2
* Header file for eCryptfs userspace tools.
4
* Copyright (C) 2004-2006 International Business Machines Corp.
5
* Author(s): Michael A. Halcrow <mahalcro@us.ibm.com>
7
* The structs here are shared between kernel and userspace, so if you
8
* are running a 64-bit kernel, you need to compile your userspace
9
* applications as 64-bit binaries.
11
* This program is free software; you can redistribute it and/or
12
* modify it under the terms of the GNU General Public License as
13
* published by the Free Software Foundation; either version 2 of the
14
* License, or (at your option) any later version.
16
* This program is distributed in the hope that it will be useful, but
17
* WITHOUT ANY WARRANTY; without even the implied warranty of
18
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19
* General Public License for more details.
21
* You should have received a copy of the GNU General Public License
22
* along with this program; if not, write to the Free Software
23
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
39
#include <sys/types.h>
40
#include <linux/types.h>
41
#include <linux/netlink.h>
44
#ifndef NETLINK_ECRYPTFS
45
#warning NETLINK_ECRYPTFS not defined in netlink.h
46
#define NETLINK_ECRYPTFS 19
49
/* Version verification for shared data structures w/ userspace */
50
#ifndef ECRYPTFS_VERSION_MAJOR
51
#define ECRYPTFS_VERSION_MAJOR 0x00
53
#ifndef ECRYPTFS_VERSION_MINOR
54
#define ECRYPTFS_VERSION_MINOR 0x04
57
#ifndef ECRYPTFS_SUPPORTED_FILE_VERSION
58
#define ECRYPTFS_SUPPORTED_FILE_VERSION 0x02
61
/* These flags indicate which features are supported by the kernel
62
* module; userspace tools such as the mount helper read from a sysfs
63
* handle in order to determine how to behave. */
64
#define ECRYPTFS_VERSIONING_PASSPHRASE 0x00000001
65
#define ECRYPTFS_VERSIONING_PUBKEY 0x00000002
66
#define ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH 0x00000004
67
#define ECRYPTFS_VERSIONING_POLICY 0x00000008
68
#define ECRYPTFS_VERSIONING_XATTR 0x00000010
70
#define ECRYPTFS_MAX_PASSWORD_LENGTH 64
71
#define ECRYPTFS_MAX_PASSPHRASE_BYTES ECRYPTFS_MAX_PASSWORD_LENGTH
72
#define ECRYPTFS_SALT_SIZE 8
73
#define ECRYPTFS_SALT_SIZE_HEX (ECRYPTFS_SALT_SIZE*2)
74
#define ECRYPTFS_DEFAULT_SALT_HEX "0011223344556677"
75
/* The original signature size is only for what is stored on disk; all
76
* in-memory representations are expanded hex, so it better adapted to
77
* be passed around on the command line */
78
#define ECRYPTFS_SIG_SIZE 8
79
#define ECRYPTFS_SIG_SIZE_HEX (ECRYPTFS_SIG_SIZE*2)
80
#define ECRYPTFS_PASSWORD_SIG_SIZE ECRYPTFS_SIG_SIZE_HEX
81
#define ECRYPTFS_MAX_KEY_BYTES 64
82
#define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512
83
#define ECRYPTFS_DEFAULT_IV_BYTES 16
84
#define ECRYPTFS_FILE_VERSION 0x02
85
#define ECRYPTFS_DEFAULT_EXTENT_SIZE 4096
86
#define ECRPYTFS_STRING_LENGTH 128
87
#ifndef MAGIC_ECRYPTFS_MARKER_STR
88
#define MAGIC_ECRYPTFS_MARKER_STR "3c81b7f5"
90
#define MAX_PATH_SIZE 1024
91
#define MAX_NAME_SIZE 128
92
#define MAX_KEY_MOD_VALUE_SIZE 4096
93
#define ECRYPTFS_NLMSG_HELO 100
94
#define ECRYPTFS_NLMSG_QUIT 101
95
#define ECRYPTFS_NLMSG_REQUEST 102
96
#define ECRYPTFS_NLMSG_RESPONSE 103
97
#define ECRYPTFS_NETLINK_ERROR_COUNT_THRESHOLD 8
98
#define ECRYPTFS_MAX_KEY_MOD_NAME_BYTES 16
100
#ifndef SHA512_DIGEST_LENGTH
101
#define SHA512_DIGEST_LENGTH 64
104
#ifndef SHA1_DIGEST_LENGTH
105
#define SHA1_DIGEST_LENGTH 20
108
#define PGP_DIGEST_ALGO_SHA512 10
110
/* TODO: Put this in configure.in, and make this ECRYPTFS_DEFAULT_KEY_MOD */
111
#define ECRYPTFS_KEY_MOD_OPENSSL "openssl"
113
#define ECRYPTFS_NOT_SALTLESS 0
114
#define ECRYPTFS_SALTLESS 1
115
#define ECRYPTFS_DEFAULT_NUM_HASH_ITERATIONS 65536
117
#define ECRYPTFS_TAG_64_PACKET 0x40
118
#define ECRYPTFS_TAG_65_PACKET 0x41
119
#define ECRYPTFS_TAG_66_PACKET 0x42
120
#define ECRYPTFS_TAG_67_PACKET 0x43
122
#define ecryptfs_syslog(type, fmt, arg...) \
123
syslog(type, "%s: " fmt, __FUNCTION__, ## arg);
125
#define ECRYPTFS_MAX_NUM_CIPHERS 64
126
#define ECRYPTFS_ECHO_ON 1
127
#define ECRYPTFS_ECHO_OFF 0
129
#define ECRYPTFS_AES_BLOCK_SIZE 16
130
#define ECRYPTFS_AES_KEY_BYTES 16
132
#define ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME "wrapped-passphrase"
134
extern int ecryptfs_verbosity;
137
* For convenience, we may need to pass around the encrypted session
138
* key between kernel and userspace because the authentication token
139
* may not be extractable. For example, the TPM may not release the
140
* private key, instead requiring the encrypted data and returning the
143
struct ecryptfs_session_key {
144
#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT 0x00000001
145
#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT 0x00000002
146
#define ECRYPTFS_CONTAINS_DECRYPTED_KEY 0x00000004
147
#define ECRYPTFS_CONTAINS_ENCRYPTED_KEY 0x00000008
149
int32_t encrypted_key_size;
150
int32_t decrypted_key_size;
151
uint8_t encrypted_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES];
152
uint8_t decrypted_key[ECRYPTFS_MAX_KEY_BYTES];
155
static const char common_salt[ECRYPTFS_SALT_SIZE] =
156
{ (char)0x00, (char)0x11, (char)0x22, (char)0x33, (char)0x44,
157
(char)0x55, (char)0x66, (char)0x77 };
159
struct ecryptfs_password {
160
int32_t password_bytes;
162
int32_t hash_iterations;
163
int32_t session_key_encryption_key_bytes;
164
#define ECRYPTFS_PERSISTENT_PASSWORD 0x01
165
#define ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET 0x02
167
/* Iterated-hash concatenation of salt and passphrase */
168
uint8_t session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES];
169
uint8_t signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
170
/* Always in expanded hex */
171
uint8_t salt[ECRYPTFS_SALT_SIZE];
174
struct ecryptfs_private_key {
177
uint8_t signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
178
char key_mod_alias[ECRYPTFS_MAX_KEY_MOD_NAME_BYTES + 1];
182
enum ecryptfs_token_types {ECRYPTFS_PASSWORD, ECRYPTFS_PRIVATE_KEY};
184
/* May be a password or a private key */
185
struct ecryptfs_auth_tok {
186
uint16_t version; /* 8-bit major and 8-bit minor */
188
#define ECRYPTFS_ENCRYPT_ONLY 0x00000001
190
struct ecryptfs_session_key session_key;
191
uint8_t reserved[32];
193
struct ecryptfs_password password;
194
struct ecryptfs_private_key private_key;
196
} __attribute__ ((packed));
198
struct ecryptfs_name_val_pair {
199
#define ECRYPTFS_DEFAULT_VALUE_SET 0x00000004
200
#define ECRYPTFS_PROCESSED 0x00000008
201
#define ECRYPTFS_NO_ECHO 0x00000010
205
struct ecryptfs_name_val_pair *parent;
206
#define NV_MAX_CHILDREN 16
207
struct ecryptfs_name_val_pair *children[NV_MAX_CHILDREN];
208
struct ecryptfs_name_val_pair *next;
211
void dump_auth_tok( struct ecryptfs_auth_tok *auth_tok );
212
extern void to_hex( char *dst, char *src, int src_size );
213
extern void from_hex( char *dst, char *src, int dst_size );
214
extern int generate_version_from_string(unsigned char *major,
215
unsigned char *minor,
218
struct ecryptfs_daemon_info {
219
char socket_file_full_path[MAX_PATH_SIZE];
222
struct ecryptfs_cipher_elem {
223
uint8_t loaded_cipher;
227
struct ecryptfs_cipher_elem *next;
230
struct ecryptfs_netlink_message {
236
struct transition_node;
239
* @id: Internal (to the key module) identifier for this module
240
* parameter. The key module will use the key_mod_param id to
241
* match the given value for this parameter
242
* @val: The value provided
244
struct key_mod_param_val {
250
* @id: Internal (to the key module) identifier for this module
251
* parameter. The key module will use the key_mod_param_val id to
252
* match the given value for this parameter
253
* @option: The parameter option
254
* @description: A long text description of the parameter option
255
* @suggested_val: The value that will presented to the user as the
257
* @default_val: The value that will be assigned by default if none is
259
* @val: Pointer to the struct key_mod_param_val provided for this
260
* struct key_mod_param. This is matched based on @id
262
struct key_mod_param {
269
struct key_mod_param_val *val;
272
#define ECRYPTFS_BLOB_TYPE_BLOB 0
273
#define ECRYPTFS_BLOB_TYPE_HINT 1
275
#define ECRYPTFS_KEY_MOD_SUCCESS 0
276
#define ECRYPTFS_KEY_MOD_BADPARAM 1
277
#define ECRYPTFS_KEY_MOD_BUFTOOSMALL 2
278
#define ECRYPTFS_KEY_MOD_INSUFFICIENT_PARAMS 3
279
#define ECRYPTFS_KEY_MOD_DATA_TOO_LARGE 4
280
#define ECRYPTFS_KEY_MOD_ENCRYPT_FAILED 5
281
#define ECRYPTFS_KEY_MOD_DECRYPT_FAILED 6
282
#define ECRYPTFS_KEY_MOD_NO_SUCH_KEY 7
283
#define ECRYPTFS_KEY_MOD_HINT_INSUFFICIENT 8
285
struct ecryptfs_ctx_ops {
286
int (*prompt)(char *prompt_type, char *prompt, char *input,
291
* @init: Allocates memory on the heap and sets the alias into that
292
* memory; callee will free
294
* @get_key_data: The first uint32_t (big-endian) bytes indicate the
295
* key type. If key_data_len is 0, then libecryptfs
296
* will call get_key_sig() so that the key module can
297
* generate its own sig.
298
* @get_key_sig: Optional. Allows the key module to generate its own
299
* key signature. Used in cases where libecryptfs does
300
* not know about the key type, so @get_key_data is of
301
* no use. @get_key_sig is not called if @get_key_data
302
* returns valid key data.
303
* @encrypt: If to is NULL, only fill in to_size with the amount
304
* that the callee needs to allocate.
305
* @decrypt: If to is NULL, only fill in to_size with the amount
306
* that the callee needs to allocate.
307
* @finalize: Call when the entire key module is shutting down
309
struct ecryptfs_key_mod_ops {
310
int (*init)(char **alias);
311
int (*get_gen_key_params)(struct key_mod_param **params,
312
uint32_t *num_params);
313
int (*get_gen_key_subgraph_trans_node)(struct transition_node **trans,
315
int (*get_params)(struct key_mod_param **params, uint32_t *num_params);
316
int (*get_param_subgraph_trans_node)(struct transition_node **trans,
318
int (*get_blob)(unsigned char *blob, size_t *blob_size,
319
struct key_mod_param_val *param_vals,
320
uint32_t num_param_vals);
321
int (*get_key_data)(unsigned char *key_data, size_t *key_data_len,
322
unsigned char *blob);
323
int (*get_key_sig)(unsigned char *sig, unsigned char *blob);
324
int (*get_key_hint)(unsigned char *hint, size_t *hint_len,
325
unsigned char *blob);
326
int (*encrypt)(char *to, size_t *to_size, char *from, size_t from_size,
327
unsigned char *blob, int blob_type);
328
int (*decrypt)(char *to, size_t *to_size, char *from, size_t from_size,
329
unsigned char *blob, int blob_type);
330
int (*destroy)(unsigned char *blob);
331
int (*finalize)(void);
338
* @trans_into_mod_subgraph:
345
struct ecryptfs_key_mod {
349
struct transition_node *trans_into_mod_subgraph;
350
struct transition_node *trans_into_mod_key_gen_subgraph;
351
struct ecryptfs_key_mod_ops *ops;
352
struct key_mod_param_val *param_vals;
353
uint32_t num_param_vals;
356
struct ecryptfs_key_mod *next;
359
struct ecryptfs_ctx {
361
struct ecryptfs_key_mod key_mod_list_head;
363
int (*get_string)(char **val, char *prompt, int echo);
366
struct ecryptfs_name_val_pair *nvp_head;
369
struct cipher_str_name_map_elem {
375
enum main_menu_enum {
377
MME_MOUNT_PASSPHRASE,
386
int ecryptfs_get_version(uint32_t *version);
387
int ecryptfs_supports_passphrase(uint32_t version);
388
int ecryptfs_supports_pubkey(uint32_t version);
389
int ecryptfs_supports_plaintext_passthrough(uint32_t version);
390
int ecryptfs_supports_policy(uint32_t version);
391
#define ECRYPTFS_ASK_FOR_ALL_MOUNT_OPTIONS 0
392
#define ECRYPTFS_KEY_MODULE_ONLY 1
393
int ecryptfs_process_decision_graph(struct ecryptfs_ctx *ctx,
394
struct val_node **head, uint32_t version,
395
char *opts_str, int key_module_only);
396
int get_string(char *val, int len, int echo);
397
int get_string_stdin(char **val, char *prompt, int echo);
398
int stack_pop_val(struct val_node **head, void **val);
399
int ecryptfs_mount(char *source, char *target, unsigned long flags, char *opts);
400
int ecryptfs_get_current_kernel_ciphers(
401
struct ecryptfs_cipher_elem *cipher_list_head);
402
int ecryptfs_default_cipher(struct ecryptfs_cipher_elem **default_cipher,
403
struct ecryptfs_cipher_elem *cipher_list_head);
404
int stack_push(struct val_node **head, void *val);
405
int ecryptfs_free_cipher_list(struct ecryptfs_cipher_elem cipher_list_head);
406
int ecryptfs_get_key_mod_list(struct ecryptfs_ctx* ctx);
407
int ecryptfs_parse_options(char *opts, struct ecryptfs_name_val_pair *head);
408
int ecryptfs_eval_decision_graph(struct ecryptfs_ctx *ctx,
409
struct val_node **head,
410
struct param_node *root_node,
411
struct ecryptfs_name_val_pair *nvp_head);
412
int ecryptfs_add_passphrase_key_to_keyring(char *auth_tok_sig, char *passphrase,
414
int ecryptfs_add_key_module_key_to_keyring(char *auth_tok_sig,
415
struct ecryptfs_key_mod *key_mod);
416
int ecryptfs_read_salt_hex_from_rc(char *salt_hex);
417
int ecryptfs_generate_key(void);
418
int ecryptfs_free_key_mod_list(struct ecryptfs_ctx *ctx);
419
int create_default_dir(char *home, struct ecryptfs_key_mod *key_mod);
421
create_subdirectory(char *file, char *home, struct ecryptfs_key_mod *key_mod);
422
int ecryptfs_get_loaded_ciphers(struct ecryptfs_cipher_elem *cipher_list_head);
423
int ecryptfs_add_crypto_modules(struct ecryptfs_cipher_elem *cipher_list_head);
424
int parse_packet(struct ecryptfs_ctx *ctx,
425
struct ecryptfs_netlink_message *emsg,
426
struct ecryptfs_netlink_message **reply);
427
int ecryptfs_find_key_mod(struct ecryptfs_key_mod **key_mod,
428
struct ecryptfs_ctx *ctx, char *key_mod_alias);
430
generate_passphrase_sig(char *passphrase_sig, char *passphrase, char *salt,
431
char *session_key_encryption_key);
433
generate_payload(struct ecryptfs_auth_tok *auth_tok, char *passphrase_sig,
434
char *salt, char *session_key_encryption_key);
436
ecryptfs_generate_key_payload(struct ecryptfs_auth_tok *auth_tok,
437
struct ecryptfs_key_mod *key_mod, char *sig,
439
int parse_options_file(int fd, struct ecryptfs_name_val_pair *head);
440
int free_name_val_pairs(struct ecryptfs_name_val_pair *pair);
441
int ecryptfs_send_netlink(int sk_fd, struct ecryptfs_netlink_message *emsg,
442
uint16_t msg_type, uint16_t msg_flags,
444
void ecryptfs_release_netlink(int sk_fd);
445
int init_netlink_daemon(void);
446
int ecryptfs_run_netlink_daemon(int sk_fd);
447
int ecryptfs_init_netlink(int *sk_fd);
448
int ecryptfs_nvp_list_union(struct ecryptfs_name_val_pair *dst,
449
struct ecryptfs_name_val_pair *src,
450
struct ecryptfs_name_val_pair *allowed_duplicates);
451
int ecryptfs_read_salt_hex_from_rc(char *salt_hex);
452
#define ECRYPTFS_SIG_FLAG_NOENT 0x00000001
453
int ecryptfs_check_sig(char *auth_tok_sig, char *sig_cache_filename,
455
int ecryptfs_append_sig(char *auth_tok_sig, char *sig_cache_filename);
456
int ecryptfs_wrap_passphrase(char *filename, char *wrapping_passphrase,
457
char *wrapping_salt, char *decrypted_passphrase);
458
int ecryptfs_unwrap_passphrase(char *decrypted_passphrase, char *filename,
459
char *wrapping_passphrase, char *wrapping_salt);
460
int ecryptfs_insert_wrapped_passphrase_into_keyring(
461
char *auth_tok_sig, char *filename, char *wrapping_passphrase,
463
struct ecryptfs_key_mod_ops *passphrase_get_key_mod_ops(void);
464
int ecryptfs_validate_keyring(void);
465
#define ECRYPTFS_SHM_KEY 0x3c81b7f5
466
#define ECRYPTFS_SEM_KEY 0x3c81b7f6
467
#define ECRYPTFS_SHM_SIZE 4096
468
#define ECRYPTFS_ZOMBIE_SLEEP_SECONDS 300
469
int ecryptfs_set_zombie_session_placeholder(void);
470
int ecryptfs_kill_and_clear_zombie_session_placeholder(void);
471
int ecryptfs_list_zombie_session_placeholders(void);
472
int ecryptfs_build_linear_subgraph_from_nvp(struct transition_node **trans_node,
473
struct ecryptfs_key_mod *key_mod);
474
int ecryptfs_generate_sig_from_key_data(unsigned char *sig,
475
unsigned char *key_data,
476
size_t key_data_len);
477
int ecryptfs_fill_in_dummy_ops(struct ecryptfs_key_mod_ops *key_mod_ops);
478
int ecryptfs_register_key_modules(struct ecryptfs_ctx* ctx);
480
/* TEMP TEMP TEMP - BEGIN
481
* until context will be forwarded into key modules */
482
struct ecryptfs_ctx_ops *cryptfs_get_ctx_opts(void);
483
/* TEMP TEMP TEMP - END */
added
removed
src/include/ecryptfs.h
