root/include/linux/ecryptfs.h

INCLUDED FROM

   1 /* SPDX-License-Identifier: GPL-2.0 */
   2 #ifndef _LINUX_ECRYPTFS_H
   3 #define _LINUX_ECRYPTFS_H
   4 
   5 /* Version verification for shared data structures w/ userspace */
   6 #define ECRYPTFS_VERSION_MAJOR 0x00
   7 #define ECRYPTFS_VERSION_MINOR 0x04
   8 #define ECRYPTFS_SUPPORTED_FILE_VERSION 0x03
   9 /* These flags indicate which features are supported by the kernel
  10  * module; userspace tools such as the mount helper read the feature
  11  * bits from a sysfs handle in order to determine how to behave. */
  12 #define ECRYPTFS_VERSIONING_PASSPHRASE            0x00000001
  13 #define ECRYPTFS_VERSIONING_PUBKEY                0x00000002
  14 #define ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH 0x00000004
  15 #define ECRYPTFS_VERSIONING_POLICY                0x00000008
  16 #define ECRYPTFS_VERSIONING_XATTR                 0x00000010
  17 #define ECRYPTFS_VERSIONING_MULTKEY               0x00000020
  18 #define ECRYPTFS_VERSIONING_DEVMISC               0x00000040
  19 #define ECRYPTFS_VERSIONING_HMAC                  0x00000080
  20 #define ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION   0x00000100
  21 #define ECRYPTFS_VERSIONING_GCM                   0x00000200
  22 #define ECRYPTFS_MAX_PASSWORD_LENGTH 64
  23 #define ECRYPTFS_MAX_PASSPHRASE_BYTES ECRYPTFS_MAX_PASSWORD_LENGTH
  24 #define ECRYPTFS_SALT_SIZE 8
  25 #define ECRYPTFS_SALT_SIZE_HEX (ECRYPTFS_SALT_SIZE*2)
  26 /* The original signature size is only for what is stored on disk; all
  27  * in-memory representations are expanded hex, so it better adapted to
  28  * be passed around or referenced on the command line */
  29 #define ECRYPTFS_SIG_SIZE 8
  30 #define ECRYPTFS_SIG_SIZE_HEX (ECRYPTFS_SIG_SIZE*2)
  31 #define ECRYPTFS_PASSWORD_SIG_SIZE ECRYPTFS_SIG_SIZE_HEX
  32 #define ECRYPTFS_MAX_KEY_BYTES 64
  33 #define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512
  34 #define ECRYPTFS_FILE_VERSION 0x03
  35 #define ECRYPTFS_MAX_PKI_NAME_BYTES 16
  36 
  37 #define RFC2440_CIPHER_DES3_EDE 0x02
  38 #define RFC2440_CIPHER_CAST_5 0x03
  39 #define RFC2440_CIPHER_BLOWFISH 0x04
  40 #define RFC2440_CIPHER_AES_128 0x07
  41 #define RFC2440_CIPHER_AES_192 0x08
  42 #define RFC2440_CIPHER_AES_256 0x09
  43 #define RFC2440_CIPHER_TWOFISH 0x0a
  44 #define RFC2440_CIPHER_CAST_6 0x0b
  45 
  46 #define RFC2440_CIPHER_RSA 0x01
  47 
  48 /**
  49  * For convenience, we may need to pass around the encrypted session
  50  * key between kernel and userspace because the authentication token
  51  * may not be extractable.  For example, the TPM may not release the
  52  * private key, instead requiring the encrypted data and returning the
  53  * decrypted data.
  54  */
  55 struct ecryptfs_session_key {
  56 #define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT 0x00000001
  57 #define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT 0x00000002
  58 #define ECRYPTFS_CONTAINS_DECRYPTED_KEY 0x00000004
  59 #define ECRYPTFS_CONTAINS_ENCRYPTED_KEY 0x00000008
  60         u32 flags;
  61         u32 encrypted_key_size;
  62         u32 decrypted_key_size;
  63         u8 encrypted_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES];
  64         u8 decrypted_key[ECRYPTFS_MAX_KEY_BYTES];
  65 };
  66 
  67 struct ecryptfs_password {
  68         u32 password_bytes;
  69         s32 hash_algo;
  70         u32 hash_iterations;
  71         u32 session_key_encryption_key_bytes;
  72 #define ECRYPTFS_PERSISTENT_PASSWORD 0x01
  73 #define ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET 0x02
  74         u32 flags;
  75         /* Iterated-hash concatenation of salt and passphrase */
  76         u8 session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES];
  77         u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
  78         /* Always in expanded hex */
  79         u8 salt[ECRYPTFS_SALT_SIZE];
  80 };
  81 
  82 enum ecryptfs_token_types {ECRYPTFS_PASSWORD, ECRYPTFS_PRIVATE_KEY};
  83 
  84 struct ecryptfs_private_key {
  85         u32 key_size;
  86         u32 data_len;
  87         u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
  88         char pki_type[ECRYPTFS_MAX_PKI_NAME_BYTES + 1];
  89         u8 data[];
  90 };
  91 
  92 /* May be a password or a private key */
  93 struct ecryptfs_auth_tok {
  94         u16 version; /* 8-bit major and 8-bit minor */
  95         u16 token_type;
  96 #define ECRYPTFS_ENCRYPT_ONLY 0x00000001
  97         u32 flags;
  98         struct ecryptfs_session_key session_key;
  99         u8 reserved[32];
 100         union {
 101                 struct ecryptfs_password password;
 102                 struct ecryptfs_private_key private_key;
 103         } token;
 104 } __attribute__ ((packed));
 105 
 106 #endif /* _LINUX_ECRYPTFS_H */