2
* Copyright (C) 2011 Sourcefire, Inc.
6
* This program is free software; you can redistribute it and/or modify
7
* it under the terms of the GNU General Public License version 2 as
8
* published by the Free Software Foundation.
10
* This program is distributed in the hope that it will be useful,
11
* but WITHOUT ANY WARRANTY; without even the implied warranty of
12
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13
* GNU General Public License for more details.
15
* You should have received a copy of the GNU General Public License
16
* along with this program; if not, write to the Free Software
17
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
22
#include "clamav-config.h"
31
#include "matcher-hash.h"
33
/* --------------------------------------------------------------------------- OIDS */
34
#define OID_1_3_14_3_2_26 "\x2b\x0e\x03\x02\x1a"
35
#define OID_sha1 OID_1_3_14_3_2_26
37
#define OID_1_3_14_3_2_29 "\x2b\x0e\x03\x02\x1d"
38
#define OID_sha1WithRSA OID_1_3_14_3_2_29
40
#define OID_1_2_840_113549_1_1_1 "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"
41
#define OID_rsaEncryption OID_1_2_840_113549_1_1_1
43
#define OID_1_2_840_113549_1_1_4 "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04"
44
#define OID_md5WithRSAEncryption OID_1_2_840_113549_1_1_4
46
#define OID_1_2_840_113549_1_1_5 "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"
47
#define OID_sha1WithRSAEncryption OID_1_2_840_113549_1_1_5
49
#define OID_1_2_840_113549_1_7_1 "\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"
50
#define OID_pkcs7_data OID_1_2_840_113549_1_7_1
52
#define OID_1_2_840_113549_1_7_2 "\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
53
#define OID_signedData OID_1_2_840_113549_1_7_2
55
#define OID_1_2_840_113549_1_9_3 "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x03"
56
#define OID_contentType OID_1_2_840_113549_1_9_3
58
#define OID_1_2_840_113549_1_9_4 "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x04"
59
#define OID_messageDigest OID_1_2_840_113549_1_9_4
61
#define OID_1_2_840_113549_1_9_5 "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x05"
62
#define OID_signingTime OID_1_2_840_113549_1_9_5
64
#define OID_1_2_840_113549_2_5 "\x2a\x86\x48\x86\xf7\x0d\x02\x05"
65
#define OID_md5 OID_1_2_840_113549_2_5
67
#define OID_1_2_840_113549_1_9_6 "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x06"
68
#define OID_countersignature OID_1_2_840_113549_1_9_6
71
#define OID_1_3_6_1_4_1_311_2_1_4 "\x2b\x06\x01\x04\x01\x82\x37\x02\x01\x04"
72
#define OID_SPC_INDIRECT_DATA_OBJID OID_1_3_6_1_4_1_311_2_1_4
74
#define OID_1_3_6_1_4_1_311_2_1_15 "\x2b\x06\x01\x04\x01\x82\x37\x02\x01\x0f"
75
#define OID_SPC_PE_IMAGE_DATA_OBJID OID_1_3_6_1_4_1_311_2_1_15
77
#define OID_1_3_6_1_4_1_311_2_1_25 "\x2b\x06\x01\x04\x01\x82\x37\x02\x01\x19"
78
#define OID_SPC_CAB_DATA_OBJID OID_1_3_6_1_4_1_311_2_1_25
80
#define OID_1_3_6_1_4_1_311_10_1 "\x2b\x06\x01\x04\x01\x82\x37\x0a\x01"
81
#define OID_szOID_CTL OID_1_3_6_1_4_1_311_10_1
83
#define OID_1_3_6_1_4_1_311_12_1_1 "\x2b\x06\x01\x04\x01\x82\x37\x0c\x01\x01"
84
#define OID_szOID_CATALOG_LIST OID_1_3_6_1_4_1_311_12_1_1
86
#define OID_1_3_6_1_4_1_311_12_1_2 "\x2b\x06\x01\x04\x01\x82\x37\x0c\x01\x02"
87
#define OID_szOID_CATALOG_LIST_MEMBER OID_1_3_6_1_4_1_311_12_1_2
89
#define lenof(x) (sizeof((x))-1)
90
/* --------------------------------------------------------------------------- OIDS */
99
static int map_sha1(fmap_t *map, const void *data, unsigned int len, uint8_t sha1[SHA1_HASH_SIZE]) {
101
if(!fmap_need_ptr_once(map, data, len)) {
102
cli_dbgmsg("map_sha1: failed to read hash data\n");
107
unsigned int todo = MIN(len, map->pgsz);
108
SHA1Update(&ctx, data, todo);
109
data = (uint8_t *)data + todo;
112
SHA1Final(&ctx, sha1);
116
static int map_md5(fmap_t *map, const void *data, unsigned int len, uint8_t *md5) {
118
if(!fmap_need_ptr_once(map, data, len)) {
119
cli_dbgmsg("map_md5: failed to read hash data\n");
124
unsigned int todo = MIN(len, map->pgsz);
125
cli_md5_update(&ctx, data, len);
126
data = (uint8_t *)data + todo;
129
cli_md5_final(md5, &ctx);
134
static int asn1_get_obj(fmap_t *map, const void *asn1data, unsigned int *asn1len, struct cli_asn1 *obj) {
135
unsigned int asn1_sz = *asn1len;
136
unsigned int readbytes = MIN(6, asn1_sz), i;
140
cli_dbgmsg("asn1_get_obj: insufficient data length\n");
143
data = fmap_need_ptr_once(map, asn1data, readbytes);
145
cli_dbgmsg("asn1_get_obj: obj out of file\n");
154
/* Not allowed in DER */
155
cli_dbgmsg("asn1_get_obj: unsupported indefinite length object\n");
159
if(i > readbytes - 2) {
160
cli_dbgmsg("asn1_get_obj: len octets overflow (or just too many)\n");
172
asn1_sz -= data - (uint8_t *)asn1data;
173
if(obj->size > asn1_sz) {
174
cli_dbgmsg("asn1_get_obj: content overflow\n");
179
if(obj->size == asn1_sz)
182
obj->next = data + obj->size;
183
*asn1len = asn1_sz - obj->size;
187
static int asn1_expect_objtype(fmap_t *map, const void *asn1data, unsigned int *asn1len, struct cli_asn1 *obj, uint8_t type) {
188
int ret = asn1_get_obj(map, asn1data, asn1len, obj);
191
if(obj->type != type) {
192
cli_dbgmsg("asn1_expect_objtype: expected type %02x, got %02x\n", type, obj->type);
198
static int asn1_expect_obj(fmap_t *map, const void **asn1data, unsigned int *asn1len, uint8_t type, unsigned int size, const void *content) {
200
int ret = asn1_expect_objtype(map, *asn1data, asn1len, &obj, type);
203
if(obj.size != size) {
204
cli_dbgmsg("asn1_expect_obj: expected size %u, got %u\n", size, obj.size);
208
if(!fmap_need_ptr_once(map, obj.content, size)) {
209
cli_dbgmsg("asn1_expect_obj: failed to read content\n");
212
if(memcmp(obj.content, content, size)) {
213
cli_dbgmsg("asn1_expect_obj: content mismatch\n");
217
*asn1data = obj.next;
221
static int asn1_expect_algo(fmap_t *map, const void **asn1data, unsigned int *asn1len, unsigned int algo_size, const void *algo) {
225
if((ret = asn1_expect_objtype(map, *asn1data, asn1len, &obj, 0x30))) /* SEQUENCE */
228
*asn1data = obj.next;
230
if((ret = asn1_expect_obj(map, &obj.content, &avail, 0x06, algo_size, algo))) /* ALGO */
232
if(avail && (ret = asn1_expect_obj(map, &obj.content, &avail, 0x05, 0, NULL))) /* NULL */
235
cli_dbgmsg("asn1_expect_algo: extra data found in SEQUENCE\n");
242
static int asn1_expect_rsa(fmap_t *map, const void **asn1data, unsigned int *asn1len, cli_crt_hashtype *hashtype) {
246
if((ret = asn1_expect_objtype(map, *asn1data, asn1len, &obj, 0x30))) /* SEQUENCE */
249
*asn1data = obj.next;
251
if(asn1_expect_objtype(map, obj.content, &avail, &obj, 0x06))
253
if(obj.size != lenof(OID_sha1WithRSA) && obj.size != lenof(OID_sha1WithRSAEncryption)) { /* lenof(OID_sha1WithRSAEncryption) = lenof(OID_md5WithRSAEncryption) = 9 */
254
cli_dbgmsg("asn1_expect_rsa: expecting OID with size 5 or 9, got %02x with size %u\n", obj.type, obj.size);
257
if(!fmap_need_ptr_once(map, obj.content, obj.size)) {
258
cli_dbgmsg("asn1_expect_rsa: failed to read OID\n");
261
if(obj.size == lenof(OID_sha1WithRSA) && !memcmp(obj.content, OID_sha1WithRSA, lenof(OID_sha1WithRSA)))
262
*hashtype = CLI_SHA1RSA; /* Obsolete sha1rsa 1.3.14.3.2.29 */
263
else if(obj.size == lenof(OID_sha1WithRSAEncryption) && !memcmp(obj.content, OID_sha1WithRSAEncryption, lenof(OID_sha1WithRSAEncryption)))
264
*hashtype = CLI_SHA1RSA; /* sha1withRSAEncryption 1.2.840.113549.1.1.5 */
265
else if(obj.size == lenof(OID_md5WithRSAEncryption) && !memcmp(obj.content, OID_md5WithRSAEncryption, lenof(OID_md5WithRSAEncryption)))
266
*hashtype = CLI_MD5RSA; /* md5withRSAEncryption 1.2.840.113549.1.1.4 */
268
cli_dbgmsg("asn1_expect_rsa: OID mismatch\n");
271
if((ret = asn1_expect_obj(map, &obj.next, &avail, 0x05, 0, NULL))) /* NULL */
274
cli_dbgmsg("asn1_expect_rsa: extra data found in SEQUENCE\n");
280
static int asn1_getnum(const char *s) {
281
if(s[0] < '0' || s[0] >'9' || s[1] < '0' || s[1] > '9') {
282
cli_dbgmsg("asn1_getnum: expecting digits, found '%c%c'\n", s[0], s[1]);
285
return (s[0] - '0')*10 + (s[1] - '0');
288
static int asn1_get_time(fmap_t *map, const void **asn1data, unsigned int *size, time_t *tm) {
290
int ret = asn1_get_obj(map, *asn1data, size, &obj);
299
if(obj.type == 0x17) /* UTCTime - YYMMDDHHMMSSZ */
301
else if(obj.type == 0x18) /* GeneralizedTime - YYYYMMDDHHMMSSZ */
304
cli_dbgmsg("asn1_get_time: expected UTCTime or GeneralizedTime, got %02x\n", obj.type);
308
if(!fmap_need_ptr_once(map, obj.content, len)) {
309
cli_dbgmsg("asn1_get_time: failed to read content\n");
313
memset(&t, 0, sizeof(t));
314
ptr = (char *)obj.content;
315
if(obj.type == 0x18) {
316
t.tm_year = asn1_getnum(ptr) * 100;
319
n = asn1_getnum(ptr);
325
n = asn1_getnum(ptr);
329
t.tm_year = 1900 + n;
331
t.tm_year = 2000 + n;
335
n = asn1_getnum(ptr);
337
cli_dbgmsg("asn1_get_time: invalid month %u\n", n);
343
n = asn1_getnum(ptr);
345
cli_dbgmsg("asn1_get_time: invalid day %u\n", n);
351
n = asn1_getnum(ptr);
353
cli_dbgmsg("asn1_get_time: invalid hour %u\n", n);
359
n = asn1_getnum(ptr);
361
cli_dbgmsg("asn1_get_time: invalid minute %u\n", n);
367
n = asn1_getnum(ptr);
369
cli_dbgmsg("asn1_get_time: invalid second %u\n", n);
376
cli_dbgmsg("asn1_get_time: expected UTC time 'Z', got '%c'\n", *ptr);
381
*asn1data = obj.next;
385
static int asn1_get_rsa_pubkey(fmap_t *map, const void **asn1data, unsigned int *size, cli_crt *x509) {
387
unsigned int avail, avail2;
389
if(asn1_expect_objtype(map, *asn1data, size, &obj, 0x30)) /* subjectPublicKeyInfo */
391
*asn1data = obj.next;
394
if(asn1_expect_algo(map, &obj.content, &avail, lenof(OID_rsaEncryption), OID_rsaEncryption)) /* rsaEncryption */
397
if(asn1_expect_objtype(map, obj.content, &avail, &obj, 0x03)) /* BIT STRING - subjectPublicKey */
400
cli_dbgmsg("asn1_get_rsa_pubkey: found unexpected extra data in subjectPublicKeyInfo\n");
403
/* if(obj.size != 141 && obj.size != 271) /\* encoded len of 1024 and 2048 bit public keys *\/ */
406
if(!fmap_need_ptr_once(map, obj.content, 1)) {
407
cli_dbgmsg("asn1_get_rsa_pubkey: cannot read public key content\n");
410
if(((uint8_t *)obj.content)[0] != 0) { /* no byte fragments */
411
cli_dbgmsg("asn1_get_rsa_pubkey: unexpected byte frags in public key\n");
415
avail = obj.size - 1;
416
obj.content = ((uint8_t *)obj.content) + 1;
417
if(asn1_expect_objtype(map, obj.content, &avail, &obj, 0x30)) /* SEQUENCE */
420
cli_dbgmsg("asn1_get_rsa_pubkey: found unexpected extra data in public key content\n");
425
if(asn1_expect_objtype(map, obj.content, &avail, &obj, 0x02)) /* INTEGER - mod */
427
if(obj.size < 1024/8 || obj.size > 4096/8+1) {
428
cli_dbgmsg("asn1_get_rsa_pubkey: modulus has got an unsupported length (%u)\n", obj.size * 8);
432
if(!fmap_need_ptr_once(map, obj.content, avail2)) {
433
cli_dbgmsg("asn1_get_rsa_pubkey: cannot read n\n");
436
if(mp_read_unsigned_bin(&x509->n, obj.content, avail2)) {
437
cli_dbgmsg("asn1_get_rsa_pubkey: cannot convert n to big number\n");
441
if(asn1_expect_objtype(map, obj.next, &avail, &obj, 0x02)) /* INTEGER - exp */
444
cli_dbgmsg("asn1_get_rsa_pubkey: found unexpected extra data after exp\n");
447
if(obj.size < 1 || obj.size > avail2) {
448
cli_dbgmsg("asn1_get_rsa_pubkey: exponent has got an unsupported length (%u)\n", obj.size * 8);
451
if(!fmap_need_ptr_once(map, obj.content, obj.size)) {
452
cli_dbgmsg("asn1_get_rsa_pubkey: cannot read e\n");
455
if(mp_read_unsigned_bin(&x509->e, obj.content, obj.size)) {
456
cli_dbgmsg("asn1_get_rsa_pubkey: cannot convert e to big number\n");
462
static int asn1_get_x509(fmap_t *map, const void **asn1data, unsigned int *size, crtmgr *master, crtmgr *other) {
463
struct cli_asn1 crt, tbs, obj;
464
unsigned int avail, tbssize, issuersize;
465
cli_crt_hashtype hashtype1, hashtype2;
467
const uint8_t *tbsdata;
468
const void *next, *issuer;
470
if(cli_crt_init(&x509))
474
if(asn1_expect_objtype(map, *asn1data, size, &crt, 0x30)) /* SEQUENCE */
476
*asn1data = crt.next;
478
tbsdata = crt.content;
479
if(asn1_expect_objtype(map, crt.content, &crt.size, &tbs, 0x30)) /* SEQUENCE - TBSCertificate */
481
tbssize = (uint8_t *)tbs.next - tbsdata;
483
if(asn1_expect_objtype(map, tbs.content, &tbs.size, &obj, 0xa0)) /* [0] */
487
if(asn1_expect_obj(map, &obj.content, &avail, 0x02, 1, "\x02")) /* version 3 only */
490
cli_dbgmsg("asn1_get_x509: found unexpected extra data in version\n");
494
if(asn1_expect_objtype(map, next, &tbs.size, &obj, 0x02)) /* serialNumber */
496
if(map_sha1(map, obj.content, obj.size, x509.serial))
499
if(asn1_expect_rsa(map, &obj.next, &tbs.size, &hashtype1)) /* algo = sha1WithRSAEncryption | md5WithRSAEncryption */
502
if(asn1_expect_objtype(map, obj.next, &tbs.size, &obj, 0x30)) /* issuer */
504
issuer = obj.content;
505
issuersize = obj.size;
507
if(asn1_expect_objtype(map, obj.next, &tbs.size, &obj, 0x30)) /* validity */
512
if(asn1_get_time(map, &next, &avail, &x509.not_before)) /* notBefore */
514
if(asn1_get_time(map, &next, &avail, &x509.not_after)) /* notAfter */
516
if(x509.not_before >= x509.not_after) {
517
cli_dbgmsg("asn1_get_x509: bad validity\n");
521
cli_dbgmsg("asn1_get_x509: found unexpected extra data in validity\n");
525
if(asn1_expect_objtype(map, obj.next, &tbs.size, &obj, 0x30)) /* subject */
527
if(map_sha1(map, obj.content, obj.size, x509.subject))
529
if(asn1_get_rsa_pubkey(map, &obj.next, &tbs.size, &x509))
534
if(asn1_get_obj(map, obj.next, &tbs.size, &obj)) {
538
if(obj.type <= 0xa0 + avail || obj.type > 0xa3) {
539
cli_dbgmsg("asn1_get_x509: found type %02x in extensions, expecting a1, a2 or a3\n", obj.type);
543
avail = obj.type - 0xa0;
544
if(obj.type == 0xa3) {
545
struct cli_asn1 exts;
546
int have_ext_key = 0;
547
if(asn1_expect_objtype(map, obj.content, &obj.size, &exts, 0x30)) {
552
cli_dbgmsg("asn1_get_x509: found unexpected extra data in extensions\n");
556
struct cli_asn1 ext, id, value;
557
if(asn1_expect_objtype(map, exts.content, &exts.size, &ext, 0x30)) {
561
exts.content = ext.next;
562
if(asn1_expect_objtype(map, ext.content, &ext.size, &id, 0x06)) {
566
if(asn1_get_obj(map, id.next, &ext.size, &value)) {
570
if(value.type == 0x01) {
572
if(value.size != 1) {
573
cli_dbgmsg("asn1_get_x509: found boolean with wrong length\n");
577
if(asn1_get_obj(map, value.next, &ext.size, &value)) {
582
if(value.type != 0x04) {
583
cli_dbgmsg("asn1_get_x509: bad extension value type %u\n", value.type);
588
cli_dbgmsg("asn1_get_x509: extra data in extension\n");
595
if(!fmap_need_ptr_once(map, id.content, 3)) {
599
if(!memcmp("\x55\x1d\x0f", id.content, 3)) {
600
/* KeyUsage 2.5.29.15 */
601
const uint8_t *keyusage = value.content;
603
if(value.size < 4 || value.size > 5) {
604
cli_dbgmsg("asn1_get_x509: bad KeyUsage\n");
608
if(!fmap_need_ptr_once(map, value.content, value.size)) {
612
if(keyusage[0] != 0x03 || keyusage[1] != value.size - 2 || keyusage[2] > 7) {
613
cli_dbgmsg("asn1_get_x509: bad KeyUsage\n");
619
usage &= ~((1 << keyusage[2])-1);
620
x509.certSign = ((usage & 4) != 0);
623
if(!memcmp("\x55\x1d\x25", id.content, 3)) {
624
/* ExtKeyUsage 2.5.29.37 */
625
struct cli_asn1 keypurp;
627
if(asn1_expect_objtype(map, value.content, &value.size, &keypurp, 0x30)) {
632
cli_dbgmsg("asn1_get_x509: extra data in ExtKeyUsage\n");
636
ext.next = keypurp.content;
637
while(keypurp.size) {
638
if(asn1_expect_objtype(map, ext.next, &keypurp.size, &ext, 0x06)) {
644
if(!fmap_need_ptr_once(map, ext.content, 8)) {
648
if(!memcmp("\x2b\x06\x01\x05\x05\x07\x03\x03", ext.content, 8)) /* id_kp_codeSigning */
650
else if(!memcmp("\x2b\x06\x01\x05\x05\x07\x03\x08", ext.content, 8)) /* id_kp_timeStamping */
655
if(!memcmp("\x55\x1d\x13", id.content, 3)) {
656
/* Basic Constraints 2.5.29.19 */
657
struct cli_asn1 constr;
658
if(asn1_expect_objtype(map, value.content, &value.size, &constr, 0x30)) {
665
if(asn1_expect_objtype(map, constr.content, &constr.size, &ext, 0x01)) {
670
cli_dbgmsg("asn1_get_x509: wrong bool size in basic constraint %u\n", ext.size);
674
if(!fmap_need_ptr_once(map, ext.content, 1)) {
678
x509.certSign = (((uint8_t *)(ext.content))[0] != 0);
687
x509.codeSign = x509.timeSign = 1;
694
if(crtmgr_lookup(master, &x509) || crtmgr_lookup(other, &x509)) {
695
cli_dbgmsg("asn1_get_x509: certificate already exists\n");
696
cli_crt_clear(&x509);
700
if(map_sha1(map, issuer, issuersize, x509.issuer))
703
if(asn1_expect_rsa(map, &tbs.next, &crt.size, &hashtype2)) /* signature algo = sha1WithRSAEncryption | md5WithRSAEncryption */
706
if(hashtype1 != hashtype2) {
707
cli_dbgmsg("asn1_get_x509: found conflicting rsa hash types\n");
710
x509.hashtype = hashtype1;
712
if(asn1_expect_objtype(map, tbs.next, &crt.size, &obj, 0x03)) /* signature */
715
cli_dbgmsg("asn1_get_x509: signature too long\n");
718
if(!fmap_need_ptr_once(map, obj.content, obj.size)) {
719
cli_dbgmsg("asn1_get_x509: cannot read signature\n");
722
if(mp_read_unsigned_bin(&x509.sig, obj.content, obj.size)) {
723
cli_dbgmsg("asn1_get_x509: cannot convert signature to big number\n");
727
cli_dbgmsg("asn1_get_x509: found unexpected extra data in signature\n");
731
if((x509.hashtype == CLI_SHA1RSA && map_sha1(map, tbsdata, tbssize, x509.tbshash)) || (x509.hashtype == CLI_MD5RSA && (map_md5(map, tbsdata, tbssize, x509.tbshash))))
734
if(crtmgr_add(other, &x509))
736
cli_crt_clear(&x509);
739
cli_crt_clear(&x509);
743
static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmgr *cmgr, int embedded, const void **hashes, unsigned int *hashes_size, struct cl_engine *engine) {
744
struct cli_asn1 asn1, deep, deeper;
745
uint8_t sha1[SHA1_HASH_SIZE], issuer[SHA1_HASH_SIZE], md[SHA1_HASH_SIZE], serial[SHA1_HASH_SIZE];
746
const uint8_t *message, *attrs;
747
unsigned int dsize, message_size, attrs_size;
748
cli_crt_hashtype hashtype;
752
int isBlacklisted = 0;
754
cli_dbgmsg("in asn1_parse_mscat\n");
757
if(!(message = fmap_need_off_once(map, offset, 1))) {
758
cli_dbgmsg("asn1_parse_mscat: failed to read pkcs#7 entry\n");
762
if(asn1_expect_objtype(map, message, &size, &asn1, 0x30)) /* SEQUENCE */
765
/* cli_dbgmsg("asn1_parse_mscat: found extra data after pkcs#7 %u\n", size); */
769
if(asn1_expect_obj(map, &asn1.content, &size, 0x06, lenof(OID_signedData), OID_signedData)) /* OBJECT 1.2.840.113549.1.7.2 - contentType = signedData */
771
if(asn1_expect_objtype(map, asn1.content, &size, &asn1, 0xa0)) /* [0] - content */
774
cli_dbgmsg("asn1_parse_mscat: found extra data in pkcs#7\n");
778
if(asn1_expect_objtype(map, asn1.content, &size, &asn1, 0x30)) /* SEQUENCE */
781
cli_dbgmsg("asn1_parse_mscat: found extra data in signedData\n");
785
if(asn1_expect_obj(map, &asn1.content, &size, 0x02, 1, "\x01")) /* INTEGER - VERSION 1 */
788
if(asn1_expect_objtype(map, asn1.content, &size, &asn1, 0x31)) /* SET OF DigestAlgorithmIdentifier */
791
if(asn1_expect_algo(map, &asn1.content, &asn1.size, lenof(OID_sha1), OID_sha1)) /* DigestAlgorithmIdentifier[0] == sha1 */
794
cli_dbgmsg("asn1_parse_mscat: only one digestAlgorithmIdentifier is allowed\n");
798
if(asn1_expect_objtype(map, asn1.next, &size, &asn1, 0x30)) /* SEQUENCE - contentInfo */
800
/* Here there is either a PKCS #7 ContentType Object Identifier for Certificate Trust List (szOID_CTL)
801
* or a single SPC_INDIRECT_DATA_OBJID */
803
(!embedded && asn1_expect_obj(map, &asn1.content, &asn1.size, 0x06, lenof(OID_szOID_CTL), OID_szOID_CTL)) ||
804
(embedded && asn1_expect_obj(map, &asn1.content, &asn1.size, 0x06, lenof(OID_SPC_INDIRECT_DATA_OBJID), OID_SPC_INDIRECT_DATA_OBJID))
808
if(asn1_expect_objtype(map, asn1.content, &asn1.size, &deep, 0xa0))
811
cli_dbgmsg("asn1_parse_mscat: found extra data in contentInfo\n");
815
if(asn1_expect_objtype(map, deep.content, &dsize, &deep, 0x30))
818
cli_dbgmsg("asn1_parse_mscat: found extra data in content\n");
821
*hashes = deep.content;
822
*hashes_size = deep.size;
824
if(asn1_expect_objtype(map, asn1.next, &size, &asn1, 0xa0)) /* certificates */
830
crtmgr_init(&newcerts);
832
if(asn1_get_x509(map, &asn1.content, &dsize, cmgr, &newcerts)) {
840
x509 = newcerts.crts;
841
cli_dbgmsg("asn1_parse_mscat: %u new certificates collected\n", newcerts.items);
843
cli_crt *parent = crtmgr_verify_crt(cmgr, x509);
845
/* Dump the cert if requested before anything happens to it */
846
if (engine->dconf->pe & PE_CONF_DUMPCERT) {
847
char issuer[SHA1_HASH_SIZE*2+1], subject[SHA1_HASH_SIZE*2+1], serial[SHA1_HASH_SIZE*2+1];
848
char mod[1024], exp[1024];
851
fp_toradix_n(&x509->n, mod, 16, j);
852
fp_toradix_n(&x509->e, exp, 16, j);
853
for (j=0; j < SHA1_HASH_SIZE; j++) {
854
sprintf(&issuer[j*2], "%02x", x509->issuer[j]);
855
sprintf(&subject[j*2], "%02x", x509->subject[j]);
856
sprintf(&serial[j*2], "%02x", x509->serial[j]);
859
cli_dbgmsg_internal("cert subject:%s serial:%s pubkey:%s i:%s %lu->%lu %s %s %s\n", subject, serial, mod, issuer, (unsigned long)x509->not_before, (unsigned long)x509->not_after, x509->certSign ? "cert" : "", x509->codeSign ? "code" : "", x509->timeSign ? "time" : "");
863
if (parent->isBlacklisted) {
865
cli_dbgmsg("asn1_parse_mscat: Authenticode certificate %s is revoked. Flagging sample as virus.\n", (parent->name ? parent->name : "(no name)"));
868
x509->codeSign &= parent->codeSign;
869
x509->timeSign &= parent->timeSign;
870
if(crtmgr_add(cmgr, x509))
872
crtmgr_del(&newcerts, x509);
873
x509 = newcerts.crts;
881
cli_dbgmsg("asn1_parse_mscat: %u certificates did not verify\n", newcerts.items);
882
crtmgr_free(&newcerts);
886
if(asn1_get_obj(map, asn1.next, &size, &asn1))
888
if(asn1.type == 0xa1 && asn1_get_obj(map, asn1.next, &size, &asn1)) /* crls - unused shouldn't be present */
890
if(asn1.type != 0x31) { /* signerInfos */
891
cli_dbgmsg("asn1_parse_mscat: unexpected type %02x for signerInfos\n", asn1.type);
895
cli_dbgmsg("asn1_parse_mscat: unexpected extra data after signerInfos\n");
899
if(asn1_expect_objtype(map, asn1.content, &size, &asn1, 0x30))
902
cli_dbgmsg("asn1_parse_mscat: only one signerInfo shall be present\n");
906
if(asn1_expect_obj(map, &asn1.content, &size, 0x02, 1, "\x01")) /* Version = 1 */
908
if(asn1_expect_objtype(map, asn1.content, &size, &asn1, 0x30)) /* issuerAndSerialNumber */
911
if(asn1_expect_objtype(map, asn1.content, &dsize, &deep, 0x30)) /* issuer */
913
if(map_sha1(map, deep.content, deep.size, issuer))
916
if(asn1_expect_objtype(map, deep.next, &dsize, &deep, 0x02)) /* serial */
918
if(map_sha1(map, deep.content, deep.size, serial))
921
cli_dbgmsg("asn1_parse_mscat: extra data inside issuerAndSerialNumber\n");
924
if(asn1_expect_algo(map, &asn1.next, &size, lenof(OID_sha1), OID_sha1)) /* digestAlgorithm == sha1 */
928
if(asn1_expect_objtype(map, asn1.next, &size, &asn1, 0xa0)) /* authenticatedAttributes */
930
attrs_size = (uint8_t *)(asn1.next) - attrs;
932
cli_dbgmsg("asn1_parse_mscat: authenticatedAttributes size is too small\n");
937
deep.next = asn1.content;
940
struct cli_asn1 cobj;
942
if(asn1_expect_objtype(map, deep.next, &dsize, &deep, 0x30)) { /* attribute */
946
if(asn1_expect_objtype(map, deep.content, &deep.size, &deeper, 0x06)) { /* attribute type */
950
if(deeper.size != lenof(OID_contentType))
952
if(!fmap_need_ptr_once(map, deeper.content, lenof(OID_contentType))) {
953
cli_dbgmsg("asn1_parse_mscat: failed to read authenticated attribute\n");
957
if(!memcmp(deeper.content, OID_contentType, lenof(OID_contentType)))
958
content = 0; /* contentType */
959
else if(!memcmp(deeper.content, OID_messageDigest, lenof(OID_messageDigest)))
960
content = 1; /* messageDigest */
963
if(asn1_expect_objtype(map, deeper.next, &deep.size, &deeper, 0x31)) { /* set - contents */
968
cli_dbgmsg("asn1_parse_mscat: extra data in authenticated attributes\n");
973
if(result & (1<<content)) {
974
cli_dbgmsg("asn1_parse_mscat: contentType or messageDigest appear twice\n");
979
if(content == 0) { /* contentType */
981
(!embedded && asn1_expect_obj(map, &deeper.content, &deeper.size, 0x06, lenof(OID_szOID_CTL), OID_szOID_CTL)) || /* cat file */
982
(embedded && asn1_expect_obj(map, &deeper.content, &deeper.size, 0x06, lenof(OID_SPC_INDIRECT_DATA_OBJID), OID_SPC_INDIRECT_DATA_OBJID)) /* embedded cat */
988
} else { /* messageDigest */
989
if(asn1_expect_objtype(map, deeper.content, &deeper.size, &cobj, 0x04)) {
993
if(cobj.size != SHA1_HASH_SIZE) {
994
cli_dbgmsg("asn1_parse_mscat: messageDigest attribute has got the wrong size (%u)\n", cobj.size);
998
if(!fmap_need_ptr_once(map, cobj.content, SHA1_HASH_SIZE)) {
999
cli_dbgmsg("asn1_parse_mscat: failed to read authenticated attribute\n");
1003
memcpy(md, cobj.content, SHA1_HASH_SIZE);
1007
cli_dbgmsg("asn1_parse_mscat: extra data in authenticated attribute\n");
1015
cli_dbgmsg("asn1_parse_mscat: contentType or messageDigest are missing\n");
1019
if(asn1_expect_algo(map, &asn1.next, &size, lenof(OID_rsaEncryption), OID_rsaEncryption)) /* digestEncryptionAlgorithm == sha1 */
1022
if(asn1_expect_objtype(map, asn1.next, &size, &asn1, 0x04)) /* encryptedDigest */
1024
if(asn1.size > 513) {
1025
cli_dbgmsg("asn1_parse_mscat: encryptedDigest too long\n");
1028
if(map_sha1(map, *hashes, *hashes_size, sha1))
1030
if(memcmp(sha1, md, sizeof(sha1))) {
1031
cli_dbgmsg("asn1_parse_mscat: messageDigest mismatch\n");
1035
if(!fmap_need_ptr_once(map, attrs, attrs_size)) {
1036
cli_dbgmsg("asn1_parse_mscat: failed to read authenticatedAttributes\n");
1041
SHA1Update(&ctx, "\x31", 1);
1042
SHA1Update(&ctx, attrs + 1, attrs_size - 1);
1043
SHA1Final(&ctx, sha1);
1045
if(!fmap_need_ptr_once(map, asn1.content, asn1.size)) {
1046
cli_dbgmsg("asn1_parse_mscat: failed to read encryptedDigest\n");
1049
if(!(x509 = crtmgr_verify_pkcs7(cmgr, issuer, serial, asn1.content, asn1.size, CLI_SHA1RSA, sha1, VRFY_CODE))) {
1050
cli_dbgmsg("asn1_parse_mscat: pkcs7 signature verification failed\n");
1053
message = asn1.content;
1054
message_size = asn1.size;
1057
cli_dbgmsg("asn1_parse_mscat: countersignature is missing\n");
1061
if(size && asn1_expect_objtype(map, asn1.next, &size, &asn1, 0xa1)) /* unauthenticatedAttributes */
1065
cli_dbgmsg("asn1_parse_mscat: extra data inside signerInfo\n");
1070
if(asn1_expect_objtype(map, asn1.content, &size, &asn1, 0x30))
1073
cli_dbgmsg("asn1_parse_mscat: extra data inside unauthenticatedAttributes\n");
1078
/* 1.2.840.113549.1.9.6 - counterSignature */
1079
if(asn1_expect_obj(map, &asn1.content, &size, 0x06, lenof(OID_countersignature), OID_countersignature))
1081
if(asn1_expect_objtype(map, asn1.content, &size, &asn1, 0x31))
1084
cli_dbgmsg("asn1_parse_mscat: extra data inside counterSignature\n");
1089
if(asn1_expect_objtype(map, asn1.content, &size, &asn1, 0x30))
1092
cli_dbgmsg("asn1_parse_mscat: extra data inside unauthenticatedAttributes\n");
1097
if(asn1_expect_obj(map, &asn1.content, &size, 0x02, 1, "\x01")) /* Version = 1*/
1100
if(asn1_expect_objtype(map, asn1.content, &size, &asn1, 0x30)) /* issuerAndSerialNumber */
1103
if(asn1_expect_objtype(map, asn1.content, &asn1.size, &deep, 0x30)) /* issuer */
1105
if(map_sha1(map, deep.content, deep.size, issuer))
1108
if(asn1_expect_objtype(map, deep.next, &asn1.size, &deep, 0x02)) /* serial */
1110
if(map_sha1(map, deep.content, deep.size, serial))
1114
cli_dbgmsg("asn1_parse_mscat: extra data inside countersignature issuer\n");
1118
if(asn1_expect_objtype(map, asn1.next, &size, &asn1, 0x30)) /* digestAlgorithm */
1120
if(asn1_expect_objtype(map, asn1.content, &asn1.size, &deep, 0x06))
1122
if(deep.size != lenof(OID_sha1) && deep.size != lenof(OID_md5)) {
1123
cli_dbgmsg("asn1_parse_mscat: wrong digestAlgorithm size\n");
1126
if(!fmap_need_ptr_once(map, deep.content, deep.size)) {
1127
cli_dbgmsg("asn1_parse_mscat: failed to read digestAlgorithm OID\n");
1130
if(deep.size == lenof(OID_sha1) && !memcmp(deep.content, OID_sha1, lenof(OID_sha1))) {
1131
hashtype = CLI_SHA1RSA;
1132
if(map_sha1(map, message, message_size, md))
1134
} else if(deep.size == lenof(OID_md5) && !memcmp(deep.content, OID_md5, lenof(OID_md5))) {
1135
hashtype = CLI_MD5RSA;
1136
if(map_md5(map, message, message_size, md))
1139
cli_dbgmsg("asn1_parse_mscat: unknown digest oid in countersignature\n");
1142
if(asn1.size && asn1_expect_obj(map, &deep.next, &asn1.size, 0x05, 0, NULL))
1145
cli_dbgmsg("asn1_parse_mscat: extra data in countersignature oid\n");
1150
if(asn1_expect_objtype(map, asn1.next, &size, &asn1, 0xa0)) /* authenticatedAttributes */
1152
attrs_size = (uint8_t *)(asn1.next) - attrs;
1153
if(attrs_size < 2) {
1154
cli_dbgmsg("asn1_parse_mscat: countersignature authenticatedAttributes are too small\n");
1159
deep.next = asn1.content;
1162
if(asn1_expect_objtype(map, deep.next, &dsize, &deep, 0x30)) { /* attribute */
1166
if(asn1_expect_objtype(map, deep.content, &deep.size, &deeper, 0x06)) { /* attribute type */
1170
if(deeper.size != lenof(OID_contentType)) /* lenof(contentType) = lenof(messageDigest) = lenof(signingTime) = 9 */
1173
if(!fmap_need_ptr_once(map, deeper.content, lenof(OID_contentType))) {
1177
if(!memcmp(deeper.content, OID_contentType, lenof(OID_contentType)))
1178
content = 0; /* contentType */
1179
else if(!memcmp(deeper.content, OID_messageDigest, lenof(OID_messageDigest)))
1180
content = 1; /* messageDigest */
1181
else if(!memcmp(deeper.content, OID_signingTime, lenof(OID_signingTime)))
1182
content = 2; /* signingTime */
1185
if(result & (1<<content)) {
1186
cli_dbgmsg("asn1_parse_mscat: duplicate field in countersignature\n");
1190
result |= (1<<content);
1191
if(asn1_expect_objtype(map, deeper.next, &deep.size, &deeper, 0x31)) { /* attribute type */
1196
cli_dbgmsg("asn1_parse_mscat: extra data in countersignature value\n");
1200
deep.size = deeper.size;
1202
case 0: /* contentType = pkcs7-data */
1203
if(asn1_expect_obj(map, &deeper.content, &deep.size, 0x06, lenof(OID_pkcs7_data), OID_pkcs7_data))
1206
cli_dbgmsg("asn1_parse_mscat: extra data in countersignature content-type\n");
1208
case 1: /* messageDigest */
1209
if(asn1_expect_obj(map, &deeper.content, &deep.size, 0x04, (hashtype == CLI_SHA1RSA) ? SHA1_HASH_SIZE : 16, md)) {
1211
cli_dbgmsg("asn1_parse_mscat: countersignature hash mismatch\n");
1212
} else if(deep.size)
1213
cli_dbgmsg("asn1_parse_mscat: extra data in countersignature message-digest\n");
1215
case 2: /* signingTime */
1217
time_t sigdate; /* FIXME shall i use it?! */
1218
if(asn1_get_time(map, &deeper.content, &deep.size, &sigdate))
1221
cli_dbgmsg("asn1_parse_mscat: extra data in countersignature signing-time\n");
1222
else if(sigdate < x509->not_before || sigdate > x509->not_after) {
1223
cli_dbgmsg("asn1_parse_mscat: countersignature timestamp outside cert validity\n");
1237
cli_dbgmsg("asn1_parse_mscat: some important attributes are missing in countersignature\n");
1241
if(asn1_expect_objtype(map, asn1.next, &size, &asn1, 0x30)) /* digestEncryptionAlgorithm == sha1 */
1243
if(asn1_expect_objtype(map, asn1.content, &asn1.size, &deep, 0x06)) /* digestEncryptionAlgorithm == sha1 */
1245
if(deep.size != lenof(OID_rsaEncryption)) { /* lenof(OID_rsaEncryption) = lenof(OID_sha1WithRSAEncryption) = 9 */
1246
cli_dbgmsg("asn1_parse_mscat: wrong digestEncryptionAlgorithm size in countersignature\n");
1249
if(!fmap_need_ptr_once(map, deep.content, lenof(OID_rsaEncryption))) {
1250
cli_dbgmsg("asn1_parse_mscat: cannot read digestEncryptionAlgorithm in countersignature\n");
1253
/* rsaEncryption or sha1withRSAEncryption */
1254
if(memcmp(deep.content, OID_rsaEncryption, lenof(OID_rsaEncryption)) && memcmp(deep.content, OID_sha1WithRSAEncryption, lenof(OID_sha1WithRSAEncryption))) {
1255
cli_dbgmsg("asn1_parse_mscat: digestEncryptionAlgorithm in countersignature is not sha1\n");
1258
if(asn1.size && asn1_expect_obj(map, &deep.next, &asn1.size, 0x05, 0, NULL))
1261
cli_dbgmsg("asn1_parse_mscat: extra data in digestEncryptionAlgorithm in countersignature\n");
1265
if(asn1_expect_objtype(map, asn1.next, &size, &asn1, 0x04)) /* encryptedDigest */
1267
if(asn1.size > 513) {
1268
cli_dbgmsg("asn1_parse_mscat: countersignature encryptedDigest too long\n");
1272
cli_dbgmsg("asn1_parse_mscat: extra data inside countersignature\n");
1275
if(!fmap_need_ptr_once(map, attrs, attrs_size)) {
1276
cli_dbgmsg("asn1_parse_mscat: failed to read authenticatedAttributes\n");
1280
if(hashtype == CLI_SHA1RSA) {
1282
SHA1Update(&ctx, "\x31", 1);
1283
SHA1Update(&ctx, attrs + 1, attrs_size - 1);
1284
SHA1Final(&ctx, sha1);
1288
cli_md5_update(&ctx, "\x31", 1);
1289
cli_md5_update(&ctx, attrs + 1, attrs_size - 1);
1290
cli_md5_final(sha1, &ctx);
1293
if(!fmap_need_ptr_once(map, asn1.content, asn1.size)) {
1294
cli_dbgmsg("asn1_parse_mscat: failed to read countersignature encryptedDigest\n");
1297
if(!crtmgr_verify_pkcs7(cmgr, issuer, serial, asn1.content, asn1.size, hashtype, sha1, VRFY_TIME)) {
1298
cli_dbgmsg("asn1_parse_mscat: pkcs7 countersignature verification failed\n");
1302
cli_dbgmsg("asn1_parse_mscat: catalog succesfully parsed\n");
1303
if (isBlacklisted) {
1309
cli_dbgmsg("asn1_parse_mscat: failed to parse catalog\n");
1313
int asn1_load_mscat(fmap_t *map, struct cl_engine *engine) {
1316
struct cli_matcher *db;
1319
if(asn1_parse_mscat(map, 0, map->len, &engine->cmgr, 0, &c.next, &size, engine))
1322
if(asn1_expect_objtype(map, c.next, &size, &c, 0x30))
1324
if(asn1_expect_obj(map, &c.content, &c.size, 0x06, lenof(OID_szOID_CATALOG_LIST), OID_szOID_CATALOG_LIST))
1327
cli_dbgmsg("asn1_load_mscat: found extra data in szOID_CATALOG_LIST content\n");
1330
if(asn1_expect_objtype(map, c.next, &size, &c, 0x4)) /* List ID */
1332
if(asn1_expect_objtype(map, c.next, &size, &c, 0x17)) /* Effective date - WTF?! */
1334
if(asn1_expect_algo(map, &c.next, &size, lenof(OID_szOID_CATALOG_LIST_MEMBER), OID_szOID_CATALOG_LIST_MEMBER)) /* szOID_CATALOG_LIST_MEMBER */
1336
if(asn1_expect_objtype(map, c.next, &size, &c, 0x30)) /* hashes here */
1338
/* [0] is next but we don't care as it's really descriptives stuff */
1343
struct cli_asn1 tag;
1344
if(asn1_expect_objtype(map, c.next, &size, &c, 0x30))
1346
if(asn1_expect_objtype(map, c.content, &c.size, &tag, 0x04)) /* TAG NAME */
1348
if(asn1_expect_objtype(map, tag.next, &c.size, &tag, 0x31)) /* set */
1351
cli_dbgmsg("asn1_load_mscat: found extra data in tag\n");
1355
struct cli_asn1 tagval1, tagval2, tagval3;
1358
if(asn1_expect_objtype(map, tag.content, &tag.size, &tagval1, 0x30))
1360
tag.content = tagval1.next;
1362
if(asn1_expect_objtype(map, tagval1.content, &tagval1.size, &tagval2, 0x06))
1364
if(tagval2.size != lenof(OID_SPC_INDIRECT_DATA_OBJID))
1367
if(!fmap_need_ptr_once(map, tagval2.content, lenof(OID_SPC_INDIRECT_DATA_OBJID))) {
1368
cli_dbgmsg("asn1_load_mscat: cannot read SPC_INDIRECT_DATA\n");
1371
if(memcmp(tagval2.content, OID_SPC_INDIRECT_DATA_OBJID, lenof(OID_SPC_INDIRECT_DATA_OBJID)))
1372
continue; /* stuff like CAT_NAMEVALUE_OBJID(1.3.6.1.4.1.311.12.2.1) and CAT_MEMBERINFO_OBJID(.2).. */
1374
if(asn1_expect_objtype(map, tagval2.next, &tagval1.size, &tagval2, 0x31))
1377
cli_dbgmsg("asn1_load_mscat: found extra data in tag value\n");
1381
if(asn1_expect_objtype(map, tagval2.content, &tagval2.size, &tagval1, 0x30))
1384
cli_dbgmsg("asn1_load_mscat: found extra data in SPC_INDIRECT_DATA_OBJID tag\n");
1388
if(asn1_expect_objtype(map, tagval1.content, &tagval1.size, &tagval2, 0x30))
1391
if(asn1_expect_objtype(map, tagval2.content, &tagval2.size, &tagval3, 0x06)) /* shall have an obj 1.3.6.1.4.1.311.2.1.15 or 1.3.6.1.4.1.311.2.1.25 inside */
1393
if(tagval3.size != lenof(OID_SPC_PE_IMAGE_DATA_OBJID)) { /* lenof(OID_SPC_PE_IMAGE_DATA_OBJID) = lenof(OID_SPC_CAB_DATA_OBJID) = 10*/
1394
cli_dbgmsg("asn1_load_mscat: bad hash type size\n");
1397
if(!fmap_need_ptr_once(map, tagval3.content, lenof(OID_SPC_PE_IMAGE_DATA_OBJID))) {
1398
cli_dbgmsg("asn1_load_mscat: cannot read hash type\n");
1401
if(!memcmp(tagval3.content, OID_SPC_PE_IMAGE_DATA_OBJID, lenof(OID_SPC_PE_IMAGE_DATA_OBJID)))
1403
else if(!memcmp(tagval3.content, OID_SPC_CAB_DATA_OBJID, lenof(OID_SPC_CAB_DATA_OBJID)))
1406
cli_dbgmsg("asn1_load_mscat: unexpected hash type\n");
1410
if(asn1_expect_objtype(map, tagval2.next, &tagval1.size, &tagval2, 0x30))
1413
cli_dbgmsg("asn1_load_mscat: found extra data after hash\n");
1417
if(asn1_expect_algo(map, &tagval2.content, &tagval2.size, lenof(OID_sha1), OID_sha1)) /* objid 1.3.14.3.2.26 - sha1 */
1420
if(asn1_expect_objtype(map, tagval2.content, &tagval2.size, &tagval3, 0x04))
1423
cli_dbgmsg("asn1_load_mscat: found extra data in hash\n");
1426
if(tagval3.size != SHA1_HASH_SIZE) {
1427
cli_dbgmsg("asn1_load_mscat: bad hash size %u\n", tagval3.size);
1430
if(!fmap_need_ptr_once(map, tagval3.content, SHA1_HASH_SIZE)) {
1431
cli_dbgmsg("asn1_load_mscat: cannot read hash\n");
1435
if(cli_debug_flag) {
1436
char sha1[SHA1_HASH_SIZE*2+1];
1437
for(i=0;i<SHA1_HASH_SIZE;i++)
1438
sprintf(&sha1[i*2], "%02x", ((uint8_t *)(tagval3.content))[i]);
1439
cli_dbgmsg("asn1_load_mscat: got hash %s (%s)\n", sha1, (hashtype == 2) ? "PE" : "CAB");
1441
if(!engine->hm_fp) {
1442
if(!(engine->hm_fp = mpool_calloc(engine->mempool, 1, sizeof(*db)))) {
1447
engine->hm_fp->mempool = engine->mempool;
1450
if(hm_addhash_bin(engine->hm_fp, tagval3.content, CLI_HASH_SHA1, hashtype, NULL)) {
1451
cli_warnmsg("asn1_load_mscat: failed to add hash\n");
1460
int asn1_check_mscat(struct cl_engine *engine, fmap_t *map, size_t offset, unsigned int size, uint8_t *computed_sha1) {
1461
unsigned int content_size;
1463
const void *content;
1467
if (engine->dconf->pe & PE_CONF_DISABLECERT)
1470
cli_dbgmsg("in asn1_check_mscat (offset: %lu)\n", offset);
1471
crtmgr_init(&certs);
1472
if(crtmgr_add_roots(engine, &certs)) {
1473
crtmgr_free(&certs);
1476
ret = asn1_parse_mscat(map, offset, size, &certs, 1, &content, &content_size, engine);
1477
crtmgr_free(&certs);
1481
if(asn1_expect_objtype(map, content, &content_size, &c, 0x30))
1483
if(asn1_expect_obj(map, &c.content, &c.size, 0x06, lenof(OID_SPC_PE_IMAGE_DATA_OBJID), OID_SPC_PE_IMAGE_DATA_OBJID))
1485
if(asn1_expect_objtype(map, c.next, &content_size, &c, 0x30))
1488
cli_dbgmsg("asn1_check_mscat: extra data in content\n");
1491
if(asn1_expect_algo(map, &c.content, &c.size, lenof(OID_sha1), OID_sha1))
1494
if(asn1_expect_obj(map, &c.content, &c.size, 0x04, SHA1_HASH_SIZE, computed_sha1))
1497
cli_dbgmsg("asn1_check_mscat: file with valid authenicode signature, whitelisted\n");