diff --git a/cab.c b/cab.c index 24c47a3..edb84b9 100644 --- a/cab.c +++ b/cab.c @@ -33,11 +33,11 @@ struct cab_ctx_st { - uint32_t header_size; - uint32_t sigpos; - uint32_t siglen; - uint32_t fileend; - uint16_t flags; + uint32_t header_size; + uint32_t sigpos; + uint32_t siglen; + uint32_t fileend; + uint16_t flags; }; /* FILE_FORMAT method prototypes */ @@ -55,18 +55,18 @@ static BIO *cab_bio_free(BIO *hash, BIO *outdata); static void cab_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata); FILE_FORMAT file_format_cab = { - .ctx_new = cab_ctx_new, - .data_blob_get = cab_obsolete_link_get, - .check_file = cab_check_file, - .digest_calc = cab_digest_calc, - .verify_digests = cab_verify_digests, - .pkcs7_extract = cab_pkcs7_extract, - .remove_pkcs7 = cab_remove_pkcs7, - .pkcs7_prepare = cab_pkcs7_prepare, - .append_pkcs7 = cab_append_pkcs7, - .update_data_size = cab_update_data_size, - .bio_free = cab_bio_free, - .ctx_cleanup = cab_ctx_cleanup + .ctx_new = cab_ctx_new, + .data_blob_get = cab_obsolete_link_get, + .check_file = cab_check_file, + .digest_calc = cab_digest_calc, + .verify_digests = cab_verify_digests, + .pkcs7_extract = cab_pkcs7_extract, + .remove_pkcs7 = cab_remove_pkcs7, + .pkcs7_prepare = cab_pkcs7_prepare, + .append_pkcs7 = cab_append_pkcs7, + .update_data_size = cab_update_data_size, + .bio_free = cab_bio_free, + .ctx_cleanup = cab_ctx_cleanup }; /* Prototypes */ @@ -89,40 +89,40 @@ static int cab_add_header(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata); */ static FILE_FORMAT_CTX *cab_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *outdata) { - FILE_FORMAT_CTX *ctx; - CAB_CTX *cab_ctx; - uint32_t filesize; + FILE_FORMAT_CTX *ctx; + CAB_CTX *cab_ctx; + uint32_t filesize; - filesize = get_file_size(options->infile); - if (filesize == 0) - return NULL; /* FAILED */ + filesize = get_file_size(options->infile); + if (filesize == 0) + return NULL; /* FAILED */ - options->indata = map_file(options->infile, filesize); - if (!options->indata) { - return NULL; /* FAILED */ - } - if (memcmp(options->indata, "MSCF", 4)) { - unmap_file(options->infile, filesize); - return NULL; /* FAILED */ - } - cab_ctx = cab_ctx_get(options->indata, filesize); - if (!cab_ctx) { - unmap_file(options->infile, filesize); - return NULL; /* FAILED */ - } - ctx = OPENSSL_malloc(sizeof(FILE_FORMAT_CTX)); - ctx->format = &file_format_cab; - ctx->options = options; - ctx->cab_ctx = cab_ctx; + options->indata = map_file(options->infile, filesize); + if (!options->indata) { + return NULL; /* FAILED */ + } + if (memcmp(options->indata, "MSCF", 4)) { + unmap_file(options->infile, filesize); + return NULL; /* FAILED */ + } + cab_ctx = cab_ctx_get(options->indata, filesize); + if (!cab_ctx) { + unmap_file(options->infile, filesize); + return NULL; /* FAILED */ + } + ctx = OPENSSL_malloc(sizeof(FILE_FORMAT_CTX)); + ctx->format = &file_format_cab; + ctx->options = options; + ctx->cab_ctx = cab_ctx; - /* Push hash on outdata, if hash is NULL the function does nothing */ - BIO_push(hash, outdata); + /* Push hash on outdata, if hash is NULL the function does nothing */ + BIO_push(hash, outdata); - if (options->pagehash == 1) - printf("Warning: -ph option is only valid for PE files\n"); - if (options->add_msi_dse == 1) - printf("Warning: -add-msi-dse option is only valid for MSI files\n"); - return ctx; + if (options->pagehash == 1) + printf("Warning: -ph option is only valid for PE files\n"); + if (options->add_msi_dse == 1) + printf("Warning: -add-msi-dse option is only valid for MSI files\n"); + return ctx; } /* @@ -134,19 +134,19 @@ static FILE_FORMAT_CTX *cab_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *out */ static ASN1_OBJECT *cab_obsolete_link_get(u_char **p, int *plen, FILE_FORMAT_CTX *ctx) { - ASN1_OBJECT *dtype; - SpcLink *link = spc_link_obsolete_get(); + ASN1_OBJECT *dtype; + SpcLink *link = spc_link_obsolete_get(); - /* squash the unused parameter warning */ - (void)ctx; + /* squash the unused parameter warning */ + (void)ctx; - *plen = i2d_SpcLink(link, NULL); - *p = OPENSSL_malloc((size_t)*plen); - i2d_SpcLink(link, p); - *p -= *plen; - dtype = OBJ_txt2obj(SPC_CAB_DATA_OBJID, 1); - SpcLink_free(link); - return dtype; /* OK */ + *plen = i2d_SpcLink(link, NULL); + *p = OPENSSL_malloc((size_t)*plen); + i2d_SpcLink(link, p); + *p -= *plen; + dtype = OBJ_txt2obj(SPC_CAB_DATA_OBJID, 1); + SpcLink_free(link); + return dtype; /* OK */ } /* @@ -157,24 +157,24 @@ static ASN1_OBJECT *cab_obsolete_link_get(u_char **p, int *plen, FILE_FORMAT_CTX */ static int cab_check_file(FILE_FORMAT_CTX *ctx, int detached) { - if (!ctx) { - printf("Init error\n\n"); - return 0; /* FAILED */ - } - if (detached) { - printf("Checking the specified catalog file\n\n"); - return 1; /* OK */ - } - if (ctx->cab_ctx->header_size != 20) { - printf("No signature found\n\n"); - return 0; /* FAILED */ - } - if (ctx->cab_ctx->sigpos == 0 || ctx->cab_ctx->siglen == 0 - || ctx->cab_ctx->sigpos > ctx->cab_ctx->fileend) { - printf("No signature found\n\n"); - return 0; /* FAILED */ - } - return 1; /* OK */ + if (!ctx) { + printf("Init error\n\n"); + return 0; /* FAILED */ + } + if (detached) { + printf("Checking the specified catalog file\n\n"); + return 1; /* OK */ + } + if (ctx->cab_ctx->header_size != 20) { + printf("No signature found\n\n"); + return 0; /* FAILED */ + } + if (ctx->cab_ctx->sigpos == 0 || ctx->cab_ctx->siglen == 0 + || ctx->cab_ctx->sigpos > ctx->cab_ctx->fileend) { + printf("No signature found\n\n"); + return 0; /* FAILED */ + } + return 1; /* OK */ } /* @@ -185,120 +185,120 @@ static int cab_check_file(FILE_FORMAT_CTX *ctx, int detached) */ static u_char *cab_digest_calc(FILE_FORMAT_CTX *ctx, const EVP_MD *md) { - uint32_t idx, fileend, coffFiles; - u_char *mdbuf = NULL; - BIO *bhash = BIO_new(BIO_f_md()); + uint32_t idx, fileend, coffFiles; + u_char *mdbuf = NULL; + BIO *bhash = BIO_new(BIO_f_md()); - if (!BIO_set_md(bhash, md)) { - printf("Unable to set the message digest of BIO\n"); - BIO_free_all(bhash); - return 0; /* FAILED */ - } - BIO_push(bhash, BIO_new(BIO_s_null())); + if (!BIO_set_md(bhash, md)) { + printf("Unable to set the message digest of BIO\n"); + BIO_free_all(bhash); + return 0; /* FAILED */ + } + BIO_push(bhash, BIO_new(BIO_s_null())); - /* u1 signature[4] 4643534D MSCF: 0-3 */ - BIO_write(bhash, ctx->options->indata, 4); - /* u4 reserved1 00000000: 4-7 skipped */ - if (ctx->cab_ctx->sigpos) { - uint16_t nfolders, flags; - - /* - * u4 cbCabinet - size of this cabinet file in bytes: 8-11 - * u4 reserved2 00000000: 12-15 - */ - BIO_write(bhash, ctx->options->indata + 8, 8); - /* u4 coffFiles - offset of the first CFFILE entry: 16-19 */ - coffFiles = GET_UINT32_LE(ctx->options->indata + 16); - BIO_write(bhash, ctx->options->indata + 16, 4); - /* - * u4 reserved3 00000000: 20-23 - * u1 versionMinor 03: 24 - * u1 versionMajor 01: 25 - */ - BIO_write(bhash, ctx->options->indata + 20, 6); - /* u2 cFolders - number of CFFOLDER entries in this cabinet: 26-27 */ - nfolders = GET_UINT16_LE(ctx->options->indata + 26); - BIO_write(bhash, ctx->options->indata + 26, 2); - /* u2 cFiles - number of CFFILE entries in this cabinet: 28-29 */ - BIO_write(bhash, ctx->options->indata + 28, 2); - /* u2 flags: 30-31 */ - flags = GET_UINT16_LE(ctx->options->indata + 30); - BIO_write(bhash, ctx->options->indata + 30, 2); - /* u2 setID must be the same for all cabinets in a set: 32-33 */ - BIO_write(bhash, ctx->options->indata + 32, 2); - /* - * u2 iCabinet - number of this cabinet file in a set: 34-35 skipped - * u2 cbCFHeader: 36-37 skipped - * u1 cbCFFolder: 38 skipped - * u1 cbCFData: 39 skipped - * u22 abReserve: 40-55 skipped - * - Additional data offset: 44-47 skipped - * - Additional data size: 48-51 skipped - */ - /* u22 abReserve: 56-59 */ - BIO_write(bhash, ctx->options->indata + 56, 4); - idx = 60; - fileend = ctx->cab_ctx->sigpos; - /* TODO */ - if (flags & FLAG_PREV_CABINET) { - uint8_t byte; - /* szCabinetPrev */ - do { - byte = GET_UINT8_LE(ctx->options->indata + idx); - BIO_write(bhash, ctx->options->indata + idx, 1); - idx++; - } while (byte && idx < fileend); - /* szDiskPrev */ - do { - byte = GET_UINT8_LE(ctx->options->indata + idx); - BIO_write(bhash, ctx->options->indata + idx, 1); - idx++; - } while (byte && idx < fileend); - } - if (flags & FLAG_NEXT_CABINET) { - uint8_t byte; - /* szCabinetNext */ - do { - byte = GET_UINT8_LE(ctx->options->indata + idx); - BIO_write(bhash, ctx->options->indata + idx, 1); - idx++; - } while (byte && idx < fileend); - /* szDiskNext */ - do { - byte = GET_UINT8_LE(ctx->options->indata + idx); - BIO_write(bhash, ctx->options->indata + idx, 1); - idx++; - } while (byte && idx < fileend); - } - /* - * (u8 * cFolders) CFFOLDER - structure contains information about - * one of the folders or partial folders stored in this cabinet file - */ - while (nfolders) { - BIO_write(bhash, ctx->options->indata + idx, 8); - idx += 8; - nfolders--; - } - if (idx != coffFiles) { - printf("Corrupt coffFiles value: 0x%08X\n", coffFiles); - BIO_free_all(bhash); - return 0; /* FAILED */ - } - } else { - /* read what's left of the unsigned CAB file */ - idx = 8; - fileend = ctx->cab_ctx->fileend; - } - /* (variable) ab - the compressed data bytes */ - if (!bio_hash_data(bhash, ctx->options->indata, idx, fileend)) { - printf("Unable to calculate digest\n"); - BIO_free_all(bhash); - return 0; /* FAILED */ - } - mdbuf = OPENSSL_malloc((size_t)EVP_MD_size(md)); - BIO_gets(bhash, (char*)mdbuf, EVP_MD_size(md)); - BIO_free_all(bhash); - return mdbuf; /* OK */ + /* u1 signature[4] 4643534D MSCF: 0-3 */ + BIO_write(bhash, ctx->options->indata, 4); + /* u4 reserved1 00000000: 4-7 skipped */ + if (ctx->cab_ctx->sigpos) { + uint16_t nfolders, flags; + + /* + * u4 cbCabinet - size of this cabinet file in bytes: 8-11 + * u4 reserved2 00000000: 12-15 + */ + BIO_write(bhash, ctx->options->indata + 8, 8); + /* u4 coffFiles - offset of the first CFFILE entry: 16-19 */ + coffFiles = GET_UINT32_LE(ctx->options->indata + 16); + BIO_write(bhash, ctx->options->indata + 16, 4); + /* + * u4 reserved3 00000000: 20-23 + * u1 versionMinor 03: 24 + * u1 versionMajor 01: 25 + */ + BIO_write(bhash, ctx->options->indata + 20, 6); + /* u2 cFolders - number of CFFOLDER entries in this cabinet: 26-27 */ + nfolders = GET_UINT16_LE(ctx->options->indata + 26); + BIO_write(bhash, ctx->options->indata + 26, 2); + /* u2 cFiles - number of CFFILE entries in this cabinet: 28-29 */ + BIO_write(bhash, ctx->options->indata + 28, 2); + /* u2 flags: 30-31 */ + flags = GET_UINT16_LE(ctx->options->indata + 30); + BIO_write(bhash, ctx->options->indata + 30, 2); + /* u2 setID must be the same for all cabinets in a set: 32-33 */ + BIO_write(bhash, ctx->options->indata + 32, 2); + /* + * u2 iCabinet - number of this cabinet file in a set: 34-35 skipped + * u2 cbCFHeader: 36-37 skipped + * u1 cbCFFolder: 38 skipped + * u1 cbCFData: 39 skipped + * u22 abReserve: 40-55 skipped + * - Additional data offset: 44-47 skipped + * - Additional data size: 48-51 skipped + */ + /* u22 abReserve: 56-59 */ + BIO_write(bhash, ctx->options->indata + 56, 4); + idx = 60; + fileend = ctx->cab_ctx->sigpos; + /* TODO */ + if (flags & FLAG_PREV_CABINET) { + uint8_t byte; + /* szCabinetPrev */ + do { + byte = GET_UINT8_LE(ctx->options->indata + idx); + BIO_write(bhash, ctx->options->indata + idx, 1); + idx++; + } while (byte && idx < fileend); + /* szDiskPrev */ + do { + byte = GET_UINT8_LE(ctx->options->indata + idx); + BIO_write(bhash, ctx->options->indata + idx, 1); + idx++; + } while (byte && idx < fileend); + } + if (flags & FLAG_NEXT_CABINET) { + uint8_t byte; + /* szCabinetNext */ + do { + byte = GET_UINT8_LE(ctx->options->indata + idx); + BIO_write(bhash, ctx->options->indata + idx, 1); + idx++; + } while (byte && idx < fileend); + /* szDiskNext */ + do { + byte = GET_UINT8_LE(ctx->options->indata + idx); + BIO_write(bhash, ctx->options->indata + idx, 1); + idx++; + } while (byte && idx < fileend); + } + /* + * (u8 * cFolders) CFFOLDER - structure contains information about + * one of the folders or partial folders stored in this cabinet file + */ + while (nfolders) { + BIO_write(bhash, ctx->options->indata + idx, 8); + idx += 8; + nfolders--; + } + if (idx != coffFiles) { + printf("Corrupt coffFiles value: 0x%08X\n", coffFiles); + BIO_free_all(bhash); + return 0; /* FAILED */ + } + } else { + /* read what's left of the unsigned CAB file */ + idx = 8; + fileend = ctx->cab_ctx->fileend; + } + /* (variable) ab - the compressed data bytes */ + if (!bio_hash_data(bhash, ctx->options->indata, idx, fileend)) { + printf("Unable to calculate digest\n"); + BIO_free_all(bhash); + return 0; /* FAILED */ + } + mdbuf = OPENSSL_malloc((size_t)EVP_MD_size(md)); + BIO_gets(bhash, (char*)mdbuf, EVP_MD_size(md)); + BIO_free_all(bhash); + return mdbuf; /* OK */ } /* @@ -309,40 +309,40 @@ static u_char *cab_digest_calc(FILE_FORMAT_CTX *ctx, const EVP_MD *md) */ static int cab_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7) { - int mdtype = -1; - const EVP_MD *md; - u_char mdbuf[EVP_MAX_MD_SIZE]; - u_char *cmdbuf; + int mdtype = -1; + const EVP_MD *md; + u_char mdbuf[EVP_MAX_MD_SIZE]; + u_char *cmdbuf; - if (is_content_type(p7, SPC_INDIRECT_DATA_OBJID)) { - ASN1_STRING *content_val = p7->d.sign->contents->d.other->value.sequence; - const u_char *p = content_val->data; - SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, content_val->length); - if (idc) { - if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) { - mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm); - memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length); - } - SpcIndirectDataContent_free(idc); - } - } - if (mdtype == -1) { - printf("Failed to extract current message digest\n\n"); - return 0; /* FAILED */ - } - md = EVP_get_digestbynid(mdtype); - cmdbuf = cab_digest_calc(ctx, md); - if (!cmdbuf) { - printf("Failed to calculate message digest\n\n"); - return 0; /* FAILED */ - } - if (!compare_digests(mdbuf, cmdbuf, mdtype)) { - printf("Signature verification: failed\n\n"); - OPENSSL_free(cmdbuf); - return 0; /* FAILED */ - } - OPENSSL_free(cmdbuf); - return 1; /* OK */ + if (is_content_type(p7, SPC_INDIRECT_DATA_OBJID)) { + ASN1_STRING *content_val = p7->d.sign->contents->d.other->value.sequence; + const u_char *p = content_val->data; + SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, content_val->length); + if (idc) { + if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) { + mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm); + memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length); + } + SpcIndirectDataContent_free(idc); + } + } + if (mdtype == -1) { + printf("Failed to extract current message digest\n\n"); + return 0; /* FAILED */ + } + md = EVP_get_digestbynid(mdtype); + cmdbuf = cab_digest_calc(ctx, md); + if (!cmdbuf) { + printf("Failed to calculate message digest\n\n"); + return 0; /* FAILED */ + } + if (!compare_digests(mdbuf, cmdbuf, mdtype)) { + printf("Signature verification: failed\n\n"); + OPENSSL_free(cmdbuf); + return 0; /* FAILED */ + } + OPENSSL_free(cmdbuf); + return 1; /* OK */ } /* @@ -352,11 +352,11 @@ static int cab_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7) */ static PKCS7 *cab_pkcs7_extract(FILE_FORMAT_CTX *ctx) { - if (ctx->cab_ctx->sigpos == 0 || ctx->cab_ctx->siglen == 0 - || ctx->cab_ctx->sigpos > ctx->cab_ctx->fileend) { - return NULL; /* FAILED */ - } - return pkcs7_get(ctx->options->indata, ctx->cab_ctx->sigpos, ctx->cab_ctx->siglen); + if (ctx->cab_ctx->sigpos == 0 || ctx->cab_ctx->siglen == 0 + || ctx->cab_ctx->sigpos > ctx->cab_ctx->fileend) { + return NULL; /* FAILED */ + } + return pkcs7_get(ctx->options->indata, ctx->cab_ctx->sigpos, ctx->cab_ctx->siglen); } /* @@ -368,72 +368,72 @@ static PKCS7 *cab_pkcs7_extract(FILE_FORMAT_CTX *ctx) */ static int cab_remove_pkcs7(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) { - size_t i, written, len; - uint32_t tmp; - uint16_t nfolders, flags; - char *buf = OPENSSL_malloc(SIZE_64K); + size_t i, written, len; + uint32_t tmp; + uint16_t nfolders, flags; + char *buf = OPENSSL_malloc(SIZE_64K); - /* squash the unused parameter warning */ - (void)hash; + /* squash the unused parameter warning */ + (void)hash; - /* - * u1 signature[4] 4643534D MSCF: 0-3 - * u4 reserved1 00000000: 4-7 - */ - BIO_write(outdata, ctx->options->indata, 8); - /* u4 cbCabinet - size of this cabinet file in bytes: 8-11 */ - tmp = GET_UINT32_LE(ctx->options->indata + 8) - 24; - PUT_UINT32_LE(tmp, buf); - BIO_write(outdata, buf, 4); - /* u4 reserved2 00000000: 12-15 */ - BIO_write(outdata, ctx->options->indata + 12, 4); - /* u4 coffFiles - offset of the first CFFILE entry: 16-19 */ - tmp = GET_UINT32_LE(ctx->options->indata + 16) - 24; - PUT_UINT32_LE(tmp, buf); - BIO_write(outdata, buf, 4); - /* - * u4 reserved3 00000000: 20-23 - * u1 versionMinor 03: 24 - * u1 versionMajor 01: 25 - * u2 cFolders - number of CFFOLDER entries in this cabinet: 26-27 - * u2 cFiles - number of CFFILE entries in this cabinet: 28-29 - */ - BIO_write(outdata, ctx->options->indata + 20, 10); - /* u2 flags: 30-31 */ - flags = GET_UINT16_LE(ctx->options->indata + 30); - /* coverity[result_independent_of_operands] only least significant byte is affected */ - PUT_UINT16_LE(flags & (FLAG_PREV_CABINET | FLAG_NEXT_CABINET), buf); - BIO_write(outdata, buf, 2); - /* - * u2 setID must be the same for all cabinets in a set: 32-33 - * u2 iCabinet - number of this cabinet file in a set: 34-35 - */ - BIO_write(outdata, ctx->options->indata + 32, 4); - i = cab_write_optional_names(outdata, ctx->options->indata, 60, flags); - /* - * (u8 * cFolders) CFFOLDER - structure contains information about - * one of the folders or partial folders stored in this cabinet file - */ - nfolders = GET_UINT16_LE(ctx->options->indata + 26); - while (nfolders) { - tmp = GET_UINT32_LE(ctx->options->indata + i); - tmp -= 24; - PUT_UINT32_LE(tmp, buf); - BIO_write(outdata, buf, 4); - BIO_write(outdata, ctx->options->indata + i + 4, 4); - i+=8; - nfolders--; - } - OPENSSL_free(buf); - /* Write what's left - the compressed data bytes */ - len = ctx->cab_ctx->fileend - ctx->cab_ctx->siglen - i; - while (len > 0) { - if (!BIO_write_ex(outdata, ctx->options->indata + i, len, &written)) - return 1; /* FAILED */ - len -= written; - i += written; - } - return 0; /* OK */ + /* + * u1 signature[4] 4643534D MSCF: 0-3 + * u4 reserved1 00000000: 4-7 + */ + BIO_write(outdata, ctx->options->indata, 8); + /* u4 cbCabinet - size of this cabinet file in bytes: 8-11 */ + tmp = GET_UINT32_LE(ctx->options->indata + 8) - 24; + PUT_UINT32_LE(tmp, buf); + BIO_write(outdata, buf, 4); + /* u4 reserved2 00000000: 12-15 */ + BIO_write(outdata, ctx->options->indata + 12, 4); + /* u4 coffFiles - offset of the first CFFILE entry: 16-19 */ + tmp = GET_UINT32_LE(ctx->options->indata + 16) - 24; + PUT_UINT32_LE(tmp, buf); + BIO_write(outdata, buf, 4); + /* + * u4 reserved3 00000000: 20-23 + * u1 versionMinor 03: 24 + * u1 versionMajor 01: 25 + * u2 cFolders - number of CFFOLDER entries in this cabinet: 26-27 + * u2 cFiles - number of CFFILE entries in this cabinet: 28-29 + */ + BIO_write(outdata, ctx->options->indata + 20, 10); + /* u2 flags: 30-31 */ + flags = GET_UINT16_LE(ctx->options->indata + 30); + /* coverity[result_independent_of_operands] only least significant byte is affected */ + PUT_UINT16_LE(flags & (FLAG_PREV_CABINET | FLAG_NEXT_CABINET), buf); + BIO_write(outdata, buf, 2); + /* + * u2 setID must be the same for all cabinets in a set: 32-33 + * u2 iCabinet - number of this cabinet file in a set: 34-35 + */ + BIO_write(outdata, ctx->options->indata + 32, 4); + i = cab_write_optional_names(outdata, ctx->options->indata, 60, flags); + /* + * (u8 * cFolders) CFFOLDER - structure contains information about + * one of the folders or partial folders stored in this cabinet file + */ + nfolders = GET_UINT16_LE(ctx->options->indata + 26); + while (nfolders) { + tmp = GET_UINT32_LE(ctx->options->indata + i); + tmp -= 24; + PUT_UINT32_LE(tmp, buf); + BIO_write(outdata, buf, 4); + BIO_write(outdata, ctx->options->indata + i + 4, 4); + i+=8; + nfolders--; + } + OPENSSL_free(buf); + /* Write what's left - the compressed data bytes */ + len = ctx->cab_ctx->fileend - ctx->cab_ctx->siglen - i; + while (len > 0) { + if (!BIO_write_ex(outdata, ctx->options->indata + i, len, &written)) + return 1; /* FAILED */ + len -= written; + i += written; + } + return 0; /* OK */ } /* @@ -445,65 +445,65 @@ static int cab_remove_pkcs7(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) */ static PKCS7 *cab_pkcs7_prepare(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) { - PKCS7 *cursig = NULL, *p7 = NULL; + PKCS7 *cursig = NULL, *p7 = NULL; - /* Strip current signature and modify header */ - if (ctx->cab_ctx->header_size == 20) { - if (!cab_modify_header(ctx, hash, outdata)) - return NULL; /* FAILED */ - } else { - if (!cab_add_header(ctx, hash, outdata)) - return NULL; /* FAILED */ - } - /* Obtain a current signature from previously-signed file */ - if ((ctx->options->cmd == CMD_SIGN && ctx->options->nest) - || (ctx->options->cmd == CMD_ATTACH && ctx->options->nest) - || ctx->options->cmd == CMD_ADD) { - cursig = pkcs7_get(ctx->options->indata, ctx->cab_ctx->sigpos, ctx->cab_ctx->siglen); - if (!cursig) { - printf("Unable to extract existing signature\n"); - return NULL; /* FAILED */ - } - if (ctx->options->cmd == CMD_ADD) - p7 = cursig; - } - if (ctx->options->cmd == CMD_ATTACH) { - /* Obtain an existing PKCS#7 signature */ - p7 = pkcs7_get_sigfile(ctx); - if (!p7) { - printf("Unable to extract valid signature\n"); - PKCS7_free(cursig); - return NULL; /* FAILED */ - } - } else if (ctx->options->cmd == CMD_SIGN) { - /* Create a new PKCS#7 signature */ - p7 = pkcs7_create(ctx); - if (!p7) { - printf("Creating a new signature failed\n"); - return NULL; /* FAILED */ - } - if (ctx->options->jp >= 0 && !cab_add_jp_attribute(p7, ctx->options->jp)) { - printf("Adding jp attribute failed\n"); - PKCS7_free(p7); - return NULL; /* FAILED */ - } - if (!add_indirect_data_object(p7, hash, ctx)) { - printf("Adding SPC_INDIRECT_DATA_OBJID failed\n"); - PKCS7_free(p7); - return NULL; /* FAILED */ - } - } - if (ctx->options->nest) { - if (!cursig_set_nested(cursig, p7, ctx)) { - printf("Unable to append the nested signature to the current signature\n"); - PKCS7_free(p7); - PKCS7_free(cursig); - return NULL; /* FAILED */ - } - PKCS7_free(p7); - return cursig; - } - return p7; + /* Strip current signature and modify header */ + if (ctx->cab_ctx->header_size == 20) { + if (!cab_modify_header(ctx, hash, outdata)) + return NULL; /* FAILED */ + } else { + if (!cab_add_header(ctx, hash, outdata)) + return NULL; /* FAILED */ + } + /* Obtain a current signature from previously-signed file */ + if ((ctx->options->cmd == CMD_SIGN && ctx->options->nest) + || (ctx->options->cmd == CMD_ATTACH && ctx->options->nest) + || ctx->options->cmd == CMD_ADD) { + cursig = pkcs7_get(ctx->options->indata, ctx->cab_ctx->sigpos, ctx->cab_ctx->siglen); + if (!cursig) { + printf("Unable to extract existing signature\n"); + return NULL; /* FAILED */ + } + if (ctx->options->cmd == CMD_ADD) + p7 = cursig; + } + if (ctx->options->cmd == CMD_ATTACH) { + /* Obtain an existing PKCS#7 signature */ + p7 = pkcs7_get_sigfile(ctx); + if (!p7) { + printf("Unable to extract valid signature\n"); + PKCS7_free(cursig); + return NULL; /* FAILED */ + } + } else if (ctx->options->cmd == CMD_SIGN) { + /* Create a new PKCS#7 signature */ + p7 = pkcs7_create(ctx); + if (!p7) { + printf("Creating a new signature failed\n"); + return NULL; /* FAILED */ + } + if (ctx->options->jp >= 0 && !cab_add_jp_attribute(p7, ctx->options->jp)) { + printf("Adding jp attribute failed\n"); + PKCS7_free(p7); + return NULL; /* FAILED */ + } + if (!add_indirect_data_object(p7, hash, ctx)) { + printf("Adding SPC_INDIRECT_DATA_OBJID failed\n"); + PKCS7_free(p7); + return NULL; /* FAILED */ + } + } + if (ctx->options->nest) { + if (!cursig_set_nested(cursig, p7, ctx)) { + printf("Unable to append the nested signature to the current signature\n"); + PKCS7_free(p7); + PKCS7_free(cursig); + return NULL; /* FAILED */ + } + PKCS7_free(p7); + return cursig; + } + return p7; } /* @@ -515,29 +515,29 @@ static PKCS7 *cab_pkcs7_prepare(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) */ static int cab_append_pkcs7(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7) { - u_char *p = NULL; - int len; /* signature length */ - int padlen; /* signature padding length */ + u_char *p = NULL; + int len; /* signature length */ + int padlen; /* signature padding length */ - /* squash the unused parameter warning */ - (void)ctx; + /* squash the unused parameter warning */ + (void)ctx; - if (((len = i2d_PKCS7(p7, NULL)) <= 0) - || (p = OPENSSL_malloc((size_t)len)) == NULL) { - printf("i2d_PKCS memory allocation failed: %d\n", len); - return 1; /* FAILED */ - } - i2d_PKCS7(p7, &p); - p -= len; - padlen = (8 - len % 8) % 8; - BIO_write(outdata, p, len); - /* pad (with 0's) asn1 blob to 8 byte boundary */ - if (padlen > 0) { - memset(p, 0, (size_t)padlen); - BIO_write(outdata, p, padlen); - } - OPENSSL_free(p); - return 0; /* OK */ + if (((len = i2d_PKCS7(p7, NULL)) <= 0) + || (p = OPENSSL_malloc((size_t)len)) == NULL) { + printf("i2d_PKCS memory allocation failed: %d\n", len); + return 1; /* FAILED */ + } + i2d_PKCS7(p7, &p); + p -= len; + padlen = (8 - len % 8) % 8; + BIO_write(outdata, p, len); + /* pad (with 0's) asn1 blob to 8 byte boundary */ + if (padlen > 0) { + memset(p, 0, (size_t)padlen); + BIO_write(outdata, p, padlen); + } + OPENSSL_free(p); + return 0; /* OK */ } /* @@ -551,20 +551,20 @@ static int cab_append_pkcs7(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7) */ static void cab_update_data_size(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7) { - int len, padlen; - u_char buf[] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - }; + int len, padlen; + u_char buf[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + }; - if (ctx->options->cmd == CMD_VERIFY || ctx->options->cmd == CMD_EXTRACT - || ctx->options->cmd == CMD_REMOVE) { - return; - } - (void)BIO_seek(outdata, 0x30); - len = i2d_PKCS7(p7, NULL); - padlen = (8 - len % 8) % 8; - PUT_UINT32_LE(len + padlen, buf); - BIO_write(outdata, buf, 4); + if (ctx->options->cmd == CMD_VERIFY || ctx->options->cmd == CMD_EXTRACT + || ctx->options->cmd == CMD_REMOVE) { + return; + } + (void)BIO_seek(outdata, 0x30); + len = i2d_PKCS7(p7, NULL); + padlen = (8 - len % 8) % 8; + PUT_UINT32_LE(len + padlen, buf); + BIO_write(outdata, buf, 4); } /* @@ -575,11 +575,11 @@ static void cab_update_data_size(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7) */ static BIO *cab_bio_free(BIO *hash, BIO *outdata) { - /* squash the unused parameter warning */ - (void)outdata; + /* squash the unused parameter warning */ + (void)outdata; - BIO_free_all(hash); - return NULL; + BIO_free_all(hash); + return NULL; } /* @@ -592,19 +592,19 @@ static BIO *cab_bio_free(BIO *hash, BIO *outdata) */ static void cab_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) { - if (outdata) { - BIO_free_all(hash); - if (ctx->options->outfile) { + if (outdata) { + BIO_free_all(hash); + if (ctx->options->outfile) { #ifdef WIN32 - _unlink(ctx->options->outfile); + _unlink(ctx->options->outfile); #else - unlink(ctx->options->outfile); + unlink(ctx->options->outfile); #endif /* WIN32 */ - } - } - unmap_file(ctx->options->indata, ctx->cab_ctx->fileend); - OPENSSL_free(ctx->cab_ctx); - OPENSSL_free(ctx); + } + } + unmap_file(ctx->options->indata, ctx->cab_ctx->fileend); + OPENSSL_free(ctx->cab_ctx); + OPENSSL_free(ctx); } /* @@ -619,70 +619,70 @@ static void cab_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) */ static CAB_CTX *cab_ctx_get(char *indata, uint32_t filesize) { - CAB_CTX *cab_ctx; - uint32_t reserved, header_size = 0, sigpos = 0, siglen = 0; - uint16_t flags; + CAB_CTX *cab_ctx; + uint32_t reserved, header_size = 0, sigpos = 0, siglen = 0; + uint16_t flags; - if (filesize < 44) { - printf("CAB file is too short\n"); - return NULL; /* FAILED */ - } - reserved = GET_UINT32_LE(indata + 4); - if (reserved) { - printf("Reserved1: 0x%08X\n", reserved); - return NULL; /* FAILED */ - } - /* flags specify bit-mapped values that indicate the presence of optional data */ - flags = GET_UINT16_LE(indata + 30); - if (flags & FLAG_PREV_CABINET) { - /* FLAG_NEXT_CABINET works */ - printf("Multivolume cabinet file is unsupported: flags 0x%04X\n", flags); - return NULL; /* FAILED */ - } - if (flags & FLAG_RESERVE_PRESENT) { - /* - * Additional headers is located at offset 36 (cbCFHeader, cbCFFolder, cbCFData); - * size of header (4 bytes, little-endian order) must be 20 (checkpoint). - */ - header_size = GET_UINT32_LE(indata + 36); - if (header_size != 20) { - printf("Additional header size: 0x%08X\n", header_size); - return NULL; /* FAILED */ - } - reserved = GET_UINT32_LE(indata + 40); - if (reserved != 0x00100000) { - printf("abReserved: 0x%08X\n", reserved); - return NULL; /* FAILED */ - } - /* - * File size is defined at offset 8, however if additional header exists, this size is not valid. - * sigpos - additional data offset is located at offset 44 (from file beginning) - * and consist of 4 bytes (little-endian order) - * siglen - additional data size is located at offset 48 (from file beginning) - * and consist of 4 bytes (little-endian order) - * If there are additional headers, size of the CAB archive file is calcualted - * as additional data offset plus additional data size. - */ - sigpos = GET_UINT32_LE(indata + 44); - siglen = GET_UINT32_LE(indata + 48); - if ((sigpos < filesize && sigpos + siglen != filesize) || (sigpos >= filesize)) { - printf("Additional data offset:\t%u bytes\nAdditional data size:\t%u bytes\n", - sigpos, siglen); - printf("File size:\t\t%u bytes\n", filesize); - return NULL; /* FAILED */ - } - if ((sigpos > 0 && siglen == 0) || (sigpos == 0 && siglen > 0)) { - printf("Corrupt signature\n"); - return NULL; /* FAILED */ - } - } - cab_ctx = OPENSSL_zalloc(sizeof(CAB_CTX)); - cab_ctx->header_size = header_size; - cab_ctx->sigpos = sigpos; - cab_ctx->siglen = siglen; - cab_ctx->fileend = filesize; - cab_ctx->flags = flags; - return cab_ctx; /* OK */ + if (filesize < 44) { + printf("CAB file is too short\n"); + return NULL; /* FAILED */ + } + reserved = GET_UINT32_LE(indata + 4); + if (reserved) { + printf("Reserved1: 0x%08X\n", reserved); + return NULL; /* FAILED */ + } + /* flags specify bit-mapped values that indicate the presence of optional data */ + flags = GET_UINT16_LE(indata + 30); + if (flags & FLAG_PREV_CABINET) { + /* FLAG_NEXT_CABINET works */ + printf("Multivolume cabinet file is unsupported: flags 0x%04X\n", flags); + return NULL; /* FAILED */ + } + if (flags & FLAG_RESERVE_PRESENT) { + /* + * Additional headers is located at offset 36 (cbCFHeader, cbCFFolder, cbCFData); + * size of header (4 bytes, little-endian order) must be 20 (checkpoint). + */ + header_size = GET_UINT32_LE(indata + 36); + if (header_size != 20) { + printf("Additional header size: 0x%08X\n", header_size); + return NULL; /* FAILED */ + } + reserved = GET_UINT32_LE(indata + 40); + if (reserved != 0x00100000) { + printf("abReserved: 0x%08X\n", reserved); + return NULL; /* FAILED */ + } + /* + * File size is defined at offset 8, however if additional header exists, this size is not valid. + * sigpos - additional data offset is located at offset 44 (from file beginning) + * and consist of 4 bytes (little-endian order) + * siglen - additional data size is located at offset 48 (from file beginning) + * and consist of 4 bytes (little-endian order) + * If there are additional headers, size of the CAB archive file is calcualted + * as additional data offset plus additional data size. + */ + sigpos = GET_UINT32_LE(indata + 44); + siglen = GET_UINT32_LE(indata + 48); + if ((sigpos < filesize && sigpos + siglen != filesize) || (sigpos >= filesize)) { + printf("Additional data offset:\t%u bytes\nAdditional data size:\t%u bytes\n", + sigpos, siglen); + printf("File size:\t\t%u bytes\n", filesize); + return NULL; /* FAILED */ + } + if ((sigpos > 0 && siglen == 0) || (sigpos == 0 && siglen > 0)) { + printf("Corrupt signature\n"); + return NULL; /* FAILED */ + } + } + cab_ctx = OPENSSL_zalloc(sizeof(CAB_CTX)); + cab_ctx->header_size = header_size; + cab_ctx->sigpos = sigpos; + cab_ctx->siglen = siglen; + cab_ctx->fileend = filesize; + cab_ctx->flags = flags; + return cab_ctx; /* OK */ } /* @@ -694,38 +694,38 @@ static CAB_CTX *cab_ctx_get(char *indata, uint32_t filesize) */ static int cab_add_jp_attribute(PKCS7 *p7, int jp) { - STACK_OF(PKCS7_SIGNER_INFO) *signer_info; - PKCS7_SIGNER_INFO *si; - ASN1_STRING *astr; - const u_char *attrs = NULL; - const u_char java_attrs_low[] = { - 0x30, 0x06, 0x03, 0x02, 0x00, 0x01, 0x30, 0x00 - }; + STACK_OF(PKCS7_SIGNER_INFO) *signer_info; + PKCS7_SIGNER_INFO *si; + ASN1_STRING *astr; + const u_char *attrs = NULL; + const u_char java_attrs_low[] = { + 0x30, 0x06, 0x03, 0x02, 0x00, 0x01, 0x30, 0x00 + }; - signer_info = PKCS7_get_signer_info(p7); - if (!signer_info) - return 0; /* FAILED */ - si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); - if (!si) - return 0; /* FAILED */ - switch (jp) { - case 0: - attrs = java_attrs_low; - break; - case 1: - /* XXX */ - case 2: - /* XXX */ - default: - break; - } - if (attrs) { - astr = ASN1_STRING_new(); - ASN1_STRING_set(astr, attrs, sizeof java_attrs_low); - return PKCS7_add_signed_attribute(si, OBJ_txt2nid(MS_JAVA_SOMETHING), - V_ASN1_SEQUENCE, astr); - } - return 1; /* OK */ + signer_info = PKCS7_get_signer_info(p7); + if (!signer_info) + return 0; /* FAILED */ + si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); + if (!si) + return 0; /* FAILED */ + switch (jp) { + case 0: + attrs = java_attrs_low; + break; + case 1: + /* XXX */ + case 2: + /* XXX */ + default: + break; + } + if (attrs) { + astr = ASN1_STRING_new(); + ASN1_STRING_set(astr, attrs, sizeof java_attrs_low); + return PKCS7_add_signed_attribute(si, OBJ_txt2nid(MS_JAVA_SOMETHING), + V_ASN1_SEQUENCE, astr); + } + return 1; /* OK */ } /* @@ -739,39 +739,39 @@ static int cab_add_jp_attribute(PKCS7 *p7, int jp) */ static size_t cab_write_optional_names(BIO *outdata, char *indata, size_t i, uint16_t flags) { - if (flags & FLAG_PREV_CABINET) { - /* szCabinetPrev */ - while (GET_UINT8_LE(indata + i)) { - BIO_write(outdata, indata + i, 1); - i++; - } - BIO_write(outdata, indata + i, 1); - i++; - /* szDiskPrev */ - while (GET_UINT8_LE(indata + i)) { - BIO_write(outdata, indata + i, 1); - i++; - } - BIO_write(outdata, indata + i, 1); - i++; - } - if (flags & FLAG_NEXT_CABINET) { - /* szCabinetNext */ - while (GET_UINT8_LE(indata + i)) { - BIO_write(outdata, indata + i, 1); - i++; - } - BIO_write(outdata, indata + i, 1); - i++; - /* szDiskNext */ - while (GET_UINT8_LE(indata + i)) { - BIO_write(outdata, indata + i, 1); - i++; - } - BIO_write(outdata, indata + i, 1); - i++; - } - return i; + if (flags & FLAG_PREV_CABINET) { + /* szCabinetPrev */ + while (GET_UINT8_LE(indata + i)) { + BIO_write(outdata, indata + i, 1); + i++; + } + BIO_write(outdata, indata + i, 1); + i++; + /* szDiskPrev */ + while (GET_UINT8_LE(indata + i)) { + BIO_write(outdata, indata + i, 1); + i++; + } + BIO_write(outdata, indata + i, 1); + i++; + } + if (flags & FLAG_NEXT_CABINET) { + /* szCabinetNext */ + while (GET_UINT8_LE(indata + i)) { + BIO_write(outdata, indata + i, 1); + i++; + } + BIO_write(outdata, indata + i, 1); + i++; + /* szDiskNext */ + while (GET_UINT8_LE(indata + i)) { + BIO_write(outdata, indata + i, 1); + i++; + } + BIO_write(outdata, indata + i, 1); + i++; + } + return i; } /* @@ -783,64 +783,64 @@ static size_t cab_write_optional_names(BIO *outdata, char *indata, size_t i, uin */ static int cab_modify_header(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) { - size_t i, written, len; - uint16_t nfolders, flags; - u_char buf[] = {0x00, 0x00}; + size_t i, written, len; + uint16_t nfolders, flags; + u_char buf[] = {0x00, 0x00}; - /* u1 signature[4] 4643534D MSCF: 0-3 */ - BIO_write(hash, ctx->options->indata, 4); - /* u4 reserved1 00000000: 4-7 */ - BIO_write(outdata, ctx->options->indata + 4, 4); - /* - * u4 cbCabinet - size of this cabinet file in bytes: 8-11 - * u4 reserved2 00000000: 12-15 - * u4 coffFiles - offset of the first CFFILE entry: 16-19 - * u4 reserved3 00000000: 20-23 - * u1 versionMinor 03: 24 - * u1 versionMajor 01: 25 - * u2 cFolders - number of CFFOLDER entries in this cabinet: 26-27 - * u2 cFiles - number of CFFILE entries in this cabinet: 28-29 - */ - BIO_write(hash, ctx->options->indata + 8, 22); - /* u2 flags: 30-31 */ - flags = GET_UINT16_LE(ctx->options->indata + 30); - PUT_UINT16_LE(flags, buf); - BIO_write(hash, buf, 2); - /* u2 setID must be the same for all cabinets in a set: 32-33 */ - BIO_write(hash, ctx->options->indata + 32, 2); - /* - * u2 iCabinet - number of this cabinet file in a set: 34-35 - * u2 cbCFHeader: 36-37 - * u1 cbCFFolder: 38 - * u1 cbCFData: 39 - * u16 abReserve: 40-55 - * - Additional data offset: 44-47 - * - Additional data size: 48-51 - */ - BIO_write(outdata, ctx->options->indata + 34, 22); - /* u4 abReserve: 56-59 */ - BIO_write(hash, ctx->options->indata + 56, 4); + /* u1 signature[4] 4643534D MSCF: 0-3 */ + BIO_write(hash, ctx->options->indata, 4); + /* u4 reserved1 00000000: 4-7 */ + BIO_write(outdata, ctx->options->indata + 4, 4); + /* + * u4 cbCabinet - size of this cabinet file in bytes: 8-11 + * u4 reserved2 00000000: 12-15 + * u4 coffFiles - offset of the first CFFILE entry: 16-19 + * u4 reserved3 00000000: 20-23 + * u1 versionMinor 03: 24 + * u1 versionMajor 01: 25 + * u2 cFolders - number of CFFOLDER entries in this cabinet: 26-27 + * u2 cFiles - number of CFFILE entries in this cabinet: 28-29 + */ + BIO_write(hash, ctx->options->indata + 8, 22); + /* u2 flags: 30-31 */ + flags = GET_UINT16_LE(ctx->options->indata + 30); + PUT_UINT16_LE(flags, buf); + BIO_write(hash, buf, 2); + /* u2 setID must be the same for all cabinets in a set: 32-33 */ + BIO_write(hash, ctx->options->indata + 32, 2); + /* + * u2 iCabinet - number of this cabinet file in a set: 34-35 + * u2 cbCFHeader: 36-37 + * u1 cbCFFolder: 38 + * u1 cbCFData: 39 + * u16 abReserve: 40-55 + * - Additional data offset: 44-47 + * - Additional data size: 48-51 + */ + BIO_write(outdata, ctx->options->indata + 34, 22); + /* u4 abReserve: 56-59 */ + BIO_write(hash, ctx->options->indata + 56, 4); - i = cab_write_optional_names(outdata, ctx->options->indata, 60, flags); - /* - * (u8 * cFolders) CFFOLDER - structure contains information about - * one of the folders or partial folders stored in this cabinet file - */ - nfolders = GET_UINT16_LE(ctx->options->indata + 26); - while (nfolders) { - BIO_write(hash, ctx->options->indata + i, 8); - i += 8; - nfolders--; - } - /* Write what's left - the compressed data bytes */ - len = ctx->cab_ctx->sigpos - i; - while (len > 0) { - if (!BIO_write_ex(hash, ctx->options->indata + i, len, &written)) - return 0; /* FAILED */ - len -= written; - i += written; - } - return 1; /* OK */ + i = cab_write_optional_names(outdata, ctx->options->indata, 60, flags); + /* + * (u8 * cFolders) CFFOLDER - structure contains information about + * one of the folders or partial folders stored in this cabinet file + */ + nfolders = GET_UINT16_LE(ctx->options->indata + 26); + while (nfolders) { + BIO_write(hash, ctx->options->indata + i, 8); + i += 8; + nfolders--; + } + /* Write what's left - the compressed data bytes */ + len = ctx->cab_ctx->sigpos - i; + while (len > 0) { + if (!BIO_write_ex(hash, ctx->options->indata + i, len, &written)) + return 0; /* FAILED */ + len -= written; + i += written; + } + return 1; /* OK */ } /* @@ -852,83 +852,83 @@ static int cab_modify_header(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) */ static int cab_add_header(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) { - size_t i, written, len; - uint32_t tmp; - uint16_t nfolders, flags; - u_char cabsigned[] = { - 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, - 0xde, 0xad, 0xbe, 0xef, /* size of cab file */ - 0xde, 0xad, 0xbe, 0xef, /* size of asn1 blob */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - }; - char *buf = OPENSSL_malloc(SIZE_64K); - memset(buf, 0, SIZE_64K); + size_t i, written, len; + uint32_t tmp; + uint16_t nfolders, flags; + u_char cabsigned[] = { + 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, + 0xde, 0xad, 0xbe, 0xef, /* size of cab file */ + 0xde, 0xad, 0xbe, 0xef, /* size of asn1 blob */ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + }; + char *buf = OPENSSL_malloc(SIZE_64K); + memset(buf, 0, SIZE_64K); - /* u1 signature[4] 4643534D MSCF: 0-3 */ - BIO_write(hash, ctx->options->indata, 4); - /* u4 reserved1 00000000: 4-7 */ - BIO_write(outdata, ctx->options->indata + 4, 4); - /* u4 cbCabinet - size of this cabinet file in bytes: 8-11 */ - tmp = GET_UINT32_LE(ctx->options->indata + 8) + 24; - PUT_UINT32_LE(tmp, buf); - BIO_write(hash, buf, 4); - /* u4 reserved2 00000000: 12-15 */ - BIO_write(hash, ctx->options->indata + 12, 4); - /* u4 coffFiles - offset of the first CFFILE entry: 16-19 */ - tmp = GET_UINT32_LE(ctx->options->indata + 16) + 24; - PUT_UINT32_LE(tmp, buf + 4); - BIO_write(hash, buf + 4, 4); - /* - * u4 reserved3 00000000: 20-23 - * u1 versionMinor 03: 24 - * u1 versionMajor 01: 25 - * u2 cFolders - number of CFFOLDER entries in this cabinet: 26-27 - * u2 cFiles - number of CFFILE entries in this cabinet: 28-29 - */ - memcpy(buf + 4, ctx->options->indata + 20, 10); - flags = GET_UINT16_LE(ctx->options->indata + 30); - buf[4+10] = (char)flags | FLAG_RESERVE_PRESENT; - /* u2 setID must be the same for all cabinets in a set: 32-33 */ - memcpy(buf + 16, ctx->options->indata + 32, 2); - BIO_write(hash, buf + 4, 14); - /* u2 iCabinet - number of this cabinet file in a set: 34-35 */ - BIO_write(outdata, ctx->options->indata + 34, 2); - memcpy(cabsigned + 8, buf, 4); - BIO_write(outdata, cabsigned, 20); - BIO_write(hash, cabsigned+20, 4); + /* u1 signature[4] 4643534D MSCF: 0-3 */ + BIO_write(hash, ctx->options->indata, 4); + /* u4 reserved1 00000000: 4-7 */ + BIO_write(outdata, ctx->options->indata + 4, 4); + /* u4 cbCabinet - size of this cabinet file in bytes: 8-11 */ + tmp = GET_UINT32_LE(ctx->options->indata + 8) + 24; + PUT_UINT32_LE(tmp, buf); + BIO_write(hash, buf, 4); + /* u4 reserved2 00000000: 12-15 */ + BIO_write(hash, ctx->options->indata + 12, 4); + /* u4 coffFiles - offset of the first CFFILE entry: 16-19 */ + tmp = GET_UINT32_LE(ctx->options->indata + 16) + 24; + PUT_UINT32_LE(tmp, buf + 4); + BIO_write(hash, buf + 4, 4); + /* + * u4 reserved3 00000000: 20-23 + * u1 versionMinor 03: 24 + * u1 versionMajor 01: 25 + * u2 cFolders - number of CFFOLDER entries in this cabinet: 26-27 + * u2 cFiles - number of CFFILE entries in this cabinet: 28-29 + */ + memcpy(buf + 4, ctx->options->indata + 20, 10); + flags = GET_UINT16_LE(ctx->options->indata + 30); + buf[4+10] = (char)flags | FLAG_RESERVE_PRESENT; + /* u2 setID must be the same for all cabinets in a set: 32-33 */ + memcpy(buf + 16, ctx->options->indata + 32, 2); + BIO_write(hash, buf + 4, 14); + /* u2 iCabinet - number of this cabinet file in a set: 34-35 */ + BIO_write(outdata, ctx->options->indata + 34, 2); + memcpy(cabsigned + 8, buf, 4); + BIO_write(outdata, cabsigned, 20); + BIO_write(hash, cabsigned+20, 4); - i = cab_write_optional_names(outdata, ctx->options->indata, 36, flags); - /* - * (u8 * cFolders) CFFOLDER - structure contains information about - * one of the folders or partial folders stored in this cabinet file - */ - nfolders = GET_UINT16_LE(ctx->options->indata + 26); - while (nfolders) { - tmp += 24; - PUT_UINT32_LE(tmp, buf); - BIO_write(hash, buf, 4); - BIO_write(hash, ctx->options->indata + i + 4, 4); - i += 8; - nfolders--; - } - OPENSSL_free(buf); - /* Write what's left - the compressed data bytes */ - len = ctx->cab_ctx->fileend - i; - while (len > 0) { - if (!BIO_write_ex(hash, ctx->options->indata + i, len, &written)) - return 0; /* FAILED */ - len -= written; - i += written; - } - return 1; /* OK */ + i = cab_write_optional_names(outdata, ctx->options->indata, 36, flags); + /* + * (u8 * cFolders) CFFOLDER - structure contains information about + * one of the folders or partial folders stored in this cabinet file + */ + nfolders = GET_UINT16_LE(ctx->options->indata + 26); + while (nfolders) { + tmp += 24; + PUT_UINT32_LE(tmp, buf); + BIO_write(hash, buf, 4); + BIO_write(hash, ctx->options->indata + i + 4, 4); + i += 8; + nfolders--; + } + OPENSSL_free(buf); + /* Write what's left - the compressed data bytes */ + len = ctx->cab_ctx->fileend - i; + while (len > 0) { + if (!BIO_write_ex(hash, ctx->options->indata + i, len, &written)) + return 0; /* FAILED */ + len -= written; + i += written; + } + return 1; /* OK */ } /* Local Variables: c-basic-offset: 4 tab-width: 4 - indent-tabs-mode: t + indent-tabs-mode: nil End: - vim: set ts=4 noexpandtab: + vim: set ts=4 expandtab: */ diff --git a/cat.c b/cat.c index 07c286c..2f885da 100644 --- a/cat.c +++ b/cat.c @@ -11,14 +11,14 @@ #include "helpers.h" const u_char pkcs7_signed_data[] = { - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x07, 0x02, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x07, 0x02, }; struct cat_ctx_st { - uint32_t sigpos; - uint32_t siglen; - uint32_t fileend; + uint32_t sigpos; + uint32_t siglen; + uint32_t fileend; }; /* FILE_FORMAT method prototypes */ @@ -30,12 +30,12 @@ static BIO *cat_bio_free(BIO *hash, BIO *outdata); static void cat_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata); FILE_FORMAT file_format_cat = { - .ctx_new = cat_ctx_new, - .pkcs7_extract = cat_pkcs7_extract, - .pkcs7_prepare = cat_pkcs7_prepare, - .append_pkcs7 = cat_append_pkcs7, - .bio_free = cat_bio_free, - .ctx_cleanup = cat_ctx_cleanup, + .ctx_new = cat_ctx_new, + .pkcs7_extract = cat_pkcs7_extract, + .pkcs7_prepare = cat_pkcs7_prepare, + .append_pkcs7 = cat_append_pkcs7, + .bio_free = cat_bio_free, + .ctx_cleanup = cat_ctx_cleanup, }; /* Prototypes */ @@ -54,59 +54,59 @@ static CAT_CTX *cat_ctx_get(char *indata, uint32_t filesize); */ static FILE_FORMAT_CTX *cat_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *outdata) { - FILE_FORMAT_CTX *ctx; - CAT_CTX *cat_ctx; - uint32_t filesize; + FILE_FORMAT_CTX *ctx; + CAT_CTX *cat_ctx; + uint32_t filesize; - /* squash unused parameter warnings */ - (void)outdata; - (void)hash; + /* squash unused parameter warnings */ + (void)outdata; + (void)hash; - if (options->cmd == CMD_REMOVE || options->cmd==CMD_ATTACH) { - printf("Unsupported command\n"); - return NULL; /* FAILED */ - } - if (options->cmd == CMD_VERIFY) { - printf("Use -catalog option\n"); - return NULL; /* FAILED */ - } - filesize = get_file_size(options->infile); - if (filesize == 0) - return NULL; /* FAILED */ + if (options->cmd == CMD_REMOVE || options->cmd==CMD_ATTACH) { + printf("Unsupported command\n"); + return NULL; /* FAILED */ + } + if (options->cmd == CMD_VERIFY) { + printf("Use -catalog option\n"); + return NULL; /* FAILED */ + } + filesize = get_file_size(options->infile); + if (filesize == 0) + return NULL; /* FAILED */ - options->indata = map_file(options->infile, filesize); - if (!options->indata) { - return NULL; /* FAILED */ - } - /* the maximum size of a supported cat file is (2^24 -1) bytes */ - if (memcmp(options->indata + ((GET_UINT8_LE(options->indata+1) == 0x82) ? 4 : 5), - pkcs7_signed_data, sizeof pkcs7_signed_data)) { - unmap_file(options->infile, filesize); - return NULL; /* FAILED */ - } - cat_ctx = cat_ctx_get(options->indata, filesize); - if (!cat_ctx) { - unmap_file(options->infile, filesize); - return NULL; /* FAILED */ - } - ctx = OPENSSL_malloc(sizeof(FILE_FORMAT_CTX)); - ctx->format = &file_format_cat; - ctx->options = options; - ctx->cat_ctx = cat_ctx; + options->indata = map_file(options->infile, filesize); + if (!options->indata) { + return NULL; /* FAILED */ + } + /* the maximum size of a supported cat file is (2^24 -1) bytes */ + if (memcmp(options->indata + ((GET_UINT8_LE(options->indata+1) == 0x82) ? 4 : 5), + pkcs7_signed_data, sizeof pkcs7_signed_data)) { + unmap_file(options->infile, filesize); + return NULL; /* FAILED */ + } + cat_ctx = cat_ctx_get(options->indata, filesize); + if (!cat_ctx) { + unmap_file(options->infile, filesize); + return NULL; /* FAILED */ + } + ctx = OPENSSL_malloc(sizeof(FILE_FORMAT_CTX)); + ctx->format = &file_format_cat; + ctx->options = options; + ctx->cat_ctx = cat_ctx; - /* Push hash on outdata, if hash is NULL the function does nothing */ - BIO_push(hash, outdata); + /* Push hash on outdata, if hash is NULL the function does nothing */ + BIO_push(hash, outdata); - if (options->nest) - /* I've not tried using set_nested_signature as signtool won't do this */ - printf("Warning: CAT files do not support nesting\n"); - if (options->jp >= 0) - printf("Warning: -jp option is only valid for CAB files\n"); - if (options->pagehash == 1) - printf("Warning: -ph option is only valid for PE files\n"); - if (options->add_msi_dse == 1) - printf("Warning: -add-msi-dse option is only valid for MSI files\n"); - return ctx; + if (options->nest) + /* I've not tried using set_nested_signature as signtool won't do this */ + printf("Warning: CAT files do not support nesting\n"); + if (options->jp >= 0) + printf("Warning: -jp option is only valid for CAB files\n"); + if (options->pagehash == 1) + printf("Warning: -ph option is only valid for PE files\n"); + if (options->add_msi_dse == 1) + printf("Warning: -add-msi-dse option is only valid for MSI files\n"); + return ctx; } /* @@ -116,7 +116,7 @@ static FILE_FORMAT_CTX *cat_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *out */ static PKCS7 *cat_pkcs7_extract(FILE_FORMAT_CTX *ctx) { - return pkcs7_get(ctx->options->indata, ctx->cat_ctx->sigpos, ctx->cat_ctx->siglen); + return pkcs7_get(ctx->options->indata, ctx->cat_ctx->sigpos, ctx->cat_ctx->siglen); } /* @@ -128,37 +128,37 @@ static PKCS7 *cat_pkcs7_extract(FILE_FORMAT_CTX *ctx) */ static PKCS7 *cat_pkcs7_prepare(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) { - PKCS7 *cursig = NULL, *p7 = NULL; + PKCS7 *cursig = NULL, *p7 = NULL; - /* squash unused parameter warnings */ - (void)outdata; - (void)hash; + /* squash unused parameter warnings */ + (void)outdata; + (void)hash; - /* Obtain an existing signature */ - cursig = pkcs7_get(ctx->options->indata, ctx->cat_ctx->sigpos, ctx->cat_ctx->siglen); - if (!cursig) { - printf("Unable to extract existing signature\n"); - return NULL; /* FAILED */ - } - if (ctx->options->cmd == CMD_ADD || ctx->options->cmd == CMD_ATTACH) { - p7 = cursig; - } else if (ctx->options->cmd == CMD_SIGN) { - /* Create a new signature */ - p7 = pkcs7_create(ctx); - if (!p7) { - printf("Creating a new signature failed\n"); - PKCS7_free(cursig); - return NULL; /* FAILED */ - } - if (!add_ms_ctl_object(p7, cursig)) { - printf("Adding MS_CTL_OBJID failed\n"); - PKCS7_free(p7); - PKCS7_free(cursig); - return NULL; /* FAILED */ - } - PKCS7_free(cursig); - } - return p7; /* OK */ + /* Obtain an existing signature */ + cursig = pkcs7_get(ctx->options->indata, ctx->cat_ctx->sigpos, ctx->cat_ctx->siglen); + if (!cursig) { + printf("Unable to extract existing signature\n"); + return NULL; /* FAILED */ + } + if (ctx->options->cmd == CMD_ADD || ctx->options->cmd == CMD_ATTACH) { + p7 = cursig; + } else if (ctx->options->cmd == CMD_SIGN) { + /* Create a new signature */ + p7 = pkcs7_create(ctx); + if (!p7) { + printf("Creating a new signature failed\n"); + PKCS7_free(cursig); + return NULL; /* FAILED */ + } + if (!add_ms_ctl_object(p7, cursig)) { + printf("Adding MS_CTL_OBJID failed\n"); + PKCS7_free(p7); + PKCS7_free(cursig); + return NULL; /* FAILED */ + } + PKCS7_free(cursig); + } + return p7; /* OK */ } /* @@ -170,22 +170,22 @@ static PKCS7 *cat_pkcs7_prepare(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) */ static int cat_append_pkcs7(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7) { - u_char *p = NULL; - int len; /* signature length */ + u_char *p = NULL; + int len; /* signature length */ - /* squash the unused parameter warning */ - (void)ctx; + /* squash the unused parameter warning */ + (void)ctx; - if (((len = i2d_PKCS7(p7, NULL)) <= 0) - || (p = OPENSSL_malloc((size_t)len)) == NULL) { - printf("i2d_PKCS memory allocation failed: %d\n", len); - return 1; /* FAILED */ - } - i2d_PKCS7(p7, &p); - p -= len; - i2d_PKCS7_bio(outdata, p7); - OPENSSL_free(p); - return 0; /* OK */ + if (((len = i2d_PKCS7(p7, NULL)) <= 0) + || (p = OPENSSL_malloc((size_t)len)) == NULL) { + printf("i2d_PKCS memory allocation failed: %d\n", len); + return 1; /* FAILED */ + } + i2d_PKCS7(p7, &p); + p -= len; + i2d_PKCS7_bio(outdata, p7); + OPENSSL_free(p); + return 0; /* OK */ } /* @@ -196,11 +196,11 @@ static int cat_append_pkcs7(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7) */ static BIO *cat_bio_free(BIO *hash, BIO *outdata) { - /* squash the unused parameter warning */ - (void)outdata; + /* squash the unused parameter warning */ + (void)outdata; - BIO_free_all(hash); - return NULL; + BIO_free_all(hash); + return NULL; } /* @@ -213,19 +213,19 @@ static BIO *cat_bio_free(BIO *hash, BIO *outdata) */ static void cat_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) { - if (outdata) { - BIO_free_all(hash); - if (ctx->options->outfile) { + if (outdata) { + BIO_free_all(hash); + if (ctx->options->outfile) { #ifdef WIN32 - _unlink(ctx->options->outfile); + _unlink(ctx->options->outfile); #else - unlink(ctx->options->outfile); + unlink(ctx->options->outfile); #endif /* WIN32 */ - } - } - unmap_file(ctx->options->indata, ctx->cat_ctx->fileend); - OPENSSL_free(ctx->cat_ctx); - OPENSSL_free(ctx); + } + } + unmap_file(ctx->options->indata, ctx->cat_ctx->fileend); + OPENSSL_free(ctx->cat_ctx); + OPENSSL_free(ctx); } /* @@ -240,24 +240,24 @@ static void cat_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) */ static CAT_CTX *cat_ctx_get(char *indata, uint32_t filesize) { - CAT_CTX *cat_ctx; + CAT_CTX *cat_ctx; - /* squash the unused parameter warning */ - (void)indata; - - cat_ctx = OPENSSL_zalloc(sizeof(CAT_CTX)); - cat_ctx->sigpos = 0; - cat_ctx->siglen = filesize; - cat_ctx->fileend = filesize; - return cat_ctx; /* OK */ + /* squash the unused parameter warning */ + (void)indata; + + cat_ctx = OPENSSL_zalloc(sizeof(CAT_CTX)); + cat_ctx->sigpos = 0; + cat_ctx->siglen = filesize; + cat_ctx->fileend = filesize; + return cat_ctx; /* OK */ } /* Local Variables: c-basic-offset: 4 tab-width: 4 - indent-tabs-mode: t + indent-tabs-mode: nil End: - vim: set ts=4 noexpandtab: + vim: set ts=4 expandtab: */ diff --git a/helpers.c b/helpers.c index ed12449..02bfa24 100644 --- a/helpers.c +++ b/helpers.c @@ -28,28 +28,28 @@ static int pkcs7_signer_info_add_signing_time(PKCS7_SIGNER_INFO *si, FILE_FORMAT */ uint32_t get_file_size(const char *infile) { - int ret; + int ret; #ifdef _WIN32 - struct _stat64 st; - ret = _stat64(infile, &st); + struct _stat64 st; + ret = _stat64(infile, &st); #else - struct stat st; - ret = stat(infile, &st); + struct stat st; + ret = stat(infile, &st); #endif - if (ret) { - printf("Failed to open file: %s\n", infile); - return 0; - } + if (ret) { + printf("Failed to open file: %s\n", infile); + return 0; + } - if (st.st_size < 4) { - printf("Unrecognized file type - file is too short: %s\n", infile); - return 0; - } - if (st.st_size > UINT32_MAX) { - printf("Unsupported file - too large: %s\n", infile); - return 0; - } - return (uint32_t)st.st_size; + if (st.st_size < 4) { + printf("Unrecognized file type - file is too short: %s\n", infile); + return 0; + } + if (st.st_size > UINT32_MAX) { + printf("Unsupported file - too large: %s\n", infile); + return 0; + } + return (uint32_t)st.st_size; } /* @@ -58,39 +58,39 @@ uint32_t get_file_size(const char *infile) */ char *map_file(const char *infile, const size_t size) { - char *indata = NULL; + char *indata = NULL; #ifdef WIN32 - HANDLE fhandle, fmap; - (void)size; - fhandle = CreateFile(infile, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL); - if (fhandle == INVALID_HANDLE_VALUE) { - return NULL; - } - fmap = CreateFileMapping(fhandle, NULL, PAGE_READONLY, 0, 0, NULL); - CloseHandle(fhandle); - if (fmap == NULL) { - return NULL; - } - indata = (char *)MapViewOfFile(fmap, FILE_MAP_READ, 0, 0, 0); - CloseHandle(fmap); + HANDLE fhandle, fmap; + (void)size; + fhandle = CreateFile(infile, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL); + if (fhandle == INVALID_HANDLE_VALUE) { + return NULL; + } + fmap = CreateFileMapping(fhandle, NULL, PAGE_READONLY, 0, 0, NULL); + CloseHandle(fhandle); + if (fmap == NULL) { + return NULL; + } + indata = (char *)MapViewOfFile(fmap, FILE_MAP_READ, 0, 0, 0); + CloseHandle(fmap); #else #ifdef HAVE_SYS_MMAN_H - int fd = open(infile, O_RDONLY); - if (fd < 0) { - return NULL; - } - indata = mmap(0, size, PROT_READ, MAP_PRIVATE, fd, 0); - if (indata == MAP_FAILED) { - close(fd); - return NULL; - } - close(fd); + int fd = open(infile, O_RDONLY); + if (fd < 0) { + return NULL; + } + indata = mmap(0, size, PROT_READ, MAP_PRIVATE, fd, 0); + if (indata == MAP_FAILED) { + close(fd); + return NULL; + } + close(fd); #else - printf("No file mapping function\n"); - return NULL; + printf("No file mapping function\n"); + return NULL; #endif /* HAVE_SYS_MMAN_H */ #endif /* WIN32 */ - return indata; + return indata; } /* @@ -100,13 +100,13 @@ char *map_file(const char *infile, const size_t size) */ void unmap_file(char *indata, const size_t size) { - if (!indata) - return; + if (!indata) + return; #ifdef WIN32 - (void)size; - UnmapViewOfFile(indata); + (void)size; + UnmapViewOfFile(indata); #else - munmap(indata, size); + munmap(indata, size); #endif /* WIN32 */ } @@ -117,25 +117,25 @@ void unmap_file(char *indata, const size_t size) */ static int pkcs7_signer_info_add_spc_sp_opus_info(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx) { - SpcSpOpusInfo *opus; - ASN1_STRING *astr; - int len; - u_char *p = NULL; + SpcSpOpusInfo *opus; + ASN1_STRING *astr; + int len; + u_char *p = NULL; - opus = spc_sp_opus_info_create(ctx); - if ((len = i2d_SpcSpOpusInfo(opus, NULL)) <= 0 - || (p = OPENSSL_malloc((size_t)len)) == NULL) { - SpcSpOpusInfo_free(opus); - return 0; /* FAILED */ - } - i2d_SpcSpOpusInfo(opus, &p); - p -= len; - astr = ASN1_STRING_new(); - ASN1_STRING_set(astr, p, len); - OPENSSL_free(p); - SpcSpOpusInfo_free(opus); - return PKCS7_add_signed_attribute(si, OBJ_txt2nid(SPC_SP_OPUS_INFO_OBJID), - V_ASN1_SEQUENCE, astr); + opus = spc_sp_opus_info_create(ctx); + if ((len = i2d_SpcSpOpusInfo(opus, NULL)) <= 0 + || (p = OPENSSL_malloc((size_t)len)) == NULL) { + SpcSpOpusInfo_free(opus); + return 0; /* FAILED */ + } + i2d_SpcSpOpusInfo(opus, &p); + p -= len; + astr = ASN1_STRING_new(); + ASN1_STRING_set(astr, p, len); + OPENSSL_free(p); + SpcSpOpusInfo_free(opus); + return PKCS7_add_signed_attribute(si, OBJ_txt2nid(SPC_SP_OPUS_INFO_OBJID), + V_ASN1_SEQUENCE, astr); } /* @@ -145,23 +145,23 @@ static int pkcs7_signer_info_add_spc_sp_opus_info(PKCS7_SIGNER_INFO *si, FILE_FO */ static int pkcs7_signer_info_add_purpose(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx) { - static const u_char purpose_ind[] = { - 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, - 0x01, 0x82, 0x37, 0x02, 0x01, 0x15 - }; - static const u_char purpose_comm[] = { - 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, - 0x01, 0x82, 0x37, 0x02, 0x01, 0x16 - }; - ASN1_STRING *purpose = ASN1_STRING_new(); + static const u_char purpose_ind[] = { + 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, + 0x01, 0x82, 0x37, 0x02, 0x01, 0x15 + }; + static const u_char purpose_comm[] = { + 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, + 0x01, 0x82, 0x37, 0x02, 0x01, 0x16 + }; + ASN1_STRING *purpose = ASN1_STRING_new(); - if (ctx->options->comm) { - ASN1_STRING_set(purpose, purpose_comm, sizeof purpose_comm); - } else { - ASN1_STRING_set(purpose, purpose_ind, sizeof purpose_ind); - } - return PKCS7_add_signed_attribute(si, OBJ_txt2nid(SPC_STATEMENT_TYPE_OBJID), - V_ASN1_SEQUENCE, purpose); + if (ctx->options->comm) { + ASN1_STRING_set(purpose, purpose_comm, sizeof purpose_comm); + } else { + ASN1_STRING_set(purpose, purpose_ind, sizeof purpose_ind); + } + return PKCS7_add_signed_attribute(si, OBJ_txt2nid(SPC_STATEMENT_TYPE_OBJID), + V_ASN1_SEQUENCE, purpose); } /* @@ -176,10 +176,10 @@ static int pkcs7_signer_info_add_purpose(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX */ static int pkcs7_signer_info_add_signing_time(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx) { - if (ctx->options->time == INVALID_TIME) /* -time option was not specified */ - return 1; /* SUCCESS */ - return PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, V_ASN1_UTCTIME, - ASN1_TIME_adj(NULL, ctx->options->time, 0, 0)); + if (ctx->options->time == INVALID_TIME) /* -time option was not specified */ + return 1; /* SUCCESS */ + return PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, V_ASN1_UTCTIME, + ASN1_TIME_adj(NULL, ctx->options->time, 0, 0)); } /* @@ -191,31 +191,31 @@ static int pkcs7_signer_info_add_signing_time(PKCS7_SIGNER_INFO *si, FILE_FORMAT */ PKCS7 *pkcs7_get_sigfile(FILE_FORMAT_CTX *ctx) { - PKCS7 *p7 = NULL; - uint32_t filesize; - char *indata; - BIO *bio; - const char pemhdr[] = "-----BEGIN PKCS7-----"; + PKCS7 *p7 = NULL; + uint32_t filesize; + char *indata; + BIO *bio; + const char pemhdr[] = "-----BEGIN PKCS7-----"; - filesize = get_file_size(ctx->options->sigfile); - if (!filesize) { - return NULL; /* FAILED */ - } - indata = map_file(ctx->options->sigfile, filesize); - if (!indata) { - printf("Failed to open file: %s\n", ctx->options->sigfile); - return NULL; /* FAILED */ - } - bio = BIO_new_mem_buf(indata, (int)filesize); - if (filesize >= sizeof pemhdr && !memcmp(indata, pemhdr, sizeof pemhdr - 1)) { - /* PEM format */ - p7 = PEM_read_bio_PKCS7(bio, NULL, NULL, NULL); - } else { /* DER format */ - p7 = d2i_PKCS7_bio(bio, NULL); - } - BIO_free_all(bio); - unmap_file(indata, filesize); - return p7; + filesize = get_file_size(ctx->options->sigfile); + if (!filesize) { + return NULL; /* FAILED */ + } + indata = map_file(ctx->options->sigfile, filesize); + if (!indata) { + printf("Failed to open file: %s\n", ctx->options->sigfile); + return NULL; /* FAILED */ + } + bio = BIO_new_mem_buf(indata, (int)filesize); + if (filesize >= sizeof pemhdr && !memcmp(indata, pemhdr, sizeof pemhdr - 1)) { + /* PEM format */ + p7 = PEM_read_bio_PKCS7(bio, NULL, NULL, NULL); + } else { /* DER format */ + p7 = d2i_PKCS7_bio(bio, NULL); + } + BIO_free_all(bio); + unmap_file(indata, filesize); + return p7; } /* @@ -225,76 +225,76 @@ PKCS7 *pkcs7_get_sigfile(FILE_FORMAT_CTX *ctx) */ PKCS7 *pkcs7_create(FILE_FORMAT_CTX *ctx) { - int i, signer = -1; - PKCS7 *p7; - PKCS7_SIGNER_INFO *si = NULL; + int i, signer = -1; + PKCS7 *p7; + PKCS7_SIGNER_INFO *si = NULL; - p7 = PKCS7_new(); - PKCS7_set_type(p7, NID_pkcs7_signed); + p7 = PKCS7_new(); + PKCS7_set_type(p7, NID_pkcs7_signed); - if (ctx->options->cert != NULL) { - /* - * the private key and corresponding certificate are parsed from the PKCS12 - * structure or loaded from the security token, so we may omit to check - * the consistency of a private key with the public key in an X509 certificate - */ - si = PKCS7_add_signature(p7, ctx->options->cert, ctx->options->pkey, - ctx->options->md); - if (si == NULL) - return NULL; /* FAILED */ - } else { - /* find the signer's certificate located somewhere in the whole certificate chain */ - for (i=0; ioptions->certs); i++) { - X509 *signcert = sk_X509_value(ctx->options->certs, i); - if (X509_check_private_key(signcert, ctx->options->pkey)) { - si = PKCS7_add_signature(p7, signcert, ctx->options->pkey, ctx->options->md); - signer = i; - break; - } - } - if (si == NULL) { - printf("Failed to checking the consistency of a private key: %s\n", - ctx->options->keyfile); - printf(" with a public key in any X509 certificate: %s\n\n", - ctx->options->certfile); - return NULL; /* FAILED */ - } - } - pkcs7_signer_info_add_signing_time(si, ctx); + if (ctx->options->cert != NULL) { + /* + * the private key and corresponding certificate are parsed from the PKCS12 + * structure or loaded from the security token, so we may omit to check + * the consistency of a private key with the public key in an X509 certificate + */ + si = PKCS7_add_signature(p7, ctx->options->cert, ctx->options->pkey, + ctx->options->md); + if (si == NULL) + return NULL; /* FAILED */ + } else { + /* find the signer's certificate located somewhere in the whole certificate chain */ + for (i=0; ioptions->certs); i++) { + X509 *signcert = sk_X509_value(ctx->options->certs, i); + if (X509_check_private_key(signcert, ctx->options->pkey)) { + si = PKCS7_add_signature(p7, signcert, ctx->options->pkey, ctx->options->md); + signer = i; + break; + } + } + if (si == NULL) { + printf("Failed to checking the consistency of a private key: %s\n", + ctx->options->keyfile); + printf(" with a public key in any X509 certificate: %s\n\n", + ctx->options->certfile); + return NULL; /* FAILED */ + } + } + pkcs7_signer_info_add_signing_time(si, ctx); - if (!pkcs7_signer_info_add_purpose(si, ctx)) - return NULL; /* FAILED */ + if (!pkcs7_signer_info_add_purpose(si, ctx)) + return NULL; /* FAILED */ - if ((ctx->options->desc || ctx->options->url) && - !pkcs7_signer_info_add_spc_sp_opus_info(si, ctx)) { - printf("Couldn't allocate memory for opus info\n"); - return NULL; /* FAILED */ - } - PKCS7_content_new(p7, NID_pkcs7_data); + if ((ctx->options->desc || ctx->options->url) && + !pkcs7_signer_info_add_spc_sp_opus_info(si, ctx)) { + printf("Couldn't allocate memory for opus info\n"); + return NULL; /* FAILED */ + } + PKCS7_content_new(p7, NID_pkcs7_data); - /* add the signer's certificate */ - if (ctx->options->cert != NULL) - PKCS7_add_certificate(p7, ctx->options->cert); - if (signer != -1) - PKCS7_add_certificate(p7, sk_X509_value(ctx->options->certs, signer)); + /* add the signer's certificate */ + if (ctx->options->cert != NULL) + PKCS7_add_certificate(p7, ctx->options->cert); + if (signer != -1) + PKCS7_add_certificate(p7, sk_X509_value(ctx->options->certs, signer)); - /* add the certificate chain */ - for (i=0; ioptions->certs); i++) { - if (i == signer) - continue; - PKCS7_add_certificate(p7, sk_X509_value(ctx->options->certs, i)); - } - /* add all cross certificates */ - if (ctx->options->xcerts) { - for (i=0; ioptions->xcerts); i++) - PKCS7_add_certificate(p7, sk_X509_value(ctx->options->xcerts, i)); - } - /* add crls */ - if (ctx->options->crls) { - for (i=0; ioptions->crls); i++) - PKCS7_add_crl(p7, sk_X509_CRL_value(ctx->options->crls, i)); - } - return p7; /* OK */ + /* add the certificate chain */ + for (i=0; ioptions->certs); i++) { + if (i == signer) + continue; + PKCS7_add_certificate(p7, sk_X509_value(ctx->options->certs, i)); + } + /* add all cross certificates */ + if (ctx->options->xcerts) { + for (i=0; ioptions->xcerts); i++) + PKCS7_add_certificate(p7, sk_X509_value(ctx->options->xcerts, i)); + } + /* add crls */ + if (ctx->options->crls) { + for (i=0; ioptions->crls); i++) + PKCS7_add_crl(p7, sk_X509_CRL_value(ctx->options->crls, i)); + } + return p7; /* OK */ } /* @@ -304,23 +304,23 @@ PKCS7 *pkcs7_create(FILE_FORMAT_CTX *ctx) */ int add_indirect_data_object(PKCS7 *p7, BIO *hash, FILE_FORMAT_CTX *ctx) { - STACK_OF(PKCS7_SIGNER_INFO) *signer_info; - PKCS7_SIGNER_INFO *si; - - signer_info = PKCS7_get_signer_info(p7); - if (!signer_info) - return 0; /* FAILED */ - si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); - if (!si) - return 0; /* FAILED */ - if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, - V_ASN1_OBJECT, OBJ_txt2obj(SPC_INDIRECT_DATA_OBJID, 1))) - return 0; /* FAILED */ - if (!pkcs7_set_data_content(p7, hash, ctx)) { - printf("Signing failed\n"); - return 0; /* FAILED */ - } - return 1; /* OK */ + STACK_OF(PKCS7_SIGNER_INFO) *signer_info; + PKCS7_SIGNER_INFO *si; + + signer_info = PKCS7_get_signer_info(p7); + if (!signer_info) + return 0; /* FAILED */ + si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); + if (!si) + return 0; /* FAILED */ + if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, + V_ASN1_OBJECT, OBJ_txt2obj(SPC_INDIRECT_DATA_OBJID, 1))) + return 0; /* FAILED */ + if (!pkcs7_set_data_content(p7, hash, ctx)) { + printf("Signing failed\n"); + return 0; /* FAILED */ + } + return 1; /* OK */ } /* @@ -330,54 +330,54 @@ int add_indirect_data_object(PKCS7 *p7, BIO *hash, FILE_FORMAT_CTX *ctx) */ int add_ms_ctl_object(PKCS7 *p7, PKCS7 *cursig) { - STACK_OF(PKCS7_SIGNER_INFO) *signer_info; - PKCS7_SIGNER_INFO *si; - - signer_info = PKCS7_get_signer_info(p7); - if (!signer_info) - return 0; /* FAILED */ - si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); - if (!si) - return 0; /* FAILED */ - if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, - V_ASN1_OBJECT, OBJ_txt2obj(MS_CTL_OBJID, 1))) - return 0; /* FAILED */ - if (!pkcs7_set_content_blob(p7, cursig)) { - printf("Signing failed\n"); - return 0; /* FAILED */ - } - return 1; /* OK */ + STACK_OF(PKCS7_SIGNER_INFO) *signer_info; + PKCS7_SIGNER_INFO *si; + + signer_info = PKCS7_get_signer_info(p7); + if (!signer_info) + return 0; /* FAILED */ + si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); + if (!si) + return 0; /* FAILED */ + if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, + V_ASN1_OBJECT, OBJ_txt2obj(MS_CTL_OBJID, 1))) + return 0; /* FAILED */ + if (!pkcs7_set_content_blob(p7, cursig)) { + printf("Signing failed\n"); + return 0; /* FAILED */ + } + return 1; /* OK */ } static int pkcs7_set_content_blob(PKCS7 *sig, PKCS7 *cursig) { - PKCS7 *contents; - u_char *content; - int seqhdrlen, content_length; - BIO *sigbio; + PKCS7 *contents; + u_char *content; + int seqhdrlen, content_length; + BIO *sigbio; - contents = cursig->d.sign->contents; - seqhdrlen = asn1_simple_hdr_len(contents->d.other->value.sequence->data, - contents->d.other->value.sequence->length); - content = contents->d.other->value.sequence->data + seqhdrlen; - content_length = contents->d.other->value.sequence->length - seqhdrlen; + contents = cursig->d.sign->contents; + seqhdrlen = asn1_simple_hdr_len(contents->d.other->value.sequence->data, + contents->d.other->value.sequence->length); + content = contents->d.other->value.sequence->data + seqhdrlen; + content_length = contents->d.other->value.sequence->length - seqhdrlen; - if ((sigbio = PKCS7_dataInit(sig, NULL)) == NULL) { - printf("PKCS7_dataInit failed\n"); - return 0; /* FAILED */ - } - BIO_write(sigbio, content, content_length); - (void)BIO_flush(sigbio); - if (!PKCS7_dataFinal(sig, sigbio)) { - printf("PKCS7_dataFinal failed\n"); - return 0; /* FAILED */ - } - BIO_free_all(sigbio); - if (!PKCS7_set_content(sig, PKCS7_dup(contents))) { - printf("PKCS7_set_content failed\n"); - return 0; /* FAILED */ - } - return 1; /* OK */ + if ((sigbio = PKCS7_dataInit(sig, NULL)) == NULL) { + printf("PKCS7_dataInit failed\n"); + return 0; /* FAILED */ + } + BIO_write(sigbio, content, content_length); + (void)BIO_flush(sigbio); + if (!PKCS7_dataFinal(sig, sigbio)) { + printf("PKCS7_dataFinal failed\n"); + return 0; /* FAILED */ + } + BIO_free_all(sigbio); + if (!PKCS7_set_content(sig, PKCS7_dup(contents))) { + printf("PKCS7_set_content failed\n"); + return 0; /* FAILED */ + } + return 1; /* OK */ } /* @@ -390,32 +390,32 @@ static int pkcs7_set_content_blob(PKCS7 *sig, PKCS7 *cursig) */ int cursig_set_nested(PKCS7 *cursig, PKCS7 *p7, FILE_FORMAT_CTX *ctx) { - u_char *p = NULL; - int len = 0; - PKCS7_SIGNER_INFO *si; - STACK_OF(PKCS7_SIGNER_INFO) *signer_info; + u_char *p = NULL; + int len = 0; + PKCS7_SIGNER_INFO *si; + STACK_OF(PKCS7_SIGNER_INFO) *signer_info; - if (!cursig) - return 0; /* FAILED */ - signer_info = PKCS7_get_signer_info(cursig); - if (!signer_info) - return 0; /* FAILED */ - si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); - if (!si) - return 0; /* FAILED */ - if (((len = i2d_PKCS7(p7, NULL)) <= 0) || - (p = OPENSSL_malloc((size_t)len)) == NULL) - return 0; /* FAILED */ - i2d_PKCS7(p7, &p); - p -= len; + if (!cursig) + return 0; /* FAILED */ + signer_info = PKCS7_get_signer_info(cursig); + if (!signer_info) + return 0; /* FAILED */ + si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); + if (!si) + return 0; /* FAILED */ + if (((len = i2d_PKCS7(p7, NULL)) <= 0) || + (p = OPENSSL_malloc((size_t)len)) == NULL) + return 0; /* FAILED */ + i2d_PKCS7(p7, &p); + p -= len; - pkcs7_signer_info_add_signing_time(si, ctx); - if (!X509_attribute_chain_append_signature(&(si->unauth_attr), p, len)) { - OPENSSL_free(p); - return 0; /* FAILED */ - } - OPENSSL_free(p); - return 1; /* OK */ + pkcs7_signer_info_add_signing_time(si, ctx); + if (!X509_attribute_chain_append_signature(&(si->unauth_attr), p, len)) { + OPENSSL_free(p); + return 0; /* FAILED */ + } + OPENSSL_free(p); + return 1; /* OK */ } /* Return the header length (tag and length octets) of the ASN.1 type @@ -425,9 +425,9 @@ int cursig_set_nested(PKCS7 *cursig, PKCS7 *p7, FILE_FORMAT_CTX *ctx) */ int asn1_simple_hdr_len(const u_char *p, int len) { - if (len <= 2 || p[0] > 0x31) - return 0; - return (p[1]&0x80) ? (2 + (p[1]&0x7f)) : 2; + if (len <= 2 || p[0] > 0x31) + return 0; + return (p[1]&0x80) ? (2 + (p[1]&0x7f)) : 2; } /* @@ -439,16 +439,16 @@ int asn1_simple_hdr_len(const u_char *p, int len) */ int bio_hash_data(BIO *hash, char *indata, size_t idx, size_t fileend) { - while (idx < fileend) { - size_t want, written; - want = fileend - idx; - if (want > SIZE_64K) - want = SIZE_64K; - if (!BIO_write_ex(hash, indata + idx, want, &written)) - return 0; /* FAILED */ - idx += written; - } - return 1; /* OK */ + while (idx < fileend) { + size_t want, written; + want = fileend - idx; + if (want > SIZE_64K) + want = SIZE_64K; + if (!BIO_write_ex(hash, indata + idx, want, &written)) + return 0; /* FAILED */ + idx += written; + } + return 1; /* OK */ } /* @@ -459,20 +459,20 @@ int bio_hash_data(BIO *hash, char *indata, size_t idx, size_t fileend) */ void print_hash(const char *descript1, const char *descript2, const u_char *mdbuf, int len) { - char *hexbuf = NULL; - int size, i, j = 0; + char *hexbuf = NULL; + int size, i, j = 0; - size = 2 * len + 1; - hexbuf = OPENSSL_malloc((size_t)size); - for (i = 0; i < len; i++) { + size = 2 * len + 1; + hexbuf = OPENSSL_malloc((size_t)size); + for (i = 0; i < len; i++) { #ifdef WIN32 - j += sprintf_s(hexbuf + j, size - j, "%02X", mdbuf[i]); + j += sprintf_s(hexbuf + j, size - j, "%02X", mdbuf[i]); #else - j += sprintf(hexbuf + j, "%02X", mdbuf[i]); + j += sprintf(hexbuf + j, "%02X", mdbuf[i]); #endif /* WIN32 */ - } - printf("%s: %s %s\n", descript1, hexbuf, descript2); - OPENSSL_free(hexbuf); + } + printf("%s: %s %s\n", descript1, hexbuf, descript2); + OPENSSL_free(hexbuf); } /* @@ -482,16 +482,16 @@ void print_hash(const char *descript1, const char *descript2, const u_char *mdbu */ int is_content_type(PKCS7 *p7, const char *objid) { - ASN1_OBJECT *indir_objid; - int ret; + ASN1_OBJECT *indir_objid; + int ret; - indir_objid = OBJ_txt2obj(objid, 1); - ret = p7 && PKCS7_type_is_signed(p7) && - !OBJ_cmp(p7->d.sign->contents->type, indir_objid) && - (p7->d.sign->contents->d.other->type == V_ASN1_SEQUENCE || - p7->d.sign->contents->d.other->type == V_ASN1_OCTET_STRING); - ASN1_OBJECT_free(indir_objid); - return ret; + indir_objid = OBJ_txt2obj(objid, 1); + ret = p7 && PKCS7_type_is_signed(p7) && + !OBJ_cmp(p7->d.sign->contents->type, indir_objid) && + (p7->d.sign->contents->d.other->type == V_ASN1_SEQUENCE || + p7->d.sign->contents->d.other->type == V_ASN1_OCTET_STRING); + ASN1_OBJECT_free(indir_objid); + return ret; } /* @@ -502,22 +502,22 @@ int is_content_type(PKCS7 *p7, const char *objid) */ int pkcs7_set_data_content(PKCS7 *p7, BIO *hash, FILE_FORMAT_CTX *ctx) { - u_char *p = NULL; - int len = 0; - u_char *buf; + u_char *p = NULL; + int len = 0; + u_char *buf; - if (!spc_indirect_data_content_get(&p, &len, ctx)) - return 0; /* FAILED */ - buf = OPENSSL_malloc(SIZE_64K); - memcpy(buf, p, (size_t)len); - OPENSSL_free(p); - if (!pkcs7_set_spc_indirect_data_content(p7, hash, buf, len)) { - OPENSSL_free(buf); - return 0; /* FAILED */ - } - OPENSSL_free(buf); + if (!spc_indirect_data_content_get(&p, &len, ctx)) + return 0; /* FAILED */ + buf = OPENSSL_malloc(SIZE_64K); + memcpy(buf, p, (size_t)len); + OPENSSL_free(p); + if (!pkcs7_set_spc_indirect_data_content(p7, hash, buf, len)) { + OPENSSL_free(buf); + return 0; /* FAILED */ + } + OPENSSL_free(buf); - return 1; /* OK */ + return 1; /* OK */ } /* @@ -527,19 +527,19 @@ int pkcs7_set_data_content(PKCS7 *p7, BIO *hash, FILE_FORMAT_CTX *ctx) */ SpcLink *spc_link_obsolete_get(void) { - const u_char obsolete[] = { - 0x00, 0x3c, 0x00, 0x3c, 0x00, 0x3c, 0x00, 0x4f, - 0x00, 0x62, 0x00, 0x73, 0x00, 0x6f, 0x00, 0x6c, - 0x00, 0x65, 0x00, 0x74, 0x00, 0x65, 0x00, 0x3e, - 0x00, 0x3e, 0x00, 0x3e - }; - SpcLink *link = SpcLink_new(); - link->type = 2; - link->value.file = SpcString_new(); - link->value.file->type = 0; - link->value.file->value.unicode = ASN1_BMPSTRING_new(); - ASN1_STRING_set(link->value.file->value.unicode, obsolete, sizeof obsolete); - return link; + const u_char obsolete[] = { + 0x00, 0x3c, 0x00, 0x3c, 0x00, 0x3c, 0x00, 0x4f, + 0x00, 0x62, 0x00, 0x73, 0x00, 0x6f, 0x00, 0x6c, + 0x00, 0x65, 0x00, 0x74, 0x00, 0x65, 0x00, 0x3e, + 0x00, 0x3e, 0x00, 0x3e + }; + SpcLink *link = SpcLink_new(); + link->type = 2; + link->value.file = SpcString_new(); + link->value.file->type = 0; + link->value.file->value.unicode = ASN1_BMPSTRING_new(); + ASN1_STRING_set(link->value.file->value.unicode, obsolete, sizeof obsolete); + return link; } /* @@ -551,12 +551,12 @@ SpcLink *spc_link_obsolete_get(void) */ PKCS7 *pkcs7_get(char *indata, uint32_t sigpos, uint32_t siglen) { - PKCS7 *p7 = NULL; - const u_char *blob; + PKCS7 *p7 = NULL; + const u_char *blob; - blob = (u_char *)indata + sigpos; - p7 = d2i_PKCS7(NULL, &blob, siglen); - return p7; + blob = (u_char *)indata + sigpos; + p7 = d2i_PKCS7(NULL, &blob, siglen); + return p7; } /* @@ -566,12 +566,12 @@ PKCS7 *pkcs7_get(char *indata, uint32_t sigpos, uint32_t siglen) */ int compare_digests(u_char *mdbuf, u_char *cmdbuf, int mdtype) { - int mdlen = EVP_MD_size(EVP_get_digestbynid(mdtype)); - int mdok = !memcmp(mdbuf, cmdbuf, (size_t)mdlen); - printf("Message digest algorithm : %s\n", OBJ_nid2sn(mdtype)); - print_hash("Current message digest ", "", mdbuf, mdlen); - print_hash("Calculated message digest ", mdok ? "\n" : " MISMATCH!!!\n", cmdbuf, mdlen); - return mdok; + int mdlen = EVP_MD_size(EVP_get_digestbynid(mdtype)); + int mdok = !memcmp(mdbuf, cmdbuf, (size_t)mdlen); + printf("Message digest algorithm : %s\n", OBJ_nid2sn(mdtype)); + print_hash("Current message digest ", "", mdbuf, mdlen); + print_hash("Calculated message digest ", mdok ? "\n" : " MISMATCH!!!\n", cmdbuf, mdlen); + return mdok; } /* @@ -584,23 +584,23 @@ int compare_digests(u_char *mdbuf, u_char *cmdbuf, int mdtype) */ static SpcSpOpusInfo *spc_sp_opus_info_create(FILE_FORMAT_CTX *ctx) { - SpcSpOpusInfo *info = SpcSpOpusInfo_new(); + SpcSpOpusInfo *info = SpcSpOpusInfo_new(); - if (ctx->options->desc) { - info->programName = SpcString_new(); - info->programName->type = 1; - info->programName->value.ascii = ASN1_IA5STRING_new(); - ASN1_STRING_set((ASN1_STRING *)info->programName->value.ascii, - ctx->options->desc, (int)strlen(ctx->options->desc)); - } - if (ctx->options->url) { - info->moreInfo = SpcLink_new(); - info->moreInfo->type = 0; - info->moreInfo->value.url = ASN1_IA5STRING_new(); - ASN1_STRING_set((ASN1_STRING *)info->moreInfo->value.url, - ctx->options->url, (int)strlen(ctx->options->url)); - } - return info; + if (ctx->options->desc) { + info->programName = SpcString_new(); + info->programName->type = 1; + info->programName->value.ascii = ASN1_IA5STRING_new(); + ASN1_STRING_set((ASN1_STRING *)info->programName->value.ascii, + ctx->options->desc, (int)strlen(ctx->options->desc)); + } + if (ctx->options->url) { + info->moreInfo = SpcLink_new(); + info->moreInfo->type = 0; + info->moreInfo->value.url = ASN1_IA5STRING_new(); + ASN1_STRING_set((ASN1_STRING *)info->moreInfo->value.url, + ctx->options->url, (int)strlen(ctx->options->url)); + } + return info; } /* @@ -611,34 +611,34 @@ static SpcSpOpusInfo *spc_sp_opus_info_create(FILE_FORMAT_CTX *ctx) */ static int X509_attribute_chain_append_signature(STACK_OF(X509_ATTRIBUTE) **unauth_attr, u_char *p, int len) { - X509_ATTRIBUTE *attr = NULL; - int nid = OBJ_txt2nid(SPC_NESTED_SIGNATURE_OBJID); + X509_ATTRIBUTE *attr = NULL; + int nid = OBJ_txt2nid(SPC_NESTED_SIGNATURE_OBJID); - if (*unauth_attr == NULL) { - if ((*unauth_attr = sk_X509_ATTRIBUTE_new_null()) == NULL) - return 0; /* FAILED */ - } else { - /* try to find SPC_NESTED_SIGNATURE_OBJID attribute */ - int i; - for (i = 0; i < sk_X509_ATTRIBUTE_num(*unauth_attr); i++) { - attr = sk_X509_ATTRIBUTE_value(*unauth_attr, i); - if (OBJ_obj2nid(X509_ATTRIBUTE_get0_object(attr)) == nid) { - /* append p to the V_ASN1_SEQUENCE */ - if (!X509_ATTRIBUTE_set1_data(attr, V_ASN1_SEQUENCE, p, len)) - return 0; /* FAILED */ - return 1; /* OK */ - } - } - } - /* create new unauthorized SPC_NESTED_SIGNATURE_OBJID attribute */ - attr = X509_ATTRIBUTE_create_by_NID(NULL, nid, V_ASN1_SEQUENCE, p, len); - if (!attr) - return 0; /* FAILED */ - if (!sk_X509_ATTRIBUTE_push(*unauth_attr, attr)) { - X509_ATTRIBUTE_free(attr); - return 0; /* FAILED */ - } - return 1; /* OK */ + if (*unauth_attr == NULL) { + if ((*unauth_attr = sk_X509_ATTRIBUTE_new_null()) == NULL) + return 0; /* FAILED */ + } else { + /* try to find SPC_NESTED_SIGNATURE_OBJID attribute */ + int i; + for (i = 0; i < sk_X509_ATTRIBUTE_num(*unauth_attr); i++) { + attr = sk_X509_ATTRIBUTE_value(*unauth_attr, i); + if (OBJ_obj2nid(X509_ATTRIBUTE_get0_object(attr)) == nid) { + /* append p to the V_ASN1_SEQUENCE */ + if (!X509_ATTRIBUTE_set1_data(attr, V_ASN1_SEQUENCE, p, len)) + return 0; /* FAILED */ + return 1; /* OK */ + } + } + } + /* create new unauthorized SPC_NESTED_SIGNATURE_OBJID attribute */ + attr = X509_ATTRIBUTE_create_by_NID(NULL, nid, V_ASN1_SEQUENCE, p, len); + if (!attr) + return 0; /* FAILED */ + if (!sk_X509_ATTRIBUTE_push(*unauth_attr, attr)) { + X509_ATTRIBUTE_free(attr); + return 0; /* FAILED */ + } + return 1; /* OK */ } /* @@ -649,34 +649,34 @@ static int X509_attribute_chain_append_signature(STACK_OF(X509_ATTRIBUTE) **unau */ static int spc_indirect_data_content_get(u_char **blob, int *len, FILE_FORMAT_CTX *ctx) { - u_char *p = NULL; - int hashlen, l = 0; - void *hash; - SpcIndirectDataContent *idc = SpcIndirectDataContent_new(); + u_char *p = NULL; + int hashlen, l = 0; + void *hash; + SpcIndirectDataContent *idc = SpcIndirectDataContent_new(); - idc->data->value = ASN1_TYPE_new(); - idc->data->value->type = V_ASN1_SEQUENCE; - idc->data->value->value.sequence = ASN1_STRING_new(); - idc->data->type = ctx->format->data_blob_get(&p, &l, ctx); - idc->data->value->value.sequence->data = p; - idc->data->value->value.sequence->length = l; - idc->messageDigest->digestAlgorithm->algorithm = OBJ_nid2obj(EVP_MD_nid(ctx->options->md)); - idc->messageDigest->digestAlgorithm->parameters = ASN1_TYPE_new(); - idc->messageDigest->digestAlgorithm->parameters->type = V_ASN1_NULL; + idc->data->value = ASN1_TYPE_new(); + idc->data->value->type = V_ASN1_SEQUENCE; + idc->data->value->value.sequence = ASN1_STRING_new(); + idc->data->type = ctx->format->data_blob_get(&p, &l, ctx); + idc->data->value->value.sequence->data = p; + idc->data->value->value.sequence->length = l; + idc->messageDigest->digestAlgorithm->algorithm = OBJ_nid2obj(EVP_MD_nid(ctx->options->md)); + idc->messageDigest->digestAlgorithm->parameters = ASN1_TYPE_new(); + idc->messageDigest->digestAlgorithm->parameters->type = V_ASN1_NULL; - hashlen = EVP_MD_size(ctx->options->md); - hash = OPENSSL_malloc((size_t)hashlen); - memset(hash, 0, (size_t)hashlen); - ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen); - OPENSSL_free(hash); + hashlen = EVP_MD_size(ctx->options->md); + hash = OPENSSL_malloc((size_t)hashlen); + memset(hash, 0, (size_t)hashlen); + ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen); + OPENSSL_free(hash); - *len = i2d_SpcIndirectDataContent(idc, NULL); - *blob = OPENSSL_malloc((size_t)*len); - p = *blob; - i2d_SpcIndirectDataContent(idc, &p); - SpcIndirectDataContent_free(idc); - *len -= EVP_MD_size(ctx->options->md); - return 1; /* OK */ + *len = i2d_SpcIndirectDataContent(idc, NULL); + *blob = OPENSSL_malloc((size_t)*len); + p = *blob; + i2d_SpcIndirectDataContent(idc, &p); + SpcIndirectDataContent_free(idc); + *len -= EVP_MD_size(ctx->options->md); + return 1; /* OK */ } /* @@ -689,48 +689,48 @@ static int spc_indirect_data_content_get(u_char **blob, int *len, FILE_FORMAT_CT */ static int pkcs7_set_spc_indirect_data_content(PKCS7 *p7, BIO *hash, u_char *buf, int len) { - u_char mdbuf[EVP_MAX_MD_SIZE]; - int mdlen, seqhdrlen; - BIO *bio; - PKCS7 *td7; + u_char mdbuf[EVP_MAX_MD_SIZE]; + int mdlen, seqhdrlen; + BIO *bio; + PKCS7 *td7; - mdlen = BIO_gets(hash, (char*)mdbuf, EVP_MAX_MD_SIZE); - memcpy(buf+len, mdbuf, (size_t)mdlen); - seqhdrlen = asn1_simple_hdr_len(buf, len); + mdlen = BIO_gets(hash, (char*)mdbuf, EVP_MAX_MD_SIZE); + memcpy(buf+len, mdbuf, (size_t)mdlen); + seqhdrlen = asn1_simple_hdr_len(buf, len); - if ((bio = PKCS7_dataInit(p7, NULL)) == NULL) { - printf("PKCS7_dataInit failed\n"); - return 0; /* FAILED */ - } - BIO_write(bio, buf + seqhdrlen, len - seqhdrlen + mdlen); - (void)BIO_flush(bio); + if ((bio = PKCS7_dataInit(p7, NULL)) == NULL) { + printf("PKCS7_dataInit failed\n"); + return 0; /* FAILED */ + } + BIO_write(bio, buf + seqhdrlen, len - seqhdrlen + mdlen); + (void)BIO_flush(bio); - if (!PKCS7_dataFinal(p7, bio)) { - printf("PKCS7_dataFinal failed\n"); - return 0; /* FAILED */ - } - BIO_free_all(bio); + if (!PKCS7_dataFinal(p7, bio)) { + printf("PKCS7_dataFinal failed\n"); + return 0; /* FAILED */ + } + BIO_free_all(bio); - td7 = PKCS7_new(); - td7->type = OBJ_txt2obj(SPC_INDIRECT_DATA_OBJID, 1); - td7->d.other = ASN1_TYPE_new(); - td7->d.other->type = V_ASN1_SEQUENCE; - td7->d.other->value.sequence = ASN1_STRING_new(); - ASN1_STRING_set(td7->d.other->value.sequence, buf, len+mdlen); - if (!PKCS7_set_content(p7, td7)) { - PKCS7_free(td7); - printf("PKCS7_set_content failed\n"); - return 0; /* FAILED */ - } - return 1; /* OK */ + td7 = PKCS7_new(); + td7->type = OBJ_txt2obj(SPC_INDIRECT_DATA_OBJID, 1); + td7->d.other = ASN1_TYPE_new(); + td7->d.other->type = V_ASN1_SEQUENCE; + td7->d.other->value.sequence = ASN1_STRING_new(); + ASN1_STRING_set(td7->d.other->value.sequence, buf, len+mdlen); + if (!PKCS7_set_content(p7, td7)) { + PKCS7_free(td7); + printf("PKCS7_set_content failed\n"); + return 0; /* FAILED */ + } + return 1; /* OK */ } /* Local Variables: c-basic-offset: 4 tab-width: 4 - indent-tabs-mode: t + indent-tabs-mode: nil End: - vim: set ts=4 noexpandtab: + vim: set ts=4 expandtab: */ diff --git a/helpers.h b/helpers.h index 34df226..03772e4 100644 --- a/helpers.h +++ b/helpers.h @@ -28,8 +28,8 @@ int compare_digests(u_char *mdbuf, u_char *cmdbuf, int mdtype); Local Variables: c-basic-offset: 4 tab-width: 4 - indent-tabs-mode: t + indent-tabs-mode: nil End: - vim: set ts=4 noexpandtab: + vim: set ts=4 expandtab: */ diff --git a/msi.c b/msi.c index 7c7cee1..3997c7d 100644 --- a/msi.c +++ b/msi.c @@ -70,143 +70,143 @@ #define DIRENT_FILE_SIZE 0x78 static const u_char msi_magic[] = { - 0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1 + 0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1 }; static const u_char digital_signature[] = { - 0x05, 0x00, 0x44, 0x00, 0x69, 0x00, 0x67, 0x00, - 0x69, 0x00, 0x74, 0x00, 0x61, 0x00, 0x6C, 0x00, - 0x53, 0x00, 0x69, 0x00, 0x67, 0x00, 0x6E, 0x00, - 0x61, 0x00, 0x74, 0x00, 0x75, 0x00, 0x72, 0x00, - 0x65, 0x00, 0x00, 0x00 + 0x05, 0x00, 0x44, 0x00, 0x69, 0x00, 0x67, 0x00, + 0x69, 0x00, 0x74, 0x00, 0x61, 0x00, 0x6C, 0x00, + 0x53, 0x00, 0x69, 0x00, 0x67, 0x00, 0x6E, 0x00, + 0x61, 0x00, 0x74, 0x00, 0x75, 0x00, 0x72, 0x00, + 0x65, 0x00, 0x00, 0x00 }; static const u_char digital_signature_ex[] = { - 0x05, 0x00, 0x4D, 0x00, 0x73, 0x00, 0x69, 0x00, - 0x44, 0x00, 0x69, 0x00, 0x67, 0x00, 0x69, 0x00, - 0x74, 0x00, 0x61, 0x00, 0x6C, 0x00, 0x53, 0x00, - 0x69, 0x00, 0x67, 0x00, 0x6E, 0x00, 0x61, 0x00, - 0x74, 0x00, 0x75, 0x00, 0x72, 0x00, 0x65, 0x00, - 0x45, 0x00, 0x78, 0x00, 0x00, 0x00 + 0x05, 0x00, 0x4D, 0x00, 0x73, 0x00, 0x69, 0x00, + 0x44, 0x00, 0x69, 0x00, 0x67, 0x00, 0x69, 0x00, + 0x74, 0x00, 0x61, 0x00, 0x6C, 0x00, 0x53, 0x00, + 0x69, 0x00, 0x67, 0x00, 0x6E, 0x00, 0x61, 0x00, + 0x74, 0x00, 0x75, 0x00, 0x72, 0x00, 0x65, 0x00, + 0x45, 0x00, 0x78, 0x00, 0x00, 0x00 }; static const u_char msi_root_entry[] = { - 0x52, 0x00, 0x6F, 0x00, 0x6F, 0x00, 0x74, 0x00, - 0x20, 0x00, 0x45, 0x00, 0x6E, 0x00, 0x74, 0x00, - 0x72, 0x00, 0x79, 0x00, 0x00, 0x00 + 0x52, 0x00, 0x6F, 0x00, 0x6F, 0x00, 0x74, 0x00, + 0x20, 0x00, 0x45, 0x00, 0x6E, 0x00, 0x74, 0x00, + 0x72, 0x00, 0x79, 0x00, 0x00, 0x00 }; static const u_char msi_zeroes[] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; typedef struct { - ASN1_INTEGER *a; - ASN1_OCTET_STRING *string; - ASN1_INTEGER *b; - ASN1_INTEGER *c; - ASN1_INTEGER *d; - ASN1_INTEGER *e; - ASN1_INTEGER *f; + ASN1_INTEGER *a; + ASN1_OCTET_STRING *string; + ASN1_INTEGER *b; + ASN1_INTEGER *c; + ASN1_INTEGER *d; + ASN1_INTEGER *e; + ASN1_INTEGER *f; } SpcSipInfo; DECLARE_ASN1_FUNCTIONS(SpcSipInfo) ASN1_SEQUENCE(SpcSipInfo) = { - ASN1_SIMPLE(SpcSipInfo, a, ASN1_INTEGER), - ASN1_SIMPLE(SpcSipInfo, string, ASN1_OCTET_STRING), - ASN1_SIMPLE(SpcSipInfo, b, ASN1_INTEGER), - ASN1_SIMPLE(SpcSipInfo, c, ASN1_INTEGER), - ASN1_SIMPLE(SpcSipInfo, d, ASN1_INTEGER), - ASN1_SIMPLE(SpcSipInfo, e, ASN1_INTEGER), - ASN1_SIMPLE(SpcSipInfo, f, ASN1_INTEGER), + ASN1_SIMPLE(SpcSipInfo, a, ASN1_INTEGER), + ASN1_SIMPLE(SpcSipInfo, string, ASN1_OCTET_STRING), + ASN1_SIMPLE(SpcSipInfo, b, ASN1_INTEGER), + ASN1_SIMPLE(SpcSipInfo, c, ASN1_INTEGER), + ASN1_SIMPLE(SpcSipInfo, d, ASN1_INTEGER), + ASN1_SIMPLE(SpcSipInfo, e, ASN1_INTEGER), + ASN1_SIMPLE(SpcSipInfo, f, ASN1_INTEGER), } ASN1_SEQUENCE_END(SpcSipInfo) IMPLEMENT_ASN1_FUNCTIONS(SpcSipInfo) typedef struct { - u_char signature[8]; /* 0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1 */ - u_char unused_clsid[16]; /* reserved and unused */ - uint16_t minorVersion; - uint16_t majorVersion; - uint16_t byteOrder; - uint16_t sectorShift; /* power of 2 */ - uint16_t miniSectorShift; /* power of 2 */ - u_char reserved[6]; /* reserved and unused */ - uint32_t numDirectorySector; - uint32_t numFATSector; - uint32_t firstDirectorySectorLocation; - uint32_t transactionSignatureNumber; /* reserved */ - uint32_t miniStreamCutoffSize; - uint32_t firstMiniFATSectorLocation; - uint32_t numMiniFATSector; - uint32_t firstDIFATSectorLocation; - uint32_t numDIFATSector; - uint32_t headerDIFAT[DIFAT_IN_HEADER]; + u_char signature[8]; /* 0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1 */ + u_char unused_clsid[16]; /* reserved and unused */ + uint16_t minorVersion; + uint16_t majorVersion; + uint16_t byteOrder; + uint16_t sectorShift; /* power of 2 */ + uint16_t miniSectorShift; /* power of 2 */ + u_char reserved[6]; /* reserved and unused */ + uint32_t numDirectorySector; + uint32_t numFATSector; + uint32_t firstDirectorySectorLocation; + uint32_t transactionSignatureNumber; /* reserved */ + uint32_t miniStreamCutoffSize; + uint32_t firstMiniFATSectorLocation; + uint32_t numMiniFATSector; + uint32_t firstDIFATSectorLocation; + uint32_t numDIFATSector; + uint32_t headerDIFAT[DIFAT_IN_HEADER]; } MSI_FILE_HDR; typedef struct { - u_char name[DIRENT_MAX_NAME_SIZE]; - uint16_t nameLen; - uint8_t type; - uint8_t colorFlag; - uint32_t leftSiblingID; - uint32_t rightSiblingID; - uint32_t childID; - u_char clsid[16]; - u_char stateBits[4]; - u_char creationTime[8]; - u_char modifiedTime[8]; - uint32_t startSectorLocation; - u_char size[8]; + u_char name[DIRENT_MAX_NAME_SIZE]; + uint16_t nameLen; + uint8_t type; + uint8_t colorFlag; + uint32_t leftSiblingID; + uint32_t rightSiblingID; + uint32_t childID; + u_char clsid[16]; + u_char stateBits[4]; + u_char creationTime[8]; + u_char modifiedTime[8]; + uint32_t startSectorLocation; + u_char size[8]; } MSI_ENTRY; typedef struct msi_dirent_struct { - u_char name[DIRENT_MAX_NAME_SIZE]; - uint16_t nameLen; - uint8_t type; - MSI_ENTRY *entry; - STACK_OF(MSI_DIRENT) *children; - struct msi_dirent_struct *next; /* for cycle detection */ + u_char name[DIRENT_MAX_NAME_SIZE]; + uint16_t nameLen; + uint8_t type; + MSI_ENTRY *entry; + STACK_OF(MSI_DIRENT) *children; + struct msi_dirent_struct *next; /* for cycle detection */ } MSI_DIRENT; DEFINE_STACK_OF(MSI_DIRENT) typedef struct { - const u_char *m_buffer; - uint32_t m_bufferLen; - MSI_FILE_HDR *m_hdr; - uint32_t m_sectorSize; - uint32_t m_minisectorSize; - uint32_t m_miniStreamStartSector; + const u_char *m_buffer; + uint32_t m_bufferLen; + MSI_FILE_HDR *m_hdr; + uint32_t m_sectorSize; + uint32_t m_minisectorSize; + uint32_t m_miniStreamStartSector; } MSI_FILE; typedef struct { - char *header; - char *ministream; - char *minifat; - char *fat; - uint32_t dirtreeLen; - uint32_t miniStreamLen; - uint32_t minifatLen; - uint32_t fatLen; - uint32_t ministreamsMemallocCount; - uint32_t minifatMemallocCount; - uint32_t fatMemallocCount; - uint32_t dirtreeSectorsCount; - uint32_t minifatSectorsCount; - uint32_t fatSectorsCount; - uint32_t miniSectorNum; - uint32_t sectorNum; - uint32_t sectorSize; + char *header; + char *ministream; + char *minifat; + char *fat; + uint32_t dirtreeLen; + uint32_t miniStreamLen; + uint32_t minifatLen; + uint32_t fatLen; + uint32_t ministreamsMemallocCount; + uint32_t minifatMemallocCount; + uint32_t fatMemallocCount; + uint32_t dirtreeSectorsCount; + uint32_t minifatSectorsCount; + uint32_t fatSectorsCount; + uint32_t miniSectorNum; + uint32_t sectorNum; + uint32_t sectorSize; } MSI_OUT; struct msi_ctx_st { - MSI_FILE *msi; - MSI_DIRENT *dirent; - u_char *p_msiex; /* MsiDigitalSignatureEx stream data */ - uint32_t len_msiex; /* MsiDigitalSignatureEx stream data length */ - uint32_t fileend; + MSI_FILE *msi; + MSI_DIRENT *dirent; + u_char *p_msiex; /* MsiDigitalSignatureEx stream data */ + uint32_t len_msiex; /* MsiDigitalSignatureEx stream data length */ + uint32_t fileend; }; /* FILE_FORMAT method prototypes */ @@ -223,26 +223,26 @@ static BIO *msi_bio_free(BIO *hash, BIO *outdata); static void msi_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata); FILE_FORMAT file_format_msi = { - .ctx_new = msi_ctx_new, - .data_blob_get = msi_spc_sip_info_get, - .check_file = msi_check_file, - .digest_calc = msi_digest_calc, - .verify_digests = msi_verify_digests, - .pkcs7_extract = msi_pkcs7_extract, - .remove_pkcs7 = msi_remove_pkcs7, - .pkcs7_prepare = msi_pkcs7_prepare, - .append_pkcs7 = msi_append_pkcs7, - .bio_free = msi_bio_free, - .ctx_cleanup = msi_ctx_cleanup + .ctx_new = msi_ctx_new, + .data_blob_get = msi_spc_sip_info_get, + .check_file = msi_check_file, + .digest_calc = msi_digest_calc, + .verify_digests = msi_verify_digests, + .pkcs7_extract = msi_pkcs7_extract, + .remove_pkcs7 = msi_remove_pkcs7, + .pkcs7_prepare = msi_pkcs7_prepare, + .append_pkcs7 = msi_append_pkcs7, + .bio_free = msi_bio_free, + .ctx_cleanup = msi_ctx_cleanup }; /* Prototypes */ static MSI_CTX *msi_ctx_get(char *indata, uint32_t filesize); static PKCS7 *msi_pkcs7_get_digital_signature(FILE_FORMAT_CTX *ctx, MSI_ENTRY *ds, - char **p, uint32_t len); + char **p, uint32_t len); static int recurse_entry(MSI_FILE *msi, uint32_t entryID, MSI_DIRENT *parent); static int msi_file_write(MSI_FILE *msi, MSI_DIRENT *dirent, u_char *p_msi, uint32_t len_msi, - u_char *p_msiex, uint32_t len_msiex, BIO *outdata); + u_char *p_msiex, uint32_t len_msiex, BIO *outdata); static MSI_ENTRY *msi_signatures_get(MSI_DIRENT *dirent, MSI_ENTRY **dse); static int msi_file_read(MSI_FILE *msi, MSI_ENTRY *entry, uint32_t offset, char *buffer, uint32_t len); static int msi_dirent_delete(MSI_DIRENT *dirent, const u_char *name, uint16_t nameLen); @@ -269,43 +269,43 @@ static int msi_prehash_dir(MSI_DIRENT *dirent, BIO *hash, int is_root); */ static FILE_FORMAT_CTX *msi_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *outdata) { - FILE_FORMAT_CTX *ctx; - MSI_CTX *msi_ctx; - uint32_t filesize; + FILE_FORMAT_CTX *ctx; + MSI_CTX *msi_ctx; + uint32_t filesize; - /* squash the unused parameter warning */ - (void)outdata; + /* squash the unused parameter warning */ + (void)outdata; - filesize = get_file_size(options->infile); - if (filesize == 0) - return NULL; /* FAILED */ + filesize = get_file_size(options->infile); + if (filesize == 0) + return NULL; /* FAILED */ - options->indata = map_file(options->infile, filesize); - if (!options->indata) { - return NULL; /* FAILED */ - } - if (memcmp(options->indata, msi_magic, sizeof msi_magic)) { - unmap_file(options->infile, filesize); - return NULL; /* FAILED */ - } - msi_ctx = msi_ctx_get(options->indata, filesize); - if (!msi_ctx) { - unmap_file(options->infile, filesize); - return NULL; /* FAILED */ - } - ctx = OPENSSL_malloc(sizeof(FILE_FORMAT_CTX)); - ctx->format = &file_format_msi; - ctx->options = options; - ctx->msi_ctx = msi_ctx; + options->indata = map_file(options->infile, filesize); + if (!options->indata) { + return NULL; /* FAILED */ + } + if (memcmp(options->indata, msi_magic, sizeof msi_magic)) { + unmap_file(options->infile, filesize); + return NULL; /* FAILED */ + } + msi_ctx = msi_ctx_get(options->indata, filesize); + if (!msi_ctx) { + unmap_file(options->infile, filesize); + return NULL; /* FAILED */ + } + ctx = OPENSSL_malloc(sizeof(FILE_FORMAT_CTX)); + ctx->format = &file_format_msi; + ctx->options = options; + ctx->msi_ctx = msi_ctx; - if (hash) - BIO_push(hash, BIO_new(BIO_s_null())); + if (hash) + BIO_push(hash, BIO_new(BIO_s_null())); - if (options->pagehash == 1) - printf("Warning: -ph option is only valid for PE files\n"); - if (options->jp >= 0) - printf("Warning: -jp option is only valid for CAB files\n"); - return ctx; + if (options->pagehash == 1) + printf("Warning: -ph option is only valid for PE files\n"); + if (options->jp >= 0) + printf("Warning: -jp option is only valid for CAB files\n"); + return ctx; } /* @@ -317,30 +317,30 @@ static FILE_FORMAT_CTX *msi_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *out */ static ASN1_OBJECT *msi_spc_sip_info_get(u_char **p, int *plen, FILE_FORMAT_CTX *ctx) { - const u_char msistr[] = { - 0xf1, 0x10, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 - }; - ASN1_OBJECT *dtype; - SpcSipInfo *si = SpcSipInfo_new(); + const u_char msistr[] = { + 0xf1, 0x10, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 + }; + ASN1_OBJECT *dtype; + SpcSipInfo *si = SpcSipInfo_new(); - /* squash the unused parameter warning */ - (void)ctx; + /* squash the unused parameter warning */ + (void)ctx; - ASN1_INTEGER_set(si->a, 1); - ASN1_INTEGER_set(si->b, 0); - ASN1_INTEGER_set(si->c, 0); - ASN1_INTEGER_set(si->d, 0); - ASN1_INTEGER_set(si->e, 0); - ASN1_INTEGER_set(si->f, 0); - ASN1_OCTET_STRING_set(si->string, msistr, sizeof msistr); - *plen = i2d_SpcSipInfo(si, NULL); - *p = OPENSSL_malloc((size_t)*plen); - i2d_SpcSipInfo(si, p); - *p -= *plen; - dtype = OBJ_txt2obj(SPC_SIPINFO_OBJID, 1); - SpcSipInfo_free(si); - return dtype; /* OK */ + ASN1_INTEGER_set(si->a, 1); + ASN1_INTEGER_set(si->b, 0); + ASN1_INTEGER_set(si->c, 0); + ASN1_INTEGER_set(si->d, 0); + ASN1_INTEGER_set(si->e, 0); + ASN1_INTEGER_set(si->f, 0); + ASN1_OCTET_STRING_set(si->string, msistr, sizeof msistr); + *plen = i2d_SpcSipInfo(si, NULL); + *p = OPENSSL_malloc((size_t)*plen); + i2d_SpcSipInfo(si, p); + *p -= *plen; + dtype = OBJ_txt2obj(SPC_SIPINFO_OBJID, 1); + SpcSipInfo_free(si); + return dtype; /* OK */ } /* @@ -352,56 +352,56 @@ static ASN1_OBJECT *msi_spc_sip_info_get(u_char **p, int *plen, FILE_FORMAT_CTX */ static int msi_check_file(FILE_FORMAT_CTX *ctx, int detached) { - char *indata = NULL; - uint32_t inlen; - MSI_ENTRY *ds, *dse = NULL; + char *indata = NULL; + uint32_t inlen; + MSI_ENTRY *ds, *dse = NULL; - /* squash the unused parameter warning */ - (void)detached; + /* squash the unused parameter warning */ + (void)detached; - if (!ctx) { - printf("Init error\n\n"); - return 0; /* FAILED */ - } - if (detached) { - printf("Checking the specified catalog file\n\n"); - return 1; /* OK */ - } - ds = msi_signatures_get(ctx->msi_ctx->dirent, &dse); - if (!ds) { - printf("MSI file has no signature\n\n"); - return 0; /* FAILED */ - } - inlen = GET_UINT32_LE(ds->size); - if (inlen == 0 || inlen >= MAXREGSECT) { - printf("Corrupted DigitalSignature stream length 0x%08X\n", inlen); - return 0; /* FAILED */ - } - indata = OPENSSL_malloc((size_t)inlen); - if (!msi_file_read(ctx->msi_ctx->msi, ds, 0, indata, inlen)) { - printf("DigitalSignature stream data error\n\n"); - return 0; /* FAILED */ - } - if (!dse) { - printf("Warning: MsiDigitalSignatureEx stream doesn't exist\n"); - } else { - ctx->msi_ctx->len_msiex = GET_UINT32_LE(dse->size); - if (ctx->msi_ctx->len_msiex == 0 || ctx->msi_ctx->len_msiex >= MAXREGSECT) { - printf("Corrupted MsiDigitalSignatureEx stream length 0x%08X\n", - ctx->msi_ctx->len_msiex); - OPENSSL_free(indata); - return 0; /* FAILED */ - } - ctx->msi_ctx->p_msiex = OPENSSL_malloc((size_t)ctx->msi_ctx->len_msiex); - if (!msi_file_read(ctx->msi_ctx->msi, dse, 0, (char *)ctx->msi_ctx->p_msiex, - ctx->msi_ctx->len_msiex)) { - printf("MsiDigitalSignatureEx stream data error\n\n"); - OPENSSL_free(indata); - return 0; /* FAILED */ - } - } - OPENSSL_free(indata); - return 1; /* OK */ + if (!ctx) { + printf("Init error\n\n"); + return 0; /* FAILED */ + } + if (detached) { + printf("Checking the specified catalog file\n\n"); + return 1; /* OK */ + } + ds = msi_signatures_get(ctx->msi_ctx->dirent, &dse); + if (!ds) { + printf("MSI file has no signature\n\n"); + return 0; /* FAILED */ + } + inlen = GET_UINT32_LE(ds->size); + if (inlen == 0 || inlen >= MAXREGSECT) { + printf("Corrupted DigitalSignature stream length 0x%08X\n", inlen); + return 0; /* FAILED */ + } + indata = OPENSSL_malloc((size_t)inlen); + if (!msi_file_read(ctx->msi_ctx->msi, ds, 0, indata, inlen)) { + printf("DigitalSignature stream data error\n\n"); + return 0; /* FAILED */ + } + if (!dse) { + printf("Warning: MsiDigitalSignatureEx stream doesn't exist\n"); + } else { + ctx->msi_ctx->len_msiex = GET_UINT32_LE(dse->size); + if (ctx->msi_ctx->len_msiex == 0 || ctx->msi_ctx->len_msiex >= MAXREGSECT) { + printf("Corrupted MsiDigitalSignatureEx stream length 0x%08X\n", + ctx->msi_ctx->len_msiex); + OPENSSL_free(indata); + return 0; /* FAILED */ + } + ctx->msi_ctx->p_msiex = OPENSSL_malloc((size_t)ctx->msi_ctx->len_msiex); + if (!msi_file_read(ctx->msi_ctx->msi, dse, 0, (char *)ctx->msi_ctx->p_msiex, + ctx->msi_ctx->len_msiex)) { + printf("MsiDigitalSignatureEx stream data error\n\n"); + OPENSSL_free(indata); + return 0; /* FAILED */ + } + } + OPENSSL_free(indata); + return 1; /* OK */ } /* @@ -413,24 +413,24 @@ static int msi_check_file(FILE_FORMAT_CTX *ctx, int detached) */ static u_char *msi_digest_calc(FILE_FORMAT_CTX *ctx, const EVP_MD *md) { - u_char *mdbuf = NULL; - BIO *bhash = BIO_new(BIO_f_md()); + u_char *mdbuf = NULL; + BIO *bhash = BIO_new(BIO_f_md()); - if (!BIO_set_md(bhash, md)) { - printf("Unable to set the message digest of BIO\n"); - BIO_free_all(bhash); - return NULL; /* FAILED */ - } - BIO_push(bhash, BIO_new(BIO_s_null())); - if (!bio_hash_data(bhash, ctx->options->indata, 0, ctx->msi_ctx->fileend)) { - printf("Unable to calculate digest\n"); - BIO_free_all(bhash); - return NULL; /* FAILED */ - } - mdbuf = OPENSSL_malloc((size_t)EVP_MD_size(md)); - BIO_gets(bhash, (char *)mdbuf, EVP_MD_size(md)); - BIO_free_all(bhash); - return mdbuf; /* OK */ + if (!BIO_set_md(bhash, md)) { + printf("Unable to set the message digest of BIO\n"); + BIO_free_all(bhash); + return NULL; /* FAILED */ + } + BIO_push(bhash, BIO_new(BIO_s_null())); + if (!bio_hash_data(bhash, ctx->options->indata, 0, ctx->msi_ctx->fileend)) { + printf("Unable to calculate digest\n"); + BIO_free_all(bhash); + return NULL; /* FAILED */ + } + mdbuf = OPENSSL_malloc((size_t)EVP_MD_size(md)); + BIO_gets(bhash, (char *)mdbuf, EVP_MD_size(md)); + BIO_free_all(bhash); + return mdbuf; /* OK */ } /* @@ -442,93 +442,93 @@ static u_char *msi_digest_calc(FILE_FORMAT_CTX *ctx, const EVP_MD *md) */ static int msi_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7) { - int mdok, mdlen, mdtype = -1; - u_char mdbuf[EVP_MAX_MD_SIZE]; - u_char cmdbuf[EVP_MAX_MD_SIZE]; - u_char cexmdbuf[EVP_MAX_MD_SIZE]; - u_char *cdigest = NULL; - const EVP_MD *md; - BIO *hash; + int mdok, mdlen, mdtype = -1; + u_char mdbuf[EVP_MAX_MD_SIZE]; + u_char cmdbuf[EVP_MAX_MD_SIZE]; + u_char cexmdbuf[EVP_MAX_MD_SIZE]; + u_char *cdigest = NULL; + const EVP_MD *md; + BIO *hash; - if (is_content_type(p7, SPC_INDIRECT_DATA_OBJID)) { - ASN1_STRING *content_val = p7->d.sign->contents->d.other->value.sequence; - const u_char *p = content_val->data; - SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, content_val->length); - if (idc) { - if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) { - mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm); - memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length); - } - SpcIndirectDataContent_free(idc); - } - } - if (mdtype == -1) { - printf("Failed to extract current message digest\n\n"); - return 0; /* FAILED */ - } - printf("Message digest algorithm : %s\n", OBJ_nid2sn(mdtype)); - md = EVP_get_digestbynid(mdtype); - hash = BIO_new(BIO_f_md()); - if (!BIO_set_md(hash, md)) { - printf("Unable to set the message digest of BIO\n"); - BIO_free_all(hash); - return 0; /* FAILED */ - } - BIO_push(hash, BIO_new(BIO_s_null())); - if (ctx->msi_ctx->p_msiex) { - BIO *prehash = BIO_new(BIO_f_md()); - if (EVP_MD_size(md) != (int)ctx->msi_ctx->len_msiex) { - printf("Incorrect MsiDigitalSignatureEx stream data length\n\n"); - BIO_free_all(hash); - BIO_free_all(prehash); - return 0; /* FAILED */ - } - if (!BIO_set_md(prehash, md)) { - printf("Unable to set the message digest of BIO\n"); - BIO_free_all(hash); - BIO_free_all(prehash); - return 0; /* FAILED */ - } - BIO_push(prehash, BIO_new(BIO_s_null())); + if (is_content_type(p7, SPC_INDIRECT_DATA_OBJID)) { + ASN1_STRING *content_val = p7->d.sign->contents->d.other->value.sequence; + const u_char *p = content_val->data; + SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, content_val->length); + if (idc) { + if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) { + mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm); + memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length); + } + SpcIndirectDataContent_free(idc); + } + } + if (mdtype == -1) { + printf("Failed to extract current message digest\n\n"); + return 0; /* FAILED */ + } + printf("Message digest algorithm : %s\n", OBJ_nid2sn(mdtype)); + md = EVP_get_digestbynid(mdtype); + hash = BIO_new(BIO_f_md()); + if (!BIO_set_md(hash, md)) { + printf("Unable to set the message digest of BIO\n"); + BIO_free_all(hash); + return 0; /* FAILED */ + } + BIO_push(hash, BIO_new(BIO_s_null())); + if (ctx->msi_ctx->p_msiex) { + BIO *prehash = BIO_new(BIO_f_md()); + if (EVP_MD_size(md) != (int)ctx->msi_ctx->len_msiex) { + printf("Incorrect MsiDigitalSignatureEx stream data length\n\n"); + BIO_free_all(hash); + BIO_free_all(prehash); + return 0; /* FAILED */ + } + if (!BIO_set_md(prehash, md)) { + printf("Unable to set the message digest of BIO\n"); + BIO_free_all(hash); + BIO_free_all(prehash); + return 0; /* FAILED */ + } + BIO_push(prehash, BIO_new(BIO_s_null())); - print_hash("Current MsiDigitalSignatureEx ", "", (u_char *)ctx->msi_ctx->p_msiex, - (int)ctx->msi_ctx->len_msiex); - if (!msi_prehash_dir(ctx->msi_ctx->dirent, prehash, 1)) { - printf("Failed to calculate pre-hash used for MsiDigitalSignatureEx\n\n"); - BIO_free_all(hash); - BIO_free_all(prehash); - return 0; /* FAILED */ - } - BIO_gets(prehash, (char*)cexmdbuf, EVP_MAX_MD_SIZE); - BIO_free_all(prehash); - BIO_write(hash, (char*)cexmdbuf, EVP_MD_size(md)); - print_hash("Calculated MsiDigitalSignatureEx ", "", cexmdbuf, EVP_MD_size(md)); - } + print_hash("Current MsiDigitalSignatureEx ", "", (u_char *)ctx->msi_ctx->p_msiex, + (int)ctx->msi_ctx->len_msiex); + if (!msi_prehash_dir(ctx->msi_ctx->dirent, prehash, 1)) { + printf("Failed to calculate pre-hash used for MsiDigitalSignatureEx\n\n"); + BIO_free_all(hash); + BIO_free_all(prehash); + return 0; /* FAILED */ + } + BIO_gets(prehash, (char*)cexmdbuf, EVP_MAX_MD_SIZE); + BIO_free_all(prehash); + BIO_write(hash, (char*)cexmdbuf, EVP_MD_size(md)); + print_hash("Calculated MsiDigitalSignatureEx ", "", cexmdbuf, EVP_MD_size(md)); + } - if (!msi_hash_dir(ctx->msi_ctx->msi, ctx->msi_ctx->dirent, hash, 1)) { - printf("Failed to calculate DigitalSignature\n\n"); - BIO_free_all(hash); - return 0; /* FAILED */ - } - print_hash("Current DigitalSignature ", "", mdbuf, EVP_MD_size(md)); - BIO_gets(hash, (char*)cmdbuf, EVP_MAX_MD_SIZE); - BIO_free_all(hash); - mdok = !memcmp(mdbuf, cmdbuf, (size_t)EVP_MD_size(md)); - print_hash("Calculated DigitalSignature ", mdok ? "" : " MISMATCH!!!\n", - cmdbuf, EVP_MD_size(md)); - if (!mdok) { - printf("Signature verification: failed\n\n"); - return 0; /* FAILED */ - } - cdigest = msi_digest_calc(ctx, md); - if (!cdigest) { - printf("Failed to calculate simple message digest\n\n"); - return 0; /* FAILED */ - } - mdlen = EVP_MD_size(EVP_get_digestbynid(mdtype)); - print_hash("Calculated message digest ", "\n", cdigest, mdlen); - OPENSSL_free(cdigest); - return 1; /* OK */ + if (!msi_hash_dir(ctx->msi_ctx->msi, ctx->msi_ctx->dirent, hash, 1)) { + printf("Failed to calculate DigitalSignature\n\n"); + BIO_free_all(hash); + return 0; /* FAILED */ + } + print_hash("Current DigitalSignature ", "", mdbuf, EVP_MD_size(md)); + BIO_gets(hash, (char*)cmdbuf, EVP_MAX_MD_SIZE); + BIO_free_all(hash); + mdok = !memcmp(mdbuf, cmdbuf, (size_t)EVP_MD_size(md)); + print_hash("Calculated DigitalSignature ", mdok ? "" : " MISMATCH!!!\n", + cmdbuf, EVP_MD_size(md)); + if (!mdok) { + printf("Signature verification: failed\n\n"); + return 0; /* FAILED */ + } + cdigest = msi_digest_calc(ctx, md); + if (!cdigest) { + printf("Failed to calculate simple message digest\n\n"); + return 0; /* FAILED */ + } + mdlen = EVP_MD_size(EVP_get_digestbynid(mdtype)); + print_hash("Calculated message digest ", "\n", cdigest, mdlen); + OPENSSL_free(cdigest); + return 1; /* OK */ } /* @@ -538,23 +538,23 @@ static int msi_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7) */ static PKCS7 *msi_pkcs7_extract(FILE_FORMAT_CTX *ctx) { - PKCS7 *p7; - uint32_t len; - char *p; + PKCS7 *p7; + uint32_t len; + char *p; - MSI_ENTRY *ds = msi_signatures_get(ctx->msi_ctx->dirent, NULL); - if (!ds) { - return NULL; /* FAILED */ - } - len = GET_UINT32_LE(ds->size); - if (len == 0 || len >= MAXREGSECT) { - printf("Corrupted DigitalSignature stream length 0x%08X\n", len); - return NULL; /* FAILED */ - } - p = OPENSSL_malloc((size_t)len); - p7 = msi_pkcs7_get_digital_signature(ctx, ds, &p, len); - OPENSSL_free(p); - return p7; + MSI_ENTRY *ds = msi_signatures_get(ctx->msi_ctx->dirent, NULL); + if (!ds) { + return NULL; /* FAILED */ + } + len = GET_UINT32_LE(ds->size); + if (len == 0 || len >= MAXREGSECT) { + printf("Corrupted DigitalSignature stream length 0x%08X\n", len); + return NULL; /* FAILED */ + } + p = OPENSSL_malloc((size_t)len); + p7 = msi_pkcs7_get_digital_signature(ctx, ds, &p, len); + OPENSSL_free(p); + return p7; } /* @@ -566,23 +566,23 @@ static PKCS7 *msi_pkcs7_extract(FILE_FORMAT_CTX *ctx) */ static int msi_remove_pkcs7(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) { - /* squash the unused parameter warning */ - (void)hash; + /* squash the unused parameter warning */ + (void)hash; - if (!msi_dirent_delete(ctx->msi_ctx->dirent, digital_signature_ex, - sizeof digital_signature_ex)) { - return 1; /* FAILED */ - } - if (!msi_dirent_delete(ctx->msi_ctx->dirent, digital_signature, - sizeof digital_signature)) { - return 1; /* FAILED */ - } - if (!msi_file_write(ctx->msi_ctx->msi, ctx->msi_ctx->dirent, - NULL, 0, NULL, 0, outdata)) { - printf("Saving the msi file failed\n"); - return 1; /* FAILED */ - } - return 0; /* OK */ + if (!msi_dirent_delete(ctx->msi_ctx->dirent, digital_signature_ex, + sizeof digital_signature_ex)) { + return 1; /* FAILED */ + } + if (!msi_dirent_delete(ctx->msi_ctx->dirent, digital_signature, + sizeof digital_signature)) { + return 1; /* FAILED */ + } + if (!msi_file_write(ctx->msi_ctx->msi, ctx->msi_ctx->dirent, + NULL, 0, NULL, 0, outdata)) { + printf("Saving the msi file failed\n"); + return 1; /* FAILED */ + } + return 0; /* OK */ } /* @@ -594,82 +594,82 @@ static int msi_remove_pkcs7(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) */ static PKCS7 *msi_pkcs7_prepare(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) { - PKCS7 *cursig = NULL, *p7 = NULL; - uint32_t len; - char *p; - - /* squash the unused parameter warning */ - (void)outdata; + PKCS7 *cursig = NULL, *p7 = NULL; + uint32_t len; + char *p; - if (ctx->options->add_msi_dse && !msi_calc_MsiDigitalSignatureEx(ctx, hash)) { - printf("Unable to calc MsiDigitalSignatureEx\n"); - return NULL; /* FAILED */ - } - if (!msi_hash_dir(ctx->msi_ctx->msi, ctx->msi_ctx->dirent, hash, 1)) { - printf("Unable to msi_handle_dir()\n"); - return NULL; /* FAILED */ - } - /* Obtain a current signature from previously-signed file */ - if ((ctx->options->cmd == CMD_SIGN && ctx->options->nest) - || (ctx->options->cmd == CMD_ATTACH && ctx->options->nest) - || ctx->options->cmd == CMD_ADD) { - MSI_ENTRY *dse = NULL; - MSI_ENTRY *ds = msi_signatures_get(ctx->msi_ctx->dirent, &dse); - if (!ds) { - printf("MSI file has no signature\n\n"); - return NULL; /* FAILED */ - } - if (!msi_check_MsiDigitalSignatureEx(ctx, dse)) { - return NULL; /* FAILED */ - } - len = GET_UINT32_LE(ds->size); - if (len == 0 || len >= MAXREGSECT) { - printf("Corrupted DigitalSignature stream length 0x%08X\n", len); - return NULL; /* FAILED */ - } - p = OPENSSL_malloc((size_t)len); - /* get current signature */ - cursig = msi_pkcs7_get_digital_signature(ctx, ds, &p, len); - OPENSSL_free(p); - if (!cursig) { - printf("Unable to extract existing signature\n"); - return NULL; /* FAILED */ - } - if (ctx->options->cmd == CMD_ADD) - p7 = cursig; - } - if (ctx->options->cmd == CMD_ATTACH) { - /* Obtain an existing PKCS#7 signature */ - p7 = pkcs7_get_sigfile(ctx); - if (!p7) { - printf("Unable to extract valid signature\n"); - PKCS7_free(cursig); - return NULL; /* FAILED */ - } - } else if (ctx->options->cmd == CMD_SIGN) { - /* Create a new PKCS#7 signature */ - p7 = pkcs7_create(ctx); - if (!p7) { - printf("Creating a new signature failed\n"); - return NULL; /* FAILED */ - } - if (!add_indirect_data_object(p7, hash, ctx)) { - printf("Adding SPC_INDIRECT_DATA_OBJID failed\n"); - PKCS7_free(p7); - return NULL; /* FAILED */ - } - } - if (ctx->options->nest) { - if (!cursig_set_nested(cursig, p7, ctx)) { - printf("Unable to append the nested signature to the current signature\n"); - PKCS7_free(p7); - PKCS7_free(cursig); - return NULL; /* FAILED */ - } - PKCS7_free(p7); - return cursig; - } - return p7; + /* squash the unused parameter warning */ + (void)outdata; + + if (ctx->options->add_msi_dse && !msi_calc_MsiDigitalSignatureEx(ctx, hash)) { + printf("Unable to calc MsiDigitalSignatureEx\n"); + return NULL; /* FAILED */ + } + if (!msi_hash_dir(ctx->msi_ctx->msi, ctx->msi_ctx->dirent, hash, 1)) { + printf("Unable to msi_handle_dir()\n"); + return NULL; /* FAILED */ + } + /* Obtain a current signature from previously-signed file */ + if ((ctx->options->cmd == CMD_SIGN && ctx->options->nest) + || (ctx->options->cmd == CMD_ATTACH && ctx->options->nest) + || ctx->options->cmd == CMD_ADD) { + MSI_ENTRY *dse = NULL; + MSI_ENTRY *ds = msi_signatures_get(ctx->msi_ctx->dirent, &dse); + if (!ds) { + printf("MSI file has no signature\n\n"); + return NULL; /* FAILED */ + } + if (!msi_check_MsiDigitalSignatureEx(ctx, dse)) { + return NULL; /* FAILED */ + } + len = GET_UINT32_LE(ds->size); + if (len == 0 || len >= MAXREGSECT) { + printf("Corrupted DigitalSignature stream length 0x%08X\n", len); + return NULL; /* FAILED */ + } + p = OPENSSL_malloc((size_t)len); + /* get current signature */ + cursig = msi_pkcs7_get_digital_signature(ctx, ds, &p, len); + OPENSSL_free(p); + if (!cursig) { + printf("Unable to extract existing signature\n"); + return NULL; /* FAILED */ + } + if (ctx->options->cmd == CMD_ADD) + p7 = cursig; + } + if (ctx->options->cmd == CMD_ATTACH) { + /* Obtain an existing PKCS#7 signature */ + p7 = pkcs7_get_sigfile(ctx); + if (!p7) { + printf("Unable to extract valid signature\n"); + PKCS7_free(cursig); + return NULL; /* FAILED */ + } + } else if (ctx->options->cmd == CMD_SIGN) { + /* Create a new PKCS#7 signature */ + p7 = pkcs7_create(ctx); + if (!p7) { + printf("Creating a new signature failed\n"); + return NULL; /* FAILED */ + } + if (!add_indirect_data_object(p7, hash, ctx)) { + printf("Adding SPC_INDIRECT_DATA_OBJID failed\n"); + PKCS7_free(p7); + return NULL; /* FAILED */ + } + } + if (ctx->options->nest) { + if (!cursig_set_nested(cursig, p7, ctx)) { + printf("Unable to append the nested signature to the current signature\n"); + PKCS7_free(p7); + PKCS7_free(cursig); + return NULL; /* FAILED */ + } + PKCS7_free(p7); + return cursig; + } + return p7; } /* @@ -681,25 +681,25 @@ static PKCS7 *msi_pkcs7_prepare(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) */ static int msi_append_pkcs7(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7) { - u_char *p = NULL; - int len; /* signature length */ + u_char *p = NULL; + int len; /* signature length */ - if (((len = i2d_PKCS7(p7, NULL)) <= 0) - || (p = OPENSSL_malloc((size_t)len)) == NULL) { - printf("i2d_PKCS memory allocation failed: %d\n", len); - return 1; /* FAILED */ - } - i2d_PKCS7(p7, &p); - p -= len; + if (((len = i2d_PKCS7(p7, NULL)) <= 0) + || (p = OPENSSL_malloc((size_t)len)) == NULL) { + printf("i2d_PKCS memory allocation failed: %d\n", len); + return 1; /* FAILED */ + } + i2d_PKCS7(p7, &p); + p -= len; - if (!msi_file_write(ctx->msi_ctx->msi, ctx->msi_ctx->dirent, p, (uint32_t)len, - ctx->msi_ctx->p_msiex, ctx->msi_ctx->len_msiex, outdata)) { - printf("Saving the msi file failed\n"); - OPENSSL_free(p); - return 1; /* FAILED */ - } - OPENSSL_free(p); - return 0; /* OK */ + if (!msi_file_write(ctx->msi_ctx->msi, ctx->msi_ctx->dirent, p, (uint32_t)len, + ctx->msi_ctx->p_msiex, ctx->msi_ctx->len_msiex, outdata)) { + printf("Saving the msi file failed\n"); + OPENSSL_free(p); + return 1; /* FAILED */ + } + OPENSSL_free(p); + return 0; /* OK */ } /* @@ -710,9 +710,9 @@ static int msi_append_pkcs7(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7) */ static BIO *msi_bio_free(BIO *hash, BIO *outdata) { - BIO_free_all(hash); - BIO_free_all(outdata); - return NULL; + BIO_free_all(hash); + BIO_free_all(outdata); + return NULL; } /* @@ -725,23 +725,23 @@ static BIO *msi_bio_free(BIO *hash, BIO *outdata) */ static void msi_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) { - if (outdata) { - BIO_free_all(hash); - BIO_free_all(outdata); - if (ctx->options->outfile) { + if (outdata) { + BIO_free_all(hash); + BIO_free_all(outdata); + if (ctx->options->outfile) { #ifdef WIN32 - _unlink(ctx->options->outfile); + _unlink(ctx->options->outfile); #else - unlink(ctx->options->outfile); + unlink(ctx->options->outfile); #endif /* WIN32 */ - } - } - unmap_file(ctx->options->indata, ctx->msi_ctx->fileend); - msi_file_free(ctx->msi_ctx->msi); - msi_dirent_free(ctx->msi_ctx->dirent); - OPENSSL_free(ctx->msi_ctx->p_msiex); - OPENSSL_free(ctx->msi_ctx); - OPENSSL_free(ctx); + } + } + unmap_file(ctx->options->indata, ctx->msi_ctx->fileend); + msi_file_free(ctx->msi_ctx->msi); + msi_dirent_free(ctx->msi_ctx->dirent); + OPENSSL_free(ctx->msi_ctx->p_msiex); + OPENSSL_free(ctx->msi_ctx); + OPENSSL_free(ctx); } /* @@ -756,152 +756,152 @@ static void msi_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) */ static MSI_CTX *msi_ctx_get(char *indata, uint32_t filesize) { - MSI_ENTRY *root; - MSI_FILE *msi; - MSI_DIRENT *dirent; - MSI_CTX *msi_ctx; + MSI_ENTRY *root; + MSI_FILE *msi; + MSI_DIRENT *dirent; + MSI_CTX *msi_ctx; - msi = msi_file_new(indata, filesize); - if (!msi) { - printf("Failed to parse MSI_FILE struct\n"); - return NULL; /* FAILED */ - } - root = msi_root_entry_get(msi); - if (!root) { - printf("Failed to get file entry\n"); - msi_file_free(msi); - return NULL; /* FAILED */ - } - if (!msi_dirent_new(msi, root, NULL, &(dirent))) { - printf("Failed to parse MSI_DIRENT struct\n"); - msi_file_free(msi); - return NULL; /* FAILED */ - } - msi_ctx = OPENSSL_zalloc(sizeof(MSI_CTX)); - msi_ctx->msi = msi; - msi_ctx->dirent = dirent; - msi_ctx->fileend = filesize; - return msi_ctx; /* OK */ + msi = msi_file_new(indata, filesize); + if (!msi) { + printf("Failed to parse MSI_FILE struct\n"); + return NULL; /* FAILED */ + } + root = msi_root_entry_get(msi); + if (!root) { + printf("Failed to get file entry\n"); + msi_file_free(msi); + return NULL; /* FAILED */ + } + if (!msi_dirent_new(msi, root, NULL, &(dirent))) { + printf("Failed to parse MSI_DIRENT struct\n"); + msi_file_free(msi); + return NULL; /* FAILED */ + } + msi_ctx = OPENSSL_zalloc(sizeof(MSI_CTX)); + msi_ctx->msi = msi; + msi_ctx->dirent = dirent; + msi_ctx->fileend = filesize; + return msi_ctx; /* OK */ } static PKCS7 *msi_pkcs7_get_digital_signature(FILE_FORMAT_CTX *ctx, MSI_ENTRY *ds, - char **p, uint32_t len) + char **p, uint32_t len) { - PKCS7 *p7 = NULL; - const u_char *blob; + PKCS7 *p7 = NULL; + const u_char *blob; - if (!msi_file_read(ctx->msi_ctx->msi, ds, 0, *p, len)) { - printf("DigitalSignature stream data error\n"); - return NULL; - } - blob = (u_char *)*p; - p7 = d2i_PKCS7(NULL, &blob, len); - if (!p7) { - printf("Failed to extract PKCS7 data\n"); - return NULL; - } - return p7; + if (!msi_file_read(ctx->msi_ctx->msi, ds, 0, *p, len)) { + printf("DigitalSignature stream data error\n"); + return NULL; + } + blob = (u_char *)*p; + p7 = d2i_PKCS7(NULL, &blob, len); + if (!p7) { + printf("Failed to extract PKCS7 data\n"); + return NULL; + } + return p7; } /* Get absolute address from sector and offset */ static const u_char *sector_offset_to_address(MSI_FILE *msi, uint32_t sector, uint32_t offset) { - if (sector >= MAXREGSECT || offset >= msi->m_sectorSize - || (msi->m_bufferLen - offset) / msi->m_sectorSize <= sector) { - printf("Corrupted file\n"); - return NULL; /* FAILED */ - } - return msi->m_buffer + (sector + 1) * msi->m_sectorSize + offset; + if (sector >= MAXREGSECT || offset >= msi->m_sectorSize + || (msi->m_bufferLen - offset) / msi->m_sectorSize <= sector) { + printf("Corrupted file\n"); + return NULL; /* FAILED */ + } + return msi->m_buffer + (sector + 1) * msi->m_sectorSize + offset; } static uint32_t get_fat_sector_location(MSI_FILE *msi, uint32_t fatSectorNumber) { - uint32_t entriesPerSector, difatSectorLocation, fatSectorLocation; - const u_char *address; + uint32_t entriesPerSector, difatSectorLocation, fatSectorLocation; + const u_char *address; - if (fatSectorNumber < DIFAT_IN_HEADER) { - return LE_UINT32(msi->m_hdr->headerDIFAT[fatSectorNumber]); - } else { - fatSectorNumber -= DIFAT_IN_HEADER; - entriesPerSector = msi->m_sectorSize / 4 - 1; - difatSectorLocation = msi->m_hdr->firstDIFATSectorLocation; - while (fatSectorNumber >= entriesPerSector) { - fatSectorNumber -= entriesPerSector; - address = sector_offset_to_address(msi, difatSectorLocation, msi->m_sectorSize - 4); - if (!address) { - printf("Failed to get a next sector address\n"); - return NOSTREAM; /* FAILED */ - } - difatSectorLocation = GET_UINT32_LE(address); - } - address = sector_offset_to_address(msi, difatSectorLocation, fatSectorNumber * 4); - if (!address) { - printf("Failed to get a next sector address\n"); - return NOSTREAM; /* FAILED */ - } - fatSectorLocation = GET_UINT32_LE(address); - if (fatSectorLocation == 0 || fatSectorLocation >= FREESECT) { - printf("Get corrupted sector location 0x%08X\n", fatSectorLocation); - return NOSTREAM; /* FAILED */ - } - return fatSectorLocation; - } + if (fatSectorNumber < DIFAT_IN_HEADER) { + return LE_UINT32(msi->m_hdr->headerDIFAT[fatSectorNumber]); + } else { + fatSectorNumber -= DIFAT_IN_HEADER; + entriesPerSector = msi->m_sectorSize / 4 - 1; + difatSectorLocation = msi->m_hdr->firstDIFATSectorLocation; + while (fatSectorNumber >= entriesPerSector) { + fatSectorNumber -= entriesPerSector; + address = sector_offset_to_address(msi, difatSectorLocation, msi->m_sectorSize - 4); + if (!address) { + printf("Failed to get a next sector address\n"); + return NOSTREAM; /* FAILED */ + } + difatSectorLocation = GET_UINT32_LE(address); + } + address = sector_offset_to_address(msi, difatSectorLocation, fatSectorNumber * 4); + if (!address) { + printf("Failed to get a next sector address\n"); + return NOSTREAM; /* FAILED */ + } + fatSectorLocation = GET_UINT32_LE(address); + if (fatSectorLocation == 0 || fatSectorLocation >= FREESECT) { + printf("Get corrupted sector location 0x%08X\n", fatSectorLocation); + return NOSTREAM; /* FAILED */ + } + return fatSectorLocation; + } } /* Lookup FAT */ static uint32_t get_next_sector(MSI_FILE *msi, uint32_t sector) { - const u_char *address; - uint32_t nextSectorLocation; - uint32_t entriesPerSector = msi->m_sectorSize / 4; - uint32_t fatSectorNumber = sector / entriesPerSector; - uint32_t fatSectorLocation = get_fat_sector_location(msi, fatSectorNumber); - if (fatSectorLocation == NOSTREAM) { - printf("Failed to get a fat sector location\n"); - return NOSTREAM; /* FAILED */ - } - address = sector_offset_to_address(msi, fatSectorLocation, sector % entriesPerSector * 4); - if (!address) { - printf("Failed to get a next sector address\n"); - return NOSTREAM; /* FAILED */ - } - nextSectorLocation = GET_UINT32_LE(address); - if (nextSectorLocation == 0 || nextSectorLocation >= FREESECT) { - printf("Get corrupted sector location 0x%08X\n", nextSectorLocation); - return NOSTREAM; /* FAILED */ - } - return nextSectorLocation; + const u_char *address; + uint32_t nextSectorLocation; + uint32_t entriesPerSector = msi->m_sectorSize / 4; + uint32_t fatSectorNumber = sector / entriesPerSector; + uint32_t fatSectorLocation = get_fat_sector_location(msi, fatSectorNumber); + if (fatSectorLocation == NOSTREAM) { + printf("Failed to get a fat sector location\n"); + return NOSTREAM; /* FAILED */ + } + address = sector_offset_to_address(msi, fatSectorLocation, sector % entriesPerSector * 4); + if (!address) { + printf("Failed to get a next sector address\n"); + return NOSTREAM; /* FAILED */ + } + nextSectorLocation = GET_UINT32_LE(address); + if (nextSectorLocation == 0 || nextSectorLocation >= FREESECT) { + printf("Get corrupted sector location 0x%08X\n", nextSectorLocation); + return NOSTREAM; /* FAILED */ + } + return nextSectorLocation; } /* Locate the final sector/offset when original offset expands multiple sectors */ static int locate_final_sector(MSI_FILE *msi, uint32_t sector, uint32_t offset, uint32_t *finalSector, uint32_t *finalOffset) { - while (offset >= msi->m_sectorSize) { - offset -= msi->m_sectorSize; - sector = get_next_sector(msi, sector); - if (sector == NOSTREAM) { - printf("Failed to get a next sector\n"); - return 0; /* FAILED */ - } - } - *finalSector = sector; - *finalOffset = offset; - return 1; /* OK */ + while (offset >= msi->m_sectorSize) { + offset -= msi->m_sectorSize; + sector = get_next_sector(msi, sector); + if (sector == NOSTREAM) { + printf("Failed to get a next sector\n"); + return 0; /* FAILED */ + } + } + *finalSector = sector; + *finalOffset = offset; + return 1; /* OK */ } /* Get absolute address from mini sector and offset */ static const u_char *mini_sector_offset_to_address(MSI_FILE *msi, uint32_t sector, uint32_t offset) { - if (sector >= MAXREGSECT || offset >= msi->m_minisectorSize || - (msi->m_bufferLen - offset) / msi->m_minisectorSize <= sector) { - printf("Corrupted file\n"); - return NULL; /* FAILED */ - } - if (!locate_final_sector(msi, msi->m_miniStreamStartSector, sector * msi->m_minisectorSize + offset, §or, &offset)) { - printf("Failed to locate a final sector\n"); - return NULL; /* FAILED */ - } - return sector_offset_to_address(msi, sector, offset); + if (sector >= MAXREGSECT || offset >= msi->m_minisectorSize || + (msi->m_bufferLen - offset) / msi->m_minisectorSize <= sector) { + printf("Corrupted file\n"); + return NULL; /* FAILED */ + } + if (!locate_final_sector(msi, msi->m_miniStreamStartSector, sector * msi->m_minisectorSize + offset, §or, &offset)) { + printf("Failed to locate a final sector\n"); + return NULL; /* FAILED */ + } + return sector_offset_to_address(msi, sector, offset); } /* @@ -910,105 +910,105 @@ static const u_char *mini_sector_offset_to_address(MSI_FILE *msi, uint32_t secto */ static int read_stream(MSI_FILE *msi, uint32_t sector, uint32_t offset, char *buffer, uint32_t len) { - if (!locate_final_sector(msi, sector, offset, §or, &offset)) { - printf("Failed to locate a final sector\n"); - return 0; /* FAILED */ - } - while (len > 0) { - const u_char *address; - uint32_t copylen; - address = sector_offset_to_address(msi, sector, offset); - if (!address) { - printf("Failed to get a next sector address\n"); - return 0; /* FAILED */ - } - copylen = MIN(len, msi->m_sectorSize - offset); - if (msi->m_buffer + msi->m_bufferLen < address + copylen) { - printf("Corrupted file\n"); - return 0; /* FAILED */ - } - memcpy(buffer, address, copylen); - buffer += copylen; - len -= copylen; - sector = get_next_sector(msi, sector); - if (sector == 0) { - printf("Failed to get a next sector\n"); - return 0; /* FAILED */ - } - offset = 0; - } - return 1; /* OK */ + if (!locate_final_sector(msi, sector, offset, §or, &offset)) { + printf("Failed to locate a final sector\n"); + return 0; /* FAILED */ + } + while (len > 0) { + const u_char *address; + uint32_t copylen; + address = sector_offset_to_address(msi, sector, offset); + if (!address) { + printf("Failed to get a next sector address\n"); + return 0; /* FAILED */ + } + copylen = MIN(len, msi->m_sectorSize - offset); + if (msi->m_buffer + msi->m_bufferLen < address + copylen) { + printf("Corrupted file\n"); + return 0; /* FAILED */ + } + memcpy(buffer, address, copylen); + buffer += copylen; + len -= copylen; + sector = get_next_sector(msi, sector); + if (sector == 0) { + printf("Failed to get a next sector\n"); + return 0; /* FAILED */ + } + offset = 0; + } + return 1; /* OK */ } /* Lookup miniFAT */ static uint32_t get_next_mini_sector(MSI_FILE *msi, uint32_t miniSector) { - uint32_t sector, offset, nextMiniSectorLocation; - const u_char *address; + uint32_t sector, offset, nextMiniSectorLocation; + const u_char *address; - if (!locate_final_sector(msi, msi->m_hdr->firstMiniFATSectorLocation, miniSector * 4, §or, &offset)) { - printf("Failed to locate a final sector\n"); - return NOSTREAM; /* FAILED */ - } - address = sector_offset_to_address(msi, sector, offset); - if (!address) { - printf("Failed to get a next mini sector address\n"); - return NOSTREAM; /* FAILED */ - } - nextMiniSectorLocation = GET_UINT32_LE(address); - if (nextMiniSectorLocation == 0 || nextMiniSectorLocation >= FREESECT) { - printf("Get corrupted sector location 0x%08X\n", nextMiniSectorLocation); - return NOSTREAM; /* FAILED */ - } - return nextMiniSectorLocation; + if (!locate_final_sector(msi, msi->m_hdr->firstMiniFATSectorLocation, miniSector * 4, §or, &offset)) { + printf("Failed to locate a final sector\n"); + return NOSTREAM; /* FAILED */ + } + address = sector_offset_to_address(msi, sector, offset); + if (!address) { + printf("Failed to get a next mini sector address\n"); + return NOSTREAM; /* FAILED */ + } + nextMiniSectorLocation = GET_UINT32_LE(address); + if (nextMiniSectorLocation == 0 || nextMiniSectorLocation >= FREESECT) { + printf("Get corrupted sector location 0x%08X\n", nextMiniSectorLocation); + return NOSTREAM; /* FAILED */ + } + return nextMiniSectorLocation; } static int locate_final_mini_sector(MSI_FILE *msi, uint32_t sector, uint32_t offset, uint32_t *finalSector, uint32_t *finalOffset) { - while (offset >= msi->m_minisectorSize) { - offset -= msi->m_minisectorSize; - sector = get_next_mini_sector(msi, sector); - if (sector == NOSTREAM) { - printf("Failed to get a next mini sector\n"); - return 0; /* FAILED */ - } - } - *finalSector = sector; - *finalOffset = offset; - return 1; /* OK */ + while (offset >= msi->m_minisectorSize) { + offset -= msi->m_minisectorSize; + sector = get_next_mini_sector(msi, sector); + if (sector == NOSTREAM) { + printf("Failed to get a next mini sector\n"); + return 0; /* FAILED */ + } + } + *finalSector = sector; + *finalOffset = offset; + return 1; /* OK */ } /* Same logic as "read_stream" except that use mini stream functions instead */ static int read_mini_stream(MSI_FILE *msi, uint32_t sector, uint32_t offset, char *buffer, uint32_t len) { - if (!locate_final_mini_sector(msi, sector, offset, §or, &offset)) { - printf("Failed to locate a final mini sector\n"); - return 0; /* FAILED */ - } - while (len > 0) { - const u_char *address; - uint32_t copylen; - address = mini_sector_offset_to_address(msi, sector, offset); - if (!address) { - printf("Failed to get a next mini sector address\n"); - return 0; /* FAILED */ - } - copylen = MIN(len, msi->m_minisectorSize - offset); - if (msi->m_buffer + msi->m_bufferLen < address + copylen) { - printf("Corrupted file\n"); - return 0; /* FAILED */ - } - memcpy(buffer, address, copylen); - buffer += copylen; - len -= copylen; - sector = get_next_mini_sector(msi, sector); - if (sector == NOSTREAM) { - printf("Failed to get a next mini sector\n"); - return 0; /* FAILED */ - } - offset = 0; - } - return 1; /* OK */ + if (!locate_final_mini_sector(msi, sector, offset, §or, &offset)) { + printf("Failed to locate a final mini sector\n"); + return 0; /* FAILED */ + } + while (len > 0) { + const u_char *address; + uint32_t copylen; + address = mini_sector_offset_to_address(msi, sector, offset); + if (!address) { + printf("Failed to get a next mini sector address\n"); + return 0; /* FAILED */ + } + copylen = MIN(len, msi->m_minisectorSize - offset); + if (msi->m_buffer + msi->m_bufferLen < address + copylen) { + printf("Corrupted file\n"); + return 0; /* FAILED */ + } + memcpy(buffer, address, copylen); + buffer += copylen; + len -= copylen; + sector = get_next_mini_sector(msi, sector); + if (sector == NOSTREAM) { + printf("Failed to get a next mini sector\n"); + return 0; /* FAILED */ + } + offset = 0; + } + return 1; /* OK */ } /* @@ -1017,144 +1017,144 @@ static int read_mini_stream(MSI_FILE *msi, uint32_t sector, uint32_t offset, cha */ static int msi_file_read(MSI_FILE *msi, MSI_ENTRY *entry, uint32_t offset, char *buffer, uint32_t len) { - if (len < msi->m_hdr->miniStreamCutoffSize) { - if (!read_mini_stream(msi, entry->startSectorLocation, offset, buffer, len)) - return 0; /* FAILED */ - } else { - if (!read_stream(msi, entry->startSectorLocation, offset, buffer, len)) - return 0; /* FAILED */ - } - return 1; /* OK */ + if (len < msi->m_hdr->miniStreamCutoffSize) { + if (!read_mini_stream(msi, entry->startSectorLocation, offset, buffer, len)) + return 0; /* FAILED */ + } else { + if (!read_stream(msi, entry->startSectorLocation, offset, buffer, len)) + return 0; /* FAILED */ + } + return 1; /* OK */ } /* Parse MSI_FILE_HDR struct */ static MSI_FILE_HDR *parse_header(char *data) { - MSI_FILE_HDR *header = (MSI_FILE_HDR *)OPENSSL_malloc(HEADER_SIZE); + MSI_FILE_HDR *header = (MSI_FILE_HDR *)OPENSSL_malloc(HEADER_SIZE); - /* initialise 512 bytes */ - memset(header, 0, sizeof(MSI_FILE_HDR)); - memcpy(header->signature, data + HEADER_SIGNATURE, sizeof header->signature); - /* Minor Version field SHOULD be set to 0x003E. */ - header->minorVersion = GET_UINT16_LE(data + HEADER_MINOR_VER); - if (header->minorVersion !=0x003E ) { - printf("Warning: Minor Version field SHOULD be 0x003E, but is: 0x%04X\n", header->minorVersion); - } - /* Major Version field MUST be set to either 0x0003 (version 3) or 0x0004 (version 4). */ - header->majorVersion = GET_UINT16_LE(data + HEADER_MAJOR_VER); - if (header->majorVersion != 0x0003 && header->majorVersion != 0x0004) { - printf("Unknown Major Version: 0x%04X\n", header->majorVersion); - OPENSSL_free(header); - return NULL; /* FAILED */ - } - /* Byte Order field MUST be set to 0xFFFE, specifies little-endian byte order. */ - header->byteOrder = GET_UINT16_LE(data + HEADER_BYTE_ORDER); - if (header->byteOrder != 0xFFFE) { - printf("Unknown Byte Order: 0x%04X\n", header->byteOrder); - OPENSSL_free(header); - return NULL; /* FAILED */ - } - /* Sector Shift field MUST be set to 0x0009, or 0x000c, depending on the Major Version field. - * This field specifies the sector size of the compound file as a power of 2. */ - header->sectorShift = GET_UINT16_LE(data + HEADER_SECTOR_SHIFT); - if ((header->majorVersion == 0x0003 && header->sectorShift != 0x0009) || - (header->majorVersion == 0x0004 && header->sectorShift != 0x000C)) { - printf("Unknown Sector Shift: 0x%04X\n", header->sectorShift); - OPENSSL_free(header); - return NULL; /* FAILED */ - } - /* Mini Sector Shift field MUST be set to 0x0006. - * This field specifies the sector size of the Mini Stream as a power of 2. - * The sector size of the Mini Stream MUST be 64 bytes. */ - header->miniSectorShift = GET_UINT16_LE(data + HEADER_MINI_SECTOR_SHIFT); - if (header->miniSectorShift != 0x0006) { - printf("Unknown Mini Sector Shift: 0x%04X\n", header->miniSectorShift); - OPENSSL_free(header); - return NULL; /* FAILED */ - } - /* Number of Directory Sectors field contains the count of the number - * of directory sectors in the compound file. - * If Major Version is 3, the Number of Directory Sectors MUST be zero. */ - header->numDirectorySector = GET_UINT32_LE(data + HEADER_DIR_SECTORS_NUM); - if (header->majorVersion == 0x0003 && header->numDirectorySector != 0x00000000) { - printf("Unsupported Number of Directory Sectors: 0x%08X\n", header->numDirectorySector); - OPENSSL_free(header); - return NULL; /* FAILED */ - } - header->numFATSector = GET_UINT32_LE(data + HEADER_FAT_SECTORS_NUM); - header->firstDirectorySectorLocation = GET_UINT32_LE(data + HEADER_DIR_SECTOR_LOC); - header->transactionSignatureNumber = GET_UINT32_LE(data + HEADER_TRANSACTION); - /* Mini Stream Cutoff Size field MUST be set to 0x00001000. - * This field specifies the maximum size of a user-defined data stream that is allocated - * from the mini FAT and mini stream, and that cutoff is 4,096 bytes. - * Any user-defined data stream that is greater than or equal to this cutoff size - * must be allocated as normal sectors from the FAT. */ - header->miniStreamCutoffSize = GET_UINT32_LE(data + HEADER_MINI_STREAM_CUTOFF); - if (header->miniStreamCutoffSize != 0x00001000) { - printf("Unsupported Mini Stream Cutoff Size: 0x%08X\n", header->miniStreamCutoffSize); - OPENSSL_free(header); - return NULL; /* FAILED */ - } - header->firstMiniFATSectorLocation = GET_UINT32_LE(data + HEADER_MINI_FAT_SECTOR_LOC); - header->numMiniFATSector = GET_UINT32_LE(data + HEADER_MINI_FAT_SECTORS_NUM); - header->firstDIFATSectorLocation = GET_UINT32_LE(data + HEADER_DIFAT_SECTOR_LOC); - header->numDIFATSector = GET_UINT32_LE(data + HEADER_DIFAT_SECTORS_NUM); - memcpy(header->headerDIFAT, data + HEADER_DIFAT, sizeof header->headerDIFAT); - return header; + /* initialise 512 bytes */ + memset(header, 0, sizeof(MSI_FILE_HDR)); + memcpy(header->signature, data + HEADER_SIGNATURE, sizeof header->signature); + /* Minor Version field SHOULD be set to 0x003E. */ + header->minorVersion = GET_UINT16_LE(data + HEADER_MINOR_VER); + if (header->minorVersion !=0x003E ) { + printf("Warning: Minor Version field SHOULD be 0x003E, but is: 0x%04X\n", header->minorVersion); + } + /* Major Version field MUST be set to either 0x0003 (version 3) or 0x0004 (version 4). */ + header->majorVersion = GET_UINT16_LE(data + HEADER_MAJOR_VER); + if (header->majorVersion != 0x0003 && header->majorVersion != 0x0004) { + printf("Unknown Major Version: 0x%04X\n", header->majorVersion); + OPENSSL_free(header); + return NULL; /* FAILED */ + } + /* Byte Order field MUST be set to 0xFFFE, specifies little-endian byte order. */ + header->byteOrder = GET_UINT16_LE(data + HEADER_BYTE_ORDER); + if (header->byteOrder != 0xFFFE) { + printf("Unknown Byte Order: 0x%04X\n", header->byteOrder); + OPENSSL_free(header); + return NULL; /* FAILED */ + } + /* Sector Shift field MUST be set to 0x0009, or 0x000c, depending on the Major Version field. + * This field specifies the sector size of the compound file as a power of 2. */ + header->sectorShift = GET_UINT16_LE(data + HEADER_SECTOR_SHIFT); + if ((header->majorVersion == 0x0003 && header->sectorShift != 0x0009) || + (header->majorVersion == 0x0004 && header->sectorShift != 0x000C)) { + printf("Unknown Sector Shift: 0x%04X\n", header->sectorShift); + OPENSSL_free(header); + return NULL; /* FAILED */ + } + /* Mini Sector Shift field MUST be set to 0x0006. + * This field specifies the sector size of the Mini Stream as a power of 2. + * The sector size of the Mini Stream MUST be 64 bytes. */ + header->miniSectorShift = GET_UINT16_LE(data + HEADER_MINI_SECTOR_SHIFT); + if (header->miniSectorShift != 0x0006) { + printf("Unknown Mini Sector Shift: 0x%04X\n", header->miniSectorShift); + OPENSSL_free(header); + return NULL; /* FAILED */ + } + /* Number of Directory Sectors field contains the count of the number + * of directory sectors in the compound file. + * If Major Version is 3, the Number of Directory Sectors MUST be zero. */ + header->numDirectorySector = GET_UINT32_LE(data + HEADER_DIR_SECTORS_NUM); + if (header->majorVersion == 0x0003 && header->numDirectorySector != 0x00000000) { + printf("Unsupported Number of Directory Sectors: 0x%08X\n", header->numDirectorySector); + OPENSSL_free(header); + return NULL; /* FAILED */ + } + header->numFATSector = GET_UINT32_LE(data + HEADER_FAT_SECTORS_NUM); + header->firstDirectorySectorLocation = GET_UINT32_LE(data + HEADER_DIR_SECTOR_LOC); + header->transactionSignatureNumber = GET_UINT32_LE(data + HEADER_TRANSACTION); + /* Mini Stream Cutoff Size field MUST be set to 0x00001000. + * This field specifies the maximum size of a user-defined data stream that is allocated + * from the mini FAT and mini stream, and that cutoff is 4,096 bytes. + * Any user-defined data stream that is greater than or equal to this cutoff size + * must be allocated as normal sectors from the FAT. */ + header->miniStreamCutoffSize = GET_UINT32_LE(data + HEADER_MINI_STREAM_CUTOFF); + if (header->miniStreamCutoffSize != 0x00001000) { + printf("Unsupported Mini Stream Cutoff Size: 0x%08X\n", header->miniStreamCutoffSize); + OPENSSL_free(header); + return NULL; /* FAILED */ + } + header->firstMiniFATSectorLocation = GET_UINT32_LE(data + HEADER_MINI_FAT_SECTOR_LOC); + header->numMiniFATSector = GET_UINT32_LE(data + HEADER_MINI_FAT_SECTORS_NUM); + header->firstDIFATSectorLocation = GET_UINT32_LE(data + HEADER_DIFAT_SECTOR_LOC); + header->numDIFATSector = GET_UINT32_LE(data + HEADER_DIFAT_SECTORS_NUM); + memcpy(header->headerDIFAT, data + HEADER_DIFAT, sizeof header->headerDIFAT); + return header; } /* Parse MSI_ENTRY struct */ static MSI_ENTRY *parse_entry(MSI_FILE *msi, const u_char *data, int is_root) { - uint32_t inlen; - MSI_ENTRY *entry = (MSI_ENTRY *)OPENSSL_malloc(sizeof(MSI_ENTRY)); + uint32_t inlen; + MSI_ENTRY *entry = (MSI_ENTRY *)OPENSSL_malloc(sizeof(MSI_ENTRY)); - /* initialise 128 bytes */ - memset(entry, 0, sizeof(MSI_ENTRY)); - entry->nameLen = GET_UINT16_LE(data + DIRENT_NAME_LEN); - /* This length MUST NOT exceed 64, the maximum size of the Directory Entry Name field */ - if (entry->nameLen == 0 || entry->nameLen > 64) { - printf("Corrupted Directory Entry Name Length\n"); - OPENSSL_free(entry); - return NULL; /* FAILED */ - } - memcpy(entry->name, data + DIRENT_NAME, entry->nameLen); - /* The root directory entry's Name field MUST contain the null-terminated - * string "Root Entry" in Unicode UTF-16. */ - if (is_root && (entry->nameLen != sizeof msi_root_entry - || memcmp(entry->name, msi_root_entry, entry->nameLen))) { - printf("Corrupted Root Directory Entry's Name\n"); - OPENSSL_free(entry); - return NULL; /* FAILED */ - } - entry->type = GET_UINT8_LE(data + DIRENT_TYPE); - entry->colorFlag = GET_UINT8_LE(data + DIRENT_COLOUR); - entry->leftSiblingID = GET_UINT32_LE(data + DIRENT_LEFT_SIBLING_ID); - entry->rightSiblingID = GET_UINT32_LE(data + DIRENT_RIGHT_SIBLING_ID); - entry->childID = GET_UINT32_LE(data + DIRENT_CHILD_ID); - memcpy(entry->clsid, data + DIRENT_CLSID, 16); - memcpy(entry->stateBits, data + DIRENT_STATE_BITS, 4); - memcpy(entry->creationTime, data + DIRENT_CREATE_TIME, 8); - /* The Creation Time field in the root storage directory entry MUST be all zeroes - but the Modified Time field in the root storage directory entry MAY be all zeroes */ - if (is_root && memcmp(entry->creationTime, msi_zeroes, 8)) { - printf("Corrupted Root Directory Entry's Creation Time\n"); - OPENSSL_free(entry); - return NULL; /* FAILED */ - } - memcpy(entry->modifiedTime, data + DIRENT_MODIFY_TIME, 8); - entry->startSectorLocation = GET_UINT32_LE(data + DIRENT_START_SECTOR_LOC); - memcpy(entry->size, data + DIRENT_FILE_SIZE, 8); - /* For a version 3 compound file 512-byte sector size, the value of this field - MUST be less than or equal to 0x80000000 */ - inlen = GET_UINT32_LE(entry->size); - if ((msi->m_sectorSize == 0x0200 && inlen > 0x80000000) - || (msi->m_bufferLen <= inlen)) { - printf("Corrupted Stream Size 0x%08X\n", inlen); - OPENSSL_free(entry); - return NULL; /* FAILED */ - } - return entry; + /* initialise 128 bytes */ + memset(entry, 0, sizeof(MSI_ENTRY)); + entry->nameLen = GET_UINT16_LE(data + DIRENT_NAME_LEN); + /* This length MUST NOT exceed 64, the maximum size of the Directory Entry Name field */ + if (entry->nameLen == 0 || entry->nameLen > 64) { + printf("Corrupted Directory Entry Name Length\n"); + OPENSSL_free(entry); + return NULL; /* FAILED */ + } + memcpy(entry->name, data + DIRENT_NAME, entry->nameLen); + /* The root directory entry's Name field MUST contain the null-terminated + * string "Root Entry" in Unicode UTF-16. */ + if (is_root && (entry->nameLen != sizeof msi_root_entry + || memcmp(entry->name, msi_root_entry, entry->nameLen))) { + printf("Corrupted Root Directory Entry's Name\n"); + OPENSSL_free(entry); + return NULL; /* FAILED */ + } + entry->type = GET_UINT8_LE(data + DIRENT_TYPE); + entry->colorFlag = GET_UINT8_LE(data + DIRENT_COLOUR); + entry->leftSiblingID = GET_UINT32_LE(data + DIRENT_LEFT_SIBLING_ID); + entry->rightSiblingID = GET_UINT32_LE(data + DIRENT_RIGHT_SIBLING_ID); + entry->childID = GET_UINT32_LE(data + DIRENT_CHILD_ID); + memcpy(entry->clsid, data + DIRENT_CLSID, 16); + memcpy(entry->stateBits, data + DIRENT_STATE_BITS, 4); + memcpy(entry->creationTime, data + DIRENT_CREATE_TIME, 8); + /* The Creation Time field in the root storage directory entry MUST be all zeroes + but the Modified Time field in the root storage directory entry MAY be all zeroes */ + if (is_root && memcmp(entry->creationTime, msi_zeroes, 8)) { + printf("Corrupted Root Directory Entry's Creation Time\n"); + OPENSSL_free(entry); + return NULL; /* FAILED */ + } + memcpy(entry->modifiedTime, data + DIRENT_MODIFY_TIME, 8); + entry->startSectorLocation = GET_UINT32_LE(data + DIRENT_START_SECTOR_LOC); + memcpy(entry->size, data + DIRENT_FILE_SIZE, 8); + /* For a version 3 compound file 512-byte sector size, the value of this field + MUST be less than or equal to 0x80000000 */ + inlen = GET_UINT32_LE(entry->size); + if ((msi->m_sectorSize == 0x0200 && inlen > 0x80000000) + || (msi->m_bufferLen <= inlen)) { + printf("Corrupted Stream Size 0x%08X\n", inlen); + OPENSSL_free(entry); + return NULL; /* FAILED */ + } + return entry; } /* @@ -1164,246 +1164,246 @@ static MSI_ENTRY *parse_entry(MSI_FILE *msi, const u_char *data, int is_root) */ static MSI_ENTRY *get_entry(MSI_FILE *msi, uint32_t entryID, int is_root) { - uint32_t sector = 0; - uint32_t offset = 0; - const u_char *address; + uint32_t sector = 0; + uint32_t offset = 0; + const u_char *address; - /* Corrupted file */ - if (!is_root && entryID == 0) { - printf("Corrupted entryID\n"); - return NULL; /* FAILED */ - } - if (msi->m_bufferLen / sizeof(MSI_ENTRY) <= entryID) { - printf("Invalid argument entryID\n"); - return NULL; /* FAILED */ - } - /* The first entry in the first sector of the directory chain is known as - the root directory entry so it can not contain the directory stream */ - if (msi->m_hdr->firstDirectorySectorLocation == 0 && entryID == 0) { - printf("Corrupted First Directory Sector Location\n"); - return NULL; /* FAILED */ - } - if (!locate_final_sector(msi, msi->m_hdr->firstDirectorySectorLocation, - entryID * sizeof(MSI_ENTRY), §or, &offset)) { - printf("Failed to locate a final sector\n"); - return NULL; /* FAILED */ - } - address = sector_offset_to_address(msi, sector, offset); - if (!address) { - printf("Failed to get a final address\n"); - return NULL; /* FAILED */ - } - return parse_entry(msi, address, is_root); + /* Corrupted file */ + if (!is_root && entryID == 0) { + printf("Corrupted entryID\n"); + return NULL; /* FAILED */ + } + if (msi->m_bufferLen / sizeof(MSI_ENTRY) <= entryID) { + printf("Invalid argument entryID\n"); + return NULL; /* FAILED */ + } + /* The first entry in the first sector of the directory chain is known as + the root directory entry so it can not contain the directory stream */ + if (msi->m_hdr->firstDirectorySectorLocation == 0 && entryID == 0) { + printf("Corrupted First Directory Sector Location\n"); + return NULL; /* FAILED */ + } + if (!locate_final_sector(msi, msi->m_hdr->firstDirectorySectorLocation, + entryID * sizeof(MSI_ENTRY), §or, &offset)) { + printf("Failed to locate a final sector\n"); + return NULL; /* FAILED */ + } + address = sector_offset_to_address(msi, sector, offset); + if (!address) { + printf("Failed to get a final address\n"); + return NULL; /* FAILED */ + } + return parse_entry(msi, address, is_root); } static MSI_ENTRY *msi_root_entry_get(MSI_FILE *msi) { - return get_entry(msi, 0, TRUE); + return get_entry(msi, 0, TRUE); } static void msi_file_free(MSI_FILE *msi) { - if (!msi) - return; - OPENSSL_free(msi->m_hdr); - OPENSSL_free(msi); + if (!msi) + return; + OPENSSL_free(msi->m_hdr); + OPENSSL_free(msi); } /* Parse MSI_FILE struct */ static MSI_FILE *msi_file_new(char *buffer, uint32_t len) { - MSI_FILE *msi; - MSI_ENTRY *root; - MSI_FILE_HDR *header; + MSI_FILE *msi; + MSI_ENTRY *root; + MSI_FILE_HDR *header; - if (buffer == NULL || len == 0) { - printf("Invalid argument\n"); - return NULL; /* FAILED */ - } - header = parse_header(buffer); - if (!header) { - printf("Failed to parse MSI_FILE_HDR struct\n"); - return NULL; /* FAILED */ - } - msi = (MSI_FILE *)OPENSSL_malloc(sizeof(MSI_FILE)); - msi->m_buffer = (const u_char *)(buffer); - msi->m_bufferLen = len; - msi->m_hdr = header; - msi->m_sectorSize = 1 << msi->m_hdr->sectorShift; - msi->m_minisectorSize = 1 << msi->m_hdr->miniSectorShift; - msi->m_miniStreamStartSector = 0; + if (buffer == NULL || len == 0) { + printf("Invalid argument\n"); + return NULL; /* FAILED */ + } + header = parse_header(buffer); + if (!header) { + printf("Failed to parse MSI_FILE_HDR struct\n"); + return NULL; /* FAILED */ + } + msi = (MSI_FILE *)OPENSSL_malloc(sizeof(MSI_FILE)); + msi->m_buffer = (const u_char *)(buffer); + msi->m_bufferLen = len; + msi->m_hdr = header; + msi->m_sectorSize = 1 << msi->m_hdr->sectorShift; + msi->m_minisectorSize = 1 << msi->m_hdr->miniSectorShift; + msi->m_miniStreamStartSector = 0; - if (msi->m_bufferLen < sizeof *(msi->m_hdr) || - memcmp(msi->m_hdr->signature, msi_magic, sizeof msi_magic)) { - printf("Wrong file format\n"); - msi_file_free(msi); - return NULL; /* FAILED */ - } + if (msi->m_bufferLen < sizeof *(msi->m_hdr) || + memcmp(msi->m_hdr->signature, msi_magic, sizeof msi_magic)) { + printf("Wrong file format\n"); + msi_file_free(msi); + return NULL; /* FAILED */ + } - /* The file must contains at least 3 sectors */ - if (msi->m_bufferLen < msi->m_sectorSize * 3) { - printf("The file must contains at least 3 sectors\n"); - msi_file_free(msi); - return NULL; /* FAILED */ - } - root = msi_root_entry_get(msi); - if (!root) { - printf("Failed to get msi root entry\n"); - msi_file_free(msi); - return NULL; /* FAILED */ - } - msi->m_miniStreamStartSector = root->startSectorLocation; - OPENSSL_free(root); - return msi; + /* The file must contains at least 3 sectors */ + if (msi->m_bufferLen < msi->m_sectorSize * 3) { + printf("The file must contains at least 3 sectors\n"); + msi_file_free(msi); + return NULL; /* FAILED */ + } + root = msi_root_entry_get(msi); + if (!root) { + printf("Failed to get msi root entry\n"); + msi_file_free(msi); + return NULL; /* FAILED */ + } + msi->m_miniStreamStartSector = root->startSectorLocation; + OPENSSL_free(root); + return msi; } /* Recursively create a tree of MSI_DIRENT structures */ static int msi_dirent_new(MSI_FILE *msi, MSI_ENTRY *entry, MSI_DIRENT *parent, MSI_DIRENT **ret) { - MSI_DIRENT *dirent; - static int cnt; - static MSI_DIRENT *tortoise, *hare; + MSI_DIRENT *dirent; + static int cnt; + static MSI_DIRENT *tortoise, *hare; - if (!entry) { - return 1; /* OK */ - } - if (entry->nameLen == 0 || entry->nameLen > 64) { - printf("Corrupted Directory Entry Name Length\n"); - return 0; /* FAILED */ - } - /* detect cycles in previously visited entries (parents, siblings) */ - if (!ret) { /* initialized (non-root entry) */ - if ((entry->leftSiblingID != NOSTREAM && tortoise->entry->leftSiblingID == entry->leftSiblingID) - || (entry->rightSiblingID != NOSTREAM && tortoise->entry->rightSiblingID == entry->rightSiblingID) - || (entry->childID != NOSTREAM && tortoise->entry->childID == entry->childID)) { - printf("MSI_ENTRY cycle detected at level %d\n", cnt); - OPENSSL_free(entry); - return 0; /* FAILED */ - } - } + if (!entry) { + return 1; /* OK */ + } + if (entry->nameLen == 0 || entry->nameLen > 64) { + printf("Corrupted Directory Entry Name Length\n"); + return 0; /* FAILED */ + } + /* detect cycles in previously visited entries (parents, siblings) */ + if (!ret) { /* initialized (non-root entry) */ + if ((entry->leftSiblingID != NOSTREAM && tortoise->entry->leftSiblingID == entry->leftSiblingID) + || (entry->rightSiblingID != NOSTREAM && tortoise->entry->rightSiblingID == entry->rightSiblingID) + || (entry->childID != NOSTREAM && tortoise->entry->childID == entry->childID)) { + printf("MSI_ENTRY cycle detected at level %d\n", cnt); + OPENSSL_free(entry); + return 0; /* FAILED */ + } + } - dirent = (MSI_DIRENT *)OPENSSL_malloc(sizeof(MSI_DIRENT)); - memcpy(dirent->name, entry->name, entry->nameLen); - dirent->nameLen = entry->nameLen; - dirent->type = entry->type; - dirent->entry = entry; - dirent->children = sk_MSI_DIRENT_new_null(); - dirent->next = NULL; /* fail-safe */ + dirent = (MSI_DIRENT *)OPENSSL_malloc(sizeof(MSI_DIRENT)); + memcpy(dirent->name, entry->name, entry->nameLen); + dirent->nameLen = entry->nameLen; + dirent->type = entry->type; + dirent->entry = entry; + dirent->children = sk_MSI_DIRENT_new_null(); + dirent->next = NULL; /* fail-safe */ - /* Floyd's cycle-finding algorithm */ - if (!ret) { /* initialized (non-root entry) */ - if (cnt++ & 1) /* move the tortoise every other invocation of msi_dirent_new() */ - tortoise = tortoise->next; - hare->next = dirent; /* build a linked list of visited entries */ - hare = dirent; /* move the hare every time */ - } else { /* initialization needed (root entry) */ - cnt = 0; - tortoise = dirent; - hare = dirent; - } + /* Floyd's cycle-finding algorithm */ + if (!ret) { /* initialized (non-root entry) */ + if (cnt++ & 1) /* move the tortoise every other invocation of msi_dirent_new() */ + tortoise = tortoise->next; + hare->next = dirent; /* build a linked list of visited entries */ + hare = dirent; /* move the hare every time */ + } else { /* initialization needed (root entry) */ + cnt = 0; + tortoise = dirent; + hare = dirent; + } - if (parent && !sk_MSI_DIRENT_push(parent->children, dirent)) { - printf("Failed to insert MSI_DIRENT\n"); - return 0; /* FAILED */ - } + if (parent && !sk_MSI_DIRENT_push(parent->children, dirent)) { + printf("Failed to insert MSI_DIRENT\n"); + return 0; /* FAILED */ + } - if (ret) - *ret = dirent; + if (ret) + *ret = dirent; - if (!recurse_entry(msi, entry->leftSiblingID, parent) - || !recurse_entry(msi, entry->rightSiblingID, parent) - || !recurse_entry(msi, entry->childID, dirent)) { - printf("Failed to add a sibling or a child to the tree\n"); - return 0; /* FAILED */ - } + if (!recurse_entry(msi, entry->leftSiblingID, parent) + || !recurse_entry(msi, entry->rightSiblingID, parent) + || !recurse_entry(msi, entry->childID, dirent)) { + printf("Failed to add a sibling or a child to the tree\n"); + return 0; /* FAILED */ + } - return 1; /* OK */ + return 1; /* OK */ } /* Add a sibling or a child to the tree */ /* NOTE: These links are a tree, not a linked list */ static int recurse_entry(MSI_FILE *msi, uint32_t entryID, MSI_DIRENT *parent) { - MSI_ENTRY *node; + MSI_ENTRY *node; - /* The special NOSTREAM (0xFFFFFFFF) value is used as a terminator */ - if (entryID == NOSTREAM) /* stop condition */ - return 1; /* OK */ + /* The special NOSTREAM (0xFFFFFFFF) value is used as a terminator */ + if (entryID == NOSTREAM) /* stop condition */ + return 1; /* OK */ - node = get_entry(msi, entryID, FALSE); - if (!node) { - printf("Corrupted ID: 0x%08X\n", entryID); - return 0; /* FAILED */ - } + node = get_entry(msi, entryID, FALSE); + if (!node) { + printf("Corrupted ID: 0x%08X\n", entryID); + return 0; /* FAILED */ + } - if (!msi_dirent_new(msi, node, parent, NULL)) { - return 0; /* FAILED */ - } + if (!msi_dirent_new(msi, node, parent, NULL)) { + return 0; /* FAILED */ + } - return 1; /* OK */ + return 1; /* OK */ } /* Return DigitalSignature and MsiDigitalSignatureEx */ static MSI_ENTRY *msi_signatures_get(MSI_DIRENT *dirent, MSI_ENTRY **dse) { - int i; - MSI_ENTRY *ds = NULL; + int i; + MSI_ENTRY *ds = NULL; - for (i = 0; i < sk_MSI_DIRENT_num(dirent->children); i++) { - MSI_DIRENT *child = sk_MSI_DIRENT_value(dirent->children, i); - if (!memcmp(child->name, digital_signature, MIN(child->nameLen, sizeof digital_signature))) { - ds = child->entry; - } else if (dse && !memcmp(child->name, digital_signature_ex, MIN(child->nameLen, sizeof digital_signature_ex))) { - *dse = child->entry; - } else { - continue; - } - } - return ds; + for (i = 0; i < sk_MSI_DIRENT_num(dirent->children); i++) { + MSI_DIRENT *child = sk_MSI_DIRENT_value(dirent->children, i); + if (!memcmp(child->name, digital_signature, MIN(child->nameLen, sizeof digital_signature))) { + ds = child->entry; + } else if (dse && !memcmp(child->name, digital_signature_ex, MIN(child->nameLen, sizeof digital_signature_ex))) { + *dse = child->entry; + } else { + continue; + } + } + return ds; } /* Recursively free MSI_DIRENT struct */ static void msi_dirent_free(MSI_DIRENT *dirent) { - if (!dirent) - return; - sk_MSI_DIRENT_pop_free(dirent->children, msi_dirent_free); - OPENSSL_free(dirent->entry); - OPENSSL_free(dirent); + if (!dirent) + return; + sk_MSI_DIRENT_pop_free(dirent->children, msi_dirent_free); + OPENSSL_free(dirent->entry); + OPENSSL_free(dirent); } /* Sorted list of MSI streams in this order is needed for hashing */ static int dirent_cmp_hash(const MSI_DIRENT *const *a, const MSI_DIRENT *const *b) { - const MSI_DIRENT *dirent_a = *a; - const MSI_DIRENT *dirent_b = *b; - int diff = memcmp(dirent_a->name, dirent_b->name, MIN(dirent_a->nameLen, dirent_b->nameLen)); - /* apparently the longer wins */ - if (diff == 0) { - return dirent_a->nameLen > dirent_b->nameLen ? -1 : 1; - } - return diff; + const MSI_DIRENT *dirent_a = *a; + const MSI_DIRENT *dirent_b = *b; + int diff = memcmp(dirent_a->name, dirent_b->name, MIN(dirent_a->nameLen, dirent_b->nameLen)); + /* apparently the longer wins */ + if (diff == 0) { + return dirent_a->nameLen > dirent_b->nameLen ? -1 : 1; + } + return diff; } /* Sorting relationship for directory entries, the left sibling MUST always be less than the right sibling */ static int dirent_cmp_tree(const MSI_DIRENT *const *a, const MSI_DIRENT *const *b) { - const MSI_DIRENT *dirent_a = *a; - const MSI_DIRENT *dirent_b = *b; - uint16_t codepoint_a, codepoint_b; - int i; + const MSI_DIRENT *dirent_a = *a; + const MSI_DIRENT *dirent_b = *b; + uint16_t codepoint_a, codepoint_b; + int i; - if (dirent_a->nameLen != dirent_b->nameLen) { - return dirent_a->nameLen < dirent_b->nameLen ? -1 : 1; - } - for (i=0; inameLen-2; i=i+2) { - codepoint_a = GET_UINT16_LE(dirent_a->name + i); - codepoint_b = GET_UINT16_LE(dirent_b->name + i); - if (codepoint_a != codepoint_b) { - return codepoint_a < codepoint_b ? -1 : 1; - } - } - return 0; + if (dirent_a->nameLen != dirent_b->nameLen) { + return dirent_a->nameLen < dirent_b->nameLen ? -1 : 1; + } + for (i=0; inameLen-2; i=i+2) { + codepoint_a = GET_UINT16_LE(dirent_a->name + i); + codepoint_b = GET_UINT16_LE(dirent_b->name + i); + if (codepoint_a != codepoint_b) { + return codepoint_a < codepoint_b ? -1 : 1; + } + } + return 0; } /* @@ -1418,708 +1418,708 @@ static int dirent_cmp_tree(const MSI_DIRENT *const *a, const MSI_DIRENT *const * /* Hash a MSI stream's extended metadata */ static void prehash_metadata(MSI_ENTRY *entry, BIO *hash) { - if (entry->type != DIR_ROOT) { - BIO_write(hash, entry->name, entry->nameLen - 2); - } - if (entry->type != DIR_STREAM) { - BIO_write(hash, entry->clsid, sizeof entry->clsid); - } else { - BIO_write(hash, entry->size, (sizeof entry->size)/2); - } - BIO_write(hash, entry->stateBits, sizeof entry->stateBits); + if (entry->type != DIR_ROOT) { + BIO_write(hash, entry->name, entry->nameLen - 2); + } + if (entry->type != DIR_STREAM) { + BIO_write(hash, entry->clsid, sizeof entry->clsid); + } else { + BIO_write(hash, entry->size, (sizeof entry->size)/2); + } + BIO_write(hash, entry->stateBits, sizeof entry->stateBits); - if (entry->type != DIR_ROOT) { - BIO_write(hash, entry->creationTime, sizeof entry->creationTime); - BIO_write(hash, entry->modifiedTime, sizeof entry->modifiedTime); - } + if (entry->type != DIR_ROOT) { + BIO_write(hash, entry->creationTime, sizeof entry->creationTime); + BIO_write(hash, entry->modifiedTime, sizeof entry->modifiedTime); + } } /* Recursively hash a MSI directory's extended metadata */ static int msi_prehash_dir(MSI_DIRENT *dirent, BIO *hash, int is_root) { - int i, ret = 0; - STACK_OF(MSI_DIRENT) *children; + int i, ret = 0; + STACK_OF(MSI_DIRENT) *children; - if (!dirent || !dirent->children) { - return ret; - } - children = sk_MSI_DIRENT_dup(dirent->children); - prehash_metadata(dirent->entry, hash); - sk_MSI_DIRENT_set_cmp_func(children, &dirent_cmp_hash); - sk_MSI_DIRENT_sort(children); - for (i = 0; i < sk_MSI_DIRENT_num(children); i++) { - MSI_DIRENT *child = sk_MSI_DIRENT_value(children, i); - if (is_root && (!memcmp(child->name, digital_signature, MIN(child->nameLen, sizeof digital_signature)) - || !memcmp(child->name, digital_signature_ex, MIN(child->nameLen, sizeof digital_signature_ex)))) { - continue; - } - if (child->type == DIR_STREAM) { - prehash_metadata(child->entry, hash); - } - if (child->type == DIR_STORAGE) { - if (!msi_prehash_dir(child, hash, 0)) { - goto out; - } - } - } - ret = 1; /* OK */ + if (!dirent || !dirent->children) { + return ret; + } + children = sk_MSI_DIRENT_dup(dirent->children); + prehash_metadata(dirent->entry, hash); + sk_MSI_DIRENT_set_cmp_func(children, &dirent_cmp_hash); + sk_MSI_DIRENT_sort(children); + for (i = 0; i < sk_MSI_DIRENT_num(children); i++) { + MSI_DIRENT *child = sk_MSI_DIRENT_value(children, i); + if (is_root && (!memcmp(child->name, digital_signature, MIN(child->nameLen, sizeof digital_signature)) + || !memcmp(child->name, digital_signature_ex, MIN(child->nameLen, sizeof digital_signature_ex)))) { + continue; + } + if (child->type == DIR_STREAM) { + prehash_metadata(child->entry, hash); + } + if (child->type == DIR_STORAGE) { + if (!msi_prehash_dir(child, hash, 0)) { + goto out; + } + } + } + ret = 1; /* OK */ out: - sk_MSI_DIRENT_free(children); - return ret; + sk_MSI_DIRENT_free(children); + return ret; } /* Recursively hash a MSI directory (storage) */ static int msi_hash_dir(MSI_FILE *msi, MSI_DIRENT *dirent, BIO *hash, int is_root) { - int i, ret = 0; - STACK_OF(MSI_DIRENT) *children; + int i, ret = 0; + STACK_OF(MSI_DIRENT) *children; - if (!dirent || !dirent->children) { - return ret; - } - children = sk_MSI_DIRENT_dup(dirent->children); - sk_MSI_DIRENT_set_cmp_func(children, &dirent_cmp_hash); - sk_MSI_DIRENT_sort(children); + if (!dirent || !dirent->children) { + return ret; + } + children = sk_MSI_DIRENT_dup(dirent->children); + sk_MSI_DIRENT_set_cmp_func(children, &dirent_cmp_hash); + sk_MSI_DIRENT_sort(children); - for (i = 0; i < sk_MSI_DIRENT_num(children); i++) { - MSI_DIRENT *child = sk_MSI_DIRENT_value(children, i); - if (is_root && (!memcmp(child->name, digital_signature, MIN(child->nameLen, sizeof digital_signature)) - || !memcmp(child->name, digital_signature_ex, MIN(child->nameLen, sizeof digital_signature_ex)))) { - /* Skip DigitalSignature and MsiDigitalSignatureEx streams */ - continue; - } - if (child->type == DIR_STREAM) { - char *indata; - uint32_t inlen = GET_UINT32_LE(child->entry->size); - if (inlen == 0 || inlen >= MAXREGSECT) { - /* Skip null and corrupted streams */ - continue; - } - indata = (char *)OPENSSL_malloc(inlen); - if (!msi_file_read(msi, child->entry, 0, indata, inlen)) { - printf("Failed to read stream data\n"); - OPENSSL_free(indata); - goto out; - } - BIO_write(hash, indata, (int)inlen); - OPENSSL_free(indata); - } - if (child->type == DIR_STORAGE) { - if (!msi_hash_dir(msi, child, hash, 0)) { - printf("Failed to hash a MSI storage\n"); - goto out; - } - } - } - BIO_write(hash, dirent->entry->clsid, sizeof dirent->entry->clsid); - ret = 1; /* OK */ + for (i = 0; i < sk_MSI_DIRENT_num(children); i++) { + MSI_DIRENT *child = sk_MSI_DIRENT_value(children, i); + if (is_root && (!memcmp(child->name, digital_signature, MIN(child->nameLen, sizeof digital_signature)) + || !memcmp(child->name, digital_signature_ex, MIN(child->nameLen, sizeof digital_signature_ex)))) { + /* Skip DigitalSignature and MsiDigitalSignatureEx streams */ + continue; + } + if (child->type == DIR_STREAM) { + char *indata; + uint32_t inlen = GET_UINT32_LE(child->entry->size); + if (inlen == 0 || inlen >= MAXREGSECT) { + /* Skip null and corrupted streams */ + continue; + } + indata = (char *)OPENSSL_malloc(inlen); + if (!msi_file_read(msi, child->entry, 0, indata, inlen)) { + printf("Failed to read stream data\n"); + OPENSSL_free(indata); + goto out; + } + BIO_write(hash, indata, (int)inlen); + OPENSSL_free(indata); + } + if (child->type == DIR_STORAGE) { + if (!msi_hash_dir(msi, child, hash, 0)) { + printf("Failed to hash a MSI storage\n"); + goto out; + } + } + } + BIO_write(hash, dirent->entry->clsid, sizeof dirent->entry->clsid); + ret = 1; /* OK */ out: - sk_MSI_DIRENT_free(children); - return ret; + sk_MSI_DIRENT_free(children); + return ret; } static void ministream_append(MSI_OUT *out, char *buf, uint32_t len) { - uint32_t needSectors = (len + out->sectorSize - 1) / out->sectorSize; - if (out->miniStreamLen + len >= (uint64_t)out->ministreamsMemallocCount * out->sectorSize) { - out->ministreamsMemallocCount += needSectors; - out->ministream = OPENSSL_realloc(out->ministream, (size_t)(out->ministreamsMemallocCount * out->sectorSize)); - } - memcpy(out->ministream + out->miniStreamLen, buf, (size_t)len); - out->miniStreamLen += len; + uint32_t needSectors = (len + out->sectorSize - 1) / out->sectorSize; + if (out->miniStreamLen + len >= (uint64_t)out->ministreamsMemallocCount * out->sectorSize) { + out->ministreamsMemallocCount += needSectors; + out->ministream = OPENSSL_realloc(out->ministream, (size_t)(out->ministreamsMemallocCount * out->sectorSize)); + } + memcpy(out->ministream + out->miniStreamLen, buf, (size_t)len); + out->miniStreamLen += len; } static void minifat_append(MSI_OUT *out, char *buf, uint32_t len) { - if (out->minifatLen == (uint64_t)out->minifatMemallocCount * out->sectorSize) { - out->minifatMemallocCount += 1; - out->minifat = OPENSSL_realloc(out->minifat, (size_t)(out->minifatMemallocCount * out->sectorSize)); - } - memcpy(out->minifat + out->minifatLen, buf, (size_t)len); - out->minifatLen += len; + if (out->minifatLen == (uint64_t)out->minifatMemallocCount * out->sectorSize) { + out->minifatMemallocCount += 1; + out->minifat = OPENSSL_realloc(out->minifat, (size_t)(out->minifatMemallocCount * out->sectorSize)); + } + memcpy(out->minifat + out->minifatLen, buf, (size_t)len); + out->minifatLen += len; } static void fat_append(MSI_OUT *out, char *buf, uint32_t len) { - if (out->fatLen == (uint64_t)out->fatMemallocCount * out->sectorSize) { - out->fatMemallocCount += 1; - out->fat = OPENSSL_realloc(out->fat, (size_t)(out->fatMemallocCount * out->sectorSize)); - } - memcpy(out->fat + out->fatLen, buf, (size_t)len); - out->fatLen += len; + if (out->fatLen == (uint64_t)out->fatMemallocCount * out->sectorSize) { + out->fatMemallocCount += 1; + out->fat = OPENSSL_realloc(out->fat, (size_t)(out->fatMemallocCount * out->sectorSize)); + } + memcpy(out->fat + out->fatLen, buf, (size_t)len); + out->fatLen += len; } static int msi_dirent_delete(MSI_DIRENT *dirent, const u_char *name, uint16_t nameLen) { - int i; + int i; - for (i = 0; i < sk_MSI_DIRENT_num(dirent->children); i++) { - MSI_DIRENT *child = sk_MSI_DIRENT_value(dirent->children, i); - if (memcmp(child->name, name, MIN(child->nameLen, nameLen))) { - continue; - } - if (child->type != DIR_STREAM) { - printf("Can't delete or replace storages\n"); - return 0; /* FAILED */ - } - sk_MSI_DIRENT_delete(dirent->children, i); - msi_dirent_free(child); - } - return 1; /* OK */ + for (i = 0; i < sk_MSI_DIRENT_num(dirent->children); i++) { + MSI_DIRENT *child = sk_MSI_DIRENT_value(dirent->children, i); + if (memcmp(child->name, name, MIN(child->nameLen, nameLen))) { + continue; + } + if (child->type != DIR_STREAM) { + printf("Can't delete or replace storages\n"); + return 0; /* FAILED */ + } + sk_MSI_DIRENT_delete(dirent->children, i); + msi_dirent_free(child); + } + return 1; /* OK */ } static MSI_DIRENT *dirent_add(const u_char *name, uint16_t nameLen) { - MSI_DIRENT *dirent = (MSI_DIRENT *)OPENSSL_malloc(sizeof(MSI_DIRENT)); - MSI_ENTRY *entry = (MSI_ENTRY *)OPENSSL_malloc(sizeof(MSI_ENTRY)); + MSI_DIRENT *dirent = (MSI_DIRENT *)OPENSSL_malloc(sizeof(MSI_DIRENT)); + MSI_ENTRY *entry = (MSI_ENTRY *)OPENSSL_malloc(sizeof(MSI_ENTRY)); - memcpy(dirent->name, name, nameLen); - dirent->nameLen = nameLen; - dirent->type = DIR_STREAM; - dirent->children = sk_MSI_DIRENT_new_null(); + memcpy(dirent->name, name, nameLen); + dirent->nameLen = nameLen; + dirent->type = DIR_STREAM; + dirent->children = sk_MSI_DIRENT_new_null(); - memcpy(entry->name, name, nameLen); - entry->nameLen = nameLen; - entry->type = DIR_STREAM; - entry->colorFlag = BLACK_COLOR; /* make everything black */ - entry->leftSiblingID = NOSTREAM; - entry->rightSiblingID = NOSTREAM; - entry->childID = NOSTREAM; - memset(entry->clsid, 0, 16); - memset(entry->stateBits, 0, 4); - memset(entry->creationTime, 0, 8); - memset(entry->modifiedTime, 0, 8); - entry->startSectorLocation = NOSTREAM; - memset(entry->size, 0, 8); - dirent->entry = entry; + memcpy(entry->name, name, nameLen); + entry->nameLen = nameLen; + entry->type = DIR_STREAM; + entry->colorFlag = BLACK_COLOR; /* make everything black */ + entry->leftSiblingID = NOSTREAM; + entry->rightSiblingID = NOSTREAM; + entry->childID = NOSTREAM; + memset(entry->clsid, 0, 16); + memset(entry->stateBits, 0, 4); + memset(entry->creationTime, 0, 8); + memset(entry->modifiedTime, 0, 8); + entry->startSectorLocation = NOSTREAM; + memset(entry->size, 0, 8); + dirent->entry = entry; - return dirent; + return dirent; } static int dirent_insert(MSI_DIRENT *dirent, const u_char *name, uint16_t nameLen) { - MSI_DIRENT *new_dirent; + MSI_DIRENT *new_dirent; - if (!msi_dirent_delete(dirent, name, nameLen)) { - return 0; /* FAILED */ - } - /* create new dirent */ - new_dirent = dirent_add(name, nameLen); - sk_MSI_DIRENT_push(dirent->children, new_dirent); + if (!msi_dirent_delete(dirent, name, nameLen)) { + return 0; /* FAILED */ + } + /* create new dirent */ + new_dirent = dirent_add(name, nameLen); + sk_MSI_DIRENT_push(dirent->children, new_dirent); - return 1; /* OK */ + return 1; /* OK */ } static int signature_insert(MSI_DIRENT *dirent, uint32_t len_msiex) { - if (len_msiex > 0) { - if (!dirent_insert(dirent, digital_signature_ex, sizeof digital_signature_ex)) { - return 0; /* FAILED */ - } - } else { - if (!msi_dirent_delete(dirent, digital_signature_ex, sizeof digital_signature_ex)) { - return 0; /* FAILED */ - } - } - if (!dirent_insert(dirent, digital_signature, sizeof digital_signature)) { - return 0; /* FAILED */ - } - return 1; /* OK */ + if (len_msiex > 0) { + if (!dirent_insert(dirent, digital_signature_ex, sizeof digital_signature_ex)) { + return 0; /* FAILED */ + } + } else { + if (!msi_dirent_delete(dirent, digital_signature_ex, sizeof digital_signature_ex)) { + return 0; /* FAILED */ + } + } + if (!dirent_insert(dirent, digital_signature, sizeof digital_signature)) { + return 0; /* FAILED */ + } + return 1; /* OK */ } static uint32_t stream_read(MSI_FILE *msi, MSI_ENTRY *entry, u_char *p_msi, uint32_t len_msi, - u_char *p_msiex, uint32_t len_msiex, char **indata, uint32_t inlen, int is_root) + u_char *p_msiex, uint32_t len_msiex, char **indata, uint32_t inlen, int is_root) { - if (is_root && !memcmp(entry->name, digital_signature, sizeof digital_signature)) { - /* DigitalSignature */ - inlen = len_msi; - *indata = OPENSSL_malloc((size_t)inlen); - memcpy(*indata, p_msi, (size_t)inlen); - } else if (is_root && !memcmp(entry->name, digital_signature_ex, sizeof digital_signature_ex)) { - /* MsiDigitalSignatureEx */ - inlen = len_msiex; - *indata = OPENSSL_malloc((size_t)inlen); - memcpy(*indata, p_msiex, (size_t)inlen); - } else if (inlen != 0) { - *indata = (char *)OPENSSL_malloc(inlen); - if (!msi_file_read(msi, entry, 0, *indata, inlen)) { - return 0; /* FAILED */ - } - } - return inlen; + if (is_root && !memcmp(entry->name, digital_signature, sizeof digital_signature)) { + /* DigitalSignature */ + inlen = len_msi; + *indata = OPENSSL_malloc((size_t)inlen); + memcpy(*indata, p_msi, (size_t)inlen); + } else if (is_root && !memcmp(entry->name, digital_signature_ex, sizeof digital_signature_ex)) { + /* MsiDigitalSignatureEx */ + inlen = len_msiex; + *indata = OPENSSL_malloc((size_t)inlen); + memcpy(*indata, p_msiex, (size_t)inlen); + } else if (inlen != 0) { + *indata = (char *)OPENSSL_malloc(inlen); + if (!msi_file_read(msi, entry, 0, *indata, inlen)) { + return 0; /* FAILED */ + } + } + return inlen; } /* Recursively handle data from MSI_DIRENT struct */ static int stream_handle(MSI_FILE *msi, MSI_DIRENT *dirent, u_char *p_msi, uint32_t len_msi, - u_char *p_msiex, uint32_t len_msiex, BIO *outdata, MSI_OUT *out, int is_root) + u_char *p_msiex, uint32_t len_msiex, BIO *outdata, MSI_OUT *out, int is_root) { - int i; + int i; - if (dirent->type == DIR_ROOT) { - if (len_msi > 0 && !signature_insert(dirent, len_msiex)) { - printf("Insert new signature failed\n"); - return 0; /* FAILED */ - } - out->ministreamsMemallocCount = (GET_UINT32_LE(dirent->entry->size) + out->sectorSize - 1)/out->sectorSize; - out->ministream = OPENSSL_malloc((uint64_t)out->ministreamsMemallocCount * out->sectorSize); - } - for (i = 0; i < sk_MSI_DIRENT_num(dirent->children); i++) { - MSI_DIRENT *child = sk_MSI_DIRENT_value(dirent->children, i); - if (child->type == DIR_STORAGE) { - if (!stream_handle(msi, child, NULL, 0, NULL, 0, outdata, out, 0)) { - return 0; /* FAILED */ - } - } else { /* DIR_STREAM */ - char buf[MAX_SECTOR_SIZE]; - char *indata; - uint32_t inlen = GET_UINT32_LE(child->entry->size); - if (inlen >= MAXREGSECT) { - printf("Corrupted stream length 0x%08X\n", inlen); - return 0; /* FAILED */ - } - /* DigitalSignature or MsiDigitalSignatureEx: inlen == 0 */ - inlen = stream_read(msi, child->entry, p_msi, len_msi, p_msiex, len_msiex, &indata, inlen, is_root); - if (inlen == 0) { - printf("Failed to read stream data\n"); - OPENSSL_free(indata); - continue; - } - /* set the size of the user-defined data if this is a stream object */ - PUT_UINT32_LE(inlen, buf); - memcpy(child->entry->size, buf, sizeof child->entry->size); + if (dirent->type == DIR_ROOT) { + if (len_msi > 0 && !signature_insert(dirent, len_msiex)) { + printf("Insert new signature failed\n"); + return 0; /* FAILED */ + } + out->ministreamsMemallocCount = (GET_UINT32_LE(dirent->entry->size) + out->sectorSize - 1)/out->sectorSize; + out->ministream = OPENSSL_malloc((uint64_t)out->ministreamsMemallocCount * out->sectorSize); + } + for (i = 0; i < sk_MSI_DIRENT_num(dirent->children); i++) { + MSI_DIRENT *child = sk_MSI_DIRENT_value(dirent->children, i); + if (child->type == DIR_STORAGE) { + if (!stream_handle(msi, child, NULL, 0, NULL, 0, outdata, out, 0)) { + return 0; /* FAILED */ + } + } else { /* DIR_STREAM */ + char buf[MAX_SECTOR_SIZE]; + char *indata; + uint32_t inlen = GET_UINT32_LE(child->entry->size); + if (inlen >= MAXREGSECT) { + printf("Corrupted stream length 0x%08X\n", inlen); + return 0; /* FAILED */ + } + /* DigitalSignature or MsiDigitalSignatureEx: inlen == 0 */ + inlen = stream_read(msi, child->entry, p_msi, len_msi, p_msiex, len_msiex, &indata, inlen, is_root); + if (inlen == 0) { + printf("Failed to read stream data\n"); + OPENSSL_free(indata); + continue; + } + /* set the size of the user-defined data if this is a stream object */ + PUT_UINT32_LE(inlen, buf); + memcpy(child->entry->size, buf, sizeof child->entry->size); - if (inlen < MINI_STREAM_CUTOFF_SIZE) { - /* set the index into the mini FAT to track the chain of sectors through the mini stream */ - child->entry->startSectorLocation = out->miniSectorNum; - ministream_append(out, indata, inlen); - /* fill to the end with known data, such as all zeroes */ - if (inlen % msi->m_minisectorSize > 0) { - uint32_t remain = msi->m_minisectorSize - inlen % msi->m_minisectorSize; - memset(buf, 0, (size_t)remain); - ministream_append(out, buf, remain); - } - while (inlen > msi->m_minisectorSize) { - out->miniSectorNum += 1; - PUT_UINT32_LE(out->miniSectorNum, buf); - minifat_append(out, buf, 4); - inlen -= msi->m_minisectorSize; - } - PUT_UINT32_LE(ENDOFCHAIN, buf); - minifat_append(out, buf, 4); - out->miniSectorNum += 1; - } else { - /* set the first sector location if this is a stream object */ - child->entry->startSectorLocation = out->sectorNum; - /* stream save */ - BIO_write(outdata, indata, (int)inlen); - /* fill to the end with known data, such as all zeroes */ - if (inlen % out->sectorSize > 0) { - uint32_t remain = out->sectorSize - inlen % out->sectorSize; - memset(buf, 0, (size_t)remain); - BIO_write(outdata, buf, (int)remain); - } - /* set a sector chain in the FAT */ - while (inlen > out->sectorSize) { - out->sectorNum += 1; - PUT_UINT32_LE(out->sectorNum, buf); - fat_append(out, buf, 4); - inlen -= out->sectorSize; - } - PUT_UINT32_LE(ENDOFCHAIN, buf); - fat_append(out, buf, 4); - out->sectorNum += 1; - } - OPENSSL_free(indata); - } - } - return 1; /* OK */ + if (inlen < MINI_STREAM_CUTOFF_SIZE) { + /* set the index into the mini FAT to track the chain of sectors through the mini stream */ + child->entry->startSectorLocation = out->miniSectorNum; + ministream_append(out, indata, inlen); + /* fill to the end with known data, such as all zeroes */ + if (inlen % msi->m_minisectorSize > 0) { + uint32_t remain = msi->m_minisectorSize - inlen % msi->m_minisectorSize; + memset(buf, 0, (size_t)remain); + ministream_append(out, buf, remain); + } + while (inlen > msi->m_minisectorSize) { + out->miniSectorNum += 1; + PUT_UINT32_LE(out->miniSectorNum, buf); + minifat_append(out, buf, 4); + inlen -= msi->m_minisectorSize; + } + PUT_UINT32_LE(ENDOFCHAIN, buf); + minifat_append(out, buf, 4); + out->miniSectorNum += 1; + } else { + /* set the first sector location if this is a stream object */ + child->entry->startSectorLocation = out->sectorNum; + /* stream save */ + BIO_write(outdata, indata, (int)inlen); + /* fill to the end with known data, such as all zeroes */ + if (inlen % out->sectorSize > 0) { + uint32_t remain = out->sectorSize - inlen % out->sectorSize; + memset(buf, 0, (size_t)remain); + BIO_write(outdata, buf, (int)remain); + } + /* set a sector chain in the FAT */ + while (inlen > out->sectorSize) { + out->sectorNum += 1; + PUT_UINT32_LE(out->sectorNum, buf); + fat_append(out, buf, 4); + inlen -= out->sectorSize; + } + PUT_UINT32_LE(ENDOFCHAIN, buf); + fat_append(out, buf, 4); + out->sectorNum += 1; + } + OPENSSL_free(indata); + } + } + return 1; /* OK */ } static void ministream_save(MSI_DIRENT *dirent, BIO *outdata, MSI_OUT *out) { - char buf[MAX_SECTOR_SIZE]; - uint32_t i, remain; - uint32_t ministreamSectorsCount = (out->miniStreamLen + out->sectorSize - 1) / out->sectorSize; + char buf[MAX_SECTOR_SIZE]; + uint32_t i, remain; + uint32_t ministreamSectorsCount = (out->miniStreamLen + out->sectorSize - 1) / out->sectorSize; - /* set the first sector of the mini stream in the entry root object */ - dirent->entry->startSectorLocation = out->sectorNum; - /* ministream save */ - BIO_write(outdata, out->ministream, (int)out->miniStreamLen); - OPENSSL_free(out->ministream); - /* fill to the end with known data, such as all zeroes */ - if (out->miniStreamLen % out->sectorSize > 0) { - remain = out->sectorSize - out->miniStreamLen % out->sectorSize; - memset(buf, 0, (size_t)remain); - BIO_write(outdata, buf, (int)remain); - } - /* set a sector chain in the FAT */ - for (i=1; isectorNum + i, buf); - fat_append(out, buf, 4); - } - /* mark the end of the mini stream data */ - PUT_UINT32_LE(ENDOFCHAIN, buf); - fat_append(out, buf, 4); + /* set the first sector of the mini stream in the entry root object */ + dirent->entry->startSectorLocation = out->sectorNum; + /* ministream save */ + BIO_write(outdata, out->ministream, (int)out->miniStreamLen); + OPENSSL_free(out->ministream); + /* fill to the end with known data, such as all zeroes */ + if (out->miniStreamLen % out->sectorSize > 0) { + remain = out->sectorSize - out->miniStreamLen % out->sectorSize; + memset(buf, 0, (size_t)remain); + BIO_write(outdata, buf, (int)remain); + } + /* set a sector chain in the FAT */ + for (i=1; isectorNum + i, buf); + fat_append(out, buf, 4); + } + /* mark the end of the mini stream data */ + PUT_UINT32_LE(ENDOFCHAIN, buf); + fat_append(out, buf, 4); - out->sectorNum += ministreamSectorsCount; + out->sectorNum += ministreamSectorsCount; } static void minifat_save(BIO *outdata, MSI_OUT *out) { - char buf[MAX_SECTOR_SIZE]; - uint32_t i, remain; + char buf[MAX_SECTOR_SIZE]; + uint32_t i, remain; - /* set Mini FAT Starting Sector Location in the header */ - if (out->minifatLen == 0) { - PUT_UINT32_LE(ENDOFCHAIN, buf); - memcpy(out->header + HEADER_MINI_FAT_SECTOR_LOC, buf, 4); - return; - } - PUT_UINT32_LE(out->sectorNum, buf); - memcpy(out->header + HEADER_MINI_FAT_SECTOR_LOC, buf, 4); - /* minifat save */ - BIO_write(outdata, out->minifat, (int)out->minifatLen); - /* marks the end of the stream */ - PUT_UINT32_LE(ENDOFCHAIN, buf); - BIO_write(outdata, buf, 4); - out->minifatLen += 4; - /* empty unallocated free sectors in the last Mini FAT sector */ - if (out->minifatLen % out->sectorSize > 0) { - remain = out->sectorSize - out->minifatLen % out->sectorSize; - memset(buf, (int)FREESECT, (size_t)remain); - BIO_write(outdata, buf, (int)remain); - } - /* set a sector chain in the FAT */ - out->minifatSectorsCount = (out->minifatLen + out->sectorSize - 1) / out->sectorSize; - for (i=1; iminifatSectorsCount; i++) { - PUT_UINT32_LE(out->sectorNum + i, buf); - fat_append(out, buf, 4); - } - /* mark the end of the mini FAT chain */ - PUT_UINT32_LE(ENDOFCHAIN, buf); - fat_append(out, buf, 4); + /* set Mini FAT Starting Sector Location in the header */ + if (out->minifatLen == 0) { + PUT_UINT32_LE(ENDOFCHAIN, buf); + memcpy(out->header + HEADER_MINI_FAT_SECTOR_LOC, buf, 4); + return; + } + PUT_UINT32_LE(out->sectorNum, buf); + memcpy(out->header + HEADER_MINI_FAT_SECTOR_LOC, buf, 4); + /* minifat save */ + BIO_write(outdata, out->minifat, (int)out->minifatLen); + /* marks the end of the stream */ + PUT_UINT32_LE(ENDOFCHAIN, buf); + BIO_write(outdata, buf, 4); + out->minifatLen += 4; + /* empty unallocated free sectors in the last Mini FAT sector */ + if (out->minifatLen % out->sectorSize > 0) { + remain = out->sectorSize - out->minifatLen % out->sectorSize; + memset(buf, (int)FREESECT, (size_t)remain); + BIO_write(outdata, buf, (int)remain); + } + /* set a sector chain in the FAT */ + out->minifatSectorsCount = (out->minifatLen + out->sectorSize - 1) / out->sectorSize; + for (i=1; iminifatSectorsCount; i++) { + PUT_UINT32_LE(out->sectorNum + i, buf); + fat_append(out, buf, 4); + } + /* mark the end of the mini FAT chain */ + PUT_UINT32_LE(ENDOFCHAIN, buf); + fat_append(out, buf, 4); - out->sectorNum += out->minifatSectorsCount; + out->sectorNum += out->minifatSectorsCount; } static char *msi_dirent_get(MSI_ENTRY *entry) { - char buf[8]; - char *data = OPENSSL_malloc(DIRENT_SIZE); + char buf[8]; + char *data = OPENSSL_malloc(DIRENT_SIZE); - /* initialise 128 bytes */ - memset(data, 0, DIRENT_SIZE); + /* initialise 128 bytes */ + memset(data, 0, DIRENT_SIZE); - memcpy(data + DIRENT_NAME, entry->name, entry->nameLen); - memset(data + DIRENT_NAME + entry->nameLen, 0, DIRENT_MAX_NAME_SIZE - entry->nameLen); - PUT_UINT16_LE(entry->nameLen, buf); - memcpy(data + DIRENT_NAME_LEN, buf, 2); - PUT_UINT8_LE(entry->type, buf); - memcpy(data + DIRENT_TYPE, buf, 1); - PUT_UINT8_LE(entry->colorFlag, buf); - memcpy(data + DIRENT_COLOUR, buf, 1); - PUT_UINT32_LE(entry->leftSiblingID, buf); - memcpy(data + DIRENT_LEFT_SIBLING_ID, buf, 4); - PUT_UINT32_LE(entry->rightSiblingID, buf); - memcpy(data + DIRENT_RIGHT_SIBLING_ID, buf, 4); - PUT_UINT32_LE(entry->childID, buf); - memcpy(data + DIRENT_CHILD_ID, buf, 4); - memcpy(data + DIRENT_CLSID, entry->clsid, 16); - memcpy(data + DIRENT_STATE_BITS, entry->stateBits, 4); - memcpy(data + DIRENT_CREATE_TIME, entry->creationTime, 8); - memcpy(data + DIRENT_MODIFY_TIME, entry->modifiedTime, 8); - PUT_UINT32_LE(entry->startSectorLocation, buf); - memcpy(data + DIRENT_START_SECTOR_LOC, buf, 4); - memcpy(data + DIRENT_FILE_SIZE, entry->size, 4); - memset(data + DIRENT_FILE_SIZE + 4, 0, 4); - return data; + memcpy(data + DIRENT_NAME, entry->name, entry->nameLen); + memset(data + DIRENT_NAME + entry->nameLen, 0, DIRENT_MAX_NAME_SIZE - entry->nameLen); + PUT_UINT16_LE(entry->nameLen, buf); + memcpy(data + DIRENT_NAME_LEN, buf, 2); + PUT_UINT8_LE(entry->type, buf); + memcpy(data + DIRENT_TYPE, buf, 1); + PUT_UINT8_LE(entry->colorFlag, buf); + memcpy(data + DIRENT_COLOUR, buf, 1); + PUT_UINT32_LE(entry->leftSiblingID, buf); + memcpy(data + DIRENT_LEFT_SIBLING_ID, buf, 4); + PUT_UINT32_LE(entry->rightSiblingID, buf); + memcpy(data + DIRENT_RIGHT_SIBLING_ID, buf, 4); + PUT_UINT32_LE(entry->childID, buf); + memcpy(data + DIRENT_CHILD_ID, buf, 4); + memcpy(data + DIRENT_CLSID, entry->clsid, 16); + memcpy(data + DIRENT_STATE_BITS, entry->stateBits, 4); + memcpy(data + DIRENT_CREATE_TIME, entry->creationTime, 8); + memcpy(data + DIRENT_MODIFY_TIME, entry->modifiedTime, 8); + PUT_UINT32_LE(entry->startSectorLocation, buf); + memcpy(data + DIRENT_START_SECTOR_LOC, buf, 4); + memcpy(data + DIRENT_FILE_SIZE, entry->size, 4); + memset(data + DIRENT_FILE_SIZE + 4, 0, 4); + return data; } static char *msi_unused_dirent_get() { - char *data = OPENSSL_malloc(DIRENT_SIZE); + char *data = OPENSSL_malloc(DIRENT_SIZE); - /* initialise 127 bytes */ - memset(data, 0, DIRENT_SIZE); + /* initialise 127 bytes */ + memset(data, 0, DIRENT_SIZE); - memset(data + DIRENT_LEFT_SIBLING_ID, (int)NOSTREAM, 4); - memset(data + DIRENT_RIGHT_SIBLING_ID, (int)NOSTREAM, 4); - memset(data + DIRENT_CHILD_ID, (int)NOSTREAM, 4); - return data; + memset(data + DIRENT_LEFT_SIBLING_ID, (int)NOSTREAM, 4); + memset(data + DIRENT_RIGHT_SIBLING_ID, (int)NOSTREAM, 4); + memset(data + DIRENT_CHILD_ID, (int)NOSTREAM, 4); + return data; } static int dirents_save(MSI_DIRENT *dirent, BIO *outdata, MSI_OUT *out, uint32_t *streamId, int count, int last) { - int i, childenNum; - char *entry; - STACK_OF(MSI_DIRENT) *children; - - if (!dirent || !dirent->children) { - return count; - } - children = sk_MSI_DIRENT_dup(dirent->children); - sk_MSI_DIRENT_set_cmp_func(children, &dirent_cmp_tree); - sk_MSI_DIRENT_sort(children); - childenNum = sk_MSI_DIRENT_num(children); - /* make everything black */ - dirent->entry->colorFlag = BLACK_COLOR; - dirent->entry->leftSiblingID = NOSTREAM; - if (dirent->type == DIR_STORAGE) { - if (last) { - dirent->entry->rightSiblingID = NOSTREAM; - } else { - /* make linked list rather than tree, only use next - right sibling */ - count += childenNum; - dirent->entry->rightSiblingID = *streamId + (uint32_t)count + 1; - } - } else { /* DIR_ROOT */ - dirent->entry->rightSiblingID = NOSTREAM; - } - dirent->entry->childID = *streamId + 1; - entry = msi_dirent_get(dirent->entry); - BIO_write(outdata, entry, DIRENT_SIZE); - OPENSSL_free(entry); - out->dirtreeLen += DIRENT_SIZE; - for (i = 0; i < childenNum; i++) { - MSI_DIRENT *child = sk_MSI_DIRENT_value(children, i); - int last_dir = i == childenNum - 1 ? 1 : 0; - *streamId += 1; - if (child->type == DIR_STORAGE) { - count += dirents_save(child, outdata, out, streamId, count, last_dir); - } else { /* DIR_STREAM */ - count = 0; - child->entry->colorFlag = BLACK_COLOR; - child->entry->leftSiblingID = NOSTREAM; - if (last_dir) { - child->entry->rightSiblingID = NOSTREAM; - } else { - child->entry->rightSiblingID = *streamId + 1; - } - entry = msi_dirent_get(child->entry); - BIO_write(outdata, entry, DIRENT_SIZE); - OPENSSL_free(entry); - out->dirtreeLen += DIRENT_SIZE; - } - } - sk_MSI_DIRENT_free(children); - return count; + int i, childenNum; + char *entry; + STACK_OF(MSI_DIRENT) *children; + + if (!dirent || !dirent->children) { + return count; + } + children = sk_MSI_DIRENT_dup(dirent->children); + sk_MSI_DIRENT_set_cmp_func(children, &dirent_cmp_tree); + sk_MSI_DIRENT_sort(children); + childenNum = sk_MSI_DIRENT_num(children); + /* make everything black */ + dirent->entry->colorFlag = BLACK_COLOR; + dirent->entry->leftSiblingID = NOSTREAM; + if (dirent->type == DIR_STORAGE) { + if (last) { + dirent->entry->rightSiblingID = NOSTREAM; + } else { + /* make linked list rather than tree, only use next - right sibling */ + count += childenNum; + dirent->entry->rightSiblingID = *streamId + (uint32_t)count + 1; + } + } else { /* DIR_ROOT */ + dirent->entry->rightSiblingID = NOSTREAM; + } + dirent->entry->childID = *streamId + 1; + entry = msi_dirent_get(dirent->entry); + BIO_write(outdata, entry, DIRENT_SIZE); + OPENSSL_free(entry); + out->dirtreeLen += DIRENT_SIZE; + for (i = 0; i < childenNum; i++) { + MSI_DIRENT *child = sk_MSI_DIRENT_value(children, i); + int last_dir = i == childenNum - 1 ? 1 : 0; + *streamId += 1; + if (child->type == DIR_STORAGE) { + count += dirents_save(child, outdata, out, streamId, count, last_dir); + } else { /* DIR_STREAM */ + count = 0; + child->entry->colorFlag = BLACK_COLOR; + child->entry->leftSiblingID = NOSTREAM; + if (last_dir) { + child->entry->rightSiblingID = NOSTREAM; + } else { + child->entry->rightSiblingID = *streamId + 1; + } + entry = msi_dirent_get(child->entry); + BIO_write(outdata, entry, DIRENT_SIZE); + OPENSSL_free(entry); + out->dirtreeLen += DIRENT_SIZE; + } + } + sk_MSI_DIRENT_free(children); + return count; } static void dirtree_save(MSI_DIRENT *dirent, BIO *outdata, MSI_OUT *out) { - char buf[MAX_SECTOR_SIZE]; - char *unused_entry; - uint32_t i, remain, streamId = 0; + char buf[MAX_SECTOR_SIZE]; + char *unused_entry; + uint32_t i, remain, streamId = 0; - /* set Directory Starting Sector Location in the header */ - PUT_UINT32_LE(out->sectorNum, buf); - memcpy(out->header + HEADER_DIR_SECTOR_LOC, buf, 4); + /* set Directory Starting Sector Location in the header */ + PUT_UINT32_LE(out->sectorNum, buf); + memcpy(out->header + HEADER_DIR_SECTOR_LOC, buf, 4); - /* set the size of the mini stream in the root object */ - if (dirent->type == DIR_ROOT) { - PUT_UINT32_LE(out->miniStreamLen, buf); - memcpy(dirent->entry->size, buf, sizeof dirent->entry->size); - } - /* sort and save all directory entries */ - dirents_save(dirent, outdata, out, &streamId, 0, 0); - /* set free (unused) directory entries */ - unused_entry = msi_unused_dirent_get(); - if (out->dirtreeLen % out->sectorSize > 0) { - remain = out->sectorSize - out->dirtreeLen % out->sectorSize; - while (remain > 0) { - BIO_write(outdata, unused_entry, DIRENT_SIZE); - remain -= DIRENT_SIZE; - } - } - OPENSSL_free(unused_entry); - /* set a sector chain in the FAT */ - out->dirtreeSectorsCount = (out->dirtreeLen + out->sectorSize - 1) / out->sectorSize; - for (i=1; idirtreeSectorsCount; i++) { - PUT_UINT32_LE(out->sectorNum + i, buf); - fat_append(out, buf, 4); - } - /* mark the end of the directory chain */ - PUT_UINT32_LE(ENDOFCHAIN, buf); - fat_append(out, buf, 4); + /* set the size of the mini stream in the root object */ + if (dirent->type == DIR_ROOT) { + PUT_UINT32_LE(out->miniStreamLen, buf); + memcpy(dirent->entry->size, buf, sizeof dirent->entry->size); + } + /* sort and save all directory entries */ + dirents_save(dirent, outdata, out, &streamId, 0, 0); + /* set free (unused) directory entries */ + unused_entry = msi_unused_dirent_get(); + if (out->dirtreeLen % out->sectorSize > 0) { + remain = out->sectorSize - out->dirtreeLen % out->sectorSize; + while (remain > 0) { + BIO_write(outdata, unused_entry, DIRENT_SIZE); + remain -= DIRENT_SIZE; + } + } + OPENSSL_free(unused_entry); + /* set a sector chain in the FAT */ + out->dirtreeSectorsCount = (out->dirtreeLen + out->sectorSize - 1) / out->sectorSize; + for (i=1; idirtreeSectorsCount; i++) { + PUT_UINT32_LE(out->sectorNum + i, buf); + fat_append(out, buf, 4); + } + /* mark the end of the directory chain */ + PUT_UINT32_LE(ENDOFCHAIN, buf); + fat_append(out, buf, 4); - out->sectorNum += out->dirtreeSectorsCount; + out->sectorNum += out->dirtreeSectorsCount; } static int fat_save(BIO *outdata, MSI_OUT *out) { - char buf[MAX_SECTOR_SIZE]; - uint32_t i, remain; + char buf[MAX_SECTOR_SIZE]; + uint32_t i, remain; - remain = (out->fatLen + out->sectorSize - 1) / out->sectorSize; - out->fatSectorsCount = (out->fatLen + remain * 4 + out->sectorSize - 1) / out->sectorSize; + remain = (out->fatLen + out->sectorSize - 1) / out->sectorSize; + out->fatSectorsCount = (out->fatLen + remain * 4 + out->sectorSize - 1) / out->sectorSize; - /* mark FAT sectors in the FAT chain */ - PUT_UINT32_LE(FATSECT, buf); - for (i=0; ifatSectorsCount; i++) { - fat_append(out, buf, 4); - } - /* set 109 FAT sectors in HEADER_DIFAT table */ - for (i=0; ifatSectorsCount, DIFAT_IN_HEADER); i++) { - PUT_UINT32_LE(out->sectorNum + i, buf); - memcpy(out->header + HEADER_DIFAT + i * 4, buf, 4); - } - out->sectorNum += out->fatSectorsCount; + /* mark FAT sectors in the FAT chain */ + PUT_UINT32_LE(FATSECT, buf); + for (i=0; ifatSectorsCount; i++) { + fat_append(out, buf, 4); + } + /* set 109 FAT sectors in HEADER_DIFAT table */ + for (i=0; ifatSectorsCount, DIFAT_IN_HEADER); i++) { + PUT_UINT32_LE(out->sectorNum + i, buf); + memcpy(out->header + HEADER_DIFAT + i * 4, buf, 4); + } + out->sectorNum += out->fatSectorsCount; - if (out->fatSectorsCount > DIFAT_IN_HEADER) { - /* TODO set FAT sectors in DIFAT sector */ - printf("DIFAT sectors are not supported\n"); - return 0; /* FAILED */ - } - /* empty unallocated free sectors in the last FAT sector */ - if (out->fatLen % out->sectorSize > 0) { - remain = out->sectorSize - out->fatLen % out->sectorSize; - memset(buf, (int)FREESECT, (size_t)remain); - fat_append(out, buf, remain); - } - BIO_write(outdata, out->fat, (int)out->fatLen); - return 1; /* OK */ + if (out->fatSectorsCount > DIFAT_IN_HEADER) { + /* TODO set FAT sectors in DIFAT sector */ + printf("DIFAT sectors are not supported\n"); + return 0; /* FAILED */ + } + /* empty unallocated free sectors in the last FAT sector */ + if (out->fatLen % out->sectorSize > 0) { + remain = out->sectorSize - out->fatLen % out->sectorSize; + memset(buf, (int)FREESECT, (size_t)remain); + fat_append(out, buf, remain); + } + BIO_write(outdata, out->fat, (int)out->fatLen); + return 1; /* OK */ } static void header_save(BIO *outdata, MSI_OUT *out) { - char buf[MAX_SECTOR_SIZE]; - uint32_t remain; + char buf[MAX_SECTOR_SIZE]; + uint32_t remain; - /* set Number of FAT sectors in the header */ - PUT_UINT32_LE(out->fatSectorsCount, buf); - memcpy(out->header + HEADER_FAT_SECTORS_NUM, buf, 4); + /* set Number of FAT sectors in the header */ + PUT_UINT32_LE(out->fatSectorsCount, buf); + memcpy(out->header + HEADER_FAT_SECTORS_NUM, buf, 4); - /* set Number of Mini FAT sectors in the header */ - PUT_UINT32_LE(out->minifatSectorsCount, buf); - memcpy(out->header + HEADER_MINI_FAT_SECTORS_NUM, buf, 4); + /* set Number of Mini FAT sectors in the header */ + PUT_UINT32_LE(out->minifatSectorsCount, buf); + memcpy(out->header + HEADER_MINI_FAT_SECTORS_NUM, buf, 4); - /* set Number of Directory Sectors in the header if Major Version is 4 */ - if (out->sectorSize == 4096) { - PUT_UINT32_LE(out->dirtreeSectorsCount, buf); - memcpy(out->header + HEADER_DIR_SECTORS_NUM, buf, 4); - } - (void)BIO_seek(outdata, 0); - BIO_write(outdata, out->header, HEADER_SIZE); + /* set Number of Directory Sectors in the header if Major Version is 4 */ + if (out->sectorSize == 4096) { + PUT_UINT32_LE(out->dirtreeSectorsCount, buf); + memcpy(out->header + HEADER_DIR_SECTORS_NUM, buf, 4); + } + (void)BIO_seek(outdata, 0); + BIO_write(outdata, out->header, HEADER_SIZE); - remain = out->sectorSize - HEADER_SIZE; - memset(buf, 0, (size_t)remain); - BIO_write(outdata, buf, (int)remain); + remain = out->sectorSize - HEADER_SIZE; + memset(buf, 0, (size_t)remain); + BIO_write(outdata, buf, (int)remain); } static char *header_new(MSI_FILE_HDR *hdr, MSI_OUT *out) { - int i; - char buf[4]; - char *data = OPENSSL_malloc(HEADER_SIZE); - static u_char dead_food[] = { - 0xde, 0xad, 0xf0, 0x0d - }; + int i; + char buf[4]; + char *data = OPENSSL_malloc(HEADER_SIZE); + static u_char dead_food[] = { + 0xde, 0xad, 0xf0, 0x0d + }; - /* initialise 512 bytes */ - memset(data, 0, HEADER_SIZE); + /* initialise 512 bytes */ + memset(data, 0, HEADER_SIZE); - memcpy(data + HEADER_SIGNATURE, msi_magic, sizeof msi_magic); - memset(data + HEADER_CLSID, 0, 16); - PUT_UINT16_LE(hdr->minorVersion, buf); - memcpy(data + HEADER_MINOR_VER, buf, 2); - if (out->sectorSize == 4096) { - PUT_UINT16_LE(0x0004, buf); - } else { - PUT_UINT16_LE(0x0003, buf); - } - memcpy(data + HEADER_MAJOR_VER, buf, 2); - PUT_UINT16_LE(hdr->byteOrder, buf); - memcpy(data + HEADER_BYTE_ORDER, buf, 2); - PUT_UINT16_LE(hdr->sectorShift, buf); - if (out->sectorSize == 4096) { - PUT_UINT16_LE(0x000C, buf); - } else { - PUT_UINT16_LE(0x0009, buf); - } - memcpy(data + HEADER_SECTOR_SHIFT, buf, 2); - PUT_UINT16_LE(hdr->miniSectorShift, buf); - memcpy(data + HEADER_MINI_SECTOR_SHIFT, buf, 2); - memset(data + RESERVED, 0, 6); - memset(data + HEADER_DIR_SECTORS_NUM, 0, 4); /* not used for version 3 */ - memcpy(data + HEADER_FAT_SECTORS_NUM, dead_food, 4); - memcpy(data + HEADER_DIR_SECTOR_LOC, dead_food, 4); - memset(data + HEADER_TRANSACTION, 0, 4); /* reserved */ - PUT_UINT32_LE(MINI_STREAM_CUTOFF_SIZE, buf); - memcpy(data + HEADER_MINI_STREAM_CUTOFF, buf, 4); - memcpy(data + HEADER_MINI_FAT_SECTOR_LOC, dead_food, 4); - memcpy(data + HEADER_MINI_FAT_SECTORS_NUM, dead_food, 4); - PUT_UINT32_LE(ENDOFCHAIN, buf); - memcpy(data + HEADER_DIFAT_SECTOR_LOC, buf, 4); - memset(data + HEADER_DIFAT_SECTORS_NUM, 0, 4); /* no DIFAT */ - memcpy(data + HEADER_DIFAT, dead_food, 4); /* sector number for FAT */ - for (i = 1; i < DIFAT_IN_HEADER; i++) { - memset(data + HEADER_DIFAT + 4*i, (int)FREESECT, 4); /* free FAT sectors */ - } - return data; + memcpy(data + HEADER_SIGNATURE, msi_magic, sizeof msi_magic); + memset(data + HEADER_CLSID, 0, 16); + PUT_UINT16_LE(hdr->minorVersion, buf); + memcpy(data + HEADER_MINOR_VER, buf, 2); + if (out->sectorSize == 4096) { + PUT_UINT16_LE(0x0004, buf); + } else { + PUT_UINT16_LE(0x0003, buf); + } + memcpy(data + HEADER_MAJOR_VER, buf, 2); + PUT_UINT16_LE(hdr->byteOrder, buf); + memcpy(data + HEADER_BYTE_ORDER, buf, 2); + PUT_UINT16_LE(hdr->sectorShift, buf); + if (out->sectorSize == 4096) { + PUT_UINT16_LE(0x000C, buf); + } else { + PUT_UINT16_LE(0x0009, buf); + } + memcpy(data + HEADER_SECTOR_SHIFT, buf, 2); + PUT_UINT16_LE(hdr->miniSectorShift, buf); + memcpy(data + HEADER_MINI_SECTOR_SHIFT, buf, 2); + memset(data + RESERVED, 0, 6); + memset(data + HEADER_DIR_SECTORS_NUM, 0, 4); /* not used for version 3 */ + memcpy(data + HEADER_FAT_SECTORS_NUM, dead_food, 4); + memcpy(data + HEADER_DIR_SECTOR_LOC, dead_food, 4); + memset(data + HEADER_TRANSACTION, 0, 4); /* reserved */ + PUT_UINT32_LE(MINI_STREAM_CUTOFF_SIZE, buf); + memcpy(data + HEADER_MINI_STREAM_CUTOFF, buf, 4); + memcpy(data + HEADER_MINI_FAT_SECTOR_LOC, dead_food, 4); + memcpy(data + HEADER_MINI_FAT_SECTORS_NUM, dead_food, 4); + PUT_UINT32_LE(ENDOFCHAIN, buf); + memcpy(data + HEADER_DIFAT_SECTOR_LOC, buf, 4); + memset(data + HEADER_DIFAT_SECTORS_NUM, 0, 4); /* no DIFAT */ + memcpy(data + HEADER_DIFAT, dead_food, 4); /* sector number for FAT */ + for (i = 1; i < DIFAT_IN_HEADER; i++) { + memset(data + HEADER_DIFAT + 4*i, (int)FREESECT, 4); /* free FAT sectors */ + } + return data; } static int msiout_set(MSI_FILE *msi, uint32_t len_msi, uint32_t len_msiex, MSI_OUT *out) { - uint32_t msi_size, msiex_size; + uint32_t msi_size, msiex_size; - out->sectorSize = msi->m_sectorSize; + out->sectorSize = msi->m_sectorSize; - if (len_msi <= MINI_STREAM_CUTOFF_SIZE) { - msi_size = ((len_msi + msi->m_minisectorSize - 1) / msi->m_minisectorSize) * msi->m_minisectorSize; - } else { - msi_size = ((len_msi + msi->m_sectorSize - 1) / msi->m_sectorSize) * msi->m_sectorSize; - } - msiex_size = ((len_msiex + msi->m_minisectorSize - 1) / msi->m_minisectorSize) * msi->m_minisectorSize; - /* - * no DIFAT sectors will be needed in a file that is smaller than - * 6,813 MB (version 3 files), respectively 436,004 MB (version 4 files) - */ - if (msi->m_bufferLen + msi_size + msiex_size > 7143936) { - out->sectorSize = 4096; - } - if (msi->m_bufferLen + msi_size + msiex_size > 457183232) { - printf("DIFAT sectors are not supported\n"); - return 0;/* FAILED */ - } - out->header = header_new(msi->m_hdr, out); - out->minifatMemallocCount = msi->m_hdr->numMiniFATSector; - out->fatMemallocCount = msi->m_hdr->numFATSector; - out->ministream = NULL; - out->minifat = OPENSSL_malloc((uint64_t)out->minifatMemallocCount * out->sectorSize); - out->fat = OPENSSL_malloc((uint64_t)out->fatMemallocCount * out->sectorSize); - out->miniSectorNum = 0; - out->sectorNum = 0; - return 1; /* OK */ + if (len_msi <= MINI_STREAM_CUTOFF_SIZE) { + msi_size = ((len_msi + msi->m_minisectorSize - 1) / msi->m_minisectorSize) * msi->m_minisectorSize; + } else { + msi_size = ((len_msi + msi->m_sectorSize - 1) / msi->m_sectorSize) * msi->m_sectorSize; + } + msiex_size = ((len_msiex + msi->m_minisectorSize - 1) / msi->m_minisectorSize) * msi->m_minisectorSize; + /* + * no DIFAT sectors will be needed in a file that is smaller than + * 6,813 MB (version 3 files), respectively 436,004 MB (version 4 files) + */ + if (msi->m_bufferLen + msi_size + msiex_size > 7143936) { + out->sectorSize = 4096; + } + if (msi->m_bufferLen + msi_size + msiex_size > 457183232) { + printf("DIFAT sectors are not supported\n"); + return 0;/* FAILED */ + } + out->header = header_new(msi->m_hdr, out); + out->minifatMemallocCount = msi->m_hdr->numMiniFATSector; + out->fatMemallocCount = msi->m_hdr->numFATSector; + out->ministream = NULL; + out->minifat = OPENSSL_malloc((uint64_t)out->minifatMemallocCount * out->sectorSize); + out->fat = OPENSSL_malloc((uint64_t)out->fatMemallocCount * out->sectorSize); + out->miniSectorNum = 0; + out->sectorNum = 0; + return 1; /* OK */ } static int msi_file_write(MSI_FILE *msi, MSI_DIRENT *dirent, u_char *p_msi, uint32_t len_msi, - u_char *p_msiex, uint32_t len_msiex, BIO *outdata) + u_char *p_msiex, uint32_t len_msiex, BIO *outdata) { - MSI_OUT out; - int ret = 0; + MSI_OUT out; + int ret = 0; - memset(&out, 0, sizeof(MSI_OUT)); - if (!msiout_set(msi, len_msi, len_msiex, &out)) { - goto out; /* FAILED */ - } - (void)BIO_seek(outdata, out.sectorSize); + memset(&out, 0, sizeof(MSI_OUT)); + if (!msiout_set(msi, len_msi, len_msiex, &out)) { + goto out; /* FAILED */ + } + (void)BIO_seek(outdata, out.sectorSize); - if (!stream_handle(msi, dirent, p_msi, len_msi, p_msiex, len_msiex, outdata, &out, 1)) { - goto out; /* FAILED */ - } - ministream_save(dirent, outdata, &out); - minifat_save(outdata, &out); - dirtree_save(dirent, outdata, &out); - if (!fat_save(outdata, &out)) { - goto out; /* FAILED */ - } - header_save(outdata, &out); - ret = 1; /* OK */ + if (!stream_handle(msi, dirent, p_msi, len_msi, p_msiex, len_msiex, outdata, &out, 1)) { + goto out; /* FAILED */ + } + ministream_save(dirent, outdata, &out); + minifat_save(outdata, &out); + dirtree_save(dirent, outdata, &out); + if (!fat_save(outdata, &out)) { + goto out; /* FAILED */ + } + header_save(outdata, &out); + ret = 1; /* OK */ out: - OPENSSL_free(out.header); - OPENSSL_free(out.fat); - OPENSSL_free(out.minifat); - return ret; + OPENSSL_free(out.header); + OPENSSL_free(out.fat); + OPENSSL_free(out.minifat); + return ret; } /* @@ -2165,28 +2165,28 @@ out: static int msi_calc_MsiDigitalSignatureEx(FILE_FORMAT_CTX *ctx, BIO *hash) { - size_t written; - BIO *prehash = BIO_new(BIO_f_md()); + size_t written; + BIO *prehash = BIO_new(BIO_f_md()); - if (!BIO_set_md(prehash, ctx->options->md)) { - printf("Unable to set the message digest of BIO\n"); - BIO_free_all(prehash); - return 0; /* FAILED */ - } - BIO_push(prehash, BIO_new(BIO_s_null())); + if (!BIO_set_md(prehash, ctx->options->md)) { + printf("Unable to set the message digest of BIO\n"); + BIO_free_all(prehash); + return 0; /* FAILED */ + } + BIO_push(prehash, BIO_new(BIO_s_null())); - if (!msi_prehash_dir(ctx->msi_ctx->dirent, prehash, 1)) { - printf("Unable to calculate MSI pre-hash ('metadata') hash\n"); - return 0; /* FAILED */ - } - ctx->msi_ctx->p_msiex = OPENSSL_malloc(EVP_MAX_MD_SIZE); - ctx->msi_ctx->len_msiex = (uint32_t)BIO_gets(prehash, - (char *)ctx->msi_ctx->p_msiex, EVP_MAX_MD_SIZE); - if (!BIO_write_ex(hash, ctx->msi_ctx->p_msiex, ctx->msi_ctx->len_msiex, &written) - || written != ctx->msi_ctx->len_msiex) - return 0; /* FAILED */ - BIO_free_all(prehash); - return 1; /* OK */ + if (!msi_prehash_dir(ctx->msi_ctx->dirent, prehash, 1)) { + printf("Unable to calculate MSI pre-hash ('metadata') hash\n"); + return 0; /* FAILED */ + } + ctx->msi_ctx->p_msiex = OPENSSL_malloc(EVP_MAX_MD_SIZE); + ctx->msi_ctx->len_msiex = (uint32_t)BIO_gets(prehash, + (char *)ctx->msi_ctx->p_msiex, EVP_MAX_MD_SIZE); + if (!BIO_write_ex(hash, ctx->msi_ctx->p_msiex, ctx->msi_ctx->len_msiex, &written) + || written != ctx->msi_ctx->len_msiex) + return 0; /* FAILED */ + BIO_free_all(prehash); + return 1; /* OK */ } /* @@ -2197,33 +2197,33 @@ static int msi_calc_MsiDigitalSignatureEx(FILE_FORMAT_CTX *ctx, BIO *hash) */ static int msi_check_MsiDigitalSignatureEx(FILE_FORMAT_CTX *ctx, MSI_ENTRY *dse) { - if (dse && GET_UINT32_LE(dse->size) != (uint32_t)EVP_MD_size(ctx->options->md)) { - printf("Unable to add nested signature with a different MD type (-h parameter) " - "than what exists in the MSI file already.\nThis is due to the presence of " - "MsiDigitalSignatureEx (-add-msi-dse parameter).\n\n"); - return 0; /* FAILED */ - } - if (!dse && ctx->options->add_msi_dse) { - printf("Unable to add signature with -add-msi-dse parameter " - "without breaking the initial signature.\n\n"); - return 0; /* FAILED */ - } - if (dse && !ctx->options->add_msi_dse) { - printf("Unable to add signature without -add-msi-dse parameter " - "without breaking the initial signature.\nThis is due to the presence of " - "MsiDigitalSignatureEx (-add-msi-dse parameter).\n" - "Should use -add-msi-dse options in this case.\n\n"); - return 0; /* FAILED */ - } - return 1; /* OK */ + if (dse && GET_UINT32_LE(dse->size) != (uint32_t)EVP_MD_size(ctx->options->md)) { + printf("Unable to add nested signature with a different MD type (-h parameter) " + "than what exists in the MSI file already.\nThis is due to the presence of " + "MsiDigitalSignatureEx (-add-msi-dse parameter).\n\n"); + return 0; /* FAILED */ + } + if (!dse && ctx->options->add_msi_dse) { + printf("Unable to add signature with -add-msi-dse parameter " + "without breaking the initial signature.\n\n"); + return 0; /* FAILED */ + } + if (dse && !ctx->options->add_msi_dse) { + printf("Unable to add signature without -add-msi-dse parameter " + "without breaking the initial signature.\nThis is due to the presence of " + "MsiDigitalSignatureEx (-add-msi-dse parameter).\n" + "Should use -add-msi-dse options in this case.\n\n"); + return 0; /* FAILED */ + } + return 1; /* OK */ } /* Local Variables: c-basic-offset: 4 tab-width: 4 - indent-tabs-mode: t + indent-tabs-mode: nil End: - vim: set ts=4 noexpandtab: + vim: set ts=4 expandtab: */ diff --git a/osslsigncode.c b/osslsigncode.c index 5327edc..a199121 100644 --- a/osslsigncode.c +++ b/osslsigncode.c @@ -36,23 +36,23 @@ * Peter Gutmann's analysis of Authenticode: - https://www.cs.auckland.ac.nz/~pgut001/pubs/authenticode.txt + https://www.cs.auckland.ac.nz/~pgut001/pubs/authenticode.txt * MS CAB SDK documentation - https://docs.microsoft.com/en-us/previous-versions/ms974336(v=msdn.10) + https://docs.microsoft.com/en-us/previous-versions/ms974336(v=msdn.10) * MS PE/COFF documentation - https://docs.microsoft.com/en-us/windows/win32/debug/pe-format + https://docs.microsoft.com/en-us/windows/win32/debug/pe-format * MS Windows Authenticode PE Signature Format - http://msdn.microsoft.com/en-US/windows/hardware/gg463183 + http://msdn.microsoft.com/en-US/windows/hardware/gg463183 - (Although the part of how the actual checksumming is done is not - how it is done inside Windows. The end result is however the same - on all "normal" PE files.) + (Although the part of how the actual checksumming is done is not + how it is done inside Windows. The end result is however the same + on all "normal" PE files.) * tail -c, tcpdump, mimencode & openssl asn1parse :) @@ -68,7 +68,7 @@ * 6:d=1 hl=2 l= 0 cons: SEQUENCE */ const u_char java_attrs_low[] = { - 0x30, 0x06, 0x03, 0x02, 0x00, 0x01, 0x30, 0x00 + 0x30, 0x06, 0x03, 0x02, 0x00, 0x01, 0x30, 0x00 }; /* @@ -77,8 +77,8 @@ const u_char java_attrs_low[] = { * 2:d=1 hl=2 l= 10 prim: OBJECT :Microsoft Individual Code Signing */ const u_char purpose_ind[] = { - 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, - 0x01, 0x82, 0x37, 0x02, 0x01, 0x15 + 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, + 0x01, 0x82, 0x37, 0x02, 0x01, 0x15 }; /* @@ -87,80 +87,80 @@ const u_char purpose_ind[] = { * 2:d=1 hl=2 l= 10 prim: OBJECT :Microsoft Commercial Code Signing */ const u_char purpose_comm[] = { - 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, - 0x01, 0x82, 0x37, 0x02, 0x01, 0x16 + 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, + 0x01, 0x82, 0x37, 0x02, 0x01, 0x16 }; /* * ASN.1 definitions (more or less from official MS Authenticode docs) */ ASN1_CHOICE(SpcString) = { - ASN1_IMP_OPT(SpcString, value.unicode, ASN1_BMPSTRING, 0), - ASN1_IMP_OPT(SpcString, value.ascii, ASN1_IA5STRING, 1) + ASN1_IMP_OPT(SpcString, value.unicode, ASN1_BMPSTRING, 0), + ASN1_IMP_OPT(SpcString, value.ascii, ASN1_IA5STRING, 1) } ASN1_CHOICE_END(SpcString) IMPLEMENT_ASN1_FUNCTIONS(SpcString) ASN1_SEQUENCE(SpcSerializedObject) = { - ASN1_SIMPLE(SpcSerializedObject, classId, ASN1_OCTET_STRING), - ASN1_SIMPLE(SpcSerializedObject, serializedData, ASN1_OCTET_STRING) + ASN1_SIMPLE(SpcSerializedObject, classId, ASN1_OCTET_STRING), + ASN1_SIMPLE(SpcSerializedObject, serializedData, ASN1_OCTET_STRING) } ASN1_SEQUENCE_END(SpcSerializedObject) IMPLEMENT_ASN1_FUNCTIONS(SpcSerializedObject) ASN1_CHOICE(SpcLink) = { - ASN1_IMP_OPT(SpcLink, value.url, ASN1_IA5STRING, 0), - ASN1_IMP_OPT(SpcLink, value.moniker, SpcSerializedObject, 1), - ASN1_EXP_OPT(SpcLink, value.file, SpcString, 2) + ASN1_IMP_OPT(SpcLink, value.url, ASN1_IA5STRING, 0), + ASN1_IMP_OPT(SpcLink, value.moniker, SpcSerializedObject, 1), + ASN1_EXP_OPT(SpcLink, value.file, SpcString, 2) } ASN1_CHOICE_END(SpcLink) IMPLEMENT_ASN1_FUNCTIONS(SpcLink) ASN1_SEQUENCE(SpcSpOpusInfo) = { - ASN1_EXP_OPT(SpcSpOpusInfo, programName, SpcString, 0), - ASN1_EXP_OPT(SpcSpOpusInfo, moreInfo, SpcLink, 1) + ASN1_EXP_OPT(SpcSpOpusInfo, programName, SpcString, 0), + ASN1_EXP_OPT(SpcSpOpusInfo, moreInfo, SpcLink, 1) } ASN1_SEQUENCE_END(SpcSpOpusInfo) IMPLEMENT_ASN1_FUNCTIONS(SpcSpOpusInfo) ASN1_SEQUENCE(SpcAttributeTypeAndOptionalValue) = { - ASN1_SIMPLE(SpcAttributeTypeAndOptionalValue, type, ASN1_OBJECT), - ASN1_OPT(SpcAttributeTypeAndOptionalValue, value, ASN1_ANY) + ASN1_SIMPLE(SpcAttributeTypeAndOptionalValue, type, ASN1_OBJECT), + ASN1_OPT(SpcAttributeTypeAndOptionalValue, value, ASN1_ANY) } ASN1_SEQUENCE_END(SpcAttributeTypeAndOptionalValue) IMPLEMENT_ASN1_FUNCTIONS(SpcAttributeTypeAndOptionalValue) ASN1_SEQUENCE(AlgorithmIdentifier) = { - ASN1_SIMPLE(AlgorithmIdentifier, algorithm, ASN1_OBJECT), - ASN1_OPT(AlgorithmIdentifier, parameters, ASN1_ANY) + ASN1_SIMPLE(AlgorithmIdentifier, algorithm, ASN1_OBJECT), + ASN1_OPT(AlgorithmIdentifier, parameters, ASN1_ANY) } ASN1_SEQUENCE_END(AlgorithmIdentifier) IMPLEMENT_ASN1_FUNCTIONS(AlgorithmIdentifier) ASN1_SEQUENCE(DigestInfo) = { - ASN1_SIMPLE(DigestInfo, digestAlgorithm, AlgorithmIdentifier), - ASN1_SIMPLE(DigestInfo, digest, ASN1_OCTET_STRING) + ASN1_SIMPLE(DigestInfo, digestAlgorithm, AlgorithmIdentifier), + ASN1_SIMPLE(DigestInfo, digest, ASN1_OCTET_STRING) } ASN1_SEQUENCE_END(DigestInfo) IMPLEMENT_ASN1_FUNCTIONS(DigestInfo) ASN1_SEQUENCE(SpcIndirectDataContent) = { - ASN1_SIMPLE(SpcIndirectDataContent, data, SpcAttributeTypeAndOptionalValue), - ASN1_SIMPLE(SpcIndirectDataContent, messageDigest, DigestInfo) + ASN1_SIMPLE(SpcIndirectDataContent, data, SpcAttributeTypeAndOptionalValue), + ASN1_SIMPLE(SpcIndirectDataContent, messageDigest, DigestInfo) } ASN1_SEQUENCE_END(SpcIndirectDataContent) IMPLEMENT_ASN1_FUNCTIONS(SpcIndirectDataContent) ASN1_SEQUENCE(CatalogAuthAttr) = { - ASN1_SIMPLE(CatalogAuthAttr, type, ASN1_OBJECT), - ASN1_OPT(CatalogAuthAttr, contents, ASN1_ANY) + ASN1_SIMPLE(CatalogAuthAttr, type, ASN1_OBJECT), + ASN1_OPT(CatalogAuthAttr, contents, ASN1_ANY) } ASN1_SEQUENCE_END(CatalogAuthAttr) IMPLEMENT_ASN1_FUNCTIONS(CatalogAuthAttr) ASN1_SEQUENCE(MessageImprint) = { - ASN1_SIMPLE(MessageImprint, digestAlgorithm, AlgorithmIdentifier), - ASN1_SIMPLE(MessageImprint, digest, ASN1_OCTET_STRING) + ASN1_SIMPLE(MessageImprint, digestAlgorithm, AlgorithmIdentifier), + ASN1_SIMPLE(MessageImprint, digest, ASN1_OCTET_STRING) } ASN1_SEQUENCE_END(MessageImprint) IMPLEMENT_ASN1_FUNCTIONS(MessageImprint) @@ -168,15 +168,15 @@ IMPLEMENT_ASN1_FUNCTIONS(MessageImprint) #ifdef ENABLE_CURL ASN1_SEQUENCE(TimeStampRequestBlob) = { - ASN1_SIMPLE(TimeStampRequestBlob, type, ASN1_OBJECT), - ASN1_EXP_OPT(TimeStampRequestBlob, signature, ASN1_OCTET_STRING, 0) + ASN1_SIMPLE(TimeStampRequestBlob, type, ASN1_OBJECT), + ASN1_EXP_OPT(TimeStampRequestBlob, signature, ASN1_OCTET_STRING, 0) } ASN1_SEQUENCE_END(TimeStampRequestBlob) IMPLEMENT_ASN1_FUNCTIONS(TimeStampRequestBlob) ASN1_SEQUENCE(TimeStampRequest) = { - ASN1_SIMPLE(TimeStampRequest, type, ASN1_OBJECT), - ASN1_SIMPLE(TimeStampRequest, blob, TimeStampRequestBlob) + ASN1_SIMPLE(TimeStampRequest, type, ASN1_OBJECT), + ASN1_SIMPLE(TimeStampRequest, blob, TimeStampRequestBlob) } ASN1_SEQUENCE_END(TimeStampRequest) IMPLEMENT_ASN1_FUNCTIONS(TimeStampRequest) @@ -184,27 +184,27 @@ IMPLEMENT_ASN1_FUNCTIONS(TimeStampRequest) /* RFC3161 Time stamping */ ASN1_SEQUENCE(PKIStatusInfo) = { - ASN1_SIMPLE(PKIStatusInfo, status, ASN1_INTEGER), - ASN1_SEQUENCE_OF_OPT(PKIStatusInfo, statusString, ASN1_UTF8STRING), - ASN1_OPT(PKIStatusInfo, failInfo, ASN1_BIT_STRING) + ASN1_SIMPLE(PKIStatusInfo, status, ASN1_INTEGER), + ASN1_SEQUENCE_OF_OPT(PKIStatusInfo, statusString, ASN1_UTF8STRING), + ASN1_OPT(PKIStatusInfo, failInfo, ASN1_BIT_STRING) } ASN1_SEQUENCE_END(PKIStatusInfo) IMPLEMENT_ASN1_FUNCTIONS(PKIStatusInfo) ASN1_SEQUENCE(TimeStampResp) = { - ASN1_SIMPLE(TimeStampResp, status, PKIStatusInfo), - ASN1_OPT(TimeStampResp, token, PKCS7) + ASN1_SIMPLE(TimeStampResp, status, PKIStatusInfo), + ASN1_OPT(TimeStampResp, token, PKCS7) } ASN1_SEQUENCE_END(TimeStampResp) IMPLEMENT_ASN1_FUNCTIONS(TimeStampResp) ASN1_SEQUENCE(TimeStampReq) = { - ASN1_SIMPLE(TimeStampReq, version, ASN1_INTEGER), - ASN1_SIMPLE(TimeStampReq, messageImprint, MessageImprint), - ASN1_OPT (TimeStampReq, reqPolicy, ASN1_OBJECT), - ASN1_OPT (TimeStampReq, nonce, ASN1_INTEGER), - ASN1_SIMPLE(TimeStampReq, certReq, ASN1_FBOOLEAN), - ASN1_IMP_SEQUENCE_OF_OPT(TimeStampReq, extensions, X509_EXTENSION, 0) + ASN1_SIMPLE(TimeStampReq, version, ASN1_INTEGER), + ASN1_SIMPLE(TimeStampReq, messageImprint, MessageImprint), + ASN1_OPT (TimeStampReq, reqPolicy, ASN1_OBJECT), + ASN1_OPT (TimeStampReq, nonce, ASN1_INTEGER), + ASN1_SIMPLE(TimeStampReq, certReq, ASN1_FBOOLEAN), + ASN1_IMP_SEQUENCE_OF_OPT(TimeStampReq, extensions, X509_EXTENSION, 0) } ASN1_SEQUENCE_END(TimeStampReq) IMPLEMENT_ASN1_FUNCTIONS(TimeStampReq) @@ -212,42 +212,42 @@ IMPLEMENT_ASN1_FUNCTIONS(TimeStampReq) #endif /* ENABLE_CURL */ ASN1_SEQUENCE(TimeStampAccuracy) = { - ASN1_OPT(TimeStampAccuracy, seconds, ASN1_INTEGER), - ASN1_IMP_OPT(TimeStampAccuracy, millis, ASN1_INTEGER, 0), - ASN1_IMP_OPT(TimeStampAccuracy, micros, ASN1_INTEGER, 1) + ASN1_OPT(TimeStampAccuracy, seconds, ASN1_INTEGER), + ASN1_IMP_OPT(TimeStampAccuracy, millis, ASN1_INTEGER, 0), + ASN1_IMP_OPT(TimeStampAccuracy, micros, ASN1_INTEGER, 1) } ASN1_SEQUENCE_END(TimeStampAccuracy) IMPLEMENT_ASN1_FUNCTIONS(TimeStampAccuracy) ASN1_SEQUENCE(TimeStampToken) = { - ASN1_SIMPLE(TimeStampToken, version, ASN1_INTEGER), - ASN1_SIMPLE(TimeStampToken, policy_id, ASN1_OBJECT), - ASN1_SIMPLE(TimeStampToken, messageImprint, MessageImprint), - ASN1_SIMPLE(TimeStampToken, serial, ASN1_INTEGER), - ASN1_SIMPLE(TimeStampToken, time, ASN1_GENERALIZEDTIME), - ASN1_OPT(TimeStampToken, accuracy, TimeStampAccuracy), - ASN1_OPT(TimeStampToken, ordering, ASN1_FBOOLEAN), - ASN1_OPT(TimeStampToken, nonce, ASN1_INTEGER), - ASN1_EXP_OPT(TimeStampToken, tsa, GENERAL_NAME, 0), - ASN1_IMP_SEQUENCE_OF_OPT(TimeStampToken, extensions, X509_EXTENSION, 1) + ASN1_SIMPLE(TimeStampToken, version, ASN1_INTEGER), + ASN1_SIMPLE(TimeStampToken, policy_id, ASN1_OBJECT), + ASN1_SIMPLE(TimeStampToken, messageImprint, MessageImprint), + ASN1_SIMPLE(TimeStampToken, serial, ASN1_INTEGER), + ASN1_SIMPLE(TimeStampToken, time, ASN1_GENERALIZEDTIME), + ASN1_OPT(TimeStampToken, accuracy, TimeStampAccuracy), + ASN1_OPT(TimeStampToken, ordering, ASN1_FBOOLEAN), + ASN1_OPT(TimeStampToken, nonce, ASN1_INTEGER), + ASN1_EXP_OPT(TimeStampToken, tsa, GENERAL_NAME, 0), + ASN1_IMP_SEQUENCE_OF_OPT(TimeStampToken, extensions, X509_EXTENSION, 1) } ASN1_SEQUENCE_END(TimeStampToken) IMPLEMENT_ASN1_FUNCTIONS(TimeStampToken) ASN1_SEQUENCE(CatalogInfo) = { - ASN1_SIMPLE(CatalogInfo, digest, ASN1_OCTET_STRING), - ASN1_SET_OF(CatalogInfo, attributes, CatalogAuthAttr) + ASN1_SIMPLE(CatalogInfo, digest, ASN1_OCTET_STRING), + ASN1_SET_OF(CatalogInfo, attributes, CatalogAuthAttr) } ASN1_SEQUENCE_END(CatalogInfo) IMPLEMENT_ASN1_FUNCTIONS(CatalogInfo) ASN1_SEQUENCE(MsCtlContent) = { - ASN1_SIMPLE(MsCtlContent, type, SpcAttributeTypeAndOptionalValue), - ASN1_SIMPLE(MsCtlContent, identifier, ASN1_OCTET_STRING), - ASN1_SIMPLE(MsCtlContent, time, ASN1_UTCTIME), - ASN1_SIMPLE(MsCtlContent, version, SpcAttributeTypeAndOptionalValue), - ASN1_SEQUENCE_OF(MsCtlContent, header_attributes, CatalogInfo), - ASN1_OPT(MsCtlContent, filename, ASN1_ANY) + ASN1_SIMPLE(MsCtlContent, type, SpcAttributeTypeAndOptionalValue), + ASN1_SIMPLE(MsCtlContent, identifier, ASN1_OCTET_STRING), + ASN1_SIMPLE(MsCtlContent, time, ASN1_UTCTIME), + ASN1_SIMPLE(MsCtlContent, version, SpcAttributeTypeAndOptionalValue), + ASN1_SEQUENCE_OF(MsCtlContent, header_attributes, CatalogInfo), + ASN1_OPT(MsCtlContent, filename, ASN1_ANY) } ASN1_SEQUENCE_END(MsCtlContent) IMPLEMENT_ASN1_FUNCTIONS(MsCtlContent) @@ -258,7 +258,7 @@ static time_t time_t_get_asn1_time(const ASN1_TIME *s); static time_t time_t_get_si_time(PKCS7_SIGNER_INFO *si); static time_t time_t_get_cms_time(CMS_ContentInfo *cms); static CMS_ContentInfo *cms_get_timestamp(PKCS7_SIGNED *p7_signed, - PKCS7_SIGNER_INFO *countersignature); + PKCS7_SIGNER_INFO *countersignature); #ifdef ENABLE_CURL @@ -269,15 +269,15 @@ static int blob_has_nl = 0; */ static size_t curl_write(void *ptr, size_t sz, size_t nmemb, void *stream) { - size_t written, len = sz * nmemb; + size_t written, len = sz * nmemb; - if (len > 0 && !blob_has_nl) { - if (memchr(ptr, '\n', len)) - blob_has_nl = 1; - } - if (!BIO_write_ex((BIO*)stream, ptr, len, &written) || written != len) - return 0; /* FAILED */ - return written; + if (len > 0 && !blob_has_nl) { + if (memchr(ptr, '\n', len)) + blob_has_nl = 1; + } + if (!BIO_write_ex((BIO*)stream, ptr, len, &written) || written != len) + return 0; /* FAILED */ + return written; } /* @@ -287,14 +287,14 @@ static size_t curl_write(void *ptr, size_t sz, size_t nmemb, void *stream) */ static void print_timestamp_error(const char *url, long http_code) { - if (http_code != -1) { - printf("Failed to convert timestamp reply from %s; " - "HTTP status %ld\n", url, http_code); - } else { - printf("Failed to convert timestamp reply from %s; " - "no HTTP status available", url); - } - ERR_print_errors_fp(stdout); + if (http_code != -1) { + printf("Failed to convert timestamp reply from %s; " + "HTTP status %ld\n", url, http_code); + } else { + printf("Failed to convert timestamp reply from %s; " + "no HTTP status available", url); + } + ERR_print_errors_fp(stdout); } /* @@ -331,52 +331,52 @@ static void print_timestamp_error(const char *url, long http_code) */ static BIO *bio_encode_rfc3161_request(PKCS7 *p7, const EVP_MD *md) { - STACK_OF(PKCS7_SIGNER_INFO) *signer_info; - PKCS7_SIGNER_INFO *si; - u_char mdbuf[EVP_MAX_MD_SIZE]; - TimeStampReq *req; - BIO *bout, *bhash; - u_char *p; - int len; + STACK_OF(PKCS7_SIGNER_INFO) *signer_info; + PKCS7_SIGNER_INFO *si; + u_char mdbuf[EVP_MAX_MD_SIZE]; + TimeStampReq *req; + BIO *bout, *bhash; + u_char *p; + int len; - signer_info = PKCS7_get_signer_info(p7); - if (!signer_info) - return NULL; /* FAILED */ + signer_info = PKCS7_get_signer_info(p7); + if (!signer_info) + return NULL; /* FAILED */ - si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); - if (!si) - return NULL; /* FAILED */ + si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); + if (!si) + return NULL; /* FAILED */ - bhash = BIO_new(BIO_f_md()); - if (!BIO_set_md(bhash, md)) { - printf("Unable to set the message digest of BIO\n"); - BIO_free_all(bhash); - return NULL; /* FAILED */ - } - BIO_push(bhash, BIO_new(BIO_s_null())); - BIO_write(bhash, si->enc_digest->data, si->enc_digest->length); - BIO_gets(bhash, (char*)mdbuf, EVP_MD_size(md)); - BIO_free_all(bhash); + bhash = BIO_new(BIO_f_md()); + if (!BIO_set_md(bhash, md)) { + printf("Unable to set the message digest of BIO\n"); + BIO_free_all(bhash); + return NULL; /* FAILED */ + } + BIO_push(bhash, BIO_new(BIO_s_null())); + BIO_write(bhash, si->enc_digest->data, si->enc_digest->length); + BIO_gets(bhash, (char*)mdbuf, EVP_MD_size(md)); + BIO_free_all(bhash); - req = TimeStampReq_new(); - ASN1_INTEGER_set(req->version, 1); - req->messageImprint->digestAlgorithm->algorithm = OBJ_nid2obj(EVP_MD_nid(md)); - req->messageImprint->digestAlgorithm->parameters = ASN1_TYPE_new(); - req->messageImprint->digestAlgorithm->parameters->type = V_ASN1_NULL; - ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md)); - req->certReq = 0xFF; + req = TimeStampReq_new(); + ASN1_INTEGER_set(req->version, 1); + req->messageImprint->digestAlgorithm->algorithm = OBJ_nid2obj(EVP_MD_nid(md)); + req->messageImprint->digestAlgorithm->parameters = ASN1_TYPE_new(); + req->messageImprint->digestAlgorithm->parameters->type = V_ASN1_NULL; + ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md)); + req->certReq = 0xFF; - len = i2d_TimeStampReq(req, NULL); - p = OPENSSL_malloc((size_t)len); - len = i2d_TimeStampReq(req, &p); - p -= len; - TimeStampReq_free(req); + len = i2d_TimeStampReq(req, NULL); + p = OPENSSL_malloc((size_t)len); + len = i2d_TimeStampReq(req, &p); + p -= len; + TimeStampReq_free(req); - bout = BIO_new(BIO_s_mem()); - BIO_write(bout, p, len); - OPENSSL_free(p); - (void)BIO_flush(bout); - return bout; + bout = BIO_new(BIO_s_mem()); + BIO_write(bout, p, len); + OPENSSL_free(p); + (void)BIO_flush(bout); + return bout; } /* @@ -386,40 +386,40 @@ static BIO *bio_encode_rfc3161_request(PKCS7 *p7, const EVP_MD *md) */ static BIO *bio_encode_authenticode_request(PKCS7 *p7) { - STACK_OF(PKCS7_SIGNER_INFO) *signer_info; - PKCS7_SIGNER_INFO *si; - TimeStampRequest *req; - BIO *bout, *b64; - u_char *p; - int len; + STACK_OF(PKCS7_SIGNER_INFO) *signer_info; + PKCS7_SIGNER_INFO *si; + TimeStampRequest *req; + BIO *bout, *b64; + u_char *p; + int len; - signer_info = PKCS7_get_signer_info(p7); - if (!signer_info) - return 0; /* FAILED */ + signer_info = PKCS7_get_signer_info(p7); + if (!signer_info) + return 0; /* FAILED */ - si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); - if (!si) - return 0; /* FAILED */ + si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); + if (!si) + return 0; /* FAILED */ - req = TimeStampRequest_new(); - req->type = OBJ_txt2obj(SPC_TIME_STAMP_REQUEST_OBJID, 1); - req->blob->type = OBJ_nid2obj(NID_pkcs7_data); - req->blob->signature = si->enc_digest; + req = TimeStampRequest_new(); + req->type = OBJ_txt2obj(SPC_TIME_STAMP_REQUEST_OBJID, 1); + req->blob->type = OBJ_nid2obj(NID_pkcs7_data); + req->blob->signature = si->enc_digest; - len = i2d_TimeStampRequest(req, NULL); - p = OPENSSL_malloc((size_t)len); - len = i2d_TimeStampRequest(req, &p); - p -= len; - req->blob->signature = NULL; - TimeStampRequest_free(req); + len = i2d_TimeStampRequest(req, NULL); + p = OPENSSL_malloc((size_t)len); + len = i2d_TimeStampRequest(req, &p); + p -= len; + req->blob->signature = NULL; + TimeStampRequest_free(req); - bout = BIO_new(BIO_s_mem()); - b64 = BIO_new(BIO_f_base64()); - bout = BIO_push(b64, bout); - BIO_write(bout, p, len); - OPENSSL_free(p); - (void)BIO_flush(bout); - return bout; + bout = BIO_new(BIO_s_mem()); + b64 = BIO_new(BIO_f_base64()); + bout = BIO_push(b64, bout); + BIO_write(bout, p, len); + OPENSSL_free(p); + (void)BIO_flush(bout); + return bout; } /* @@ -433,53 +433,53 @@ static BIO *bio_encode_authenticode_request(PKCS7 *p7) */ static CURLcode decode_rfc3161_response(PKCS7 *p7, BIO *bin, int verbose) { - PKCS7_SIGNER_INFO *si; - STACK_OF(X509_ATTRIBUTE) *attrs; - TimeStampResp *reply; - u_char *p; - int i, len; - STACK_OF(PKCS7_SIGNER_INFO) *signer_info = PKCS7_get_signer_info(p7); + PKCS7_SIGNER_INFO *si; + STACK_OF(X509_ATTRIBUTE) *attrs; + TimeStampResp *reply; + u_char *p; + int i, len; + STACK_OF(PKCS7_SIGNER_INFO) *signer_info = PKCS7_get_signer_info(p7); - if (!signer_info) - return 1; /* FAILED */ - si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); - if (!si) - return 1; /* FAILED */ + if (!signer_info) + return 1; /* FAILED */ + si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); + if (!si) + return 1; /* FAILED */ - reply = ASN1_item_d2i_bio(ASN1_ITEM_rptr(TimeStampResp), bin, NULL); - BIO_free_all(bin); - if (!reply || !reply->status) - return 1; /* FAILED */ - if (ASN1_INTEGER_get(reply->status->status) != 0) { - if (verbose) { - printf("Timestamping failed: status %ld\n", ASN1_INTEGER_get(reply->status->status)); - for (i = 0; i < sk_ASN1_UTF8STRING_num(reply->status->statusString); i++) { - ASN1_UTF8STRING *status = sk_ASN1_UTF8STRING_value(reply->status->statusString, i); - printf("%s\n", ASN1_STRING_get0_data(status)); - } - } - TimeStampResp_free(reply); - return 1; /* FAILED */ - } - if (((len = i2d_PKCS7(reply->token, NULL)) <= 0) || (p = OPENSSL_malloc((size_t)len)) == NULL) { - if (verbose) { - printf("Failed to convert pkcs7: %d\n", len); - ERR_print_errors_fp(stdout); - } - TimeStampResp_free(reply); - return 1; /* FAILED */ - } - len = i2d_PKCS7(reply->token, &p); - p -= len; - TimeStampResp_free(reply); + reply = ASN1_item_d2i_bio(ASN1_ITEM_rptr(TimeStampResp), bin, NULL); + BIO_free_all(bin); + if (!reply || !reply->status) + return 1; /* FAILED */ + if (ASN1_INTEGER_get(reply->status->status) != 0) { + if (verbose) { + printf("Timestamping failed: status %ld\n", ASN1_INTEGER_get(reply->status->status)); + for (i = 0; i < sk_ASN1_UTF8STRING_num(reply->status->statusString); i++) { + ASN1_UTF8STRING *status = sk_ASN1_UTF8STRING_value(reply->status->statusString, i); + printf("%s\n", ASN1_STRING_get0_data(status)); + } + } + TimeStampResp_free(reply); + return 1; /* FAILED */ + } + if (((len = i2d_PKCS7(reply->token, NULL)) <= 0) || (p = OPENSSL_malloc((size_t)len)) == NULL) { + if (verbose) { + printf("Failed to convert pkcs7: %d\n", len); + ERR_print_errors_fp(stdout); + } + TimeStampResp_free(reply); + return 1; /* FAILED */ + } + len = i2d_PKCS7(reply->token, &p); + p -= len; + TimeStampResp_free(reply); - attrs = sk_X509_ATTRIBUTE_new_null(); - attrs = X509at_add1_attr_by_txt(&attrs, SPC_RFC3161_OBJID, V_ASN1_SET, p, len); - OPENSSL_free(p); + attrs = sk_X509_ATTRIBUTE_new_null(); + attrs = X509at_add1_attr_by_txt(&attrs, SPC_RFC3161_OBJID, V_ASN1_SET, p, len); + OPENSSL_free(p); - PKCS7_set_attributes(si, attrs); - sk_X509_ATTRIBUTE_pop_free(attrs, X509_ATTRIBUTE_free); - return 0; /* OK */ + PKCS7_set_attributes(si, attrs); + sk_X509_ATTRIBUTE_pop_free(attrs, X509_ATTRIBUTE_free); + return 0; /* OK */ } /* @@ -494,64 +494,64 @@ static CURLcode decode_rfc3161_response(PKCS7 *p7, BIO *bin, int verbose) */ static CURLcode decode_authenticode_response(PKCS7 *p7, BIO *bin, int verbose) { - PKCS7 *resp; - PKCS7_SIGNER_INFO *info, *si; - STACK_OF(X509_ATTRIBUTE) *attrs; - BIO* b64, *b64_bin; - u_char *p; - int len, i; - STACK_OF(PKCS7_SIGNER_INFO) *signer_info; + PKCS7 *resp; + PKCS7_SIGNER_INFO *info, *si; + STACK_OF(X509_ATTRIBUTE) *attrs; + BIO* b64, *b64_bin; + u_char *p; + int len, i; + STACK_OF(PKCS7_SIGNER_INFO) *signer_info; - b64 = BIO_new(BIO_f_base64()); - if (!blob_has_nl) - BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL); - b64_bin = BIO_push(b64, bin); - resp = d2i_PKCS7_bio(b64_bin, NULL); - BIO_free_all(b64_bin); - if (resp == NULL) - return 1; /* FAILED */ + b64 = BIO_new(BIO_f_base64()); + if (!blob_has_nl) + BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL); + b64_bin = BIO_push(b64, bin); + resp = d2i_PKCS7_bio(b64_bin, NULL); + BIO_free_all(b64_bin); + if (resp == NULL) + return 1; /* FAILED */ - for(i = sk_X509_num(resp->d.sign->cert)-1; i>=0; i--) - PKCS7_add_certificate(p7, sk_X509_value(resp->d.sign->cert, i)); + for(i = sk_X509_num(resp->d.sign->cert)-1; i>=0; i--) + PKCS7_add_certificate(p7, sk_X509_value(resp->d.sign->cert, i)); - signer_info = PKCS7_get_signer_info(resp); - PKCS7_free(resp); - if (!signer_info) - return 1; /* FAILED */ - info = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); - if (!info) { - PKCS7_free(resp); - return 1; /* FAILED */ - } - if (((len = i2d_PKCS7_SIGNER_INFO(info, NULL)) <= 0) || (p = OPENSSL_malloc((size_t)len)) == NULL) { - if (verbose) { - printf("Failed to convert signer info: %d\n", len); - ERR_print_errors_fp(stdout); - } - PKCS7_free(resp); - return 1; /* FAILED */ - } - len = i2d_PKCS7_SIGNER_INFO(info, &p); - p -= len; - PKCS7_free(resp); + signer_info = PKCS7_get_signer_info(resp); + PKCS7_free(resp); + if (!signer_info) + return 1; /* FAILED */ + info = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); + if (!info) { + PKCS7_free(resp); + return 1; /* FAILED */ + } + if (((len = i2d_PKCS7_SIGNER_INFO(info, NULL)) <= 0) || (p = OPENSSL_malloc((size_t)len)) == NULL) { + if (verbose) { + printf("Failed to convert signer info: %d\n", len); + ERR_print_errors_fp(stdout); + } + PKCS7_free(resp); + return 1; /* FAILED */ + } + len = i2d_PKCS7_SIGNER_INFO(info, &p); + p -= len; + PKCS7_free(resp); - attrs = sk_X509_ATTRIBUTE_new_null(); - attrs = X509at_add1_attr_by_txt(&attrs, PKCS9_COUNTER_SIGNATURE, V_ASN1_SET, p, len); - OPENSSL_free(p); + attrs = sk_X509_ATTRIBUTE_new_null(); + attrs = X509at_add1_attr_by_txt(&attrs, PKCS9_COUNTER_SIGNATURE, V_ASN1_SET, p, len); + OPENSSL_free(p); - signer_info = PKCS7_get_signer_info(p7); - if (!signer_info) - return 1; /* FAILED */ - si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); - if (!si) - return 1; /* FAILED */ - /* - * PKCS7_set_attributes() frees up all elements of si->unauth_attr - * and sets there a copy of attrs so overrides the previous timestamp - */ - PKCS7_set_attributes(si, attrs); - sk_X509_ATTRIBUTE_pop_free(attrs, X509_ATTRIBUTE_free); - return 0; /* OK */ + signer_info = PKCS7_get_signer_info(p7); + if (!signer_info) + return 1; /* FAILED */ + si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); + if (!si) + return 1; /* FAILED */ + /* + * PKCS7_set_attributes() frees up all elements of si->unauth_attr + * and sets there a copy of attrs so overrides the previous timestamp + */ + PKCS7_set_attributes(si, attrs); + sk_X509_ATTRIBUTE_pop_free(attrs, X509_ATTRIBUTE_free); + return 0; /* OK */ } /* @@ -565,124 +565,124 @@ static CURLcode decode_authenticode_response(PKCS7 *p7, BIO *bin, int verbose) */ static int add_timestamp(PKCS7 *p7, FILE_FORMAT_CTX *ctx, char *url, int rfc3161) { - CURL *curl; - struct curl_slist *slist = NULL; - CURLcode res; - BIO *bout, *bin; - u_char *p = NULL; - long len = 0; - int verbose = ctx->options->verbose || ctx->options->ntsurl == 1; + CURL *curl; + struct curl_slist *slist = NULL; + CURLcode res; + BIO *bout, *bin; + u_char *p = NULL; + long len = 0; + int verbose = ctx->options->verbose || ctx->options->ntsurl == 1; - if (!url) - return 1; /* FAILED */ + if (!url) + return 1; /* FAILED */ - /* Encode timestamp request */ - if (rfc3161) { - bout = bio_encode_rfc3161_request(p7, ctx->options->md); - } else { - bout = bio_encode_authenticode_request(p7); - } - if (!bout) - return 1; /* FAILED */ + /* Encode timestamp request */ + if (rfc3161) { + bout = bio_encode_rfc3161_request(p7, ctx->options->md); + } else { + bout = bio_encode_authenticode_request(p7); + } + if (!bout) + return 1; /* FAILED */ - /* Start a libcurl easy session and set options for a curl easy handle */ - curl = curl_easy_init(); - if (ctx->options->proxy) { - res = curl_easy_setopt(curl, CURLOPT_PROXY, ctx->options->proxy); - if (res != CURLE_OK) { - printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); - } - if (!strncmp("http:", ctx->options->proxy, 5)) { - res = curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTP); - if (res != CURLE_OK) { - printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); - } - } - if (!strncmp("socks:", ctx->options->proxy, 6)) { - res = curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5); - if (res != CURLE_OK) { - printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); - } - } - } - res = curl_easy_setopt(curl, CURLOPT_URL, url); - if (res != CURLE_OK) { - printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); - } - /* - * ask libcurl to show us the verbose output - * curl_easy_setopt(curl, CURLOPT_VERBOSE, 42); - */ - if (ctx->options->noverifypeer) { - res = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE); - if (res != CURLE_OK) { - printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); - } - } + /* Start a libcurl easy session and set options for a curl easy handle */ + curl = curl_easy_init(); + if (ctx->options->proxy) { + res = curl_easy_setopt(curl, CURLOPT_PROXY, ctx->options->proxy); + if (res != CURLE_OK) { + printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); + } + if (!strncmp("http:", ctx->options->proxy, 5)) { + res = curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTP); + if (res != CURLE_OK) { + printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); + } + } + if (!strncmp("socks:", ctx->options->proxy, 6)) { + res = curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5); + if (res != CURLE_OK) { + printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); + } + } + } + res = curl_easy_setopt(curl, CURLOPT_URL, url); + if (res != CURLE_OK) { + printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); + } + /* + * ask libcurl to show us the verbose output + * curl_easy_setopt(curl, CURLOPT_VERBOSE, 42); + */ + if (ctx->options->noverifypeer) { + res = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE); + if (res != CURLE_OK) { + printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); + } + } - if (rfc3161) { - slist = curl_slist_append(slist, "Content-Type: application/timestamp-query"); - slist = curl_slist_append(slist, "Accept: application/timestamp-reply"); - } else { - slist = curl_slist_append(slist, "Content-Type: application/octet-stream"); - slist = curl_slist_append(slist, "Accept: application/octet-stream"); - } - slist = curl_slist_append(slist, "User-Agent: Transport"); - slist = curl_slist_append(slist, "Cache-Control: no-cache"); - res = curl_easy_setopt(curl, CURLOPT_HTTPHEADER, slist); - if (res != CURLE_OK) { - printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); - } + if (rfc3161) { + slist = curl_slist_append(slist, "Content-Type: application/timestamp-query"); + slist = curl_slist_append(slist, "Accept: application/timestamp-reply"); + } else { + slist = curl_slist_append(slist, "Content-Type: application/octet-stream"); + slist = curl_slist_append(slist, "Accept: application/octet-stream"); + } + slist = curl_slist_append(slist, "User-Agent: Transport"); + slist = curl_slist_append(slist, "Cache-Control: no-cache"); + res = curl_easy_setopt(curl, CURLOPT_HTTPHEADER, slist); + if (res != CURLE_OK) { + printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); + } - len = BIO_get_mem_data(bout, &p); - res = curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, len); - if (res != CURLE_OK) { - printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); - } - res = curl_easy_setopt(curl, CURLOPT_POSTFIELDS, (char*)p); - if (res != CURLE_OK) { - printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); - } + len = BIO_get_mem_data(bout, &p); + res = curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, len); + if (res != CURLE_OK) { + printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); + } + res = curl_easy_setopt(curl, CURLOPT_POSTFIELDS, (char*)p); + if (res != CURLE_OK) { + printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); + } - bin = BIO_new(BIO_s_mem()); - BIO_set_mem_eof_return(bin, 0); - res = curl_easy_setopt(curl, CURLOPT_POST, 1); - if (res != CURLE_OK) { - printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); - } - res = curl_easy_setopt(curl, CURLOPT_WRITEDATA, bin); - if (res != CURLE_OK) { - printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); - } - res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, curl_write); - if (res != CURLE_OK) { - printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); - } - /* Perform the request */ - res = curl_easy_perform(curl); - curl_slist_free_all(slist); - BIO_free_all(bout); + bin = BIO_new(BIO_s_mem()); + BIO_set_mem_eof_return(bin, 0); + res = curl_easy_setopt(curl, CURLOPT_POST, 1); + if (res != CURLE_OK) { + printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); + } + res = curl_easy_setopt(curl, CURLOPT_WRITEDATA, bin); + if (res != CURLE_OK) { + printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); + } + res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, curl_write); + if (res != CURLE_OK) { + printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); + } + /* Perform the request */ + res = curl_easy_perform(curl); + curl_slist_free_all(slist); + BIO_free_all(bout); - if (res != CURLE_OK) { - BIO_free_all(bin); - if (verbose) - printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); - } else { - /* CURLE_OK (0) */ - long http_code = -1; - (void)BIO_flush(bin); - curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http_code); - /* Decode a curl response from BIO and write it into the PKCS7 structure */ - if (rfc3161) - res = decode_rfc3161_response(p7, bin, verbose); - else - res = decode_authenticode_response(p7, bin, verbose); - if (res && verbose) - print_timestamp_error(url, http_code); - } - /* End a libcurl easy handle */ - curl_easy_cleanup(curl); - return (int)res; + if (res != CURLE_OK) { + BIO_free_all(bin); + if (verbose) + printf("CURL failure: %s %s\n", curl_easy_strerror(res), url); + } else { + /* CURLE_OK (0) */ + long http_code = -1; + (void)BIO_flush(bin); + curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http_code); + /* Decode a curl response from BIO and write it into the PKCS7 structure */ + if (rfc3161) + res = decode_rfc3161_response(p7, bin, verbose); + else + res = decode_authenticode_response(p7, bin, verbose); + if (res && verbose) + print_timestamp_error(url, http_code); + } + /* End a libcurl easy handle */ + curl_easy_cleanup(curl); + return (int)res; } /* @@ -692,12 +692,12 @@ static int add_timestamp(PKCS7 *p7, FILE_FORMAT_CTX *ctx, char *url, int rfc3161 */ static int add_timestamp_authenticode(PKCS7 *p7, FILE_FORMAT_CTX *ctx) { - int i; - for (i=0; ioptions->nturl; i++) { - if (!add_timestamp(p7, ctx, ctx->options->turl[i], 0)) - return 1; /* OK */ - } - return 0; /* FAILED */ + int i; + for (i=0; ioptions->nturl; i++) { + if (!add_timestamp(p7, ctx, ctx->options->turl[i], 0)) + return 1; /* OK */ + } + return 0; /* FAILED */ } /* @@ -707,12 +707,12 @@ static int add_timestamp_authenticode(PKCS7 *p7, FILE_FORMAT_CTX *ctx) */ static int add_timestamp_rfc3161(PKCS7 *p7, FILE_FORMAT_CTX *ctx) { - int i; - for (i=0; ioptions->ntsurl; i++) { - if (!add_timestamp(p7, ctx, ctx->options->tsurl[i], 1)) - return 1; /* OK */ - } - return 0; /* FAILED */ + int i; + for (i=0; ioptions->ntsurl; i++) { + if (!add_timestamp(p7, ctx, ctx->options->tsurl[i], 1)) + return 1; /* OK */ + } + return 0; /* FAILED */ } #endif /* ENABLE_CURL */ @@ -725,33 +725,33 @@ static int add_timestamp_rfc3161(PKCS7 *p7, FILE_FORMAT_CTX *ctx) */ static int add_unauthenticated_blob(PKCS7 *p7) { - PKCS7_SIGNER_INFO *si; - STACK_OF(PKCS7_SIGNER_INFO) *signer_info; - ASN1_STRING *astr; - u_char *p = NULL; - int nid, len = 1024+4; - /* Length data for ASN1 attribute plus prefix */ - const char prefix[] = "\x0c\x82\x04\x00---BEGIN_BLOB---"; - const char postfix[] = "---END_BLOB---"; + PKCS7_SIGNER_INFO *si; + STACK_OF(PKCS7_SIGNER_INFO) *signer_info; + ASN1_STRING *astr; + u_char *p = NULL; + int nid, len = 1024+4; + /* Length data for ASN1 attribute plus prefix */ + const char prefix[] = "\x0c\x82\x04\x00---BEGIN_BLOB---"; + const char postfix[] = "---END_BLOB---"; - signer_info = PKCS7_get_signer_info(p7); - if (!signer_info) - return 0; /* FAILED */ - si = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0); - if (!si) - return 0; /* FAILED */ - if ((p = OPENSSL_malloc((size_t)len)) == NULL) - return 0; /* FAILED */ - memset(p, 0, (size_t)len); - memcpy(p, prefix, sizeof prefix); - memcpy(p + len - sizeof postfix, postfix, sizeof postfix); - astr = ASN1_STRING_new(); - ASN1_STRING_set(astr, p, len); - nid = OBJ_create(SPC_UNAUTHENTICATED_DATA_BLOB_OBJID, - "unauthenticatedData", "unauthenticatedData"); - PKCS7_add_attribute(si, nid, V_ASN1_SEQUENCE, astr); - OPENSSL_free(p); - return 1; /* OK */ + signer_info = PKCS7_get_signer_info(p7); + if (!signer_info) + return 0; /* FAILED */ + si = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0); + if (!si) + return 0; /* FAILED */ + if ((p = OPENSSL_malloc((size_t)len)) == NULL) + return 0; /* FAILED */ + memset(p, 0, (size_t)len); + memcpy(p, prefix, sizeof prefix); + memcpy(p + len - sizeof postfix, postfix, sizeof postfix); + astr = ASN1_STRING_new(); + ASN1_STRING_set(astr, p, len); + nid = OBJ_create(SPC_UNAUTHENTICATED_DATA_BLOB_OBJID, + "unauthenticatedData", "unauthenticatedData"); + PKCS7_add_attribute(si, nid, V_ASN1_SEQUENCE, astr); + OPENSSL_free(p); + return 1; /* OK */ } /* @@ -762,23 +762,23 @@ static int add_unauthenticated_blob(PKCS7 *p7) static int add_timestamp_and_blob(PKCS7 *p7, FILE_FORMAT_CTX *ctx) { #ifdef ENABLE_CURL - /* add counter-signature/timestamp */ - if (ctx->options->nturl && !add_timestamp_authenticode(p7, ctx)) { - printf("%s\n%s\n", "Authenticode timestamping failed", - "Use the \"-ts\" option to add the RFC3161 Time-Stamp Authority or choose another one Authenticode Time-Stamp Authority"); - return 1; /* FAILED */ - } - if (ctx->options->ntsurl && !add_timestamp_rfc3161(p7, ctx)) { - printf("%s\n%s\n", "RFC 3161 timestamping failed", - "Use the \"-t\" option to add the Authenticode Time-Stamp Authority or choose another one RFC3161 Time-Stamp Authority"); - return 1; /* FAILED */ - } + /* add counter-signature/timestamp */ + if (ctx->options->nturl && !add_timestamp_authenticode(p7, ctx)) { + printf("%s\n%s\n", "Authenticode timestamping failed", + "Use the \"-ts\" option to add the RFC3161 Time-Stamp Authority or choose another one Authenticode Time-Stamp Authority"); + return 1; /* FAILED */ + } + if (ctx->options->ntsurl && !add_timestamp_rfc3161(p7, ctx)) { + printf("%s\n%s\n", "RFC 3161 timestamping failed", + "Use the \"-t\" option to add the Authenticode Time-Stamp Authority or choose another one RFC3161 Time-Stamp Authority"); + return 1; /* FAILED */ + } #endif /* ENABLE_CURL */ - if (ctx->options->addBlob && !add_unauthenticated_blob(p7)) { - printf("Adding unauthenticated blob failed\n"); - return 1; /* FAILED */ - } - return 0; /* OK */ + if (ctx->options->addBlob && !add_unauthenticated_blob(p7)) { + printf("Adding unauthenticated blob failed\n"); + return 1; /* FAILED */ + } + return 0; /* OK */ } /* @@ -788,15 +788,15 @@ static int add_timestamp_and_blob(PKCS7 *p7, FILE_FORMAT_CTX *ctx) */ static int x509_store_set_time(X509_STORE *store, time_t time) { - X509_VERIFY_PARAM *param; + X509_VERIFY_PARAM *param; - param = X509_STORE_get0_param(store); - if (param == NULL) - return 0; /* FAILED */ - X509_VERIFY_PARAM_set_time(param, time); - if (!X509_STORE_set1_param(store, param)) - return 0; /* FAILED */ - return 1; /* OK */ + param = X509_STORE_get0_param(store); + if (param == NULL) + return 0; /* FAILED */ + X509_VERIFY_PARAM_set_time(param, time); + if (!X509_STORE_set1_param(store, param)) + return 0; /* FAILED */ + return 1; /* OK */ } /* @@ -806,17 +806,17 @@ static int x509_store_set_time(X509_STORE *store, time_t time) */ static int print_asn1_time(const ASN1_TIME *time) { - BIO *bp; + BIO *bp; - if ((time == NULL) || (!ASN1_TIME_check(time))) { - printf("N/A\n"); - return 0; /* FAILED */ - } - bp = BIO_new_fp(stdout, BIO_NOCLOSE); - ASN1_TIME_print(bp, time); - BIO_free(bp); - printf("\n"); - return 1; /* OK */ + if ((time == NULL) || (!ASN1_TIME_check(time))) { + printf("N/A\n"); + return 0; /* FAILED */ + } + bp = BIO_new_fp(stdout, BIO_NOCLOSE); + ASN1_TIME_print(bp, time); + BIO_free(bp); + printf("\n"); + return 1; /* OK */ } /* @@ -827,20 +827,20 @@ static int print_asn1_time(const ASN1_TIME *time) */ static int print_time_t(const time_t time) { - ASN1_TIME *s; - int ret; + ASN1_TIME *s; + int ret; - if (time == INVALID_TIME) { - printf("N/A\n"); - return 0; /* FAILED */ - } - if ((s = ASN1_TIME_set(NULL, time)) == NULL) { - printf("N/A\n"); - return 0; /* FAILED */ - } - ret = print_asn1_time(s); - ASN1_TIME_free(s); - return ret; + if (time == INVALID_TIME) { + printf("N/A\n"); + return 0; /* FAILED */ + } + if ((s = ASN1_TIME_set(NULL, time)) == NULL) { + printf("N/A\n"); + return 0; /* FAILED */ + } + ret = print_asn1_time(s); + ASN1_TIME_free(s); + return ret; } @@ -852,26 +852,26 @@ static int print_time_t(const time_t time) */ static void print_cert(X509 *cert, int i) { - char *subject, *issuer, *serial; - BIGNUM *serialbn; + char *subject, *issuer, *serial; + BIGNUM *serialbn; - subject = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0); - issuer = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0); - serialbn = ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), NULL); - serial = BN_bn2hex(serialbn); - if (i > 0) - printf("\t------------------\n"); - printf("\tSigner #%d:\n\t\tSubject: %s\n\t\tIssuer : %s\n\t\tSerial : %s\n\t\tCertificate expiration date:\n", - i, subject, issuer, serial); - printf("\t\t\tnotBefore : "); - print_asn1_time(X509_get0_notBefore(cert)); - printf("\t\t\tnotAfter : "); - print_asn1_time(X509_get0_notAfter(cert)); + subject = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0); + issuer = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0); + serialbn = ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), NULL); + serial = BN_bn2hex(serialbn); + if (i > 0) + printf("\t------------------\n"); + printf("\tSigner #%d:\n\t\tSubject: %s\n\t\tIssuer : %s\n\t\tSerial : %s\n\t\tCertificate expiration date:\n", + i, subject, issuer, serial); + printf("\t\t\tnotBefore : "); + print_asn1_time(X509_get0_notBefore(cert)); + printf("\t\t\tnotAfter : "); + print_asn1_time(X509_get0_notAfter(cert)); - OPENSSL_free(subject); - OPENSSL_free(issuer); - BN_free(serialbn); - OPENSSL_free(serial); + OPENSSL_free(subject); + OPENSSL_free(issuer); + BN_free(serialbn); + OPENSSL_free(serial); } /* @@ -881,18 +881,18 @@ static void print_cert(X509 *cert, int i) */ static int print_certs(PKCS7 *p7) { - X509 *cert; - int i, count; + X509 *cert; + int i, count; - count = sk_X509_num(p7->d.sign->cert); - printf("\nNumber of certificates: %d\n", count); - for (i=0; id.sign->cert, i); - if (!cert) - return 0; /* FAILED */ - print_cert(cert, i); - } - return 1; /* OK */ + count = sk_X509_num(p7->d.sign->cert); + printf("\nNumber of certificates: %d\n", count); + for (i=0; id.sign->cert, i); + if (!cert) + return 0; /* FAILED */ + print_cert(cert, i); + } + return 1; /* OK */ } /* @@ -902,45 +902,45 @@ static int print_certs(PKCS7 *p7) */ static int x509_store_load_file(X509_STORE *store, char *cafile) { - X509_LOOKUP *lookup; - X509_VERIFY_PARAM *param; + X509_LOOKUP *lookup; + X509_VERIFY_PARAM *param; - lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); - if (!lookup || !cafile) - return 0; /* FAILED */ - if (!X509_load_cert_file(lookup, cafile, X509_FILETYPE_PEM)) { - printf("\nError: no certificate found\n"); - return 0; /* FAILED */ - } - param = X509_STORE_get0_param(store); - if (param == NULL) - return 0; /* FAILED */ - if (!X509_VERIFY_PARAM_set_purpose(param, X509_PURPOSE_ANY)) - return 0; /* FAILED */ - if (!X509_STORE_set1_param(store, param)) - return 0; /* FAILED */ + lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); + if (!lookup || !cafile) + return 0; /* FAILED */ + if (!X509_load_cert_file(lookup, cafile, X509_FILETYPE_PEM)) { + printf("\nError: no certificate found\n"); + return 0; /* FAILED */ + } + param = X509_STORE_get0_param(store); + if (param == NULL) + return 0; /* FAILED */ + if (!X509_VERIFY_PARAM_set_purpose(param, X509_PURPOSE_ANY)) + return 0; /* FAILED */ + if (!X509_STORE_set1_param(store, param)) + return 0; /* FAILED */ - return 1; /* OK */ + return 1; /* OK */ } /* X509_STORE_CTX_verify_cb */ static int verify_callback(int ok, X509_STORE_CTX *ctx) { - int error = X509_STORE_CTX_get_error(ctx); - int depth = X509_STORE_CTX_get_error_depth(ctx); + int error = X509_STORE_CTX_get_error(ctx); + int depth = X509_STORE_CTX_get_error_depth(ctx); - if (!ok && error == X509_V_ERR_CERT_HAS_EXPIRED) { - if (depth == 0) { - printf("\nWarning: Ignoring expired signer certificate for CRL validation\n"); - return 1; - } else { - X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx); - printf("\nError: Expired CA certificate:\n"); - print_cert(current_cert, 0); - printf("\n"); - } - } - return ok; + if (!ok && error == X509_V_ERR_CERT_HAS_EXPIRED) { + if (depth == 0) { + printf("\nWarning: Ignoring expired signer certificate for CRL validation\n"); + return 1; + } else { + X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx); + printf("\nError: Expired CA certificate:\n"); + print_cert(current_cert, 0); + printf("\n"); + } + } + return ok; } /* @@ -951,31 +951,31 @@ static int verify_callback(int ok, X509_STORE_CTX *ctx) */ static int x509_store_load_crlfile(X509_STORE *store, char *cafile, char *crlfile) { - X509_LOOKUP *lookup; - X509_VERIFY_PARAM *param; + X509_LOOKUP *lookup; + X509_VERIFY_PARAM *param; - lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); - if (!lookup) - return 0; /* FAILED */ - if (!X509_load_cert_file(lookup, cafile, X509_FILETYPE_PEM)) { - printf("\nError: no certificate found\n"); - return 0; /* FAILED */ - } - if (crlfile && !X509_load_crl_file(lookup, crlfile, X509_FILETYPE_PEM)) { - printf("\nError: no CRL found in %s\n", crlfile); - return 0; /* FAILED */ - } - param = X509_STORE_get0_param(store); - if (param == NULL) - return 0; /* FAILED */ - /* enable CRL checking for the certificate chain leaf certificate */ - if (!X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK)) - return 0; /* FAILED */ - if (!X509_STORE_set1_param(store, param)) - return 0; /* FAILED */ - X509_STORE_set_verify_cb(store, verify_callback); + lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); + if (!lookup) + return 0; /* FAILED */ + if (!X509_load_cert_file(lookup, cafile, X509_FILETYPE_PEM)) { + printf("\nError: no certificate found\n"); + return 0; /* FAILED */ + } + if (crlfile && !X509_load_crl_file(lookup, crlfile, X509_FILETYPE_PEM)) { + printf("\nError: no CRL found in %s\n", crlfile); + return 0; /* FAILED */ + } + param = X509_STORE_get0_param(store); + if (param == NULL) + return 0; /* FAILED */ + /* enable CRL checking for the certificate chain leaf certificate */ + if (!X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK)) + return 0; /* FAILED */ + if (!X509_STORE_set1_param(store, param)) + return 0; /* FAILED */ + X509_STORE_set_verify_cb(store, verify_callback); - return 1; /* OK */ + return 1; /* OK */ } /* @@ -989,44 +989,44 @@ static int x509_store_load_crlfile(X509_STORE *store, char *cafile, char *crlfil * [returns] 0 on error or 1 on success */ static int verify_crl(char *cafile, char *crlfile, STACK_OF(X509_CRL) *crls, - X509 *signer, STACK_OF(X509) *chain) + X509 *signer, STACK_OF(X509) *chain) { - X509_STORE *store = NULL; - X509_STORE_CTX *ctx = NULL; - int verok = 0; + X509_STORE *store = NULL; + X509_STORE_CTX *ctx = NULL; + int verok = 0; - ctx = X509_STORE_CTX_new(); - if (!ctx) - goto out; - store = X509_STORE_new(); - if (!store) - goto out; - if (!x509_store_load_crlfile(store, cafile, crlfile)) - goto out; + ctx = X509_STORE_CTX_new(); + if (!ctx) + goto out; + store = X509_STORE_new(); + if (!store) + goto out; + if (!x509_store_load_crlfile(store, cafile, crlfile)) + goto out; - /* initialise an X509_STORE_CTX structure for subsequent use by X509_verify_cert()*/ - if (!X509_STORE_CTX_init(ctx, store, signer, chain)) - goto out; + /* initialise an X509_STORE_CTX structure for subsequent use by X509_verify_cert()*/ + if (!X509_STORE_CTX_init(ctx, store, signer, chain)) + goto out; - /* set an additional CRLs */ - if (crls) - X509_STORE_CTX_set0_crls(ctx, crls); + /* set an additional CRLs */ + if (crls) + X509_STORE_CTX_set0_crls(ctx, crls); - if (X509_verify_cert(ctx) <= 0) { - int error = X509_STORE_CTX_get_error(ctx); - printf("\nX509_verify_cert: certificate verify error: %s\n", - X509_verify_cert_error_string(error)); - goto out; - } - verok = 1; /* OK */ + if (X509_verify_cert(ctx) <= 0) { + int error = X509_STORE_CTX_get_error(ctx); + printf("\nX509_verify_cert: certificate verify error: %s\n", + X509_verify_cert_error_string(error)); + goto out; + } + verok = 1; /* OK */ out: - if (!verok) - ERR_print_errors_fp(stdout); - /* NULL is a valid parameter value for X509_STORE_free() and X509_STORE_CTX_free() */ - X509_STORE_free(store); - X509_STORE_CTX_free(ctx); - return verok; + if (!verok) + ERR_print_errors_fp(stdout); + /* NULL is a valid parameter value for X509_STORE_free() and X509_STORE_CTX_free() */ + X509_STORE_free(store); + X509_STORE_CTX_free(ctx); + return verok; } /* @@ -1035,38 +1035,38 @@ out: */ static char *clrdp_url_get_x509(X509 *cert) { - STACK_OF(DIST_POINT) *crldp; - DIST_POINT *dp; - GENERAL_NAMES *gens; - GENERAL_NAME *gen; - int i, j, gtype; - ASN1_STRING *uri; - char *url = NULL; + STACK_OF(DIST_POINT) *crldp; + DIST_POINT *dp; + GENERAL_NAMES *gens; + GENERAL_NAME *gen; + int i, j, gtype; + ASN1_STRING *uri; + char *url = NULL; - crldp = X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL); - if (!crldp) - return NULL; + crldp = X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL); + if (!crldp) + return NULL; - for (i = 0; i < sk_DIST_POINT_num(crldp); i++) { - dp = sk_DIST_POINT_value(crldp, i); - if (!dp->distpoint || dp->distpoint->type != 0) - continue; - gens = dp->distpoint->name.fullname; - for (j = 0; j < sk_GENERAL_NAME_num(gens); j++) { - gen = sk_GENERAL_NAME_value(gens, j); - uri = GENERAL_NAME_get0_value(gen, >ype); - if (gtype == GEN_URI && ASN1_STRING_length(uri) > 6) { - url = OPENSSL_strdup((const char *)ASN1_STRING_get0_data(uri)); - if (strncmp(url, "http://", 7) == 0) - goto out; - OPENSSL_free(url); - url = NULL; - } - } - } + for (i = 0; i < sk_DIST_POINT_num(crldp); i++) { + dp = sk_DIST_POINT_value(crldp, i); + if (!dp->distpoint || dp->distpoint->type != 0) + continue; + gens = dp->distpoint->name.fullname; + for (j = 0; j < sk_GENERAL_NAME_num(gens); j++) { + gen = sk_GENERAL_NAME_value(gens, j); + uri = GENERAL_NAME_get0_value(gen, >ype); + if (gtype == GEN_URI && ASN1_STRING_length(uri) > 6) { + url = OPENSSL_strdup((const char *)ASN1_STRING_get0_data(uri)); + if (strncmp(url, "http://", 7) == 0) + goto out; + OPENSSL_free(url); + url = NULL; + } + } + } out: - sk_DIST_POINT_pop_free(crldp, DIST_POINT_free); - return url; + sk_DIST_POINT_pop_free(crldp, DIST_POINT_free); + return url; } /* @@ -1078,62 +1078,62 @@ out: */ static int verify_timestamp_token(PKCS7 *p7, CMS_ContentInfo *timestamp) { - STACK_OF(PKCS7_SIGNER_INFO) *signer_info; - PKCS7_SIGNER_INFO *si; - ASN1_OCTET_STRING *hash, **pos; - TimeStampToken *token = NULL; - const u_char *p = NULL; - u_char mdbuf[EVP_MAX_MD_SIZE]; - const EVP_MD *md; - int md_nid; - BIO *bhash; + STACK_OF(PKCS7_SIGNER_INFO) *signer_info; + PKCS7_SIGNER_INFO *si; + ASN1_OCTET_STRING *hash, **pos; + TimeStampToken *token = NULL; + const u_char *p = NULL; + u_char mdbuf[EVP_MAX_MD_SIZE]; + const EVP_MD *md; + int md_nid; + BIO *bhash; - signer_info = PKCS7_get_signer_info(p7); - if (!signer_info) - return 0; /* FAILED */ + signer_info = PKCS7_get_signer_info(p7); + if (!signer_info) + return 0; /* FAILED */ - si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); - if (!si) - return 0; /* FAILED */ + si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); + if (!si) + return 0; /* FAILED */ - pos = CMS_get0_content(timestamp); - if (pos != NULL && *pos != NULL) { - p = (*pos)->data; - token = d2i_TimeStampToken(NULL, &p, (*pos)->length); - if (token) { - /* compute a hash from the encrypted message digest value of the file */ - md_nid = OBJ_obj2nid(token->messageImprint->digestAlgorithm->algorithm); - md = EVP_get_digestbynid(md_nid); - bhash = BIO_new(BIO_f_md()); - if (!BIO_set_md(bhash, md)) { - printf("Unable to set the message digest of BIO\n"); - BIO_free_all(bhash); - return 0; /* FAILED */ - } - BIO_push(bhash, BIO_new(BIO_s_null())); - BIO_write(bhash, si->enc_digest->data, si->enc_digest->length); - BIO_gets(bhash, (char*)mdbuf, EVP_MD_size(md)); - BIO_free_all(bhash); + pos = CMS_get0_content(timestamp); + if (pos != NULL && *pos != NULL) { + p = (*pos)->data; + token = d2i_TimeStampToken(NULL, &p, (*pos)->length); + if (token) { + /* compute a hash from the encrypted message digest value of the file */ + md_nid = OBJ_obj2nid(token->messageImprint->digestAlgorithm->algorithm); + md = EVP_get_digestbynid(md_nid); + bhash = BIO_new(BIO_f_md()); + if (!BIO_set_md(bhash, md)) { + printf("Unable to set the message digest of BIO\n"); + BIO_free_all(bhash); + return 0; /* FAILED */ + } + BIO_push(bhash, BIO_new(BIO_s_null())); + BIO_write(bhash, si->enc_digest->data, si->enc_digest->length); + BIO_gets(bhash, (char*)mdbuf, EVP_MD_size(md)); + BIO_free_all(bhash); - /* compare the provided hash against the computed hash */ - hash = token->messageImprint->digest; - /* hash->length == EVP_MD_size(md) */ - if (memcmp(mdbuf, hash->data, (size_t)hash->length)) { - printf("Hash value mismatch:\n\tMessage digest algorithm: %s\n", - (md_nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(md_nid)); - print_hash("\tComputed message digest", "", mdbuf, EVP_MD_size(md)); - print_hash("\tReceived message digest", "", hash->data, hash->length); - printf("\nFile's message digest verification: failed\n"); - TimeStampToken_free(token); - return 0; /* FAILED */ - } /* else Computed and received message digests matched */ - TimeStampToken_free(token); - } else - /* our CMS_ContentInfo struct created for Authenticode Timestamp - * does not contain any TimeStampToken as specified in RFC 3161 */ - ERR_clear_error(); - } - return 1; /* OK */ + /* compare the provided hash against the computed hash */ + hash = token->messageImprint->digest; + /* hash->length == EVP_MD_size(md) */ + if (memcmp(mdbuf, hash->data, (size_t)hash->length)) { + printf("Hash value mismatch:\n\tMessage digest algorithm: %s\n", + (md_nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(md_nid)); + print_hash("\tComputed message digest", "", mdbuf, EVP_MD_size(md)); + print_hash("\tReceived message digest", "", hash->data, hash->length); + printf("\nFile's message digest verification: failed\n"); + TimeStampToken_free(token); + return 0; /* FAILED */ + } /* else Computed and received message digests matched */ + TimeStampToken_free(token); + } else + /* our CMS_ContentInfo struct created for Authenticode Timestamp + * does not contain any TimeStampToken as specified in RFC 3161 */ + ERR_clear_error(); + } + return 1; /* OK */ } /* @@ -1145,82 +1145,82 @@ static int verify_timestamp_token(PKCS7 *p7, CMS_ContentInfo *timestamp) */ static int verify_timestamp(FILE_FORMAT_CTX *ctx, PKCS7 *p7, CMS_ContentInfo *timestamp, time_t time) { - X509_STORE *store; - STACK_OF(CMS_SignerInfo) *sinfos; - CMS_SignerInfo *cmssi; - X509 *signer; - STACK_OF(X509_CRL) *crls; - char *url; - int verok = 0; + X509_STORE *store; + STACK_OF(CMS_SignerInfo) *sinfos; + CMS_SignerInfo *cmssi; + X509 *signer; + STACK_OF(X509_CRL) *crls; + char *url; + int verok = 0; - store = X509_STORE_new(); - if (!store) - goto out; - if (x509_store_load_file(store, ctx->options->tsa_cafile)) { - /* - * The TSA signing key MUST be of a sufficient length to allow for a sufficiently - * long lifetime. Even if this is done, the key will have a finite lifetime. - * Thus, any token signed by the TSA SHOULD be time-stamped again or notarized - * at a later date to renew the trust that exists in the TSA's signature. - * https://datatracker.ietf.org/doc/html/rfc3161#section-4 - * Signtool does not respect this RFC and neither we do. - * So verify timestamp against the time of its creation. - */ - if (!x509_store_set_time(store, time)) { - printf("Failed to set store time\n"); - X509_STORE_free(store); - goto out; - } - } else { - printf("Use the \"-TSA-CAfile\" option to add the Time-Stamp Authority certificates bundle to verify the Timestamp Server.\n"); - X509_STORE_free(store); - goto out; - } + store = X509_STORE_new(); + if (!store) + goto out; + if (x509_store_load_file(store, ctx->options->tsa_cafile)) { + /* + * The TSA signing key MUST be of a sufficient length to allow for a sufficiently + * long lifetime. Even if this is done, the key will have a finite lifetime. + * Thus, any token signed by the TSA SHOULD be time-stamped again or notarized + * at a later date to renew the trust that exists in the TSA's signature. + * https://datatracker.ietf.org/doc/html/rfc3161#section-4 + * Signtool does not respect this RFC and neither we do. + * So verify timestamp against the time of its creation. + */ + if (!x509_store_set_time(store, time)) { + printf("Failed to set store time\n"); + X509_STORE_free(store); + goto out; + } + } else { + printf("Use the \"-TSA-CAfile\" option to add the Time-Stamp Authority certificates bundle to verify the Timestamp Server.\n"); + X509_STORE_free(store); + goto out; + } - /* verify a CMS SignedData structure */ - if (!CMS_verify(timestamp, NULL, store, 0, NULL, 0)) { - printf("\nCMS_verify error\n"); - X509_STORE_free(store); - goto out; - } - X509_STORE_free(store); + /* verify a CMS SignedData structure */ + if (!CMS_verify(timestamp, NULL, store, 0, NULL, 0)) { + printf("\nCMS_verify error\n"); + X509_STORE_free(store); + goto out; + } + X509_STORE_free(store); - sinfos = CMS_get0_SignerInfos(timestamp); - cmssi = sk_CMS_SignerInfo_value(sinfos, 0); - CMS_SignerInfo_get0_algs(cmssi, NULL, &signer, NULL, NULL); + sinfos = CMS_get0_SignerInfos(timestamp); + cmssi = sk_CMS_SignerInfo_value(sinfos, 0); + CMS_SignerInfo_get0_algs(cmssi, NULL, &signer, NULL, NULL); - url = clrdp_url_get_x509(signer); - if (url) { - printf("TSA's CRL distribution point: %s\n", url); - OPENSSL_free(url); - } - /* verify a Certificate Revocation List */ - crls = p7->d.sign->crl; - if (ctx->options->tsa_crlfile || crls) { - STACK_OF(X509) *chain = CMS_get1_certs(timestamp); - int crlok = verify_crl(ctx->options->tsa_cafile, ctx->options->tsa_crlfile, - crls, signer, chain); - sk_X509_pop_free(chain, X509_free); - printf("Timestamp Server Signature CRL verification: %s\n", crlok ? "ok" : "failed"); - if (!crlok) - goto out; - } else { - printf("\n"); - } - /* check extended key usage flag XKU_TIMESTAMP */ - if (!(X509_get_extended_key_usage(signer) & XKU_TIMESTAMP)) { - printf("Unsupported Signer's certificate purpose XKU_TIMESTAMP\n"); - goto out; - } - /* verify the hash provided from the trusted timestamp */ - if (!verify_timestamp_token(p7, timestamp)) { - goto out; - } - verok = 1; /* OK */ + url = clrdp_url_get_x509(signer); + if (url) { + printf("TSA's CRL distribution point: %s\n", url); + OPENSSL_free(url); + } + /* verify a Certificate Revocation List */ + crls = p7->d.sign->crl; + if (ctx->options->tsa_crlfile || crls) { + STACK_OF(X509) *chain = CMS_get1_certs(timestamp); + int crlok = verify_crl(ctx->options->tsa_cafile, ctx->options->tsa_crlfile, + crls, signer, chain); + sk_X509_pop_free(chain, X509_free); + printf("Timestamp Server Signature CRL verification: %s\n", crlok ? "ok" : "failed"); + if (!crlok) + goto out; + } else { + printf("\n"); + } + /* check extended key usage flag XKU_TIMESTAMP */ + if (!(X509_get_extended_key_usage(signer) & XKU_TIMESTAMP)) { + printf("Unsupported Signer's certificate purpose XKU_TIMESTAMP\n"); + goto out; + } + /* verify the hash provided from the trusted timestamp */ + if (!verify_timestamp_token(p7, timestamp)) { + goto out; + } + verok = 1; /* OK */ out: - if (!verok) - ERR_print_errors_fp(stdout); - return verok; + if (!verok) + ERR_print_errors_fp(stdout); + return verok; } /* @@ -1232,81 +1232,81 @@ out: */ static int verify_authenticode(FILE_FORMAT_CTX *ctx, PKCS7 *p7, time_t time, X509 *signer) { - X509_STORE *store; - STACK_OF(X509_CRL) *crls; - BIO *bio = NULL; - int verok = 0; + X509_STORE *store; + STACK_OF(X509_CRL) *crls; + BIO *bio = NULL; + int verok = 0; - store = X509_STORE_new(); - if (!store) - goto out; + store = X509_STORE_new(); + if (!store) + goto out; - if (!x509_store_load_file(store, ctx->options->cafile)) { - printf("Failed to add store lookup file\n"); - X509_STORE_free(store); - goto out; - } - if (time != INVALID_TIME) { - printf("Signature verification time: "); - print_time_t(time); - if (!x509_store_set_time(store, time)) { - printf("Failed to set signature time\n"); - X509_STORE_free(store); - goto out; - } - } else if (ctx->options->time != INVALID_TIME) { - printf("Signature verification time: "); - print_time_t(ctx->options->time); - if (!x509_store_set_time(store, ctx->options->time)) { - printf("Failed to set verifying time\n"); - X509_STORE_free(store); - goto out; - } - } - /* verify a PKCS#7 signedData structure */ - if (p7->d.sign->contents->d.other->type == V_ASN1_SEQUENCE) { - /* only verify the contents of the sequence */ - int seqhdrlen; - seqhdrlen = asn1_simple_hdr_len(p7->d.sign->contents->d.other->value.sequence->data, - p7->d.sign->contents->d.other->value.sequence->length); - bio = BIO_new_mem_buf(p7->d.sign->contents->d.other->value.sequence->data + seqhdrlen, - p7->d.sign->contents->d.other->value.sequence->length - seqhdrlen); - } else { - /* verify the entire value */ - bio = BIO_new_mem_buf(p7->d.sign->contents->d.other->value.sequence->data, - p7->d.sign->contents->d.other->value.sequence->length); - } - if (!PKCS7_verify(p7, NULL, store, bio, NULL, 0)) { - printf("\nPKCS7_verify error\n"); - X509_STORE_free(store); - BIO_free(bio); - goto out; - } - X509_STORE_free(store); - BIO_free(bio); + if (!x509_store_load_file(store, ctx->options->cafile)) { + printf("Failed to add store lookup file\n"); + X509_STORE_free(store); + goto out; + } + if (time != INVALID_TIME) { + printf("Signature verification time: "); + print_time_t(time); + if (!x509_store_set_time(store, time)) { + printf("Failed to set signature time\n"); + X509_STORE_free(store); + goto out; + } + } else if (ctx->options->time != INVALID_TIME) { + printf("Signature verification time: "); + print_time_t(ctx->options->time); + if (!x509_store_set_time(store, ctx->options->time)) { + printf("Failed to set verifying time\n"); + X509_STORE_free(store); + goto out; + } + } + /* verify a PKCS#7 signedData structure */ + if (p7->d.sign->contents->d.other->type == V_ASN1_SEQUENCE) { + /* only verify the contents of the sequence */ + int seqhdrlen; + seqhdrlen = asn1_simple_hdr_len(p7->d.sign->contents->d.other->value.sequence->data, + p7->d.sign->contents->d.other->value.sequence->length); + bio = BIO_new_mem_buf(p7->d.sign->contents->d.other->value.sequence->data + seqhdrlen, + p7->d.sign->contents->d.other->value.sequence->length - seqhdrlen); + } else { + /* verify the entire value */ + bio = BIO_new_mem_buf(p7->d.sign->contents->d.other->value.sequence->data, + p7->d.sign->contents->d.other->value.sequence->length); + } + if (!PKCS7_verify(p7, NULL, store, bio, NULL, 0)) { + printf("\nPKCS7_verify error\n"); + X509_STORE_free(store); + BIO_free(bio); + goto out; + } + X509_STORE_free(store); + BIO_free(bio); - /* verify a Certificate Revocation List */ - crls = p7->d.sign->crl; - if (ctx->options->crlfile || crls) { - STACK_OF(X509) *chain = p7->d.sign->cert; - int crlok = verify_crl(ctx->options->cafile, ctx->options->crlfile, - crls, signer, chain); - printf("Signature CRL verification: %s\n", crlok ? "ok" : "failed"); - if (!crlok) - goto out; - } + /* verify a Certificate Revocation List */ + crls = p7->d.sign->crl; + if (ctx->options->crlfile || crls) { + STACK_OF(X509) *chain = p7->d.sign->cert; + int crlok = verify_crl(ctx->options->cafile, ctx->options->crlfile, + crls, signer, chain); + printf("Signature CRL verification: %s\n", crlok ? "ok" : "failed"); + if (!crlok) + goto out; + } - /* check extended key usage flag XKU_CODE_SIGN */ - if (!(X509_get_extended_key_usage(signer) & XKU_CODE_SIGN)) { - printf("Unsupported Signer's certificate purpose XKU_CODE_SIGN\n"); - goto out; - } + /* check extended key usage flag XKU_CODE_SIGN */ + if (!(X509_get_extended_key_usage(signer) & XKU_CODE_SIGN)) { + printf("Unsupported Signer's certificate purpose XKU_CODE_SIGN\n"); + goto out; + } - verok = 1; /* OK */ + verok = 1; /* OK */ out: - if (!verok) - ERR_print_errors_fp(stdout); - return verok; + if (!verok) + ERR_print_errors_fp(stdout); + return verok; } /* @@ -1316,68 +1316,68 @@ out: */ static int verify_leaf_hash(X509 *cert, const char *leafhash) { - u_char *mdbuf = NULL, *certbuf, *tmp; - u_char cmdbuf[EVP_MAX_MD_SIZE]; - const EVP_MD *md; - long mdlen = 0; - size_t certlen, written; - BIO *bhash; + u_char *mdbuf = NULL, *certbuf, *tmp; + u_char cmdbuf[EVP_MAX_MD_SIZE]; + const EVP_MD *md; + long mdlen = 0; + size_t certlen, written; + BIO *bhash; - /* decode the provided hash */ - char *mdid = OPENSSL_strdup(leafhash); - char *hash = strchr(mdid, ':'); - if (hash == NULL) { - printf("\nUnable to parse -require-leaf-hash parameter: %s\n", leafhash); - return 0; /* FAILED */ - } - *hash++ = '\0'; - md = EVP_get_digestbyname(mdid); - if (md == NULL) { - printf("\nUnable to lookup digest by name '%s'\n", mdid); - OPENSSL_free(mdid); - return 0; /* FAILED */ - } - mdbuf = OPENSSL_hexstr2buf(hash, &mdlen); - if (mdlen != EVP_MD_size(md)) { - printf("\nHash length mismatch: '%s' digest must be %d bytes long (got %ld bytes)\n", - mdid, EVP_MD_size(md), mdlen); - OPENSSL_free(mdid); - OPENSSL_free(mdbuf); - return 0; /* FAILED */ - } - OPENSSL_free(mdid); + /* decode the provided hash */ + char *mdid = OPENSSL_strdup(leafhash); + char *hash = strchr(mdid, ':'); + if (hash == NULL) { + printf("\nUnable to parse -require-leaf-hash parameter: %s\n", leafhash); + return 0; /* FAILED */ + } + *hash++ = '\0'; + md = EVP_get_digestbyname(mdid); + if (md == NULL) { + printf("\nUnable to lookup digest by name '%s'\n", mdid); + OPENSSL_free(mdid); + return 0; /* FAILED */ + } + mdbuf = OPENSSL_hexstr2buf(hash, &mdlen); + if (mdlen != EVP_MD_size(md)) { + printf("\nHash length mismatch: '%s' digest must be %d bytes long (got %ld bytes)\n", + mdid, EVP_MD_size(md), mdlen); + OPENSSL_free(mdid); + OPENSSL_free(mdbuf); + return 0; /* FAILED */ + } + OPENSSL_free(mdid); - /* compute the leaf certificate hash */ - bhash = BIO_new(BIO_f_md()); - if (!BIO_set_md(bhash, md)) { - printf("Unable to set the message digest of BIO\n"); - BIO_free_all(bhash); - OPENSSL_free(mdbuf); - return 0; /* FAILED */ - } - BIO_push(bhash, BIO_new(BIO_s_null())); - certlen = (size_t)i2d_X509(cert, NULL); - certbuf = OPENSSL_malloc(certlen); - tmp = certbuf; - i2d_X509(cert, &tmp); - if (!BIO_write_ex(bhash, certbuf, certlen, &written) || written != certlen) { - BIO_free_all(bhash); - OPENSSL_free(mdbuf); - OPENSSL_free(certbuf); - return 0; /* FAILED */ - } - BIO_gets(bhash, (char*)cmdbuf, EVP_MD_size(md)); - BIO_free_all(bhash); - OPENSSL_free(certbuf); + /* compute the leaf certificate hash */ + bhash = BIO_new(BIO_f_md()); + if (!BIO_set_md(bhash, md)) { + printf("Unable to set the message digest of BIO\n"); + BIO_free_all(bhash); + OPENSSL_free(mdbuf); + return 0; /* FAILED */ + } + BIO_push(bhash, BIO_new(BIO_s_null())); + certlen = (size_t)i2d_X509(cert, NULL); + certbuf = OPENSSL_malloc(certlen); + tmp = certbuf; + i2d_X509(cert, &tmp); + if (!BIO_write_ex(bhash, certbuf, certlen, &written) || written != certlen) { + BIO_free_all(bhash); + OPENSSL_free(mdbuf); + OPENSSL_free(certbuf); + return 0; /* FAILED */ + } + BIO_gets(bhash, (char*)cmdbuf, EVP_MD_size(md)); + BIO_free_all(bhash); + OPENSSL_free(certbuf); - /* compare the provided hash against the computed hash */ - if (memcmp(mdbuf, cmdbuf, (size_t)EVP_MD_size(md))) { - print_hash("\nLeaf hash value mismatch", "computed", cmdbuf, EVP_MD_size(md)); - OPENSSL_free(mdbuf); - return 0; /* FAILED */ - } - OPENSSL_free(mdbuf); - return 1; /* OK */ + /* compare the provided hash against the computed hash */ + if (memcmp(mdbuf, cmdbuf, (size_t)EVP_MD_size(md))) { + print_hash("\nLeaf hash value mismatch", "computed", cmdbuf, EVP_MD_size(md)); + OPENSSL_free(mdbuf); + return 0; /* FAILED */ + } + OPENSSL_free(mdbuf); + return 1; /* OK */ } /* @@ -1387,38 +1387,38 @@ static int verify_leaf_hash(X509 *cert, const char *leafhash) */ static int print_cms_timestamp(CMS_ContentInfo *timestamp, time_t time) { - STACK_OF(CMS_SignerInfo) *sinfos; - CMS_SignerInfo *si; - int md_nid; - ASN1_INTEGER *serialno; - char *issuer_name, *serial; - BIGNUM *serialbn; - X509_ALGOR *pdig; - X509_NAME *issuer = NULL; + STACK_OF(CMS_SignerInfo) *sinfos; + CMS_SignerInfo *si; + int md_nid; + ASN1_INTEGER *serialno; + char *issuer_name, *serial; + BIGNUM *serialbn; + X509_ALGOR *pdig; + X509_NAME *issuer = NULL; - sinfos = CMS_get0_SignerInfos(timestamp); - if (sinfos == NULL) - return 0; /* FAILED */ - si = sk_CMS_SignerInfo_value(sinfos, 0); - if (si == NULL) - return 0; /* FAILED */ - printf("\nThe signature is timestamped: "); - print_time_t(time); - CMS_SignerInfo_get0_algs(si, NULL, NULL, &pdig, NULL); - if (pdig == NULL || pdig->algorithm == NULL) - return 0; /* FAILED */ - md_nid = OBJ_obj2nid(pdig->algorithm); - printf("Hash Algorithm: %s\n", (md_nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(md_nid)); - if (!CMS_SignerInfo_get0_signer_id(si, NULL, &issuer, &serialno) || !issuer) - return 0; /* FAILED */ - issuer_name = X509_NAME_oneline(issuer, NULL, 0); - serialbn = ASN1_INTEGER_to_BN(serialno, NULL); - serial = BN_bn2hex(serialbn); - printf("Timestamp Verified by:\n\t\tIssuer : %s\n\t\tSerial : %s\n", issuer_name, serial); - OPENSSL_free(issuer_name); - BN_free(serialbn); - OPENSSL_free(serial); - return 1; /* OK */ + sinfos = CMS_get0_SignerInfos(timestamp); + if (sinfos == NULL) + return 0; /* FAILED */ + si = sk_CMS_SignerInfo_value(sinfos, 0); + if (si == NULL) + return 0; /* FAILED */ + printf("\nThe signature is timestamped: "); + print_time_t(time); + CMS_SignerInfo_get0_algs(si, NULL, NULL, &pdig, NULL); + if (pdig == NULL || pdig->algorithm == NULL) + return 0; /* FAILED */ + md_nid = OBJ_obj2nid(pdig->algorithm); + printf("Hash Algorithm: %s\n", (md_nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(md_nid)); + if (!CMS_SignerInfo_get0_signer_id(si, NULL, &issuer, &serialno) || !issuer) + return 0; /* FAILED */ + issuer_name = X509_NAME_oneline(issuer, NULL, 0); + serialbn = ASN1_INTEGER_to_BN(serialno, NULL); + serial = BN_bn2hex(serialbn); + printf("Timestamp Verified by:\n\t\tIssuer : %s\n\t\tSerial : %s\n", issuer_name, serial); + OPENSSL_free(issuer_name); + BN_free(serialbn); + OPENSSL_free(serial); + return 1; /* OK */ } /* @@ -1431,177 +1431,177 @@ static int print_cms_timestamp(CMS_ContentInfo *timestamp, time_t time) */ static time_t time_t_timestamp_get_attributes(CMS_ContentInfo **timestamp, PKCS7 *p7, int verbose) { - STACK_OF(PKCS7_SIGNER_INFO) *signer_info; - PKCS7_SIGNER_INFO *si; - int md_nid, i; - STACK_OF(X509_ATTRIBUTE) *auth_attr, *unauth_attr; - X509_ATTRIBUTE *attr; - ASN1_OBJECT *object; - ASN1_STRING *value; - char object_txt[128]; - time_t time = INVALID_TIME; - - signer_info = PKCS7_get_signer_info(p7); - if (!signer_info) - return INVALID_TIME; /* FAILED */ - si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); - if (!si) - return INVALID_TIME; /* FAILED */ - md_nid = OBJ_obj2nid(si->digest_alg->algorithm); - printf("\nMessage digest algorithm: %s\n", - (md_nid == NID_undef) ? "UNKNOWN" : OBJ_nid2sn(md_nid)); - printf("\nAuthenticated attributes:\n"); - auth_attr = PKCS7_get_signed_attributes(si); /* cont[0] */ - for (i=0; imoreInfo && opus->moreInfo->type == 0) { - char *url = OPENSSL_strdup((char *)opus->moreInfo->value.url->data); - printf("\tURL description: %s\n", url); - OPENSSL_free(url); - } - if (opus->programName) { - char *desc = NULL; - if (opus->programName->type == 0) { - u_char *opusdata; - int len = ASN1_STRING_to_UTF8(&opusdata, opus->programName->value.unicode); - if (len >= 0) { - desc = OPENSSL_strndup((char *)opusdata, (size_t)len); - OPENSSL_free(opusdata); - } - } else { - desc = OPENSSL_strdup((char *)opus->programName->value.ascii->data); - } - if (desc) { - printf("\tText description: %s\n", desc); - OPENSSL_free(desc); - } - } - SpcSpOpusInfo_free(opus); - } else if (!strcmp(object_txt, SPC_STATEMENT_TYPE_OBJID)) { - /* Microsoft OID: 1.3.6.1.4.1.311.2.1.11 */ - const u_char *purpose; - value = X509_ATTRIBUTE_get0_data(attr, 0, V_ASN1_SEQUENCE, NULL); - if (value == NULL) - continue; - purpose = ASN1_STRING_get0_data(value); - if (!memcmp(purpose, purpose_comm, sizeof purpose_comm)) - printf("\tMicrosoft Commercial Code Signing purpose\n"); - else if (!memcmp(purpose, purpose_ind, sizeof purpose_ind)) - printf("\tMicrosoft Individual Code Signing purpose\n"); - else - printf("\tUnrecognized Code Signing purpose\n"); - } else if (!strcmp(object_txt, MS_JAVA_SOMETHING)) { - /* Microsoft OID: 1.3.6.1.4.1.311.15.1 */ - const u_char *level; - value = X509_ATTRIBUTE_get0_data(attr, 0, V_ASN1_SEQUENCE, NULL); - if (value == NULL) - continue; - level = ASN1_STRING_get0_data(value); - if (!memcmp(level, java_attrs_low, sizeof java_attrs_low)) - printf("\tLow level of permissions in Microsoft Internet Explorer 4.x for CAB files\n"); - else - printf("\tUnrecognized level of permissions in Microsoft Internet Explorer 4.x for CAB files\n"); - } - } + STACK_OF(PKCS7_SIGNER_INFO) *signer_info; + PKCS7_SIGNER_INFO *si; + int md_nid, i; + STACK_OF(X509_ATTRIBUTE) *auth_attr, *unauth_attr; + X509_ATTRIBUTE *attr; + ASN1_OBJECT *object; + ASN1_STRING *value; + char object_txt[128]; + time_t time = INVALID_TIME; - /* Unauthenticated attributes */ - unauth_attr = PKCS7_get_attributes(si); /* cont[1] */ - for (i=0; id.sign, countersi); - if (*timestamp) { - if (!print_cms_timestamp(*timestamp, time)) - return INVALID_TIME; /* FAILED */ - } else { - printf("Error: Corrupt Authenticode Timestamp embedded content\n"); - } - } else { - printf("Error: PKCS9_TIMESTAMP_SIGNING_TIME attribute not found\n"); - PKCS7_SIGNER_INFO_free(countersi); - } - } else if (!strcmp(object_txt, SPC_RFC3161_OBJID)) { - /* RFC3161 Timestamp - Policy OID: 1.3.6.1.4.1.311.3.3.1 */ - const u_char *data; - value = X509_ATTRIBUTE_get0_data(attr, 0, V_ASN1_SEQUENCE, NULL); - if (value == NULL) - continue; - data = ASN1_STRING_get0_data(value); - *timestamp = d2i_CMS_ContentInfo(NULL, &data, ASN1_STRING_length(value)); - if (*timestamp == NULL) { - printf("Error: RFC3161 Timestamp could not be decoded correctly\n"); - ERR_print_errors_fp(stdout); - continue; - } - time = time_t_get_cms_time(*timestamp); - if (time != INVALID_TIME) { - if (!print_cms_timestamp(*timestamp, time)) - return INVALID_TIME; /* FAILED */ - } else { - printf("Error: Corrupt RFC3161 Timestamp embedded content\n"); - CMS_ContentInfo_free(*timestamp); - ERR_print_errors_fp(stdout); - } - } else if (!strcmp(object_txt, SPC_UNAUTHENTICATED_DATA_BLOB_OBJID)) { - /* Unauthenticated Data Blob - Policy OID: 1.3.6.1.4.1.42921.1.2.1 */ - ASN1_STRING *blob = X509_ATTRIBUTE_get0_data(attr, 0, V_ASN1_UTF8STRING, NULL); - if (verbose) { - char *data_blob = OPENSSL_buf2hexstr(blob->data, blob->length); - printf("\nUnauthenticated Data Blob:\n%s\n", data_blob); - OPENSSL_free(data_blob); - } else { - printf("\nUnauthenticated Data Blob length: %d bytes\n", blob->length); - } - } - } - return time; + signer_info = PKCS7_get_signer_info(p7); + if (!signer_info) + return INVALID_TIME; /* FAILED */ + si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); + if (!si) + return INVALID_TIME; /* FAILED */ + md_nid = OBJ_obj2nid(si->digest_alg->algorithm); + printf("\nMessage digest algorithm: %s\n", + (md_nid == NID_undef) ? "UNKNOWN" : OBJ_nid2sn(md_nid)); + printf("\nAuthenticated attributes:\n"); + auth_attr = PKCS7_get_signed_attributes(si); /* cont[0] */ + for (i=0; imoreInfo && opus->moreInfo->type == 0) { + char *url = OPENSSL_strdup((char *)opus->moreInfo->value.url->data); + printf("\tURL description: %s\n", url); + OPENSSL_free(url); + } + if (opus->programName) { + char *desc = NULL; + if (opus->programName->type == 0) { + u_char *opusdata; + int len = ASN1_STRING_to_UTF8(&opusdata, opus->programName->value.unicode); + if (len >= 0) { + desc = OPENSSL_strndup((char *)opusdata, (size_t)len); + OPENSSL_free(opusdata); + } + } else { + desc = OPENSSL_strdup((char *)opus->programName->value.ascii->data); + } + if (desc) { + printf("\tText description: %s\n", desc); + OPENSSL_free(desc); + } + } + SpcSpOpusInfo_free(opus); + } else if (!strcmp(object_txt, SPC_STATEMENT_TYPE_OBJID)) { + /* Microsoft OID: 1.3.6.1.4.1.311.2.1.11 */ + const u_char *purpose; + value = X509_ATTRIBUTE_get0_data(attr, 0, V_ASN1_SEQUENCE, NULL); + if (value == NULL) + continue; + purpose = ASN1_STRING_get0_data(value); + if (!memcmp(purpose, purpose_comm, sizeof purpose_comm)) + printf("\tMicrosoft Commercial Code Signing purpose\n"); + else if (!memcmp(purpose, purpose_ind, sizeof purpose_ind)) + printf("\tMicrosoft Individual Code Signing purpose\n"); + else + printf("\tUnrecognized Code Signing purpose\n"); + } else if (!strcmp(object_txt, MS_JAVA_SOMETHING)) { + /* Microsoft OID: 1.3.6.1.4.1.311.15.1 */ + const u_char *level; + value = X509_ATTRIBUTE_get0_data(attr, 0, V_ASN1_SEQUENCE, NULL); + if (value == NULL) + continue; + level = ASN1_STRING_get0_data(value); + if (!memcmp(level, java_attrs_low, sizeof java_attrs_low)) + printf("\tLow level of permissions in Microsoft Internet Explorer 4.x for CAB files\n"); + else + printf("\tUnrecognized level of permissions in Microsoft Internet Explorer 4.x for CAB files\n"); + } + } + + /* Unauthenticated attributes */ + unauth_attr = PKCS7_get_attributes(si); /* cont[1] */ + for (i=0; id.sign, countersi); + if (*timestamp) { + if (!print_cms_timestamp(*timestamp, time)) + return INVALID_TIME; /* FAILED */ + } else { + printf("Error: Corrupt Authenticode Timestamp embedded content\n"); + } + } else { + printf("Error: PKCS9_TIMESTAMP_SIGNING_TIME attribute not found\n"); + PKCS7_SIGNER_INFO_free(countersi); + } + } else if (!strcmp(object_txt, SPC_RFC3161_OBJID)) { + /* RFC3161 Timestamp - Policy OID: 1.3.6.1.4.1.311.3.3.1 */ + const u_char *data; + value = X509_ATTRIBUTE_get0_data(attr, 0, V_ASN1_SEQUENCE, NULL); + if (value == NULL) + continue; + data = ASN1_STRING_get0_data(value); + *timestamp = d2i_CMS_ContentInfo(NULL, &data, ASN1_STRING_length(value)); + if (*timestamp == NULL) { + printf("Error: RFC3161 Timestamp could not be decoded correctly\n"); + ERR_print_errors_fp(stdout); + continue; + } + time = time_t_get_cms_time(*timestamp); + if (time != INVALID_TIME) { + if (!print_cms_timestamp(*timestamp, time)) + return INVALID_TIME; /* FAILED */ + } else { + printf("Error: Corrupt RFC3161 Timestamp embedded content\n"); + CMS_ContentInfo_free(*timestamp); + ERR_print_errors_fp(stdout); + } + } else if (!strcmp(object_txt, SPC_UNAUTHENTICATED_DATA_BLOB_OBJID)) { + /* Unauthenticated Data Blob - Policy OID: 1.3.6.1.4.1.42921.1.2.1 */ + ASN1_STRING *blob = X509_ATTRIBUTE_get0_data(attr, 0, V_ASN1_UTF8STRING, NULL); + if (verbose) { + char *data_blob = OPENSSL_buf2hexstr(blob->data, blob->length); + printf("\nUnauthenticated Data Blob:\n%s\n", data_blob); + OPENSSL_free(data_blob); + } else { + printf("\nUnauthenticated Data Blob length: %d bytes\n", blob->length); + } + } + } + return time; } /* @@ -1611,20 +1611,20 @@ static time_t time_t_timestamp_get_attributes(CMS_ContentInfo **timestamp, PKCS7 */ static time_t time_t_get_asn1_time(const ASN1_TIME *s) { - struct tm tm; + struct tm tm; - if ((s == NULL) || (!ASN1_TIME_check(s))) { - return INVALID_TIME; - } - if (ASN1_TIME_to_tm(s, &tm)) { + if ((s == NULL) || (!ASN1_TIME_check(s))) { + return INVALID_TIME; + } + if (ASN1_TIME_to_tm(s, &tm)) { #ifdef _WIN32 - return _mkgmtime(&tm); + return _mkgmtime(&tm); #else - return timegm(&tm); + return timegm(&tm); #endif - } else { - return INVALID_TIME; - } + } else { + return INVALID_TIME; + } } /* @@ -1634,30 +1634,30 @@ static time_t time_t_get_asn1_time(const ASN1_TIME *s) */ static time_t time_t_get_si_time(PKCS7_SIGNER_INFO *si) { - STACK_OF(X509_ATTRIBUTE) *auth_attr; - X509_ATTRIBUTE *attr; - ASN1_OBJECT *object; - ASN1_UTCTIME *time = NULL; - time_t posix_time; - char object_txt[128]; - int i; + STACK_OF(X509_ATTRIBUTE) *auth_attr; + X509_ATTRIBUTE *attr; + ASN1_OBJECT *object; + ASN1_UTCTIME *time = NULL; + time_t posix_time; + char object_txt[128]; + int i; - auth_attr = PKCS7_get_signed_attributes(si); /* cont[0] */ - if (auth_attr) - for (i=0; idata; - token = d2i_TimeStampToken(NULL, &p, (*pos)->length); - if (token) { - asn1_time = token->time; - posix_time = time_t_get_asn1_time(asn1_time); - TimeStampToken_free(token); - } - } - return posix_time; + pos = CMS_get0_content(cms); + if (pos != NULL && *pos != NULL) { + p = (*pos)->data; + token = d2i_TimeStampToken(NULL, &p, (*pos)->length); + if (token) { + asn1_time = token->time; + posix_time = time_t_get_asn1_time(asn1_time); + TimeStampToken_free(token); + } + } + return posix_time; } /* @@ -1694,56 +1694,56 @@ static time_t time_t_get_cms_time(CMS_ContentInfo *cms) * [returns] pointer to CMS_ContentInfo structure */ static CMS_ContentInfo *cms_get_timestamp(PKCS7_SIGNED *p7_signed, - PKCS7_SIGNER_INFO *countersignature) + PKCS7_SIGNER_INFO *countersignature) { - CMS_ContentInfo *cms = NULL; - PKCS7_SIGNER_INFO *si; - PKCS7 *p7 = NULL, *content = NULL; - u_char *p = NULL; - const u_char *q; - int i, len = 0; + CMS_ContentInfo *cms = NULL; + PKCS7_SIGNER_INFO *si; + PKCS7 *p7 = NULL, *content = NULL; + u_char *p = NULL; + const u_char *q; + int i, len = 0; - p7 = PKCS7_new(); - si = sk_PKCS7_SIGNER_INFO_value(p7_signed->signer_info, 0); - if (si == NULL) - goto out; + p7 = PKCS7_new(); + si = sk_PKCS7_SIGNER_INFO_value(p7_signed->signer_info, 0); + if (si == NULL) + goto out; - /* Create new signed PKCS7 timestamp structure. */ - if (!PKCS7_set_type(p7, NID_pkcs7_signed)) - goto out; - if (!PKCS7_add_signer(p7, countersignature)) - goto out; - for (i = 0; i < sk_X509_num(p7_signed->cert); i++) { - if (!PKCS7_add_certificate(p7, sk_X509_value(p7_signed->cert, i))) - goto out; - } - /* Create new encapsulated NID_id_smime_ct_TSTInfo content. */ - content = PKCS7_new(); - content->d.other = ASN1_TYPE_new(); - content->type = OBJ_nid2obj(NID_id_smime_ct_TSTInfo); - ASN1_TYPE_set1(content->d.other, V_ASN1_OCTET_STRING, si->enc_digest); - /* Add encapsulated content to signed PKCS7 timestamp structure: - p7->d.sign->contents = content */ - if (!PKCS7_set_content(p7, content)) { - PKCS7_free(content); - goto out; - } - /* Convert PKCS7 into CMS_ContentInfo */ - if (((len = i2d_PKCS7(p7, NULL)) <= 0) || (p = OPENSSL_malloc((size_t)len)) == NULL) { - printf("Failed to convert pkcs7: %d\n", len); - goto out; - } - len = i2d_PKCS7(p7, &p); - p -= len; - q = p; - cms = d2i_CMS_ContentInfo(NULL, &q, len); - OPENSSL_free(p); + /* Create new signed PKCS7 timestamp structure. */ + if (!PKCS7_set_type(p7, NID_pkcs7_signed)) + goto out; + if (!PKCS7_add_signer(p7, countersignature)) + goto out; + for (i = 0; i < sk_X509_num(p7_signed->cert); i++) { + if (!PKCS7_add_certificate(p7, sk_X509_value(p7_signed->cert, i))) + goto out; + } + /* Create new encapsulated NID_id_smime_ct_TSTInfo content. */ + content = PKCS7_new(); + content->d.other = ASN1_TYPE_new(); + content->type = OBJ_nid2obj(NID_id_smime_ct_TSTInfo); + ASN1_TYPE_set1(content->d.other, V_ASN1_OCTET_STRING, si->enc_digest); + /* Add encapsulated content to signed PKCS7 timestamp structure: + p7->d.sign->contents = content */ + if (!PKCS7_set_content(p7, content)) { + PKCS7_free(content); + goto out; + } + /* Convert PKCS7 into CMS_ContentInfo */ + if (((len = i2d_PKCS7(p7, NULL)) <= 0) || (p = OPENSSL_malloc((size_t)len)) == NULL) { + printf("Failed to convert pkcs7: %d\n", len); + goto out; + } + len = i2d_PKCS7(p7, &p); + p -= len; + q = p; + cms = d2i_CMS_ContentInfo(NULL, &q, len); + OPENSSL_free(p); out: - if (!cms) - ERR_print_errors_fp(stdout); - PKCS7_free(p7); - return cms; + if (!cms) + ERR_print_errors_fp(stdout); + PKCS7_free(p7); + return cms; } /* @@ -1755,66 +1755,66 @@ out: */ static int verify_member(FILE_FORMAT_CTX *ctx, CatalogAuthAttr *attribute) { - int mdlen, mdtype = -1; - u_char mdbuf[EVP_MAX_MD_SIZE]; - SpcIndirectDataContent *idc; - const u_char *data; - ASN1_STRING *value; - STACK_OF(ASN1_TYPE) *contents; - ASN1_TYPE *content; - const EVP_MD *md; - u_char *cmdbuf = NULL; + int mdlen, mdtype = -1; + u_char mdbuf[EVP_MAX_MD_SIZE]; + SpcIndirectDataContent *idc; + const u_char *data; + ASN1_STRING *value; + STACK_OF(ASN1_TYPE) *contents; + ASN1_TYPE *content; + const EVP_MD *md; + u_char *cmdbuf = NULL; - value = attribute->contents->value.sequence; - data = value->data; - contents = d2i_ASN1_SET_ANY(NULL, &data, value->length); - if (contents == NULL) { - return 1; /* FAILED */ - } - content = sk_ASN1_TYPE_value(contents, 0); - sk_ASN1_TYPE_free(contents); - value = content->value.sequence; - data = value->data; - idc = d2i_SpcIndirectDataContent(NULL, &data, value->length); - if (!idc) { - printf("Failed to extract SpcIndirectDataContent data\n"); - ASN1_TYPE_free(content); - return 1; /* FAILED */ - } - if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) { - /* get a digest algorithm a message digest of the file from the content */ - mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm); - memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length); - } - ASN1_TYPE_free(content); - if (mdtype == -1) { - printf("Failed to extract current message digest\n\n"); - return 1; /* FAILED */ - } - md = EVP_get_digestbynid(mdtype); - cmdbuf = ctx->format->digest_calc(ctx, md); - if (!cmdbuf) { - printf("Failed to compute a message digest value\n\n"); - return 1; /* Failed */ - } - mdlen = EVP_MD_size(EVP_get_digestbynid(mdtype)); - if (memcmp(mdbuf, cmdbuf, (size_t)mdlen)) { - OPENSSL_free(cmdbuf); - return 1; /* FAILED */ - } else { - printf("Message digest algorithm : %s\n", OBJ_nid2sn(mdtype)); - print_hash("Current message digest ", "", mdbuf, mdlen); - print_hash("Calculated message digest ", "\n", cmdbuf, mdlen); - } - OPENSSL_free(cmdbuf); + value = attribute->contents->value.sequence; + data = value->data; + contents = d2i_ASN1_SET_ANY(NULL, &data, value->length); + if (contents == NULL) { + return 1; /* FAILED */ + } + content = sk_ASN1_TYPE_value(contents, 0); + sk_ASN1_TYPE_free(contents); + value = content->value.sequence; + data = value->data; + idc = d2i_SpcIndirectDataContent(NULL, &data, value->length); + if (!idc) { + printf("Failed to extract SpcIndirectDataContent data\n"); + ASN1_TYPE_free(content); + return 1; /* FAILED */ + } + if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) { + /* get a digest algorithm a message digest of the file from the content */ + mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm); + memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length); + } + ASN1_TYPE_free(content); + if (mdtype == -1) { + printf("Failed to extract current message digest\n\n"); + return 1; /* FAILED */ + } + md = EVP_get_digestbynid(mdtype); + cmdbuf = ctx->format->digest_calc(ctx, md); + if (!cmdbuf) { + printf("Failed to compute a message digest value\n\n"); + return 1; /* Failed */ + } + mdlen = EVP_MD_size(EVP_get_digestbynid(mdtype)); + if (memcmp(mdbuf, cmdbuf, (size_t)mdlen)) { + OPENSSL_free(cmdbuf); + return 1; /* FAILED */ + } else { + printf("Message digest algorithm : %s\n", OBJ_nid2sn(mdtype)); + print_hash("Current message digest ", "", mdbuf, mdlen); + print_hash("Calculated message digest ", "\n", cmdbuf, mdlen); + } + OPENSSL_free(cmdbuf); - if (idc->data && ctx->format->verify_indirect_data - && !ctx->format->verify_indirect_data(ctx, idc->data)) { - SpcIndirectDataContent_free(idc); - return 1; /* FAILED */ - } - SpcIndirectDataContent_free(idc); - return 0; /* OK */ + if (idc->data && ctx->format->verify_indirect_data + && !ctx->format->verify_indirect_data(ctx, idc->data)) { + SpcIndirectDataContent_free(idc); + return 1; /* FAILED */ + } + SpcIndirectDataContent_free(idc); + return 0; /* OK */ } /* @@ -1826,47 +1826,47 @@ static int verify_member(FILE_FORMAT_CTX *ctx, CatalogAuthAttr *attribute) */ static int verify_content(FILE_FORMAT_CTX *ctx, PKCS7 *p7) { - ASN1_STRING *value; - const u_char *data; - MsCtlContent *ctlc; - int i, j; + ASN1_STRING *value; + const u_char *data; + MsCtlContent *ctlc; + int i, j; - if (!is_content_type(p7, MS_CTL_OBJID)) { - printf("Failed to find MS_CTL_OBJID\n"); - return 1; /* FAILED */ - } - value = p7->d.sign->contents->d.other->value.sequence; - data = value->data; - ctlc = d2i_MsCtlContent(NULL, &data, value->length); - if (!ctlc) { - printf("Failed to extract MS_CTL_OBJID data\n"); - return 1; /* FAILED */ - } - ASN1_OBJECT *indir_objid = OBJ_txt2obj(SPC_INDIRECT_DATA_OBJID, 1); - for (i = 0; i < sk_CatalogInfo_num(ctlc->header_attributes); i++) { - STACK_OF(CatalogAuthAttr) *attributes; - CatalogInfo *header_attr = sk_CatalogInfo_value(ctlc->header_attributes, i); - if (header_attr == NULL) - continue; - attributes = header_attr->attributes; - for (j = 0; j < sk_CatalogAuthAttr_num(attributes); j++) { - CatalogAuthAttr *attribute = sk_CatalogAuthAttr_value(attributes, j); - if (!attribute) - continue; - if (OBJ_cmp(attribute->type, indir_objid)) - continue; - if (!verify_member(ctx, attribute)) { - /* computed message digest of the file is found in the catalog file */ - MsCtlContent_free(ctlc); - ASN1_OBJECT_free(indir_objid); - return 0; /* OK */ - } - } - } - MsCtlContent_free(ctlc); - ASN1_OBJECT_free(indir_objid); - ERR_print_errors_fp(stdout); - return 1; /* FAILED */ + if (!is_content_type(p7, MS_CTL_OBJID)) { + printf("Failed to find MS_CTL_OBJID\n"); + return 1; /* FAILED */ + } + value = p7->d.sign->contents->d.other->value.sequence; + data = value->data; + ctlc = d2i_MsCtlContent(NULL, &data, value->length); + if (!ctlc) { + printf("Failed to extract MS_CTL_OBJID data\n"); + return 1; /* FAILED */ + } + ASN1_OBJECT *indir_objid = OBJ_txt2obj(SPC_INDIRECT_DATA_OBJID, 1); + for (i = 0; i < sk_CatalogInfo_num(ctlc->header_attributes); i++) { + STACK_OF(CatalogAuthAttr) *attributes; + CatalogInfo *header_attr = sk_CatalogInfo_value(ctlc->header_attributes, i); + if (header_attr == NULL) + continue; + attributes = header_attr->attributes; + for (j = 0; j < sk_CatalogAuthAttr_num(attributes); j++) { + CatalogAuthAttr *attribute = sk_CatalogAuthAttr_value(attributes, j); + if (!attribute) + continue; + if (OBJ_cmp(attribute->type, indir_objid)) + continue; + if (!verify_member(ctx, attribute)) { + /* computed message digest of the file is found in the catalog file */ + MsCtlContent_free(ctlc); + ASN1_OBJECT_free(indir_objid); + return 0; /* OK */ + } + } + } + MsCtlContent_free(ctlc); + ASN1_OBJECT_free(indir_objid); + ERR_print_errors_fp(stdout); + return 1; /* FAILED */ } /* @@ -1876,69 +1876,69 @@ static int verify_content(FILE_FORMAT_CTX *ctx, PKCS7 *p7) */ static int verify_signature(FILE_FORMAT_CTX *ctx, PKCS7 *p7) { - int leafok, verok; - STACK_OF(X509) *signers; - X509 *signer; - char *url; + int leafok, verok; + STACK_OF(X509) *signers; + X509 *signer; + char *url; CMS_ContentInfo *timestamp = NULL; - time_t time; + time_t time; - signers = PKCS7_get0_signers(p7, NULL, 0); - if (!signers || sk_X509_num(signers) != 1) { - printf("PKCS7_get0_signers error\n"); - return 1; /* FAILED */ - } - signer = sk_X509_value(signers, 0); - sk_X509_free(signers); - printf("Signer's certificate:\n"); - print_cert(signer, 0); + signers = PKCS7_get0_signers(p7, NULL, 0); + if (!signers || sk_X509_num(signers) != 1) { + printf("PKCS7_get0_signers error\n"); + return 1; /* FAILED */ + } + signer = sk_X509_value(signers, 0); + sk_X509_free(signers); + printf("Signer's certificate:\n"); + print_cert(signer, 0); - if (!print_certs(p7)) - printf("Print certs error\n"); - time = time_t_timestamp_get_attributes(×tamp, p7, ctx->options->verbose); - if (ctx->options->leafhash != NULL) { - leafok = verify_leaf_hash(signer, ctx->options->leafhash); - printf("\nLeaf hash match: %s\n", leafok ? "ok" : "failed"); - if (!leafok) { - printf("Signature verification: failed\n\n"); - return 1; /* FAILED */ - } - } - if (ctx->options->catalog) - printf("\nFile is signed in catalog: %s\n", ctx->options->catalog); - printf("\nCAfile: %s\n", ctx->options->cafile); - if (ctx->options->crlfile) - printf("CRLfile: %s\n", ctx->options->crlfile); - if (ctx->options->tsa_cafile) - printf("TSA's certificates file: %s\n", ctx->options->tsa_cafile); - if (ctx->options->tsa_crlfile) - printf("TSA's CRL file: %s\n", ctx->options->tsa_crlfile); - url = clrdp_url_get_x509(signer); - if (url) { - printf("CRL distribution point: %s\n", url); - OPENSSL_free(url); - } - if (timestamp) { - if (ctx->options->ignore_timestamp) { - printf("\nTimestamp Server Signature verification is disabled\n\n"); - time = INVALID_TIME; - } else { - int timeok = verify_timestamp(ctx, p7, timestamp, time); - printf("Timestamp Server Signature verification: %s\n", timeok ? "ok" : "failed"); - if (!timeok) { - time = INVALID_TIME; - } - } - CMS_ContentInfo_free(timestamp); - ERR_clear_error(); - } else - printf("\nTimestamp is not available\n\n"); - verok = verify_authenticode(ctx, p7, time, signer); - printf("Signature verification: %s\n\n", verok ? "ok" : "failed"); - if (!verok) - return 1; /* FAILED */ + if (!print_certs(p7)) + printf("Print certs error\n"); + time = time_t_timestamp_get_attributes(×tamp, p7, ctx->options->verbose); + if (ctx->options->leafhash != NULL) { + leafok = verify_leaf_hash(signer, ctx->options->leafhash); + printf("\nLeaf hash match: %s\n", leafok ? "ok" : "failed"); + if (!leafok) { + printf("Signature verification: failed\n\n"); + return 1; /* FAILED */ + } + } + if (ctx->options->catalog) + printf("\nFile is signed in catalog: %s\n", ctx->options->catalog); + printf("\nCAfile: %s\n", ctx->options->cafile); + if (ctx->options->crlfile) + printf("CRLfile: %s\n", ctx->options->crlfile); + if (ctx->options->tsa_cafile) + printf("TSA's certificates file: %s\n", ctx->options->tsa_cafile); + if (ctx->options->tsa_crlfile) + printf("TSA's CRL file: %s\n", ctx->options->tsa_crlfile); + url = clrdp_url_get_x509(signer); + if (url) { + printf("CRL distribution point: %s\n", url); + OPENSSL_free(url); + } + if (timestamp) { + if (ctx->options->ignore_timestamp) { + printf("\nTimestamp Server Signature verification is disabled\n\n"); + time = INVALID_TIME; + } else { + int timeok = verify_timestamp(ctx, p7, timestamp, time); + printf("Timestamp Server Signature verification: %s\n", timeok ? "ok" : "failed"); + if (!timeok) { + time = INVALID_TIME; + } + } + CMS_ContentInfo_free(timestamp); + ERR_clear_error(); + } else + printf("\nTimestamp is not available\n\n"); + verok = verify_authenticode(ctx, p7, time, signer); + printf("Signature verification: %s\n\n", verok ? "ok" : "failed"); + if (!verok) + return 1; /* FAILED */ - return 0; /* OK */ + return 0; /* OK */ } /* @@ -1951,57 +1951,57 @@ static int verify_signature(FILE_FORMAT_CTX *ctx, PKCS7 *p7) */ static int signature_list_append_pkcs7(STACK_OF(PKCS7) **signatures, PKCS7 *p7, int allownest) { - PKCS7_SIGNER_INFO *si; - STACK_OF(X509_ATTRIBUTE) *unauth_attr; - STACK_OF(PKCS7_SIGNER_INFO) *signer_info = PKCS7_get_signer_info(p7); + PKCS7_SIGNER_INFO *si; + STACK_OF(X509_ATTRIBUTE) *unauth_attr; + STACK_OF(PKCS7_SIGNER_INFO) *signer_info = PKCS7_get_signer_info(p7); - if (!signer_info) { - printf("Failed to obtain PKCS#7 signer info list\n"); - return 0; /* FAILED */ - } - si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0); - if (!si) { - printf("Failed to obtain PKCS#7 signer info value\n"); - return 0; /* FAILED */ - } - unauth_attr = PKCS7_get_attributes(si); /* cont[1] */ - if (unauth_attr) { - /* find Nested Signature - Policy OID: 1.3.6.1.4.1.311.2.4.1 */ - int i; - for (i=0; icatalog ? 1 : 0; - - if (!ctx->format->check_file(ctx, detached)) - return 1; /* FAILED */ + int i, ret = 1; + PKCS7 *p7; + STACK_OF(PKCS7) *signatures; + int detached = options->catalog ? 1 : 0; - if (detached) { - GLOBAL_OPTIONS *cat_options; - FILE_FORMAT_CTX *cat_ctx; - cat_options = OPENSSL_memdup(options, sizeof(GLOBAL_OPTIONS)); - if (!cat_options) { - printf("OPENSSL_memdup error.\n"); - return 1; /* Failed */ - } - cat_options->infile = options->catalog; - cat_options->cmd = CMD_EXTRACT; - cat_ctx = file_format_cat.ctx_new(cat_options, NULL, NULL); - if (!cat_ctx) { - printf("CAT file initialization error\n"); - return 1; /* Failed */ - } - p7 = cat_ctx->format->pkcs7_extract(cat_ctx); - cat_ctx->format->ctx_cleanup(cat_ctx, NULL, NULL); - OPENSSL_free(cat_options); - } else { - p7 = ctx->format->pkcs7_extract(ctx); - } - if (!p7) { - printf("Unable to extract existing signature\n"); - return 1; /* FAILED */ - } - signatures = sk_PKCS7_new_null(); - if (!signature_list_append_pkcs7(&signatures, p7, 1)) { - printf("Failed to create signature list\n\n"); - sk_PKCS7_pop_free(signatures, PKCS7_free); - return 1; /* FAILED */ - } - for (i = 0; i < sk_PKCS7_num(signatures); i++) { - PKCS7 *sig = sk_PKCS7_value(signatures, i); - if (detached) { - if (!verify_content(ctx, sig)) { - ret &= verify_signature(ctx, sig); - } else { - printf("Catalog verification: failed\n\n"); - } - } else if (ctx->format->verify_digests(ctx, sig)) { - printf("Signature Index: %d %s\n", i, i==0 ? " (Primary Signature)" : ""); - ret &= verify_signature(ctx, sig); - } - } - printf("Number of verified signatures: %d\n", i); - sk_PKCS7_pop_free(signatures, PKCS7_free); - if (ret) - ERR_print_errors_fp(stdout); - return ret; + if (!ctx->format->check_file(ctx, detached)) + return 1; /* FAILED */ + + if (detached) { + GLOBAL_OPTIONS *cat_options; + FILE_FORMAT_CTX *cat_ctx; + cat_options = OPENSSL_memdup(options, sizeof(GLOBAL_OPTIONS)); + if (!cat_options) { + printf("OPENSSL_memdup error.\n"); + return 1; /* Failed */ + } + cat_options->infile = options->catalog; + cat_options->cmd = CMD_EXTRACT; + cat_ctx = file_format_cat.ctx_new(cat_options, NULL, NULL); + if (!cat_ctx) { + printf("CAT file initialization error\n"); + return 1; /* Failed */ + } + p7 = cat_ctx->format->pkcs7_extract(cat_ctx); + cat_ctx->format->ctx_cleanup(cat_ctx, NULL, NULL); + OPENSSL_free(cat_options); + } else { + p7 = ctx->format->pkcs7_extract(ctx); + } + if (!p7) { + printf("Unable to extract existing signature\n"); + return 1; /* FAILED */ + } + signatures = sk_PKCS7_new_null(); + if (!signature_list_append_pkcs7(&signatures, p7, 1)) { + printf("Failed to create signature list\n\n"); + sk_PKCS7_pop_free(signatures, PKCS7_free); + return 1; /* FAILED */ + } + for (i = 0; i < sk_PKCS7_num(signatures); i++) { + PKCS7 *sig = sk_PKCS7_value(signatures, i); + if (detached) { + if (!verify_content(ctx, sig)) { + ret &= verify_signature(ctx, sig); + } else { + printf("Catalog verification: failed\n\n"); + } + } else if (ctx->format->verify_digests(ctx, sig)) { + printf("Signature Index: %d %s\n", i, i==0 ? " (Primary Signature)" : ""); + ret &= verify_signature(ctx, sig); + } + } + printf("Number of verified signatures: %d\n", i); + sk_PKCS7_pop_free(signatures, PKCS7_free); + if (ret) + ERR_print_errors_fp(stdout); + return ret; } /* @@ -2077,20 +2077,20 @@ static int verify_signed_file(FILE_FORMAT_CTX *ctx, GLOBAL_OPTIONS *options) */ static int save_extracted_pkcs7(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7) { - int ret; + int ret; - (void)BIO_reset(outdata); - if (ctx->options->output_pkcs7) { - /* PEM format */ - ret = !PEM_write_bio_PKCS7(outdata, p7); - } else { - /* default DER format */ - ret = !i2d_PKCS7_bio(outdata, p7); - } - if (ret) { - printf("Unable to write pkcs7 object\n"); - } - return ret; + (void)BIO_reset(outdata); + if (ctx->options->output_pkcs7) { + /* PEM format */ + ret = !PEM_write_bio_PKCS7(outdata, p7); + } else { + /* default DER format */ + ret = !i2d_PKCS7_bio(outdata, p7); + } + if (ret) { + printf("Unable to write pkcs7 object\n"); + } + return ret; } /* @@ -2099,38 +2099,38 @@ static int save_extracted_pkcs7(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7) */ static int check_attached_data(GLOBAL_OPTIONS *options) { - FILE_FORMAT_CTX *ctx; - GLOBAL_OPTIONS *tmp_options = NULL; + FILE_FORMAT_CTX *ctx; + GLOBAL_OPTIONS *tmp_options = NULL; - tmp_options = OPENSSL_memdup(options, sizeof(GLOBAL_OPTIONS)); - if (!tmp_options) { - printf("OPENSSL_memdup error.\n"); - return 1; /* Failed */ - } - tmp_options->infile = options->outfile; - tmp_options->cmd = CMD_VERIFY; + tmp_options = OPENSSL_memdup(options, sizeof(GLOBAL_OPTIONS)); + if (!tmp_options) { + printf("OPENSSL_memdup error.\n"); + return 1; /* Failed */ + } + tmp_options->infile = options->outfile; + tmp_options->cmd = CMD_VERIFY; - ctx = file_format_msi.ctx_new(tmp_options, NULL, NULL); - if (!ctx) - ctx = file_format_pe.ctx_new(tmp_options, NULL, NULL); - if (!ctx) - ctx = file_format_cab.ctx_new(tmp_options, NULL, NULL); - if (!ctx) - ctx = file_format_cat.ctx_new(tmp_options, NULL, NULL); - if (!ctx) { - printf("Corrupt attached signature\n"); - OPENSSL_free(tmp_options); - return 1; /* Failed */ - } - if (verify_signed_file(ctx, tmp_options)) { - printf("Signature mismatch\n"); - ctx->format->ctx_cleanup(ctx, NULL, NULL); - OPENSSL_free(tmp_options); - return 1; /* Failed */ - } - ctx->format->ctx_cleanup(ctx, NULL, NULL); - OPENSSL_free(tmp_options); - return 0; /* OK */ + ctx = file_format_msi.ctx_new(tmp_options, NULL, NULL); + if (!ctx) + ctx = file_format_pe.ctx_new(tmp_options, NULL, NULL); + if (!ctx) + ctx = file_format_cab.ctx_new(tmp_options, NULL, NULL); + if (!ctx) + ctx = file_format_cat.ctx_new(tmp_options, NULL, NULL); + if (!ctx) { + printf("Corrupt attached signature\n"); + OPENSSL_free(tmp_options); + return 1; /* Failed */ + } + if (verify_signed_file(ctx, tmp_options)) { + printf("Signature mismatch\n"); + ctx->format->ctx_cleanup(ctx, NULL, NULL); + OPENSSL_free(tmp_options); + return 1; /* Failed */ + } + ctx->format->ctx_cleanup(ctx, NULL, NULL); + OPENSSL_free(tmp_options); + return 0; /* OK */ } /* @@ -2139,24 +2139,24 @@ static int check_attached_data(GLOBAL_OPTIONS *options) */ static void free_options(GLOBAL_OPTIONS *options) { - /* If memory has not been allocated nothing is done */ - OPENSSL_free(options->cafile); - OPENSSL_free(options->tsa_cafile); - OPENSSL_free(options->crlfile); - OPENSSL_free(options->tsa_crlfile); - /* If key is NULL nothing is done */ - EVP_PKEY_free(options->pkey); - options->pkey = NULL; - /* If X509 structure is NULL nothing is done */ - X509_free(options->cert); - options->cert = NULL; - /* Free up all elements of sk structure and sk itself */ - sk_X509_pop_free(options->certs, X509_free); - options->certs = NULL; - sk_X509_pop_free(options->xcerts, X509_free); - options->xcerts = NULL; - sk_X509_CRL_pop_free(options->crls, X509_CRL_free); - options->crls = NULL; + /* If memory has not been allocated nothing is done */ + OPENSSL_free(options->cafile); + OPENSSL_free(options->tsa_cafile); + OPENSSL_free(options->crlfile); + OPENSSL_free(options->tsa_crlfile); + /* If key is NULL nothing is done */ + EVP_PKEY_free(options->pkey); + options->pkey = NULL; + /* If X509 structure is NULL nothing is done */ + X509_free(options->cert); + options->cert = NULL; + /* Free up all elements of sk structure and sk itself */ + sk_X509_pop_free(options->certs, X509_free); + options->certs = NULL; + sk_X509_pop_free(options->xcerts, X509_free); + options->xcerts = NULL; + sk_X509_CRL_pop_free(options->crls, X509_CRL_free); + options->crls = NULL; } @@ -2166,10 +2166,10 @@ static void free_options(GLOBAL_OPTIONS *options) */ static int on_list(const char *txt, const char *list[]) { - while (*list) - if (!strcmp(txt, *list++)) - return 1; /* OK */ - return 0; /* FAILED */ + while (*list) + if (!strcmp(txt, *list++)) + return 1; /* OK */ + return 0; /* FAILED */ } /* @@ -2178,88 +2178,88 @@ static int on_list(const char *txt, const char *list[]) */ static void usage(const char *argv0, const char *cmd) { - const char *cmds_all[] = {"all", NULL}; - const char *cmds_sign[] = {"all", "sign", NULL}; - const char *cmds_add[] = {"all", "add", NULL}; - const char *cmds_attach[] = {"all", "attach-signature", NULL}; - const char *cmds_extract[] = {"all", "extract-signature", NULL}; - const char *cmds_remove[] = {"all", "remove-signature", NULL}; - const char *cmds_verify[] = {"all", "verify", NULL}; + const char *cmds_all[] = {"all", NULL}; + const char *cmds_sign[] = {"all", "sign", NULL}; + const char *cmds_add[] = {"all", "add", NULL}; + const char *cmds_attach[] = {"all", "attach-signature", NULL}; + const char *cmds_extract[] = {"all", "extract-signature", NULL}; + const char *cmds_remove[] = {"all", "remove-signature", NULL}; + const char *cmds_verify[] = {"all", "verify", NULL}; - printf("\nUsage: %s", argv0); - if (on_list(cmd, cmds_all)) { - printf("\n\n%1s[ --version | -v ]\n", ""); - printf("%1s[ --help ]\n\n", ""); - } - if (on_list(cmd, cmds_sign)) { - printf("%1s[ sign ] ( -certs | -spc -key | -pkcs12 |\n", ""); - printf("%12s [ -pkcs11engine ] -pkcs11module -pkcs11cert |\n", ""); - printf("%12s -certs -key )\n", ""); + printf("\nUsage: %s", argv0); + if (on_list(cmd, cmds_all)) { + printf("\n\n%1s[ --version | -v ]\n", ""); + printf("%1s[ --help ]\n\n", ""); + } + if (on_list(cmd, cmds_sign)) { + printf("%1s[ sign ] ( -certs | -spc -key | -pkcs12 |\n", ""); + printf("%12s [ -pkcs11engine ] -pkcs11module -pkcs11cert |\n", ""); + printf("%12s -certs -key )\n", ""); #if OPENSSL_VERSION_NUMBER>=0x30000000L - printf("%12s[ -nolegacy ]\n", ""); + printf("%12s[ -nolegacy ]\n", ""); #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */ - printf("%12s[ -pass ", ""); + printf("%12s[ -pass ", ""); #ifdef PROVIDE_ASKPASS - printf("%1s [ -askpass ]", ""); + printf("%1s [ -askpass ]", ""); #endif /* PROVIDE_ASKPASS */ - printf("%1s[ -readpass ]\n", ""); - printf("%12s[ -ac ]\n", ""); - printf("%12s[ -h {md5,sha1,sha2(56),sha384,sha512} ]\n", ""); - printf("%12s[ -n ] [ -i ] [ -jp ] [ -comm ]\n", ""); - printf("%12s[ -ph ]\n", ""); + printf("%1s[ -readpass ]\n", ""); + printf("%12s[ -ac ]\n", ""); + printf("%12s[ -h {md5,sha1,sha2(56),sha384,sha512} ]\n", ""); + printf("%12s[ -n ] [ -i ] [ -jp ] [ -comm ]\n", ""); + printf("%12s[ -ph ]\n", ""); #ifdef ENABLE_CURL - printf("%12s[ -t [ -t ... ] [ -p ] [ -noverifypeer ]\n", ""); - printf("%12s[ -ts [ -ts ... ] [ -p ] [ -noverifypeer ] ]\n", ""); + printf("%12s[ -t [ -t ... ] [ -p ] [ -noverifypeer ]\n", ""); + printf("%12s[ -ts [ -ts ... ] [ -p ] [ -noverifypeer ] ]\n", ""); #endif /* ENABLE_CURL */ - printf("%12s[ -time ]\n", ""); - printf("%12s[ -addUnauthenticatedBlob ]\n", ""); - printf("%12s[ -nest ]\n", ""); - printf("%12s[ -verbose ]\n", ""); - printf("%12s[ -add-msi-dse ]\n", ""); - printf("%12s[ -in ] [-out ] \n\n", ""); - } - if (on_list(cmd, cmds_add)) { - printf("%1sadd [-addUnauthenticatedBlob]\n", ""); + printf("%12s[ -time ]\n", ""); + printf("%12s[ -addUnauthenticatedBlob ]\n", ""); + printf("%12s[ -nest ]\n", ""); + printf("%12s[ -verbose ]\n", ""); + printf("%12s[ -add-msi-dse ]\n", ""); + printf("%12s[ -in ] [-out ] \n\n", ""); + } + if (on_list(cmd, cmds_add)) { + printf("%1sadd [-addUnauthenticatedBlob]\n", ""); #ifdef ENABLE_CURL - printf("%12s[ -t [ -t ... ] [ -p ] [ -noverifypeer ]\n", ""); - printf("%12s[ -ts [ -ts ... ] [ -p ] [ -noverifypeer ] ]\n", ""); + printf("%12s[ -t [ -t ... ] [ -p ] [ -noverifypeer ]\n", ""); + printf("%12s[ -ts [ -ts ... ] [ -p ] [ -noverifypeer ] ]\n", ""); #endif /* ENABLE_CURL */ - printf("%12s[ -h {md5,sha1,sha2(56),sha384,sha512} ]\n", ""); - printf("%12s[ -verbose ]\n", ""); - printf("%12s[ -add-msi-dse ]\n", ""); - printf("%12s[ -in ] [ -out ] \n\n", ""); - } - if (on_list(cmd, cmds_attach)) { - printf("%1sattach-signature [ -sigin ] \n", ""); - printf("%12s[ -CAfile ]\n", ""); - printf("%12s[ -CRLfile ]\n", ""); - printf("%12s[ -TSA-CAfile ]\n", ""); - printf("%12s[ -TSA-CRLfile ]\n", ""); - printf("%12s[ -time ]\n", ""); - printf("%12s[ -h {md5,sha1,sha2(56),sha384,sha512} ]\n", ""); - printf("%12s[ -require-leaf-hash {md5,sha1,sha2(56),sha384,sha512}:XXXXXXXXXXXX... ]\n", ""); - printf("%12s[ -nest ]\n", ""); - printf("%12s[ -add-msi-dse ]\n", ""); - printf("%12s[ -in ] [ -out ] \n\n", ""); - } - if (on_list(cmd, cmds_extract)) { - printf("%1sextract-signature [ -pem ]\n", ""); - printf("%12s[ -in ] [ -out ] \n\n", ""); - } - if (on_list(cmd, cmds_remove)) - printf("%1sremove-signature [ -in ] [ -out ] \n\n", ""); - if (on_list(cmd, cmds_verify)) { - printf("%1sverify [ -in ] \n", ""); - printf("%12s[ -c | -catalog ]\n", ""); - printf("%12s[ -CAfile ]\n", ""); - printf("%12s[ -CRLfile ]\n", ""); - printf("%12s[ -TSA-CAfile ]\n", ""); - printf("%12s[ -TSA-CRLfile ]\n", ""); - printf("%12s[ -ignore-timestamp ]\n", ""); - printf("%12s[ -time ]\n", ""); - printf("%12s[ -require-leaf-hash {md5,sha1,sha2(56),sha384,sha512}:XXXXXXXXXXXX... ]\n", ""); - printf("%12s[ -verbose ]\n\n", ""); - } + printf("%12s[ -h {md5,sha1,sha2(56),sha384,sha512} ]\n", ""); + printf("%12s[ -verbose ]\n", ""); + printf("%12s[ -add-msi-dse ]\n", ""); + printf("%12s[ -in ] [ -out ] \n\n", ""); + } + if (on_list(cmd, cmds_attach)) { + printf("%1sattach-signature [ -sigin ] \n", ""); + printf("%12s[ -CAfile ]\n", ""); + printf("%12s[ -CRLfile ]\n", ""); + printf("%12s[ -TSA-CAfile ]\n", ""); + printf("%12s[ -TSA-CRLfile ]\n", ""); + printf("%12s[ -time ]\n", ""); + printf("%12s[ -h {md5,sha1,sha2(56),sha384,sha512} ]\n", ""); + printf("%12s[ -require-leaf-hash {md5,sha1,sha2(56),sha384,sha512}:XXXXXXXXXXXX... ]\n", ""); + printf("%12s[ -nest ]\n", ""); + printf("%12s[ -add-msi-dse ]\n", ""); + printf("%12s[ -in ] [ -out ] \n\n", ""); + } + if (on_list(cmd, cmds_extract)) { + printf("%1sextract-signature [ -pem ]\n", ""); + printf("%12s[ -in ] [ -out ] \n\n", ""); + } + if (on_list(cmd, cmds_remove)) + printf("%1sremove-signature [ -in ] [ -out ] \n\n", ""); + if (on_list(cmd, cmds_verify)) { + printf("%1sverify [ -in ] \n", ""); + printf("%12s[ -c | -catalog ]\n", ""); + printf("%12s[ -CAfile ]\n", ""); + printf("%12s[ -CRLfile ]\n", ""); + printf("%12s[ -TSA-CAfile ]\n", ""); + printf("%12s[ -TSA-CRLfile ]\n", ""); + printf("%12s[ -ignore-timestamp ]\n", ""); + printf("%12s[ -time ]\n", ""); + printf("%12s[ -require-leaf-hash {md5,sha1,sha2(56),sha384,sha512}:XXXXXXXXXXXX... ]\n", ""); + printf("%12s[ -verbose ]\n\n", ""); + } } /* @@ -2268,211 +2268,211 @@ static void usage(const char *argv0, const char *cmd) */ static void help_for(const char *argv0, const char *cmd) { - const char *cmds_all[] = {"all", NULL}; - const char *cmds_add[] = {"add", NULL}; - const char *cmds_attach[] = {"attach-signature", NULL}; - const char *cmds_extract[] = {"extract-signature", NULL}; - const char *cmds_remove[] = {"remove-signature", NULL}; - const char *cmds_sign[] = {"sign", NULL}; - const char *cmds_verify[] = {"verify", NULL}; - const char *cmds_ac[] = {"sign", NULL}; - const char *cmds_add_msi_dse[] = {"add", "attach-signature", "sign", NULL}; - const char *cmds_addUnauthenticatedBlob[] = {"sign", "add", NULL}; + const char *cmds_all[] = {"all", NULL}; + const char *cmds_add[] = {"add", NULL}; + const char *cmds_attach[] = {"attach-signature", NULL}; + const char *cmds_extract[] = {"extract-signature", NULL}; + const char *cmds_remove[] = {"remove-signature", NULL}; + const char *cmds_sign[] = {"sign", NULL}; + const char *cmds_verify[] = {"verify", NULL}; + const char *cmds_ac[] = {"sign", NULL}; + const char *cmds_add_msi_dse[] = {"add", "attach-signature", "sign", NULL}; + const char *cmds_addUnauthenticatedBlob[] = {"sign", "add", NULL}; #ifdef PROVIDE_ASKPASS - const char *cmds_askpass[] = {"sign", NULL}; + const char *cmds_askpass[] = {"sign", NULL}; #endif /* PROVIDE_ASKPASS */ - const char *cmds_CAfile[] = {"attach-signature", "verify", NULL}; - const char *cmds_catalog[] = {"verify", NULL}; - const char *cmds_certs[] = {"sign", NULL}; - const char *cmds_comm[] = {"sign", NULL}; - const char *cmds_CRLfile[] = {"attach-signature", "verify", NULL}; - const char *cmds_CRLfileTSA[] = {"attach-signature", "verify", NULL}; - const char *cmds_h[] = {"add", "attach-signature", "sign", NULL}; - const char *cmds_i[] = {"sign", NULL}; - const char *cmds_in[] = {"add", "attach-signature", "extract-signature", "remove-signature", "sign", "verify", NULL}; - const char *cmds_jp[] = {"sign", NULL}; - const char *cmds_key[] = {"sign", NULL}; + const char *cmds_CAfile[] = {"attach-signature", "verify", NULL}; + const char *cmds_catalog[] = {"verify", NULL}; + const char *cmds_certs[] = {"sign", NULL}; + const char *cmds_comm[] = {"sign", NULL}; + const char *cmds_CRLfile[] = {"attach-signature", "verify", NULL}; + const char *cmds_CRLfileTSA[] = {"attach-signature", "verify", NULL}; + const char *cmds_h[] = {"add", "attach-signature", "sign", NULL}; + const char *cmds_i[] = {"sign", NULL}; + const char *cmds_in[] = {"add", "attach-signature", "extract-signature", "remove-signature", "sign", "verify", NULL}; + const char *cmds_jp[] = {"sign", NULL}; + const char *cmds_key[] = {"sign", NULL}; #if OPENSSL_VERSION_NUMBER>=0x30000000L - const char *cmds_nolegacy[] = {"sign", NULL}; + const char *cmds_nolegacy[] = {"sign", NULL}; #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */ - const char *cmds_n[] = {"sign", NULL}; - const char *cmds_nest[] = {"attach-signature", "sign", NULL}; + const char *cmds_n[] = {"sign", NULL}; + const char *cmds_nest[] = {"attach-signature", "sign", NULL}; #ifdef ENABLE_CURL - const char *cmds_noverifypeer[] = {"add", "sign", NULL}; + const char *cmds_noverifypeer[] = {"add", "sign", NULL}; #endif /* ENABLE_CURL */ - const char *cmds_out[] = {"add", "attach-signature", "extract-signature", "remove-signature", "sign", NULL}; + const char *cmds_out[] = {"add", "attach-signature", "extract-signature", "remove-signature", "sign", NULL}; #ifdef ENABLE_CURL - const char *cmds_p[] = {"add", "sign", NULL}; + const char *cmds_p[] = {"add", "sign", NULL}; #endif /* ENABLE_CURL */ - const char *cmds_pass[] = {"sign", NULL}; - const char *cmds_pem[] = {"extract-signature", NULL}; - const char *cmds_ph[] = {"sign", NULL}; - const char *cmds_pkcs11cert[] = {"sign", NULL}; - const char *cmds_pkcs11engine[] = {"sign", NULL}; - const char *cmds_pkcs11module[] = {"sign", NULL}; - const char *cmds_pkcs12[] = {"sign", NULL}; - const char *cmds_readpass[] = {"sign", NULL}; - const char *cmds_require_leaf_hash[] = {"attach-signature", "verify", NULL}; - const char *cmds_sigin[] = {"attach-signature", NULL}; - const char *cmds_time[] = {"attach-signature", "sign", "verify", NULL}; - const char *cmds_ignore_timestamp[] = {"verify", NULL}; + const char *cmds_pass[] = {"sign", NULL}; + const char *cmds_pem[] = {"extract-signature", NULL}; + const char *cmds_ph[] = {"sign", NULL}; + const char *cmds_pkcs11cert[] = {"sign", NULL}; + const char *cmds_pkcs11engine[] = {"sign", NULL}; + const char *cmds_pkcs11module[] = {"sign", NULL}; + const char *cmds_pkcs12[] = {"sign", NULL}; + const char *cmds_readpass[] = {"sign", NULL}; + const char *cmds_require_leaf_hash[] = {"attach-signature", "verify", NULL}; + const char *cmds_sigin[] = {"attach-signature", NULL}; + const char *cmds_time[] = {"attach-signature", "sign", "verify", NULL}; + const char *cmds_ignore_timestamp[] = {"verify", NULL}; #ifdef ENABLE_CURL - const char *cmds_t[] = {"add", "sign", NULL}; - const char *cmds_ts[] = {"add", "sign", NULL}; + const char *cmds_t[] = {"add", "sign", NULL}; + const char *cmds_ts[] = {"add", "sign", NULL}; #endif /* ENABLE_CURL */ - const char *cmds_CAfileTSA[] = {"attach-signature", "verify", NULL}; - const char *cmds_verbose[] = {"add", "sign", "verify", NULL}; + const char *cmds_CAfileTSA[] = {"attach-signature", "verify", NULL}; + const char *cmds_verbose[] = {"add", "sign", "verify", NULL}; - if (on_list(cmd, cmds_all)) { - printf("osslsigncode is a small tool that implements part of the functionality of the Microsoft\n"); - printf("tool signtool.exe - more exactly the Authenticode signing and timestamping.\n"); - printf("It can sign and timestamp PE (EXE/SYS/DLL/etc), CAB and MSI files,\n"); - printf("supports getting the timestamp through a proxy as well.\n"); - printf("osslsigncode also supports signature verification, removal and extraction.\n\n"); - printf("%-22s = print osslsigncode version and usage\n", "--version | -v"); - printf("%-22s = print osslsigncode help menu\n\n", "--help"); - printf("Commands:\n"); - printf("%-22s = add an unauthenticated blob or a timestamp to a previously-signed file\n", "add"); - printf("%-22s = sign file using a given signature\n", "attach-signature"); - printf("%-22s = extract signature from a previously-signed file\n", "extract-signature"); - printf("%-22s = remove sections of the embedded signature on a file\n", "remove-signature"); - printf("%-22s = digitally sign a file\n", "sign"); - printf("%-22s = verifies the digital signature of a file\n\n", "verify"); - printf("For help on a specific command, enter %s --help\n", argv0); - } - if (on_list(cmd, cmds_add)) { - printf("\nUse the \"add\" command to add an unauthenticated blob or a timestamp to a previously-signed file.\n\n"); - printf("Options:\n"); - } - if (on_list(cmd, cmds_attach)) { - printf("\nUse the \"attach-signature\" command to attach the signature stored in the \"sigin\" file.\n"); - printf("In order to verify this signature you should specify how to find needed CA or TSA\n"); - printf("certificates, if appropriate.\n\n"); - printf("Options:\n"); - } - if (on_list(cmd, cmds_extract)) { - printf("\nUse the \"extract-signature\" command to extract the embedded signature from a previously-signed file.\n"); - printf("DER is the default format of the output file, but can be changed to PEM.\n\n"); - printf("Options:\n"); - } - if (on_list(cmd, cmds_remove)) { - printf("\nUse the \"remove-signature\" command to remove sections of the embedded signature on a file.\n\n"); - printf("Options:\n"); - } - if (on_list(cmd, cmds_sign)) { - printf("\nUse the \"sign\" command to sign files using embedded signatures.\n"); - printf("Signing protects a file from tampering, and allows users to verify the signer\n"); - printf("based on a signing certificate. The options below allow you to specify signing\n"); - printf("parameters and to select the signing certificate you wish to use.\n\n"); - printf("Options:\n"); - } - if (on_list(cmd, cmds_verify)) { - printf("\nUse the \"verify\" command to verify embedded signatures.\n"); - printf("Verification determines if the signing certificate was issued by a trusted party,\n"); - printf("whether that certificate has been revoked, and whether the certificate is valid\n"); - printf("under a specific policy. Options allow you to specify requirements that must be met\n"); - printf("and to specify how to find needed CA or TSA certificates, if appropriate.\n\n"); - printf("Options:\n"); - } - if (on_list(cmd, cmds_ac)) - printf("%-24s= additional certificates to be added to the signature block\n", "-ac"); - if (on_list(cmd, cmds_add_msi_dse)) - printf("%-24s= sign a MSI file with the add-msi-dse option\n", "-add-msi-dse"); - if (on_list(cmd, cmds_addUnauthenticatedBlob)) - printf("%-24s= add an unauthenticated blob to the PE/MSI file\n", "-addUnauthenticatedBlob"); + if (on_list(cmd, cmds_all)) { + printf("osslsigncode is a small tool that implements part of the functionality of the Microsoft\n"); + printf("tool signtool.exe - more exactly the Authenticode signing and timestamping.\n"); + printf("It can sign and timestamp PE (EXE/SYS/DLL/etc), CAB and MSI files,\n"); + printf("supports getting the timestamp through a proxy as well.\n"); + printf("osslsigncode also supports signature verification, removal and extraction.\n\n"); + printf("%-22s = print osslsigncode version and usage\n", "--version | -v"); + printf("%-22s = print osslsigncode help menu\n\n", "--help"); + printf("Commands:\n"); + printf("%-22s = add an unauthenticated blob or a timestamp to a previously-signed file\n", "add"); + printf("%-22s = sign file using a given signature\n", "attach-signature"); + printf("%-22s = extract signature from a previously-signed file\n", "extract-signature"); + printf("%-22s = remove sections of the embedded signature on a file\n", "remove-signature"); + printf("%-22s = digitally sign a file\n", "sign"); + printf("%-22s = verifies the digital signature of a file\n\n", "verify"); + printf("For help on a specific command, enter %s --help\n", argv0); + } + if (on_list(cmd, cmds_add)) { + printf("\nUse the \"add\" command to add an unauthenticated blob or a timestamp to a previously-signed file.\n\n"); + printf("Options:\n"); + } + if (on_list(cmd, cmds_attach)) { + printf("\nUse the \"attach-signature\" command to attach the signature stored in the \"sigin\" file.\n"); + printf("In order to verify this signature you should specify how to find needed CA or TSA\n"); + printf("certificates, if appropriate.\n\n"); + printf("Options:\n"); + } + if (on_list(cmd, cmds_extract)) { + printf("\nUse the \"extract-signature\" command to extract the embedded signature from a previously-signed file.\n"); + printf("DER is the default format of the output file, but can be changed to PEM.\n\n"); + printf("Options:\n"); + } + if (on_list(cmd, cmds_remove)) { + printf("\nUse the \"remove-signature\" command to remove sections of the embedded signature on a file.\n\n"); + printf("Options:\n"); + } + if (on_list(cmd, cmds_sign)) { + printf("\nUse the \"sign\" command to sign files using embedded signatures.\n"); + printf("Signing protects a file from tampering, and allows users to verify the signer\n"); + printf("based on a signing certificate. The options below allow you to specify signing\n"); + printf("parameters and to select the signing certificate you wish to use.\n\n"); + printf("Options:\n"); + } + if (on_list(cmd, cmds_verify)) { + printf("\nUse the \"verify\" command to verify embedded signatures.\n"); + printf("Verification determines if the signing certificate was issued by a trusted party,\n"); + printf("whether that certificate has been revoked, and whether the certificate is valid\n"); + printf("under a specific policy. Options allow you to specify requirements that must be met\n"); + printf("and to specify how to find needed CA or TSA certificates, if appropriate.\n\n"); + printf("Options:\n"); + } + if (on_list(cmd, cmds_ac)) + printf("%-24s= additional certificates to be added to the signature block\n", "-ac"); + if (on_list(cmd, cmds_add_msi_dse)) + printf("%-24s= sign a MSI file with the add-msi-dse option\n", "-add-msi-dse"); + if (on_list(cmd, cmds_addUnauthenticatedBlob)) + printf("%-24s= add an unauthenticated blob to the PE/MSI file\n", "-addUnauthenticatedBlob"); #ifdef PROVIDE_ASKPASS - if (on_list(cmd, cmds_askpass)) - printf("%-24s= ask for the private key password\n", "-askpass"); + if (on_list(cmd, cmds_askpass)) + printf("%-24s= ask for the private key password\n", "-askpass"); #endif /* PROVIDE_ASKPASS */ - if (on_list(cmd, cmds_catalog)) - printf("%-24s= specifies the catalog file by name\n", "-c, -catalog"); - if (on_list(cmd, cmds_CAfile)) - printf("%-24s= the file containing one or more trusted certificates in PEM format\n", "-CAfile"); - if (on_list(cmd, cmds_certs)) - printf("%-24s= the signing certificate to use\n", "-certs, -spc"); - if (on_list(cmd, cmds_comm)) - printf("%-24s= set commercial purpose (default: individual purpose)\n", "-comm"); - if (on_list(cmd, cmds_CRLfile)) - printf("%-24s= the file containing one or more CRLs in PEM format\n", "-CRLfile"); - if (on_list(cmd, cmds_h)) { - printf("%-24s= {md5|sha1|sha2(56)|sha384|sha512}\n", "-h"); - printf("%26sset of cryptographic hash functions\n", ""); - } - if (on_list(cmd, cmds_i)) - printf("%-24s= specifies a URL for expanded description of the signed content\n", "-i"); - if (on_list(cmd, cmds_in)) - printf("%-24s= input file\n", "-in"); - if (on_list(cmd, cmds_jp)) { - printf("%-24s= low | medium | high\n", "-jp"); - printf("%26slevels of permissions in Microsoft Internet Explorer 4.x for CAB files\n", ""); - printf("%26sonly \"low\" level is now supported\n", ""); - } + if (on_list(cmd, cmds_catalog)) + printf("%-24s= specifies the catalog file by name\n", "-c, -catalog"); + if (on_list(cmd, cmds_CAfile)) + printf("%-24s= the file containing one or more trusted certificates in PEM format\n", "-CAfile"); + if (on_list(cmd, cmds_certs)) + printf("%-24s= the signing certificate to use\n", "-certs, -spc"); + if (on_list(cmd, cmds_comm)) + printf("%-24s= set commercial purpose (default: individual purpose)\n", "-comm"); + if (on_list(cmd, cmds_CRLfile)) + printf("%-24s= the file containing one or more CRLs in PEM format\n", "-CRLfile"); + if (on_list(cmd, cmds_h)) { + printf("%-24s= {md5|sha1|sha2(56)|sha384|sha512}\n", "-h"); + printf("%26sset of cryptographic hash functions\n", ""); + } + if (on_list(cmd, cmds_i)) + printf("%-24s= specifies a URL for expanded description of the signed content\n", "-i"); + if (on_list(cmd, cmds_in)) + printf("%-24s= input file\n", "-in"); + if (on_list(cmd, cmds_jp)) { + printf("%-24s= low | medium | high\n", "-jp"); + printf("%26slevels of permissions in Microsoft Internet Explorer 4.x for CAB files\n", ""); + printf("%26sonly \"low\" level is now supported\n", ""); + } #if OPENSSL_VERSION_NUMBER>=0x30000000L - if (on_list(cmd, cmds_nolegacy)) - printf("%-24s= disable legacy mode and don't automatically load the legacy provider\n", "-nolegacy"); + if (on_list(cmd, cmds_nolegacy)) + printf("%-24s= disable legacy mode and don't automatically load the legacy provider\n", "-nolegacy"); #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */ - if (on_list(cmd, cmds_key)) - printf("%-24s= the private key to use or PKCS#11 URI identifies a key in the token\n", "-key"); - if (on_list(cmd, cmds_n)) - printf("%-24s= specifies a description of the signed content\n", "-n"); - if (on_list(cmd, cmds_nest)) - printf("%-24s= add the new nested signature instead of replacing the first one\n", "-nest"); + if (on_list(cmd, cmds_key)) + printf("%-24s= the private key to use or PKCS#11 URI identifies a key in the token\n", "-key"); + if (on_list(cmd, cmds_n)) + printf("%-24s= specifies a description of the signed content\n", "-n"); + if (on_list(cmd, cmds_nest)) + printf("%-24s= add the new nested signature instead of replacing the first one\n", "-nest"); #ifdef ENABLE_CURL - if (on_list(cmd, cmds_noverifypeer)) - printf("%-24s= do not verify the Time-Stamp Authority's SSL certificate\n", "-noverifypeer"); + if (on_list(cmd, cmds_noverifypeer)) + printf("%-24s= do not verify the Time-Stamp Authority's SSL certificate\n", "-noverifypeer"); #endif /* ENABLE_CURL */ - if (on_list(cmd, cmds_out)) - printf("%-24s= output file\n", "-out"); + if (on_list(cmd, cmds_out)) + printf("%-24s= output file\n", "-out"); #ifdef ENABLE_CURL - if (on_list(cmd, cmds_p)) - printf("%-24s= proxy to connect to the desired Time-Stamp Authority server\n", "-p"); + if (on_list(cmd, cmds_p)) + printf("%-24s= proxy to connect to the desired Time-Stamp Authority server\n", "-p"); #endif /* ENABLE_CURL */ - if (on_list(cmd, cmds_pass)) - printf("%-24s= the private key password\n", "-pass"); - if (on_list(cmd, cmds_pem)) - printf("%-24s= output data format PEM to use (default: DER)\n", "-pem"); - if (on_list(cmd, cmds_ph)) - printf("%-24s= generate page hashes for executable files\n", "-ph"); - if (on_list(cmd, cmds_pkcs11cert)) - printf("%-24s= PKCS#11 URI identifies a certificate in the token\n", "-pkcs11cert"); - if (on_list(cmd, cmds_pkcs11engine)) - printf("%-24s= PKCS#11 engine\n", "-pkcs11engine"); - if (on_list(cmd, cmds_pkcs11module)) - printf("%-24s= PKCS#11 module\n", "-pkcs11module"); - if (on_list(cmd, cmds_pkcs12)) - printf("%-24s= PKCS#12 container with the certificate and the private key\n", "-pkcs12"); - if (on_list(cmd, cmds_readpass)) - printf("%-24s= the private key password source\n", "-readpass"); - if (on_list(cmd, cmds_require_leaf_hash)) { - printf("%-24s= {md5|sha1|sha2(56)|sha384|sha512}:XXXXXXXXXXXX...\n", "-require-leaf-hash"); - printf("%26sspecifies an optional hash algorithm to use when computing\n", ""); - printf("%26sthe leaf certificate (in DER form) hash and compares\n", ""); - printf("%26sthe provided hash against the computed hash\n", ""); - } - if (on_list(cmd, cmds_sigin)) - printf("%-24s= a file containing the signature to be attached\n", "-sigin"); - if (on_list(cmd, cmds_ignore_timestamp)) - printf("%-24s= disable verification of the Timestamp Server signature\n", "-ignore-timestamp"); + if (on_list(cmd, cmds_pass)) + printf("%-24s= the private key password\n", "-pass"); + if (on_list(cmd, cmds_pem)) + printf("%-24s= output data format PEM to use (default: DER)\n", "-pem"); + if (on_list(cmd, cmds_ph)) + printf("%-24s= generate page hashes for executable files\n", "-ph"); + if (on_list(cmd, cmds_pkcs11cert)) + printf("%-24s= PKCS#11 URI identifies a certificate in the token\n", "-pkcs11cert"); + if (on_list(cmd, cmds_pkcs11engine)) + printf("%-24s= PKCS#11 engine\n", "-pkcs11engine"); + if (on_list(cmd, cmds_pkcs11module)) + printf("%-24s= PKCS#11 module\n", "-pkcs11module"); + if (on_list(cmd, cmds_pkcs12)) + printf("%-24s= PKCS#12 container with the certificate and the private key\n", "-pkcs12"); + if (on_list(cmd, cmds_readpass)) + printf("%-24s= the private key password source\n", "-readpass"); + if (on_list(cmd, cmds_require_leaf_hash)) { + printf("%-24s= {md5|sha1|sha2(56)|sha384|sha512}:XXXXXXXXXXXX...\n", "-require-leaf-hash"); + printf("%26sspecifies an optional hash algorithm to use when computing\n", ""); + printf("%26sthe leaf certificate (in DER form) hash and compares\n", ""); + printf("%26sthe provided hash against the computed hash\n", ""); + } + if (on_list(cmd, cmds_sigin)) + printf("%-24s= a file containing the signature to be attached\n", "-sigin"); + if (on_list(cmd, cmds_ignore_timestamp)) + printf("%-24s= disable verification of the Timestamp Server signature\n", "-ignore-timestamp"); #ifdef ENABLE_CURL - if (on_list(cmd, cmds_t)) { - printf("%-24s= specifies that the digital signature will be timestamped\n", "-t"); - printf("%26sby the Time-Stamp Authority (TSA) indicated by the URL\n", ""); - printf("%26sthis option cannot be used with the -ts option\n", ""); - } - if (on_list(cmd, cmds_ts)) { - printf("%-24s= specifies the URL of the RFC 3161 Time-Stamp Authority server\n", "-ts"); - printf("%26sthis option cannot be used with the -t option\n", ""); - } + if (on_list(cmd, cmds_t)) { + printf("%-24s= specifies that the digital signature will be timestamped\n", "-t"); + printf("%26sby the Time-Stamp Authority (TSA) indicated by the URL\n", ""); + printf("%26sthis option cannot be used with the -ts option\n", ""); + } + if (on_list(cmd, cmds_ts)) { + printf("%-24s= specifies the URL of the RFC 3161 Time-Stamp Authority server\n", "-ts"); + printf("%26sthis option cannot be used with the -t option\n", ""); + } #endif /* ENABLE_CURL */ - if (on_list(cmd, cmds_time)) - printf("%-24s= the unix-time to set the signing and/or verifying time\n", "-time"); - if (on_list(cmd, cmds_CAfileTSA)) - printf("%-24s= the file containing one or more Time-Stamp Authority certificates in PEM format\n", "-TSA-CAfile"); - if (on_list(cmd, cmds_CRLfileTSA)) - printf("%-24s= the file containing one or more Time-Stamp Authority CRLs in PEM format\n", "-TSA-CRLfile"); - if (on_list(cmd, cmds_verbose)) - printf("%-24s= include additional output in the log\n", "-verbose"); - usage(argv0, cmd); + if (on_list(cmd, cmds_time)) + printf("%-24s= the unix-time to set the signing and/or verifying time\n", "-time"); + if (on_list(cmd, cmds_CAfileTSA)) + printf("%-24s= the file containing one or more Time-Stamp Authority certificates in PEM format\n", "-TSA-CAfile"); + if (on_list(cmd, cmds_CRLfileTSA)) + printf("%-24s= the file containing one or more Time-Stamp Authority CRLs in PEM format\n", "-TSA-CRLfile"); + if (on_list(cmd, cmds_verbose)) + printf("%-24s= include additional output in the log\n", "-verbose"); + usage(argv0, cmd); } /* @@ -2482,20 +2482,20 @@ static void help_for(const char *argv0, const char *cmd) */ static STACK_OF(X509) *X509_chain_read_certs(BIO *bin, char *certpass) { - STACK_OF(X509) *certs = sk_X509_new_null(); - X509 *x509; - (void)BIO_seek(bin, 0); - x509 = PEM_read_bio_X509(bin, NULL, NULL, certpass); - while (x509) { - sk_X509_push(certs, x509); - x509 = PEM_read_bio_X509(bin, NULL, NULL, certpass); - } - ERR_clear_error(); - if (!sk_X509_num(certs)) { - sk_X509_free(certs); - return NULL; - } - return certs; + STACK_OF(X509) *certs = sk_X509_new_null(); + X509 *x509; + (void)BIO_seek(bin, 0); + x509 = PEM_read_bio_X509(bin, NULL, NULL, certpass); + while (x509) { + sk_X509_push(certs, x509); + x509 = PEM_read_bio_X509(bin, NULL, NULL, certpass); + } + ERR_clear_error(); + if (!sk_X509_num(certs)) { + sk_X509_free(certs); + return NULL; + } + return certs; } #ifdef PROVIDE_ASKPASS @@ -2506,33 +2506,33 @@ static STACK_OF(X509) *X509_chain_read_certs(BIO *bin, char *certpass) static char *getpassword(const char *prompt) { #ifdef HAVE_TERMIOS_H - struct termios ofl, nfl; - char *p, passbuf[1024], *pass; + struct termios ofl, nfl; + char *p, passbuf[1024], *pass; - fputs(prompt, stdout); + fputs(prompt, stdout); - tcgetattr(fileno(stdin), &ofl); - nfl = ofl; - nfl.c_lflag &= ~(unsigned int)ECHO; - nfl.c_lflag |= ECHONL; + tcgetattr(fileno(stdin), &ofl); + nfl = ofl; + nfl.c_lflag &= ~(unsigned int)ECHO; + nfl.c_lflag |= ECHONL; - if (tcsetattr(fileno(stdin), TCSANOW, &nfl) != 0) { - printf("Failed to set terminal attributes\n"); - return NULL; - } - p = fgets(passbuf, sizeof passbuf, stdin); - if (tcsetattr(fileno(stdin), TCSANOW, &ofl) != 0) - printf("Failed to restore terminal attributes\n"); - if (!p) { - printf("Failed to read password\n"); - return NULL; - } - passbuf[strlen(passbuf)-1] = 0x00; - pass = OPENSSL_strdup(passbuf); - memset(passbuf, 0, sizeof passbuf); - return pass; + if (tcsetattr(fileno(stdin), TCSANOW, &nfl) != 0) { + printf("Failed to set terminal attributes\n"); + return NULL; + } + p = fgets(passbuf, sizeof passbuf, stdin); + if (tcsetattr(fileno(stdin), TCSANOW, &ofl) != 0) + printf("Failed to restore terminal attributes\n"); + if (!p) { + printf("Failed to read password\n"); + return NULL; + } + passbuf[strlen(passbuf)-1] = 0x00; + pass = OPENSSL_strdup(passbuf); + memset(passbuf, 0, sizeof passbuf); + return pass; #else - return getpass(prompt); + return getpass(prompt); #endif } #endif @@ -2543,58 +2543,58 @@ static char *getpassword(const char *prompt) */ static int read_password(GLOBAL_OPTIONS *options) { - char passbuf[4096]; - int passlen; - const u_char utf8_bom[] = {0xef, 0xbb, 0xbf}; + char passbuf[4096]; + int passlen; + const u_char utf8_bom[] = {0xef, 0xbb, 0xbf}; - if (options->readpass) { + if (options->readpass) { #ifdef WIN32 - HANDLE fhandle, fmap; - LPVOID faddress; - fhandle = CreateFile(options->readpass, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL); - if (fhandle == INVALID_HANDLE_VALUE) { - return 0; /* FAILED */ - } - fmap = CreateFileMapping(fhandle, NULL, PAGE_READONLY, 0, 0, NULL); - if (fmap == NULL) { - return 0; /* FAILED */ - } - faddress = MapViewOfFile(fmap, FILE_MAP_READ, 0, 0, 0); - CloseHandle(fmap); - if (faddress == NULL) { - return 0; /* FAILED */ - } - passlen = (int)GetFileSize(fhandle, NULL); - memcpy(passbuf, faddress, passlen); - UnmapViewOfFile(faddress); - CloseHandle(fhandle); + HANDLE fhandle, fmap; + LPVOID faddress; + fhandle = CreateFile(options->readpass, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL); + if (fhandle == INVALID_HANDLE_VALUE) { + return 0; /* FAILED */ + } + fmap = CreateFileMapping(fhandle, NULL, PAGE_READONLY, 0, 0, NULL); + if (fmap == NULL) { + return 0; /* FAILED */ + } + faddress = MapViewOfFile(fmap, FILE_MAP_READ, 0, 0, 0); + CloseHandle(fmap); + if (faddress == NULL) { + return 0; /* FAILED */ + } + passlen = (int)GetFileSize(fhandle, NULL); + memcpy(passbuf, faddress, passlen); + UnmapViewOfFile(faddress); + CloseHandle(fhandle); #else - int passfd = open(options->readpass, O_RDONLY); - if (passfd < 0) { - return 0; /* FAILED */ - } - passlen = (int)read(passfd, passbuf, sizeof passbuf - 1); - close(passfd); + int passfd = open(options->readpass, O_RDONLY); + if (passfd < 0) { + return 0; /* FAILED */ + } + passlen = (int)read(passfd, passbuf, sizeof passbuf - 1); + close(passfd); #endif /* WIN32 */ - if (passlen <= 0) { - return 0; /* FAILED */ - } - while (passlen > 0 && (passbuf[passlen-1] == 0x0a || passbuf[passlen-1] == 0x0d)) { - passlen--; - } - passbuf[passlen] = 0x00; - if (!memcmp(passbuf, utf8_bom, sizeof utf8_bom)) { - options->pass = OPENSSL_strdup(passbuf + sizeof utf8_bom); - } else { - options->pass = OPENSSL_strdup(passbuf); - } - memset(passbuf, 0, sizeof passbuf); + if (passlen <= 0) { + return 0; /* FAILED */ + } + while (passlen > 0 && (passbuf[passlen-1] == 0x0a || passbuf[passlen-1] == 0x0d)) { + passlen--; + } + passbuf[passlen] = 0x00; + if (!memcmp(passbuf, utf8_bom, sizeof utf8_bom)) { + options->pass = OPENSSL_strdup(passbuf + sizeof utf8_bom); + } else { + options->pass = OPENSSL_strdup(passbuf); + } + memset(passbuf, 0, sizeof passbuf); #ifdef PROVIDE_ASKPASS - } else if (options->askpass) { - options->pass = getpassword("Password: "); + } else if (options->askpass) { + options->pass = getpassword("Password: "); #endif /* PROVIDE_ASKPASS */ - } - return 1; /* OK */ + } + return 1; /* OK */ } /* @@ -2607,30 +2607,30 @@ static int read_password(GLOBAL_OPTIONS *options) */ static int read_pkcs12file(GLOBAL_OPTIONS *options) { - BIO *btmp; - PKCS12 *p12; - int ret = 0; + BIO *btmp; + PKCS12 *p12; + int ret = 0; - btmp = BIO_new_file(options->pkcs12file, "rb"); - if (!btmp) { - printf("Failed to read PKCS#12 file: %s\n", options->pkcs12file); - return 0; /* FAILED */ - } - p12 = d2i_PKCS12_bio(btmp, NULL); - if (!p12) { - printf("Failed to extract PKCS#12 data: %s\n", options->pkcs12file); - goto out; /* FAILED */ - } - if (!PKCS12_parse(p12, options->pass ? options->pass : "", &options->pkey, &options->cert, &options->certs)) { - printf("Failed to parse PKCS#12 file: %s (Wrong password?)\n", options->pkcs12file); - PKCS12_free(p12); - goto out; /* FAILED */ - } - PKCS12_free(p12); - ret = 1; /* OK */ + btmp = BIO_new_file(options->pkcs12file, "rb"); + if (!btmp) { + printf("Failed to read PKCS#12 file: %s\n", options->pkcs12file); + return 0; /* FAILED */ + } + p12 = d2i_PKCS12_bio(btmp, NULL); + if (!p12) { + printf("Failed to extract PKCS#12 data: %s\n", options->pkcs12file); + goto out; /* FAILED */ + } + if (!PKCS12_parse(p12, options->pass ? options->pass : "", &options->pkey, &options->cert, &options->certs)) { + printf("Failed to parse PKCS#12 file: %s (Wrong password?)\n", options->pkcs12file); + PKCS12_free(p12); + goto out; /* FAILED */ + } + PKCS12_free(p12); + ret = 1; /* OK */ out: - BIO_free(btmp); - return ret; + BIO_free(btmp); + return ret; } /* @@ -2640,22 +2640,22 @@ out: */ static STACK_OF(X509_CRL) *X509_CRL_chain_up_ref(STACK_OF(X509_CRL) *chain) { - STACK_OF(X509_CRL) *ret; - int i; - ret = sk_X509_CRL_dup(chain); - if (ret == NULL) - return NULL; - for (i = 0; i < sk_X509_CRL_num(ret); i++) { - X509_CRL *x = sk_X509_CRL_value(ret, i); - if (!X509_CRL_up_ref(x)) - goto err; - } - return ret; + STACK_OF(X509_CRL) *ret; + int i; + ret = sk_X509_CRL_dup(chain); + if (ret == NULL) + return NULL; + for (i = 0; i < sk_X509_CRL_num(ret); i++) { + X509_CRL *x = sk_X509_CRL_value(ret, i); + if (!X509_CRL_up_ref(x)) + goto err; + } + return ret; err: - while (i-- > 0) - X509_CRL_free(sk_X509_CRL_value(ret, i)); - sk_X509_CRL_free(ret); - return NULL; + while (i-- > 0) + X509_CRL_free(sk_X509_CRL_value(ret, i)); + sk_X509_CRL_free(ret); + return NULL; } /* @@ -2667,52 +2667,52 @@ err: */ static int read_certfile(GLOBAL_OPTIONS *options) { - BIO *btmp; - int ret = 0; + BIO *btmp; + int ret = 0; - btmp = BIO_new_file(options->certfile, "rb"); - if (!btmp) { - printf("Failed to read certificate file: %s\n", options->certfile); - return 0; /* FAILED */ - } - /* .pem certificate file */ - options->certs = X509_chain_read_certs(btmp, NULL); + btmp = BIO_new_file(options->certfile, "rb"); + if (!btmp) { + printf("Failed to read certificate file: %s\n", options->certfile); + return 0; /* FAILED */ + } + /* .pem certificate file */ + options->certs = X509_chain_read_certs(btmp, NULL); - /* .der certificate file */ - if (!options->certs) { - X509 *x = NULL; - (void)BIO_seek(btmp, 0); - if (d2i_X509_bio(btmp, &x)) { - options->certs = sk_X509_new_null(); - if (!sk_X509_push(options->certs, x)) { - X509_free(x); - goto out; /* FAILED */ - } - printf("Warning: The certificate file contains a single x509 certificate\n"); - } - } + /* .der certificate file */ + if (!options->certs) { + X509 *x = NULL; + (void)BIO_seek(btmp, 0); + if (d2i_X509_bio(btmp, &x)) { + options->certs = sk_X509_new_null(); + if (!sk_X509_push(options->certs, x)) { + X509_free(x); + goto out; /* FAILED */ + } + printf("Warning: The certificate file contains a single x509 certificate\n"); + } + } - /* .spc or .p7b certificate file (PKCS#7 structure) */ - if (!options->certs) { - PKCS7 *p7; - (void)BIO_seek(btmp, 0); - p7 = d2i_PKCS7_bio(btmp, NULL); - if (!p7) - goto out; /* FAILED */ - options->certs = X509_chain_up_ref(p7->d.sign->cert); + /* .spc or .p7b certificate file (PKCS#7 structure) */ + if (!options->certs) { + PKCS7 *p7; + (void)BIO_seek(btmp, 0); + p7 = d2i_PKCS7_bio(btmp, NULL); + if (!p7) + goto out; /* FAILED */ + options->certs = X509_chain_up_ref(p7->d.sign->cert); - /* additional CRLs may be supplied as part of a PKCS#7 signed data structure */ - if (p7->d.sign->crl) - options->crls = X509_CRL_chain_up_ref(p7->d.sign->crl); - PKCS7_free(p7); - } + /* additional CRLs may be supplied as part of a PKCS#7 signed data structure */ + if (p7->d.sign->crl) + options->crls = X509_CRL_chain_up_ref(p7->d.sign->crl); + PKCS7_free(p7); + } - ret = 1; /* OK */ + ret = 1; /* OK */ out: - if (ret == 0) - printf("No certificate found\n"); - BIO_free(btmp); - return ret; + if (ret == 0) + printf("No certificate found\n"); + BIO_free(btmp); + return ret; } /* @@ -2722,24 +2722,24 @@ out: */ static int read_xcertfile(GLOBAL_OPTIONS *options) { - BIO *btmp; - int ret = 0; + BIO *btmp; + int ret = 0; - btmp = BIO_new_file(options->xcertfile, "rb"); - if (!btmp) { - printf("Failed to read cross certificates file: %s\n", options->xcertfile); - return 0; /* FAILED */ - } - options->xcerts = X509_chain_read_certs(btmp, NULL); - if (!options->xcerts) { - printf("Failed to read cross certificates file: %s\n", options->xcertfile); - goto out; /* FAILED */ - } + btmp = BIO_new_file(options->xcertfile, "rb"); + if (!btmp) { + printf("Failed to read cross certificates file: %s\n", options->xcertfile); + return 0; /* FAILED */ + } + options->xcerts = X509_chain_read_certs(btmp, NULL); + if (!options->xcerts) { + printf("Failed to read cross certificates file: %s\n", options->xcertfile); + goto out; /* FAILED */ + } - ret = 1; /* OK */ + ret = 1; /* OK */ out: - BIO_free(btmp); - return ret; + BIO_free(btmp); + return ret; } /* @@ -2749,26 +2749,26 @@ out: */ static int read_keyfile(GLOBAL_OPTIONS *options) { - BIO *btmp; - int ret = 0; + BIO *btmp; + int ret = 0; - btmp = BIO_new_file(options->keyfile, "rb"); - if (!btmp) { - printf("Failed to read private key file: %s\n", options->keyfile); - return 0; /* FAILED */ - } - if (((options->pkey = d2i_PrivateKey_bio(btmp, NULL)) == NULL && - (BIO_seek(btmp, 0) == 0) && - (options->pkey = PEM_read_bio_PrivateKey(btmp, NULL, NULL, options->pass ? options->pass : NULL)) == NULL && - (BIO_seek(btmp, 0) == 0) && - (options->pkey = PEM_read_bio_PrivateKey(btmp, NULL, NULL, NULL)) == NULL)) { - printf("Failed to decode private key file: %s (Wrong password?)\n", options->keyfile); - goto out; /* FAILED */ - } - ret = 1; /* OK */ + btmp = BIO_new_file(options->keyfile, "rb"); + if (!btmp) { + printf("Failed to read private key file: %s\n", options->keyfile); + return 0; /* FAILED */ + } + if (((options->pkey = d2i_PrivateKey_bio(btmp, NULL)) == NULL && + (BIO_seek(btmp, 0) == 0) && + (options->pkey = PEM_read_bio_PrivateKey(btmp, NULL, NULL, options->pass ? options->pass : NULL)) == NULL && + (BIO_seek(btmp, 0) == 0) && + (options->pkey = PEM_read_bio_PrivateKey(btmp, NULL, NULL, NULL)) == NULL)) { + printf("Failed to decode private key file: %s (Wrong password?)\n", options->keyfile); + goto out; /* FAILED */ + } + ret = 1; /* OK */ out: - BIO_free(btmp); - return ret; + BIO_free(btmp); + return ret; } /* @@ -2781,29 +2781,29 @@ out: */ static char *find_pvk_key(GLOBAL_OPTIONS *options) { - u_char magic[4]; - /* Microsoft Private Key format Header Hexdump */ - const u_char pvkhdr[4] = {0x1e, 0xf1, 0xb5, 0xb0}; - char *pvkfile = NULL; - BIO *btmp; + u_char magic[4]; + /* Microsoft Private Key format Header Hexdump */ + const u_char pvkhdr[4] = {0x1e, 0xf1, 0xb5, 0xb0}; + char *pvkfile = NULL; + BIO *btmp; - if (!options->keyfile + if (!options->keyfile #ifndef OPENSSL_NO_ENGINE - || options->p11module + || options->p11module #endif /* OPENSSL_NO_ENGINE */ - ) - return NULL; /* FAILED */ - btmp = BIO_new_file(options->keyfile, "rb"); - if (!btmp) - return NULL; /* FAILED */ - magic[0] = 0x00; - BIO_read(btmp, magic, 4); - if (!memcmp(magic, pvkhdr, 4)) { - pvkfile = options->keyfile; - options->keyfile = NULL; - } - BIO_free(btmp); - return pvkfile; + ) + return NULL; /* FAILED */ + btmp = BIO_new_file(options->keyfile, "rb"); + if (!btmp) + return NULL; /* FAILED */ + magic[0] = 0x00; + BIO_read(btmp, magic, 4); + if (!memcmp(magic, pvkhdr, 4)) { + pvkfile = options->keyfile; + options->keyfile = NULL; + } + BIO_free(btmp); + return pvkfile; } /* @@ -2812,24 +2812,24 @@ static char *find_pvk_key(GLOBAL_OPTIONS *options) */ static int read_pvk_key(GLOBAL_OPTIONS *options) { - BIO *btmp; + BIO *btmp; - btmp = BIO_new_file(options->pvkfile, "rb"); - if (!btmp) { - printf("Failed to read private key file: %s\n", options->pvkfile); - return 0; /* FAILED */ - } - options->pkey = b2i_PVK_bio(btmp, NULL, options->pass ? options->pass : NULL); - if (!options->pkey && options->askpass) { - (void)BIO_seek(btmp, 0); - options->pkey = b2i_PVK_bio(btmp, NULL, NULL); - } - BIO_free(btmp); - if (!options->pkey) { - printf("Failed to decode private key file: %s\n", options->pvkfile); - return 0; /* FAILED */ - } - return 1; /* OK */ + btmp = BIO_new_file(options->pvkfile, "rb"); + if (!btmp) { + printf("Failed to read private key file: %s\n", options->pvkfile); + return 0; /* FAILED */ + } + options->pkey = b2i_PVK_bio(btmp, NULL, options->pass ? options->pass : NULL); + if (!options->pkey && options->askpass) { + (void)BIO_seek(btmp, 0); + options->pkey = b2i_PVK_bio(btmp, NULL, NULL); + } + BIO_free(btmp); + if (!options->pkey) { + printf("Failed to decode private key file: %s\n", options->pvkfile); + return 0; /* FAILED */ + } + return 1; /* OK */ } #ifndef OPENSSL_NO_ENGINE @@ -2841,41 +2841,41 @@ static int read_pvk_key(GLOBAL_OPTIONS *options) */ static ENGINE *engine_dynamic(GLOBAL_OPTIONS *options) { - ENGINE *engine; - char *id; + ENGINE *engine; + char *id; - engine = ENGINE_by_id("dynamic"); - if (!engine) { - printf("Failed to load 'dynamic' engine\n"); - return NULL; /* FAILED */ - } - if (options->p11engine) { /* strip directory and extension */ - char *ptr; + engine = ENGINE_by_id("dynamic"); + if (!engine) { + printf("Failed to load 'dynamic' engine\n"); + return NULL; /* FAILED */ + } + if (options->p11engine) { /* strip directory and extension */ + char *ptr; - ptr = strrchr(options->p11engine, '/'); - if (!ptr) /* no slash -> try backslash */ - ptr = strrchr(options->p11engine, '\\'); - if (ptr) /* directory separator found */ - ptr++; /* skip it */ - else /* directory separator not found */ - ptr = options->p11engine; - id = OPENSSL_strdup(ptr); - ptr = strchr(id, '.'); - if (ptr) /* file extensions found */ - *ptr = '\0'; /* remove them */ - } else { - id = OPENSSL_strdup("pkcs11"); - } - if (!ENGINE_ctrl_cmd_string(engine, "SO_PATH", options->p11engine, 0) - || !ENGINE_ctrl_cmd_string(engine, "ID", id, 0) - || !ENGINE_ctrl_cmd_string(engine, "LIST_ADD", "1", 0) - || !ENGINE_ctrl_cmd_string(engine, "LOAD", NULL, 0)) { - printf("Failed to set 'dynamic' engine\n"); - ENGINE_free(engine); - engine = NULL; /* FAILED */ - } - OPENSSL_free(id); - return engine; + ptr = strrchr(options->p11engine, '/'); + if (!ptr) /* no slash -> try backslash */ + ptr = strrchr(options->p11engine, '\\'); + if (ptr) /* directory separator found */ + ptr++; /* skip it */ + else /* directory separator not found */ + ptr = options->p11engine; + id = OPENSSL_strdup(ptr); + ptr = strchr(id, '.'); + if (ptr) /* file extensions found */ + *ptr = '\0'; /* remove them */ + } else { + id = OPENSSL_strdup("pkcs11"); + } + if (!ENGINE_ctrl_cmd_string(engine, "SO_PATH", options->p11engine, 0) + || !ENGINE_ctrl_cmd_string(engine, "ID", id, 0) + || !ENGINE_ctrl_cmd_string(engine, "LIST_ADD", "1", 0) + || !ENGINE_ctrl_cmd_string(engine, "LOAD", NULL, 0)) { + printf("Failed to set 'dynamic' engine\n"); + ENGINE_free(engine); + engine = NULL; /* FAILED */ + } + OPENSSL_free(id); + return engine; } /* @@ -2885,12 +2885,12 @@ static ENGINE *engine_dynamic(GLOBAL_OPTIONS *options) */ static ENGINE *engine_pkcs11() { - ENGINE *engine = ENGINE_by_id("pkcs11"); - if (!engine) { - printf("Failed to find and load 'pkcs11' engine\n"); - return NULL; /* FAILED */ - } - return engine; /* OK */ + ENGINE *engine = ENGINE_by_id("pkcs11"); + if (!engine) { + printf("Failed to find and load 'pkcs11' engine\n"); + return NULL; /* FAILED */ + } + return engine; /* OK */ } /* @@ -2901,52 +2901,52 @@ static ENGINE *engine_pkcs11() */ static int read_token(GLOBAL_OPTIONS *options, ENGINE *engine) { - if (options->p11module && !ENGINE_ctrl_cmd_string(engine, "MODULE_PATH", options->p11module, 0)) { - printf("Failed to set pkcs11 engine MODULE_PATH to '%s'\n", options->p11module); - ENGINE_free(engine); - return 0; /* FAILED */ - } - if (options->pass != NULL && !ENGINE_ctrl_cmd_string(engine, "PIN", options->pass, 0)) { - printf("Failed to set pkcs11 PIN\n"); - ENGINE_free(engine); - return 0; /* FAILED */ - } - if (!ENGINE_init(engine)) { - printf("Failed to initialize pkcs11 engine\n"); - ENGINE_free(engine); - return 0; /* FAILED */ - } - /* - * ENGINE_init() returned a functional reference, so free the structural - * reference from ENGINE_by_id(). - */ - ENGINE_free(engine); + if (options->p11module && !ENGINE_ctrl_cmd_string(engine, "MODULE_PATH", options->p11module, 0)) { + printf("Failed to set pkcs11 engine MODULE_PATH to '%s'\n", options->p11module); + ENGINE_free(engine); + return 0; /* FAILED */ + } + if (options->pass != NULL && !ENGINE_ctrl_cmd_string(engine, "PIN", options->pass, 0)) { + printf("Failed to set pkcs11 PIN\n"); + ENGINE_free(engine); + return 0; /* FAILED */ + } + if (!ENGINE_init(engine)) { + printf("Failed to initialize pkcs11 engine\n"); + ENGINE_free(engine); + return 0; /* FAILED */ + } + /* + * ENGINE_init() returned a functional reference, so free the structural + * reference from ENGINE_by_id(). + */ + ENGINE_free(engine); - if (options->p11cert) { - struct { - const char *id; - X509 *cert; - } parms; + if (options->p11cert) { + struct { + const char *id; + X509 *cert; + } parms; - parms.id = options->p11cert; - parms.cert = NULL; - ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", 0, &parms, NULL, 1); - if (!parms.cert) { - printf("Failed to load certificate %s\n", options->p11cert); - ENGINE_finish(engine); - return 0; /* FAILED */ - } else - options->cert = parms.cert; - } + parms.id = options->p11cert; + parms.cert = NULL; + ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", 0, &parms, NULL, 1); + if (!parms.cert) { + printf("Failed to load certificate %s\n", options->p11cert); + ENGINE_finish(engine); + return 0; /* FAILED */ + } else + options->cert = parms.cert; + } - options->pkey = ENGINE_load_private_key(engine, options->keyfile, NULL, NULL); - /* Free the functional reference from ENGINE_init */ - ENGINE_finish(engine); - if (!options->pkey) { - printf("Failed to load private key %s\n", options->keyfile); - return 0; /* FAILED */ - } - return 1; /* OK */ + options->pkey = ENGINE_load_private_key(engine, options->keyfile, NULL, NULL); + /* Free the functional reference from ENGINE_init */ + ENGINE_finish(engine); + if (!options->pkey) { + printf("Failed to load private key %s\n", options->keyfile); + return 0; /* FAILED */ + } + return 1; /* OK */ } #endif /* OPENSSL_NO_ENGINE */ @@ -2956,57 +2956,57 @@ static int read_token(GLOBAL_OPTIONS *options, ENGINE *engine) */ static int read_crypto_params(GLOBAL_OPTIONS *options) { - int ret = 0; + int ret = 0; - /* Microsoft Private Key format support */ - options->pvkfile = find_pvk_key(options); - if (options->pvkfile) { - if (!read_certfile(options) || !read_pvk_key(options)) - goto out; /* FAILED */ + /* Microsoft Private Key format support */ + options->pvkfile = find_pvk_key(options); + if (options->pvkfile) { + if (!read_certfile(options) || !read_pvk_key(options)) + goto out; /* FAILED */ - /* PKCS#12 container with certificates and the private key ("-pkcs12" option) */ - } else if (options->pkcs12file) { - if (!read_pkcs12file(options)) - goto out; /* FAILED */ + /* PKCS#12 container with certificates and the private key ("-pkcs12" option) */ + } else if (options->pkcs12file) { + if (!read_pkcs12file(options)) + goto out; /* FAILED */ #ifndef OPENSSL_NO_ENGINE - /* PKCS11 engine and module support */ - } else if ((options->p11engine) || (options->p11module)) { - ENGINE *engine; + /* PKCS11 engine and module support */ + } else if ((options->p11engine) || (options->p11module)) { + ENGINE *engine; - if (options->p11engine) - engine = engine_dynamic(options); - else - engine = engine_pkcs11(); - if (!engine) - goto out; /* FAILED */ - printf("Engine \"%s\" set.\n", ENGINE_get_id(engine)); + if (options->p11engine) + engine = engine_dynamic(options); + else + engine = engine_pkcs11(); + if (!engine) + goto out; /* FAILED */ + printf("Engine \"%s\" set.\n", ENGINE_get_id(engine)); - /* Load the private key and the signer certificate from the security token */ - if (!read_token(options, engine)) - goto out; /* FAILED */ + /* Load the private key and the signer certificate from the security token */ + if (!read_token(options, engine)) + goto out; /* FAILED */ - /* Load the signer certificate and the whole certificate chain from a file */ - if (options->certfile && !read_certfile(options)) - goto out; /* FAILED */ + /* Load the signer certificate and the whole certificate chain from a file */ + if (options->certfile && !read_certfile(options)) + goto out; /* FAILED */ - /* PEM / DER / SPC file format support */ - } else if (!read_certfile(options) || !read_keyfile(options)) - goto out; /* FAILED */ + /* PEM / DER / SPC file format support */ + } else if (!read_certfile(options) || !read_keyfile(options)) + goto out; /* FAILED */ #endif /* OPENSSL_NO_ENGINE */ - /* Load additional (cross) certificates ("-ac" option) */ - if (options->xcertfile && !read_xcertfile(options)) - goto out; /* FAILED */ + /* Load additional (cross) certificates ("-ac" option) */ + if (options->xcertfile && !read_xcertfile(options)) + goto out; /* FAILED */ - ret = 1; /* OK */ + ret = 1; /* OK */ out: - /* reset password */ - if (options->pass) { - memset(options->pass, 0, strlen(options->pass)); - OPENSSL_free(options->pass); - } - return ret; + /* reset password */ + if (options->pass) { + memset(options->pass, 0, strlen(options->pass)); + OPENSSL_free(options->pass); + } + return ret; } /* @@ -3017,41 +3017,41 @@ static char *get_cafile(void) { #ifndef WIN32 const char *files[] = { - "/etc/ssl/certs/ca-certificates.crt", - "/etc/pki/tls/certs/ca-bundle.crt", - "/usr/share/ssl/certs/ca-bundle.crt", - "/usr/local/share/certs/ca-root-nss.crt", - "/etc/ssl/cert.pem", - NULL - }; + "/etc/ssl/certs/ca-certificates.crt", + "/etc/pki/tls/certs/ca-bundle.crt", + "/usr/share/ssl/certs/ca-bundle.crt", + "/usr/local/share/certs/ca-root-nss.crt", + "/etc/ssl/cert.pem", + NULL + }; int i; - for (i=0; files[i]; i++) { - if (!access(files[i], R_OK)) { - return OPENSSL_strdup(files[i]); - } - } + for (i=0; files[i]; i++) { + if (!access(files[i], R_OK)) { + return OPENSSL_strdup(files[i]); + } + } #endif - return NULL; + return NULL; } static void print_version(void) { #ifdef PACKAGE_STRING - printf("%s, using:\n", PACKAGE_STRING); + printf("%s, using:\n", PACKAGE_STRING); #else /* PACKAGE_STRING */ - printf("%s, using:\n", "osslsigncode custom build"); + printf("%s, using:\n", "osslsigncode custom build"); #endif /* PACKAGE_STRING */ - printf("\t%s (Library: %s)\n", OPENSSL_VERSION_TEXT, OpenSSL_version(OPENSSL_VERSION)); + printf("\t%s (Library: %s)\n", OPENSSL_VERSION_TEXT, OpenSSL_version(OPENSSL_VERSION)); #ifdef ENABLE_CURL - printf("\t%s\n", curl_version()); + printf("\t%s\n", curl_version()); #else /* ENABLE_CURL */ - printf("\t%s\n", "no libcurl available"); + printf("\t%s\n", "no libcurl available"); #endif /* ENABLE_CURL */ #ifdef PACKAGE_BUGREPORT - printf("\nPlease send bug-reports to " PACKAGE_BUGREPORT "\n"); + printf("\nPlease send bug-reports to " PACKAGE_BUGREPORT "\n"); #endif /* PACKAGE_BUGREPORT */ - printf("\n"); + printf("\n"); } /* @@ -3060,26 +3060,26 @@ static void print_version(void) */ static cmd_type_t get_command(char **argv) { - if (!strcmp(argv[1], "--help")) { - print_version(); - help_for(argv[0], "all"); - return CMD_HELP; - } else if (!strcmp(argv[1], "-v") || !strcmp(argv[1], "--version")) { - print_version(); - return CMD_HELP; - } else if (!strcmp(argv[1], "sign")) - return CMD_SIGN; - else if (!strcmp(argv[1], "extract-signature")) - return CMD_EXTRACT; - else if (!strcmp(argv[1], "attach-signature")) - return CMD_ATTACH; - else if (!strcmp(argv[1], "remove-signature")) - return CMD_REMOVE; - else if (!strcmp(argv[1], "verify")) - return CMD_VERIFY; - else if (!strcmp(argv[1], "add")) - return CMD_ADD; - return CMD_DEFAULT; + if (!strcmp(argv[1], "--help")) { + print_version(); + help_for(argv[0], "all"); + return CMD_HELP; + } else if (!strcmp(argv[1], "-v") || !strcmp(argv[1], "--version")) { + print_version(); + return CMD_HELP; + } else if (!strcmp(argv[1], "sign")) + return CMD_SIGN; + else if (!strcmp(argv[1], "extract-signature")) + return CMD_EXTRACT; + else if (!strcmp(argv[1], "attach-signature")) + return CMD_ATTACH; + else if (!strcmp(argv[1], "remove-signature")) + return CMD_REMOVE; + else if (!strcmp(argv[1], "verify")) + return CMD_VERIFY; + else if (!strcmp(argv[1], "add")) + return CMD_ADD; + return CMD_DEFAULT; } #if OPENSSL_VERSION_NUMBER>=0x30000000L @@ -3088,43 +3088,43 @@ static STACK_OF(OSSL_PROVIDER) *providers = NULL; static void provider_free(OSSL_PROVIDER *prov) { - OSSL_PROVIDER_unload(prov); + OSSL_PROVIDER_unload(prov); } static void providers_cleanup(void) { - sk_OSSL_PROVIDER_pop_free(providers, provider_free); - providers = NULL; + sk_OSSL_PROVIDER_pop_free(providers, provider_free); + providers = NULL; } static int provider_load(OSSL_LIB_CTX *libctx, const char *pname) { - OSSL_PROVIDER *prov= OSSL_PROVIDER_load(libctx, pname); - if (prov == NULL) { - printf("Unable to load provider: %s\n", pname); - return 0; /* FAILED */ - } - if (providers == NULL) { - providers = sk_OSSL_PROVIDER_new_null(); - } - if (providers == NULL || !sk_OSSL_PROVIDER_push(providers, prov)) { - providers_cleanup(); - return 0; /* FAILED */ - } - return 1; /* OK */ + OSSL_PROVIDER *prov= OSSL_PROVIDER_load(libctx, pname); + if (prov == NULL) { + printf("Unable to load provider: %s\n", pname); + return 0; /* FAILED */ + } + if (providers == NULL) { + providers = sk_OSSL_PROVIDER_new_null(); + } + if (providers == NULL || !sk_OSSL_PROVIDER_push(providers, prov)) { + providers_cleanup(); + return 0; /* FAILED */ + } + return 1; /* OK */ } static int use_legacy(void) { - /* load the legacy provider if not loaded already */ - if (!OSSL_PROVIDER_available(NULL, "legacy")) { - if (!provider_load(NULL, "legacy")) - return 0; /* FAILED */ - /* load the default provider explicitly */ - if (!provider_load(NULL, "default")) - return 0; /* FAILED */ - } - return 1; /* OK */ + /* load the legacy provider if not loaded already */ + if (!OSSL_PROVIDER_available(NULL, "legacy")) { + if (!provider_load(NULL, "legacy")) + return 0; /* FAILED */ + /* load the default provider explicitly */ + if (!provider_load(NULL, "default")) + return 0; /* FAILED */ + } + return 1; /* OK */ } #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */ @@ -3135,481 +3135,481 @@ static int use_legacy(void) */ static int main_configure(int argc, char **argv, GLOBAL_OPTIONS *options) { - int i; - char *failarg = NULL; - const char *argv0; - cmd_type_t cmd = CMD_SIGN; + int i; + char *failarg = NULL; + const char *argv0; + cmd_type_t cmd = CMD_SIGN; - argv0 = argv[0]; - if (argc > 1) { - cmd = get_command(argv); - if (cmd == CMD_DEFAULT) { - cmd = CMD_SIGN; - } else { - argv++; - argc--; - } - } - options->cmd = cmd; - options->md = EVP_sha256(); - options->time = INVALID_TIME; - options->jp = -1; + argv0 = argv[0]; + if (argc > 1) { + cmd = get_command(argv); + if (cmd == CMD_DEFAULT) { + cmd = CMD_SIGN; + } else { + argv++; + argc--; + } + } + options->cmd = cmd; + options->md = EVP_sha256(); + options->time = INVALID_TIME; + options->jp = -1; #if OPENSSL_VERSION_NUMBER>=0x30000000L /* Use legacy PKCS#12 container with RC2-40-CBC private key and certificate encryption algorithm */ - options->legacy = 1; + options->legacy = 1; #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */ - if (cmd == CMD_HELP) { - return 0; /* FAILED */ - } - if (cmd == CMD_VERIFY || cmd == CMD_ATTACH) { - options->cafile = get_cafile(); - options->tsa_cafile = get_cafile(); - } - for (argc--,argv++; argc >= 1; argc--,argv++) { - if (!strcmp(*argv, "-in")) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->infile = *(++argv); - } else if (!strcmp(*argv, "-out")) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->outfile = *(++argv); - } else if (!strcmp(*argv, "-sigin")) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->sigfile = *(++argv); - } else if ((cmd == CMD_SIGN) && (!strcmp(*argv, "-spc") || !strcmp(*argv, "-certs"))) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->certfile = *(++argv); - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ac")) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->xcertfile = *(++argv); - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-key")) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->keyfile = *(++argv); - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-pkcs12")) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->pkcs12file = *(++argv); - } else if ((cmd == CMD_EXTRACT) && !strcmp(*argv, "-pem")) { - options->output_pkcs7 = 1; + if (cmd == CMD_HELP) { + return 0; /* FAILED */ + } + if (cmd == CMD_VERIFY || cmd == CMD_ATTACH) { + options->cafile = get_cafile(); + options->tsa_cafile = get_cafile(); + } + for (argc--,argv++; argc >= 1; argc--,argv++) { + if (!strcmp(*argv, "-in")) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->infile = *(++argv); + } else if (!strcmp(*argv, "-out")) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->outfile = *(++argv); + } else if (!strcmp(*argv, "-sigin")) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->sigfile = *(++argv); + } else if ((cmd == CMD_SIGN) && (!strcmp(*argv, "-spc") || !strcmp(*argv, "-certs"))) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->certfile = *(++argv); + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ac")) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->xcertfile = *(++argv); + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-key")) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->keyfile = *(++argv); + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-pkcs12")) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->pkcs12file = *(++argv); + } else if ((cmd == CMD_EXTRACT) && !strcmp(*argv, "-pem")) { + options->output_pkcs7 = 1; #ifndef OPENSSL_NO_ENGINE - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-pkcs11cert")) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->p11cert = *(++argv); - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-pkcs11engine")) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->p11engine = *(++argv); - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-pkcs11module")) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->p11module = *(++argv); + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-pkcs11cert")) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->p11cert = *(++argv); + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-pkcs11engine")) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->p11engine = *(++argv); + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-pkcs11module")) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->p11module = *(++argv); #endif /* OPENSSL_NO_ENGINE */ #if OPENSSL_VERSION_NUMBER>=0x30000000L - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-nolegacy")) { - options->legacy = 0; + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-nolegacy")) { + options->legacy = 0; #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */ - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-pass")) { - if (options->askpass || options->readpass) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->pass = OPENSSL_strdup(*(++argv)); - memset(*argv, 0, strlen(*argv)); + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-pass")) { + if (options->askpass || options->readpass) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->pass = OPENSSL_strdup(*(++argv)); + memset(*argv, 0, strlen(*argv)); #ifdef PROVIDE_ASKPASS - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-askpass")) { - if (options->pass || options->readpass) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->askpass = 1; + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-askpass")) { + if (options->pass || options->readpass) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->askpass = 1; #endif - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-readpass")) { - if (options->askpass || options->pass) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->readpass = *(++argv); - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-comm")) { - options->comm = 1; - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ph")) { - options->pagehash = 1; - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->desc = *(++argv); - } else if ((cmd == CMD_SIGN|| cmd == CMD_ADD || cmd == CMD_ATTACH) - && !strcmp(*argv, "-h")) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - ++argv; - if (!strcmp(*argv, "md5")) { - options->md = EVP_md5(); - } else if (!strcmp(*argv, "sha1")) { - options->md = EVP_sha1(); - } else if (!strcmp(*argv, "sha2") || !strcmp(*argv, "sha256")) { - options->md = EVP_sha256(); - } else if (!strcmp(*argv, "sha384")) { - options->md = EVP_sha384(); - } else if (!strcmp(*argv, "sha512")) { - options->md = EVP_sha512(); - } else { - usage(argv0, "all"); - return 0; /* FAILED */ - } - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-i")) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->url = *(++argv); - } else if ((cmd == CMD_ATTACH || cmd == CMD_SIGN || cmd == CMD_VERIFY) - && (!strcmp(*argv, "-time") || !strcmp(*argv, "-st"))) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->time = (time_t)strtoull(*(++argv), NULL, 10); + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-readpass")) { + if (options->askpass || options->pass) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->readpass = *(++argv); + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-comm")) { + options->comm = 1; + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ph")) { + options->pagehash = 1; + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->desc = *(++argv); + } else if ((cmd == CMD_SIGN|| cmd == CMD_ADD || cmd == CMD_ATTACH) + && !strcmp(*argv, "-h")) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + ++argv; + if (!strcmp(*argv, "md5")) { + options->md = EVP_md5(); + } else if (!strcmp(*argv, "sha1")) { + options->md = EVP_sha1(); + } else if (!strcmp(*argv, "sha2") || !strcmp(*argv, "sha256")) { + options->md = EVP_sha256(); + } else if (!strcmp(*argv, "sha384")) { + options->md = EVP_sha384(); + } else if (!strcmp(*argv, "sha512")) { + options->md = EVP_sha512(); + } else { + usage(argv0, "all"); + return 0; /* FAILED */ + } + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-i")) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->url = *(++argv); + } else if ((cmd == CMD_ATTACH || cmd == CMD_SIGN || cmd == CMD_VERIFY) + && (!strcmp(*argv, "-time") || !strcmp(*argv, "-st"))) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->time = (time_t)strtoull(*(++argv), NULL, 10); #ifdef ENABLE_CURL - } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-t")) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->turl[options->nturl++] = *(++argv); - } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-ts")) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->tsurl[options->ntsurl++] = *(++argv); - } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-p")) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->proxy = *(++argv); - } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-noverifypeer")) { - options->noverifypeer = 1; + } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-t")) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->turl[options->nturl++] = *(++argv); + } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-ts")) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->tsurl[options->ntsurl++] = *(++argv); + } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-p")) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->proxy = *(++argv); + } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-noverifypeer")) { + options->noverifypeer = 1; #endif - } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-addUnauthenticatedBlob")) { - options->addBlob = 1; - } else if ((cmd == CMD_SIGN || cmd == CMD_ATTACH) && !strcmp(*argv, "-nest")) { - options->nest = 1; - } else if ((cmd == CMD_VERIFY) && !strcmp(*argv, "-ignore-timestamp")) { - options->ignore_timestamp = 1; - } else if ((cmd == CMD_SIGN || cmd == CMD_ADD || cmd == CMD_VERIFY) && !strcmp(*argv, "-verbose")) { - options->verbose = 1; - } else if ((cmd == CMD_SIGN || cmd == CMD_ADD || cmd == CMD_ATTACH) && !strcmp(*argv, "-add-msi-dse")) { - options->add_msi_dse = 1; - } else if ((cmd == CMD_VERIFY) && (!strcmp(*argv, "-c") || !strcmp(*argv, "-catalog"))) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->catalog = *(++argv); - } else if ((cmd == CMD_VERIFY || cmd == CMD_ATTACH) && !strcmp(*argv, "-CAfile")) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - OPENSSL_free(options->cafile); - options->cafile = OPENSSL_strdup(*++argv); - } else if ((cmd == CMD_VERIFY || cmd == CMD_ATTACH) && !strcmp(*argv, "-CRLfile")) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->crlfile = OPENSSL_strdup(*++argv); - } else if ((cmd == CMD_VERIFY || cmd == CMD_ATTACH) && (!strcmp(*argv, "-untrusted") || !strcmp(*argv, "-TSA-CAfile"))) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ + } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-addUnauthenticatedBlob")) { + options->addBlob = 1; + } else if ((cmd == CMD_SIGN || cmd == CMD_ATTACH) && !strcmp(*argv, "-nest")) { + options->nest = 1; + } else if ((cmd == CMD_VERIFY) && !strcmp(*argv, "-ignore-timestamp")) { + options->ignore_timestamp = 1; + } else if ((cmd == CMD_SIGN || cmd == CMD_ADD || cmd == CMD_VERIFY) && !strcmp(*argv, "-verbose")) { + options->verbose = 1; + } else if ((cmd == CMD_SIGN || cmd == CMD_ADD || cmd == CMD_ATTACH) && !strcmp(*argv, "-add-msi-dse")) { + options->add_msi_dse = 1; + } else if ((cmd == CMD_VERIFY) && (!strcmp(*argv, "-c") || !strcmp(*argv, "-catalog"))) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->catalog = *(++argv); + } else if ((cmd == CMD_VERIFY || cmd == CMD_ATTACH) && !strcmp(*argv, "-CAfile")) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + OPENSSL_free(options->cafile); + options->cafile = OPENSSL_strdup(*++argv); + } else if ((cmd == CMD_VERIFY || cmd == CMD_ATTACH) && !strcmp(*argv, "-CRLfile")) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->crlfile = OPENSSL_strdup(*++argv); + } else if ((cmd == CMD_VERIFY || cmd == CMD_ATTACH) && (!strcmp(*argv, "-untrusted") || !strcmp(*argv, "-TSA-CAfile"))) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ } - OPENSSL_free(options->tsa_cafile); - options->tsa_cafile = OPENSSL_strdup(*++argv); - } else if ((cmd == CMD_VERIFY || cmd == CMD_ATTACH) && (!strcmp(*argv, "-CRLuntrusted") || !strcmp(*argv, "-TSA-CRLfile"))) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->tsa_crlfile = OPENSSL_strdup(*++argv); - } else if ((cmd == CMD_VERIFY || cmd == CMD_ATTACH) && !strcmp(*argv, "-require-leaf-hash")) { - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - options->leafhash = (*++argv); - } else if ((cmd == CMD_ADD) && !strcmp(*argv, "--help")) { - help_for(argv0, "add"); - cmd = CMD_HELP; - return 0; /* FAILED */ - } else if ((cmd == CMD_ATTACH) && !strcmp(*argv, "--help")) { - help_for(argv0, "attach-signature"); - cmd = CMD_HELP; - return 0; /* FAILED */ - } else if ((cmd == CMD_EXTRACT) && !strcmp(*argv, "--help")) { - help_for(argv0, "extract-signature"); - cmd = CMD_HELP; - return 0; /* FAILED */ - } else if ((cmd == CMD_REMOVE) && !strcmp(*argv, "--help")) { - help_for(argv0, "remove-signature"); - cmd = CMD_HELP; - return 0; /* FAILED */ - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "--help")) { - help_for(argv0, "sign"); - cmd = CMD_HELP; - return 0; /* FAILED */ - } else if ((cmd == CMD_VERIFY) && !strcmp(*argv, "--help")) { - help_for(argv0, "verify"); - cmd = CMD_HELP; - return 0; /* FAILED */ - } else if (!strcmp(*argv, "-jp")) { - char *ap; - if (--argc < 1) { - usage(argv0, "all"); - return 0; /* FAILED */ - } - ap = *(++argv); - for (i=0; ap[i]; i++) ap[i] = (char)tolower((int)ap[i]); - if (!strcmp(ap, "low")) { - options->jp = 0; - } else if (!strcmp(ap, "medium")) { - options->jp = 1; - } else if (!strcmp(ap, "high")) { - options->jp = 2; - } - if (options->jp != 0) { /* XXX */ - usage(argv0, "all"); - return 0; /* FAILED */ - } - } else { - failarg = *argv; - break; - } - } - if (!options->infile && argc > 0) { - options->infile = *(argv++); - argc--; - } - if (cmd != CMD_VERIFY && (!options->outfile && argc > 0)) { - if (!strcmp(*argv, "-out")) { - argv++; - argc--; - } - if (argc > 0) { - options->outfile = *(argv++); - argc--; - } - } - if (argc > 0 || + OPENSSL_free(options->tsa_cafile); + options->tsa_cafile = OPENSSL_strdup(*++argv); + } else if ((cmd == CMD_VERIFY || cmd == CMD_ATTACH) && (!strcmp(*argv, "-CRLuntrusted") || !strcmp(*argv, "-TSA-CRLfile"))) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->tsa_crlfile = OPENSSL_strdup(*++argv); + } else if ((cmd == CMD_VERIFY || cmd == CMD_ATTACH) && !strcmp(*argv, "-require-leaf-hash")) { + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + options->leafhash = (*++argv); + } else if ((cmd == CMD_ADD) && !strcmp(*argv, "--help")) { + help_for(argv0, "add"); + cmd = CMD_HELP; + return 0; /* FAILED */ + } else if ((cmd == CMD_ATTACH) && !strcmp(*argv, "--help")) { + help_for(argv0, "attach-signature"); + cmd = CMD_HELP; + return 0; /* FAILED */ + } else if ((cmd == CMD_EXTRACT) && !strcmp(*argv, "--help")) { + help_for(argv0, "extract-signature"); + cmd = CMD_HELP; + return 0; /* FAILED */ + } else if ((cmd == CMD_REMOVE) && !strcmp(*argv, "--help")) { + help_for(argv0, "remove-signature"); + cmd = CMD_HELP; + return 0; /* FAILED */ + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "--help")) { + help_for(argv0, "sign"); + cmd = CMD_HELP; + return 0; /* FAILED */ + } else if ((cmd == CMD_VERIFY) && !strcmp(*argv, "--help")) { + help_for(argv0, "verify"); + cmd = CMD_HELP; + return 0; /* FAILED */ + } else if (!strcmp(*argv, "-jp")) { + char *ap; + if (--argc < 1) { + usage(argv0, "all"); + return 0; /* FAILED */ + } + ap = *(++argv); + for (i=0; ap[i]; i++) ap[i] = (char)tolower((int)ap[i]); + if (!strcmp(ap, "low")) { + options->jp = 0; + } else if (!strcmp(ap, "medium")) { + options->jp = 1; + } else if (!strcmp(ap, "high")) { + options->jp = 2; + } + if (options->jp != 0) { /* XXX */ + usage(argv0, "all"); + return 0; /* FAILED */ + } + } else { + failarg = *argv; + break; + } + } + if (!options->infile && argc > 0) { + options->infile = *(argv++); + argc--; + } + if (cmd != CMD_VERIFY && (!options->outfile && argc > 0)) { + if (!strcmp(*argv, "-out")) { + argv++; + argc--; + } + if (argc > 0) { + options->outfile = *(argv++); + argc--; + } + } + if (argc > 0 || #ifdef ENABLE_CURL - (options->nturl && options->ntsurl) || + (options->nturl && options->ntsurl) || #endif - !options->infile || - (cmd != CMD_VERIFY && !options->outfile) || - (cmd == CMD_SIGN && !((options->certfile && options->keyfile) || + !options->infile || + (cmd != CMD_VERIFY && !options->outfile) || + (cmd == CMD_SIGN && !((options->certfile && options->keyfile) || #ifndef OPENSSL_NO_ENGINE - options->p11engine || options->p11module || + options->p11engine || options->p11module || #endif /* OPENSSL_NO_ENGINE */ - options->pkcs12file))) { - if (failarg) - printf("Unknown option: %s\n", failarg); - usage(argv0, "all"); - return 0; /* FAILED */ - } + options->pkcs12file))) { + if (failarg) + printf("Unknown option: %s\n", failarg); + usage(argv0, "all"); + return 0; /* FAILED */ + } #ifndef WIN32 - if ((cmd == CMD_VERIFY || cmd == CMD_ATTACH) && access(options->cafile, R_OK)) { - printf("Use the \"-CAfile\" option to add one or more trusted CA certificates to verify the signature.\n"); - return 0; /* FAILED */ - } + if ((cmd == CMD_VERIFY || cmd == CMD_ATTACH) && access(options->cafile, R_OK)) { + printf("Use the \"-CAfile\" option to add one or more trusted CA certificates to verify the signature.\n"); + return 0; /* FAILED */ + } #endif /* WIN32 */ #if OPENSSL_VERSION_NUMBER>=0x30000000L - if (cmd == CMD_SIGN && options->legacy && !use_legacy()) { - printf("Warning: Legacy mode disabled\n"); - } + if (cmd == CMD_SIGN && options->legacy && !use_legacy()) { + printf("Warning: Legacy mode disabled\n"); + } #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */ - return 1; /* OK */ + return 1; /* OK */ } int main(int argc, char **argv) { - FILE_FORMAT_CTX *ctx = NULL; - GLOBAL_OPTIONS options; - PKCS7 *p7 = NULL; - BIO *outdata = NULL; - BIO *hash = NULL; - int ret = -1; + FILE_FORMAT_CTX *ctx = NULL; + GLOBAL_OPTIONS options; + PKCS7 *p7 = NULL; + BIO *outdata = NULL; + BIO *hash = NULL; + int ret = -1; - /* reset options */ - memset(&options, 0, sizeof(GLOBAL_OPTIONS)); + /* reset options */ + memset(&options, 0, sizeof(GLOBAL_OPTIONS)); - /* Set up OpenSSL */ - if (!OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS - | OPENSSL_INIT_ADD_ALL_CIPHERS - | OPENSSL_INIT_ADD_ALL_DIGESTS - | OPENSSL_INIT_LOAD_CONFIG, NULL)) - DO_EXIT_0("Failed to init crypto\n"); + /* Set up OpenSSL */ + if (!OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS + | OPENSSL_INIT_ADD_ALL_CIPHERS + | OPENSSL_INIT_ADD_ALL_DIGESTS + | OPENSSL_INIT_LOAD_CONFIG, NULL)) + DO_EXIT_0("Failed to init crypto\n"); - /* create some MS Authenticode OIDS we need later on */ - if (!OBJ_create(SPC_STATEMENT_TYPE_OBJID, NULL, NULL) - || !OBJ_create(MS_JAVA_SOMETHING, NULL, NULL) - || !OBJ_create(SPC_SP_OPUS_INFO_OBJID, NULL, NULL) - || !OBJ_create(SPC_NESTED_SIGNATURE_OBJID, NULL, NULL)) - DO_EXIT_0("Failed to create objects\n"); + /* create some MS Authenticode OIDS we need later on */ + if (!OBJ_create(SPC_STATEMENT_TYPE_OBJID, NULL, NULL) + || !OBJ_create(MS_JAVA_SOMETHING, NULL, NULL) + || !OBJ_create(SPC_SP_OPUS_INFO_OBJID, NULL, NULL) + || !OBJ_create(SPC_NESTED_SIGNATURE_OBJID, NULL, NULL)) + DO_EXIT_0("Failed to create objects\n"); - /* commands and options initialization */ - if (!main_configure(argc, argv, &options)) - goto err_cleanup; - if (!read_password(&options)) { - DO_EXIT_1("Failed to read password from file: %s\n", options.readpass); - } + /* commands and options initialization */ + if (!main_configure(argc, argv, &options)) + goto err_cleanup; + if (!read_password(&options)) { + DO_EXIT_1("Failed to read password from file: %s\n", options.readpass); + } - /* read key and certificates */ - if (options.cmd == CMD_SIGN && !read_crypto_params(&options)) - DO_EXIT_0("Failed to read key or certificates\n"); + /* read key and certificates */ + if (options.cmd == CMD_SIGN && !read_crypto_params(&options)) + DO_EXIT_0("Failed to read key or certificates\n"); - if (options.cmd != CMD_VERIFY) { - /* Create message digest BIO */ - hash = BIO_new(BIO_f_md()); - if (!BIO_set_md(hash, options.md)) { - DO_EXIT_0("Unable to set the message digest of BIO\n"); - } - /* Create outdata file */ - outdata = BIO_new_file(options.outfile, FILE_CREATE_MODE); - if (outdata == NULL) { - BIO_free_all(hash); - DO_EXIT_1("Failed to create file: %s\n", options.outfile); - } - } - ctx = file_format_msi.ctx_new(&options, hash, outdata); - if (!ctx) - ctx = file_format_pe.ctx_new(&options, hash, outdata); - if (!ctx) - ctx = file_format_cab.ctx_new(&options, hash, outdata); - if (!ctx) - ctx = file_format_cat.ctx_new(&options, hash, outdata); - if (!ctx) { - ret = 1; /* FAILED */ - BIO_free_all(hash); - BIO_free_all(outdata); - DO_EXIT_0("Initialization error or unsupported input file type.\n"); - } - if (options.cmd == CMD_VERIFY) { - ret = verify_signed_file(ctx, &options); - goto skip_signing; - } else if (options.cmd == CMD_EXTRACT && ctx->format->pkcs7_extract) { - p7 = ctx->format->pkcs7_extract(ctx); - if (!p7) { - DO_EXIT_0("Unable to extract existing signature\n"); - } - ret = save_extracted_pkcs7(ctx, outdata, p7); - PKCS7_free(p7); - goto skip_signing; - } else if (options.cmd == CMD_REMOVE && ctx->format->remove_pkcs7) { - ret = ctx->format->remove_pkcs7(ctx, hash, outdata); - goto skip_signing; - } else if (ctx->format->pkcs7_prepare) { - p7 = ctx->format->pkcs7_prepare(ctx, hash, outdata); - if (!p7) { - DO_EXIT_0("Unable to prepare new signature\n"); - } - } else { - DO_EXIT_0("Unsupported command\n"); - } - ret = add_timestamp_and_blob(p7, ctx); - if (ret) { - PKCS7_free(p7); - DO_EXIT_0("Unable to set unauthenticated attributes\n"); - } - if (ctx->format->append_pkcs7) { - ret = ctx->format->append_pkcs7(ctx, outdata, p7); - if (ret) { - PKCS7_free(p7); - DO_EXIT_0("Append signature to outfile failed\n"); - } - } - if (ctx->format->update_data_size) { - ctx->format->update_data_size(ctx, outdata, p7); - } - PKCS7_free(p7); + if (options.cmd != CMD_VERIFY) { + /* Create message digest BIO */ + hash = BIO_new(BIO_f_md()); + if (!BIO_set_md(hash, options.md)) { + DO_EXIT_0("Unable to set the message digest of BIO\n"); + } + /* Create outdata file */ + outdata = BIO_new_file(options.outfile, FILE_CREATE_MODE); + if (outdata == NULL) { + BIO_free_all(hash); + DO_EXIT_1("Failed to create file: %s\n", options.outfile); + } + } + ctx = file_format_msi.ctx_new(&options, hash, outdata); + if (!ctx) + ctx = file_format_pe.ctx_new(&options, hash, outdata); + if (!ctx) + ctx = file_format_cab.ctx_new(&options, hash, outdata); + if (!ctx) + ctx = file_format_cat.ctx_new(&options, hash, outdata); + if (!ctx) { + ret = 1; /* FAILED */ + BIO_free_all(hash); + BIO_free_all(outdata); + DO_EXIT_0("Initialization error or unsupported input file type.\n"); + } + if (options.cmd == CMD_VERIFY) { + ret = verify_signed_file(ctx, &options); + goto skip_signing; + } else if (options.cmd == CMD_EXTRACT && ctx->format->pkcs7_extract) { + p7 = ctx->format->pkcs7_extract(ctx); + if (!p7) { + DO_EXIT_0("Unable to extract existing signature\n"); + } + ret = save_extracted_pkcs7(ctx, outdata, p7); + PKCS7_free(p7); + goto skip_signing; + } else if (options.cmd == CMD_REMOVE && ctx->format->remove_pkcs7) { + ret = ctx->format->remove_pkcs7(ctx, hash, outdata); + goto skip_signing; + } else if (ctx->format->pkcs7_prepare) { + p7 = ctx->format->pkcs7_prepare(ctx, hash, outdata); + if (!p7) { + DO_EXIT_0("Unable to prepare new signature\n"); + } + } else { + DO_EXIT_0("Unsupported command\n"); + } + ret = add_timestamp_and_blob(p7, ctx); + if (ret) { + PKCS7_free(p7); + DO_EXIT_0("Unable to set unauthenticated attributes\n"); + } + if (ctx->format->append_pkcs7) { + ret = ctx->format->append_pkcs7(ctx, outdata, p7); + if (ret) { + PKCS7_free(p7); + DO_EXIT_0("Append signature to outfile failed\n"); + } + } + if (ctx->format->update_data_size) { + ctx->format->update_data_size(ctx, outdata, p7); + } + PKCS7_free(p7); skip_signing: - if (ctx->format->bio_free) { - outdata = ctx->format->bio_free(hash, outdata); - } - if (!ret && options.cmd == CMD_ATTACH) { - ret = check_attached_data(&options); - if (!ret) - printf("Signature successfully attached\n"); - /* else - * the new PKCS#7 signature has been successfully appended to the outfile - * but only its verification failed (incorrect verification parameters?) - * so the output file is not deleted - */ - } + if (ctx->format->bio_free) { + outdata = ctx->format->bio_free(hash, outdata); + } + if (!ret && options.cmd == CMD_ATTACH) { + ret = check_attached_data(&options); + if (!ret) + printf("Signature successfully attached\n"); + /* else + * the new PKCS#7 signature has been successfully appended to the outfile + * but only its verification failed (incorrect verification parameters?) + * so the output file is not deleted + */ + } err_cleanup: - if (ctx && ctx->format->ctx_cleanup) { - ctx->format->ctx_cleanup(ctx, hash, outdata); - } + if (ctx && ctx->format->ctx_cleanup) { + ctx->format->ctx_cleanup(ctx, hash, outdata); + } #if OPENSSL_VERSION_NUMBER>=0x30000000L - providers_cleanup(); + providers_cleanup(); #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */ - if (ret) - ERR_print_errors_fp(stdout); - if (options.cmd == CMD_HELP) - ret = 0; /* OK */ - else - printf(ret ? "Failed\n" : "Succeeded\n"); - free_options(&options); - return ret; + if (ret) + ERR_print_errors_fp(stdout); + if (options.cmd == CMD_HELP) + ret = 0; /* OK */ + else + printf(ret ? "Failed\n" : "Succeeded\n"); + free_options(&options); + return ret; } /* Local Variables: c-basic-offset: 4 tab-width: 4 - indent-tabs-mode: t + indent-tabs-mode: nil End: - vim: set ts=4 noexpandtab: + vim: set ts=4 expandtab: */ diff --git a/osslsigncode.h b/osslsigncode.h index ffe0083..597d1ae 100644 --- a/osslsigncode.h +++ b/osslsigncode.h @@ -211,151 +211,151 @@ #define DO_EXIT_2(x, y, z) { printf(x, y, z); goto err_cleanup; } typedef enum { - CMD_SIGN, - CMD_EXTRACT, - CMD_REMOVE, - CMD_VERIFY, - CMD_ADD, - CMD_ATTACH, - CMD_HELP, - CMD_DEFAULT + CMD_SIGN, + CMD_EXTRACT, + CMD_REMOVE, + CMD_VERIFY, + CMD_ADD, + CMD_ATTACH, + CMD_HELP, + CMD_DEFAULT } cmd_type_t; typedef unsigned char u_char; typedef struct { - char *infile; - char *outfile; - char *sigfile; - char *certfile; - char *xcertfile; - char *keyfile; - char *pvkfile; - char *pkcs12file; - int output_pkcs7; + char *infile; + char *outfile; + char *sigfile; + char *certfile; + char *xcertfile; + char *keyfile; + char *pvkfile; + char *pkcs12file; + int output_pkcs7; #ifndef OPENSSL_NO_ENGINE - char *p11engine; - char *p11module; - char *p11cert; + char *p11engine; + char *p11module; + char *p11cert; #endif /* OPENSSL_NO_ENGINE */ - int askpass; - char *readpass; - char *pass; - int comm; - int pagehash; - char *desc; - const EVP_MD *md; - char *url; - time_t time; + int askpass; + char *readpass; + char *pass; + int comm; + int pagehash; + char *desc; + const EVP_MD *md; + char *url; + time_t time; #ifdef ENABLE_CURL - char *turl[MAX_TS_SERVERS]; - int nturl; - char *tsurl[MAX_TS_SERVERS]; - int ntsurl; - char *proxy; - int noverifypeer; + char *turl[MAX_TS_SERVERS]; + int nturl; + char *tsurl[MAX_TS_SERVERS]; + int ntsurl; + char *proxy; + int noverifypeer; #endif /* ENABLE_CURL */ - int addBlob; - int nest; - int ignore_timestamp; - int verbose; - int add_msi_dse; - char *catalog; - char *cafile; - char *crlfile; - char *tsa_cafile; - char *tsa_crlfile; - char *leafhash; - int jp; + int addBlob; + int nest; + int ignore_timestamp; + int verbose; + int add_msi_dse; + char *catalog; + char *cafile; + char *crlfile; + char *tsa_cafile; + char *tsa_crlfile; + char *leafhash; + int jp; #if OPENSSL_VERSION_NUMBER>=0x30000000L - int legacy; + int legacy; #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */ - EVP_PKEY *pkey; - X509 *cert; - STACK_OF(X509) *certs; - STACK_OF(X509) *xcerts; - STACK_OF(X509_CRL) *crls; - cmd_type_t cmd; - char *indata; + EVP_PKEY *pkey; + X509 *cert; + STACK_OF(X509) *certs; + STACK_OF(X509) *xcerts; + STACK_OF(X509_CRL) *crls; + cmd_type_t cmd; + char *indata; } GLOBAL_OPTIONS; /* * ASN.1 definitions (more or less from official MS Authenticode docs) */ typedef struct { - int type; - union { - ASN1_BMPSTRING *unicode; - ASN1_IA5STRING *ascii; - } value; + int type; + union { + ASN1_BMPSTRING *unicode; + ASN1_IA5STRING *ascii; + } value; } SpcString; DECLARE_ASN1_FUNCTIONS(SpcString) typedef struct { - ASN1_OCTET_STRING *classId; - ASN1_OCTET_STRING *serializedData; + ASN1_OCTET_STRING *classId; + ASN1_OCTET_STRING *serializedData; } SpcSerializedObject; DECLARE_ASN1_FUNCTIONS(SpcSerializedObject) typedef struct { - int type; - union { - ASN1_IA5STRING *url; - SpcSerializedObject *moniker; - SpcString *file; - } value; + int type; + union { + ASN1_IA5STRING *url; + SpcSerializedObject *moniker; + SpcString *file; + } value; } SpcLink; DECLARE_ASN1_FUNCTIONS(SpcLink) typedef struct { - SpcString *programName; - SpcLink *moreInfo; + SpcString *programName; + SpcLink *moreInfo; } SpcSpOpusInfo; DECLARE_ASN1_FUNCTIONS(SpcSpOpusInfo) typedef struct { - ASN1_OBJECT *type; - ASN1_TYPE *value; + ASN1_OBJECT *type; + ASN1_TYPE *value; } SpcAttributeTypeAndOptionalValue; DECLARE_ASN1_FUNCTIONS(SpcAttributeTypeAndOptionalValue) typedef struct { - ASN1_OBJECT *algorithm; - ASN1_TYPE *parameters; + ASN1_OBJECT *algorithm; + ASN1_TYPE *parameters; } AlgorithmIdentifier; DECLARE_ASN1_FUNCTIONS(AlgorithmIdentifier) typedef struct { - AlgorithmIdentifier *digestAlgorithm; - ASN1_OCTET_STRING *digest; + AlgorithmIdentifier *digestAlgorithm; + ASN1_OCTET_STRING *digest; } DigestInfo; DECLARE_ASN1_FUNCTIONS(DigestInfo) typedef struct { - SpcAttributeTypeAndOptionalValue *data; - DigestInfo *messageDigest; + SpcAttributeTypeAndOptionalValue *data; + DigestInfo *messageDigest; } SpcIndirectDataContent; DECLARE_ASN1_FUNCTIONS(SpcIndirectDataContent) typedef struct CatalogAuthAttr_st { - ASN1_OBJECT *type; - ASN1_TYPE *contents; + ASN1_OBJECT *type; + ASN1_TYPE *contents; } CatalogAuthAttr; DEFINE_STACK_OF(CatalogAuthAttr) DECLARE_ASN1_FUNCTIONS(CatalogAuthAttr) typedef struct { - AlgorithmIdentifier *digestAlgorithm; - ASN1_OCTET_STRING *digest; + AlgorithmIdentifier *digestAlgorithm; + ASN1_OCTET_STRING *digest; } MessageImprint; DECLARE_ASN1_FUNCTIONS(MessageImprint) @@ -363,15 +363,15 @@ DECLARE_ASN1_FUNCTIONS(MessageImprint) #ifdef ENABLE_CURL typedef struct { - ASN1_OBJECT *type; - ASN1_OCTET_STRING *signature; + ASN1_OBJECT *type; + ASN1_OCTET_STRING *signature; } TimeStampRequestBlob; DECLARE_ASN1_FUNCTIONS(TimeStampRequestBlob) typedef struct { - ASN1_OBJECT *type; - TimeStampRequestBlob *blob; + ASN1_OBJECT *type; + TimeStampRequestBlob *blob; } TimeStampRequest; DECLARE_ASN1_FUNCTIONS(TimeStampRequest) @@ -379,27 +379,27 @@ DECLARE_ASN1_FUNCTIONS(TimeStampRequest) /* RFC3161 Time stamping */ typedef struct { - ASN1_INTEGER *status; - STACK_OF(ASN1_UTF8STRING) *statusString; - ASN1_BIT_STRING *failInfo; + ASN1_INTEGER *status; + STACK_OF(ASN1_UTF8STRING) *statusString; + ASN1_BIT_STRING *failInfo; } PKIStatusInfo; DECLARE_ASN1_FUNCTIONS(PKIStatusInfo) typedef struct { - PKIStatusInfo *status; - PKCS7 *token; + PKIStatusInfo *status; + PKCS7 *token; } TimeStampResp; DECLARE_ASN1_FUNCTIONS(TimeStampResp) typedef struct { - ASN1_INTEGER *version; - MessageImprint *messageImprint; - ASN1_OBJECT *reqPolicy; - ASN1_INTEGER *nonce; - ASN1_BOOLEAN certReq; - STACK_OF(X509_EXTENSION) *extensions; + ASN1_INTEGER *version; + MessageImprint *messageImprint; + ASN1_OBJECT *reqPolicy; + ASN1_INTEGER *nonce; + ASN1_BOOLEAN certReq; + STACK_OF(X509_EXTENSION) *extensions; } TimeStampReq; DECLARE_ASN1_FUNCTIONS(TimeStampReq) @@ -407,47 +407,47 @@ DECLARE_ASN1_FUNCTIONS(TimeStampReq) #endif /* ENABLE_CURL */ typedef struct { - ASN1_INTEGER *seconds; - ASN1_INTEGER *millis; - ASN1_INTEGER *micros; + ASN1_INTEGER *seconds; + ASN1_INTEGER *millis; + ASN1_INTEGER *micros; } TimeStampAccuracy; DECLARE_ASN1_FUNCTIONS(TimeStampAccuracy) typedef struct { - ASN1_INTEGER *version; - ASN1_OBJECT *policy_id; - MessageImprint *messageImprint; - ASN1_INTEGER *serial; - ASN1_GENERALIZEDTIME *time; - TimeStampAccuracy *accuracy; - ASN1_BOOLEAN ordering; - ASN1_INTEGER *nonce; - GENERAL_NAME *tsa; - STACK_OF(X509_EXTENSION) *extensions; + ASN1_INTEGER *version; + ASN1_OBJECT *policy_id; + MessageImprint *messageImprint; + ASN1_INTEGER *serial; + ASN1_GENERALIZEDTIME *time; + TimeStampAccuracy *accuracy; + ASN1_BOOLEAN ordering; + ASN1_INTEGER *nonce; + GENERAL_NAME *tsa; + STACK_OF(X509_EXTENSION) *extensions; } TimeStampToken; DECLARE_ASN1_FUNCTIONS(TimeStampToken) typedef struct { - ASN1_OCTET_STRING *digest; - STACK_OF(CatalogAuthAttr) *attributes; + ASN1_OCTET_STRING *digest; + STACK_OF(CatalogAuthAttr) *attributes; } CatalogInfo; DEFINE_STACK_OF(CatalogInfo) DECLARE_ASN1_FUNCTIONS(CatalogInfo) typedef struct { - /* 1.3.6.1.4.1.311.12.1.1 MS_CATALOG_LIST */ - SpcAttributeTypeAndOptionalValue *type; - ASN1_OCTET_STRING *identifier; - ASN1_UTCTIME *time; - /* 1.3.6.1.4.1.311.12.1.2 CatalogVersion = 1 - * 1.3.6.1.4.1.311.12.1.3 CatalogVersion = 2 */ - SpcAttributeTypeAndOptionalValue *version; - STACK_OF(CatalogInfo) *header_attributes; - /* 1.3.6.1.4.1.311.12.2.1 CAT_NAMEVALUE_OBJID */ - ASN1_TYPE *filename; + /* 1.3.6.1.4.1.311.12.1.1 MS_CATALOG_LIST */ + SpcAttributeTypeAndOptionalValue *type; + ASN1_OCTET_STRING *identifier; + ASN1_UTCTIME *time; + /* 1.3.6.1.4.1.311.12.1.2 CatalogVersion = 1 + * 1.3.6.1.4.1.311.12.1.3 CatalogVersion = 2 */ + SpcAttributeTypeAndOptionalValue *version; + STACK_OF(CatalogInfo) *header_attributes; + /* 1.3.6.1.4.1.311.12.2.1 CAT_NAMEVALUE_OBJID */ + ASN1_TYPE *filename; } MsCtlContent; DECLARE_ASN1_FUNCTIONS(MsCtlContent) @@ -459,8 +459,8 @@ typedef struct cab_ctx_st CAB_CTX; typedef struct cat_ctx_st CAT_CTX; typedef struct { - FILE_FORMAT *format; - GLOBAL_OPTIONS *options; + FILE_FORMAT *format; + GLOBAL_OPTIONS *options; union { MSI_CTX *msi_ctx; PE_CTX *pe_ctx; @@ -475,27 +475,27 @@ extern FILE_FORMAT file_format_cab; extern FILE_FORMAT file_format_cat; struct file_format_st { - FILE_FORMAT_CTX *(*ctx_new) (GLOBAL_OPTIONS *option, BIO *hash, BIO *outdata); - ASN1_OBJECT *(*data_blob_get) (u_char **p, int *plen, FILE_FORMAT_CTX *ctx); - int (*check_file) (FILE_FORMAT_CTX *ctx, int detached); - u_char *(*digest_calc) (FILE_FORMAT_CTX *ctx, const EVP_MD *md); - int (*verify_digests) (FILE_FORMAT_CTX *ctx, PKCS7 *p7); - int (*verify_indirect_data) (FILE_FORMAT_CTX *ctx, SpcAttributeTypeAndOptionalValue *obj); - PKCS7 *(*pkcs7_extract) (FILE_FORMAT_CTX *ctx); - int (*remove_pkcs7) (FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata); - PKCS7 *(*pkcs7_prepare) (FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata); - int (*append_pkcs7) (FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7); - void (*update_data_size) (FILE_FORMAT_CTX *data, BIO *outdata, PKCS7 *p7); - BIO *(*bio_free) (BIO *hash, BIO *outdata); - void (*ctx_cleanup) (FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata); + FILE_FORMAT_CTX *(*ctx_new) (GLOBAL_OPTIONS *option, BIO *hash, BIO *outdata); + ASN1_OBJECT *(*data_blob_get) (u_char **p, int *plen, FILE_FORMAT_CTX *ctx); + int (*check_file) (FILE_FORMAT_CTX *ctx, int detached); + u_char *(*digest_calc) (FILE_FORMAT_CTX *ctx, const EVP_MD *md); + int (*verify_digests) (FILE_FORMAT_CTX *ctx, PKCS7 *p7); + int (*verify_indirect_data) (FILE_FORMAT_CTX *ctx, SpcAttributeTypeAndOptionalValue *obj); + PKCS7 *(*pkcs7_extract) (FILE_FORMAT_CTX *ctx); + int (*remove_pkcs7) (FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata); + PKCS7 *(*pkcs7_prepare) (FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata); + int (*append_pkcs7) (FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7); + void (*update_data_size) (FILE_FORMAT_CTX *data, BIO *outdata, PKCS7 *p7); + BIO *(*bio_free) (BIO *hash, BIO *outdata); + void (*ctx_cleanup) (FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata); }; /* Local Variables: c-basic-offset: 4 tab-width: 4 - indent-tabs-mode: t + indent-tabs-mode: nil End: - vim: set ts=4 noexpandtab: + vim: set ts=4 expandtab: */ diff --git a/pe.c b/pe.c index a32bc8b..9abb4c0 100644 --- a/pe.c +++ b/pe.c @@ -12,33 +12,33 @@ #include "helpers.h" const u_char classid_page_hash[] = { - 0xa6, 0xb5, 0x86, 0xd5, 0xb4, 0xa1, 0x24, 0x66, - 0xae, 0x05, 0xa2, 0x17, 0xda, 0x8e, 0x60, 0xd6 + 0xa6, 0xb5, 0x86, 0xd5, 0xb4, 0xa1, 0x24, 0x66, + 0xae, 0x05, 0xa2, 0x17, 0xda, 0x8e, 0x60, 0xd6 }; typedef struct { - ASN1_BIT_STRING *flags; - SpcLink *file; + ASN1_BIT_STRING *flags; + SpcLink *file; } SpcPeImageData; DECLARE_ASN1_FUNCTIONS(SpcPeImageData) ASN1_SEQUENCE(SpcPeImageData) = { - ASN1_SIMPLE(SpcPeImageData, flags, ASN1_BIT_STRING), - ASN1_EXP_OPT(SpcPeImageData, file, SpcLink, 0) + ASN1_SIMPLE(SpcPeImageData, flags, ASN1_BIT_STRING), + ASN1_EXP_OPT(SpcPeImageData, file, SpcLink, 0) } ASN1_SEQUENCE_END(SpcPeImageData) IMPLEMENT_ASN1_FUNCTIONS(SpcPeImageData) struct pe_ctx_st { - uint32_t header_size; - uint32_t pe32plus; - uint16_t magic; - uint32_t pe_checksum; - uint32_t nrvas; - uint32_t sigpos; - uint32_t siglen; - uint32_t fileend; + uint32_t header_size; + uint32_t pe32plus; + uint16_t magic; + uint32_t pe_checksum; + uint32_t nrvas; + uint32_t sigpos; + uint32_t siglen; + uint32_t fileend; }; /* FILE_FORMAT method prototypes */ @@ -57,19 +57,19 @@ static BIO *pe_bio_free(BIO *hash, BIO *outdata); static void pe_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata); FILE_FORMAT file_format_pe = { - .ctx_new = pe_ctx_new, - .data_blob_get = pe_spc_image_data_get, - .check_file = pe_check_file, - .digest_calc = pe_digest_calc, - .verify_digests = pe_verify_digests, - .verify_indirect_data = pe_verify_indirect_data, - .pkcs7_extract = pe_pkcs7_extract, - .remove_pkcs7 = pe_remove_pkcs7, - .pkcs7_prepare = pe_pkcs7_prepare, - .append_pkcs7 = pe_append_pkcs7, - .update_data_size = pe_update_data_size, - .bio_free = pe_bio_free, - .ctx_cleanup = pe_ctx_cleanup + .ctx_new = pe_ctx_new, + .data_blob_get = pe_spc_image_data_get, + .check_file = pe_check_file, + .digest_calc = pe_digest_calc, + .verify_digests = pe_verify_digests, + .verify_indirect_data = pe_verify_indirect_data, + .pkcs7_extract = pe_pkcs7_extract, + .remove_pkcs7 = pe_remove_pkcs7, + .pkcs7_prepare = pe_pkcs7_prepare, + .append_pkcs7 = pe_append_pkcs7, + .update_data_size = pe_update_data_size, + .bio_free = pe_bio_free, + .ctx_cleanup = pe_ctx_cleanup }; /* Prototypes */ @@ -97,40 +97,40 @@ static SpcLink *pe_page_hash_link_get(FILE_FORMAT_CTX *ctx, int phtype); */ static FILE_FORMAT_CTX *pe_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *outdata) { - FILE_FORMAT_CTX *ctx; - PE_CTX *pe_ctx; - uint32_t filesize; - - filesize = get_file_size(options->infile); - if (filesize == 0) - return NULL; /* FAILED */ + FILE_FORMAT_CTX *ctx; + PE_CTX *pe_ctx; + uint32_t filesize; - options->indata = map_file(options->infile, filesize); - if (!options->indata) { - return NULL; /* FAILED */ - } - if (memcmp(options->indata, "MZ", 2)) { - unmap_file(options->infile, filesize); - return NULL; /* FAILED */ - } - pe_ctx = pe_ctx_get(options->indata, filesize); - if (!pe_ctx) { - unmap_file(options->infile, filesize); - return NULL; /* FAILED */ - } - ctx = OPENSSL_malloc(sizeof(FILE_FORMAT_CTX)); - ctx->format = &file_format_pe; - ctx->options = options; - ctx->pe_ctx = pe_ctx; + filesize = get_file_size(options->infile); + if (filesize == 0) + return NULL; /* FAILED */ - /* Push hash on outdata, if hash is NULL the function does nothing */ - BIO_push(hash, outdata); + options->indata = map_file(options->infile, filesize); + if (!options->indata) { + return NULL; /* FAILED */ + } + if (memcmp(options->indata, "MZ", 2)) { + unmap_file(options->infile, filesize); + return NULL; /* FAILED */ + } + pe_ctx = pe_ctx_get(options->indata, filesize); + if (!pe_ctx) { + unmap_file(options->infile, filesize); + return NULL; /* FAILED */ + } + ctx = OPENSSL_malloc(sizeof(FILE_FORMAT_CTX)); + ctx->format = &file_format_pe; + ctx->options = options; + ctx->pe_ctx = pe_ctx; - if (options->jp >= 0) - printf("Warning: -jp option is only valid for CAB files\n"); - if (options->add_msi_dse == 1) - printf("Warning: -add-msi-dse option is only valid for MSI files\n"); - return ctx; + /* Push hash on outdata, if hash is NULL the function does nothing */ + BIO_push(hash, outdata); + + if (options->jp >= 0) + printf("Warning: -jp option is only valid for CAB files\n"); + if (options->add_msi_dse == 1) + printf("Warning: -add-msi-dse option is only valid for MSI files\n"); + return ctx; } /* @@ -142,30 +142,30 @@ static FILE_FORMAT_CTX *pe_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *outd */ static ASN1_OBJECT *pe_spc_image_data_get(u_char **p, int *plen, FILE_FORMAT_CTX *ctx) { - int phtype; - ASN1_OBJECT *dtype; - SpcPeImageData *pid = SpcPeImageData_new(); + int phtype; + ASN1_OBJECT *dtype; + SpcPeImageData *pid = SpcPeImageData_new(); - ASN1_BIT_STRING_set_bit(pid->flags, 0, 1); - if (ctx->options->pagehash) { - SpcLink *link; - phtype = NID_sha1; - if (EVP_MD_size(ctx->options->md) > EVP_MD_size(EVP_sha1())) - phtype = NID_sha256; - link = pe_page_hash_link_get(ctx, phtype); - if (!link) - return NULL; /* FAILED */ - pid->file = link; - } else { - pid->file = spc_link_obsolete_get(); - } - *plen = i2d_SpcPeImageData(pid, NULL); - *p = OPENSSL_malloc((size_t)*plen); - i2d_SpcPeImageData(pid, p); - *p -= *plen; - dtype = OBJ_txt2obj(SPC_PE_IMAGE_DATA_OBJID, 1); - SpcPeImageData_free(pid); - return dtype; /* OK */ + ASN1_BIT_STRING_set_bit(pid->flags, 0, 1); + if (ctx->options->pagehash) { + SpcLink *link; + phtype = NID_sha1; + if (EVP_MD_size(ctx->options->md) > EVP_MD_size(EVP_sha1())) + phtype = NID_sha256; + link = pe_page_hash_link_get(ctx, phtype); + if (!link) + return NULL; /* FAILED */ + pid->file = link; + } else { + pid->file = spc_link_obsolete_get(); + } + *plen = i2d_SpcPeImageData(pid, NULL); + *p = OPENSSL_malloc((size_t)*plen); + i2d_SpcPeImageData(pid, p); + *p -= *plen; + dtype = OBJ_txt2obj(SPC_PE_IMAGE_DATA_OBJID, 1); + SpcPeImageData_free(pid); + return dtype; /* OK */ } /* @@ -177,35 +177,35 @@ static ASN1_OBJECT *pe_spc_image_data_get(u_char **p, int *plen, FILE_FORMAT_CTX */ static int pe_check_file(FILE_FORMAT_CTX *ctx, int detached) { - int peok = 1; - uint32_t real_pe_checksum; + int peok = 1; + uint32_t real_pe_checksum; - if (!ctx) { - printf("Init error\n\n"); - return 0; /* FAILED */ - } - printf("Current PE checksum : %08X\n", ctx->pe_ctx->pe_checksum); - real_pe_checksum = pe_calc_realchecksum(ctx); - if (ctx->pe_ctx->pe_checksum && ctx->pe_ctx->pe_checksum != real_pe_checksum) { - peok = 0; - } - printf("Calculated PE checksum: %08X%s\n\n", real_pe_checksum, - peok ? "" : " MISMATCH!!!"); + if (!ctx) { + printf("Init error\n\n"); + return 0; /* FAILED */ + } + printf("Current PE checksum : %08X\n", ctx->pe_ctx->pe_checksum); + real_pe_checksum = pe_calc_realchecksum(ctx); + if (ctx->pe_ctx->pe_checksum && ctx->pe_ctx->pe_checksum != real_pe_checksum) { + peok = 0; + } + printf("Calculated PE checksum: %08X%s\n\n", real_pe_checksum, + peok ? "" : " MISMATCH!!!"); - if (detached) { - printf("Checking the specified catalog file\n\n"); - return 1; /* OK */ - } - if (ctx->pe_ctx->sigpos == 0 || ctx->pe_ctx->siglen == 0 - || ctx->pe_ctx->sigpos > ctx->pe_ctx->fileend) { - printf("No signature found\n\n"); - return 0; /* FAILED */ - } - if (ctx->pe_ctx->siglen != GET_UINT32_LE(ctx->options->indata + ctx->pe_ctx->sigpos)) { - printf("Invalid signature\n\n"); - return 0; /* FAILED */ - } - return 1; /* OK */ + if (detached) { + printf("Checking the specified catalog file\n\n"); + return 1; /* OK */ + } + if (ctx->pe_ctx->sigpos == 0 || ctx->pe_ctx->siglen == 0 + || ctx->pe_ctx->sigpos > ctx->pe_ctx->fileend) { + printf("No signature found\n\n"); + return 0; /* FAILED */ + } + if (ctx->pe_ctx->siglen != GET_UINT32_LE(ctx->options->indata + ctx->pe_ctx->sigpos)) { + printf("Invalid signature\n\n"); + return 0; /* FAILED */ + } + return 1; /* OK */ } /* Compute a message digest value of a signed or unsigned PE file. @@ -215,55 +215,55 @@ static int pe_check_file(FILE_FORMAT_CTX *ctx, int detached) */ static u_char *pe_digest_calc(FILE_FORMAT_CTX *ctx, const EVP_MD *md) { - size_t written; - uint32_t idx = 0, fileend; - u_char *mdbuf = NULL; - BIO *bhash = BIO_new(BIO_f_md()); + size_t written; + uint32_t idx = 0, fileend; + u_char *mdbuf = NULL; + BIO *bhash = BIO_new(BIO_f_md()); - if (!BIO_set_md(bhash, md)) { - printf("Unable to set the message digest of BIO\n"); - BIO_free_all(bhash); - return 0; /* FAILED */ - } - BIO_push(bhash, BIO_new(BIO_s_null())); - if (ctx->pe_ctx->sigpos) - fileend = ctx->pe_ctx->sigpos; - else - fileend = ctx->pe_ctx->fileend; + if (!BIO_set_md(bhash, md)) { + printf("Unable to set the message digest of BIO\n"); + BIO_free_all(bhash); + return 0; /* FAILED */ + } + BIO_push(bhash, BIO_new(BIO_s_null())); + if (ctx->pe_ctx->sigpos) + fileend = ctx->pe_ctx->sigpos; + else + fileend = ctx->pe_ctx->fileend; - /* ctx->pe_ctx->header_size + 88 + 4 + 60 + ctx->pe_ctx->pe32plus * 16 + 8 */ - if (!BIO_write_ex(bhash, ctx->options->indata, ctx->pe_ctx->header_size + 88, &written) - || written != ctx->pe_ctx->header_size + 88) { - BIO_free_all(bhash); - return 0; /* FAILED */ - } - idx += (uint32_t)written + 4; - if (!BIO_write_ex(bhash, ctx->options->indata + idx, - 60 + ctx->pe_ctx->pe32plus * 16, &written) - || written != 60 + ctx->pe_ctx->pe32plus * 16) { - BIO_free_all(bhash); - return 0; /* FAILED */ - } - idx += (uint32_t)written + 8; - if (!bio_hash_data(bhash, ctx->options->indata, idx, fileend)) { - printf("Unable to calculate digest\n"); - BIO_free_all(bhash); - return 0; /* FAILED */ - } - if (!ctx->pe_ctx->sigpos) { - /* pad (with 0's) unsigned PE file to 8 byte boundary */ - int len = 8 - ctx->pe_ctx->fileend % 8; - if (len > 0 && len != 8) { - char *buf = OPENSSL_malloc(8); - memset(buf, 0, (size_t)len); - BIO_write(bhash, buf, len); - OPENSSL_free(buf); - } - } - mdbuf = OPENSSL_malloc((size_t)EVP_MD_size(md)); - BIO_gets(bhash, (char*)mdbuf, EVP_MD_size(md)); - BIO_free_all(bhash); - return mdbuf; /* OK */ + /* ctx->pe_ctx->header_size + 88 + 4 + 60 + ctx->pe_ctx->pe32plus * 16 + 8 */ + if (!BIO_write_ex(bhash, ctx->options->indata, ctx->pe_ctx->header_size + 88, &written) + || written != ctx->pe_ctx->header_size + 88) { + BIO_free_all(bhash); + return 0; /* FAILED */ + } + idx += (uint32_t)written + 4; + if (!BIO_write_ex(bhash, ctx->options->indata + idx, + 60 + ctx->pe_ctx->pe32plus * 16, &written) + || written != 60 + ctx->pe_ctx->pe32plus * 16) { + BIO_free_all(bhash); + return 0; /* FAILED */ + } + idx += (uint32_t)written + 8; + if (!bio_hash_data(bhash, ctx->options->indata, idx, fileend)) { + printf("Unable to calculate digest\n"); + BIO_free_all(bhash); + return 0; /* FAILED */ + } + if (!ctx->pe_ctx->sigpos) { + /* pad (with 0's) unsigned PE file to 8 byte boundary */ + int len = 8 - ctx->pe_ctx->fileend % 8; + if (len > 0 && len != 8) { + char *buf = OPENSSL_malloc(8); + memset(buf, 0, (size_t)len); + BIO_write(bhash, buf, len); + OPENSSL_free(buf); + } + } + mdbuf = OPENSSL_malloc((size_t)EVP_MD_size(md)); + BIO_gets(bhash, (char*)mdbuf, EVP_MD_size(md)); + BIO_free_all(bhash); + return mdbuf; /* OK */ } @@ -276,58 +276,58 @@ static u_char *pe_digest_calc(FILE_FORMAT_CTX *ctx, const EVP_MD *md) */ static int pe_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7) { - int mdtype = -1, phtype = -1; - const EVP_MD *md; - u_char mdbuf[EVP_MAX_MD_SIZE]; - u_char *cmdbuf = NULL; - u_char *ph = NULL; - int phlen = 0; + int mdtype = -1, phtype = -1; + const EVP_MD *md; + u_char mdbuf[EVP_MAX_MD_SIZE]; + u_char *cmdbuf = NULL; + u_char *ph = NULL; + int phlen = 0; - if (is_content_type(p7, SPC_INDIRECT_DATA_OBJID)) { - ASN1_STRING *content_val = p7->d.sign->contents->d.other->value.sequence; - const u_char *p = content_val->data; - SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, content_val->length); - if (idc) { - phlen = pe_page_hash_get(&ph, &phtype, idc->data); - if (phlen == 0) { - printf("Failed to extract a page hash\n\n"); - SpcIndirectDataContent_free(idc); - return 0; /* FAILED */ - } - if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) { - mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm); - memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length); - } - SpcIndirectDataContent_free(idc); - } - } - if (mdtype == -1) { - printf("Failed to extract current message digest\n\n"); - OPENSSL_free(ph); - return 0; /* FAILED */ - } - md = EVP_get_digestbynid(mdtype); - cmdbuf = pe_digest_calc(ctx, md); - if (!cmdbuf) { - printf("Failed to calculate message digest\n\n"); - OPENSSL_free(ph); - return 0; /* FAILED */ - } - if (!compare_digests(mdbuf, cmdbuf, mdtype)) { - printf("Signature verification: failed\n\n"); - OPENSSL_free(ph); - OPENSSL_free(cmdbuf); - return 0; /* FAILED */ - } - if (phlen > 0 && !pe_verify_page_hash(ctx, ph, phlen, phtype)) { - printf("Signature verification: failed\n\n"); - OPENSSL_free(ph); - OPENSSL_free(cmdbuf); - return 0; /* FAILED */ - } - OPENSSL_free(ph); - OPENSSL_free(cmdbuf); - return 1; /* OK */ + if (is_content_type(p7, SPC_INDIRECT_DATA_OBJID)) { + ASN1_STRING *content_val = p7->d.sign->contents->d.other->value.sequence; + const u_char *p = content_val->data; + SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, content_val->length); + if (idc) { + phlen = pe_page_hash_get(&ph, &phtype, idc->data); + if (phlen == 0) { + printf("Failed to extract a page hash\n\n"); + SpcIndirectDataContent_free(idc); + return 0; /* FAILED */ + } + if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) { + mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm); + memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length); + } + SpcIndirectDataContent_free(idc); + } + } + if (mdtype == -1) { + printf("Failed to extract current message digest\n\n"); + OPENSSL_free(ph); + return 0; /* FAILED */ + } + md = EVP_get_digestbynid(mdtype); + cmdbuf = pe_digest_calc(ctx, md); + if (!cmdbuf) { + printf("Failed to calculate message digest\n\n"); + OPENSSL_free(ph); + return 0; /* FAILED */ + } + if (!compare_digests(mdbuf, cmdbuf, mdtype)) { + printf("Signature verification: failed\n\n"); + OPENSSL_free(ph); + OPENSSL_free(cmdbuf); + return 0; /* FAILED */ + } + if (phlen > 0 && !pe_verify_page_hash(ctx, ph, phlen, phtype)) { + printf("Signature verification: failed\n\n"); + OPENSSL_free(ph); + OPENSSL_free(cmdbuf); + return 0; /* FAILED */ + } + OPENSSL_free(ph); + OPENSSL_free(cmdbuf); + return 1; /* OK */ } /* @@ -338,19 +338,19 @@ static int pe_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7) */ static int pe_verify_indirect_data(FILE_FORMAT_CTX *ctx, SpcAttributeTypeAndOptionalValue *obj) { - int phtype = -1, phlen = 0; - u_char *ph = NULL; + int phtype = -1, phlen = 0; + u_char *ph = NULL; - phlen = pe_page_hash_get(&ph, &phtype, obj); - if (phlen == 0) { - printf("Failed to extract a page hash\n\n"); - return 0; /* FAILED */ - } - if (!pe_verify_page_hash(ctx, ph, phlen, phtype)) { - printf("Page hash verification: failed\n\n"); - return 0; /* FAILED */ - } - return 1; /* OK */ + phlen = pe_page_hash_get(&ph, &phtype, obj); + if (phlen == 0) { + printf("Failed to extract a page hash\n\n"); + return 0; /* FAILED */ + } + if (!pe_verify_page_hash(ctx, ph, phlen, phtype)) { + printf("Page hash verification: failed\n\n"); + return 0; /* FAILED */ + } + return 1; /* OK */ } /* @@ -360,11 +360,11 @@ static int pe_verify_indirect_data(FILE_FORMAT_CTX *ctx, SpcAttributeTypeAndOpti */ static PKCS7 *pe_pkcs7_extract(FILE_FORMAT_CTX *ctx) { - if (ctx->pe_ctx->sigpos == 0 || ctx->pe_ctx->siglen == 0 - || ctx->pe_ctx->sigpos > ctx->pe_ctx->fileend) { - return NULL; /* FAILED */ - } - return pe_pkcs7_get_file(ctx->options->indata, ctx->pe_ctx); + if (ctx->pe_ctx->sigpos == 0 || ctx->pe_ctx->siglen == 0 + || ctx->pe_ctx->sigpos > ctx->pe_ctx->fileend) { + return NULL; /* FAILED */ + } + return pe_pkcs7_get_file(ctx->options->indata, ctx->pe_ctx); } /* @@ -376,17 +376,17 @@ static PKCS7 *pe_pkcs7_extract(FILE_FORMAT_CTX *ctx) */ static int pe_remove_pkcs7(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) { - if (ctx->pe_ctx->sigpos == 0) { - printf("PE file does not have any signature\n"); - return 1; /* FAILED */ - } - /* Strip current signature */ - ctx->pe_ctx->fileend = ctx->pe_ctx->sigpos; - if (!pe_modify_header(ctx, hash, outdata)) { - printf("Unable to modify file header\n"); - return 1; /* FAILED */ - } - return 0; /* OK */ + if (ctx->pe_ctx->sigpos == 0) { + printf("PE file does not have any signature\n"); + return 1; /* FAILED */ + } + /* Strip current signature */ + ctx->pe_ctx->fileend = ctx->pe_ctx->sigpos; + if (!pe_modify_header(ctx, hash, outdata)) { + printf("Unable to modify file header\n"); + return 1; /* FAILED */ + } + return 0; /* OK */ } /* @@ -398,60 +398,60 @@ static int pe_remove_pkcs7(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) */ static PKCS7 *pe_pkcs7_prepare(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) { - PKCS7 *cursig = NULL, *p7 = NULL; - - /* Strip current signature */ - if (ctx->pe_ctx->sigpos > 0) { - ctx->pe_ctx->fileend = ctx->pe_ctx->sigpos; - } - if (!pe_modify_header(ctx, hash, outdata)) { - printf("Unable to modify file header\n"); - return NULL; /* FAILED */ - } - /* Obtain a current signature from previously-signed file */ - if ((ctx->options->cmd == CMD_SIGN && ctx->options->nest) - || (ctx->options->cmd == CMD_ATTACH && ctx->options->nest) - || ctx->options->cmd == CMD_ADD) { - cursig = pe_pkcs7_get_file(ctx->options->indata, ctx->pe_ctx); - if (!cursig) { - printf("Unable to extract existing signature\n"); - return NULL; /* FAILED */ - } - if (ctx->options->cmd == CMD_ADD) - p7 = cursig; - } - if (ctx->options->cmd == CMD_ATTACH) { - /* Obtain an existing PKCS#7 signature */ - p7 = pkcs7_get_sigfile(ctx); - if (!p7) { - printf("Unable to extract valid signature\n"); - PKCS7_free(cursig); - return NULL; /* FAILED */ - } - } else if (ctx->options->cmd == CMD_SIGN) { - /* Create a new PKCS#7 signature */ - p7 = pkcs7_create(ctx); - if (!p7) { - printf("Creating a new signature failed\n"); - return NULL; /* FAILED */ - } - if (!add_indirect_data_object(p7, hash, ctx)) { - printf("Adding SPC_INDIRECT_DATA_OBJID failed\n"); - PKCS7_free(p7); - return NULL; /* FAILED */ - } - } - if (ctx->options->nest) { - if (!cursig_set_nested(cursig, p7, ctx)) { - printf("Unable to append the nested signature to the current signature\n"); - PKCS7_free(p7); - PKCS7_free(cursig); - return NULL; /* FAILED */ - } - PKCS7_free(p7); - return cursig; - } - return p7; + PKCS7 *cursig = NULL, *p7 = NULL; + + /* Strip current signature */ + if (ctx->pe_ctx->sigpos > 0) { + ctx->pe_ctx->fileend = ctx->pe_ctx->sigpos; + } + if (!pe_modify_header(ctx, hash, outdata)) { + printf("Unable to modify file header\n"); + return NULL; /* FAILED */ + } + /* Obtain a current signature from previously-signed file */ + if ((ctx->options->cmd == CMD_SIGN && ctx->options->nest) + || (ctx->options->cmd == CMD_ATTACH && ctx->options->nest) + || ctx->options->cmd == CMD_ADD) { + cursig = pe_pkcs7_get_file(ctx->options->indata, ctx->pe_ctx); + if (!cursig) { + printf("Unable to extract existing signature\n"); + return NULL; /* FAILED */ + } + if (ctx->options->cmd == CMD_ADD) + p7 = cursig; + } + if (ctx->options->cmd == CMD_ATTACH) { + /* Obtain an existing PKCS#7 signature */ + p7 = pkcs7_get_sigfile(ctx); + if (!p7) { + printf("Unable to extract valid signature\n"); + PKCS7_free(cursig); + return NULL; /* FAILED */ + } + } else if (ctx->options->cmd == CMD_SIGN) { + /* Create a new PKCS#7 signature */ + p7 = pkcs7_create(ctx); + if (!p7) { + printf("Creating a new signature failed\n"); + return NULL; /* FAILED */ + } + if (!add_indirect_data_object(p7, hash, ctx)) { + printf("Adding SPC_INDIRECT_DATA_OBJID failed\n"); + PKCS7_free(p7); + return NULL; /* FAILED */ + } + } + if (ctx->options->nest) { + if (!cursig_set_nested(cursig, p7, ctx)) { + printf("Unable to append the nested signature to the current signature\n"); + PKCS7_free(p7); + PKCS7_free(cursig); + return NULL; /* FAILED */ + } + PKCS7_free(p7); + return cursig; + } + return p7; } /* @@ -463,36 +463,36 @@ static PKCS7 *pe_pkcs7_prepare(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) */ static int pe_append_pkcs7(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7) { - u_char *p = NULL; - int len; /* signature length */ - int padlen; /* signature padding length */ - u_char buf[] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - }; + u_char *p = NULL; + int len; /* signature length */ + int padlen; /* signature padding length */ + u_char buf[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + }; - /* squash the unused parameter warning */ - (void)ctx; + /* squash the unused parameter warning */ + (void)ctx; - if (((len = i2d_PKCS7(p7, NULL)) <= 0) - || (p = OPENSSL_malloc((size_t)len)) == NULL) { - printf("i2d_PKCS memory allocation failed: %d\n", len); - return 1; /* FAILED */ - } - i2d_PKCS7(p7, &p); - p -= len; - padlen = (8 - len % 8) % 8; - PUT_UINT32_LE(len + 8 + padlen, buf); - PUT_UINT16_LE(WIN_CERT_REVISION_2_0, buf + 4); - PUT_UINT16_LE(WIN_CERT_TYPE_PKCS_SIGNED_DATA, buf + 6); - BIO_write(outdata, buf, 8); - BIO_write(outdata, p, len); - /* pad (with 0's) asn1 blob to 8 byte boundary */ - if (padlen > 0) { - memset(p, 0, (size_t)padlen); - BIO_write(outdata, p, padlen); - } - OPENSSL_free(p); - return 0; /* OK */ + if (((len = i2d_PKCS7(p7, NULL)) <= 0) + || (p = OPENSSL_malloc((size_t)len)) == NULL) { + printf("i2d_PKCS memory allocation failed: %d\n", len); + return 1; /* FAILED */ + } + i2d_PKCS7(p7, &p); + p -= len; + padlen = (8 - len % 8) % 8; + PUT_UINT32_LE(len + 8 + padlen, buf); + PUT_UINT16_LE(WIN_CERT_REVISION_2_0, buf + 4); + PUT_UINT16_LE(WIN_CERT_TYPE_PKCS_SIGNED_DATA, buf + 6); + BIO_write(outdata, buf, 8); + BIO_write(outdata, p, len); + /* pad (with 0's) asn1 blob to 8 byte boundary */ + if (padlen > 0) { + memset(p, 0, (size_t)padlen); + BIO_write(outdata, p, padlen); + } + OPENSSL_free(p); + return 0; /* OK */ } /* @@ -504,32 +504,32 @@ static int pe_append_pkcs7(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7) */ static void pe_update_data_size(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7) { - uint32_t checksum; - u_char buf[] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - }; - - if (ctx->options->cmd == CMD_VERIFY || ctx->options->cmd == CMD_EXTRACT) { - return; - } - if (ctx->options->cmd != CMD_REMOVE) { - int len = i2d_PKCS7(p7, NULL); - int padlen = (8 - len % 8) % 8; + uint32_t checksum; + u_char buf[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + }; - /* Update signature position and size */ - (void)BIO_seek(outdata, - ctx->pe_ctx->header_size + 152 + ctx->pe_ctx->pe32plus * 16); - /* Previous file end = signature table start */ - PUT_UINT32_LE(ctx->pe_ctx->fileend, buf); - BIO_write(outdata, buf, 4); - PUT_UINT32_LE(len + 8 + padlen, buf); - BIO_write(outdata, buf, 4); - } - checksum = pe_calc_checksum(outdata, ctx->pe_ctx->header_size); - /* write back checksum */ - (void)BIO_seek(outdata, ctx->pe_ctx->header_size + 88); - PUT_UINT32_LE(checksum, buf); - BIO_write(outdata, buf, 4); + if (ctx->options->cmd == CMD_VERIFY || ctx->options->cmd == CMD_EXTRACT) { + return; + } + if (ctx->options->cmd != CMD_REMOVE) { + int len = i2d_PKCS7(p7, NULL); + int padlen = (8 - len % 8) % 8; + + /* Update signature position and size */ + (void)BIO_seek(outdata, + ctx->pe_ctx->header_size + 152 + ctx->pe_ctx->pe32plus * 16); + /* Previous file end = signature table start */ + PUT_UINT32_LE(ctx->pe_ctx->fileend, buf); + BIO_write(outdata, buf, 4); + PUT_UINT32_LE(len + 8 + padlen, buf); + BIO_write(outdata, buf, 4); + } + checksum = pe_calc_checksum(outdata, ctx->pe_ctx->header_size); + /* write back checksum */ + (void)BIO_seek(outdata, ctx->pe_ctx->header_size + 88); + PUT_UINT32_LE(checksum, buf); + BIO_write(outdata, buf, 4); } /* @@ -540,11 +540,11 @@ static void pe_update_data_size(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7) */ static BIO *pe_bio_free(BIO *hash, BIO *outdata) { - /* squash the unused parameter warning */ - (void)outdata; + /* squash the unused parameter warning */ + (void)outdata; - BIO_free_all(hash); - return NULL; + BIO_free_all(hash); + return NULL; } /* @@ -557,19 +557,19 @@ static BIO *pe_bio_free(BIO *hash, BIO *outdata) */ static void pe_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) { - if (outdata) { - BIO_free_all(hash); - if (ctx->options->outfile) { + if (outdata) { + BIO_free_all(hash); + if (ctx->options->outfile) { #ifdef WIN32 - _unlink(ctx->options->outfile); + _unlink(ctx->options->outfile); #else - unlink(ctx->options->outfile); + unlink(ctx->options->outfile); #endif /* WIN32 */ - } - } - unmap_file(ctx->options->indata, ctx->pe_ctx->fileend); - OPENSSL_free(ctx->pe_ctx); - OPENSSL_free(ctx); + } + } + unmap_file(ctx->options->indata, ctx->pe_ctx->fileend); + OPENSSL_free(ctx->pe_ctx); + OPENSSL_free(ctx); } /* @@ -584,77 +584,77 @@ static void pe_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) */ static PE_CTX *pe_ctx_get(char *indata, uint32_t filesize) { - PE_CTX *pe_ctx; - uint32_t header_size, pe32plus, pe_checksum, nrvas, sigpos, siglen; - uint16_t magic; + PE_CTX *pe_ctx; + uint32_t header_size, pe32plus, pe_checksum, nrvas, sigpos, siglen; + uint16_t magic; - if (filesize < 64) { - printf("Corrupt DOS file - too short\n"); - return NULL; /* FAILED */ - } - /* SizeOfHeaders field specifies the combined size of an MS-DOS stub, PE header, - * and section headers rounded up to a multiple of FileAlignment. - * SizeOfHeaders must be < filesize and cannot be < 0x0000002C (44) in Windows 7 - * because of a bug when checking section names for compatibility purposes */ - header_size = GET_UINT32_LE(indata + 60); - if (header_size < 44 || header_size > filesize) { - printf("Unexpected SizeOfHeaders field: 0x%08X\n", header_size); - return NULL; /* FAILED */ - } - if (filesize < header_size + 176) { - printf("Corrupt PE file - too short\n"); - return NULL; /* FAILED */ - } - if (memcmp(indata + header_size, "PE\0\0", 4)) { - printf("Unrecognized DOS file type\n"); - return NULL; /* FAILED */ - } - /* Magic field identifies the state of the image file. The most common number is - * 0x10B, which identifies it as a normal executable file, - * 0x20B identifies it as a PE32+ executable, - * 0x107 identifies it as a ROM image (not supported) */ - magic = GET_UINT16_LE(indata + header_size + 24); - if (magic == 0x20b) { - pe32plus = 1; - } else if (magic == 0x10b) { - pe32plus = 0; - } else { - printf("Corrupt PE file - found unknown magic %04X\n", magic); - return NULL; /* FAILED */ - } - /* The image file checksum */ - pe_checksum = GET_UINT32_LE(indata + header_size + 88); - /* NumberOfRvaAndSizes field specifies the number of data-directory entries - * in the remainder of the optional header. Each describes a location and size. */ - nrvas = GET_UINT32_LE(indata + header_size + 116 + pe32plus * 16); - if (nrvas < 5) { - printf("Can not handle PE files without certificate table resource\n"); - return NULL; /* FAILED */ - } - /* Certificate Table field specifies the attribute certificate table address (4 bytes) and size (4 bytes) */ - sigpos = GET_UINT32_LE(indata + header_size + 152 + pe32plus * 16); - siglen = GET_UINT32_LE(indata + header_size + 152 + pe32plus * 16 + 4); - /* Since fix for MS Bulletin MS12-024 we can really assume - that signature should be last part of file */ - if ((sigpos > 0 && sigpos < filesize && sigpos + siglen != filesize) - || (sigpos >= filesize)) { - printf("Corrupt PE file - current signature not at the end of the file\n"); - return NULL; /* FAILED */ - } - if ((sigpos > 0 && siglen == 0) || (sigpos == 0 && siglen > 0)) { - printf("Corrupt signature\n"); - return NULL; /* FAILED */ - } - pe_ctx = OPENSSL_zalloc(sizeof(PE_CTX)); - pe_ctx->header_size = header_size; - pe_ctx->pe32plus = pe32plus; - pe_ctx->magic = magic; - pe_ctx->pe_checksum = pe_checksum; - pe_ctx->nrvas = nrvas; - pe_ctx->sigpos = sigpos; - pe_ctx->siglen = siglen; - pe_ctx->fileend = filesize; - return pe_ctx; /* OK */ + if (filesize < 64) { + printf("Corrupt DOS file - too short\n"); + return NULL; /* FAILED */ + } + /* SizeOfHeaders field specifies the combined size of an MS-DOS stub, PE header, + * and section headers rounded up to a multiple of FileAlignment. + * SizeOfHeaders must be < filesize and cannot be < 0x0000002C (44) in Windows 7 + * because of a bug when checking section names for compatibility purposes */ + header_size = GET_UINT32_LE(indata + 60); + if (header_size < 44 || header_size > filesize) { + printf("Unexpected SizeOfHeaders field: 0x%08X\n", header_size); + return NULL; /* FAILED */ + } + if (filesize < header_size + 176) { + printf("Corrupt PE file - too short\n"); + return NULL; /* FAILED */ + } + if (memcmp(indata + header_size, "PE\0\0", 4)) { + printf("Unrecognized DOS file type\n"); + return NULL; /* FAILED */ + } + /* Magic field identifies the state of the image file. The most common number is + * 0x10B, which identifies it as a normal executable file, + * 0x20B identifies it as a PE32+ executable, + * 0x107 identifies it as a ROM image (not supported) */ + magic = GET_UINT16_LE(indata + header_size + 24); + if (magic == 0x20b) { + pe32plus = 1; + } else if (magic == 0x10b) { + pe32plus = 0; + } else { + printf("Corrupt PE file - found unknown magic %04X\n", magic); + return NULL; /* FAILED */ + } + /* The image file checksum */ + pe_checksum = GET_UINT32_LE(indata + header_size + 88); + /* NumberOfRvaAndSizes field specifies the number of data-directory entries + * in the remainder of the optional header. Each describes a location and size. */ + nrvas = GET_UINT32_LE(indata + header_size + 116 + pe32plus * 16); + if (nrvas < 5) { + printf("Can not handle PE files without certificate table resource\n"); + return NULL; /* FAILED */ + } + /* Certificate Table field specifies the attribute certificate table address (4 bytes) and size (4 bytes) */ + sigpos = GET_UINT32_LE(indata + header_size + 152 + pe32plus * 16); + siglen = GET_UINT32_LE(indata + header_size + 152 + pe32plus * 16 + 4); + /* Since fix for MS Bulletin MS12-024 we can really assume + that signature should be last part of file */ + if ((sigpos > 0 && sigpos < filesize && sigpos + siglen != filesize) + || (sigpos >= filesize)) { + printf("Corrupt PE file - current signature not at the end of the file\n"); + return NULL; /* FAILED */ + } + if ((sigpos > 0 && siglen == 0) || (sigpos == 0 && siglen > 0)) { + printf("Corrupt signature\n"); + return NULL; /* FAILED */ + } + pe_ctx = OPENSSL_zalloc(sizeof(PE_CTX)); + pe_ctx->header_size = header_size; + pe_ctx->pe32plus = pe32plus; + pe_ctx->magic = magic; + pe_ctx->pe_checksum = pe_checksum; + pe_ctx->nrvas = nrvas; + pe_ctx->sigpos = sigpos; + pe_ctx->siglen = siglen; + pe_ctx->fileend = filesize; + return pe_ctx; /* OK */ } /* @@ -666,25 +666,25 @@ static PE_CTX *pe_ctx_get(char *indata, uint32_t filesize) */ static PKCS7 *pe_pkcs7_get_file(char *indata, PE_CTX *pe_ctx) { - uint32_t pos = 0; + uint32_t pos = 0; - if (pe_ctx->siglen == 0 || pe_ctx->siglen > pe_ctx->fileend) { - printf("Corrupted signature length: 0x%08X\n", pe_ctx->siglen); - return NULL; /* FAILED */ - } - while (pos < pe_ctx->siglen) { - uint32_t l = GET_UINT32_LE(indata + pe_ctx->sigpos + pos); - uint16_t certrev = GET_UINT16_LE(indata + pe_ctx->sigpos + pos + 4); - uint16_t certtype = GET_UINT16_LE(indata + pe_ctx->sigpos + pos + 6); - if (certrev == WIN_CERT_REVISION_2_0 && certtype == WIN_CERT_TYPE_PKCS_SIGNED_DATA) { - const u_char *blob = (u_char *)indata + pe_ctx->sigpos + pos + 8; - return d2i_PKCS7(NULL, &blob, l - 8); - } - if (l%8) - l += (8 - l%8); - pos += l; - } - return NULL; /* FAILED */ + if (pe_ctx->siglen == 0 || pe_ctx->siglen > pe_ctx->fileend) { + printf("Corrupted signature length: 0x%08X\n", pe_ctx->siglen); + return NULL; /* FAILED */ + } + while (pos < pe_ctx->siglen) { + uint32_t l = GET_UINT32_LE(indata + pe_ctx->sigpos + pos); + uint16_t certrev = GET_UINT16_LE(indata + pe_ctx->sigpos + pos + 4); + uint16_t certtype = GET_UINT16_LE(indata + pe_ctx->sigpos + pos + 6); + if (certrev == WIN_CERT_REVISION_2_0 && certtype == WIN_CERT_TYPE_PKCS_SIGNED_DATA) { + const u_char *blob = (u_char *)indata + pe_ctx->sigpos + pos + 8; + return d2i_PKCS7(NULL, &blob, l - 8); + } + if (l%8) + l += (8 - l%8); + pos += l; + } + return NULL; /* FAILED */ } /* @@ -697,28 +697,28 @@ static PKCS7 *pe_pkcs7_get_file(char *indata, PE_CTX *pe_ctx) */ static uint32_t pe_calc_checksum(BIO *outdata, uint32_t header_size) { - uint32_t checkSum = 0, offset = 0; - int nread; - unsigned short *buf = OPENSSL_malloc(SIZE_64K); + uint32_t checkSum = 0, offset = 0; + int nread; + unsigned short *buf = OPENSSL_malloc(SIZE_64K); - /* recalculate the checksum */ - (void)BIO_seek(outdata, 0); - while ((nread = BIO_read(outdata, buf, SIZE_64K)) > 0) { - unsigned short val; - int i; - for (i = 0; i < nread / 2; i++) { - val = LE_UINT16(buf[i]); - if (offset == header_size + 88 || offset == header_size + 90) - val = 0; - checkSum += val; - checkSum = LOWORD(LOWORD(checkSum) + HIWORD(checkSum)); - offset += 2; - } - } - OPENSSL_free(buf); - checkSum = LOWORD(LOWORD(checkSum) + HIWORD(checkSum)); - checkSum += offset; - return checkSum; + /* recalculate the checksum */ + (void)BIO_seek(outdata, 0); + while ((nread = BIO_read(outdata, buf, SIZE_64K)) > 0) { + unsigned short val; + int i; + for (i = 0; i < nread / 2; i++) { + val = LE_UINT16(buf[i]); + if (offset == header_size + 88 || offset == header_size + 90) + val = 0; + checkSum += val; + checkSum = LOWORD(LOWORD(checkSum) + HIWORD(checkSum)); + offset += 2; + } + } + OPENSSL_free(buf); + checkSum = LOWORD(LOWORD(checkSum) + HIWORD(checkSum)); + checkSum += offset; + return checkSum; } /* @@ -728,40 +728,40 @@ static uint32_t pe_calc_checksum(BIO *outdata, uint32_t header_size) */ static uint32_t pe_calc_realchecksum(FILE_FORMAT_CTX *ctx) { - uint32_t n = 0, checkSum = 0, offset = 0; - BIO *bio = BIO_new(BIO_s_mem()); - unsigned short *buf = OPENSSL_malloc(SIZE_64K); + uint32_t n = 0, checkSum = 0, offset = 0; + BIO *bio = BIO_new(BIO_s_mem()); + unsigned short *buf = OPENSSL_malloc(SIZE_64K); - /* calculate the checkSum */ - while (n < ctx->pe_ctx->fileend) { - size_t i, written, nread; - size_t left = ctx->pe_ctx->fileend - n; - unsigned short val; - if (left > SIZE_64K) - left = SIZE_64K; - if (!BIO_write_ex(bio, ctx->options->indata + n, left, &written)) - goto err; /* FAILED */ - (void)BIO_seek(bio, 0); - n += (uint32_t)written; - if (!BIO_read_ex(bio, buf, written, &nread)) - goto err; /* FAILED */ - for (i = 0; i < nread / 2; i++) { - val = LE_UINT16(buf[i]); - if (offset == ctx->pe_ctx->header_size + 88 - || offset == ctx->pe_ctx->header_size + 90) { - val = 0; - } - checkSum += val; - checkSum = LOWORD(LOWORD(checkSum) + HIWORD(checkSum)); - offset += 2; - } - } - checkSum = LOWORD(LOWORD(checkSum) + HIWORD(checkSum)); - checkSum += offset; + /* calculate the checkSum */ + while (n < ctx->pe_ctx->fileend) { + size_t i, written, nread; + size_t left = ctx->pe_ctx->fileend - n; + unsigned short val; + if (left > SIZE_64K) + left = SIZE_64K; + if (!BIO_write_ex(bio, ctx->options->indata + n, left, &written)) + goto err; /* FAILED */ + (void)BIO_seek(bio, 0); + n += (uint32_t)written; + if (!BIO_read_ex(bio, buf, written, &nread)) + goto err; /* FAILED */ + for (i = 0; i < nread / 2; i++) { + val = LE_UINT16(buf[i]); + if (offset == ctx->pe_ctx->header_size + 88 + || offset == ctx->pe_ctx->header_size + 90) { + val = 0; + } + checkSum += val; + checkSum = LOWORD(LOWORD(checkSum) + HIWORD(checkSum)); + offset += 2; + } + } + checkSum = LOWORD(LOWORD(checkSum) + HIWORD(checkSum)); + checkSum += offset; err: - OPENSSL_free(buf); - BIO_free(bio); - return checkSum; + OPENSSL_free(buf); + BIO_free(bio); + return checkSum; } /* @@ -773,49 +773,49 @@ err: */ static int pe_modify_header(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) { - size_t i, len, written; - char *buf; + size_t i, len, written; + char *buf; - i = len = ctx->pe_ctx->header_size + 88; - if (!BIO_write_ex(hash, ctx->options->indata, len, &written) - || written != len) { - return 0; /* FAILED */ - } - buf = OPENSSL_malloc(SIZE_64K); - memset(buf, 0, 4); - BIO_write(outdata, buf, 4); /* zero out checksum */ - i += 4; - len = 60 + ctx->pe_ctx->pe32plus * 16; - if (!BIO_write_ex(hash, ctx->options->indata + i, len, &written) - || written != len) { - OPENSSL_free(buf); - return 0; /* FAILED */ - } - i += 60 + ctx->pe_ctx->pe32plus * 16; - memset(buf, 0, 8); - BIO_write(outdata, buf, 8); /* zero out sigtable offset + pos */ - i += 8; - len = ctx->pe_ctx->fileend - i; - while (len > 0) { - if (!BIO_write_ex(hash, ctx->options->indata + i, len, &written)) { - OPENSSL_free(buf); - return 0; /* FAILED */ - } - len -= written; - i += written; - } - /* pad (with 0's) pe file to 8 byte boundary */ - len = 8 - ctx->pe_ctx->fileend % 8; - if (len != 8) { - memset(buf, 0, len); - if (!BIO_write_ex(hash, buf, len, &written) || written != len) { - OPENSSL_free(buf); - return 0; /* FAILED */ - } - ctx->pe_ctx->fileend += (uint32_t)len; - } - OPENSSL_free(buf); - return 1; /* OK */ + i = len = ctx->pe_ctx->header_size + 88; + if (!BIO_write_ex(hash, ctx->options->indata, len, &written) + || written != len) { + return 0; /* FAILED */ + } + buf = OPENSSL_malloc(SIZE_64K); + memset(buf, 0, 4); + BIO_write(outdata, buf, 4); /* zero out checksum */ + i += 4; + len = 60 + ctx->pe_ctx->pe32plus * 16; + if (!BIO_write_ex(hash, ctx->options->indata + i, len, &written) + || written != len) { + OPENSSL_free(buf); + return 0; /* FAILED */ + } + i += 60 + ctx->pe_ctx->pe32plus * 16; + memset(buf, 0, 8); + BIO_write(outdata, buf, 8); /* zero out sigtable offset + pos */ + i += 8; + len = ctx->pe_ctx->fileend - i; + while (len > 0) { + if (!BIO_write_ex(hash, ctx->options->indata + i, len, &written)) { + OPENSSL_free(buf); + return 0; /* FAILED */ + } + len -= written; + i += written; + } + /* pad (with 0's) pe file to 8 byte boundary */ + len = 8 - ctx->pe_ctx->fileend % 8; + if (len != 8) { + memset(buf, 0, len); + if (!BIO_write_ex(hash, buf, len, &written) || written != len) { + OPENSSL_free(buf); + return 0; /* FAILED */ + } + ctx->pe_ctx->fileend += (uint32_t)len; + } + OPENSSL_free(buf); + return 1; /* OK */ } /* @@ -831,62 +831,62 @@ static int pe_modify_header(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata) */ static int pe_page_hash_get(u_char **ph, int *phtype, SpcAttributeTypeAndOptionalValue *obj) { - const u_char *blob; - SpcPeImageData *id; - SpcSerializedObject *so; - int l, l2, phlen = 0; - char buf[128]; + const u_char *blob; + SpcPeImageData *id; + SpcSerializedObject *so; + int l, l2, phlen = 0; + char buf[128]; - if (!obj || !obj->value) - return 0; /* FAILED */ - blob = obj->value->value.sequence->data; - id = d2i_SpcPeImageData(NULL, &blob, obj->value->value.sequence->length); - if (!id) { - return 0; /* FAILED */ - } - if (!id->file) { - SpcPeImageData_free(id); - return 0; /* FAILED */ - } - if (id->file->type != 1) { - SpcPeImageData_free(id); - return 0; /* This is not SpcSerializedObject structure that contains page hashes */ - } - so = id->file->value.moniker; - if (so->classId->length != sizeof classid_page_hash || - memcmp(so->classId->data, classid_page_hash, sizeof classid_page_hash)) { - SpcPeImageData_free(id); - return 0; /* FAILED */ - } - /* skip ASN.1 SET hdr */ - l = asn1_simple_hdr_len(so->serializedData->data, so->serializedData->length); - blob = so->serializedData->data + l; - obj = d2i_SpcAttributeTypeAndOptionalValue(NULL, &blob, so->serializedData->length - l); - SpcPeImageData_free(id); - if (!obj) - return 0; /* FAILED */ + if (!obj || !obj->value) + return 0; /* FAILED */ + blob = obj->value->value.sequence->data; + id = d2i_SpcPeImageData(NULL, &blob, obj->value->value.sequence->length); + if (!id) { + return 0; /* FAILED */ + } + if (!id->file) { + SpcPeImageData_free(id); + return 0; /* FAILED */ + } + if (id->file->type != 1) { + SpcPeImageData_free(id); + return 0; /* This is not SpcSerializedObject structure that contains page hashes */ + } + so = id->file->value.moniker; + if (so->classId->length != sizeof classid_page_hash || + memcmp(so->classId->data, classid_page_hash, sizeof classid_page_hash)) { + SpcPeImageData_free(id); + return 0; /* FAILED */ + } + /* skip ASN.1 SET hdr */ + l = asn1_simple_hdr_len(so->serializedData->data, so->serializedData->length); + blob = so->serializedData->data + l; + obj = d2i_SpcAttributeTypeAndOptionalValue(NULL, &blob, so->serializedData->length - l); + SpcPeImageData_free(id); + if (!obj) + return 0; /* FAILED */ - *phtype = 0; - buf[0] = 0x00; - OBJ_obj2txt(buf, sizeof buf, obj->type, 1); - if (!strcmp(buf, SPC_PE_IMAGE_PAGE_HASHES_V1)) { - *phtype = NID_sha1; - } else if (!strcmp(buf, SPC_PE_IMAGE_PAGE_HASHES_V2)) { - *phtype = NID_sha256; - } else { - SpcAttributeTypeAndOptionalValue_free(obj); - return 0; /* FAILED */ - } - /* Skip ASN.1 SET hdr */ - l2 = asn1_simple_hdr_len(obj->value->value.sequence->data, obj->value->value.sequence->length); - /* Skip ASN.1 OCTET STRING hdr */ - l = asn1_simple_hdr_len(obj->value->value.sequence->data + l2, obj->value->value.sequence->length - l2); - l += l2; - phlen = obj->value->value.sequence->length - l; - *ph = OPENSSL_malloc((size_t)phlen); - memcpy(*ph, obj->value->value.sequence->data + l, (size_t)phlen); - SpcAttributeTypeAndOptionalValue_free(obj); - return phlen; /* OK */ + *phtype = 0; + buf[0] = 0x00; + OBJ_obj2txt(buf, sizeof buf, obj->type, 1); + if (!strcmp(buf, SPC_PE_IMAGE_PAGE_HASHES_V1)) { + *phtype = NID_sha1; + } else if (!strcmp(buf, SPC_PE_IMAGE_PAGE_HASHES_V2)) { + *phtype = NID_sha256; + } else { + SpcAttributeTypeAndOptionalValue_free(obj); + return 0; /* FAILED */ + } + /* Skip ASN.1 SET hdr */ + l2 = asn1_simple_hdr_len(obj->value->value.sequence->data, obj->value->value.sequence->length); + /* Skip ASN.1 OCTET STRING hdr */ + l = asn1_simple_hdr_len(obj->value->value.sequence->data + l2, obj->value->value.sequence->length - l2); + l += l2; + phlen = obj->value->value.sequence->length - l; + *ph = OPENSSL_malloc((size_t)phlen); + memcpy(*ph, obj->value->value.sequence->data + l, (size_t)phlen); + SpcAttributeTypeAndOptionalValue_free(obj); + return phlen; /* OK */ } /* @@ -898,151 +898,151 @@ static int pe_page_hash_get(u_char **ph, int *phtype, SpcAttributeTypeAndOptiona */ static u_char *pe_page_hash_calc(int *rphlen, FILE_FORMAT_CTX *ctx, int phtype) { - uint16_t nsections, opthdr_size; - uint32_t alignment, pagesize, hdrsize; - uint32_t rs, ro, l, lastpos = 0; - int pphlen, phlen, i, pi = 1; - size_t written; - u_char *res, *zeroes; - char *sections; - const EVP_MD *md = EVP_get_digestbynid(phtype); - BIO *bhash; + uint16_t nsections, opthdr_size; + uint32_t alignment, pagesize, hdrsize; + uint32_t rs, ro, l, lastpos = 0; + int pphlen, phlen, i, pi = 1; + size_t written; + u_char *res, *zeroes; + char *sections; + const EVP_MD *md = EVP_get_digestbynid(phtype); + BIO *bhash; - /* NumberOfSections indicates the size of the section table, - * which immediately follows the headers, can be up to 65535 under Vista and later */ - nsections = GET_UINT16_LE(ctx->options->indata + ctx->pe_ctx->header_size + 6); - if (nsections == 0 || nsections > UINT16_MAX) { - printf("Corrupted number of sections: 0x%08X\n", nsections); - return NULL; /* FAILED */ - } - /* FileAlignment is the alignment factor (in bytes) that is used to align - * the raw data of sections in the image file. The value should be a power - * of 2 between 512 and 64 K, inclusive. The default is 512. */ - alignment = GET_UINT32_LE(ctx->options->indata + ctx->pe_ctx->header_size + 60); - if (alignment < 512 || alignment > UINT16_MAX) { - printf("Corrupted file alignment factor: 0x%08X\n", alignment); - return NULL; /* FAILED */ - } - /* SectionAlignment is the alignment (in bytes) of sections when they are - * loaded into memory. It must be greater than or equal to FileAlignment. - * The default is the page size for the architecture. - * The large page size is at most 4 MB. - * https://devblogs.microsoft.com/oldnewthing/20210510-00/?p=105200 */ - pagesize = GET_UINT32_LE(ctx->options->indata + ctx->pe_ctx->header_size + 56); - if (pagesize == 0 || pagesize < alignment || pagesize > 4194304) { - printf("Corrupted page size: 0x%08X\n", pagesize); - return NULL; /* FAILED */ - } - /* SizeOfHeaders is the combined size of an MS-DOS stub, PE header, - * and section headers rounded up to a multiple of FileAlignment. */ - hdrsize = GET_UINT32_LE(ctx->options->indata + ctx->pe_ctx->header_size + 84); - if (hdrsize < ctx->pe_ctx->header_size || hdrsize > UINT32_MAX) { - printf("Corrupted headers size: 0x%08X\n", hdrsize); - return NULL; /* FAILED */ - } - /* SizeOfOptionalHeader is the size of the optional header, which is - * required for executable files, but for object files should be zero, - * and can't be bigger than the file */ - opthdr_size = GET_UINT16_LE(ctx->options->indata + ctx->pe_ctx->header_size + 20); - if (opthdr_size == 0 || opthdr_size > ctx->pe_ctx->fileend) { - printf("Corrupted optional header size: 0x%08X\n", opthdr_size); - return NULL; /* FAILED */ - } - pphlen = 4 + EVP_MD_size(md); - phlen = pphlen * (3 + (int)nsections + (int)(ctx->pe_ctx->fileend / pagesize)); + /* NumberOfSections indicates the size of the section table, + * which immediately follows the headers, can be up to 65535 under Vista and later */ + nsections = GET_UINT16_LE(ctx->options->indata + ctx->pe_ctx->header_size + 6); + if (nsections == 0 || nsections > UINT16_MAX) { + printf("Corrupted number of sections: 0x%08X\n", nsections); + return NULL; /* FAILED */ + } + /* FileAlignment is the alignment factor (in bytes) that is used to align + * the raw data of sections in the image file. The value should be a power + * of 2 between 512 and 64 K, inclusive. The default is 512. */ + alignment = GET_UINT32_LE(ctx->options->indata + ctx->pe_ctx->header_size + 60); + if (alignment < 512 || alignment > UINT16_MAX) { + printf("Corrupted file alignment factor: 0x%08X\n", alignment); + return NULL; /* FAILED */ + } + /* SectionAlignment is the alignment (in bytes) of sections when they are + * loaded into memory. It must be greater than or equal to FileAlignment. + * The default is the page size for the architecture. + * The large page size is at most 4 MB. + * https://devblogs.microsoft.com/oldnewthing/20210510-00/?p=105200 */ + pagesize = GET_UINT32_LE(ctx->options->indata + ctx->pe_ctx->header_size + 56); + if (pagesize == 0 || pagesize < alignment || pagesize > 4194304) { + printf("Corrupted page size: 0x%08X\n", pagesize); + return NULL; /* FAILED */ + } + /* SizeOfHeaders is the combined size of an MS-DOS stub, PE header, + * and section headers rounded up to a multiple of FileAlignment. */ + hdrsize = GET_UINT32_LE(ctx->options->indata + ctx->pe_ctx->header_size + 84); + if (hdrsize < ctx->pe_ctx->header_size || hdrsize > UINT32_MAX) { + printf("Corrupted headers size: 0x%08X\n", hdrsize); + return NULL; /* FAILED */ + } + /* SizeOfOptionalHeader is the size of the optional header, which is + * required for executable files, but for object files should be zero, + * and can't be bigger than the file */ + opthdr_size = GET_UINT16_LE(ctx->options->indata + ctx->pe_ctx->header_size + 20); + if (opthdr_size == 0 || opthdr_size > ctx->pe_ctx->fileend) { + printf("Corrupted optional header size: 0x%08X\n", opthdr_size); + return NULL; /* FAILED */ + } + pphlen = 4 + EVP_MD_size(md); + phlen = pphlen * (3 + (int)nsections + (int)(ctx->pe_ctx->fileend / pagesize)); - bhash = BIO_new(BIO_f_md()); - if (!BIO_set_md(bhash, md)) { - printf("Unable to set the message digest of BIO\n"); - BIO_free_all(bhash); - return NULL; /* FAILED */ - } - BIO_push(bhash, BIO_new(BIO_s_null())); - if (!BIO_write_ex(bhash, ctx->options->indata, ctx->pe_ctx->header_size + 88, &written) - || written != ctx->pe_ctx->header_size + 88) { - BIO_free_all(bhash); - return NULL; /* FAILED */ - } - if (!BIO_write_ex(bhash, ctx->options->indata + ctx->pe_ctx->header_size + 92, - 60 + ctx->pe_ctx->pe32plus*16, &written) - || written != 60 + ctx->pe_ctx->pe32plus*16) { - BIO_free_all(bhash); - return NULL; /* FAILED */ - } - if (!BIO_write_ex(bhash, - ctx->options->indata + ctx->pe_ctx->header_size + 160 + ctx->pe_ctx->pe32plus*16, - hdrsize - (ctx->pe_ctx->header_size + 160 + ctx->pe_ctx->pe32plus*16), &written) - || written != hdrsize - (ctx->pe_ctx->header_size + 160 + ctx->pe_ctx->pe32plus*16)) { - BIO_free_all(bhash); - return NULL; /* FAILED */ - } - zeroes = OPENSSL_zalloc((size_t)pagesize); - if (!BIO_write_ex(bhash, zeroes, pagesize - hdrsize, &written) - || written != pagesize - hdrsize) { - BIO_free_all(bhash); - OPENSSL_free(zeroes); - return NULL; /* FAILED */ - } - res = OPENSSL_malloc((size_t)phlen); - memset(res, 0, 4); - BIO_gets(bhash, (char*)res + 4, EVP_MD_size(md)); - BIO_free_all(bhash); - sections = ctx->options->indata + ctx->pe_ctx->header_size + 24 + opthdr_size; - for (i=0; i= UINT32_MAX) { - sections += 40; - continue; - } - for (l=0; loptions->indata + ro + l, rs - l, &written) - || written != rs - l) { - BIO_free_all(bhash); - OPENSSL_free(zeroes); - OPENSSL_free(res); - return NULL; /* FAILED */ - } - if (!BIO_write_ex(bhash, zeroes, pagesize - (rs - l), &written) - || written != pagesize - (rs - l)) { - BIO_free_all(bhash); - OPENSSL_free(zeroes); - OPENSSL_free(res); - return NULL; /* FAILED */ - } - } else { - if (!BIO_write_ex(bhash, ctx->options->indata + ro + l, pagesize, &written) - || written != pagesize) { - BIO_free_all(bhash); - OPENSSL_free(zeroes); - OPENSSL_free(res); - return NULL; /* FAILED */ - } - } - BIO_gets(bhash, (char*)res + pi*pphlen + 4, EVP_MD_size(md)); - BIO_free_all(bhash); - } - lastpos = ro + rs; - sections += 40; - } - PUT_UINT32_LE(lastpos, res + pi*pphlen); - memset(res + pi*pphlen + 4, 0, (size_t)EVP_MD_size(md)); - pi++; - OPENSSL_free(zeroes); - *rphlen = pi*pphlen; - return res; + bhash = BIO_new(BIO_f_md()); + if (!BIO_set_md(bhash, md)) { + printf("Unable to set the message digest of BIO\n"); + BIO_free_all(bhash); + return NULL; /* FAILED */ + } + BIO_push(bhash, BIO_new(BIO_s_null())); + if (!BIO_write_ex(bhash, ctx->options->indata, ctx->pe_ctx->header_size + 88, &written) + || written != ctx->pe_ctx->header_size + 88) { + BIO_free_all(bhash); + return NULL; /* FAILED */ + } + if (!BIO_write_ex(bhash, ctx->options->indata + ctx->pe_ctx->header_size + 92, + 60 + ctx->pe_ctx->pe32plus*16, &written) + || written != 60 + ctx->pe_ctx->pe32plus*16) { + BIO_free_all(bhash); + return NULL; /* FAILED */ + } + if (!BIO_write_ex(bhash, + ctx->options->indata + ctx->pe_ctx->header_size + 160 + ctx->pe_ctx->pe32plus*16, + hdrsize - (ctx->pe_ctx->header_size + 160 + ctx->pe_ctx->pe32plus*16), &written) + || written != hdrsize - (ctx->pe_ctx->header_size + 160 + ctx->pe_ctx->pe32plus*16)) { + BIO_free_all(bhash); + return NULL; /* FAILED */ + } + zeroes = OPENSSL_zalloc((size_t)pagesize); + if (!BIO_write_ex(bhash, zeroes, pagesize - hdrsize, &written) + || written != pagesize - hdrsize) { + BIO_free_all(bhash); + OPENSSL_free(zeroes); + return NULL; /* FAILED */ + } + res = OPENSSL_malloc((size_t)phlen); + memset(res, 0, 4); + BIO_gets(bhash, (char*)res + 4, EVP_MD_size(md)); + BIO_free_all(bhash); + sections = ctx->options->indata + ctx->pe_ctx->header_size + 24 + opthdr_size; + for (i=0; i= UINT32_MAX) { + sections += 40; + continue; + } + for (l=0; loptions->indata + ro + l, rs - l, &written) + || written != rs - l) { + BIO_free_all(bhash); + OPENSSL_free(zeroes); + OPENSSL_free(res); + return NULL; /* FAILED */ + } + if (!BIO_write_ex(bhash, zeroes, pagesize - (rs - l), &written) + || written != pagesize - (rs - l)) { + BIO_free_all(bhash); + OPENSSL_free(zeroes); + OPENSSL_free(res); + return NULL; /* FAILED */ + } + } else { + if (!BIO_write_ex(bhash, ctx->options->indata + ro + l, pagesize, &written) + || written != pagesize) { + BIO_free_all(bhash); + OPENSSL_free(zeroes); + OPENSSL_free(res); + return NULL; /* FAILED */ + } + } + BIO_gets(bhash, (char*)res + pi*pphlen + 4, EVP_MD_size(md)); + BIO_free_all(bhash); + } + lastpos = ro + rs; + sections += 40; + } + PUT_UINT32_LE(lastpos, res + pi*pphlen); + memset(res + pi*pphlen + 4, 0, (size_t)EVP_MD_size(md)); + pi++; + OPENSSL_free(zeroes); + *rphlen = pi*pphlen; + return res; } /* @@ -1055,21 +1055,21 @@ static u_char *pe_page_hash_calc(int *rphlen, FILE_FORMAT_CTX *ctx, int phtype) */ static int pe_verify_page_hash(FILE_FORMAT_CTX *ctx, u_char *ph, int phlen, int phtype) { - int mdok, cphlen = 0; - u_char *cph; + int mdok, cphlen = 0; + u_char *cph; - cph = pe_page_hash_calc(&cphlen, ctx, phtype); - mdok = (phlen == cphlen) && !memcmp(ph, cph, (size_t)phlen); - printf("Page hash algorithm : %s\n", OBJ_nid2sn(phtype)); - if (ctx->options->verbose) { - print_hash("Page hash ", "", ph, phlen); - print_hash("Calculated page hash ", mdok ? "\n" : "... MISMATCH!!!\n", cph, cphlen); - } else { - print_hash("Page hash ", "...", ph, (phlen < 32) ? phlen : 32); - print_hash("Calculated page hash ", mdok ? "...\n" : "... MISMATCH!!!\n", cph, (cphlen < 32) ? cphlen : 32); - } - OPENSSL_free(cph); - return mdok; + cph = pe_page_hash_calc(&cphlen, ctx, phtype); + mdok = (phlen == cphlen) && !memcmp(ph, cph, (size_t)phlen); + printf("Page hash algorithm : %s\n", OBJ_nid2sn(phtype)); + if (ctx->options->verbose) { + print_hash("Page hash ", "", ph, phlen); + print_hash("Calculated page hash ", mdok ? "\n" : "... MISMATCH!!!\n", cph, cphlen); + } else { + print_hash("Page hash ", "...", ph, (phlen < 32) ? phlen : 32); + print_hash("Calculated page hash ", mdok ? "...\n" : "... MISMATCH!!!\n", cph, (cphlen < 32) ? cphlen : 32); + } + OPENSSL_free(cph); + return mdok; } /* @@ -1080,83 +1080,83 @@ static int pe_verify_page_hash(FILE_FORMAT_CTX *ctx, u_char *ph, int phlen, int */ static SpcLink *pe_page_hash_link_get(FILE_FORMAT_CTX *ctx, int phtype) { - u_char *ph, *p, *tmp; - int l, phlen; - ASN1_TYPE *tostr; - SpcAttributeTypeAndOptionalValue *aval; - ASN1_TYPE *taval; - SpcSerializedObject *so; - SpcLink *link; - STACK_OF(ASN1_TYPE) *oset, *aset; + u_char *ph, *p, *tmp; + int l, phlen; + ASN1_TYPE *tostr; + SpcAttributeTypeAndOptionalValue *aval; + ASN1_TYPE *taval; + SpcSerializedObject *so; + SpcLink *link; + STACK_OF(ASN1_TYPE) *oset, *aset; - ph = pe_page_hash_calc(&phlen, ctx, phtype); - if (!ph) { - printf("Failed to calculate page hash\n"); - return NULL; /* FAILED */ - } - if (ctx->options->verbose) - print_hash("Calculated page hash ", "", ph, phlen); - else - print_hash("Calculated page hash ", "...", ph, (phlen < 32) ? phlen : 32); + ph = pe_page_hash_calc(&phlen, ctx, phtype); + if (!ph) { + printf("Failed to calculate page hash\n"); + return NULL; /* FAILED */ + } + if (ctx->options->verbose) + print_hash("Calculated page hash ", "", ph, phlen); + else + print_hash("Calculated page hash ", "...", ph, (phlen < 32) ? phlen : 32); - tostr = ASN1_TYPE_new(); - tostr->type = V_ASN1_OCTET_STRING; - tostr->value.octet_string = ASN1_OCTET_STRING_new(); - ASN1_OCTET_STRING_set(tostr->value.octet_string, ph, phlen); - OPENSSL_free(ph); + tostr = ASN1_TYPE_new(); + tostr->type = V_ASN1_OCTET_STRING; + tostr->value.octet_string = ASN1_OCTET_STRING_new(); + ASN1_OCTET_STRING_set(tostr->value.octet_string, ph, phlen); + OPENSSL_free(ph); - oset = sk_ASN1_TYPE_new_null(); - sk_ASN1_TYPE_push(oset, tostr); - l = i2d_ASN1_SET_ANY(oset, NULL); - tmp = p = OPENSSL_malloc((size_t)l); - i2d_ASN1_SET_ANY(oset, &tmp); - ASN1_TYPE_free(tostr); - sk_ASN1_TYPE_free(oset); + oset = sk_ASN1_TYPE_new_null(); + sk_ASN1_TYPE_push(oset, tostr); + l = i2d_ASN1_SET_ANY(oset, NULL); + tmp = p = OPENSSL_malloc((size_t)l); + i2d_ASN1_SET_ANY(oset, &tmp); + ASN1_TYPE_free(tostr); + sk_ASN1_TYPE_free(oset); - aval = SpcAttributeTypeAndOptionalValue_new(); - aval->type = OBJ_txt2obj((phtype == NID_sha1) ? - SPC_PE_IMAGE_PAGE_HASHES_V1 : SPC_PE_IMAGE_PAGE_HASHES_V2, 1); - aval->value = ASN1_TYPE_new(); - aval->value->type = V_ASN1_SET; - aval->value->value.set = ASN1_STRING_new(); - ASN1_STRING_set(aval->value->value.set, p, l); - OPENSSL_free(p); - l = i2d_SpcAttributeTypeAndOptionalValue(aval, NULL); - tmp = p = OPENSSL_malloc((size_t)l); - i2d_SpcAttributeTypeAndOptionalValue(aval, &tmp); - SpcAttributeTypeAndOptionalValue_free(aval); + aval = SpcAttributeTypeAndOptionalValue_new(); + aval->type = OBJ_txt2obj((phtype == NID_sha1) ? + SPC_PE_IMAGE_PAGE_HASHES_V1 : SPC_PE_IMAGE_PAGE_HASHES_V2, 1); + aval->value = ASN1_TYPE_new(); + aval->value->type = V_ASN1_SET; + aval->value->value.set = ASN1_STRING_new(); + ASN1_STRING_set(aval->value->value.set, p, l); + OPENSSL_free(p); + l = i2d_SpcAttributeTypeAndOptionalValue(aval, NULL); + tmp = p = OPENSSL_malloc((size_t)l); + i2d_SpcAttributeTypeAndOptionalValue(aval, &tmp); + SpcAttributeTypeAndOptionalValue_free(aval); - taval = ASN1_TYPE_new(); - taval->type = V_ASN1_SEQUENCE; - taval->value.sequence = ASN1_STRING_new(); - ASN1_STRING_set(taval->value.sequence, p, l); - OPENSSL_free(p); + taval = ASN1_TYPE_new(); + taval->type = V_ASN1_SEQUENCE; + taval->value.sequence = ASN1_STRING_new(); + ASN1_STRING_set(taval->value.sequence, p, l); + OPENSSL_free(p); - aset = sk_ASN1_TYPE_new_null(); - sk_ASN1_TYPE_push(aset, taval); - l = i2d_ASN1_SET_ANY(aset, NULL); - tmp = p = OPENSSL_malloc((size_t)l); - l = i2d_ASN1_SET_ANY(aset, &tmp); - ASN1_TYPE_free(taval); - sk_ASN1_TYPE_free(aset); + aset = sk_ASN1_TYPE_new_null(); + sk_ASN1_TYPE_push(aset, taval); + l = i2d_ASN1_SET_ANY(aset, NULL); + tmp = p = OPENSSL_malloc((size_t)l); + l = i2d_ASN1_SET_ANY(aset, &tmp); + ASN1_TYPE_free(taval); + sk_ASN1_TYPE_free(aset); - so = SpcSerializedObject_new(); - ASN1_OCTET_STRING_set(so->classId, classid_page_hash, sizeof classid_page_hash); - ASN1_OCTET_STRING_set(so->serializedData, p, l); - OPENSSL_free(p); + so = SpcSerializedObject_new(); + ASN1_OCTET_STRING_set(so->classId, classid_page_hash, sizeof classid_page_hash); + ASN1_OCTET_STRING_set(so->serializedData, p, l); + OPENSSL_free(p); - link = SpcLink_new(); - link->type = 1; - link->value.moniker = so; - return link; + link = SpcLink_new(); + link->type = 1; + link->value.moniker = so; + return link; } /* Local Variables: c-basic-offset: 4 tab-width: 4 - indent-tabs-mode: t + indent-tabs-mode: nil End: - vim: set ts=4 noexpandtab: + vim: set ts=4 expandtab: */