Commit | Line | Data |
---|---|---|
f8f85271 RS |
1 | #ifndef _LINUX_ECRYPTFS_H |
2 | #define _LINUX_ECRYPTFS_H | |
3 | ||
4 | /* Version verification for shared data structures w/ userspace */ | |
5 | #define ECRYPTFS_VERSION_MAJOR 0x00 | |
6 | #define ECRYPTFS_VERSION_MINOR 0x04 | |
7 | #define ECRYPTFS_SUPPORTED_FILE_VERSION 0x03 | |
8 | /* These flags indicate which features are supported by the kernel | |
290502be KC |
9 | * module; userspace tools such as the mount helper read the feature |
10 | * bits from a sysfs handle in order to determine how to behave. */ | |
f8f85271 RS |
11 | #define ECRYPTFS_VERSIONING_PASSPHRASE 0x00000001 |
12 | #define ECRYPTFS_VERSIONING_PUBKEY 0x00000002 | |
13 | #define ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH 0x00000004 | |
14 | #define ECRYPTFS_VERSIONING_POLICY 0x00000008 | |
15 | #define ECRYPTFS_VERSIONING_XATTR 0x00000010 | |
16 | #define ECRYPTFS_VERSIONING_MULTKEY 0x00000020 | |
17 | #define ECRYPTFS_VERSIONING_DEVMISC 0x00000040 | |
18 | #define ECRYPTFS_VERSIONING_HMAC 0x00000080 | |
19 | #define ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION 0x00000100 | |
20 | #define ECRYPTFS_VERSIONING_GCM 0x00000200 | |
f8f85271 RS |
21 | #define ECRYPTFS_MAX_PASSWORD_LENGTH 64 |
22 | #define ECRYPTFS_MAX_PASSPHRASE_BYTES ECRYPTFS_MAX_PASSWORD_LENGTH | |
23 | #define ECRYPTFS_SALT_SIZE 8 | |
24 | #define ECRYPTFS_SALT_SIZE_HEX (ECRYPTFS_SALT_SIZE*2) | |
25 | /* The original signature size is only for what is stored on disk; all | |
26 | * in-memory representations are expanded hex, so it better adapted to | |
27 | * be passed around or referenced on the command line */ | |
28 | #define ECRYPTFS_SIG_SIZE 8 | |
29 | #define ECRYPTFS_SIG_SIZE_HEX (ECRYPTFS_SIG_SIZE*2) | |
30 | #define ECRYPTFS_PASSWORD_SIG_SIZE ECRYPTFS_SIG_SIZE_HEX | |
31 | #define ECRYPTFS_MAX_KEY_BYTES 64 | |
32 | #define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512 | |
33 | #define ECRYPTFS_FILE_VERSION 0x03 | |
34 | #define ECRYPTFS_MAX_PKI_NAME_BYTES 16 | |
35 | ||
36 | #define RFC2440_CIPHER_DES3_EDE 0x02 | |
37 | #define RFC2440_CIPHER_CAST_5 0x03 | |
38 | #define RFC2440_CIPHER_BLOWFISH 0x04 | |
39 | #define RFC2440_CIPHER_AES_128 0x07 | |
40 | #define RFC2440_CIPHER_AES_192 0x08 | |
41 | #define RFC2440_CIPHER_AES_256 0x09 | |
42 | #define RFC2440_CIPHER_TWOFISH 0x0a | |
43 | #define RFC2440_CIPHER_CAST_6 0x0b | |
44 | ||
45 | #define RFC2440_CIPHER_RSA 0x01 | |
46 | ||
47 | /** | |
48 | * For convenience, we may need to pass around the encrypted session | |
49 | * key between kernel and userspace because the authentication token | |
50 | * may not be extractable. For example, the TPM may not release the | |
51 | * private key, instead requiring the encrypted data and returning the | |
52 | * decrypted data. | |
53 | */ | |
54 | struct ecryptfs_session_key { | |
55 | #define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT 0x00000001 | |
56 | #define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT 0x00000002 | |
57 | #define ECRYPTFS_CONTAINS_DECRYPTED_KEY 0x00000004 | |
58 | #define ECRYPTFS_CONTAINS_ENCRYPTED_KEY 0x00000008 | |
59 | u32 flags; | |
60 | u32 encrypted_key_size; | |
61 | u32 decrypted_key_size; | |
62 | u8 encrypted_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES]; | |
63 | u8 decrypted_key[ECRYPTFS_MAX_KEY_BYTES]; | |
64 | }; | |
65 | ||
66 | struct ecryptfs_password { | |
67 | u32 password_bytes; | |
68 | s32 hash_algo; | |
69 | u32 hash_iterations; | |
70 | u32 session_key_encryption_key_bytes; | |
71 | #define ECRYPTFS_PERSISTENT_PASSWORD 0x01 | |
72 | #define ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET 0x02 | |
73 | u32 flags; | |
74 | /* Iterated-hash concatenation of salt and passphrase */ | |
75 | u8 session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES]; | |
76 | u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1]; | |
77 | /* Always in expanded hex */ | |
78 | u8 salt[ECRYPTFS_SALT_SIZE]; | |
79 | }; | |
80 | ||
81 | enum ecryptfs_token_types {ECRYPTFS_PASSWORD, ECRYPTFS_PRIVATE_KEY}; | |
82 | ||
83 | struct ecryptfs_private_key { | |
84 | u32 key_size; | |
85 | u32 data_len; | |
86 | u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1]; | |
87 | char pki_type[ECRYPTFS_MAX_PKI_NAME_BYTES + 1]; | |
88 | u8 data[]; | |
89 | }; | |
90 | ||
91 | /* May be a password or a private key */ | |
92 | struct ecryptfs_auth_tok { | |
93 | u16 version; /* 8-bit major and 8-bit minor */ | |
94 | u16 token_type; | |
95 | #define ECRYPTFS_ENCRYPT_ONLY 0x00000001 | |
96 | u32 flags; | |
97 | struct ecryptfs_session_key session_key; | |
98 | u8 reserved[32]; | |
99 | union { | |
100 | struct ecryptfs_password password; | |
101 | struct ecryptfs_private_key private_key; | |
102 | } token; | |
103 | } __attribute__ ((packed)); | |
104 | ||
105 | #endif /* _LINUX_ECRYPTFS_H */ |