]> git.proxmox.com Git - mirror_zfs.git/blob - lib/libzfs/libzfs_crypto.c
projects / mirror_zfs.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
zfs filesystem skipped by df -h
[mirror_zfs.git] / lib / libzfs / libzfs_crypto.c
1 /*
2 * CDDL HEADER START
3 *
4 * This file and its contents are supplied under the terms of the
5 * Common Development and Distribution License ("CDDL"), version 1.0.
6 * You may only use this file in accordance with the terms of version
7 * 1.0 of the CDDL.
8 *
9 * A full copy of the text of the CDDL should have accompanied this
10 * source. A copy of the CDDL is also available via the Internet at
11 * http://www.illumos.org/license/CDDL.
12 *
13 * CDDL HEADER END
14 */
15
16 /*
17 * Copyright (c) 2017, Datto, Inc. All rights reserved.
18 */
19
20 #include <sys/zfs_context.h>
21 #include <sys/fs/zfs.h>
22 #include <sys/dsl_crypt.h>
23 #include <libintl.h>
24 #include <termios.h>
25 #include <signal.h>
26 #include <errno.h>
27 #include <openssl/evp.h>
28 #include <libzfs.h>
29 #include "libzfs_impl.h"
30 #include "zfeature_common.h"
31
32 /*
33 * User keys are used to decrypt the master encryption keys of a dataset. This
34 * indirection allows a user to change his / her access key without having to
35 * re-encrypt the entire dataset. User keys can be provided in one of several
36 * ways. Raw keys are simply given to the kernel as is. Similarly, hex keys
37 * are converted to binary and passed into the kernel. Password based keys are
38 * a bit more complicated. Passwords alone do not provide suitable entropy for
39 * encryption and may be too short or too long to be used. In order to derive
40 * a more appropriate key we use a PBKDF2 function. This function is designed
41 * to take a (relatively) long time to calculate in order to discourage
42 * attackers from guessing from a list of common passwords. PBKDF2 requires
43 * 2 additional parameters. The first is the number of iterations to run, which
44 * will ultimately determine how long it takes to derive the resulting key from
45 * the password. The second parameter is a salt that is randomly generated for
46 * each dataset. The salt is used to "tweak" PBKDF2 such that a group of
47 * attackers cannot reasonably generate a table of commonly known passwords to
48 * their output keys and expect it work for all past and future PBKDF2 users.
49 * We store the salt as a hidden property of the dataset (although it is
50 * technically ok if the salt is known to the attacker).
51 */
52
53 typedef enum key_locator {
54 KEY_LOCATOR_NONE,
55 KEY_LOCATOR_PROMPT,
56 KEY_LOCATOR_URI
57 } key_locator_t;
58
59 #define MIN_PASSPHRASE_LEN 8
60 #define MAX_PASSPHRASE_LEN 512
61 #define MAX_KEY_PROMPT_ATTEMPTS 3
62
63 static int caught_interrupt;
64
65 static int
66 pkcs11_get_urandom(uint8_t *buf, size_t bytes)
67 {
68 int rand;
69 ssize_t bytes_read = 0;
70
71 rand = open("/dev/urandom", O_RDONLY);
72
73 if (rand < 0)
74 return (rand);
75
76 while (bytes_read < bytes) {
77 ssize_t rc = read(rand, buf + bytes_read, bytes - bytes_read);
78 if (rc < 0)
79 break;
80 bytes_read += rc;
81 }
82
83 (void) close(rand);
84
85 return (bytes_read);
86 }
87
88 static zfs_keylocation_t
89 zfs_prop_parse_keylocation(const char *str)
90 {
91 if (strcmp("prompt", str) == 0)
92 return (ZFS_KEYLOCATION_PROMPT);
93 else if (strlen(str) > 8 && strncmp("file:///", str, 8) == 0)
94 return (ZFS_KEYLOCATION_URI);
95
96 return (ZFS_KEYLOCATION_NONE);
97 }
98
99 static int
100 hex_key_to_raw(char *hex, int hexlen, uint8_t *out)
101 {
102 int ret, i;
103 unsigned int c;
104
105 for (i = 0; i < hexlen; i += 2) {
106 if (!isxdigit(hex[i]) || !isxdigit(hex[i + 1])) {
107 ret = EINVAL;
108 goto error;
109 }
110
111 ret = sscanf(&hex[i], "%02x", &c);
112 if (ret != 1) {
113 ret = EINVAL;
114 goto error;
115 }
116
117 out[i / 2] = c;
118 }
119
120 return (0);
121
122 error:
123 return (ret);
124 }
125
126
127 static void
128 catch_signal(int sig)
129 {
130 caught_interrupt = sig;
131 }
132
133 static const char *
134 get_format_prompt_string(zfs_keyformat_t format)
135 {
136 switch (format) {
137 case ZFS_KEYFORMAT_RAW:
138 return ("raw key");
139 case ZFS_KEYFORMAT_HEX:
140 return ("hex key");
141 case ZFS_KEYFORMAT_PASSPHRASE:
142 return ("passphrase");
143 default:
144 /* shouldn't happen */
145 return (NULL);
146 }
147 }
148
149 static int
150 get_key_material_raw(FILE *fd, const char *fsname, zfs_keyformat_t keyformat,
151 boolean_t again, boolean_t newkey, uint8_t **buf, size_t *len_out)
152 {
153 int ret = 0, bytes;
154 size_t buflen = 0;
155 struct termios old_term, new_term;
156 struct sigaction act, osigint, osigtstp;
157
158 *len_out = 0;
159
160 if (isatty(fileno(fd))) {
161 /*
162 * handle SIGINT and ignore SIGSTP. This is necessary to
163 * restore the state of the terminal.
164 */
165 caught_interrupt = 0;
166 act.sa_flags = 0;
167 (void) sigemptyset(&act.sa_mask);
168 act.sa_handler = catch_signal;
169
170 (void) sigaction(SIGINT, &act, &osigint);
171 act.sa_handler = SIG_IGN;
172 (void) sigaction(SIGTSTP, &act, &osigtstp);
173
174 /* prompt for the key */
175 if (fsname != NULL) {
176 (void) printf("%s %s%s for '%s': ",
177 (again) ? "Re-enter" : "Enter",
178 (newkey) ? "new " : "",
179 get_format_prompt_string(keyformat), fsname);
180 } else {
181 (void) printf("%s %s%s: ",
182 (again) ? "Re-enter" : "Enter",
183 (newkey) ? "new " : "",
184 get_format_prompt_string(keyformat));
185
186 }
187 (void) fflush(stdout);
188
189 /* disable the terminal echo for key input */
190 (void) tcgetattr(fileno(fd), &old_term);
191
192 new_term = old_term;
193 new_term.c_lflag &= ~(ECHO | ECHOE | ECHOK | ECHONL);
194
195 ret = tcsetattr(fileno(fd), TCSAFLUSH, &new_term);
196 if (ret != 0) {
197 ret = errno;
198 errno = 0;
199 goto out;
200 }
201 }
202
203 /* read the key material */
204 if (keyformat != ZFS_KEYFORMAT_RAW) {
205 bytes = getline((char **)buf, &buflen, fd);
206 if (bytes < 0) {
207 ret = errno;
208 errno = 0;
209 goto out;
210 }
211
212 /* trim the ending newline if it exists */
213 if ((*buf)[bytes - 1] == '\n') {
214 (*buf)[bytes - 1] = '\0';
215 bytes--;
216 }
217 } else {
218 /*
219 * Raw keys may have newline characters in them and so can't
220 * use getline(). Here we attempt to read 33 bytes so that we
221 * can properly check the key length (the file should only have
222 * 32 bytes).
223 */
224 *buf = malloc((WRAPPING_KEY_LEN + 1) * sizeof (char));
225 if (*buf == NULL) {
226 ret = ENOMEM;
227 goto out;
228 }
229
230 bytes = fread(*buf, 1, WRAPPING_KEY_LEN + 1, fd);
231 if (bytes < 0) {
232 /* size errors are handled by the calling function */
233 free(*buf);
234 *buf = NULL;
235 ret = errno;
236 errno = 0;
237 goto out;
238 }
239 }
240
241 *len_out = bytes;
242
243 out:
244 if (isatty(fileno(fd))) {
245 /* reset the teminal */
246 (void) tcsetattr(fileno(fd), TCSAFLUSH, &old_term);
247 (void) sigaction(SIGINT, &osigint, NULL);
248 (void) sigaction(SIGTSTP, &osigtstp, NULL);
249
250 /* if we caught a signal, re-throw it now */
251 if (caught_interrupt != 0) {
252 (void) kill(getpid(), caught_interrupt);
253 }
254
255 /* print the newline that was not echo'd */
256 printf("\n");
257 }
258
259 return (ret);
260
261 }
262
263 /*
264 * Attempts to fetch key material, no matter where it might live. The key
265 * material is allocated and returned in km_out. *can_retry_out will be set
266 * to B_TRUE if the user is providing the key material interactively, allowing
267 * for re-entry attempts.
268 */
269 static int
270 get_key_material(libzfs_handle_t *hdl, boolean_t do_verify, boolean_t newkey,
271 zfs_keyformat_t keyformat, char *keylocation, const char *fsname,
272 uint8_t **km_out, size_t *kmlen_out, boolean_t *can_retry_out)
273 {
274 int ret, i;
275 zfs_keylocation_t keyloc = ZFS_KEYLOCATION_NONE;
276 FILE *fd = NULL;
277 uint8_t *km = NULL, *km2 = NULL;
278 size_t kmlen, kmlen2;
279 boolean_t can_retry = B_FALSE;
280
281 /* verify and parse the keylocation */
282 keyloc = zfs_prop_parse_keylocation(keylocation);
283
284 /* open the appropriate file descriptor */
285 switch (keyloc) {
286 case ZFS_KEYLOCATION_PROMPT:
287 fd = stdin;
288 if (isatty(fileno(fd))) {
289 can_retry = B_TRUE;
290
291 /* raw keys cannot be entered on the terminal */
292 if (keyformat == ZFS_KEYFORMAT_RAW) {
293 ret = EINVAL;
294 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
295 "Cannot enter raw keys on the terminal"));
296 goto error;
297 }
298 }
299 break;
300 case ZFS_KEYLOCATION_URI:
301 fd = fopen(&keylocation[7], "r");
302 if (!fd) {
303 ret = errno;
304 errno = 0;
305 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
306 "Failed to open key material file"));
307 goto error;
308 }
309 break;
310 default:
311 ret = EINVAL;
312 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
313 "Invalid keylocation."));
314 goto error;
315 }
316
317 /* fetch the key material into the buffer */
318 ret = get_key_material_raw(fd, fsname, keyformat, B_FALSE, newkey,
319 &km, &kmlen);
320 if (ret != 0)
321 goto error;
322
323 /* do basic validation of the key material */
324 switch (keyformat) {
325 case ZFS_KEYFORMAT_RAW:
326 /* verify the key length is correct */
327 if (kmlen < WRAPPING_KEY_LEN) {
328 ret = EINVAL;
329 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
330 "Raw key too short (expected %u)."),
331 WRAPPING_KEY_LEN);
332 goto error;
333 }
334
335 if (kmlen > WRAPPING_KEY_LEN) {
336 ret = EINVAL;
337 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
338 "Raw key too long (expected %u)."),
339 WRAPPING_KEY_LEN);
340 goto error;
341 }
342 break;
343 case ZFS_KEYFORMAT_HEX:
344 /* verify the key length is correct */
345 if (kmlen < WRAPPING_KEY_LEN * 2) {
346 ret = EINVAL;
347 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
348 "Hex key too short (expected %u)."),
349 WRAPPING_KEY_LEN * 2);
350 goto error;
351 }
352
353 if (kmlen > WRAPPING_KEY_LEN * 2) {
354 ret = EINVAL;
355 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
356 "Hex key too long (expected %u)."),
357 WRAPPING_KEY_LEN * 2);
358 goto error;
359 }
360
361 /* check for invalid hex digits */
362 for (i = 0; i < WRAPPING_KEY_LEN * 2; i++) {
363 if (!isxdigit((char)km[i])) {
364 ret = EINVAL;
365 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
366 "Invalid hex character detected."));
367 goto error;
368 }
369 }
370 break;
371 case ZFS_KEYFORMAT_PASSPHRASE:
372 /* verify the length is within bounds */
373 if (kmlen > MAX_PASSPHRASE_LEN) {
374 ret = EINVAL;
375 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
376 "Passphrase too long (max %u)."),
377 MAX_PASSPHRASE_LEN);
378 goto error;
379 }
380
381 if (kmlen < MIN_PASSPHRASE_LEN) {
382 ret = EINVAL;
383 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
384 "Passphrase too short (min %u)."),
385 MIN_PASSPHRASE_LEN);
386 goto error;
387 }
388 break;
389 default:
390 /* can't happen, checked above */
391 break;
392 }
393
394 if (do_verify && isatty(fileno(fd))) {
395 ret = get_key_material_raw(fd, fsname, keyformat, B_TRUE,
396 newkey, &km2, &kmlen2);
397 if (ret != 0)
398 goto error;
399
400 if (kmlen2 != kmlen ||
401 (memcmp((char *)km, (char *)km2, kmlen) != 0)) {
402 ret = EINVAL;
403 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
404 "Provided keys do not match."));
405 goto error;
406 }
407 }
408
409 if (fd != stdin)
410 fclose(fd);
411
412 if (km2 != NULL)
413 free(km2);
414
415 *km_out = km;
416 *kmlen_out = kmlen;
417 if (can_retry_out != NULL)
418 *can_retry_out = can_retry;
419
420 return (0);
421
422 error:
423 if (km != NULL)
424 free(km);
425
426 if (km2 != NULL)
427 free(km2);
428
429 if (fd != NULL && fd != stdin)
430 fclose(fd);
431
432 *km_out = NULL;
433 *kmlen_out = 0;
434 if (can_retry_out != NULL)
435 *can_retry_out = can_retry;
436
437 return (ret);
438 }
439
440 static int
441 derive_key(libzfs_handle_t *hdl, zfs_keyformat_t format, uint64_t iters,
442 uint8_t *key_material, size_t key_material_len, uint64_t salt,
443 uint8_t **key_out)
444 {
445 int ret;
446 uint8_t *key;
447
448 *key_out = NULL;
449
450 key = zfs_alloc(hdl, WRAPPING_KEY_LEN);
451 if (!key)
452 return (ENOMEM);
453
454 switch (format) {
455 case ZFS_KEYFORMAT_RAW:
456 bcopy(key_material, key, WRAPPING_KEY_LEN);
457 break;
458 case ZFS_KEYFORMAT_HEX:
459 ret = hex_key_to_raw((char *)key_material,
460 WRAPPING_KEY_LEN * 2, key);
461 if (ret != 0) {
462 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
463 "Invalid hex key provided."));
464 goto error;
465 }
466 break;
467 case ZFS_KEYFORMAT_PASSPHRASE:
468 salt = LE_64(salt);
469
470 ret = PKCS5_PBKDF2_HMAC_SHA1((char *)key_material,
471 strlen((char *)key_material), ((uint8_t *)&salt),
472 sizeof (uint64_t), iters, WRAPPING_KEY_LEN, key);
473 if (ret != 1) {
474 ret = EIO;
475 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
476 "Failed to generate key from passphrase."));
477 goto error;
478 }
479 break;
480 default:
481 ret = EINVAL;
482 goto error;
483 }
484
485 *key_out = key;
486 return (0);
487
488 error:
489 free(key);
490
491 *key_out = NULL;
492 return (ret);
493 }
494
495 static boolean_t
496 encryption_feature_is_enabled(zpool_handle_t *zph)
497 {
498 nvlist_t *features;
499 uint64_t feat_refcount;
500
501 /* check that features can be enabled */
502 if (zpool_get_prop_int(zph, ZPOOL_PROP_VERSION, NULL)
503 < SPA_VERSION_FEATURES)
504 return (B_FALSE);
505
506 /* check for crypto feature */
507 features = zpool_get_features(zph);
508 if (!features || nvlist_lookup_uint64(features,
509 spa_feature_table[SPA_FEATURE_ENCRYPTION].fi_guid,
510 &feat_refcount) != 0)
511 return (B_FALSE);
512
513 return (B_TRUE);
514 }
515
516 static int
517 populate_create_encryption_params_nvlists(libzfs_handle_t *hdl,
518 zfs_handle_t *zhp, boolean_t newkey, zfs_keyformat_t keyformat,
519 char *keylocation, nvlist_t *props, uint8_t **wkeydata, uint_t *wkeylen)
520 {
521 int ret;
522 uint64_t iters = 0, salt = 0;
523 uint8_t *key_material = NULL;
524 size_t key_material_len = 0;
525 uint8_t *key_data = NULL;
526 const char *fsname = (zhp) ? zfs_get_name(zhp) : NULL;
527
528 /* get key material from keyformat and keylocation */
529 ret = get_key_material(hdl, B_TRUE, newkey, keyformat, keylocation,
530 fsname, &key_material, &key_material_len, NULL);
531 if (ret != 0)
532 goto error;
533
534 /* passphrase formats require a salt and pbkdf2 iters property */
535 if (keyformat == ZFS_KEYFORMAT_PASSPHRASE) {
536 /* always generate a new salt */
537 ret = pkcs11_get_urandom((uint8_t *)&salt, sizeof (uint64_t));
538 if (ret != sizeof (uint64_t)) {
539 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
540 "Failed to generate salt."));
541 goto error;
542 }
543
544 ret = nvlist_add_uint64(props,
545 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), salt);
546 if (ret != 0) {
547 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
548 "Failed to add salt to properties."));
549 goto error;
550 }
551
552 /*
553 * If not otherwise specified, use the default number of
554 * pbkdf2 iterations. If specified, we have already checked
555 * that the given value is greater than MIN_PBKDF2_ITERATIONS
556 * during zfs_valid_proplist().
557 */
558 ret = nvlist_lookup_uint64(props,
559 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), &iters);
560 if (ret == ENOENT) {
561 iters = DEFAULT_PBKDF2_ITERATIONS;
562 ret = nvlist_add_uint64(props,
563 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), iters);
564 if (ret != 0)
565 goto error;
566 } else if (ret != 0) {
567 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
568 "Failed to get pbkdf2 iterations."));
569 goto error;
570 }
571 } else {
572 /* check that pbkdf2iters was not specified by the user */
573 ret = nvlist_lookup_uint64(props,
574 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), &iters);
575 if (ret == 0) {
576 ret = EINVAL;
577 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
578 "Cannot specify pbkdf2iters with a non-passphrase "
579 "keyformat."));
580 goto error;
581 }
582 }
583
584 /* derive a key from the key material */
585 ret = derive_key(hdl, keyformat, iters, key_material, key_material_len,
586 salt, &key_data);
587 if (ret != 0)
588 goto error;
589
590 free(key_material);
591
592 *wkeydata = key_data;
593 *wkeylen = WRAPPING_KEY_LEN;
594 return (0);
595
596 error:
597 if (key_material != NULL)
598 free(key_material);
599 if (key_data != NULL)
600 free(key_data);
601
602 *wkeydata = NULL;
603 *wkeylen = 0;
604 return (ret);
605 }
606
607 static boolean_t
608 proplist_has_encryption_props(nvlist_t *props)
609 {
610 int ret;
611 uint64_t intval;
612 char *strval;
613
614 ret = nvlist_lookup_uint64(props,
615 zfs_prop_to_name(ZFS_PROP_ENCRYPTION), &intval);
616 if (ret == 0 && intval != ZIO_CRYPT_OFF)
617 return (B_TRUE);
618
619 ret = nvlist_lookup_string(props,
620 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), &strval);
621 if (ret == 0 && strcmp(strval, "none") != 0)
622 return (B_TRUE);
623
624 ret = nvlist_lookup_uint64(props,
625 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), &intval);
626 if (ret == 0)
627 return (B_TRUE);
628
629 ret = nvlist_lookup_uint64(props,
630 zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), &intval);
631 if (ret == 0)
632 return (B_TRUE);
633
634 return (B_FALSE);
635 }
636
637 int
638 zfs_crypto_get_encryption_root(zfs_handle_t *zhp, boolean_t *is_encroot,
639 char *buf)
640 {
641 int ret;
642 char prop_encroot[MAXNAMELEN];
643
644 /* if the dataset isn't encrypted, just return */
645 if (zfs_prop_get_int(zhp, ZFS_PROP_ENCRYPTION) == ZIO_CRYPT_OFF) {
646 *is_encroot = B_FALSE;
647 if (buf != NULL)
648 buf[0] = '\0';
649 return (0);
650 }
651
652 ret = zfs_prop_get(zhp, ZFS_PROP_ENCRYPTION_ROOT, prop_encroot,
653 sizeof (prop_encroot), NULL, NULL, 0, B_TRUE);
654 if (ret != 0) {
655 *is_encroot = B_FALSE;
656 if (buf != NULL)
657 buf[0] = '\0';
658 return (ret);
659 }
660
661 *is_encroot = strcmp(prop_encroot, zfs_get_name(zhp)) == 0;
662 if (buf != NULL)
663 strcpy(buf, prop_encroot);
664
665 return (0);
666 }
667
668 int
669 zfs_crypto_create(libzfs_handle_t *hdl, char *parent_name, nvlist_t *props,
670 nvlist_t *pool_props, boolean_t stdin_available, uint8_t **wkeydata_out,
671 uint_t *wkeylen_out)
672 {
673 int ret;
674 char errbuf[1024];
675 uint64_t crypt = ZIO_CRYPT_INHERIT, pcrypt = ZIO_CRYPT_INHERIT;
676 uint64_t keyformat = ZFS_KEYFORMAT_NONE;
677 char *keylocation = NULL;
678 zfs_handle_t *pzhp = NULL;
679 uint8_t *wkeydata = NULL;
680 uint_t wkeylen = 0;
681 boolean_t local_crypt = B_TRUE;
682
683 (void) snprintf(errbuf, sizeof (errbuf),
684 dgettext(TEXT_DOMAIN, "Encryption create error"));
685
686 /* lookup crypt from props */
687 ret = nvlist_lookup_uint64(props,
688 zfs_prop_to_name(ZFS_PROP_ENCRYPTION), &crypt);
689 if (ret != 0)
690 local_crypt = B_FALSE;
691
692 /* lookup key location and format from props */
693 (void) nvlist_lookup_uint64(props,
694 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), &keyformat);
695 (void) nvlist_lookup_string(props,
696 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), &keylocation);
697
698 if (parent_name != NULL) {
699 /* get a reference to parent dataset */
700 pzhp = make_dataset_handle(hdl, parent_name);
701 if (pzhp == NULL) {
702 ret = ENOENT;
703 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
704 "Failed to lookup parent."));
705 goto out;
706 }
707
708 /* Lookup parent's crypt */
709 pcrypt = zfs_prop_get_int(pzhp, ZFS_PROP_ENCRYPTION);
710
711 /* Params require the encryption feature */
712 if (!encryption_feature_is_enabled(pzhp->zpool_hdl)) {
713 if (proplist_has_encryption_props(props)) {
714 ret = EINVAL;
715 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
716 "Encryption feature not enabled."));
717 goto out;
718 }
719
720 ret = 0;
721 goto out;
722 }
723 } else {
724 /*
725 * special case for root dataset where encryption feature
726 * feature won't be on disk yet
727 */
728 if (!nvlist_exists(pool_props, "feature@encryption")) {
729 if (proplist_has_encryption_props(props)) {
730 ret = EINVAL;
731 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
732 "Encryption feature not enabled."));
733 goto out;
734 }
735
736 ret = 0;
737 goto out;
738 }
739
740 pcrypt = ZIO_CRYPT_OFF;
741 }
742
743 /* Check for encryption being explicitly truned off */
744 if (crypt == ZIO_CRYPT_OFF && pcrypt != ZIO_CRYPT_OFF) {
745 ret = EINVAL;
746 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
747 "Invalid encryption value. Dataset must be encrypted."));
748 goto out;
749 }
750
751 /* Get the inherited encryption property if we don't have it locally */
752 if (!local_crypt)
753 crypt = pcrypt;
754
755 /*
756 * At this point crypt should be the actual encryption value. If
757 * encryption is off just verify that no encryption properties have
758 * been specified and return.
759 */
760 if (crypt == ZIO_CRYPT_OFF) {
761 if (proplist_has_encryption_props(props)) {
762 ret = EINVAL;
763 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
764 "Encryption must be turned on to set encryption "
765 "properties."));
766 goto out;
767 }
768
769 ret = 0;
770 goto out;
771 }
772
773 /*
774 * If we have a parent crypt it is valid to specify encryption alone.
775 * This will result in a child that is encrypted with the chosen
776 * encryption suite that will also inherit the parent's key. If
777 * the parent is not encrypted we need an encryption suite provided.
778 */
779 if (pcrypt == ZIO_CRYPT_OFF && keylocation == NULL &&
780 keyformat == ZFS_KEYFORMAT_NONE) {
781 ret = EINVAL;
782 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
783 "Keyformat required for new encryption root."));
784 goto out;
785 }
786
787 /*
788 * Specifying a keylocation implies this will be a new encryption root.
789 * Check that a keyformat is also specified.
790 */
791 if (keylocation != NULL && keyformat == ZFS_KEYFORMAT_NONE) {
792 ret = EINVAL;
793 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
794 "Keyformat required for new encryption root."));
795 goto out;
796 }
797
798 /* default to prompt if no keylocation is specified */
799 if (keyformat != ZFS_KEYFORMAT_NONE && keylocation == NULL) {
800 keylocation = "prompt";
801 ret = nvlist_add_string(props,
802 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), keylocation);
803 if (ret != 0)
804 goto out;
805 }
806
807 /*
808 * If a local key is provided, this dataset will be a new
809 * encryption root. Populate the encryption params.
810 */
811 if (keylocation != NULL) {
812 /*
813 * 'zfs recv -o keylocation=prompt' won't work because stdin
814 * is being used by the send stream, so we disallow it.
815 */
816 if (!stdin_available && strcmp(keylocation, "prompt") == 0) {
817 ret = EINVAL;
818 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN, "Cannot use "
819 "'prompt' keylocation because stdin is in use."));
820 goto out;
821 }
822
823 ret = populate_create_encryption_params_nvlists(hdl, NULL,
824 B_FALSE, keyformat, keylocation, props, &wkeydata,
825 &wkeylen);
826 if (ret != 0)
827 goto out;
828 }
829
830 if (pzhp != NULL)
831 zfs_close(pzhp);
832
833 *wkeydata_out = wkeydata;
834 *wkeylen_out = wkeylen;
835 return (0);
836
837 out:
838 if (pzhp != NULL)
839 zfs_close(pzhp);
840 if (wkeydata != NULL)
841 free(wkeydata);
842
843 *wkeydata_out = NULL;
844 *wkeylen_out = 0;
845 return (ret);
846 }
847
848 int
849 zfs_crypto_clone_check(libzfs_handle_t *hdl, zfs_handle_t *origin_zhp,
850 char *parent_name, nvlist_t *props)
851 {
852 int ret;
853 char errbuf[1024];
854 zfs_handle_t *pzhp = NULL;
855 uint64_t pcrypt, ocrypt;
856
857 (void) snprintf(errbuf, sizeof (errbuf),
858 dgettext(TEXT_DOMAIN, "Encryption clone error"));
859
860 /*
861 * No encryption properties should be specified. They will all be
862 * inherited from the origin dataset.
863 */
864 if (nvlist_exists(props, zfs_prop_to_name(ZFS_PROP_KEYFORMAT)) ||
865 nvlist_exists(props, zfs_prop_to_name(ZFS_PROP_KEYLOCATION)) ||
866 nvlist_exists(props, zfs_prop_to_name(ZFS_PROP_ENCRYPTION)) ||
867 nvlist_exists(props, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS))) {
868 ret = EINVAL;
869 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
870 "Encryption properties must inherit from origin dataset."));
871 goto out;
872 }
873
874 /* get a reference to parent dataset, should never be NULL */
875 pzhp = make_dataset_handle(hdl, parent_name);
876 if (pzhp == NULL) {
877 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
878 "Failed to lookup parent."));
879 return (ENOENT);
880 }
881
882 /* Lookup parent's crypt */
883 pcrypt = zfs_prop_get_int(pzhp, ZFS_PROP_ENCRYPTION);
884 ocrypt = zfs_prop_get_int(origin_zhp, ZFS_PROP_ENCRYPTION);
885
886 /* all children of encrypted parents must be encrypted */
887 if (pcrypt != ZIO_CRYPT_OFF && ocrypt == ZIO_CRYPT_OFF) {
888 ret = EINVAL;
889 zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
890 "Cannot create unencrypted clone as a child "
891 "of encrypted parent."));
892 goto out;
893 }
894
895 zfs_close(pzhp);
896 return (0);
897
898 out:
899 if (pzhp != NULL)
900 zfs_close(pzhp);
901 return (ret);
902 }
903
904 typedef struct loadkeys_cbdata {
905 uint64_t cb_numfailed;
906 uint64_t cb_numattempted;
907 } loadkey_cbdata_t;
908
909 static int
910 load_keys_cb(zfs_handle_t *zhp, void *arg)
911 {
912 int ret;
913 boolean_t is_encroot;
914 loadkey_cbdata_t *cb = arg;
915 uint64_t keystatus = zfs_prop_get_int(zhp, ZFS_PROP_KEYSTATUS);
916
917 /* only attempt to load keys for encryption roots */
918 ret = zfs_crypto_get_encryption_root(zhp, &is_encroot, NULL);
919 if (ret != 0 || !is_encroot)
920 goto out;
921
922 /* don't attempt to load already loaded keys */
923 if (keystatus == ZFS_KEYSTATUS_AVAILABLE)
924 goto out;
925
926 /* Attempt to load the key. Record status in cb. */
927 cb->cb_numattempted++;
928
929 ret = zfs_crypto_load_key(zhp, B_FALSE, NULL);
930 if (ret)
931 cb->cb_numfailed++;
932
933 out:
934 (void) zfs_iter_filesystems(zhp, load_keys_cb, cb);
935 zfs_close(zhp);
936
937 /* always return 0, since this function is best effort */
938 return (0);
939 }
940
941 /*
942 * This function is best effort. It attempts to load all the keys for the given
943 * filesystem and all of its children.
944 */
945 int
946 zfs_crypto_attempt_load_keys(libzfs_handle_t *hdl, char *fsname)
947 {
948 int ret;
949 zfs_handle_t *zhp = NULL;
950 loadkey_cbdata_t cb = { 0 };
951
952 zhp = zfs_open(hdl, fsname, ZFS_TYPE_FILESYSTEM | ZFS_TYPE_VOLUME);
953 if (zhp == NULL) {
954 ret = ENOENT;
955 goto error;
956 }
957
958 ret = load_keys_cb(zfs_handle_dup(zhp), &cb);
959 if (ret)
960 goto error;
961
962 (void) printf(gettext("%llu / %llu keys successfully loaded\n"),
963 (u_longlong_t)(cb.cb_numattempted - cb.cb_numfailed),
964 (u_longlong_t)cb.cb_numattempted);
965
966 if (cb.cb_numfailed != 0) {
967 ret = -1;
968 goto error;
969 }
970
971 zfs_close(zhp);
972 return (0);
973
974 error:
975 if (zhp != NULL)
976 zfs_close(zhp);
977 return (ret);
978 }
979
980 int
981 zfs_crypto_load_key(zfs_handle_t *zhp, boolean_t noop, char *alt_keylocation)
982 {
983 int ret, attempts = 0;
984 char errbuf[1024];
985 uint64_t keystatus, iters = 0, salt = 0;
986 uint64_t keyformat = ZFS_KEYFORMAT_NONE;
987 char prop_keylocation[MAXNAMELEN];
988 char prop_encroot[MAXNAMELEN];
989 char *keylocation = NULL;
990 uint8_t *key_material = NULL, *key_data = NULL;
991 size_t key_material_len;
992 boolean_t is_encroot, can_retry = B_FALSE, correctible = B_FALSE;
993
994 (void) snprintf(errbuf, sizeof (errbuf),
995 dgettext(TEXT_DOMAIN, "Key load error"));
996
997 /* check that encryption is enabled for the pool */
998 if (!encryption_feature_is_enabled(zhp->zpool_hdl)) {
999 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1000 "Encryption feature not enabled."));
1001 ret = EINVAL;
1002 goto error;
1003 }
1004
1005 /* Fetch the keyformat. Check that the dataset is encrypted. */
1006 keyformat = zfs_prop_get_int(zhp, ZFS_PROP_KEYFORMAT);
1007 if (keyformat == ZFS_KEYFORMAT_NONE) {
1008 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1009 "'%s' is not encrypted."), zfs_get_name(zhp));
1010 ret = EINVAL;
1011 goto error;
1012 }
1013
1014 /*
1015 * Fetch the key location. Check that we are working with an
1016 * encryption root.
1017 */
1018 ret = zfs_crypto_get_encryption_root(zhp, &is_encroot, prop_encroot);
1019 if (ret != 0) {
1020 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1021 "Failed to get encryption root for '%s'."),
1022 zfs_get_name(zhp));
1023 goto error;
1024 } else if (!is_encroot) {
1025 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1026 "Keys must be loaded for encryption root of '%s' (%s)."),
1027 zfs_get_name(zhp), prop_encroot);
1028 ret = EINVAL;
1029 goto error;
1030 }
1031
1032 /*
1033 * if the caller has elected to override the keylocation property
1034 * use that instead
1035 */
1036 if (alt_keylocation != NULL) {
1037 keylocation = alt_keylocation;
1038 } else {
1039 ret = zfs_prop_get(zhp, ZFS_PROP_KEYLOCATION, prop_keylocation,
1040 sizeof (prop_keylocation), NULL, NULL, 0, B_TRUE);
1041 if (ret != 0) {
1042 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1043 "Failed to get keylocation for '%s'."),
1044 zfs_get_name(zhp));
1045 goto error;
1046 }
1047
1048 keylocation = prop_keylocation;
1049 }
1050
1051 /* check that the key is unloaded unless this is a noop */
1052 if (!noop) {
1053 keystatus = zfs_prop_get_int(zhp, ZFS_PROP_KEYSTATUS);
1054 if (keystatus == ZFS_KEYSTATUS_AVAILABLE) {
1055 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1056 "Key already loaded for '%s'."), zfs_get_name(zhp));
1057 ret = EEXIST;
1058 goto error;
1059 }
1060 }
1061
1062 /* passphrase formats require a salt and pbkdf2_iters property */
1063 if (keyformat == ZFS_KEYFORMAT_PASSPHRASE) {
1064 salt = zfs_prop_get_int(zhp, ZFS_PROP_PBKDF2_SALT);
1065 iters = zfs_prop_get_int(zhp, ZFS_PROP_PBKDF2_ITERS);
1066 }
1067
1068 try_again:
1069 /* fetching and deriving the key are correctable errors. set the flag */
1070 correctible = B_TRUE;
1071
1072 /* get key material from key format and location */
1073 ret = get_key_material(zhp->zfs_hdl, B_FALSE, B_FALSE, keyformat,
1074 keylocation, zfs_get_name(zhp), &key_material, &key_material_len,
1075 &can_retry);
1076 if (ret != 0)
1077 goto error;
1078
1079 /* derive a key from the key material */
1080 ret = derive_key(zhp->zfs_hdl, keyformat, iters, key_material,
1081 key_material_len, salt, &key_data);
1082 if (ret != 0)
1083 goto error;
1084
1085 correctible = B_FALSE;
1086
1087 /* pass the wrapping key and noop flag to the ioctl */
1088 ret = lzc_load_key(zhp->zfs_name, noop, key_data, WRAPPING_KEY_LEN);
1089 if (ret != 0) {
1090 switch (ret) {
1091 case EPERM:
1092 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1093 "Permission denied."));
1094 break;
1095 case EINVAL:
1096 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1097 "Invalid parameters provided for dataset %s."),
1098 zfs_get_name(zhp));
1099 break;
1100 case EEXIST:
1101 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1102 "Key already loaded for '%s'."), zfs_get_name(zhp));
1103 break;
1104 case EBUSY:
1105 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1106 "'%s' is busy."), zfs_get_name(zhp));
1107 break;
1108 case EACCES:
1109 correctible = B_TRUE;
1110 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1111 "Incorrect key provided for '%s'."),
1112 zfs_get_name(zhp));
1113 break;
1114 }
1115 goto error;
1116 }
1117
1118 free(key_material);
1119 free(key_data);
1120
1121 return (0);
1122
1123 error:
1124 zfs_error(zhp->zfs_hdl, EZFS_CRYPTOFAILED, errbuf);
1125 if (key_material != NULL) {
1126 free(key_material);
1127 key_material = NULL;
1128 }
1129 if (key_data != NULL) {
1130 free(key_data);
1131 key_data = NULL;
1132 }
1133
1134 /*
1135 * Here we decide if it is ok to allow the user to retry entering their
1136 * key. The can_retry flag will be set if the user is entering their
1137 * key from an interactive prompt. The correctable flag will only be
1138 * set if an error that occurred could be corrected by retrying. Both
1139 * flags are needed to allow the user to attempt key entry again
1140 */
1141 attempts++;
1142 if (can_retry && correctible && attempts < MAX_KEY_PROMPT_ATTEMPTS)
1143 goto try_again;
1144
1145 return (ret);
1146 }
1147
1148 int
1149 zfs_crypto_unload_key(zfs_handle_t *zhp)
1150 {
1151 int ret;
1152 char errbuf[1024];
1153 char prop_encroot[MAXNAMELEN];
1154 uint64_t keystatus, keyformat;
1155 boolean_t is_encroot;
1156
1157 (void) snprintf(errbuf, sizeof (errbuf),
1158 dgettext(TEXT_DOMAIN, "Key unload error"));
1159
1160 /* check that encryption is enabled for the pool */
1161 if (!encryption_feature_is_enabled(zhp->zpool_hdl)) {
1162 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1163 "Encryption feature not enabled."));
1164 ret = EINVAL;
1165 goto error;
1166 }
1167
1168 /* Fetch the keyformat. Check that the dataset is encrypted. */
1169 keyformat = zfs_prop_get_int(zhp, ZFS_PROP_KEYFORMAT);
1170 if (keyformat == ZFS_KEYFORMAT_NONE) {
1171 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1172 "'%s' is not encrypted."), zfs_get_name(zhp));
1173 ret = EINVAL;
1174 goto error;
1175 }
1176
1177 /*
1178 * Fetch the key location. Check that we are working with an
1179 * encryption root.
1180 */
1181 ret = zfs_crypto_get_encryption_root(zhp, &is_encroot, prop_encroot);
1182 if (ret != 0) {
1183 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1184 "Failed to get encryption root for '%s'."),
1185 zfs_get_name(zhp));
1186 goto error;
1187 } else if (!is_encroot) {
1188 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1189 "Keys must be unloaded for encryption root of '%s' (%s)."),
1190 zfs_get_name(zhp), prop_encroot);
1191 ret = EINVAL;
1192 goto error;
1193 }
1194
1195 /* check that the key is loaded */
1196 keystatus = zfs_prop_get_int(zhp, ZFS_PROP_KEYSTATUS);
1197 if (keystatus == ZFS_KEYSTATUS_UNAVAILABLE) {
1198 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1199 "Key already unloaded for '%s'."), zfs_get_name(zhp));
1200 ret = EACCES;
1201 goto error;
1202 }
1203
1204 /* call the ioctl */
1205 ret = lzc_unload_key(zhp->zfs_name);
1206
1207 if (ret != 0) {
1208 switch (ret) {
1209 case EPERM:
1210 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1211 "Permission denied."));
1212 break;
1213 case EACCES:
1214 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1215 "Key already unloaded for '%s'."),
1216 zfs_get_name(zhp));
1217 break;
1218 case EBUSY:
1219 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1220 "'%s' is busy."), zfs_get_name(zhp));
1221 break;
1222 }
1223 zfs_error(zhp->zfs_hdl, EZFS_CRYPTOFAILED, errbuf);
1224 }
1225
1226 return (ret);
1227
1228 error:
1229 zfs_error(zhp->zfs_hdl, EZFS_CRYPTOFAILED, errbuf);
1230 return (ret);
1231 }
1232
1233 static int
1234 zfs_crypto_verify_rewrap_nvlist(zfs_handle_t *zhp, nvlist_t *props,
1235 nvlist_t **props_out, char *errbuf)
1236 {
1237 int ret;
1238 nvpair_t *elem = NULL;
1239 zfs_prop_t prop;
1240 nvlist_t *new_props = NULL;
1241
1242 new_props = fnvlist_alloc();
1243
1244 /*
1245 * loop through all provided properties, we should only have
1246 * keyformat, keylocation and pbkdf2iters. The actual validation of
1247 * values is done by zfs_valid_proplist().
1248 */
1249 while ((elem = nvlist_next_nvpair(props, elem)) != NULL) {
1250 const char *propname = nvpair_name(elem);
1251 prop = zfs_name_to_prop(propname);
1252
1253 switch (prop) {
1254 case ZFS_PROP_PBKDF2_ITERS:
1255 case ZFS_PROP_KEYFORMAT:
1256 case ZFS_PROP_KEYLOCATION:
1257 break;
1258 default:
1259 ret = EINVAL;
1260 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1261 "Only keyformat, keylocation and pbkdf2iters may "
1262 "be set with this command."));
1263 goto error;
1264 }
1265 }
1266
1267 new_props = zfs_valid_proplist(zhp->zfs_hdl, zhp->zfs_type, props,
1268 zfs_prop_get_int(zhp, ZFS_PROP_ZONED), NULL, zhp->zpool_hdl,
1269 B_TRUE, errbuf);
1270 if (new_props == NULL) {
1271 ret = EINVAL;
1272 goto error;
1273 }
1274
1275 *props_out = new_props;
1276 return (0);
1277
1278 error:
1279 nvlist_free(new_props);
1280 *props_out = NULL;
1281 return (ret);
1282 }
1283
1284 int
1285 zfs_crypto_rewrap(zfs_handle_t *zhp, nvlist_t *raw_props, boolean_t inheritkey)
1286 {
1287 int ret;
1288 char errbuf[1024];
1289 boolean_t is_encroot;
1290 nvlist_t *props = NULL;
1291 uint8_t *wkeydata = NULL;
1292 uint_t wkeylen = 0;
1293 dcp_cmd_t cmd = (inheritkey) ? DCP_CMD_INHERIT : DCP_CMD_NEW_KEY;
1294 uint64_t crypt, pcrypt, keystatus, pkeystatus;
1295 uint64_t keyformat = ZFS_KEYFORMAT_NONE;
1296 zfs_handle_t *pzhp = NULL;
1297 char *keylocation = NULL;
1298 char origin_name[MAXNAMELEN];
1299 char prop_keylocation[MAXNAMELEN];
1300 char parent_name[ZFS_MAX_DATASET_NAME_LEN];
1301
1302 (void) snprintf(errbuf, sizeof (errbuf),
1303 dgettext(TEXT_DOMAIN, "Key change error"));
1304
1305 /* check that encryption is enabled for the pool */
1306 if (!encryption_feature_is_enabled(zhp->zpool_hdl)) {
1307 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1308 "Encryption feature not enabled."));
1309 ret = EINVAL;
1310 goto error;
1311 }
1312
1313 /* get crypt from dataset */
1314 crypt = zfs_prop_get_int(zhp, ZFS_PROP_ENCRYPTION);
1315 if (crypt == ZIO_CRYPT_OFF) {
1316 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1317 "Dataset not encrypted."));
1318 ret = EINVAL;
1319 goto error;
1320 }
1321
1322 /* get the encryption root of the dataset */
1323 ret = zfs_crypto_get_encryption_root(zhp, &is_encroot, NULL);
1324 if (ret != 0) {
1325 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1326 "Failed to get encryption root for '%s'."),
1327 zfs_get_name(zhp));
1328 goto error;
1329 }
1330
1331 /* Clones use their origin's key and cannot rewrap it */
1332 ret = zfs_prop_get(zhp, ZFS_PROP_ORIGIN, origin_name,
1333 sizeof (origin_name), NULL, NULL, 0, B_TRUE);
1334 if (ret == 0 && strcmp(origin_name, "") != 0) {
1335 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1336 "Keys cannot be changed on clones."));
1337 ret = EINVAL;
1338 goto error;
1339 }
1340
1341 /*
1342 * If the user wants to use the inheritkey variant of this function
1343 * we don't need to collect any crypto arguments.
1344 */
1345 if (!inheritkey) {
1346 /* validate the provided properties */
1347 ret = zfs_crypto_verify_rewrap_nvlist(zhp, raw_props, &props,
1348 errbuf);
1349 if (ret != 0)
1350 goto error;
1351
1352 /*
1353 * Load keyformat and keylocation from the nvlist. Fetch from
1354 * the dataset properties if not specified.
1355 */
1356 (void) nvlist_lookup_uint64(props,
1357 zfs_prop_to_name(ZFS_PROP_KEYFORMAT), &keyformat);
1358 (void) nvlist_lookup_string(props,
1359 zfs_prop_to_name(ZFS_PROP_KEYLOCATION), &keylocation);
1360
1361 if (is_encroot) {
1362 /*
1363 * If this is already an ecryption root, just keep
1364 * any properties not set by the user.
1365 */
1366 if (keyformat == ZFS_KEYFORMAT_NONE) {
1367 keyformat = zfs_prop_get_int(zhp,
1368 ZFS_PROP_KEYFORMAT);
1369 ret = nvlist_add_uint64(props,
1370 zfs_prop_to_name(ZFS_PROP_KEYFORMAT),
1371 keyformat);
1372 if (ret != 0) {
1373 zfs_error_aux(zhp->zfs_hdl,
1374 dgettext(TEXT_DOMAIN, "Failed to "
1375 "get existing keyformat "
1376 "property."));
1377 goto error;
1378 }
1379 }
1380
1381 if (keylocation == NULL) {
1382 ret = zfs_prop_get(zhp, ZFS_PROP_KEYLOCATION,
1383 prop_keylocation, sizeof (prop_keylocation),
1384 NULL, NULL, 0, B_TRUE);
1385 if (ret != 0) {
1386 zfs_error_aux(zhp->zfs_hdl,
1387 dgettext(TEXT_DOMAIN, "Failed to "
1388 "get existing keylocation "
1389 "property."));
1390 goto error;
1391 }
1392
1393 keylocation = prop_keylocation;
1394 }
1395 } else {
1396 /* need a new key for non-encryption roots */
1397 if (keyformat == ZFS_KEYFORMAT_NONE) {
1398 ret = EINVAL;
1399 zfs_error_aux(zhp->zfs_hdl,
1400 dgettext(TEXT_DOMAIN, "Keyformat required "
1401 "for new encryption root."));
1402 goto error;
1403 }
1404
1405 /* default to prompt if no keylocation is specified */
1406 if (keylocation == NULL) {
1407 keylocation = "prompt";
1408 ret = nvlist_add_string(props,
1409 zfs_prop_to_name(ZFS_PROP_KEYLOCATION),
1410 keylocation);
1411 if (ret != 0)
1412 goto error;
1413 }
1414 }
1415
1416 /* fetch the new wrapping key and associated properties */
1417 ret = populate_create_encryption_params_nvlists(zhp->zfs_hdl,
1418 zhp, B_TRUE, keyformat, keylocation, props, &wkeydata,
1419 &wkeylen);
1420 if (ret != 0)
1421 goto error;
1422 } else {
1423 /* check that zhp is an encryption root */
1424 if (!is_encroot) {
1425 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1426 "Key inheritting can only be performed on "
1427 "encryption roots."));
1428 ret = EINVAL;
1429 goto error;
1430 }
1431
1432 /* get the parent's name */
1433 ret = zfs_parent_name(zhp, parent_name, sizeof (parent_name));
1434 if (ret != 0) {
1435 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1436 "Root dataset cannot inherit key."));
1437 ret = EINVAL;
1438 goto error;
1439 }
1440
1441 /* get a handle to the parent */
1442 pzhp = make_dataset_handle(zhp->zfs_hdl, parent_name);
1443 if (pzhp == NULL) {
1444 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1445 "Failed to lookup parent."));
1446 ret = ENOENT;
1447 goto error;
1448 }
1449
1450 /* parent must be encrypted */
1451 pcrypt = zfs_prop_get_int(pzhp, ZFS_PROP_ENCRYPTION);
1452 if (pcrypt == ZIO_CRYPT_OFF) {
1453 zfs_error_aux(pzhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1454 "Parent must be encrypted."));
1455 ret = EINVAL;
1456 goto error;
1457 }
1458
1459 /* check that the parent's key is loaded */
1460 pkeystatus = zfs_prop_get_int(pzhp, ZFS_PROP_KEYSTATUS);
1461 if (pkeystatus == ZFS_KEYSTATUS_UNAVAILABLE) {
1462 zfs_error_aux(pzhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1463 "Parent key must be loaded."));
1464 ret = EACCES;
1465 goto error;
1466 }
1467 }
1468
1469 /* check that the key is loaded */
1470 keystatus = zfs_prop_get_int(zhp, ZFS_PROP_KEYSTATUS);
1471 if (keystatus == ZFS_KEYSTATUS_UNAVAILABLE) {
1472 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1473 "Key must be loaded."));
1474 ret = EACCES;
1475 goto error;
1476 }
1477
1478 /* call the ioctl */
1479 ret = lzc_change_key(zhp->zfs_name, cmd, props, wkeydata, wkeylen);
1480 if (ret != 0) {
1481 switch (ret) {
1482 case EPERM:
1483 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1484 "Permission denied."));
1485 break;
1486 case EINVAL:
1487 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1488 "Invalid properties for key change."));
1489 break;
1490 case EACCES:
1491 zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1492 "Key is not currently loaded."));
1493 break;
1494 }
1495 zfs_error(zhp->zfs_hdl, EZFS_CRYPTOFAILED, errbuf);
1496 }
1497
1498 if (pzhp != NULL)
1499 zfs_close(pzhp);
1500 if (props != NULL)
1501 nvlist_free(props);
1502 if (wkeydata != NULL)
1503 free(wkeydata);
1504
1505 return (ret);
1506
1507 error:
1508 if (pzhp != NULL)
1509 zfs_close(pzhp);
1510 if (props != NULL)
1511 nvlist_free(props);
1512 if (wkeydata != NULL)
1513 free(wkeydata);
1514
1515 zfs_error(zhp->zfs_hdl, EZFS_CRYPTOFAILED, errbuf);
1516 return (ret);
1517 }
ZFS On Linux mirror for PVE