1#ifndef _LINUX_ECRYPTFS_H 2#define _LINUX_ECRYPTFS_H 3 4/* Version verification for shared data structures w/ userspace */ 5#define ECRYPTFS_VERSION_MAJOR 0x00 6#define ECRYPTFS_VERSION_MINOR 0x04 7#define ECRYPTFS_SUPPORTED_FILE_VERSION 0x03 8/* These flags indicate which features are supported by the kernel 9 * module; userspace tools such as the mount helper read the feature 10 * bits from a sysfs handle in order to determine how to behave. */ 11#define ECRYPTFS_VERSIONING_PASSPHRASE 0x00000001 12#define ECRYPTFS_VERSIONING_PUBKEY 0x00000002 13#define ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH 0x00000004 14#define ECRYPTFS_VERSIONING_POLICY 0x00000008 15#define ECRYPTFS_VERSIONING_XATTR 0x00000010 16#define ECRYPTFS_VERSIONING_MULTKEY 0x00000020 17#define ECRYPTFS_VERSIONING_DEVMISC 0x00000040 18#define ECRYPTFS_VERSIONING_HMAC 0x00000080 19#define ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION 0x00000100 20#define ECRYPTFS_VERSIONING_GCM 0x00000200 21#define ECRYPTFS_MAX_PASSWORD_LENGTH 64 22#define ECRYPTFS_MAX_PASSPHRASE_BYTES ECRYPTFS_MAX_PASSWORD_LENGTH 23#define ECRYPTFS_SALT_SIZE 8 24#define ECRYPTFS_SALT_SIZE_HEX (ECRYPTFS_SALT_SIZE*2) 25/* The original signature size is only for what is stored on disk; all 26 * in-memory representations are expanded hex, so it better adapted to 27 * be passed around or referenced on the command line */ 28#define ECRYPTFS_SIG_SIZE 8 29#define ECRYPTFS_SIG_SIZE_HEX (ECRYPTFS_SIG_SIZE*2) 30#define ECRYPTFS_PASSWORD_SIG_SIZE ECRYPTFS_SIG_SIZE_HEX 31#define ECRYPTFS_MAX_KEY_BYTES 64 32#define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512 33#define ECRYPTFS_FILE_VERSION 0x03 34#define ECRYPTFS_MAX_PKI_NAME_BYTES 16 35 36#define RFC2440_CIPHER_DES3_EDE 0x02 37#define RFC2440_CIPHER_CAST_5 0x03 38#define RFC2440_CIPHER_BLOWFISH 0x04 39#define RFC2440_CIPHER_AES_128 0x07 40#define RFC2440_CIPHER_AES_192 0x08 41#define RFC2440_CIPHER_AES_256 0x09 42#define RFC2440_CIPHER_TWOFISH 0x0a 43#define RFC2440_CIPHER_CAST_6 0x0b 44 45#define RFC2440_CIPHER_RSA 0x01 46 47/** 48 * For convenience, we may need to pass around the encrypted session 49 * key between kernel and userspace because the authentication token 50 * may not be extractable. For example, the TPM may not release the 51 * private key, instead requiring the encrypted data and returning the 52 * decrypted data. 53 */ 54struct ecryptfs_session_key { 55#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT 0x00000001 56#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT 0x00000002 57#define ECRYPTFS_CONTAINS_DECRYPTED_KEY 0x00000004 58#define ECRYPTFS_CONTAINS_ENCRYPTED_KEY 0x00000008 59 u32 flags; 60 u32 encrypted_key_size; 61 u32 decrypted_key_size; 62 u8 encrypted_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES]; 63 u8 decrypted_key[ECRYPTFS_MAX_KEY_BYTES]; 64}; 65 66struct ecryptfs_password { 67 u32 password_bytes; 68 s32 hash_algo; 69 u32 hash_iterations; 70 u32 session_key_encryption_key_bytes; 71#define ECRYPTFS_PERSISTENT_PASSWORD 0x01 72#define ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET 0x02 73 u32 flags; 74 /* Iterated-hash concatenation of salt and passphrase */ 75 u8 session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES]; 76 u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1]; 77 /* Always in expanded hex */ 78 u8 salt[ECRYPTFS_SALT_SIZE]; 79}; 80 81enum ecryptfs_token_types {ECRYPTFS_PASSWORD, ECRYPTFS_PRIVATE_KEY}; 82 83struct ecryptfs_private_key { 84 u32 key_size; 85 u32 data_len; 86 u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1]; 87 char pki_type[ECRYPTFS_MAX_PKI_NAME_BYTES + 1]; 88 u8 data[]; 89}; 90 91/* May be a password or a private key */ 92struct ecryptfs_auth_tok { 93 u16 version; /* 8-bit major and 8-bit minor */ 94 u16 token_type; 95#define ECRYPTFS_ENCRYPT_ONLY 0x00000001 96 u32 flags; 97 struct ecryptfs_session_key session_key; 98 u8 reserved[32]; 99 union { 100 struct ecryptfs_password password; 101 struct ecryptfs_private_key private_key; 102 } token; 103} __attribute__ ((packed)); 104 105#endif /* _LINUX_ECRYPTFS_H */ 106