1 #ifndef _LINUX_ECRYPTFS_H
2 #define _LINUX_ECRYPTFS_H
3 
4 /* Version verification for shared data structures w/ userspace */
5 #define ECRYPTFS_VERSION_MAJOR 0x00
6 #define ECRYPTFS_VERSION_MINOR 0x04
7 #define ECRYPTFS_SUPPORTED_FILE_VERSION 0x03
8 /* These flags indicate which features are supported by the kernel
9  * module; userspace tools such as the mount helper read
10  * ECRYPTFS_VERSIONING_MASK from a sysfs handle in order to determine
11  * how to behave. */
12 #define ECRYPTFS_VERSIONING_PASSPHRASE            0x00000001
13 #define ECRYPTFS_VERSIONING_PUBKEY                0x00000002
14 #define ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH 0x00000004
15 #define ECRYPTFS_VERSIONING_POLICY                0x00000008
16 #define ECRYPTFS_VERSIONING_XATTR                 0x00000010
17 #define ECRYPTFS_VERSIONING_MULTKEY               0x00000020
18 #define ECRYPTFS_VERSIONING_DEVMISC               0x00000040
19 #define ECRYPTFS_VERSIONING_HMAC                  0x00000080
20 #define ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION   0x00000100
21 #define ECRYPTFS_VERSIONING_GCM                   0x00000200
22 #define ECRYPTFS_VERSIONING_MASK (ECRYPTFS_VERSIONING_PASSPHRASE \
23 				  | ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH \
24 				  | ECRYPTFS_VERSIONING_PUBKEY \
25 				  | ECRYPTFS_VERSIONING_XATTR \
26 				  | ECRYPTFS_VERSIONING_MULTKEY \
27 				  | ECRYPTFS_VERSIONING_DEVMISC \
28 				  | ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION)
29 #define ECRYPTFS_MAX_PASSWORD_LENGTH 64
30 #define ECRYPTFS_MAX_PASSPHRASE_BYTES ECRYPTFS_MAX_PASSWORD_LENGTH
31 #define ECRYPTFS_SALT_SIZE 8
32 #define ECRYPTFS_SALT_SIZE_HEX (ECRYPTFS_SALT_SIZE*2)
33 /* The original signature size is only for what is stored on disk; all
34  * in-memory representations are expanded hex, so it better adapted to
35  * be passed around or referenced on the command line */
36 #define ECRYPTFS_SIG_SIZE 8
37 #define ECRYPTFS_SIG_SIZE_HEX (ECRYPTFS_SIG_SIZE*2)
38 #define ECRYPTFS_PASSWORD_SIG_SIZE ECRYPTFS_SIG_SIZE_HEX
39 #define ECRYPTFS_MAX_KEY_BYTES 64
40 #define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512
41 #define ECRYPTFS_FILE_VERSION 0x03
42 #define ECRYPTFS_MAX_PKI_NAME_BYTES 16
43 
44 #define RFC2440_CIPHER_DES3_EDE 0x02
45 #define RFC2440_CIPHER_CAST_5 0x03
46 #define RFC2440_CIPHER_BLOWFISH 0x04
47 #define RFC2440_CIPHER_AES_128 0x07
48 #define RFC2440_CIPHER_AES_192 0x08
49 #define RFC2440_CIPHER_AES_256 0x09
50 #define RFC2440_CIPHER_TWOFISH 0x0a
51 #define RFC2440_CIPHER_CAST_6 0x0b
52 
53 #define RFC2440_CIPHER_RSA 0x01
54 
55 /**
56  * For convenience, we may need to pass around the encrypted session
57  * key between kernel and userspace because the authentication token
58  * may not be extractable.  For example, the TPM may not release the
59  * private key, instead requiring the encrypted data and returning the
60  * decrypted data.
61  */
62 struct ecryptfs_session_key {
63 #define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT 0x00000001
64 #define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT 0x00000002
65 #define ECRYPTFS_CONTAINS_DECRYPTED_KEY 0x00000004
66 #define ECRYPTFS_CONTAINS_ENCRYPTED_KEY 0x00000008
67 	u32 flags;
68 	u32 encrypted_key_size;
69 	u32 decrypted_key_size;
70 	u8 encrypted_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES];
71 	u8 decrypted_key[ECRYPTFS_MAX_KEY_BYTES];
72 };
73 
74 struct ecryptfs_password {
75 	u32 password_bytes;
76 	s32 hash_algo;
77 	u32 hash_iterations;
78 	u32 session_key_encryption_key_bytes;
79 #define ECRYPTFS_PERSISTENT_PASSWORD 0x01
80 #define ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET 0x02
81 	u32 flags;
82 	/* Iterated-hash concatenation of salt and passphrase */
83 	u8 session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES];
84 	u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
85 	/* Always in expanded hex */
86 	u8 salt[ECRYPTFS_SALT_SIZE];
87 };
88 
89 enum ecryptfs_token_types {ECRYPTFS_PASSWORD, ECRYPTFS_PRIVATE_KEY};
90 
91 struct ecryptfs_private_key {
92 	u32 key_size;
93 	u32 data_len;
94 	u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
95 	char pki_type[ECRYPTFS_MAX_PKI_NAME_BYTES + 1];
96 	u8 data[];
97 };
98 
99 /* May be a password or a private key */
100 struct ecryptfs_auth_tok {
101 	u16 version; /* 8-bit major and 8-bit minor */
102 	u16 token_type;
103 #define ECRYPTFS_ENCRYPT_ONLY 0x00000001
104 	u32 flags;
105 	struct ecryptfs_session_key session_key;
106 	u8 reserved[32];
107 	union {
108 		struct ecryptfs_password password;
109 		struct ecryptfs_private_key private_key;
110 	} token;
111 } __attribute__ ((packed));
112 
113 #endif /* _LINUX_ECRYPTFS_H */
114