From b646a5ff154141badef7bb1c9ee7bd5517906d4a Mon Sep 17 00:00:00 2001
From: Christophe Grenier <grenier@cgsecurity.org>
Date: Sun, 25 Oct 2009 18:37:41 +0100
Subject: [PATCH] PhotoRec: recover encrypted file by eCryptfs

---
 src/Makefile.am     |  1 +
 src/file_ecryptfs.c | 90 +++++++++++++++++++++++++++++++++++++++++++++
 src/file_list.c     |  2 +
 3 files changed, 93 insertions(+)
 create mode 100644 src/file_ecryptfs.c

diff --git a/src/Makefile.am b/src/Makefile.am
index d1e156fc..cb803326 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -81,6 +81,7 @@ file_C			= filegen.c \
 			  file_dxf.c \
 			  file_e01.c \
 			  file_edb.c \
+			  file_ecryptfs.c \
 			  file_elf.c \
 			  file_emf.c \
 			  file_evt.c \
diff --git a/src/file_ecryptfs.c b/src/file_ecryptfs.c
new file mode 100644
index 00000000..0c1ec8ce
--- /dev/null
+++ b/src/file_ecryptfs.c
@@ -0,0 +1,90 @@
+/*
+
+    File: file_ecryptfs.c
+
+    Copyright (C) 2009 Christophe GRENIER <grenier@cgsecurity.org>
+  
+    This software is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+  
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+  
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write the Free Software Foundation, Inc., 51
+    Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#ifdef HAVE_STRING_H
+#include <string.h>
+#endif
+#include <stdio.h>
+#include "types.h"
+#include "filegen.h"
+#include "common.h"
+
+static void register_header_check_ecryptfs(file_stat_t *file_stat);
+static int header_check_ecryptfs(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new);
+
+const file_hint_t file_hint_ecryptfs= {
+  .extension="eCryptfs",
+  .description="Encrypted file by eCryptfs",
+  .min_header_distance=0,
+  .max_filesize=PHOTOREC_MAX_FILE_SIZE,
+  .recover=1,
+  .enable_by_default=1,
+  .register_header_check=&register_header_check_ecryptfs
+};
+
+static const unsigned char ecryptfs_header[2]= {0, 0};
+
+struct ecrypfs_header {
+  uint64_t unencrypted_file_size;
+  uint32_t marker1;
+  uint32_t marker2;
+  unsigned char	version;
+  unsigned char reserved1;
+  unsigned char reserved2;
+  uint32_t flags;
+} __attribute__ ((__packed__));
+
+static void register_header_check_ecryptfs(file_stat_t *file_stat)
+{
+  register_header_check(0, ecryptfs_header, sizeof(ecryptfs_header), &header_check_ecryptfs, file_stat);
+}
+
+static void file_check_ecryptfs(file_recovery_t *file_recovery)
+{
+  if(file_recovery->file_size < file_recovery->calculated_file_size)
+    file_recovery->file_size=0;
+  else if(file_recovery->file_size > file_recovery->calculated_file_size+1024*1024)
+    file_recovery->file_size=file_recovery->calculated_file_size+1024*1024;
+}
+
+static int header_check_ecryptfs(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new)
+{
+  const struct ecrypfs_header *e=(const struct ecrypfs_header *)buffer;
+  if((be32(e->marker1) ^ be32(e->marker2)) == 0x3c81b7f5)
+  {
+    reset_file_recovery(file_recovery_new);
+#ifdef DJGPP
+    file_recovery_new->extension="ecr";
+#else
+    file_recovery_new->extension=file_hint_ecryptfs.extension;
+#endif
+    file_recovery_new->min_filesize=be64(e->unencrypted_file_size);
+    file_recovery_new->calculated_file_size=be64(e->unencrypted_file_size);
+    file_recovery_new->data_check=NULL;
+    file_recovery_new->file_check=&file_check_ecryptfs;
+    return 1;
+  }
+  return 0;
+}
diff --git a/src/file_list.c b/src/file_list.c
index 9c68d598..684d1a74 100644
--- a/src/file_list.c
+++ b/src/file_list.c
@@ -82,6 +82,7 @@ extern const file_hint_t file_hint_dv;
 extern const file_hint_t file_hint_dwg;
 extern const file_hint_t file_hint_dxf;
 extern const file_hint_t file_hint_e01;
+extern const file_hint_t file_hint_ecryptfs;
 extern const file_hint_t file_hint_edb;
 extern const file_hint_t file_hint_elf;
 extern const file_hint_t file_hint_emf;
@@ -277,6 +278,7 @@ file_enable_t list_file_enable[]=
   { .enable=0, .file_hint=&file_hint_dwg  },
   { .enable=0, .file_hint=&file_hint_dxf  },
   { .enable=0, .file_hint=&file_hint_e01  },
+  { .enable=0, .file_hint=&file_hint_ecryptfs },
   { .enable=0, .file_hint=&file_hint_edb  },
   { .enable=0, .file_hint=&file_hint_elf  },
   { .enable=0, .file_hint=&file_hint_emf  },