Message-ID: <20110105082440.GB15439@boyd.l.tihix.com>
Date:	Wed, 5 Jan 2011 02:25:12 -0600
From:	Tyler Hicks <tyhicks@...ux.vnet.ibm.com>
To:	Roberto Sassu <roberto.sassu@...ito.it>
Cc:	linux-security-module@...r.kernel.org, keyrings@...ux-nfs.org,
	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
	zohar@...ux.vnet.ibm.com, dhowells@...hat.com, jmorris@...ei.org,
	safford@...son.ibm.com, ramunno@...ito.it, kirkland@...onical.com
Subject: Re: [RFC][PATCH v2 4/6] eCryptfs: export global eCryptfs definitions
 to include/linux/ecryptfs.h

On Tue Dec 28, 2010 at 11:48:14AM +0100, Roberto Sassu <roberto.sassu@...ito.it> wrote:
> Some eCryptfs specific definitions, such as the current version and the
> authentication token structure, are moved to the new include file
> 'include/linux/ecryptfs.h', in order to be available for all kernel
> subsystems.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@...ito.it>

Acked-by: Tyler Hicks <tyhicks@...ux.vnet.ibm.com>

> ---
>  fs/ecryptfs/ecryptfs_kernel.h |  109 +---------------------------------------
>  include/linux/ecryptfs.h      |  113 +++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 114 insertions(+), 108 deletions(-)
>  create mode 100644 include/linux/ecryptfs.h
> 
> diff --git a/fs/ecryptfs/ecryptfs_kernel.h b/fs/ecryptfs/ecryptfs_kernel.h
> index 0032a9f..a27cad4 100644
> --- a/fs/ecryptfs/ecryptfs_kernel.h
> +++ b/fs/ecryptfs/ecryptfs_kernel.h
> @@ -36,125 +36,18 @@
>  #include <linux/hash.h>
>  #include <linux/nsproxy.h>
>  #include <linux/backing-dev.h>
> +#include <linux/ecryptfs.h>
> 
> -/* Version verification for shared data structures w/ userspace */
> -#define ECRYPTFS_VERSION_MAJOR 0x00
> -#define ECRYPTFS_VERSION_MINOR 0x04
> -#define ECRYPTFS_SUPPORTED_FILE_VERSION 0x03
> -/* These flags indicate which features are supported by the kernel
> - * module; userspace tools such as the mount helper read
> - * ECRYPTFS_VERSIONING_MASK from a sysfs handle in order to determine
> - * how to behave. */
> -#define ECRYPTFS_VERSIONING_PASSPHRASE            0x00000001
> -#define ECRYPTFS_VERSIONING_PUBKEY                0x00000002
> -#define ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH 0x00000004
> -#define ECRYPTFS_VERSIONING_POLICY                0x00000008
> -#define ECRYPTFS_VERSIONING_XATTR                 0x00000010
> -#define ECRYPTFS_VERSIONING_MULTKEY               0x00000020
> -#define ECRYPTFS_VERSIONING_DEVMISC               0x00000040
> -#define ECRYPTFS_VERSIONING_HMAC                  0x00000080
> -#define ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION   0x00000100
> -#define ECRYPTFS_VERSIONING_GCM                   0x00000200
> -#define ECRYPTFS_VERSIONING_MASK (ECRYPTFS_VERSIONING_PASSPHRASE \
> -				  | ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH \
> -				  | ECRYPTFS_VERSIONING_PUBKEY \
> -				  | ECRYPTFS_VERSIONING_XATTR \
> -				  | ECRYPTFS_VERSIONING_MULTKEY \
> -				  | ECRYPTFS_VERSIONING_DEVMISC \
> -				  | ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION)
> -#define ECRYPTFS_MAX_PASSWORD_LENGTH 64
> -#define ECRYPTFS_MAX_PASSPHRASE_BYTES ECRYPTFS_MAX_PASSWORD_LENGTH
> -#define ECRYPTFS_SALT_SIZE 8
> -#define ECRYPTFS_SALT_SIZE_HEX (ECRYPTFS_SALT_SIZE*2)
> -/* The original signature size is only for what is stored on disk; all
> - * in-memory representations are expanded hex, so it better adapted to
> - * be passed around or referenced on the command line */
> -#define ECRYPTFS_SIG_SIZE 8
> -#define ECRYPTFS_SIG_SIZE_HEX (ECRYPTFS_SIG_SIZE*2)
> -#define ECRYPTFS_PASSWORD_SIG_SIZE ECRYPTFS_SIG_SIZE_HEX
> -#define ECRYPTFS_MAX_KEY_BYTES 64
> -#define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512
>  #define ECRYPTFS_DEFAULT_IV_BYTES 16
> -#define ECRYPTFS_FILE_VERSION 0x03
>  #define ECRYPTFS_DEFAULT_EXTENT_SIZE 4096
>  #define ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE 8192
>  #define ECRYPTFS_DEFAULT_MSG_CTX_ELEMS 32
>  #define ECRYPTFS_DEFAULT_SEND_TIMEOUT HZ
>  #define ECRYPTFS_MAX_MSG_CTX_TTL (HZ*3)
> -#define ECRYPTFS_MAX_PKI_NAME_BYTES 16
>  #define ECRYPTFS_DEFAULT_NUM_USERS 4
>  #define ECRYPTFS_MAX_NUM_USERS 32768
>  #define ECRYPTFS_XATTR_NAME "user.ecryptfs"
> 
> -#define RFC2440_CIPHER_DES3_EDE 0x02
> -#define RFC2440_CIPHER_CAST_5 0x03
> -#define RFC2440_CIPHER_BLOWFISH 0x04
> -#define RFC2440_CIPHER_AES_128 0x07
> -#define RFC2440_CIPHER_AES_192 0x08
> -#define RFC2440_CIPHER_AES_256 0x09
> -#define RFC2440_CIPHER_TWOFISH 0x0a
> -#define RFC2440_CIPHER_CAST_6 0x0b
> -
> -#define RFC2440_CIPHER_RSA 0x01
> -
> -/**
> - * For convenience, we may need to pass around the encrypted session
> - * key between kernel and userspace because the authentication token
> - * may not be extractable.  For example, the TPM may not release the
> - * private key, instead requiring the encrypted data and returning the
> - * decrypted data.
> - */
> -struct ecryptfs_session_key {
> -#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT 0x00000001
> -#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT 0x00000002
> -#define ECRYPTFS_CONTAINS_DECRYPTED_KEY 0x00000004
> -#define ECRYPTFS_CONTAINS_ENCRYPTED_KEY 0x00000008
> -	u32 flags;
> -	u32 encrypted_key_size;
> -	u32 decrypted_key_size;
> -	u8 encrypted_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES];
> -	u8 decrypted_key[ECRYPTFS_MAX_KEY_BYTES];
> -};
> -
> -struct ecryptfs_password {
> -	u32 password_bytes;
> -	s32 hash_algo;
> -	u32 hash_iterations;
> -	u32 session_key_encryption_key_bytes;
> -#define ECRYPTFS_PERSISTENT_PASSWORD 0x01
> -#define ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET 0x02
> -	u32 flags;
> -	/* Iterated-hash concatenation of salt and passphrase */
> -	u8 session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES];
> -	u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
> -	/* Always in expanded hex */
> -	u8 salt[ECRYPTFS_SALT_SIZE];
> -};
> -
> -enum ecryptfs_token_types {ECRYPTFS_PASSWORD, ECRYPTFS_PRIVATE_KEY};
> -
> -struct ecryptfs_private_key {
> -	u32 key_size;
> -	u32 data_len;
> -	u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
> -	char pki_type[ECRYPTFS_MAX_PKI_NAME_BYTES + 1];
> -	u8 data[];
> -};
> -
> -/* May be a password or a private key */
> -struct ecryptfs_auth_tok {
> -	u16 version; /* 8-bit major and 8-bit minor */
> -	u16 token_type;
> -#define ECRYPTFS_ENCRYPT_ONLY 0x00000001
> -	u32 flags;
> -	struct ecryptfs_session_key session_key;
> -	u8 reserved[32];
> -	union {
> -		struct ecryptfs_password password;
> -		struct ecryptfs_private_key private_key;
> -	} token;
> -} __attribute__ ((packed));
> -
>  void ecryptfs_dump_auth_tok(struct ecryptfs_auth_tok *auth_tok);
>  extern void ecryptfs_to_hex(char *dst, char *src, size_t src_size);
>  extern void ecryptfs_from_hex(char *dst, char *src, int dst_size);
> diff --git a/include/linux/ecryptfs.h b/include/linux/ecryptfs.h
> new file mode 100644
> index 0000000..2224a8c
> --- /dev/null
> +++ b/include/linux/ecryptfs.h
> @@ -0,0 +1,113 @@
> +#ifndef _LINUX_ECRYPTFS_H
> +#define _LINUX_ECRYPTFS_H
> +
> +/* Version verification for shared data structures w/ userspace */
> +#define ECRYPTFS_VERSION_MAJOR 0x00
> +#define ECRYPTFS_VERSION_MINOR 0x04
> +#define ECRYPTFS_SUPPORTED_FILE_VERSION 0x03
> +/* These flags indicate which features are supported by the kernel
> + * module; userspace tools such as the mount helper read
> + * ECRYPTFS_VERSIONING_MASK from a sysfs handle in order to determine
> + * how to behave. */
> +#define ECRYPTFS_VERSIONING_PASSPHRASE            0x00000001
> +#define ECRYPTFS_VERSIONING_PUBKEY                0x00000002
> +#define ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH 0x00000004
> +#define ECRYPTFS_VERSIONING_POLICY                0x00000008
> +#define ECRYPTFS_VERSIONING_XATTR                 0x00000010
> +#define ECRYPTFS_VERSIONING_MULTKEY               0x00000020
> +#define ECRYPTFS_VERSIONING_DEVMISC               0x00000040
> +#define ECRYPTFS_VERSIONING_HMAC                  0x00000080
> +#define ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION   0x00000100
> +#define ECRYPTFS_VERSIONING_GCM                   0x00000200
> +#define ECRYPTFS_VERSIONING_MASK (ECRYPTFS_VERSIONING_PASSPHRASE \
> +				  | ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH \
> +				  | ECRYPTFS_VERSIONING_PUBKEY \
> +				  | ECRYPTFS_VERSIONING_XATTR \
> +				  | ECRYPTFS_VERSIONING_MULTKEY \
> +				  | ECRYPTFS_VERSIONING_DEVMISC \
> +				  | ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION)
> +#define ECRYPTFS_MAX_PASSWORD_LENGTH 64
> +#define ECRYPTFS_MAX_PASSPHRASE_BYTES ECRYPTFS_MAX_PASSWORD_LENGTH
> +#define ECRYPTFS_SALT_SIZE 8
> +#define ECRYPTFS_SALT_SIZE_HEX (ECRYPTFS_SALT_SIZE*2)
> +/* The original signature size is only for what is stored on disk; all
> + * in-memory representations are expanded hex, so it better adapted to
> + * be passed around or referenced on the command line */
> +#define ECRYPTFS_SIG_SIZE 8
> +#define ECRYPTFS_SIG_SIZE_HEX (ECRYPTFS_SIG_SIZE*2)
> +#define ECRYPTFS_PASSWORD_SIG_SIZE ECRYPTFS_SIG_SIZE_HEX
> +#define ECRYPTFS_MAX_KEY_BYTES 64
> +#define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512
> +#define ECRYPTFS_FILE_VERSION 0x03
> +#define ECRYPTFS_MAX_PKI_NAME_BYTES 16
> +
> +#define RFC2440_CIPHER_DES3_EDE 0x02
> +#define RFC2440_CIPHER_CAST_5 0x03
> +#define RFC2440_CIPHER_BLOWFISH 0x04
> +#define RFC2440_CIPHER_AES_128 0x07
> +#define RFC2440_CIPHER_AES_192 0x08
> +#define RFC2440_CIPHER_AES_256 0x09
> +#define RFC2440_CIPHER_TWOFISH 0x0a
> +#define RFC2440_CIPHER_CAST_6 0x0b
> +
> +#define RFC2440_CIPHER_RSA 0x01
> +
> +/**
> + * For convenience, we may need to pass around the encrypted session
> + * key between kernel and userspace because the authentication token
> + * may not be extractable.  For example, the TPM may not release the
> + * private key, instead requiring the encrypted data and returning the
> + * decrypted data.
> + */
> +struct ecryptfs_session_key {
> +#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT 0x00000001
> +#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT 0x00000002
> +#define ECRYPTFS_CONTAINS_DECRYPTED_KEY 0x00000004
> +#define ECRYPTFS_CONTAINS_ENCRYPTED_KEY 0x00000008
> +	u32 flags;
> +	u32 encrypted_key_size;
> +	u32 decrypted_key_size;
> +	u8 encrypted_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES];
> +	u8 decrypted_key[ECRYPTFS_MAX_KEY_BYTES];
> +};
> +
> +struct ecryptfs_password {
> +	u32 password_bytes;
> +	s32 hash_algo;
> +	u32 hash_iterations;
> +	u32 session_key_encryption_key_bytes;
> +#define ECRYPTFS_PERSISTENT_PASSWORD 0x01
> +#define ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET 0x02
> +	u32 flags;
> +	/* Iterated-hash concatenation of salt and passphrase */
> +	u8 session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES];
> +	u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
> +	/* Always in expanded hex */
> +	u8 salt[ECRYPTFS_SALT_SIZE];
> +};
> +
> +enum ecryptfs_token_types {ECRYPTFS_PASSWORD, ECRYPTFS_PRIVATE_KEY};
> +
> +struct ecryptfs_private_key {
> +	u32 key_size;
> +	u32 data_len;
> +	u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
> +	char pki_type[ECRYPTFS_MAX_PKI_NAME_BYTES + 1];
> +	u8 data[];
> +};
> +
> +/* May be a password or a private key */
> +struct ecryptfs_auth_tok {
> +	u16 version; /* 8-bit major and 8-bit minor */
> +	u16 token_type;
> +#define ECRYPTFS_ENCRYPT_ONLY 0x00000001
> +	u32 flags;
> +	struct ecryptfs_session_key session_key;
> +	u8 reserved[32];
> +	union {
> +		struct ecryptfs_password password;
> +		struct ecryptfs_private_key private_key;
> +	} token;
> +} __attribute__ ((packed));
> +
> +#endif /* _LINUX_ECRYPTFS_H */
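Review bot: The new include/linux/ecryptfs.h is not self-contained: it declares fields as `u8`, `u16`, `u32` and `s32` but has no `#include` of its own, so it only compiles where the includer has already pulled in the kernel type definitions; adding `#include <linux/types.h>` right after `#define _LINUX_ECRYPTFS_H` would fix that. Because the patch makes `struct ecryptfs_session_key` and `struct ecryptfs_password` visible to every subsystem, the length fields deserve a comment stating that each consumer must bound them before touching the matching array, for example `/* Callers must check encrypted_key_size <= ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES and decrypted_key_size <= ECRYPTFS_MAX_KEY_BYTES */`, with the same for `session_key_encryption_key_bytes`. The `/* Always in expanded hex */` comment sits directly above `salt`, but the array sizes suggest it describes `signature` (hex size plus one byte), so it probably belongs one line higher. The definitions are moved verbatim from fs/ecryptfs/ecryptfs_kernel.h, so these points predate the patch, but the move is the natural place to address them.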
> -- 
> 1.7.2.3
> 


