From f0ff698c2252065f8de1eb650252b0b1286d38f0 Mon Sep 17 00:00:00 2001
From: antona <antona>
Date: Fri, 29 Jul 2005 09:54:02 +0000
Subject: [PATCH] Update some efs info (the 16byte fields in the header are md5
 hashes of the decrypted fek, ddfs, and drfs.  windows uses them as a sanity
 check and a check that the efs attribute has not been tampered with.)

---
 include/ntfs/layout.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/ntfs/layout.h b/include/ntfs/layout.h
index f1e31769..d70f8501 100644
--- a/include/ntfs/layout.h
+++ b/include/ntfs/layout.h
@@ -2392,9 +2392,9 @@ typedef struct {
 	u32 unknown1;		/* always 0? */
 	u32 unknown2;		/* number of DDFs? */
 	u32 unknown3;		/* number of DRFs? */
-/* 16*/	u8 unknown4[16];	/* MD5 hash related to DDFs? */
-/* 32*/	u8 unknown5[16];	/* MD5 hash related to DRFs? */
-/* 48*/	u8 unknown6[16];	/* always 0? */
+/* 16*/	u8 unknown4[16];	/* MD5 hash of decrypted FEK? */
+/* 32*/	u8 unknown5[16];	/* MD5 hash of DDFs? */
+/* 48*/	u8 unknown6[16];	/* MD5 hash of DRFs? */
 /* 64*/	u32 offset_to_ddf_array;/* Offset in bytes to the array of data
 				   decryption fields (DDF), see below.  Zero if
 				   no DDFs are present. */