1 #ifndef _LINUX_ECRYPTFS_H
2 #define _LINUX_ECRYPTFS_H
4 /* Version verification for shared data structures w/ userspace */
5 #define ECRYPTFS_VERSION_MAJOR 0x00
6 #define ECRYPTFS_VERSION_MINOR 0x04
7 #define ECRYPTFS_SUPPORTED_FILE_VERSION 0x03
8 /* These flags indicate which features are supported by the kernel
9 * module; userspace tools such as the mount helper read the feature
10 * bits from a sysfs handle in order to determine how to behave. */
11 #define ECRYPTFS_VERSIONING_PASSPHRASE 0x00000001
12 #define ECRYPTFS_VERSIONING_PUBKEY 0x00000002
13 #define ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH 0x00000004
14 #define ECRYPTFS_VERSIONING_POLICY 0x00000008
15 #define ECRYPTFS_VERSIONING_XATTR 0x00000010
16 #define ECRYPTFS_VERSIONING_MULTKEY 0x00000020
17 #define ECRYPTFS_VERSIONING_DEVMISC 0x00000040
18 #define ECRYPTFS_VERSIONING_HMAC 0x00000080
19 #define ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION 0x00000100
20 #define ECRYPTFS_VERSIONING_GCM 0x00000200
21 #define ECRYPTFS_MAX_PASSWORD_LENGTH 64
22 #define ECRYPTFS_MAX_PASSPHRASE_BYTES ECRYPTFS_MAX_PASSWORD_LENGTH
23 #define ECRYPTFS_SALT_SIZE 8
24 #define ECRYPTFS_SALT_SIZE_HEX (ECRYPTFS_SALT_SIZE*2)
25 /* The original signature size is only for what is stored on disk; all
26 * in-memory representations are expanded hex, so it better adapted to
27 * be passed around or referenced on the command line */
28 #define ECRYPTFS_SIG_SIZE 8
29 #define ECRYPTFS_SIG_SIZE_HEX (ECRYPTFS_SIG_SIZE*2)
30 #define ECRYPTFS_PASSWORD_SIG_SIZE ECRYPTFS_SIG_SIZE_HEX
31 #define ECRYPTFS_MAX_KEY_BYTES 64
32 #define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512
33 #define ECRYPTFS_FILE_VERSION 0x03
34 #define ECRYPTFS_MAX_PKI_NAME_BYTES 16
36 #define RFC2440_CIPHER_DES3_EDE 0x02
37 #define RFC2440_CIPHER_CAST_5 0x03
38 #define RFC2440_CIPHER_BLOWFISH 0x04
39 #define RFC2440_CIPHER_AES_128 0x07
40 #define RFC2440_CIPHER_AES_192 0x08
41 #define RFC2440_CIPHER_AES_256 0x09
42 #define RFC2440_CIPHER_TWOFISH 0x0a
43 #define RFC2440_CIPHER_CAST_6 0x0b
45 #define RFC2440_CIPHER_RSA 0x01
48 * For convenience, we may need to pass around the encrypted session
49 * key between kernel and userspace because the authentication token
50 * may not be extractable. For example, the TPM may not release the
51 * private key, instead requiring the encrypted data and returning the
54 struct ecryptfs_session_key
{
55 #define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT 0x00000001
56 #define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT 0x00000002
57 #define ECRYPTFS_CONTAINS_DECRYPTED_KEY 0x00000004
58 #define ECRYPTFS_CONTAINS_ENCRYPTED_KEY 0x00000008
60 u32 encrypted_key_size
;
61 u32 decrypted_key_size
;
62 u8 encrypted_key
[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES
];
63 u8 decrypted_key
[ECRYPTFS_MAX_KEY_BYTES
];
66 struct ecryptfs_password
{
70 u32 session_key_encryption_key_bytes
;
71 #define ECRYPTFS_PERSISTENT_PASSWORD 0x01
72 #define ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET 0x02
74 /* Iterated-hash concatenation of salt and passphrase */
75 u8 session_key_encryption_key
[ECRYPTFS_MAX_KEY_BYTES
];
76 u8 signature
[ECRYPTFS_PASSWORD_SIG_SIZE
+ 1];
77 /* Always in expanded hex */
78 u8 salt
[ECRYPTFS_SALT_SIZE
];
81 enum ecryptfs_token_types
{ECRYPTFS_PASSWORD
, ECRYPTFS_PRIVATE_KEY
};
83 struct ecryptfs_private_key
{
86 u8 signature
[ECRYPTFS_PASSWORD_SIG_SIZE
+ 1];
87 char pki_type
[ECRYPTFS_MAX_PKI_NAME_BYTES
+ 1];
91 /* May be a password or a private key */
92 struct ecryptfs_auth_tok
{
93 u16 version
; /* 8-bit major and 8-bit minor */
95 #define ECRYPTFS_ENCRYPT_ONLY 0x00000001
97 struct ecryptfs_session_key session_key
;
100 struct ecryptfs_password password
;
101 struct ecryptfs_private_key private_key
;
103 } __attribute__ ((packed
));
105 #endif /* _LINUX_ECRYPTFS_H */