summaryrefslogtreecommitdiffstats
path: root/src/file_ecryptfs.c
diff options
context:
space:
mode:
authorChristophe Grenier <grenier@cgsecurity.org>2009-10-25 18:37:41 +0100
committerChristophe Grenier <grenier@cgsecurity.org>2009-10-25 18:37:41 +0100
commitb646a5ff154141badef7bb1c9ee7bd5517906d4a (patch)
treec0037cf1cfacafc8bbc0736dbcab40af029e8ce5 /src/file_ecryptfs.c
parent5e2419cf2afce35a91acbf40bd1e7907cfc63288 (diff)
PhotoRec: recover encrypted file by eCryptfs
Diffstat (limited to 'src/file_ecryptfs.c')
-rw-r--r--src/file_ecryptfs.c90
1 files changed, 90 insertions, 0 deletions
diff --git a/src/file_ecryptfs.c b/src/file_ecryptfs.c
new file mode 100644
index 0000000..0c1ec8c
--- /dev/null
+++ b/src/file_ecryptfs.c
@@ -0,0 +1,90 @@
+/*
+
+ File: file_ecryptfs.c
+
+ Copyright (C) 2009 Christophe GRENIER <grenier@cgsecurity.org>
+
+ This software is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write the Free Software Foundation, Inc., 51
+ Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#ifdef HAVE_STRING_H
+#include <string.h>
+#endif
+#include <stdio.h>
+#include "types.h"
+#include "filegen.h"
+#include "common.h"
+
+static void register_header_check_ecryptfs(file_stat_t *file_stat);
+static int header_check_ecryptfs(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new);
+
+const file_hint_t file_hint_ecryptfs= {
+ .extension="eCryptfs",
+ .description="Encrypted file by eCryptfs",
+ .min_header_distance=0,
+ .max_filesize=PHOTOREC_MAX_FILE_SIZE,
+ .recover=1,
+ .enable_by_default=1,
+ .register_header_check=&register_header_check_ecryptfs
+};
+
+static const unsigned char ecryptfs_header[2]= {0, 0};
+
+struct ecrypfs_header {
+ uint64_t unencrypted_file_size;
+ uint32_t marker1;
+ uint32_t marker2;
+ unsigned char version;
+ unsigned char reserved1;
+ unsigned char reserved2;
+ uint32_t flags;
+} __attribute__ ((__packed__));
+
+static void register_header_check_ecryptfs(file_stat_t *file_stat)
+{
+ register_header_check(0, ecryptfs_header, sizeof(ecryptfs_header), &header_check_ecryptfs, file_stat);
+}
+
+static void file_check_ecryptfs(file_recovery_t *file_recovery)
+{
+ if(file_recovery->file_size < file_recovery->calculated_file_size)
+ file_recovery->file_size=0;
+ else if(file_recovery->file_size > file_recovery->calculated_file_size+1024*1024)
+ file_recovery->file_size=file_recovery->calculated_file_size+1024*1024;
+}
+
+static int header_check_ecryptfs(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new)
+{
+ const struct ecrypfs_header *e=(const struct ecrypfs_header *)buffer;
+ if((be32(e->marker1) ^ be32(e->marker2)) == 0x3c81b7f5)
+ {
+ reset_file_recovery(file_recovery_new);
+#ifdef DJGPP
+ file_recovery_new->extension="ecr";
+#else
+ file_recovery_new->extension=file_hint_ecryptfs.extension;
+#endif
+ file_recovery_new->min_filesize=be64(e->unencrypted_file_size);
+ file_recovery_new->calculated_file_size=be64(e->unencrypted_file_size);
+ file_recovery_new->data_check=NULL;
+ file_recovery_new->file_check=&file_check_ecryptfs;
+ return 1;
+ }
+ return 0;
+}