HFS fixes from Rob

CHANGES.txt

@@ -24,6 +24,8 @@ to meta type).  (Bug: 2389901). Reported by Barry Grundy.
 
 1/11/09: Update: Support for HFS Wrappers was added.  Patch by Rob Joyce.
 
+1/11/09: Update: Lots of bug fixes in HFS code from Rob Joyce.
+
 
 ---------------- VERSION 3.0.0 -------------- 
 0/00/00: Update: Many, many, many API changes.

tsk3/fs/hfs.c

@@ -2750,8 +2750,10 @@ print_inode_file(FILE * hFile, TSK_FS_INFO * fs, TSK_INUM_T inum)
     if (inum == HFS_ROOT_INUM)
         tsk_fprintf(hFile, "/");
     else {
-        if (print_parent_path(hFile, fs, inum))
+        if (print_parent_path(hFile, fs, inum)) {
+            tsk_fprintf(hFile, "unknown]");
             return 1;
+        }
     }
     tsk_fprintf(hFile, "]");
     return 0;
@@ -2819,6 +2821,12 @@ hfs_fsstat(TSK_FS_INFO * fs, FILE * hFile)
         tsk_fprintf(hFile, " (Mac OS X, Journaled)\n");
     else if (tsk_getu32(fs->endian, sb->last_mnt_ver) == FSK_MOUNT_VERSION)
         tsk_fprintf(hFile, " (failed journal replay)\n");
+    else if (tsk_getu32(fs->endian,
+            sb->last_mnt_ver) == FSCK_MOUNT_VERSION)
+        tsk_fprintf(hFile, " (fsck_hfs)\n");
+    else if (tsk_getu32(fs->endian,
+            sb->last_mnt_ver) == OS89_MOUNT_VERSION)
+        tsk_fprintf(hFile, " (Mac OS 8.1 - 9.2.2)\n");
     else
         tsk_fprintf(hFile, "\n");
 
@@ -2847,8 +2855,8 @@ hfs_fsstat(TSK_FS_INFO * fs, FILE * hFile)
 
     /* State of the file system */
     if ((tsk_getu32(fs->endian, hfs->fs->attr) & HFS_BIT_VOLUME_UNMOUNTED)
-        || ((tsk_getu32(fs->endian,
-                    hfs->fs->attr) & HFS_BIT_VOLUME_INCONSISTENT) == 0))
+        && (!(tsk_getu32(fs->endian,
+                    hfs->fs->attr) & HFS_BIT_VOLUME_INCONSISTENT)))
         tsk_fprintf(hFile, "Volume Unmounted Properly\n");
     else
         tsk_fprintf(hFile, "Volume Unmounted Improperly\n");
@@ -2856,6 +2864,10 @@ hfs_fsstat(TSK_FS_INFO * fs, FILE * hFile)
     if (tsk_getu32(fs->endian, hfs->fs->attr) & HFS_BIT_VOLUME_BADBLOCKS)
         tsk_fprintf(hFile, "Volume has bad blocks\n");
 
+    if (tsk_getu32(fs->endian,
+            hfs->fs->attr) & HFS_BIT_VOLUME_SOFTWARE_LOCK)
+        tsk_fprintf(hFile, "Software write protect enabled\n");
+
     tsk_fprintf(hFile, "Write count: %" PRIu32 "\n",
         tsk_getu32(fs->endian, sb->write_cnt));
 
@@ -2876,39 +2888,34 @@ hfs_fsstat(TSK_FS_INFO * fs, FILE * hFile)
 
     inode = tsk_getu32(fs->endian, &(sb->finder_info[0]));
     tsk_fprintf(hFile, "Bootable Folder ID: %" PRIuINUM, inode);
-    if (inode > HFS_ROOT_INUM)
-        if (print_inode_file(hFile, fs, inode))
-            return 1;
+    if (inode > 0)
+        print_inode_file(hFile, fs, inode);
     tsk_fprintf(hFile, "\n");
 
     inode = tsk_getu32(fs->endian, &(sb->finder_info[4]));
     tsk_fprintf(hFile, "Startup App ID: %" PRIuINUM, inode);
-    if (inode > HFS_ROOT_INUM)
-        if (print_inode_file(hFile, fs, inode))
-            return 1;
+    if (inode > 0)
+        print_inode_file(hFile, fs, inode);
     tsk_fprintf(hFile, "\n");
 
     inode = tsk_getu32(fs->endian, &(sb->finder_info[8]));
     tsk_fprintf(hFile, "Startup Open Folder ID: %" PRIuINUM, inode);
-    if (inode > HFS_ROOT_INUM)
-        if (print_inode_file(hFile, fs, inode))
-            return 1;
+    if (inode > 0)
+        print_inode_file(hFile, fs, inode);
     tsk_fprintf(hFile, "\n");
 
     inode = tsk_getu32(fs->endian, &(sb->finder_info[12]));
     tsk_fprintf(hFile, "Mac OS 8/9 Blessed System Folder ID: %" PRIuINUM,
         inode);
-    if (inode > HFS_ROOT_INUM)
-        if (print_inode_file(hFile, fs, inode))
-            return 1;
+    if (inode > 0)
+        print_inode_file(hFile, fs, inode);
     tsk_fprintf(hFile, "\n");
 
     inode = tsk_getu32(fs->endian, &(sb->finder_info[20]));
     tsk_fprintf(hFile, "Mac OS X Blessed System Folder ID: %" PRIuINUM,
         inode);
-    if (inode > HFS_ROOT_INUM)
-        if (print_inode_file(hFile, fs, inode))
-            return 1;
+    if (inode > 0)
+        print_inode_file(hFile, fs, inode);
     tsk_fprintf(hFile, "\n");
 
     tsk_fprintf(hFile, "Volume Identifier: %08" PRIx32 "%08" PRIx32 "\n",
@@ -2958,7 +2965,18 @@ print_addr_act(TSK_FS_FILE * fs_file, TSK_OFF_T a_off, TSK_DADDR_T addr,
     return TSK_WALK_CONT;
 }
 
-uint8_t
+/**
+ * Print details on a specific file to a file handle. 
+ *
+ * @param fs File system file is located in
+ * @param hFile File name to print text to
+ * @param inum Address of file in file system
+ * @param numblock The number of blocks in file to force print (can go beyond file size)
+ * @param sec_skew Clock skew in seconds to also print times in
+ * 
+ * @returns 1 on error and 0 on success
+ */
+static uint8_t
 hfs_istat(TSK_FS_INFO * fs, FILE * hFile, TSK_INUM_T inum,
     TSK_DADDR_T numblock, int32_t sec_skew)
 {
@@ -2973,11 +2991,11 @@ hfs_istat(TSK_FS_INFO * fs, FILE * hFile, TSK_INUM_T inum,
             "hfs_istat: inum: %" PRIuINUM " numblock: %" PRIu32 "\n",
             inum, numblock);
 
-
-
-
-    if ((fs_file = tsk_fs_file_open_meta(fs, NULL, inum)) == NULL)
+    if ((fs_file = tsk_fs_file_open_meta(fs, NULL, inum)) == NULL) {
+        strncat(tsk_errstr2, " - istat",
+            TSK_ERRSTR_L - strlen(tsk_errstr2));
         return 1;
+    }
 
     tsk_fprintf(hFile, "\nINODE INFORMATION\n");
     tsk_fprintf(hFile, "Entry:\t%" PRIuINUM "\n", inum);
@@ -2993,6 +3011,29 @@ hfs_istat(TSK_FS_INFO * fs, FILE * hFile, TSK_INUM_T inum,
     tsk_fs_make_ls(fs_file->meta, hfs_mode);
     tsk_fprintf(hFile, "Mode:\t%s\n", hfs_mode);
 
+    if (sec_skew != 0) {
+        tsk_fprintf(hFile, "\nAdjusted times:\n");
+        fs_file->meta->mtime -= sec_skew;
+        fs_file->meta->atime -= sec_skew;
+        fs_file->meta->ctime -= sec_skew;
+        fs_file->meta->crtime -= sec_skew;
+        fs_file->meta->time2.hfs.bkup_time -= sec_skew;
+        tsk_fprintf(hFile, "Created:\t%s", ctime(&fs_file->meta->crtime));
+        tsk_fprintf(hFile, "Content Modified:\t%s",
+            ctime(&fs_file->meta->mtime));
+        tsk_fprintf(hFile, "Attributes Modified:\t%s",
+            ctime(&fs_file->meta->ctime));
+        tsk_fprintf(hFile, "Accessed:\t%s", ctime(&fs_file->meta->atime));
+        tsk_fprintf(hFile, "Backed Up:\t%s",
+            ctime(&fs_file->meta->time2.hfs.bkup_time));
+        fs_file->meta->mtime += sec_skew;
+        fs_file->meta->atime += sec_skew;
+        fs_file->meta->ctime += sec_skew;
+        fs_file->meta->crtime += sec_skew;
+        fs_file->meta->time2.hfs.bkup_time += sec_skew;
+        tsk_fprintf(hFile, "\nOriginal times:\n");
+    }
+
     tsk_fprintf(hFile, "Created:\t%s", ctime(&fs_file->meta->crtime));
     tsk_fprintf(hFile, "Content Modified:\t%s",
         ctime(&fs_file->meta->mtime));
@@ -3195,8 +3236,7 @@ hfs_open(TSK_IMG_INFO * img_info, TSK_OFF_T offset,
                 tsk_getu16(fs->endian, wrapper_sb->drAlBlSt);
             uint32_t drAlBlkSiz =
                 tsk_getu32(fs->endian, wrapper_sb->drAlBlkSiz);
-            uint16_t startBlock =
-                tsk_getu16(fs->endian,
+            uint16_t startBlock = tsk_getu16(fs->endian,
                 wrapper_sb->drEmbedExtent_startBlock);
             TSK_OFF_T hfsplus_offset =
                 (drAlBlSt * (TSK_OFF_T) 512) +

tsk3/fs/hfs_dent.c

@@ -73,7 +73,7 @@
 #define UTF16_NULL 0x0000
 #define UTF16_NULL_REPLACE 0xfffd
 #define UTF16_SLASH 0x002f
-#define UTF16_COLON 0x001a
+#define UTF16_COLON 0x003a
 
 /* convert HFS+'s UTF16 to UTF8
  * replaces null characters with another character (0xfffd)

tsk3/fs/ifind_lib.c

@@ -26,6 +26,7 @@
  */
 
 #include "tsk_fs_i.h"
+#include "tsk_hfs.h"
 
 
 /*******************************************************************************
@@ -240,6 +241,8 @@ tsk_fs_path2inum(TSK_FS_INFO * a_fs, const char *a_path,
                 return -1;
             }
 
+            // @@@ It seems that we could abstract this and have a name comparison
+            // function for each file system that hides the case sensitive details...
             /* 
              * Check if this is the name that we are currently looking for,
              * as identified in 'cur_dir'
@@ -302,6 +305,29 @@ tsk_fs_path2inum(TSK_FS_INFO * a_fs, const char *a_path,
                 }
             }
 
+            /* HFS+ can be case-sensitive or case-insensitive */
+            else if (TSK_FS_TYPE_ISHFS(a_fs->ftype)) {
+                HFS_INFO *hfs = (HFS_INFO *)a_fs;
+                if ( hfs->is_case_sensitive ) {
+                    if (strcmp(fs_file->name->name, cur_dir) == 0) {
+                        found_name = 1;
+                    }
+                } else {
+                    if (strcasecmp(fs_file->name->name, cur_dir) == 0) {
+                        found_name = 1;
+                    }
+                }
+            }
+
+            /* Unknown how to compare names in this filesystem */
+            else {
+                tsk_errno = TSK_ERR_FS_GENFS;
+                snprintf(tsk_errstr, TSK_ERRSTR_L,
+                         "tsk_fs_path2inum: File System type not supported for file name comparison (%X)",
+                         a_fs->ftype);
+                return TSK_WALK_ERROR;
+            }
+			
             /* if found_name is 1, this entry was our target.  Update
              * data and move on to the next step, if needed. */
             if (found_name) {

tsk3/fs/tsk_hfs.h

@@ -80,16 +80,18 @@
  * Constants
  */
 
-#define HFS_MAGIC	0x4244  /* BD in big endian */
+#define HFS_MAGIC	    0x4244      /* BD in big endian */
 #define HFSPLUS_MAGIC	0x482b  /* H+ in big endian */
 #define HFSX_MAGIC      0x4858  /* HX in big endian */
 
 #define HFSPLUS_VERSION 0x0004  /* all HFS+ volumes are version 4 */
 #define HFSX_VERSION    0x0005  /* HFSX volumes start with version 5 */
 
-#define HFSPLUS_MOUNT_VERSION 0x31302e30        /* '10.0 for Mac OS X */
-#define HFSJ_MOUNT_VERSION    0x4846534a        /* 'HFSJ' for jounraled HFS+ on Mac OS X */
+#define HFSPLUS_MOUNT_VERSION 0x31302e30        /* '10.0' for Mac OS X */
+#define HFSJ_MOUNT_VERSION    0x4846534a        /* 'HFSJ' for journaled HFS+ on Mac OS X */
 #define FSK_MOUNT_VERSION     0x46534b21        /* 'FSK!' for failed journal replay */
+#define FSCK_MOUNT_VERSION    0x6673636b        /* 'fsck' for fsck_hfs */
+#define OS89_MOUNT_VERSION    0x382e3130        /* '8.10' for Mac OS 8.1-9.2.2 */
 
 #define HFS_SBOFF	1024
 #define HFS_FILE_CONTENT_LEN 160        // size of two hfs_fork data structures
@@ -116,11 +118,12 @@
  */
 #define NSEC_BTWN_1904_1970	(uint32_t) 2082844800U
 
-#define HFS_BIT_VOLUME_UNMOUNTED	(uint32_t)(1 << 8)      /* set if the volume was unmounted properly; as per TN 1150, modern Macintosh OSes always leave this bit set */
+#define HFS_BIT_VOLUME_UNMOUNTED	(uint32_t)(1 << 8)      /* set if the volume was unmounted properly; as per TN 1150, modern Macintosh OSes always leave this bit set for the boot volume */
 #define HFS_BIT_VOLUME_BADBLOCKS        (uint32_t)(1 << 9)      /* set if there are any bad blocks for this volume (in the Extents B-tree) */
 #define HFS_BIT_VOLUME_INCONSISTENT	(uint32_t)(1 << 11)     /* cleared if the volume was unmounted properly */
-#define HFS_BIT_VOLUME_JOURNALED	(uint32_t)(1 << 13)
 #define HFS_BIT_VOLUME_CNIDS_REUSED     (uint32_t)(1 << 12)     /* set if CNIDs have wrapped around past the maximum value and are being reused; in this case, there are CNIDs on the disk larger than the nextCatalogId field */
+#define HFS_BIT_VOLUME_JOURNALED	(uint32_t)(1 << 13)
+#define HFS_BIT_VOLUME_SOFTWARE_LOCK	(uint32_t)(1 << 14)     /* set if volume should be write-protected in software */
 
 /* constants for BTree header record attributes */
 #define HFS_BT_BIGKEYS 0x00000002       /* kBTBigKeysMask : key length field is 16 bits */