Roberto Sassu | f8f8527 | 2011-06-27 13:45:43 +0200 | [diff] [blame] | 1 | #ifndef _LINUX_ECRYPTFS_H |
| 2 | #define _LINUX_ECRYPTFS_H |
| 3 | |
| 4 | /* Version verification for shared data structures w/ userspace */ |
| 5 | #define ECRYPTFS_VERSION_MAJOR 0x00 |
| 6 | #define ECRYPTFS_VERSION_MINOR 0x04 |
| 7 | #define ECRYPTFS_SUPPORTED_FILE_VERSION 0x03 |
| 8 | /* These flags indicate which features are supported by the kernel |
| 9 | * module; userspace tools such as the mount helper read |
| 10 | * ECRYPTFS_VERSIONING_MASK from a sysfs handle in order to determine |
| 11 | * how to behave. */ |
| 12 | #define ECRYPTFS_VERSIONING_PASSPHRASE 0x00000001 |
| 13 | #define ECRYPTFS_VERSIONING_PUBKEY 0x00000002 |
| 14 | #define ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH 0x00000004 |
| 15 | #define ECRYPTFS_VERSIONING_POLICY 0x00000008 |
| 16 | #define ECRYPTFS_VERSIONING_XATTR 0x00000010 |
| 17 | #define ECRYPTFS_VERSIONING_MULTKEY 0x00000020 |
| 18 | #define ECRYPTFS_VERSIONING_DEVMISC 0x00000040 |
| 19 | #define ECRYPTFS_VERSIONING_HMAC 0x00000080 |
| 20 | #define ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION 0x00000100 |
| 21 | #define ECRYPTFS_VERSIONING_GCM 0x00000200 |
| 22 | #define ECRYPTFS_VERSIONING_MASK (ECRYPTFS_VERSIONING_PASSPHRASE \ |
| 23 | | ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH \ |
| 24 | | ECRYPTFS_VERSIONING_PUBKEY \ |
| 25 | | ECRYPTFS_VERSIONING_XATTR \ |
| 26 | | ECRYPTFS_VERSIONING_MULTKEY \ |
| 27 | | ECRYPTFS_VERSIONING_DEVMISC \ |
| 28 | | ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION) |
| 29 | #define ECRYPTFS_MAX_PASSWORD_LENGTH 64 |
| 30 | #define ECRYPTFS_MAX_PASSPHRASE_BYTES ECRYPTFS_MAX_PASSWORD_LENGTH |
| 31 | #define ECRYPTFS_SALT_SIZE 8 |
| 32 | #define ECRYPTFS_SALT_SIZE_HEX (ECRYPTFS_SALT_SIZE*2) |
| 33 | /* The original signature size is only for what is stored on disk; all |
| 34 | * in-memory representations are expanded hex, so it better adapted to |
| 35 | * be passed around or referenced on the command line */ |
| 36 | #define ECRYPTFS_SIG_SIZE 8 |
| 37 | #define ECRYPTFS_SIG_SIZE_HEX (ECRYPTFS_SIG_SIZE*2) |
| 38 | #define ECRYPTFS_PASSWORD_SIG_SIZE ECRYPTFS_SIG_SIZE_HEX |
| 39 | #define ECRYPTFS_MAX_KEY_BYTES 64 |
| 40 | #define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512 |
| 41 | #define ECRYPTFS_FILE_VERSION 0x03 |
| 42 | #define ECRYPTFS_MAX_PKI_NAME_BYTES 16 |
| 43 | |
| 44 | #define RFC2440_CIPHER_DES3_EDE 0x02 |
| 45 | #define RFC2440_CIPHER_CAST_5 0x03 |
| 46 | #define RFC2440_CIPHER_BLOWFISH 0x04 |
| 47 | #define RFC2440_CIPHER_AES_128 0x07 |
| 48 | #define RFC2440_CIPHER_AES_192 0x08 |
| 49 | #define RFC2440_CIPHER_AES_256 0x09 |
| 50 | #define RFC2440_CIPHER_TWOFISH 0x0a |
| 51 | #define RFC2440_CIPHER_CAST_6 0x0b |
| 52 | |
| 53 | #define RFC2440_CIPHER_RSA 0x01 |
| 54 | |
| 55 | /** |
| 56 | * For convenience, we may need to pass around the encrypted session |
| 57 | * key between kernel and userspace because the authentication token |
| 58 | * may not be extractable. For example, the TPM may not release the |
| 59 | * private key, instead requiring the encrypted data and returning the |
| 60 | * decrypted data. |
| 61 | */ |
| 62 | struct ecryptfs_session_key { |
| 63 | #define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT 0x00000001 |
| 64 | #define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT 0x00000002 |
| 65 | #define ECRYPTFS_CONTAINS_DECRYPTED_KEY 0x00000004 |
| 66 | #define ECRYPTFS_CONTAINS_ENCRYPTED_KEY 0x00000008 |
| 67 | u32 flags; |
| 68 | u32 encrypted_key_size; |
| 69 | u32 decrypted_key_size; |
| 70 | u8 encrypted_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES]; |
| 71 | u8 decrypted_key[ECRYPTFS_MAX_KEY_BYTES]; |
| 72 | }; |
| 73 | |
| 74 | struct ecryptfs_password { |
| 75 | u32 password_bytes; |
| 76 | s32 hash_algo; |
| 77 | u32 hash_iterations; |
| 78 | u32 session_key_encryption_key_bytes; |
| 79 | #define ECRYPTFS_PERSISTENT_PASSWORD 0x01 |
| 80 | #define ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET 0x02 |
| 81 | u32 flags; |
| 82 | /* Iterated-hash concatenation of salt and passphrase */ |
| 83 | u8 session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES]; |
| 84 | u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1]; |
| 85 | /* Always in expanded hex */ |
| 86 | u8 salt[ECRYPTFS_SALT_SIZE]; |
| 87 | }; |
| 88 | |
| 89 | enum ecryptfs_token_types {ECRYPTFS_PASSWORD, ECRYPTFS_PRIVATE_KEY}; |
| 90 | |
| 91 | struct ecryptfs_private_key { |
| 92 | u32 key_size; |
| 93 | u32 data_len; |
| 94 | u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1]; |
| 95 | char pki_type[ECRYPTFS_MAX_PKI_NAME_BYTES + 1]; |
| 96 | u8 data[]; |
| 97 | }; |
| 98 | |
| 99 | /* May be a password or a private key */ |
| 100 | struct ecryptfs_auth_tok { |
| 101 | u16 version; /* 8-bit major and 8-bit minor */ |
| 102 | u16 token_type; |
| 103 | #define ECRYPTFS_ENCRYPT_ONLY 0x00000001 |
| 104 | u32 flags; |
| 105 | struct ecryptfs_session_key session_key; |
| 106 | u8 reserved[32]; |
| 107 | union { |
| 108 | struct ecryptfs_password password; |
| 109 | struct ecryptfs_private_key private_key; |
| 110 | } token; |
| 111 | } __attribute__ ((packed)); |
| 112 | |
| 113 | #endif /* _LINUX_ECRYPTFS_H */ |