Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

671 lines
17 KiB

  1. /*++
  2. Copyright (c) Microsoft Corporation. All rights reserved.
  3. Module Name:
  4. efsstruc.h
  5. Abstract:
  6. EFS (Encrypting File System) defines, data and function prototypes.
  7. Author:
  8. Robert Reichel (RobertRe)
  9. Robert Gu (RobertG)
  10. Environment:
  11. Revision History:
  12. --*/
  13. #ifndef _EFSSTRUC_
  14. #define _EFSSTRUC_
  15. #ifdef __cplusplus
  16. extern "C" {
  17. #endif
  18. #ifndef ALGIDDEF
  19. #define ALGIDDEF
  20. typedef unsigned int ALG_ID;
  21. #endif
  22. //
  23. // Our OID. Remove from here once it's in the real headers.
  24. //
  25. #ifndef szOID_EFS_CRYPTO
  26. #define szOID_EFS_CRYPTO "1.3.6.1.4.1.311.10.3.4"
  27. #endif
  28. #ifndef szOID_EFS_RECOVERY
  29. #define szOID_EFS_RECOVERY "1.3.6.1.4.1.311.10.3.4.1"
  30. #endif
  31. //
  32. // Context flag
  33. //
  34. #define CONTEXT_FOR_EXPORT 0x00000000
  35. #define CONTEXT_FOR_IMPORT 0x00000001
  36. #define CONTEXT_INVALID 0x00000002
  37. #define CONTEXT_OPEN_FOR_DIR 0x00008000
  38. //
  39. // Context ID
  40. //
  41. #define EFS_CONTEXT_ID 0x00000001
  42. //
  43. // Signature type
  44. //
  45. #define SIG_LENGTH 0x00000008
  46. #define SIG_NO_MATCH 0x00000000
  47. #define SIG_EFS_FILE 0x00000001
  48. #define SIG_EFS_STREAM 0x00000002
  49. #define SIG_EFS_DATA 0x00000003
  50. //
  51. // Export file format stream flag information
  52. //
  53. #define STREAM_NOT_ENCRYPTED 0x0001
  54. #define EFS_EXP_FORMAT_CURRENT_VERSION 0x0100
  55. #define EFS_SIGNATURE_LENGTH 4
  56. #define EFS_STREAM_ID 0x1910
  57. #define FSCTL_IMPORT_INPUT_LENGTH 4 * 1024
  58. #define FSCTL_EXPORT_INPUT_LENGTH 128
  59. #define FSCTL_OUTPUT_INITIAL_LENGTH 68 * 1024
  60. #define FSCTL_OUTPUT_LESS_LENGTH 8 * 1024
  61. #define FSCTL_OUTPUT_MIN_LENGTH 20 * 1024
  62. #define FSCTL_OUTPUT_MISC_LENGTH 4 * 1024
  63. //
  64. // FSCTL data shared between server and driver
  65. //
  66. #define EFS_SET_ENCRYPT 0
  67. #define EFS_SET_ATTRIBUTE 1
  68. #define EFS_DEL_ATTRIBUTE 2
  69. #define EFS_GET_ATTRIBUTE 3
  70. #define EFS_OVERWRITE_ATTRIBUTE 4
  71. #define EFS_ENCRYPT_DONE 5
  72. #define EFS_DECRYPT_BEGIN 6
  73. //
  74. // Mask for Set EFS Attribute
  75. //
  76. #define WRITE_EFS_ATTRIBUTE 0x00000001
  77. #define SET_EFS_KEYBLOB 0x00000002
  78. //
  79. // Sub code of SET_ENCRYPT FSCTL
  80. //
  81. #define EFS_FSCTL_ON_DIR 0x80000000
  82. #define EFS_ENCRYPT_FILE 0x00000001
  83. #define EFS_DECRYPT_FILE 0x00000002
  84. #define EFS_ENCRYPT_STREAM 0x00000003
  85. #define EFS_DECRYPT_STREAM 0x00000004
  86. #define EFS_DECRYPT_DIRFILE 0x80000002
  87. #define EFS_ENCRYPT_DIRSTR 0x80000003
  88. #define EFS_DECRYPT_DIRSTR 0x80000004
  89. //
  90. // EFS Version Information
  91. //
  92. // EFS_CURRENT_VERSION must always be the highest known revision
  93. // level. This value is placed in the EfsVersion field of the
  94. // $EFS header.
  95. //
  96. #define EFS_VERSION_1 (0x00000001)
  97. #define EFS_VERSION_2 (0x00000002)
  98. #define EFS_CURRENT_VERSION EFS_VERSION_2
  99. ///////////////////////////////////////////////////////////////////////////////
  100. // /
  101. // EFS Data structures /
  102. // /
  103. ///////////////////////////////////////////////////////////////////////////////
  104. /////////////////////////////////////////////////////////////////////
  105. // /
  106. // EFS_KEY Structure /
  107. // /
  108. /////////////////////////////////////////////////////////////////////
  109. typedef struct _EFS_KEY {
  110. //
  111. // The length in bytes of the appended key.
  112. //
  113. ULONG KeyLength;
  114. //
  115. // The number of bits of entropy in the key.
  116. // For example, an 8 byte key has 56 bits of
  117. // entropy.
  118. //
  119. ULONG Entropy;
  120. //
  121. // The algorithm used in conjunction with this key.
  122. //
  123. // Note: this is not the algorithm used to encrypt the
  124. // actual key data itself.
  125. //
  126. ALG_ID Algorithm;
  127. //
  128. // This structure must be a multiple of 8 in size,
  129. // including the KeyData at the end.
  130. //
  131. ULONG Pad;
  132. //
  133. // KeyData is appended to the end of the structure.
  134. //
  135. // UCHAR KeyData[1];
  136. } EFS_KEY, *PEFS_KEY;
  137. //
  138. // Private macros to manipulate data structures
  139. //
  140. #define EFS_KEY_SIZE( pKey ) (sizeof( EFS_KEY ) + (pKey)->KeyLength)
  141. #define EFS_KEY_DATA( Key ) (PUCHAR)(((PUCHAR)(Key)) + sizeof( EFS_KEY ))
  142. #define OFFSET_TO_POINTER( FieldName, Base ) ((PCHAR)(Base) + (Base)->FieldName)
  143. #define POINTER_TO_OFFSET( Pointer, Base ) (((PUCHAR)(Pointer)) - ((PUCHAR)(Base)))
  144. //
  145. // We're going to use MD5 to hash the EFS stream. MD5 yields a 16 byte long hash.
  146. //
  147. #define MD5_HASH_SIZE 16
  148. typedef struct _EFS_DATA_STREAM_HEADER {
  149. ULONG Length;
  150. ULONG State;
  151. ULONG EfsVersion;
  152. ULONG CryptoApiVersion;
  153. GUID EfsId;
  154. UCHAR EfsHash[MD5_HASH_SIZE];
  155. UCHAR DrfIntegrity[MD5_HASH_SIZE];
  156. ULONG DataDecryptionField; //Offset to DDF
  157. ULONG DataRecoveryField; //Offset to DRF
  158. ULONG Reserved;
  159. ULONG Reserved2;
  160. ULONG Reserved3;
  161. } EFS_DATA_STREAM_HEADER, *PEFS_DATA_STREAM_HEADER;
  162. ///////////////////////////////////////////////////////////////////////////////
  163. // /
  164. // EFS_PUBLIC_KEY_INFO /
  165. // /
  166. // This structure is used to contain all the information necessary to decrypt /
  167. // the FEK. /
  168. // /
  169. ///////////////////////////////////////////////////////////////////////////////
  170. typedef struct _EFS_CERT_HASH_DATA {
  171. ULONG pbHash; // offset from start of structure
  172. ULONG cbHash; // count of bytes in hash
  173. ULONG ContainerName; // hint data, offset to LPWSTR
  174. ULONG ProviderName; // hint data, offset to LPWSTR
  175. ULONG lpDisplayInformation; // offset to an LPWSTR
  176. } EFS_CERT_HASH_DATA, *PEFS_CERT_HASH_DATA;
  177. typedef struct _EFS_PUBLIC_KEY_INFO {
  178. //
  179. // The length of this entire structure, including string data
  180. // appended to the end.
  181. //
  182. ULONG Length;
  183. //
  184. // Sid of owner of the public key (regardless of format).
  185. // This field is to be treated as a hint only.
  186. //
  187. ULONG PossibleKeyOwner;
  188. //
  189. // Contains information describing how to interpret
  190. // the public key information
  191. //
  192. ULONG KeySourceTag;
  193. union {
  194. struct {
  195. //
  196. // The following fields contain offsets based at the
  197. // beginning of the structure. Each offset is to
  198. // a NULL terminated WCHAR string.
  199. //
  200. ULONG ContainerName;
  201. ULONG ProviderName;
  202. //
  203. // The exported public key used to encrypt the FEK.
  204. // This field contains an offset from the beginning of the
  205. // structure.
  206. //
  207. ULONG PublicKeyBlob;
  208. //
  209. // Length of the PublicKeyBlob in bytes
  210. //
  211. ULONG PublicKeyBlobLength;
  212. } ContainerInfo;
  213. struct {
  214. ULONG CertificateLength; // in bytes
  215. ULONG Certificate; // offset from start of structure
  216. } CertificateInfo;
  217. struct {
  218. ULONG ThumbprintLength; // in bytes
  219. ULONG CertHashData; // offset from start of structure
  220. } CertificateThumbprint;
  221. };
  222. } EFS_PUBLIC_KEY_INFO, *PEFS_PUBLIC_KEY_INFO;
  223. //
  224. // Possible KeyTag values
  225. //
  226. typedef enum _PUBLIC_KEY_SOURCE_TAG {
  227. EfsCryptoAPIContainer = 1,
  228. EfsCertificate,
  229. EfsCertificateThumbprint
  230. } PUBLIC_KEY_SOURCE_TAG, *PPUBLIC_KEY_SOURCE_TAG;
  231. ///////////////////////////////////////////////////////////////////////////////
  232. // /
  233. // RECOVERY_KEY Data Structure /
  234. // /
  235. ///////////////////////////////////////////////////////////////////////////////
  236. //
  237. // Current format of recovery data.
  238. //
  239. typedef struct _RECOVERY_KEY_1_1 {
  240. ULONG TotalLength;
  241. EFS_PUBLIC_KEY_INFO PublicKeyInfo;
  242. } RECOVERY_KEY_1_1, *PRECOVERY_KEY_1_1;
  243. ///////////////////////////////////////////////////////////////////////////////
  244. // /
  245. // KEY_INTEGRITY_INFO /
  246. // /
  247. // The KEY_INTEGRITY_INFO structure is used to verify that /
  248. // the user's key has correctly decrypted the file's FEK. /
  249. // /
  250. ///////////////////////////////////////////////////////////////////////////////
  251. typedef struct _KEY_INTEGRITY_INFO {
  252. //
  253. // The length of the entire structure, including the
  254. // variable length integrity information appended to
  255. // the end
  256. //
  257. ULONG Length;
  258. //
  259. // The algorithm used to hash the combined FEK and
  260. // public key
  261. //
  262. ALG_ID HashAlgorithm;
  263. //
  264. // The length of just the hash data.
  265. //
  266. ULONG HashDataLength;
  267. //
  268. // Integrity information goes here
  269. //
  270. // UCHAR Integrity Info[]
  271. } KEY_INTEGRITY_INFO, *PKEY_INTEGRITY_INFO;
  272. typedef struct _EFS_KEY_SALT {
  273. ULONG Length; // total length of header plus data
  274. ULONG SaltType; // figure out what you want for this
  275. //
  276. // Put data here, so total length of the structure is
  277. // sizeof( EFS_KEY_SALT ) + length of your data
  278. //
  279. } EFS_KEY_SALT, *PEFS_KEY_SALT;
  280. //
  281. // EFS Private DataStructures
  282. //
  283. typedef struct _ENCRYPTED_KEY {
  284. //
  285. // Total length of this structure and its data
  286. //
  287. ULONG Length;
  288. //
  289. // contains an offset from beginning of structure,
  290. // used to decrypt the EncryptedKey
  291. //
  292. ULONG PublicKeyInfo;
  293. //
  294. // Length in bytes of EncryptedFEK field
  295. //
  296. ULONG EncryptedFEKLength;
  297. //
  298. // offset from beginning of structure to encrypted
  299. // EFS_KEY containing the FEK
  300. //
  301. // Type is PUCHAR because data is encrypted.
  302. //
  303. ULONG EncryptedFEK;
  304. //
  305. // offset from beginning of structure to KEY_INTEGRITY_INFO
  306. //
  307. ULONG EfsKeySalt;
  308. //
  309. // FEK Data
  310. //
  311. // KEY_INTEGRITY_INFO Data
  312. //
  313. // PEFS_PUBLIC_KEY_INFO Data
  314. //
  315. } ENCRYPTED_KEY, *PENCRYPTED_KEY;
  316. //
  317. // The Key Ring Structure.
  318. //
  319. typedef struct _ENCRYPTED_KEYS {
  320. ULONG KeyCount;
  321. ENCRYPTED_KEY EncryptedKey[1];
  322. } ENCRYPTED_KEYS, *PENCRYPTED_KEYS;
  323. typedef ENCRYPTED_KEYS DDF, *PDDF;
  324. typedef ENCRYPTED_KEYS DRF, *PDRF;
  325. typedef struct _EFS_STREAM_SIZE {
  326. ULONG StreamFlag;
  327. LARGE_INTEGER EOFSize;
  328. LARGE_INTEGER AllocSize;
  329. } EFS_STREAM_SIZE, *PEFS_STREAM_SIZE;
  330. #define NEXT_ENCRYPTED_KEY( pEncryptedKey ) (PENCRYPTED_KEY)(((PBYTE)(pEncryptedKey)) + *((ULONG UNALIGNED *)&((PENCRYPTED_KEY)(pEncryptedKey))->Length))
  331. //
  332. // Import context
  333. //
  334. typedef struct IMPORT_CONTEXT{
  335. ULONG ContextID; //To distinguish from other LSA context. Offset is fixed across LSA.
  336. ULONG Flag; // Indicate the type of context
  337. HANDLE Handle; // File handle, used to create rest streams
  338. ULONG Attribute;
  339. ULONG CreateDisposition;
  340. ULONG CreateOptions;
  341. ULONG DesiredAccess;
  342. } IMPORT_CONTEXT, *PIMPORT_CONTEXT;
  343. //
  344. // Export context
  345. //
  346. typedef struct EXPORT_CONTEXT{
  347. ULONG ContextID; //To distinguish from other LSA context. Offset is fixed across LSA.
  348. ULONG Flag; // Indicate the type of context
  349. HANDLE Handle; // File handle, used to open rest streams
  350. ULONG NumberOfStreams;
  351. PHANDLE StreamHandles;
  352. PUNICODE_STRING StreamNames;
  353. PFILE_STREAM_INFORMATION StreamInfoBase;
  354. } EXPORT_CONTEXT, *PEXPORT_CONTEXT;
  355. //
  356. // EFS Export/Import RPC pipe status
  357. //
  358. typedef struct EFS_EXIM_STATE{
  359. PVOID ExImCallback;
  360. PVOID CallbackContext;
  361. char *WorkBuf;
  362. ULONG BufLength;
  363. ULONG Status;
  364. } EFS_EXIM_STATE, *PEFS_EXIM_STATE;
  365. //
  366. // Export file format
  367. //
  368. typedef struct EFSEXP_FILE_HEADER{
  369. ULONG VersionID; // Export file version
  370. WCHAR FileSignature[EFS_SIGNATURE_LENGTH]; // Signature of the file
  371. ULONG Reserved[2];
  372. //STREAM_DADA Streams[0]; // An array of STREAM_BLOCK
  373. } EFSEXP_FILE_HEADER, *PEFSEXP_FILE_HEADER;
  374. typedef struct EFSEXP_STREAM_HEADER{
  375. ULONG Length; // Redundant information. The length of this block not including DataBlocks but
  376. // including itself; This field is to simplify the import routine.
  377. WCHAR StreamSignature[EFS_SIGNATURE_LENGTH]; // Signature of the stream
  378. ULONG Flag; // Indicating if the stream is encrypted or not and etc.
  379. ULONG Reserved[2]; // For future use
  380. ULONG NameLength; // Length of the stream name
  381. //WCHAR StreamName[0]; // ID of the stream, Binary value can be used.
  382. //DATA_BLOCK DataBlocks[0]; // Variable number of data block
  383. } EFSEXP_STREAM_HEADER, *PEFSEXP_STREAM_HEADER;
  384. typedef struct EFSEXP_DATA_HEADER{
  385. ULONG Length; // Length of the block including this ULONG
  386. WCHAR DataSignature[EFS_SIGNATURE_LENGTH]; // Signature of the data
  387. ULONG Flag; // For future use.
  388. // BYTE DataBlock[N]; // N = Length - 2 * sizeof (ULONG) - 4 * sizeof (WCHAR)
  389. } EFSEXP_DATA_HEADER, *PEFSEXP_DATA_HEADER;
  390. //
  391. // TotalLength - total length of the RECOVERY_KEY Datastructure.
  392. //
  393. // KeyName - the storage stream will actually have the characters terminated by
  394. // a NULL character.
  395. // AlgorithmId - CryptAPI Algorithm ID - in V1 it is always RSA.
  396. //
  397. // CSPName - the storage stream will actually have the characters terminated by
  398. // a NULL character.
  399. // CSPType - CryptAPI type of CSP.
  400. //
  401. // PublicBlobLength - Length of the public blob that is importable in CryptoAPI in bytes.
  402. //
  403. //
  404. // Recovery Policy Data Structures
  405. //
  406. typedef struct _RECOVERY_POLICY_HEADER {
  407. USHORT MajorRevision;
  408. USHORT MinorRevision;
  409. ULONG RecoveryKeyCount;
  410. } RECOVERY_POLICY_HEADER, *PRECOVERY_POLICY_HEADER;
  411. typedef struct _RECOVERY_POLICY_1_1 {
  412. RECOVERY_POLICY_HEADER RecoveryPolicyHeader;
  413. RECOVERY_KEY_1_1 RecoveryKeyList[1];
  414. } RECOVERY_POLICY_1_1, *PRECOVERY_POLICY_1_1;
  415. #define EFS_RECOVERY_POLICY_MAJOR_REVISION_1 (1)
  416. #define EFS_RECOVERY_POLICY_MINOR_REVISION_0 (0)
  417. #define EFS_RECOVERY_POLICY_MINOR_REVISION_1 (1)
  418. //
  419. // Major/Minor Revision - revision number of policy information.
  420. //
  421. // RecoveryKeyCount - number of recovery keys configured in this policy.
  422. //
  423. // RecoveryKeyList - array of recovery keys.
  424. //
  425. //
  426. // Session Key Structure
  427. //
  428. #define SESSION_KEY_SIZE 8
  429. #define COMMON_FSCTL_HEADER_SIZE (7 * sizeof( ULONG ) + 2 * SESSION_KEY_SIZE)
  430. typedef struct _EFS_INIT_DATAEXG {
  431. UCHAR Key[SESSION_KEY_SIZE];
  432. HANDLE LsaProcessID; // The reason we use HANDLE is for the sake of 64 bits
  433. } EFS_INIT_DATAEXG, *PEFS_INIT_DATAEXG;
  434. //
  435. // Server API, callable from kernel mode
  436. //
  437. NTSTATUS
  438. EfsGenerateKey(
  439. PEFS_KEY * Fek,
  440. PEFS_DATA_STREAM_HEADER * EfsStream,
  441. PEFS_DATA_STREAM_HEADER DirectoryEfsStream,
  442. ULONG DirectoryEfsStreamLength,
  443. PVOID * BufferBase,
  444. PULONG BufferLength
  445. );
  446. NTSTATUS
  447. GenerateDirEfs(
  448. PEFS_DATA_STREAM_HEADER DirectoryEfsStream,
  449. ULONG DirectoryEfsStreamLength,
  450. PEFS_DATA_STREAM_HEADER * NewEfs,
  451. PVOID * BufferBase,
  452. PULONG BufferLength
  453. );
  454. #define EFS_OPEN_NORMAL 1
  455. #define EFS_OPEN_RESTORE 2
  456. #define EFS_OPEN_BACKUP 3
  457. NTSTATUS
  458. EfsDecryptFek(
  459. IN OUT PEFS_KEY * Fek,
  460. IN PEFS_DATA_STREAM_HEADER CurrentEfs,
  461. IN ULONG EfsStreamLength,
  462. IN ULONG OpenType, //Normal, Recovery or Backup
  463. OUT PEFS_DATA_STREAM_HEADER *NewEfs, //In case the DDF, DRF are changed
  464. PVOID * BufferBase,
  465. PULONG BufferLength
  466. );
  467. NTSTATUS
  468. GenerateSessionKey(
  469. OUT EFS_INIT_DATAEXG * SessionKey
  470. );
  471. //
  472. // Private usermode server API
  473. //
  474. ULONG
  475. EfsEncryptFileRPCClient(
  476. IN PUNICODE_STRING FileName
  477. );
  478. ULONG
  479. EfsDecryptFileRPCClient(
  480. PUNICODE_STRING FileName,
  481. ULONG OpenFlag
  482. );
  483. ULONG
  484. EfsOpenFileRawRPCClient(
  485. IN LPCWSTR FileName,
  486. IN ULONG Flags,
  487. OUT PVOID * Context
  488. );
  489. VOID
  490. EfsCloseFileRawRPCClient(
  491. IN PVOID Context
  492. );
  493. #ifdef __cplusplus
  494. }
  495. #endif
  496. #endif // _EFSSTRUC_