|
|
/*++
Copyright (c) Microsoft Corporation. All rights reserved.
Module Name:
efsstruc.h
Abstract:
EFS (Encrypting File System) defines, data and function prototypes.
Author:
Robert Reichel (RobertRe) Robert Gu (RobertG)
Environment:
Revision History:
--*/
#ifndef _EFSSTRUC_ #define _EFSSTRUC_
#ifdef __cplusplus extern "C" { #endif
#ifndef ALGIDDEF #define ALGIDDEF typedef unsigned int ALG_ID; #endif
// // Our OID. Remove from here once it's in the real headers. //
#ifndef szOID_EFS_CRYPTO #define szOID_EFS_CRYPTO "1.3.6.1.4.1.311.10.3.4" #endif
#ifndef szOID_EFS_RECOVERY #define szOID_EFS_RECOVERY "1.3.6.1.4.1.311.10.3.4.1" #endif
// // Context flag //
#define CONTEXT_FOR_EXPORT 0x00000000 #define CONTEXT_FOR_IMPORT 0x00000001 #define CONTEXT_INVALID 0x00000002 #define CONTEXT_OPEN_FOR_DIR 0x00008000
// // Context ID // #define EFS_CONTEXT_ID 0x00000001
// // Signature type // #define SIG_LENGTH 0x00000008 #define SIG_NO_MATCH 0x00000000 #define SIG_EFS_FILE 0x00000001 #define SIG_EFS_STREAM 0x00000002 #define SIG_EFS_DATA 0x00000003
// // Export file format stream flag information //
#define STREAM_NOT_ENCRYPTED 0x0001
#define EFS_EXP_FORMAT_CURRENT_VERSION 0x0100 #define EFS_SIGNATURE_LENGTH 4 #define EFS_STREAM_ID 0x1910
#define FSCTL_IMPORT_INPUT_LENGTH 4 * 1024 #define FSCTL_EXPORT_INPUT_LENGTH 128 #define FSCTL_OUTPUT_INITIAL_LENGTH 68 * 1024 #define FSCTL_OUTPUT_LESS_LENGTH 8 * 1024 #define FSCTL_OUTPUT_MIN_LENGTH 20 * 1024 #define FSCTL_OUTPUT_MISC_LENGTH 4 * 1024
// // FSCTL data shared between server and driver //
#define EFS_SET_ENCRYPT 0 #define EFS_SET_ATTRIBUTE 1 #define EFS_DEL_ATTRIBUTE 2 #define EFS_GET_ATTRIBUTE 3 #define EFS_OVERWRITE_ATTRIBUTE 4 #define EFS_ENCRYPT_DONE 5 #define EFS_DECRYPT_BEGIN 6
// // Mask for Set EFS Attribute //
#define WRITE_EFS_ATTRIBUTE 0x00000001 #define SET_EFS_KEYBLOB 0x00000002
// // Sub code of SET_ENCRYPT FSCTL //
#define EFS_FSCTL_ON_DIR 0x80000000 #define EFS_ENCRYPT_FILE 0x00000001 #define EFS_DECRYPT_FILE 0x00000002 #define EFS_ENCRYPT_STREAM 0x00000003 #define EFS_DECRYPT_STREAM 0x00000004 #define EFS_DECRYPT_DIRFILE 0x80000002 #define EFS_ENCRYPT_DIRSTR 0x80000003 #define EFS_DECRYPT_DIRSTR 0x80000004
// // EFS Version Information // // EFS_CURRENT_VERSION must always be the highest known revision // level. This value is placed in the EfsVersion field of the // $EFS header. //
#define EFS_VERSION_1 (0x00000001) #define EFS_VERSION_2 (0x00000002) #define EFS_CURRENT_VERSION EFS_VERSION_2
/////////////////////////////////////////////////////////////////////////////// // / // EFS Data structures / // / ///////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////// // / // EFS_KEY Structure / // / /////////////////////////////////////////////////////////////////////
typedef struct _EFS_KEY {
// // The length in bytes of the appended key. //
ULONG KeyLength;
// // The number of bits of entropy in the key. // For example, an 8 byte key has 56 bits of // entropy. //
ULONG Entropy;
// // The algorithm used in conjunction with this key. // // Note: this is not the algorithm used to encrypt the // actual key data itself. //
ALG_ID Algorithm;
// // This structure must be a multiple of 8 in size, // including the KeyData at the end. //
ULONG Pad;
// // KeyData is appended to the end of the structure. //
// UCHAR KeyData[1];
} EFS_KEY, *PEFS_KEY;
// // Private macros to manipulate data structures //
#define EFS_KEY_SIZE( pKey ) (sizeof( EFS_KEY ) + (pKey)->KeyLength)
#define EFS_KEY_DATA( Key ) (PUCHAR)(((PUCHAR)(Key)) + sizeof( EFS_KEY ))
#define OFFSET_TO_POINTER( FieldName, Base ) ((PCHAR)(Base) + (Base)->FieldName)
#define POINTER_TO_OFFSET( Pointer, Base ) (((PUCHAR)(Pointer)) - ((PUCHAR)(Base)))
// // We're going to use MD5 to hash the EFS stream. MD5 yields a 16 byte long hash. //
#define MD5_HASH_SIZE 16
typedef struct _EFS_DATA_STREAM_HEADER { ULONG Length; ULONG State; ULONG EfsVersion; ULONG CryptoApiVersion; GUID EfsId; UCHAR EfsHash[MD5_HASH_SIZE]; UCHAR DrfIntegrity[MD5_HASH_SIZE]; ULONG DataDecryptionField; //Offset to DDF ULONG DataRecoveryField; //Offset to DRF ULONG Reserved; ULONG Reserved2; ULONG Reserved3; } EFS_DATA_STREAM_HEADER, *PEFS_DATA_STREAM_HEADER;
/////////////////////////////////////////////////////////////////////////////// // / // EFS_PUBLIC_KEY_INFO / // / // This structure is used to contain all the information necessary to decrypt / // the FEK. / // / ///////////////////////////////////////////////////////////////////////////////
typedef struct _EFS_CERT_HASH_DATA { ULONG pbHash; // offset from start of structure ULONG cbHash; // count of bytes in hash ULONG ContainerName; // hint data, offset to LPWSTR ULONG ProviderName; // hint data, offset to LPWSTR ULONG lpDisplayInformation; // offset to an LPWSTR } EFS_CERT_HASH_DATA, *PEFS_CERT_HASH_DATA;
typedef struct _EFS_PUBLIC_KEY_INFO {
// // The length of this entire structure, including string data // appended to the end. //
ULONG Length;
// // Sid of owner of the public key (regardless of format). // This field is to be treated as a hint only. //
ULONG PossibleKeyOwner;
// // Contains information describing how to interpret // the public key information //
ULONG KeySourceTag;
union { struct {
// // The following fields contain offsets based at the // beginning of the structure. Each offset is to // a NULL terminated WCHAR string. //
ULONG ContainerName; ULONG ProviderName;
// // The exported public key used to encrypt the FEK. // This field contains an offset from the beginning of the // structure. //
ULONG PublicKeyBlob;
// // Length of the PublicKeyBlob in bytes //
ULONG PublicKeyBlobLength;
} ContainerInfo;
struct {
ULONG CertificateLength; // in bytes ULONG Certificate; // offset from start of structure
} CertificateInfo;
struct {
ULONG ThumbprintLength; // in bytes ULONG CertHashData; // offset from start of structure
} CertificateThumbprint; };
} EFS_PUBLIC_KEY_INFO, *PEFS_PUBLIC_KEY_INFO;
// // Possible KeyTag values //
typedef enum _PUBLIC_KEY_SOURCE_TAG { EfsCryptoAPIContainer = 1, EfsCertificate, EfsCertificateThumbprint } PUBLIC_KEY_SOURCE_TAG, *PPUBLIC_KEY_SOURCE_TAG;
/////////////////////////////////////////////////////////////////////////////// // / // RECOVERY_KEY Data Structure / // / ///////////////////////////////////////////////////////////////////////////////
// // Current format of recovery data. //
typedef struct _RECOVERY_KEY_1_1 { ULONG TotalLength; EFS_PUBLIC_KEY_INFO PublicKeyInfo; } RECOVERY_KEY_1_1, *PRECOVERY_KEY_1_1;
/////////////////////////////////////////////////////////////////////////////// // / // KEY_INTEGRITY_INFO / // / // The KEY_INTEGRITY_INFO structure is used to verify that / // the user's key has correctly decrypted the file's FEK. / // / ///////////////////////////////////////////////////////////////////////////////
typedef struct _KEY_INTEGRITY_INFO {
// // The length of the entire structure, including the // variable length integrity information appended to // the end //
ULONG Length;
// // The algorithm used to hash the combined FEK and // public key //
ALG_ID HashAlgorithm;
// // The length of just the hash data. //
ULONG HashDataLength;
// // Integrity information goes here //
// UCHAR Integrity Info[] } KEY_INTEGRITY_INFO, *PKEY_INTEGRITY_INFO;
typedef struct _EFS_KEY_SALT { ULONG Length; // total length of header plus data ULONG SaltType; // figure out what you want for this // // Put data here, so total length of the structure is // sizeof( EFS_KEY_SALT ) + length of your data // } EFS_KEY_SALT, *PEFS_KEY_SALT;
// // EFS Private DataStructures //
typedef struct _ENCRYPTED_KEY {
// // Total length of this structure and its data //
ULONG Length;
// // contains an offset from beginning of structure, // used to decrypt the EncryptedKey //
ULONG PublicKeyInfo;
// // Length in bytes of EncryptedFEK field //
ULONG EncryptedFEKLength;
// // offset from beginning of structure to encrypted // EFS_KEY containing the FEK // // Type is PUCHAR because data is encrypted. //
ULONG EncryptedFEK;
// // offset from beginning of structure to KEY_INTEGRITY_INFO //
ULONG EfsKeySalt;
// // FEK Data // // KEY_INTEGRITY_INFO Data // // PEFS_PUBLIC_KEY_INFO Data //
} ENCRYPTED_KEY, *PENCRYPTED_KEY;
// // The Key Ring Structure. //
typedef struct _ENCRYPTED_KEYS { ULONG KeyCount; ENCRYPTED_KEY EncryptedKey[1]; } ENCRYPTED_KEYS, *PENCRYPTED_KEYS;
typedef ENCRYPTED_KEYS DDF, *PDDF; typedef ENCRYPTED_KEYS DRF, *PDRF;
typedef struct _EFS_STREAM_SIZE { ULONG StreamFlag; LARGE_INTEGER EOFSize; LARGE_INTEGER AllocSize; } EFS_STREAM_SIZE, *PEFS_STREAM_SIZE;
#define NEXT_ENCRYPTED_KEY( pEncryptedKey ) (PENCRYPTED_KEY)(((PBYTE)(pEncryptedKey)) + *((ULONG UNALIGNED *)&((PENCRYPTED_KEY)(pEncryptedKey))->Length))
// // Import context //
typedef struct IMPORT_CONTEXT{
ULONG ContextID; //To distinguish from other LSA context. Offset is fixed across LSA. ULONG Flag; // Indicate the type of context HANDLE Handle; // File handle, used to create rest streams ULONG Attribute; ULONG CreateDisposition; ULONG CreateOptions; ULONG DesiredAccess;
} IMPORT_CONTEXT, *PIMPORT_CONTEXT;
// // Export context //
typedef struct EXPORT_CONTEXT{
ULONG ContextID; //To distinguish from other LSA context. Offset is fixed across LSA. ULONG Flag; // Indicate the type of context HANDLE Handle; // File handle, used to open rest streams ULONG NumberOfStreams; PHANDLE StreamHandles; PUNICODE_STRING StreamNames; PFILE_STREAM_INFORMATION StreamInfoBase;
} EXPORT_CONTEXT, *PEXPORT_CONTEXT;
// // EFS Export/Import RPC pipe status //
typedef struct EFS_EXIM_STATE{ PVOID ExImCallback; PVOID CallbackContext; char *WorkBuf; ULONG BufLength; ULONG Status; } EFS_EXIM_STATE, *PEFS_EXIM_STATE;
// // Export file format //
typedef struct EFSEXP_FILE_HEADER{
ULONG VersionID; // Export file version WCHAR FileSignature[EFS_SIGNATURE_LENGTH]; // Signature of the file ULONG Reserved[2]; //STREAM_DADA Streams[0]; // An array of STREAM_BLOCK
} EFSEXP_FILE_HEADER, *PEFSEXP_FILE_HEADER;
typedef struct EFSEXP_STREAM_HEADER{
ULONG Length; // Redundant information. The length of this block not including DataBlocks but // including itself; This field is to simplify the import routine. WCHAR StreamSignature[EFS_SIGNATURE_LENGTH]; // Signature of the stream ULONG Flag; // Indicating if the stream is encrypted or not and etc. ULONG Reserved[2]; // For future use ULONG NameLength; // Length of the stream name //WCHAR StreamName[0]; // ID of the stream, Binary value can be used. //DATA_BLOCK DataBlocks[0]; // Variable number of data block
} EFSEXP_STREAM_HEADER, *PEFSEXP_STREAM_HEADER;
typedef struct EFSEXP_DATA_HEADER{
ULONG Length; // Length of the block including this ULONG WCHAR DataSignature[EFS_SIGNATURE_LENGTH]; // Signature of the data ULONG Flag; // For future use. // BYTE DataBlock[N]; // N = Length - 2 * sizeof (ULONG) - 4 * sizeof (WCHAR)
} EFSEXP_DATA_HEADER, *PEFSEXP_DATA_HEADER;
// // TotalLength - total length of the RECOVERY_KEY Datastructure. // // KeyName - the storage stream will actually have the characters terminated by // a NULL character. // AlgorithmId - CryptAPI Algorithm ID - in V1 it is always RSA. // // CSPName - the storage stream will actually have the characters terminated by // a NULL character. // CSPType - CryptAPI type of CSP. // // PublicBlobLength - Length of the public blob that is importable in CryptoAPI in bytes. //
// // Recovery Policy Data Structures //
typedef struct _RECOVERY_POLICY_HEADER { USHORT MajorRevision; USHORT MinorRevision; ULONG RecoveryKeyCount; } RECOVERY_POLICY_HEADER, *PRECOVERY_POLICY_HEADER;
typedef struct _RECOVERY_POLICY_1_1 { RECOVERY_POLICY_HEADER RecoveryPolicyHeader; RECOVERY_KEY_1_1 RecoveryKeyList[1]; } RECOVERY_POLICY_1_1, *PRECOVERY_POLICY_1_1;
#define EFS_RECOVERY_POLICY_MAJOR_REVISION_1 (1) #define EFS_RECOVERY_POLICY_MINOR_REVISION_0 (0)
#define EFS_RECOVERY_POLICY_MINOR_REVISION_1 (1)
// // Major/Minor Revision - revision number of policy information. // // RecoveryKeyCount - number of recovery keys configured in this policy. // // RecoveryKeyList - array of recovery keys. //
// // Session Key Structure //
#define SESSION_KEY_SIZE 8 #define COMMON_FSCTL_HEADER_SIZE (7 * sizeof( ULONG ) + 2 * SESSION_KEY_SIZE)
typedef struct _EFS_INIT_DATAEXG { UCHAR Key[SESSION_KEY_SIZE]; HANDLE LsaProcessID; // The reason we use HANDLE is for the sake of 64 bits } EFS_INIT_DATAEXG, *PEFS_INIT_DATAEXG;
// // Server API, callable from kernel mode //
NTSTATUS EfsGenerateKey( PEFS_KEY * Fek, PEFS_DATA_STREAM_HEADER * EfsStream, PEFS_DATA_STREAM_HEADER DirectoryEfsStream, ULONG DirectoryEfsStreamLength, PVOID * BufferBase, PULONG BufferLength );
NTSTATUS GenerateDirEfs( PEFS_DATA_STREAM_HEADER DirectoryEfsStream, ULONG DirectoryEfsStreamLength, PEFS_DATA_STREAM_HEADER * NewEfs, PVOID * BufferBase, PULONG BufferLength );
#define EFS_OPEN_NORMAL 1 #define EFS_OPEN_RESTORE 2 #define EFS_OPEN_BACKUP 3
NTSTATUS EfsDecryptFek( IN OUT PEFS_KEY * Fek, IN PEFS_DATA_STREAM_HEADER CurrentEfs, IN ULONG EfsStreamLength, IN ULONG OpenType, //Normal, Recovery or Backup OUT PEFS_DATA_STREAM_HEADER *NewEfs, //In case the DDF, DRF are changed PVOID * BufferBase, PULONG BufferLength );
NTSTATUS GenerateSessionKey( OUT EFS_INIT_DATAEXG * SessionKey );
// // Private usermode server API //
ULONG EfsEncryptFileRPCClient( IN PUNICODE_STRING FileName );
ULONG EfsDecryptFileRPCClient( PUNICODE_STRING FileName, ULONG OpenFlag );
ULONG EfsOpenFileRawRPCClient( IN LPCWSTR FileName, IN ULONG Flags, OUT PVOID * Context );
VOID EfsCloseFileRawRPCClient( IN PVOID Context );
#ifdef __cplusplus } #endif
#endif // _EFSSTRUC_
|