nhyatt/osslsigncode
1
0
Fork 0
mirror of https://github.com/mtrojnar/osslsigncode.git synced 2025-04-05 09:08:04 -05:00
Code Issues Projects Releases Wiki Activity

Fix more fuzzer errors

Browse Source
This commit is contained in:
olszomal 2022-02-11 15:18:04 +01:00 committed by Michał Trojnara
parent e177ded9a5
commit 45fedd9e50
2 changed files with 274 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

125
msi.c
View File

@ -20,6 +20,7 @@ static const u_char *sector_offset_to_address(MSI_FILE *msi, uint32_t sector, ui
{ {
if (sector >= MAXREGSECT || offset >= msi->m_sectorSize || if (sector >= MAXREGSECT || offset >= msi->m_sectorSize ||
msi->m_bufferLen <= msi->m_sectorSize * sector + msi->m_sectorSize + offset) { msi->m_bufferLen <= msi->m_sectorSize * sector + msi->m_sectorSize + offset) {
printf("Corrupted file\n");
return NULL; /* FAILED */ return NULL; /* FAILED */
} }
return msi->m_buffer + msi->m_sectorSize + msi->m_sectorSize * sector + offset; return msi->m_buffer + msi->m_sectorSize + msi->m_sectorSize * sector + offset;
@ -39,30 +40,55 @@ static uint32_t get_fat_sector_location(MSI_FILE *msi, uint32_t fatSectorNumber)
while (fatSectorNumber >= entriesPerSector) { while (fatSectorNumber >= entriesPerSector) {
fatSectorNumber -= entriesPerSector; fatSectorNumber -= entriesPerSector;
address = sector_offset_to_address(msi, difatSectorLocation, msi->m_sectorSize - 4); address = sector_offset_to_address(msi, difatSectorLocation, msi->m_sectorSize - 4);
if (!address) {
printf("Failed to get a next sector address\n");
return 0; /* FAILED */
}
difatSectorLocation = GET_UINT32_LE(address); difatSectorLocation = GET_UINT32_LE(address);
} }
return GET_UINT32_LE(sector_offset_to_address(msi, difatSectorLocation, fatSectorNumber * 4)); address = sector_offset_to_address(msi, difatSectorLocation, fatSectorNumber * 4);
if (!address) {
printf("Failed to get a next sector address\n");
return 0; /* FAILED */
}
return GET_UINT32_LE(address);
} }
} }
/* Lookup FAT */ /* Lookup FAT */
static uint32_t get_next_sector(MSI_FILE *msi, uint32_t sector) static uint32_t get_next_sector(MSI_FILE *msi, uint32_t sector)
{ {
const u_char *address;
uint32_t entriesPerSector = msi->m_sectorSize / 4; uint32_t entriesPerSector = msi->m_sectorSize / 4;
uint32_t fatSectorNumber = sector / entriesPerSector; uint32_t fatSectorNumber = sector / entriesPerSector;
uint32_t fatSectorLocation = get_fat_sector_location(msi, fatSectorNumber); uint32_t fatSectorLocation = get_fat_sector_location(msi, fatSectorNumber);
return GET_UINT32_LE(sector_offset_to_address(msi, fatSectorLocation, sector % entriesPerSector * 4));
if (fatSectorLocation == 0) {
printf("Failed to get a fat sector location\n");
return 0; /* FAILED */
}
address = sector_offset_to_address(msi, fatSectorLocation, sector % entriesPerSector * 4);
if (!address) {
printf("Failed to get a next sector address\n");
return 0; /* FAILED */
}
return GET_UINT32_LE(address);
} }
/* Locate the final sector/offset when original offset expands multiple sectors */ /* Locate the final sector/offset when original offset expands multiple sectors */
static void locate_final_sector(MSI_FILE *msi, uint32_t sector, uint32_t offset, uint32_t *finalSector, uint32_t *finalOffset) static int locate_final_sector(MSI_FILE *msi, uint32_t sector, uint32_t offset, uint32_t *finalSector, uint32_t *finalOffset)
{ {
while (offset >= msi->m_sectorSize) { while (offset >= msi->m_sectorSize) {
offset -= msi->m_sectorSize; offset -= msi->m_sectorSize;
sector = get_next_sector(msi, sector); sector = get_next_sector(msi, sector);
if (sector == 0) {
printf("Failed to get a next sector\n");
return 0; /* FAILED */
}
} }
*finalSector = sector; *finalSector = sector;
*finalOffset = offset; *finalOffset = offset;
return 1; /* OK */
} }
/* Get absolute address from mini sector and offset */ /* Get absolute address from mini sector and offset */
@ -70,9 +96,13 @@ static const u_char *mini_sector_offset_to_address(MSI_FILE *msi, uint32_t secto
{ {
if (sector >= MAXREGSECT || offset >= msi->m_minisectorSize || if (sector >= MAXREGSECT || offset >= msi->m_minisectorSize ||
msi->m_bufferLen <= msi->m_minisectorSize * sector + offset) { msi->m_bufferLen <= msi->m_minisectorSize * sector + offset) {
printf("Corrupted file\n");
return NULL; /* FAILED */
}
if (!locate_final_sector(msi, msi->m_miniStreamStartSector, sector * msi->m_minisectorSize + offset, &sector, &offset)) {
printf("Failed to locate a final sector\n");
return NULL; /* FAILED */ return NULL; /* FAILED */
} }
locate_final_sector(msi, msi->m_miniStreamStartSector, sector * msi->m_minisectorSize + offset, &sector, &offset);
return sector_offset_to_address(msi, sector, offset); return sector_offset_to_address(msi, sector, offset);
} }
@ -82,28 +112,52 @@ static const u_char *mini_sector_offset_to_address(MSI_FILE *msi, uint32_t secto
*/ */
static int read_stream(MSI_FILE *msi, uint32_t sector, uint32_t offset, char *buffer, uint32_t len) static int read_stream(MSI_FILE *msi, uint32_t sector, uint32_t offset, char *buffer, uint32_t len)
{ {
locate_final_sector(msi, sector, offset, &sector, &offset); if (!locate_final_sector(msi, sector, offset, &sector, &offset)) {
printf("Failed to locate a final sector\n");
return 0; /* FAILED */
}
while (len > 0) { while (len > 0) {
const u_char *address = sector_offset_to_address(msi, sector, offset); const u_char *address;
uint32_t copylen = MIN(len, msi->m_sectorSize - offset); uint32_t copylen;
address = sector_offset_to_address(msi, sector, offset);
if (!address) {
printf("Failed to get a next sector address\n");
return 0; /* FAILED */
}
copylen = MIN(len, msi->m_sectorSize - offset);
if (msi->m_buffer + msi->m_bufferLen < address + copylen) { if (msi->m_buffer + msi->m_bufferLen < address + copylen) {
printf("Corrupted file\n");
return 0; /* FAILED */ return 0; /* FAILED */
} }
memcpy(buffer, address, copylen); memcpy(buffer, address, copylen);
buffer += copylen; buffer += copylen;
len -= copylen; len -= copylen;
sector = get_next_sector(msi, sector); sector = get_next_sector(msi, sector);
if (sector == 0) {
printf("Failed to get a next sector\n");
return 0; /* FAILED */
}
offset = 0; offset = 0;
} }
return 1; return 1; /* OK */
} }
/* Lookup miniFAT */ /* Lookup miniFAT */
static uint32_t get_next_mini_sector(MSI_FILE *msi, uint32_t miniSector) static uint32_t get_next_mini_sector(MSI_FILE *msi, uint32_t miniSector)
{ {
uint32_t sector, offset; uint32_t sector, offset;
locate_final_sector(msi, msi->m_hdr->firstMiniFATSectorLocation, miniSector * 4, &sector, &offset); const u_char *address;
return GET_UINT32_LE(sector_offset_to_address(msi, sector, offset));
if (!locate_final_sector(msi, msi->m_hdr->firstMiniFATSectorLocation, miniSector * 4, &sector, &offset)) {
printf("Failed to locate a final sector\n");
return 0; /* FAILED */
}
address = sector_offset_to_address(msi, sector, offset);
if (!address) {
printf("Failed to get a next mini sector address\n");
return 0; /* FAILED */
}
return GET_UINT32_LE(address);
} }
static void locate_final_mini_sector(MSI_FILE *msi, uint32_t sector, uint32_t offset, uint32_t *finalSector, uint32_t *finalOffset) static void locate_final_mini_sector(MSI_FILE *msi, uint32_t sector, uint32_t offset, uint32_t *finalSector, uint32_t *finalOffset)
@ -121,9 +175,16 @@ static int read_mini_stream(MSI_FILE *msi, uint32_t sector, uint32_t offset, cha
{ {
locate_final_mini_sector(msi, sector, offset, &sector, &offset); locate_final_mini_sector(msi, sector, offset, &sector, &offset);
while (len > 0) { while (len > 0) {
const u_char *address = mini_sector_offset_to_address(msi, sector, offset); const u_char *address;
uint32_t copylen = MIN(len, msi->m_minisectorSize - offset); uint32_t copylen;
if (!address || msi->m_buffer + msi->m_bufferLen < address + copylen) { address = mini_sector_offset_to_address(msi, sector, offset);
if (!address) {
printf("Failed to get a next mini sector address\n");
return 0; /* FAILED */
}
copylen = MIN(len, msi->m_minisectorSize - offset);
if (msi->m_buffer + msi->m_bufferLen < address + copylen) {
printf("Corrupted file\n");
return 0; /* FAILED */ return 0; /* FAILED */
} }
memcpy(buffer, address, copylen); memcpy(buffer, address, copylen);
@ -132,7 +193,7 @@ static int read_mini_stream(MSI_FILE *msi, uint32_t sector, uint32_t offset, cha
sector = get_next_mini_sector(msi, sector); sector = get_next_mini_sector(msi, sector);
offset = 0; offset = 0;
} }
return 1; return 1; /* OK */
} }
/* /*
@ -148,7 +209,7 @@ int msi_file_read(MSI_FILE *msi, MSI_ENTRY *entry, uint32_t offset, char *buffer
if (!read_stream(msi, entry->startSectorLocation, offset, buffer, len)) if (!read_stream(msi, entry->startSectorLocation, offset, buffer, len))
return 0; /* FAILED */ return 0; /* FAILED */
} }
return 1; return 1; /* OK */
} }
/* Parse MSI_FILE_HDR struct */ /* Parse MSI_FILE_HDR struct */
@ -184,6 +245,11 @@ static MSI_ENTRY *parse_entry(const u_char *data)
{ {
MSI_ENTRY *entry = (MSI_ENTRY *)OPENSSL_malloc(sizeof(MSI_ENTRY)); MSI_ENTRY *entry = (MSI_ENTRY *)OPENSSL_malloc(sizeof(MSI_ENTRY));
entry->nameLen = GET_UINT16_LE(data + DIRENT_NAME_LEN); entry->nameLen = GET_UINT16_LE(data + DIRENT_NAME_LEN);
if (entry->nameLen == 0 || entry->nameLen > 64) {
printf("Corrupted file\n");
OPENSSL_free(entry);
return NULL; /* FAILED */
}
memcpy(entry->name, data + DIRENT_NAME, entry->nameLen); memcpy(entry->name, data + DIRENT_NAME, entry->nameLen);
entry->type = GET_UINT8_LE(data + DIRENT_TYPE); entry->type = GET_UINT8_LE(data + DIRENT_TYPE);
entry->colorFlag = GET_UINT8_LE(data + DIRENT_COLOUR); entry->colorFlag = GET_UINT8_LE(data + DIRENT_COLOUR);
@ -223,8 +289,15 @@ static MSI_ENTRY *get_entry(MSI_FILE *msi, uint32_t entryID, int is_root)
printf("Invalid argument entryID\n"); printf("Invalid argument entryID\n");
return NULL; /* FAILED */ return NULL; /* FAILED */
} }
locate_final_sector(msi, msi->m_hdr->firstDirectorySectorLocation, entryID * sizeof(MSI_ENTRY), &sector, &offset); if (!locate_final_sector(msi, msi->m_hdr->firstDirectorySectorLocation, entryID * sizeof(MSI_ENTRY), &sector, &offset)) {
printf("Failed to locate a final sector\n");
return NULL; /* FAILED */
}
address = sector_offset_to_address(msi, sector, offset); address = sector_offset_to_address(msi, sector, offset);
if (!address) {
printf("Failed to get a final address\n");
return 0; /* FAILED */
}
return parse_entry(address); return parse_entry(address);
} }
@ -254,6 +327,7 @@ MSI_FILE *msi_file_new(char *buffer, uint32_t len)
if (msi->m_bufferLen < sizeof *(msi->m_hdr) || if (msi->m_bufferLen < sizeof *(msi->m_hdr) ||
memcmp(msi->m_hdr->signature, msi_magic, sizeof msi_magic)) { memcmp(msi->m_hdr->signature, msi_magic, sizeof msi_magic)) {
printf("Wrong file format\n"); printf("Wrong file format\n");
msi_file_free(msi);
return NULL; /* FAILED */ return NULL; /* FAILED */
} }
msi->m_sectorSize = msi->m_hdr->majorVersion == 3 ? 512 : 4096; msi->m_sectorSize = msi->m_hdr->majorVersion == 3 ? 512 : 4096;
@ -261,10 +335,13 @@ MSI_FILE *msi_file_new(char *buffer, uint32_t len)
/* The file must contains at least 3 sectors */ /* The file must contains at least 3 sectors */
if (msi->m_bufferLen < msi->m_sectorSize * 3) { if (msi->m_bufferLen < msi->m_sectorSize * 3) {
printf("The file must contains at least 3 sectors\n"); printf("The file must contains at least 3 sectors\n");
msi_file_free(msi);
return NULL; /* FAILED */ return NULL; /* FAILED */
} }
root = msi_root_entry_get(msi); root = msi_root_entry_get(msi);
if (root == NULL) { if (root == NULL) {
printf("Failed to get msi root entry\n");
msi_file_free(msi);
return NULL; /* FAILED */ return NULL; /* FAILED */
} }
msi->m_miniStreamStartSector = root->startSectorLocation; msi->m_miniStreamStartSector = root->startSectorLocation;
@ -285,6 +362,10 @@ MSI_DIRENT *msi_dirent_new(MSI_FILE *msi, MSI_ENTRY *entry, MSI_DIRENT *parent)
if (!entry) { if (!entry) {
return NULL; return NULL;
} }
if (entry->nameLen == 0 || entry->nameLen > 64) {
printf("Corrupted file\n");
return NULL; /* FAILED */
}
dirent = (MSI_DIRENT *)OPENSSL_malloc(sizeof(MSI_DIRENT)); dirent = (MSI_DIRENT *)OPENSSL_malloc(sizeof(MSI_DIRENT));
memcpy(dirent->name, entry->name, entry->nameLen); memcpy(dirent->name, entry->name, entry->nameLen);
dirent->nameLen = entry->nameLen; dirent->nameLen = entry->nameLen;
@ -293,7 +374,11 @@ MSI_DIRENT *msi_dirent_new(MSI_FILE *msi, MSI_ENTRY *entry, MSI_DIRENT *parent)
dirent->children = sk_MSI_DIRENT_new_null(); dirent->children = sk_MSI_DIRENT_new_null();
if (parent != NULL) { if (parent != NULL) {
sk_MSI_DIRENT_push(parent->children, dirent); if (!sk_MSI_DIRENT_push(parent->children, dirent)) {
printf("Failed to insert MSI_DIRENT\n");
msi_dirent_free(dirent);
return NULL; /* FAILED */
}
} }
/* NOTE : These links are a tree, not a linked list */ /* NOTE : These links are a tree, not a linked list */
msi_dirent_new(msi, get_entry(msi, entry->leftSiblingID, FALSE), parent); msi_dirent_new(msi, get_entry(msi, entry->leftSiblingID, FALSE), parent);
@ -460,7 +545,8 @@ int msi_hash_dir(MSI_FILE *msi, MSI_DIRENT *dirent, BIO *hash, int is_root)
} }
indata = (char *)OPENSSL_malloc(inlen); indata = (char *)OPENSSL_malloc(inlen);
if (!msi_file_read(msi, child->entry, 0, indata, inlen)) { if (!msi_file_read(msi, child->entry, 0, indata, inlen)) {
printf("Read stream data error\n\n"); printf("Failed to read stream data\n");
OPENSSL_free(indata);
goto out; goto out;
} }
BIO_write(hash, indata, inlen); BIO_write(hash, indata, inlen);
@ -468,6 +554,7 @@ int msi_hash_dir(MSI_FILE *msi, MSI_DIRENT *dirent, BIO *hash, int is_root)
} }
if (child->type == DIR_STORAGE) { if (child->type == DIR_STORAGE) {
if (!msi_hash_dir(msi, child, hash, 0)) { if (!msi_hash_dir(msi, child, hash, 0)) {
printf("Failed to hash a MSI storage\n");
goto out; goto out;
} }
} }
@ -637,7 +724,7 @@ static int stream_read(MSI_FILE *msi, MSI_ENTRY *entry, u_char *p_msi, int len_m
inlen = len_msiex; inlen = len_msiex;
} else { } else {
if (!msi_file_read(msi, entry, 0, *indata, inlen)) { if (!msi_file_read(msi, entry, 0, *indata, inlen)) {
printf("Read stream data error\n"); printf("Failed to read stream data\n");
return 0; /* FAILED */ return 0; /* FAILED */
} }
} }

220
osslsigncode.c
View File

@ -826,6 +826,13 @@ static BIO *encode_rfc3161_request(PKCS7 *sig, const EVP_MD *md)
BIO *bout; BIO *bout;
u_char *p; u_char *p;
int len; int len;
STACK_OF(PKCS7_SIGNER_INFO) *signer_info = PKCS7_get_signer_info(sig);
if (!signer_info)
return NULL; /* FAILED */
si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0);
if (!si)
return NULL; /* FAILED */
mdctx = EVP_MD_CTX_new(); mdctx = EVP_MD_CTX_new();
if (!EVP_DigestInit(mdctx, md)) { if (!EVP_DigestInit(mdctx, md)) {
@ -833,7 +840,6 @@ static BIO *encode_rfc3161_request(PKCS7 *sig, const EVP_MD *md)
printf("Unable to set up the digest context\n"); printf("Unable to set up the digest context\n");
return NULL; /* FAILED */ return NULL; /* FAILED */
} }
si = sk_PKCS7_SIGNER_INFO_value(sig->d.sign->signer_info, 0);
EVP_DigestUpdate(mdctx, si->enc_digest->data, si->enc_digest->length); EVP_DigestUpdate(mdctx, si->enc_digest->data, si->enc_digest->length);
EVP_DigestFinal(mdctx, mdbuf, NULL); EVP_DigestFinal(mdctx, mdbuf, NULL);
EVP_MD_CTX_free(mdctx); EVP_MD_CTX_free(mdctx);
@ -869,11 +875,17 @@ static BIO *encode_authenticode_request(PKCS7 *sig)
BIO *bout, *b64; BIO *bout, *b64;
u_char *p; u_char *p;
int len; int len;
STACK_OF(PKCS7_SIGNER_INFO) *signer_info = PKCS7_get_signer_info(sig);
if (!signer_info)
return 0; /* FAILED */
si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0);
if (!si)
return 0; /* FAILED */
req = TimeStampRequest_new(); req = TimeStampRequest_new();
req->type = OBJ_txt2obj(SPC_TIME_STAMP_REQUEST_OBJID, 1); req->type = OBJ_txt2obj(SPC_TIME_STAMP_REQUEST_OBJID, 1);
req->blob->type = OBJ_nid2obj(NID_pkcs7_data); req->blob->type = OBJ_nid2obj(NID_pkcs7_data);
si = sk_PKCS7_SIGNER_INFO_value(sig->d.sign->signer_info, 0);
req->blob->signature = si->enc_digest; req->blob->signature = si->enc_digest;
len = i2d_TimeStampRequest(req, NULL); len = i2d_TimeStampRequest(req, NULL);
@ -904,6 +916,13 @@ static int decode_rfc3161_response(PKCS7 *sig, BIO *bin, int verbose)
TimeStampResp *reply; TimeStampResp *reply;
u_char *p; u_char *p;
int len; int len;
STACK_OF(PKCS7_SIGNER_INFO) *signer_info = PKCS7_get_signer_info(sig);
if (!signer_info)
return 1; /* FAILED */
si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0);
if (!si)
return 1; /* FAILED */
reply = ASN1_item_d2i_bio(ASN1_ITEM_rptr(TimeStampResp), bin, NULL); reply = ASN1_item_d2i_bio(ASN1_ITEM_rptr(TimeStampResp), bin, NULL);
BIO_free_all(bin); BIO_free_all(bin);
@ -931,7 +950,6 @@ static int decode_rfc3161_response(PKCS7 *sig, BIO *bin, int verbose)
attrs = X509at_add1_attr_by_txt(&attrs, SPC_RFC3161_OBJID, V_ASN1_SET, p, len); attrs = X509at_add1_attr_by_txt(&attrs, SPC_RFC3161_OBJID, V_ASN1_SET, p, len);
OPENSSL_free(p); OPENSSL_free(p);
si = sk_PKCS7_SIGNER_INFO_value(sig->d.sign->signer_info, 0);
PKCS7_set_attributes(si, attrs); PKCS7_set_attributes(si, attrs);
sk_X509_ATTRIBUTE_pop_free(attrs, X509_ATTRIBUTE_free); sk_X509_ATTRIBUTE_pop_free(attrs, X509_ATTRIBUTE_free);
return 0; /* OK */ return 0; /* OK */
@ -950,6 +968,7 @@ static int decode_authenticode_response(PKCS7 *sig, BIO *bin, int verbose)
BIO* b64, *b64_bin; BIO* b64, *b64_bin;
u_char *p; u_char *p;
int len, i; int len, i;
STACK_OF(PKCS7_SIGNER_INFO) *signer_info;
b64 = BIO_new(BIO_f_base64()); b64 = BIO_new(BIO_f_base64());
if (!blob_has_nl) if (!blob_has_nl)
@ -963,7 +982,12 @@ static int decode_authenticode_response(PKCS7 *sig, BIO *bin, int verbose)
for(i = sk_X509_num(p7->d.sign->cert)-1; i>=0; i--) for(i = sk_X509_num(p7->d.sign->cert)-1; i>=0; i--)
PKCS7_add_certificate(sig, sk_X509_value(p7->d.sign->cert, i)); PKCS7_add_certificate(sig, sk_X509_value(p7->d.sign->cert, i));
info = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0); signer_info = PKCS7_get_signer_info(p7);
if (!signer_info)
return 1; /* FAILED */
info = sk_PKCS7_SIGNER_INFO_value(signer_info, 0);
if (!info)
return 1; /* FAILED */
if (((len = i2d_PKCS7_SIGNER_INFO(info, NULL)) <= 0) || (p = OPENSSL_malloc(len)) == NULL) { if (((len = i2d_PKCS7_SIGNER_INFO(info, NULL)) <= 0) || (p = OPENSSL_malloc(len)) == NULL) {
if (verbose) { if (verbose) {
printf("Failed to convert signer info: %d\n", len); printf("Failed to convert signer info: %d\n", len);
@ -980,7 +1004,12 @@ static int decode_authenticode_response(PKCS7 *sig, BIO *bin, int verbose)
attrs = X509at_add1_attr_by_txt(&attrs, PKCS9_COUNTER_SIGNATURE, V_ASN1_SET, p, len); attrs = X509at_add1_attr_by_txt(&attrs, PKCS9_COUNTER_SIGNATURE, V_ASN1_SET, p, len);
OPENSSL_free(p); OPENSSL_free(p);
si = sk_PKCS7_SIGNER_INFO_value(sig->d.sign->signer_info, 0); signer_info = PKCS7_get_signer_info(sig);
if (!signer_info)
return 1; /* FAILED */
si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0);
if (!si)
return 1; /* FAILED */
/* /*
* PKCS7_set_attributes() frees up all elements of si->unauth_attr * PKCS7_set_attributes() frees up all elements of si->unauth_attr
* and sets there a copy of attrs so overrides the previous timestamp * and sets there a copy of attrs so overrides the previous timestamp
@ -1751,14 +1780,13 @@ static int set_indirect_data_blob(PKCS7 *sig, BIO *hash, file_type_t type,
static uint32_t pe_calc_checksum(BIO *bio, FILE_HEADER *header) static uint32_t pe_calc_checksum(BIO *bio, FILE_HEADER *header)
{ {
uint32_t checkSum = 0, size = 0; uint32_t checkSum = 0, size = 0;
unsigned short val; static u_char buf[65536]; /* 2^16 */
unsigned short *buf;
int nread; int nread;
/* recalculate the checksum */ /* recalculate the checksum */
buf = OPENSSL_malloc(sizeof(unsigned short)*32768);
(void)BIO_seek(bio, 0); (void)BIO_seek(bio, 0);
while ((nread = BIO_read(bio, buf, sizeof(unsigned short)*32768)) > 0) { while ((nread = BIO_read(bio, buf, 65536)) > 0) {
unsigned short val;
int i; int i;
for (i = 0; i < nread / 2; i++) { for (i = 0; i < nread / 2; i++) {
val = buf[i]; val = buf[i];
@ -1769,7 +1797,6 @@ static uint32_t pe_calc_checksum(BIO *bio, FILE_HEADER *header)
size += 2; size += 2;
} }
} }
OPENSSL_free(buf);
checkSum = 0xffff & (checkSum + (checkSum >> 0x10)); checkSum = 0xffff & (checkSum + (checkSum >> 0x10));
checkSum += size; checkSum += size;
return checkSum; return checkSum;
@ -1880,10 +1907,13 @@ static int print_time_t(const time_t time)
} }
static time_t asn1_get_time_t(ASN1_TIME *s) static time_t asn1_get_time_t(const ASN1_TIME *s)
{ {
struct tm tm; struct tm tm;
if ((s == NULL) || (!ASN1_TIME_check(s))) {
return INVALID_TIME;
}
if (ASN1_TIME_to_tm(s, &tm)) { if (ASN1_TIME_to_tm(s, &tm)) {
return mktime(&tm); return mktime(&tm);
} else { } else {
@ -2105,7 +2135,7 @@ static int cms_print_timestamp(CMS_ContentInfo *cms, time_t time)
char *issuer_name, *serial; char *issuer_name, *serial;
BIGNUM *serialbn; BIGNUM *serialbn;
X509_ALGOR *pdig; X509_ALGOR *pdig;
X509_NAME *issuer; X509_NAME *issuer = NULL;
sinfos = CMS_get0_SignerInfos(cms); sinfos = CMS_get0_SignerInfos(cms);
if (sinfos == NULL) if (sinfos == NULL)
@ -2120,7 +2150,7 @@ static int cms_print_timestamp(CMS_ContentInfo *cms, time_t time)
return 0; /* FAILED */ return 0; /* FAILED */
md_nid = OBJ_obj2nid(pdig->algorithm); md_nid = OBJ_obj2nid(pdig->algorithm);
printf("Hash Algorithm: %s\n", (md_nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(md_nid)); printf("Hash Algorithm: %s\n", (md_nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(md_nid));
if (!CMS_SignerInfo_get0_signer_id(si, NULL, &issuer, &serialno) || !issuer || !serialno) if (!CMS_SignerInfo_get0_signer_id(si, NULL, &issuer, &serialno) || !issuer)
return 0; /* FAILED */ return 0; /* FAILED */
issuer_name = X509_NAME_oneline(issuer, NULL, 0); issuer_name = X509_NAME_oneline(issuer, NULL, 0);
serialbn = ASN1_INTEGER_to_BN(serialno, NULL); serialbn = ASN1_INTEGER_to_BN(serialno, NULL);
@ -2282,7 +2312,9 @@ static void get_signed_attributes(SIGNATURE *signature, STACK_OF(X509_ATTRIBUTE)
if (value == NULL) if (value == NULL)
continue; continue;
data = ASN1_STRING_get0_data(value); data = ASN1_STRING_get0_data(value);
opus = d2i_SpcSpOpusInfo(NULL, &data, value->length); opus = d2i_SpcSpOpusInfo(NULL, &data, ASN1_STRING_length(value));
if (opus == NULL)
continue;
if (opus->moreInfo && opus->moreInfo->type == 0) if (opus->moreInfo && opus->moreInfo->type == 0)
signature->url = OPENSSL_strdup((char *)opus->moreInfo->value.url->data); signature->url = OPENSSL_strdup((char *)opus->moreInfo->value.url->data);
if (opus->programName) { if (opus->programName) {
@ -2355,9 +2387,12 @@ static void get_unsigned_attributes(STACK_OF(SIGNATURE) **signatures, SIGNATURE
if (value == NULL) if (value == NULL)
continue; continue;
data = ASN1_STRING_get0_data(value); data = ASN1_STRING_get0_data(value);
countersi = d2i_PKCS7_SIGNER_INFO(NULL, &data, value->length); countersi = d2i_PKCS7_SIGNER_INFO(NULL, &data, ASN1_STRING_length(value));
if (countersi == NULL) if (countersi == NULL) {
printf("Error: Authenticode Timestamp could not be decoded correctly\n");
ERR_print_errors_fp(stdout);
continue; continue;
}
time = si_get_time(countersi); time = si_get_time(countersi);
if (time != INVALID_TIME) { if (time != INVALID_TIME) {
timestamp = cms_get_timestamp(p7->d.sign, countersi); timestamp = cms_get_timestamp(p7->d.sign, countersi);
@ -2365,11 +2400,10 @@ static void get_unsigned_attributes(STACK_OF(SIGNATURE) **signatures, SIGNATURE
signature->time = time; signature->time = time;
signature->timestamp = timestamp; signature->timestamp = timestamp;
} else { } else {
printf("Error: Authenticode Timestamp could not be decoded correctly\n\n"); printf("Error: Corrupt Authenticode Timestamp embedded content\n");
PKCS7_SIGNER_INFO_free(countersi);
} }
} else { } else {
printf("Error: PKCS9_TIMESTAMP_SIGNING_TIME attribute not found\n\n"); printf("Error: PKCS9_TIMESTAMP_SIGNING_TIME attribute not found\n");
PKCS7_SIGNER_INFO_free(countersi); PKCS7_SIGNER_INFO_free(countersi);
} }
} else if (!strcmp(object_txt, SPC_RFC3161_OBJID)) { } else if (!strcmp(object_txt, SPC_RFC3161_OBJID)) {
@ -2380,18 +2414,19 @@ static void get_unsigned_attributes(STACK_OF(SIGNATURE) **signatures, SIGNATURE
if (value == NULL) if (value == NULL)
continue; continue;
data = ASN1_STRING_get0_data(value); data = ASN1_STRING_get0_data(value);
timestamp = d2i_CMS_ContentInfo(NULL, &data, value->length); timestamp = d2i_CMS_ContentInfo(NULL, &data, ASN1_STRING_length(value));
if (timestamp) { if (timestamp == NULL) {
printf("Error: RFC3161 Timestamp could not be decoded correctly\n");
ERR_print_errors_fp(stdout);
continue;
}
time = cms_get_time(timestamp); time = cms_get_time(timestamp);
if (time != INVALID_TIME) { if (time != INVALID_TIME) {
signature->time = time; signature->time = time;
signature->timestamp = timestamp; signature->timestamp = timestamp;
} else { } else {
printf("Error: Corrupt RFC3161 Timestamp embedded content\n\n"); printf("Error: Corrupt RFC3161 Timestamp embedded content\n");
ERR_print_errors_fp(stdout); CMS_ContentInfo_free(timestamp);
}
} else {
printf("Error: RFC3161 Timestamp could not be decoded correctly\n\n");
ERR_print_errors_fp(stdout); ERR_print_errors_fp(stdout);
} }
} else if (allownest && !strcmp(object_txt, SPC_NESTED_SIGNATURE_OBJID)) { } else if (allownest && !strcmp(object_txt, SPC_NESTED_SIGNATURE_OBJID)) {
@ -2402,9 +2437,12 @@ static void get_unsigned_attributes(STACK_OF(SIGNATURE) **signatures, SIGNATURE
if (value == NULL) if (value == NULL)
continue; continue;
data = ASN1_STRING_get0_data(value); data = ASN1_STRING_get0_data(value);
nested = d2i_PKCS7(NULL, &data, value->length); nested = d2i_PKCS7(NULL, &data, ASN1_STRING_length(value));
if (nested) if (nested)
(void)append_signature_list(signatures, nested, 0); if (!append_signature_list(signatures, nested, 0)) {
printf("Failed to append signature list\n\n");
PKCS7_free(nested);
}
} }
} else if (!strcmp(object_txt, SPC_UNAUTHENTICATED_DATA_BLOB_OBJID)) { } else if (!strcmp(object_txt, SPC_UNAUTHENTICATED_DATA_BLOB_OBJID)) {
/* Unauthenticated Data Blob - Policy OID: 1.3.6.1.4.1.42921.1.2.1 */ /* Unauthenticated Data Blob - Policy OID: 1.3.6.1.4.1.42921.1.2.1 */
@ -2419,9 +2457,12 @@ static int append_signature_list(STACK_OF(SIGNATURE) **signatures, PKCS7 *p7, in
SIGNATURE *signature = NULL; SIGNATURE *signature = NULL;
PKCS7_SIGNER_INFO *si; PKCS7_SIGNER_INFO *si;
STACK_OF(X509_ATTRIBUTE) *auth_attr, *unauth_attr; STACK_OF(X509_ATTRIBUTE) *auth_attr, *unauth_attr;
STACK_OF(PKCS7_SIGNER_INFO) *signer_info = PKCS7_get_signer_info(p7);
si = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0); if (!signer_info)
if (si == NULL) return 0; /* FAILED */
si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0);
if (!si)
return 0; /* FAILED */ return 0; /* FAILED */
signature = OPENSSL_malloc(sizeof(SIGNATURE)); signature = OPENSSL_malloc(sizeof(SIGNATURE));
@ -2446,6 +2487,7 @@ static int append_signature_list(STACK_OF(SIGNATURE) **signatures, PKCS7 *p7, in
get_unsigned_attributes(signatures, signature, unauth_attr, p7, allownest); get_unsigned_attributes(signatures, signature, unauth_attr, p7, allownest);
if (!sk_SIGNATURE_unshift(*signatures, signature)) { if (!sk_SIGNATURE_unshift(*signatures, signature)) {
printf("Failed to insert signature\n");
signature_free(signature); signature_free(signature);
return 0; /* FAILED */ return 0; /* FAILED */
} }
@ -2550,21 +2592,26 @@ static int pkcs7_set_nested_signature(PKCS7 *p7, PKCS7 *p7nest, time_t signing_t
u_char *p = NULL; u_char *p = NULL;
int len = 0; int len = 0;
PKCS7_SIGNER_INFO *si; PKCS7_SIGNER_INFO *si;
STACK_OF(PKCS7_SIGNER_INFO) *signer_info = PKCS7_get_signer_info(p7);
if (!signer_info)
return 0; /* FAILED */
si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0);
if (!si)
return 0; /* FAILED */
if (((len = i2d_PKCS7(p7nest, NULL)) <= 0) || if (((len = i2d_PKCS7(p7nest, NULL)) <= 0) ||
(p = OPENSSL_malloc(len)) == NULL) (p = OPENSSL_malloc(len)) == NULL)
return 0; return 0; /* FAILED */
i2d_PKCS7(p7nest, &p); i2d_PKCS7(p7nest, &p);
p -= len; p -= len;
si = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0);
pkcs7_add_signing_time(si, signing_time); pkcs7_add_signing_time(si, signing_time);
if (!append_nested_signature(&(si->unauth_attr), p, len)) { if (!append_nested_signature(&(si->unauth_attr), p, len)) {
OPENSSL_free(p); OPENSSL_free(p);
return 0; return 0; /* FAILED */
} }
OPENSSL_free(p); OPENSSL_free(p);
return 1; return 1; /* OK */
} }
static char *get_clrdp_url(X509 *cert) static char *get_clrdp_url(X509 *cert)
@ -2646,6 +2693,7 @@ static int verify_timestamp(SIGNATURE *signature, GLOBAL_OPTIONS *options)
{ {
X509_STORE *store; X509_STORE *store;
STACK_OF(CMS_SignerInfo) *sinfos; STACK_OF(CMS_SignerInfo) *sinfos;
STACK_OF(PKCS7_SIGNER_INFO) *signer_info;
CMS_SignerInfo *cmssi; CMS_SignerInfo *cmssi;
X509 *signer; X509 *signer;
STACK_OF(X509_CRL) *crls; STACK_OF(X509_CRL) *crls;
@ -2715,7 +2763,12 @@ static int verify_timestamp(SIGNATURE *signature, GLOBAL_OPTIONS *options)
} }
/* verify the hash provided from the trusted timestamp */ /* verify the hash provided from the trusted timestamp */
si = sk_PKCS7_SIGNER_INFO_value(signature->p7->d.sign->signer_info, 0); signer_info = PKCS7_get_signer_info(signature->p7);
if (!signer_info)
goto out;
si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0);
if (!si)
goto out;
if (!TST_verify(signature->timestamp, si)) if (!TST_verify(signature->timestamp, si))
goto out; goto out;
@ -2861,6 +2914,9 @@ static int msi_verify_header(char *indata, uint32_t filesize, MSI_PARAMS *msipar
return 0; /* FAILED */ return 0; /* FAILED */
} }
root = msi_root_entry_get(msiparams->msi); root = msi_root_entry_get(msiparams->msi);
if (!root) {
return 0; /* FAILED */
}
msiparams->dirent = msi_dirent_new(msiparams->msi, root, NULL); msiparams->dirent = msi_dirent_new(msiparams->msi, root, NULL);
hdr = msi_header_get(msiparams->msi); hdr = msi_header_get(msiparams->msi);
@ -2938,11 +2994,19 @@ static int msi_verify_pkcs7(SIGNATURE *signature, MSI_FILE *msi, MSI_DIRENT *dir
printf("Message digest algorithm : %s\n", OBJ_nid2sn(mdtype)); printf("Message digest algorithm : %s\n", OBJ_nid2sn(mdtype));
md = EVP_get_digestbynid(mdtype); md = EVP_get_digestbynid(mdtype);
hash = BIO_new(BIO_f_md()); hash = BIO_new(BIO_f_md());
BIO_set_md(hash, md); if (!BIO_set_md(hash, md)) {
printf("Unable to set the message digest of BIO\n");
BIO_free_all(hash);
goto out;
}
BIO_push(hash, BIO_new(BIO_s_null())); BIO_push(hash, BIO_new(BIO_s_null()));
if (exdata) { if (exdata) {
BIO *prehash = BIO_new(BIO_f_md()); BIO *prehash = BIO_new(BIO_f_md());
BIO_set_md(prehash, md); if (!BIO_set_md(prehash, md)) {
printf("Unable to set the message digest of BIO\n");
BIO_free_all(prehash);
goto out;
}
BIO_push(prehash, BIO_new(BIO_s_null())); BIO_push(prehash, BIO_new(BIO_s_null()));
tohex((u_char *)exdata, hexbuf, exlen); tohex((u_char *)exdata, hexbuf, exlen);
@ -2977,10 +3041,9 @@ static int msi_verify_pkcs7(SIGNATURE *signature, MSI_FILE *msi, MSI_DIRENT *dir
printf("Signature verification: failed\n\n"); printf("Signature verification: failed\n\n");
goto out; goto out;
} }
ret = verify_signature(signature, options); ret = verify_signature(signature, options);
out: out:
if (!ret) if (ret)
ERR_print_errors_fp(stdout); ERR_print_errors_fp(stdout);
return ret; return ret;
} }
@ -3024,7 +3087,6 @@ static int msi_verify_file(MSI_PARAMS *msiparams, GLOBAL_OPTIONS *options)
printf("Failed to extract PKCS7 data\n\n"); printf("Failed to extract PKCS7 data\n\n");
goto out; goto out;
} }
if (!append_signature_list(&signatures, p7, 1)) { if (!append_signature_list(&signatures, p7, 1)) {
printf("Failed to create signature list\n\n"); printf("Failed to create signature list\n\n");
PKCS7_free(p7); PKCS7_free(p7);
@ -3150,7 +3212,11 @@ static int msi_remove_file(MSI_PARAMS *msiparams, BIO *outdata)
static int msi_calc_MsiDigitalSignatureEx(MSI_PARAMS *msiparams, const EVP_MD *md, BIO *hash) static int msi_calc_MsiDigitalSignatureEx(MSI_PARAMS *msiparams, const EVP_MD *md, BIO *hash)
{ {
BIO *prehash = BIO_new(BIO_f_md()); BIO *prehash = BIO_new(BIO_f_md());
BIO_set_md(prehash, md); if (!BIO_set_md(prehash, md)) {
printf("Unable to set the message digest of BIO\n");
BIO_free_all(prehash);
return 0; /* FAILED */
}
BIO_push(prehash, BIO_new(BIO_s_null())); BIO_push(prehash, BIO_new(BIO_s_null()));
if (!msi_prehash_dir(msiparams->dirent, prehash, 1)) { if (!msi_prehash_dir(msiparams->dirent, prehash, 1)) {
@ -3227,7 +3293,7 @@ err:
return ret; return ret;
} }
static void pe_extract_page_hash(SpcAttributeTypeAndOptionalValue *obj, static int pe_extract_page_hash(SpcAttributeTypeAndOptionalValue *obj,
u_char **ph, int *phlen, int *phtype) u_char **ph, int *phlen, int *phtype)
{ {
const u_char *blob; const u_char *blob;
@ -3237,19 +3303,21 @@ static void pe_extract_page_hash(SpcAttributeTypeAndOptionalValue *obj,
char buf[128]; char buf[128];
*phlen = 0; *phlen = 0;
if (!obj || !obj->value)
return 0; /* FAILED */
blob = obj->value->value.sequence->data; blob = obj->value->value.sequence->data;
id = d2i_SpcPeImageData(NULL, &blob, obj->value->value.sequence->length); id = d2i_SpcPeImageData(NULL, &blob, obj->value->value.sequence->length);
if (id == NULL) if (id == NULL)
return; return 0; /* FAILED */
if (id->file->type != 1) { if (id->file->type != 1) {
SpcPeImageData_free(id); SpcPeImageData_free(id);
return; return 1; /* OK - this is not SpcSerializedObject structure that contains page hashes */
} }
so = id->file->value.moniker; so = id->file->value.moniker;
if (so->classId->length != sizeof classid_page_hash || if (so->classId->length != sizeof classid_page_hash ||
memcmp(so->classId->data, classid_page_hash, sizeof classid_page_hash)) { memcmp(so->classId->data, classid_page_hash, sizeof classid_page_hash)) {
SpcPeImageData_free(id); SpcPeImageData_free(id);
return; return 0; /* FAILED */
} }
/* skip ASN.1 SET hdr */ /* skip ASN.1 SET hdr */
l = asn1_simple_hdr_len(so->serializedData->data, so->serializedData->length); l = asn1_simple_hdr_len(so->serializedData->data, so->serializedData->length);
@ -3257,7 +3325,7 @@ static void pe_extract_page_hash(SpcAttributeTypeAndOptionalValue *obj,
obj = d2i_SpcAttributeTypeAndOptionalValue(NULL, &blob, so->serializedData->length - l); obj = d2i_SpcAttributeTypeAndOptionalValue(NULL, &blob, so->serializedData->length - l);
SpcPeImageData_free(id); SpcPeImageData_free(id);
if (!obj) if (!obj)
return; return 0; /* FAILED */
*phtype = 0; *phtype = 0;
buf[0] = 0x00; buf[0] = 0x00;
@ -3268,7 +3336,7 @@ static void pe_extract_page_hash(SpcAttributeTypeAndOptionalValue *obj,
*phtype = NID_sha256; *phtype = NID_sha256;
} else { } else {
SpcAttributeTypeAndOptionalValue_free(obj); SpcAttributeTypeAndOptionalValue_free(obj);
return; return 0; /* FAILED */
} }
/* Skip ASN.1 SET hdr */ /* Skip ASN.1 SET hdr */
l2 = asn1_simple_hdr_len(obj->value->value.sequence->data, obj->value->value.sequence->length); l2 = asn1_simple_hdr_len(obj->value->value.sequence->data, obj->value->value.sequence->length);
@ -3279,6 +3347,7 @@ static void pe_extract_page_hash(SpcAttributeTypeAndOptionalValue *obj,
*ph = OPENSSL_malloc(*phlen); *ph = OPENSSL_malloc(*phlen);
memcpy(*ph, obj->value->value.sequence->data + l, *phlen); memcpy(*ph, obj->value->value.sequence->data + l, *phlen);
SpcAttributeTypeAndOptionalValue_free(obj); SpcAttributeTypeAndOptionalValue_free(obj);
return 1; /* OK */
} }
static int pe_verify_pkcs7(SIGNATURE *signature, char *indata, FILE_HEADER *header, static int pe_verify_pkcs7(SIGNATURE *signature, char *indata, FILE_HEADER *header,
@ -3297,7 +3366,11 @@ static int pe_verify_pkcs7(SIGNATURE *signature, char *indata, FILE_HEADER *head
const u_char *p = content_val->data; const u_char *p = content_val->data;
SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, content_val->length); SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, content_val->length);
if (idc) { if (idc) {
pe_extract_page_hash(idc->data, &ph, &phlen, &phtype); if (!pe_extract_page_hash(idc->data, &ph, &phlen, &phtype)) {
printf("Failed to extract a page hash\n\n");
SpcIndirectDataContent_free(idc);
goto out;
}
if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) { if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) {
mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm); mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm);
memcpy(mdbuf, idc->messageDigest->digest->data, idc->messageDigest->digest->length); memcpy(mdbuf, idc->messageDigest->digest->data, idc->messageDigest->digest->length);
@ -3344,7 +3417,7 @@ static int pe_verify_pkcs7(SIGNATURE *signature, char *indata, FILE_HEADER *head
ret = verify_signature(signature, options); ret = verify_signature(signature, options);
out: out:
if (!ret) if (ret)
ERR_print_errors_fp(stdout); ERR_print_errors_fp(stdout);
OPENSSL_free(ph); OPENSSL_free(ph);
return ret; return ret;
@ -3387,7 +3460,7 @@ static int pe_verify_file(char *indata, FILE_HEADER *header, GLOBAL_OPTIONS *opt
/* check PE checksum */ /* check PE checksum */
printf("Current PE checksum : %08X\n", header->pe_checksum); printf("Current PE checksum : %08X\n", header->pe_checksum);
bio = BIO_new_mem_buf(indata, header->sigpos + header->siglen); bio = BIO_new_mem_buf(indata, header->fileend);
real_pe_checksum = pe_calc_checksum(bio, header); real_pe_checksum = pe_calc_checksum(bio, header);
BIO_free(bio); BIO_free(bio);
if (header->pe_checksum && header->pe_checksum != real_pe_checksum) if (header->pe_checksum && header->pe_checksum != real_pe_checksum)
@ -3488,10 +3561,15 @@ static int pe_verify_header(char *indata, char *infile, uint32_t filesize, FILE_
/* Since fix for MS Bulletin MS12-024 we can really assume /* Since fix for MS Bulletin MS12-024 we can really assume
that signature should be last part of file */ that signature should be last part of file */
if (header->sigpos > 0 && header->sigpos < filesize && header->sigpos + header->siglen != filesize) { if ((header->sigpos > 0 && header->sigpos < filesize && header->sigpos + header->siglen != filesize)
|| (header->sigpos >= filesize)) {
printf("Corrupt PE file - current signature not at end of file: %s\n", infile); printf("Corrupt PE file - current signature not at end of file: %s\n", infile);
return 0; /* FAILED */ return 0; /* FAILED */
} }
if ((header->sigpos > 0 && header->siglen == 0) || (header->sigpos == 0 && header->siglen > 0)) {
printf("Corrupt signature\n");
return 0; /* FAILED */
}
return 1; /* OK */ return 1; /* OK */
} }
@ -3535,6 +3613,7 @@ static int cab_verify_header(char *indata, char *infile, uint32_t filesize, FILE
printf("Corrupt cab file - too short: %s\n", infile); printf("Corrupt cab file - too short: %s\n", infile);
ret = 0; /* FAILED */ ret = 0; /* FAILED */
} }
header->fileend = filesize;
reserved = GET_UINT32_LE(indata + 4); reserved = GET_UINT32_LE(indata + 4);
if (reserved) { if (reserved) {
printf("Reserved1: 0x%08X\n", reserved); printf("Reserved1: 0x%08X\n", reserved);
@ -3762,7 +3841,7 @@ static int cab_verify_pkcs7(SIGNATURE *signature, char *indata, FILE_HEADER *hea
ret = verify_signature(signature, options); ret = verify_signature(signature, options);
out: out:
if (!ret) if (ret)
ERR_print_errors_fp(stdout); ERR_print_errors_fp(stdout);
return ret; return ret;
} }
@ -3787,6 +3866,10 @@ static int cab_verify_file(char *indata, FILE_HEADER *header, GLOBAL_OPTIONS *op
printf("No signature found\n\n"); printf("No signature found\n\n");
goto out; goto out;
} }
if (header->sigpos == 0 || header->siglen == 0 || header->sigpos > header->fileend) {
printf("No signature found\n\n");
goto out;
}
p7 = extract_existing_pkcs7(indata, header); p7 = extract_existing_pkcs7(indata, header);
if (!p7) { if (!p7) {
printf("Failed to extract PKCS7 data\n\n"); printf("Failed to extract PKCS7 data\n\n");
@ -4071,6 +4154,7 @@ static int cat_verify_header(char *indata, uint32_t filesize, FILE_HEADER *heade
{ {
PKCS7 *p7; PKCS7 *p7;
PKCS7_SIGNER_INFO *si; PKCS7_SIGNER_INFO *si;
STACK_OF(PKCS7_SIGNER_INFO) *signer_info;
p7 = cat_extract_existing_pkcs7(indata, header); p7 = cat_extract_existing_pkcs7(indata, header);
if (!p7) { if (!p7) {
@ -4080,8 +4164,11 @@ static int cat_verify_header(char *indata, uint32_t filesize, FILE_HEADER *heade
PKCS7_free(p7); PKCS7_free(p7);
return 0; /* FAILED */ return 0; /* FAILED */
} }
si = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0); signer_info = PKCS7_get_signer_info(p7);
if (si == NULL) { if (!signer_info)
return 0; /* FAILED */
si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0);
if (!si) {
/* catalog file is unsigned */ /* catalog file is unsigned */
header->sigpos = filesize; header->sigpos = filesize;
} }
@ -4126,7 +4213,11 @@ static int cat_verify_member(CatalogAuthAttr *attribute, char *indata, FILE_HEAD
if (idc) { if (idc) {
if (header->sigpos) { if (header->sigpos) {
/* try to get a page hash if the file is signed */ /* try to get a page hash if the file is signed */
pe_extract_page_hash(idc->data, &ph, &phlen, &phtype); if (!pe_extract_page_hash(idc->data, &ph, &phlen, &phtype)) {
printf("Failed to extract a page hash\n\n");
SpcIndirectDataContent_free(idc);
goto out;
}
} }
if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) { if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) {
/* get a digest algorithm a message digest of the file from the content */ /* get a digest algorithm a message digest of the file from the content */
@ -4240,7 +4331,7 @@ static int cat_verify_pkcs7(SIGNATURE *signature, char *indata, FILE_HEADER *hea
} else { } else {
printf("File not found in the specified catalog.\n\n"); printf("File not found in the specified catalog.\n\n");
} }
if (!ret) if (ret)
ERR_print_errors_fp(stdout); ERR_print_errors_fp(stdout);
return ret; return ret;
} }
@ -4429,10 +4520,15 @@ static int add_unauthenticated_blob(PKCS7 *sig)
/* Length data for ASN1 attribute plus prefix */ /* Length data for ASN1 attribute plus prefix */
char prefix[] = "\x0c\x82\x04\x00---BEGIN_BLOB---"; char prefix[] = "\x0c\x82\x04\x00---BEGIN_BLOB---";
char postfix[] = "---END_BLOB---"; char postfix[] = "---END_BLOB---";
STACK_OF(PKCS7_SIGNER_INFO) *signer_info = PKCS7_get_signer_info(sig);
if (!signer_info)
return 0; /* FAILED */
si = sk_PKCS7_SIGNER_INFO_value(sig->d.sign->signer_info, 0); si = sk_PKCS7_SIGNER_INFO_value(sig->d.sign->signer_info, 0);
if (!si)
return 0; /* FAILED */
if ((p = OPENSSL_malloc(len)) == NULL) if ((p = OPENSSL_malloc(len)) == NULL)
return 1; /* FAILED */ return 0; /* FAILED */
memset(p, 0, len); memset(p, 0, len);
memcpy(p, prefix, sizeof prefix); memcpy(p, prefix, sizeof prefix);
memcpy(p + len - sizeof postfix, postfix, sizeof postfix); memcpy(p + len - sizeof postfix, postfix, sizeof postfix);
@ -4442,7 +4538,7 @@ static int add_unauthenticated_blob(PKCS7 *sig)
"unauthenticatedData", "unauthenticatedData"); "unauthenticatedData", "unauthenticatedData");
PKCS7_add_attribute(si, nid, V_ASN1_SEQUENCE, astr); PKCS7_add_attribute(si, nid, V_ASN1_SEQUENCE, astr);
OPENSSL_free(p); OPENSSL_free(p);
return 0; /* OK */ return 1; /* OK */
} }
/* /*
@ -5896,7 +5992,11 @@ int main(int argc, char **argv)
} }
hash = BIO_new(BIO_f_md()); hash = BIO_new(BIO_f_md());
BIO_set_md(hash, options.md); if (!BIO_set_md(hash, options.md)) {
printf("Unable to set the message digest of BIO\n");
BIO_free_all(hash);
goto err_cleanup;
}
if (cmd != CMD_VERIFY) { if (cmd != CMD_VERIFY) {
/* Create outdata file */ /* Create outdata file */
@ -5988,7 +6088,7 @@ int main(int argc, char **argv)
DO_EXIT_0("RFC 3161 timestamping failed\n"); DO_EXIT_0("RFC 3161 timestamping failed\n");
#endif /* ENABLE_CURL */ #endif /* ENABLE_CURL */
if (options.addBlob && add_unauthenticated_blob(sig)) if (options.addBlob && !add_unauthenticated_blob(sig))
DO_EXIT_0("Adding unauthenticated blob failed\n"); DO_EXIT_0("Adding unauthenticated blob failed\n");
#if 0 #if 0