val[i] & 0x00000007) != 0)
	3313	goto fail;
[152]	3314	}
[157]	3315
	3316	return ret_val;
[152]	3317
[180]	3318	fail_locked:
[186]	3319	regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_indirect");
[157]	3320	fail:
[180]	3321	talloc_free(ret_val);
[157]	3322	return NULL;
	3323	}
	3324
	3325
	3326	/******************************************************************************
	3327	* Arguments:
	3328	* file --
	3329	* offsets -- list of virtual offsets.
	3330	* num_chunks --
	3331	* strict --
	3332	*
	3333	* Returns:
	3334	* A range_list with physical offsets and complete lengths
	3335	* (including cell headers) of associated cells.
	3336	* No data in range_list elements.
	3337	******************************************************************************/
[168]	3338	range_list* regfi_parse_big_data_cells(REGFI_FILE* file, uint32_t* offsets,
	3339	uint16_t num_chunks, bool strict)
[157]	3340	{
[168]	3341	uint32_t cell_length, chunk_offset;
[157]	3342	range_list* ret_val;
[168]	3343	uint16_t i;
[157]	3344	bool unalloc;
	3345
	3346	/* XXX: do something with unalloc? */
	3347	ret_val = range_list_new();
	3348	if(ret_val == NULL)
	3349	goto fail;
	3350
[166]	3351	for(i=0; i<num_chunks; i++)
[152]	3352	{
[186]	3353	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_big_data_cells"))
[180]	3354	goto fail;
	3355
[157]	3356	chunk_offset = offsets[i]+REGFI_REGF_SIZE;
[178]	3357	if(!regfi_parse_cell(file->cb, chunk_offset, NULL, 0,
[157]	3358	&cell_length, &unalloc))
[152]	3359	{
[182]	3360	regfi_log_add(REGFI_LOG_WARN, "Could not parse cell while"
	3361	" parsing big data chunk at offset 0x%.8X.",
	3362	chunk_offset);
[180]	3363	goto fail_locked;
[152]	3364	}
	3365
[186]	3366	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_cells"))
[180]	3367	goto fail;
	3368
[157]	3369	if(!range_list_add(ret_val, chunk_offset, cell_length, NULL))
	3370	goto fail;
	3371	}
	3372
	3373	return ret_val;
	3374
[180]	3375	fail_locked:
[186]	3376	regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_cells");
[157]	3377	fail:
	3378	if(ret_val != NULL)
	3379	range_list_free(ret_val);
	3380	return NULL;
	3381	}
	3382
	3383
	3384	/******************************************************************************
	3385	*******************************************************************************/
	3386	REGFI_BUFFER regfi_load_big_data(REGFI_FILE* file,
[168]	3387	uint32_t offset, uint32_t data_length,
	3388	uint32_t cell_length, range_list* used_ranges,
[157]	3389	bool strict)
	3390	{
	3391	REGFI_BUFFER ret_val;
[168]	3392	uint16_t num_chunks, i;
	3393	uint32_t read_length, data_left, tmp_len, indirect_offset;
	3394	uint32_t* indirect_ptrs = NULL;
[157]	3395	REGFI_BUFFER bd_header;
	3396	range_list* bd_cells = NULL;
	3397	const range_list_element* cell_info;
	3398
	3399	ret_val.buf = NULL;
	3400
	3401	/* XXX: Add better error/warning messages */
	3402
	3403	bd_header = regfi_parse_big_data_header(file, offset, cell_length, strict);
	3404	if(bd_header.buf == NULL)
	3405	goto fail;
	3406
	3407	/* Keep track of used space for use by reglookup-recover */
	3408	if(used_ranges != NULL)
	3409	if(!range_list_add(used_ranges, offset, cell_length, NULL))
	3410	goto fail;
	3411
	3412	num_chunks = SVAL(bd_header.buf, 0x2);
	3413	indirect_offset = IVAL(bd_header.buf, 0x4) + REGFI_REGF_SIZE;
	3414	talloc_free(bd_header.buf);
	3415
	3416	indirect_ptrs = regfi_parse_big_data_indirect(file, indirect_offset,
	3417	num_chunks, strict);
	3418	if(indirect_ptrs == NULL)
	3419	goto fail;
	3420
	3421	if(used_ranges != NULL)
	3422	if(!range_list_add(used_ranges, indirect_offset, num_chunks*4+4, NULL))
	3423	goto fail;
	3424
	3425	if((ret_val.buf = talloc_array(NULL, uint8_t, data_length)) == NULL)
	3426	goto fail;
	3427	data_left = data_length;
	3428
	3429	bd_cells = regfi_parse_big_data_cells(file, indirect_ptrs, num_chunks, strict);
	3430	if(bd_cells == NULL)
	3431	goto fail;
	3432
	3433	talloc_free(indirect_ptrs);
	3434	indirect_ptrs = NULL;
	3435
	3436	for(i=0; (i<num_chunks) && (data_left>0); i++)
	3437	{
	3438	cell_info = range_list_get(bd_cells, i);
	3439	if(cell_info == NULL)
	3440	goto fail;
	3441
	3442	/* XXX: This should be "cell_info->length-4" to account for the 4 byte cell
[154]	3443	* length. However, it has been observed that some (all?) chunks
	3444	* have an additional 4 bytes of 0 at the end of their cells that
	3445	* isn't part of the data, so we're trimming that off too.
[157]	3446	* Perhaps it's just an 8 byte alignment requirement...
[154]	3447	*/
[157]	3448	if(cell_info->length - 8 >= data_left)
	3449	{
	3450	if(i+1 != num_chunks)
	3451	{
[182]	3452	regfi_log_add(REGFI_LOG_WARN, "Left over chunks detected "
	3453	"while constructing big data at offset 0x%.8X "
	3454	"(chunk offset 0x%.8X).", offset, cell_info->offset);
[157]	3455	}
[152]	3456	read_length = data_left;
[157]	3457	}
[152]	3458	else
[157]	3459	read_length = cell_info->length - 8;
[152]	3460
[157]	3461
	3462	if(read_length > regfi_calc_maxsize(file, cell_info->offset))
	3463	{
[182]	3464	regfi_log_add(REGFI_LOG_WARN, "A chunk exceeded the maxsize "
	3465	"while constructing big data at offset 0x%.8X "
	3466	"(chunk offset 0x%.8X).", offset, cell_info->offset);
[157]	3467	goto fail;
	3468	}
	3469
[186]	3470	if(!regfi_lock(file, &file->cb_lock, "regfi_load_big_data"))
[180]	3471	goto fail;
	3472
[178]	3473	if(regfi_seek(file->cb, cell_info->offset+sizeof(uint32_t), SEEK_SET) == -1)
[157]	3474	{
[182]	3475	regfi_log_add(REGFI_LOG_WARN, "Could not seek to chunk while "
	3476	"constructing big data at offset 0x%.8X "
	3477	"(chunk offset 0x%.8X).", offset, cell_info->offset);
[180]	3478	goto fail_locked;
[157]	3479	}
	3480
	3481	tmp_len = read_length;
[178]	3482	if(regfi_read(file->cb, ret_val.buf+(data_length-data_left),
[157]	3483	&read_length) != 0 \|\| (read_length != tmp_len))
[152]	3484	{
[182]	3485	regfi_log_add(REGFI_LOG_WARN, "Could not read data chunk while"
	3486	" constructing big data at offset 0x%.8X"
	3487	" (chunk offset 0x%.8X).", offset, cell_info->offset);
[180]	3488	goto fail_locked;
[152]	3489	}
	3490
[186]	3491	if(!regfi_unlock(file, &file->cb_lock, "regfi_load_big_data"))
[180]	3492	goto fail;
	3493
[157]	3494	if(used_ranges != NULL)
	3495	if(!range_list_add(used_ranges, cell_info->offset,cell_info->length,NULL))
	3496	goto fail;
	3497
[152]	3498	data_left -= read_length;
	3499	}
[157]	3500	range_list_free(bd_cells);
	3501
[152]	3502	ret_val.len = data_length-data_left;
	3503	return ret_val;
	3504
[180]	3505	fail_locked:
[186]	3506	regfi_unlock(file, &file->cb_lock, "regfi_load_big_data");
[152]	3507	fail:
[180]	3508	talloc_free(ret_val.buf);
	3509	talloc_free(indirect_ptrs);
[157]	3510	if(bd_cells != NULL)
	3511	range_list_free(bd_cells);
[152]	3512	ret_val.buf = NULL;
	3513	ret_val.len = 0;
	3514	return ret_val;
	3515	}
	3516
	3517
[135]	3518	range_list* regfi_parse_unalloc_cells(REGFI_FILE* file)
[110]	3519	{
	3520	range_list* ret_val;
[135]	3521	REGFI_HBIN* hbin;
[110]	3522	const range_list_element* hbins_elem;
[168]	3523	uint32_t i, num_hbins, curr_off, cell_len;
[110]	3524	bool is_unalloc;
	3525
	3526	ret_val = range_list_new();
	3527	if(ret_val == NULL)
	3528	return NULL;
	3529
[186]	3530	if(!regfi_read_lock(file, &file->hbins_lock, "regfi_parse_unalloc_cells"))
[180]	3531	{
	3532	range_list_free(ret_val);
	3533	return NULL;
	3534	}
	3535
[110]	3536	num_hbins = range_list_size(file->hbins);
	3537	for(i=0; i<num_hbins; i++)
	3538	{
	3539	hbins_elem = range_list_get(file->hbins, i);
	3540	if(hbins_elem == NULL)
	3541	break;
[135]	3542	hbin = (REGFI_HBIN*)hbins_elem->data;
[110]	3543
[135]	3544	curr_off = REGFI_HBIN_HEADER_SIZE;
[110]	3545	while(curr_off < hbin->block_size)
	3546	{
[186]	3547	if(!regfi_lock(file, &file->cb_lock, "regfi_parse_unalloc_cells"))
[180]	3548	break;
	3549
[178]	3550	if(!regfi_parse_cell(file->cb, hbin->file_off+curr_off, NULL, 0,
[110]	3551	&cell_len, &is_unalloc))
[180]	3552	{
[186]	3553	regfi_unlock(file, &file->cb_lock, "regfi_parse_unalloc_cells");
[110]	3554	break;
[180]	3555	}
	3556
[186]	3557	if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_unalloc_cells"))
[180]	3558	break;
	3559
[157]	3560	if((cell_len == 0) \|\| ((cell_len & 0x00000007) != 0))
[140]	3561	{
[182]	3562	regfi_log_add(REGFI_LOG_ERROR, "Bad cell length encountered"
	3563	" while parsing unallocated cells at offset 0x%.8X.",
	3564	hbin->file_off+curr_off);
[110]	3565	break;
[140]	3566	}
	3567
[110]	3568	/* for some reason the record_size of the last record in
	3569	an hbin block can extend past the end of the block
	3570	even though the record fits within the remaining
	3571	space....aaarrrgggghhhhhh */
	3572	if(curr_off + cell_len >= hbin->block_size)
	3573	cell_len = hbin->block_size - curr_off;
	3574
	3575	if(is_unalloc)
	3576	range_list_add(ret_val, hbin->file_off+curr_off,
	3577	cell_len, NULL);
	3578
	3579	curr_off = curr_off+cell_len;
	3580	}
	3581	}
	3582
[186]	3583	if(!regfi_rw_unlock(file, &file->hbins_lock, "regfi_parse_unalloc_cells"))
[180]	3584	{
	3585	range_list_free(ret_val);
	3586	return NULL;
	3587	}
	3588
[110]	3589	return ret_val;
	3590	}
[168]	3591
	3592
	3593	/* From lib/time.c */
	3594
	3595	/****************************************************************************
	3596	Put a 8 byte filetime from a time_t
	3597	This takes real GMT as input and converts to kludge-GMT
	3598	****************************************************************************/
	3599	void regfi_unix2nt_time(REGFI_NTTIME *nt, time_t t)
	3600	{
	3601	double d;
	3602
	3603	if (t==0)
	3604	{
	3605	nt->low = 0;
	3606	nt->high = 0;
	3607	return;
	3608	}
	3609
	3610	if (t == TIME_T_MAX)
	3611	{
	3612	nt->low = 0xffffffff;
	3613	nt->high = 0x7fffffff;
	3614	return;
	3615	}
	3616
	3617	if (t == -1)
	3618	{
	3619	nt->low = 0xffffffff;
	3620	nt->high = 0xffffffff;
	3621	return;
	3622	}
	3623
	3624	/* this converts GMT to kludge-GMT */
	3625	/* XXX: This was removed due to difficult dependency requirements.
	3626	* So far, times appear to be correct without this adjustment, but
	3627	* that may be proven wrong with adequate testing.
	3628	*/
	3629	/* t -= TimeDiff(t) - get_serverzone(); */
	3630
	3631	d = (double)(t);
	3632	d += TIME_FIXUP_CONSTANT;
	3633	d *= 1.0e7;
	3634
	3635	nt->high = (uint32_t)(d * (1.0/(4.0*(double)(1<<30))));
	3636	nt->low = (uint32_t)(d - ((double)nt->high)4.0(double)(1<<30));
	3637	}
	3638
	3639
	3640	/****************************************************************************
	3641	Interpret an 8 byte "filetime" structure to a time_t
	3642	It's originally in "100ns units since jan 1st 1601"
	3643
	3644	An 8 byte value of 0xffffffffffffffff will be returned as (time_t)0.
	3645
	3646	It appears to be kludge-GMT (at least for file listings). This means
	3647	its the GMT you get by taking a localtime and adding the
	3648	serverzone. This is NOT the same as GMT in some cases. This routine
	3649	converts this to real GMT.
	3650	****************************************************************************/
[219]	3651	double regfi_nt2unix_time(const REGFI_NTTIME* nt)
[168]	3652	{
[219]	3653	double ret_val;
	3654
[168]	3655	/* The next two lines are a fix needed for the
	3656	broken SCO compiler. JRA. */
	3657	time_t l_time_min = TIME_T_MIN;
	3658	time_t l_time_max = TIME_T_MAX;
	3659
	3660	if (nt->high == 0 \|\| (nt->high == 0xffffffff && nt->low == 0xffffffff))
	3661	return(0);
	3662
[219]	3663	ret_val = ((double)nt->high)4.0(double)(1<<30);
	3664	ret_val += nt->low;
	3665	ret_val *= 1.0e-7;
[168]	3666
	3667	/* now adjust by 369 years to make the secs since 1970 */
[219]	3668	ret_val -= TIME_FIXUP_CONSTANT;
[168]	3669
[219]	3670	/* XXX: should these sanity checks be removed? */
	3671	if (ret_val <= l_time_min)
[168]	3672	return (l_time_min);
	3673
[219]	3674	if (ret_val >= l_time_max)
[168]	3675	return (l_time_max);
	3676
	3677	/* this takes us from kludge-GMT to real GMT */
	3678	/* XXX: This was removed due to difficult dependency requirements.
	3679	* So far, times appear to be correct without this adjustment, but
	3680	* that may be proven wrong with adequate testing.
	3681	*/
	3682	/*
	3683	ret -= get_serverzone();
	3684	ret += LocTimeDiff(ret);
	3685	*/
	3686
[219]	3687	return ret_val;
[168]	3688	}
	3689
	3690	/* End of stuff from lib/time.c */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: