1 /*
2
3 File: file_ecryptfs.c
4
5 Copyright (C) 2009 Christophe GRENIER <grenier@cgsecurity.org>
6
7 This software is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License along
18 with this program; if not, write the Free Software Foundation, Inc., 51
19 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20
21 */
22
23 #ifdef HAVE_CONFIG_H
24 #include <config.h>
25 #endif
26 #ifdef HAVE_STRING_H
27 #include <string.h>
28 #endif
29 #include <stdio.h>
30 #include "types.h"
31 #include "filegen.h"
32 #include "common.h"
33
34 static void register_header_check_ecryptfs(file_stat_t *file_stat);
35 static int header_check_ecryptfs(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new);
36
37 const file_hint_t file_hint_ecryptfs= {
38 .extension="eCryptfs",
39 .description="Encrypted file by eCryptfs",
40 .max_filesize=PHOTOREC_MAX_FILE_SIZE,
41 .recover=1,
42 .enable_by_default=1,
43 .register_header_check=®ister_header_check_ecryptfs
44 };
45
46 static const unsigned char ecryptfs_header[2]= {0, 0};
47
48 struct ecrypfs_header {
49 uint64_t unencrypted_file_size;
50 uint32_t marker1;
51 uint32_t marker2;
52 unsigned char version;
53 unsigned char reserved1;
54 unsigned char reserved2;
55 uint32_t flags;
56 } __attribute__ ((gcc_struct, __packed__));
57
register_header_check_ecryptfs(file_stat_t * file_stat)58 static void register_header_check_ecryptfs(file_stat_t *file_stat)
59 {
60 register_header_check(0, ecryptfs_header, sizeof(ecryptfs_header), &header_check_ecryptfs, file_stat);
61 }
62
file_check_ecryptfs(file_recovery_t * file_recovery)63 static void file_check_ecryptfs(file_recovery_t *file_recovery)
64 {
65 if(file_recovery->file_size < file_recovery->calculated_file_size)
66 file_recovery->file_size=0;
67 else if(file_recovery->file_size > file_recovery->calculated_file_size+1024*1024)
68 file_recovery->file_size=file_recovery->calculated_file_size+1024*1024;
69 }
70
header_check_ecryptfs(const unsigned char * buffer,const unsigned int buffer_size,const unsigned int safe_header_only,const file_recovery_t * file_recovery,file_recovery_t * file_recovery_new)71 static int header_check_ecryptfs(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new)
72 {
73 const struct ecrypfs_header *e=(const struct ecrypfs_header *)buffer;
74 if((be32(e->marker1) ^ be32(e->marker2)) != 0x3c81b7f5)
75 return 0;
76 if(be64(e->unencrypted_file_size) < sizeof(struct ecrypfs_header))
77 return 0;
78 reset_file_recovery(file_recovery_new);
79 #ifdef DJGPP
80 file_recovery_new->extension="ecr";
81 #else
82 file_recovery_new->extension=file_hint_ecryptfs.extension;
83 #endif
84 file_recovery_new->min_filesize=be64(e->unencrypted_file_size);
85 file_recovery_new->calculated_file_size=be64(e->unencrypted_file_size);
86 file_recovery_new->data_check=NULL;
87 file_recovery_new->file_check=&file_check_ecryptfs;
88 return 1;
89 }
90