#define ECRYPTFS_VERSION_MINOR 0x04
#define ECRYPTFS_VERSION ((ECRYPTFS_VERSION_MAJOR << 8) | ECRYPTFS_VERSION_MINOR)
-#define ECRYPTFS_MAX_KEY_BYTES 64
-#define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512
-#define ECRYPTFS_SIG_SIZE 8
-#define ECRYPTFS_SIG_SIZE_HEX (ECRYPTFS_SIG_SIZE*2)
-#define ECRYPTFS_PASSWORD_SIG_SIZE ECRYPTFS_SIG_SIZE_HEX
#define ECRYPTFS_SALT_SIZE 8
-#define ECRYPTFS_MAX_KEY_MOD_NAME_BYTES 16
-
-struct ecryptfs_session_key {
-#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT 0x00000001
-#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT 0x00000002
-#define ECRYPTFS_CONTAINS_DECRYPTED_KEY 0x00000004
-#define ECRYPTFS_CONTAINS_ENCRYPTED_KEY 0x00000008
- int32_t flags;
- int32_t encrypted_key_size;
- int32_t decrypted_key_size;
- uint8_t encrypted_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES];
- uint8_t decrypted_key[ECRYPTFS_MAX_KEY_BYTES];
-};
+#define ECRYPTFS_SIGNATURE_SIZE 16
+#define ECRYPTFS_MAX_KEY_SIZE 64
+#define ECRYPTFS_MAX_KEY_MOD_NAME_SIZE 16
+#define ECRYPTFS_MAX_ENCRYPTED_KEY_SIZE 512
+
+struct EcryptfsPassword {
+ enum Flag {
+ PersistentPassword = 0x01,
+ SessionKeyEncryptionKeySet = 0x02
+ };
-struct ecryptfs_password {
- int32_t password_bytes;
- int32_t hash_algo;
- int32_t hash_iterations;
- int32_t session_key_encryption_key_bytes;
-#define ECRYPTFS_PERSISTENT_PASSWORD 0x01
-#define ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET 0x02
+ int32_t passwordSize;
+ int32_t hashAlgorithm;
+ int32_t hashIterations;
+ int32_t sessionKeyEncryptionKeySize;
uint32_t flags;
- uint8_t session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES];
- uint8_t signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
+ uint8_t sessionKeyEncryptionKey[ECRYPTFS_MAX_KEY_SIZE];
+ uint8_t signature[ECRYPTFS_SIGNATURE_SIZE + 1];
uint8_t salt[ECRYPTFS_SALT_SIZE];
};
-struct ecryptfs_private_key {
- uint32_t key_size;
- uint32_t data_len;
- uint8_t signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
- char key_mod_alias[ECRYPTFS_MAX_KEY_MOD_NAME_BYTES + 1];
+struct EcryptfsPrivateKey {
+ uint32_t keySize;
+ uint32_t dataSize;
+ uint8_t signature[ECRYPTFS_SIGNATURE_SIZE + 1];
+ char keyModAlias[ECRYPTFS_MAX_KEY_MOD_NAME_SIZE + 1];
uint8_t data[];
};
-enum ecryptfs_token_types {ECRYPTFS_PASSWORD, ECRYPTFS_PRIVATE_KEY};
+struct EcryptfsSessionKey {
+ enum Flag {
+ UserspaceShouldTryToDecrypt = 0x00000001,
+ UserspaceShouldTryToEncrypt = 0x00000002,
+ ContainsDecryptedKey = 0x00000004,
+ ContainsEncryptedKey = 0x00000008
+ };
+
+ int32_t flags;
+ int32_t encryptedKeySize;
+ int32_t decryptedKeySize;
+ uint8_t encryptedKey[ECRYPTFS_MAX_ENCRYPTED_KEY_SIZE];
+ uint8_t decryptedKey[ECRYPTFS_MAX_KEY_SIZE];
+
+ EcryptfsSessionKey()
+ : flags(0), encryptedKeySize(0), decryptedKeySize(0),
+ encryptedKey{0, }, decryptedKey{0, }
+ {};
+} __attribute__((packed));
+
+struct EcryptfsPayload {
+ enum Type {
+ PasswordToken,
+ PrivateKeyToken
+ };
+ enum Flag {
+ EncryptOnly
+ };
-struct ecryptfs_auth_tok {
uint16_t version;
- uint16_t token_type;
-#define ECRYPTFS_ENCRYPT_ONLY 0x00000001
+ uint16_t type;
uint32_t flags;
- struct ecryptfs_session_key session_key;
+ EcryptfsSessionKey sessionKey;
uint8_t reserved[32];
union {
- struct ecryptfs_password password;
- struct ecryptfs_private_key private_key;
+ EcryptfsPassword password;
+ EcryptfsPrivateKey privateKey;
} token;
+
+ EcryptfsPayload(Type type)
+ : version(ECRYPTFS_VERSION), type(type), flags(0), reserved{0, }
+ {
+ ::memset(&token, 0, sizeof(token));
+ };
} __attribute__((packed));
#if 0
void ecryptfsMount(const std::string &source, const std::string &destination, const std::vector<unsigned char> &key, unsigned int options)
{
- ecryptfs_auth_tok payload;
+ EcryptfsPayload payload(EcryptfsPayload::Type::PasswordToken);
std::string mountOption;
- ::memset(&(payload), 0, sizeof(ecryptfs_auth_tok));
-
- payload.version = ECRYPTFS_VERSION;
- payload.token_type = ECRYPTFS_PASSWORD;
- payload.token.password.flags = ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET;
- payload.token.password.session_key_encryption_key_bytes =
- (ECRYPTFS_MAX_KEY_BYTES > key.size())? key.size() :
- ECRYPTFS_MAX_KEY_BYTES;
- ::memcpy(payload.token.password.session_key_encryption_key, key.data(),
- payload.token.password.session_key_encryption_key_bytes);
+ payload.token.password.flags = EcryptfsPassword::Flag::
+ SessionKeyEncryptionKeySet;
+ payload.token.password.sessionKeyEncryptionKeySize =
+ (ECRYPTFS_MAX_KEY_SIZE > key.size())? key.size() :
+ ECRYPTFS_MAX_KEY_SIZE;
+ ::memcpy(payload.token.password.sessionKeyEncryptionKey, key.data(),
+ payload.token.password.sessionKeyEncryptionKeySize);
std::stringstream signature;
signature<< std::hex << std::setfill('0') << std::setw(2);
for (unsigned int byte : key) {
signature << byte;
}
- for (int i = key.size(); i < ECRYPTFS_SIG_SIZE; i++) {
+ for (int i = key.size(); i < ECRYPTFS_SIGNATURE_SIZE / 2; i++) {
signature << (unsigned int) 0;
}
::memcpy((char *)payload.token.password.signature,
- signature.str().c_str(), ECRYPTFS_PASSWORD_SIG_SIZE);
+ signature.str().c_str(), ECRYPTFS_SIGNATURE_SIZE);
if (KernelKeyRing::search(KEY_SPEC_USER_KEYRING, ECRYPTFS_AUTH_TOKEN_TYPE,
(char *)payload.token.password.signature, 0) < 0) {
mountOption = "ecryptfs_passthrough"
",ecryptfs_cipher=" CIPHER_MODE
",ecryptfs_sig=" + std::string((char *)payload.token.password.signature) +
- ",ecryptfs_key_bytes=" + std::to_string(payload.token.password.session_key_encryption_key_bytes);
+ ",ecryptfs_key_bytes=" + std::to_string(payload.token.password.sessionKeyEncryptionKeySize);
if (options & OPTION_EXCEPT_FOR_MEDIA_FILE) {
mountOption += ",ecryptfs_enable_filtering=" MEDIA_EXCLUSION_LIST;