[deliverable/linux.git] / include / linux / ecryptfs.h

#ifndef _LINUX_ECRYPTFS_H
#define _LINUX_ECRYPTFS_H

/* Version verification for shared data structures w/ userspace */
#define ECRYPTFS_VERSION_MAJOR 0x00
#define ECRYPTFS_VERSION_MINOR 0x04
#define ECRYPTFS_SUPPORTED_FILE_VERSION 0x03
/* These flags indicate which features are supported by the kernel
 * module; userspace tools such as the mount helper read
 * ECRYPTFS_VERSIONING_MASK from a sysfs handle in order to determine
 * how to behave. */
#define ECRYPTFS_VERSIONING_PASSPHRASE            0x00000001
#define ECRYPTFS_VERSIONING_PUBKEY                0x00000002
#define ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH 0x00000004
#define ECRYPTFS_VERSIONING_POLICY                0x00000008
#define ECRYPTFS_VERSIONING_XATTR                 0x00000010
#define ECRYPTFS_VERSIONING_MULTKEY               0x00000020
#define ECRYPTFS_VERSIONING_DEVMISC               0x00000040
#define ECRYPTFS_VERSIONING_HMAC                  0x00000080
#define ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION   0x00000100
#define ECRYPTFS_VERSIONING_GCM                   0x00000200
#define ECRYPTFS_VERSIONING_MASK (ECRYPTFS_VERSIONING_PASSPHRASE \
				  | ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH \
				  | ECRYPTFS_VERSIONING_PUBKEY \
				  | ECRYPTFS_VERSIONING_XATTR \
				  | ECRYPTFS_VERSIONING_MULTKEY \
				  | ECRYPTFS_VERSIONING_DEVMISC \
				  | ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION)
#define ECRYPTFS_MAX_PASSWORD_LENGTH 64
#define ECRYPTFS_MAX_PASSPHRASE_BYTES ECRYPTFS_MAX_PASSWORD_LENGTH
#define ECRYPTFS_SALT_SIZE 8
#define ECRYPTFS_SALT_SIZE_HEX (ECRYPTFS_SALT_SIZE*2)
/* The original signature size is only for what is stored on disk; all
 * in-memory representations are expanded hex, so it better adapted to
 * be passed around or referenced on the command line */
#define ECRYPTFS_SIG_SIZE 8
#define ECRYPTFS_SIG_SIZE_HEX (ECRYPTFS_SIG_SIZE*2)
#define ECRYPTFS_PASSWORD_SIG_SIZE ECRYPTFS_SIG_SIZE_HEX
#define ECRYPTFS_MAX_KEY_BYTES 64
#define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512
#define ECRYPTFS_FILE_VERSION 0x03
#define ECRYPTFS_MAX_PKI_NAME_BYTES 16

#define RFC2440_CIPHER_DES3_EDE 0x02
#define RFC2440_CIPHER_CAST_5 0x03
#define RFC2440_CIPHER_BLOWFISH 0x04
#define RFC2440_CIPHER_AES_128 0x07
#define RFC2440_CIPHER_AES_192 0x08
#define RFC2440_CIPHER_AES_256 0x09
#define RFC2440_CIPHER_TWOFISH 0x0a
#define RFC2440_CIPHER_CAST_6 0x0b

#define RFC2440_CIPHER_RSA 0x01

/**
 * For convenience, we may need to pass around the encrypted session
 * key between kernel and userspace because the authentication token
 * may not be extractable.  For example, the TPM may not release the
 * private key, instead requiring the encrypted data and returning the
 * decrypted data.
 */
struct ecryptfs_session_key {
#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT 0x00000001
#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT 0x00000002
#define ECRYPTFS_CONTAINS_DECRYPTED_KEY 0x00000004
#define ECRYPTFS_CONTAINS_ENCRYPTED_KEY 0x00000008
	u32 flags;
	u32 encrypted_key_size;
	u32 decrypted_key_size;
	u8 encrypted_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES];
	u8 decrypted_key[ECRYPTFS_MAX_KEY_BYTES];
};

struct ecryptfs_password {
	u32 password_bytes;
	s32 hash_algo;
	u32 hash_iterations;
	u32 session_key_encryption_key_bytes;
#define ECRYPTFS_PERSISTENT_PASSWORD 0x01
#define ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET 0x02
	u32 flags;
	/* Iterated-hash concatenation of salt and passphrase */
	u8 session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES];
	u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
	/* Always in expanded hex */
	u8 salt[ECRYPTFS_SALT_SIZE];
};

enum ecryptfs_token_types {ECRYPTFS_PASSWORD, ECRYPTFS_PRIVATE_KEY};

struct ecryptfs_private_key {
	u32 key_size;
	u32 data_len;
	u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
	char pki_type[ECRYPTFS_MAX_PKI_NAME_BYTES + 1];
	u8 data[];
};

/* May be a password or a private key */
struct ecryptfs_auth_tok {
	u16 version; /* 8-bit major and 8-bit minor */
	u16 token_type;
#define ECRYPTFS_ENCRYPT_ONLY 0x00000001
	u32 flags;
	struct ecryptfs_session_key session_key;
	u8 reserved[32];
	union {
		struct ecryptfs_password password;
		struct ecryptfs_private_key private_key;
	} token;
} __attribute__ ((packed));

#endif /* _LINUX_ECRYPTFS_H */
Commit	Line	Data
f8f85271 RS	1	#ifndef _LINUX_ECRYPTFS_H
	2	#define _LINUX_ECRYPTFS_H
	3
	4	/* Version verification for shared data structures w/ userspace */
	5	#define ECRYPTFS_VERSION_MAJOR 0x00
	6	#define ECRYPTFS_VERSION_MINOR 0x04
	7	#define ECRYPTFS_SUPPORTED_FILE_VERSION 0x03
	8	/* These flags indicate which features are supported by the kernel
	9	* module; userspace tools such as the mount helper read
	10	* ECRYPTFS_VERSIONING_MASK from a sysfs handle in order to determine
	11	* how to behave. */
	12	#define ECRYPTFS_VERSIONING_PASSPHRASE 0x00000001
	13	#define ECRYPTFS_VERSIONING_PUBKEY 0x00000002
	14	#define ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH 0x00000004
	15	#define ECRYPTFS_VERSIONING_POLICY 0x00000008
	16	#define ECRYPTFS_VERSIONING_XATTR 0x00000010
	17	#define ECRYPTFS_VERSIONING_MULTKEY 0x00000020
	18	#define ECRYPTFS_VERSIONING_DEVMISC 0x00000040
	19	#define ECRYPTFS_VERSIONING_HMAC 0x00000080
	20	#define ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION 0x00000100
	21	#define ECRYPTFS_VERSIONING_GCM 0x00000200
	22	#define ECRYPTFS_VERSIONING_MASK (ECRYPTFS_VERSIONING_PASSPHRASE \
	23	\| ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH \
	24	\| ECRYPTFS_VERSIONING_PUBKEY \
	25	\| ECRYPTFS_VERSIONING_XATTR \
	26	\| ECRYPTFS_VERSIONING_MULTKEY \
	27	\| ECRYPTFS_VERSIONING_DEVMISC \
	28	\| ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION)
	29	#define ECRYPTFS_MAX_PASSWORD_LENGTH 64
	30	#define ECRYPTFS_MAX_PASSPHRASE_BYTES ECRYPTFS_MAX_PASSWORD_LENGTH
	31	#define ECRYPTFS_SALT_SIZE 8
	32	#define ECRYPTFS_SALT_SIZE_HEX (ECRYPTFS_SALT_SIZE*2)
	33	/* The original signature size is only for what is stored on disk; all
	34	* in-memory representations are expanded hex, so it better adapted to
	35	* be passed around or referenced on the command line */
	36	#define ECRYPTFS_SIG_SIZE 8
	37	#define ECRYPTFS_SIG_SIZE_HEX (ECRYPTFS_SIG_SIZE*2)
	38	#define ECRYPTFS_PASSWORD_SIG_SIZE ECRYPTFS_SIG_SIZE_HEX
	39	#define ECRYPTFS_MAX_KEY_BYTES 64
	40	#define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512
	41	#define ECRYPTFS_FILE_VERSION 0x03
	42	#define ECRYPTFS_MAX_PKI_NAME_BYTES 16
	43
	44	#define RFC2440_CIPHER_DES3_EDE 0x02
	45	#define RFC2440_CIPHER_CAST_5 0x03
	46	#define RFC2440_CIPHER_BLOWFISH 0x04
	47	#define RFC2440_CIPHER_AES_128 0x07
	48	#define RFC2440_CIPHER_AES_192 0x08
	49	#define RFC2440_CIPHER_AES_256 0x09
	50	#define RFC2440_CIPHER_TWOFISH 0x0a
	51	#define RFC2440_CIPHER_CAST_6 0x0b
	52
	53	#define RFC2440_CIPHER_RSA 0x01
	54
	55	/**
	56	* For convenience, we may need to pass around the encrypted session
	57	* key between kernel and userspace because the authentication token
	58	* may not be extractable. For example, the TPM may not release the
	59	* private key, instead requiring the encrypted data and returning the
	60	* decrypted data.
	61	*/
	62	struct ecryptfs_session_key {
	63	#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT 0x00000001
	64	#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT 0x00000002
65	#define ECRYPTFS_CONTAINS_DECRYPTED_KEY 0x00000004
66	#define ECRYPTFS_CONTAINS_ENCRYPTED_KEY 0x00000008
67	u32 flags;
68	u32 encrypted_key_size;
69	u32 decrypted_key_size;
70	u8 encrypted_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES];
71	u8 decrypted_key[ECRYPTFS_MAX_KEY_BYTES];
72	};
73
74	struct ecryptfs_password {
75	u32 password_bytes;
76	s32 hash_algo;
77	u32 hash_iterations;
78	u32 session_key_encryption_key_bytes;
79	#define ECRYPTFS_PERSISTENT_PASSWORD 0x01
80	#define ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET 0x02
81	u32 flags;
82	/* Iterated-hash concatenation of salt and passphrase */
83	u8 session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES];
84	u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
85	/* Always in expanded hex */
86	u8 salt[ECRYPTFS_SALT_SIZE];
87	};
88
89	enum ecryptfs_token_types {ECRYPTFS_PASSWORD, ECRYPTFS_PRIVATE_KEY};
90
91	struct ecryptfs_private_key {
92	u32 key_size;
93	u32 data_len;
94	u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
95	char pki_type[ECRYPTFS_MAX_PKI_NAME_BYTES + 1];
96	u8 data[];
97	};
98
99	/* May be a password or a private key */
100	struct ecryptfs_auth_tok {
101	u16 version; /* 8-bit major and 8-bit minor */
102	u16 token_type;
103	#define ECRYPTFS_ENCRYPT_ONLY 0x00000001
104	u32 flags;
105	struct ecryptfs_session_key session_key;
106	u8 reserved[32];
107	union {
108	struct ecryptfs_password password;
109	struct ecryptfs_private_key private_key;
110	} token;
111	} __attribute__ ((packed));
112
113	#endif /* _LINUX_ECRYPTFS_H */