LXR linux/include/linux/ecryptfs.h

   1#ifndef _LINUX_ECRYPTFS_H
   2#define _LINUX_ECRYPTFS_H
   3
   4/* Version verification for shared data structures w/ userspace */
   5#define ECRYPTFS_VERSION_MAJOR 0x00
   6#define ECRYPTFS_VERSION_MINOR 0x04
   7#define ECRYPTFS_SUPPORTED_FILE_VERSION 0x03
   8/* These flags indicate which features are supported by the kernel
   9 * module; userspace tools such as the mount helper read
  10 * ECRYPTFS_VERSIONING_MASK from a sysfs handle in order to determine
  11 * how to behave. */
  12#define ECRYPTFS_VERSIONING_PASSPHRASE            0x00000001
  13#define ECRYPTFS_VERSIONING_PUBKEY                0x00000002
  14#define ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH 0x00000004
  15#define ECRYPTFS_VERSIONING_POLICY                0x00000008
  16#define ECRYPTFS_VERSIONING_XATTR                 0x00000010
  17#define ECRYPTFS_VERSIONING_MULTKEY               0x00000020
  18#define ECRYPTFS_VERSIONING_DEVMISC               0x00000040
  19#define ECRYPTFS_VERSIONING_HMAC                  0x00000080
  20#define ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION   0x00000100
  21#define ECRYPTFS_VERSIONING_GCM                   0x00000200
  22#define ECRYPTFS_VERSIONING_MASK (ECRYPTFS_VERSIONING_PASSPHRASE \
  23                                  | ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH \
  24                                  | ECRYPTFS_VERSIONING_PUBKEY \
  25                                  | ECRYPTFS_VERSIONING_XATTR \
  26                                  | ECRYPTFS_VERSIONING_MULTKEY \
  27                                  | ECRYPTFS_VERSIONING_DEVMISC \
  28                                  | ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION)
  29#define ECRYPTFS_MAX_PASSWORD_LENGTH 64
  30#define ECRYPTFS_MAX_PASSPHRASE_BYTES ECRYPTFS_MAX_PASSWORD_LENGTH
  31#define ECRYPTFS_SALT_SIZE 8
  32#define ECRYPTFS_SALT_SIZE_HEX (ECRYPTFS_SALT_SIZE*2)
  33/* The original signature size is only for what is stored on disk; all
  34 * in-memory representations are expanded hex, so it better adapted to
  35 * be passed around or referenced on the command line */
  36#define ECRYPTFS_SIG_SIZE 8
  37#define ECRYPTFS_SIG_SIZE_HEX (ECRYPTFS_SIG_SIZE*2)
  38#define ECRYPTFS_PASSWORD_SIG_SIZE ECRYPTFS_SIG_SIZE_HEX
  39#define ECRYPTFS_MAX_KEY_BYTES 64
  40#define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512
  41#define ECRYPTFS_FILE_VERSION 0x03
  42#define ECRYPTFS_MAX_PKI_NAME_BYTES 16
  43
  44#define RFC2440_CIPHER_DES3_EDE 0x02
  45#define RFC2440_CIPHER_CAST_5 0x03
  46#define RFC2440_CIPHER_BLOWFISH 0x04
  47#define RFC2440_CIPHER_AES_128 0x07
  48#define RFC2440_CIPHER_AES_192 0x08
  49#define RFC2440_CIPHER_AES_256 0x09
  50#define RFC2440_CIPHER_TWOFISH 0x0a
  51#define RFC2440_CIPHER_CAST_6 0x0b
  52
  53#define RFC2440_CIPHER_RSA 0x01
  54
  55/**
  56 * For convenience, we may need to pass around the encrypted session
  57 * key between kernel and userspace because the authentication token
  58 * may not be extractable.  For example, the TPM may not release the
  59 * private key, instead requiring the encrypted data and returning the
  60 * decrypted data.
  61 */
  62struct ecryptfs_session_key {
  63#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT 0x00000001
  64#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT 0x00000002
  65#define ECRYPTFS_CONTAINS_DECRYPTED_KEY 0x00000004
  66#define ECRYPTFS_CONTAINS_ENCRYPTED_KEY 0x00000008
  67        u32 flags;
  68        u32 encrypted_key_size;
  69        u32 decrypted_key_size;
  70        u8 encrypted_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES];
  71        u8 decrypted_key[ECRYPTFS_MAX_KEY_BYTES];
  72};
  73
  74struct ecryptfs_password {
  75        u32 password_bytes;
  76        s32 hash_algo;
  77        u32 hash_iterations;
  78        u32 session_key_encryption_key_bytes;
  79#define ECRYPTFS_PERSISTENT_PASSWORD 0x01
  80#define ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET 0x02
  81        u32 flags;
  82        /* Iterated-hash concatenation of salt and passphrase */
  83        u8 session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES];
  84        u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
  85        /* Always in expanded hex */
  86        u8 salt[ECRYPTFS_SALT_SIZE];
  87};
  88
  89enum ecryptfs_token_types {ECRYPTFS_PASSWORD, ECRYPTFS_PRIVATE_KEY};
  90
  91struct ecryptfs_private_key {
  92        u32 key_size;
  93        u32 data_len;
  94        u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
  95        char pki_type[ECRYPTFS_MAX_PKI_NAME_BYTES + 1];
  96        u8 data[];
  97};
  98
  99/* May be a password or a private key */
 100struct ecryptfs_auth_tok {
 101        u16 version; /* 8-bit major and 8-bit minor */
 102        u16 token_type;
 103#define ECRYPTFS_ENCRYPT_ONLY 0x00000001
 104        u32 flags;
 105        struct ecryptfs_session_key session_key;
 106        u8 reserved[32];
 107        union {
 108                struct ecryptfs_password password;
 109                struct ecryptfs_private_key private_key;
 110        } token;
 111} __attribute__ ((packed));
 112
 113#endif /* _LINUX_ECRYPTFS_H */
 114