#ifndef _LINUX_ECRYPTFS_H #define _LINUX_ECRYPTFS_H /* Version verification for shared data structures w/ userspace */ #define ECRYPTFS_VERSION_MAJOR 0x00 #define ECRYPTFS_VERSION_MINOR 0x04 #define ECRYPTFS_SUPPORTED_FILE_VERSION 0x03 /* These flags indicate which features are supported by the kernel * module; userspace tools such as the mount helper read * ECRYPTFS_VERSIONING_MASK from a sysfs handle in order to determine * how to behave. */ #define ECRYPTFS_VERSIONING_PASSPHRASE 0x00000001 #define ECRYPTFS_VERSIONING_PUBKEY 0x00000002 #define ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH 0x00000004 #define ECRYPTFS_VERSIONING_POLICY 0x00000008 #define ECRYPTFS_VERSIONING_XATTR 0x00000010 #define ECRYPTFS_VERSIONING_MULTKEY 0x00000020 #define ECRYPTFS_VERSIONING_DEVMISC 0x00000040 #define ECRYPTFS_VERSIONING_HMAC 0x00000080 #define ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION 0x00000100 #define ECRYPTFS_VERSIONING_GCM 0x00000200 #define ECRYPTFS_VERSIONING_MASK (ECRYPTFS_VERSIONING_PASSPHRASE \ | ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH \ | ECRYPTFS_VERSIONING_PUBKEY \ | ECRYPTFS_VERSIONING_XATTR \ | ECRYPTFS_VERSIONING_MULTKEY \ | ECRYPTFS_VERSIONING_DEVMISC \ | ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION) #define ECRYPTFS_MAX_PASSWORD_LENGTH 64 #define ECRYPTFS_MAX_PASSPHRASE_BYTES ECRYPTFS_MAX_PASSWORD_LENGTH #define ECRYPTFS_SALT_SIZE 8 #define ECRYPTFS_SALT_SIZE_HEX (ECRYPTFS_SALT_SIZE*2) /* The original signature size is only for what is stored on disk; all * in-memory representations are expanded hex, so it better adapted to * be passed around or referenced on the command line */ #define ECRYPTFS_SIG_SIZE 8 #define ECRYPTFS_SIG_SIZE_HEX (ECRYPTFS_SIG_SIZE*2) #define ECRYPTFS_PASSWORD_SIG_SIZE ECRYPTFS_SIG_SIZE_HEX #define ECRYPTFS_MAX_KEY_BYTES 64 #define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512 #define ECRYPTFS_FILE_VERSION 0x03 #define ECRYPTFS_MAX_PKI_NAME_BYTES 16 #define RFC2440_CIPHER_DES3_EDE 0x02 #define RFC2440_CIPHER_CAST_5 0x03 #define RFC2440_CIPHER_BLOWFISH 0x04 #define RFC2440_CIPHER_AES_128 0x07 #define RFC2440_CIPHER_AES_192 0x08 #define RFC2440_CIPHER_AES_256 0x09 #define RFC2440_CIPHER_TWOFISH 0x0a #define RFC2440_CIPHER_CAST_6 0x0b #define RFC2440_CIPHER_RSA 0x01 /** * For convenience, we may need to pass around the encrypted session * key between kernel and userspace because the authentication token * may not be extractable. For example, the TPM may not release the * private key, instead requiring the encrypted data and returning the * decrypted data. */ struct ecryptfs_session_key { #define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT 0x00000001 #define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT 0x00000002 #define ECRYPTFS_CONTAINS_DECRYPTED_KEY 0x00000004 #define ECRYPTFS_CONTAINS_ENCRYPTED_KEY 0x00000008 u32 flags; u32 encrypted_key_size; u32 decrypted_key_size; u8 encrypted_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES]; u8 decrypted_key[ECRYPTFS_MAX_KEY_BYTES]; }; struct ecryptfs_password { u32 password_bytes; s32 hash_algo; u32 hash_iterations; u32 session_key_encryption_key_bytes; #define ECRYPTFS_PERSISTENT_PASSWORD 0x01 #define ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET 0x02 u32 flags; /* Iterated-hash concatenation of salt and passphrase */ u8 session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES]; u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1]; /* Always in expanded hex */ u8 salt[ECRYPTFS_SALT_SIZE]; }; enum ecryptfs_token_types {ECRYPTFS_PASSWORD, ECRYPTFS_PRIVATE_KEY}; struct ecryptfs_private_key { u32 key_size; u32 data_len; u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1]; char pki_type[ECRYPTFS_MAX_PKI_NAME_BYTES + 1]; u8 data[]; }; /* May be a password or a private key */ struct ecryptfs_auth_tok { u16 version; /* 8-bit major and 8-bit minor */ u16 token_type; #define ECRYPTFS_ENCRYPT_ONLY 0x00000001 u32 flags; struct ecryptfs_session_key session_key; u8 reserved[32]; union { struct ecryptfs_password password; struct ecryptfs_private_key private_key; } token; } __attribute__ ((packed)); #endif /* _LINUX_ECRYPTFS_H */