xref: /freebsd/sys/contrib/openzfs/lib/libzfs/libzfs_crypto.c (revision d5b0e70f7e04d971691517ce1304d86a1e367e2e)
1 /*
2  * CDDL HEADER START
3  *
4  * This file and its contents are supplied under the terms of the
5  * Common Development and Distribution License ("CDDL"), version 1.0.
6  * You may only use this file in accordance with the terms of version
7  * 1.0 of the CDDL.
8  *
9  * A full copy of the text of the CDDL should have accompanied this
10  * source.  A copy of the CDDL is also available via the Internet at
11  * http://www.illumos.org/license/CDDL.
12  *
13  * CDDL HEADER END
14  */
15 
16 /*
17  * Copyright (c) 2017, Datto, Inc. All rights reserved.
18  * Copyright 2020 Joyent, Inc.
19  */
20 
21 #include <sys/zfs_context.h>
22 #include <sys/fs/zfs.h>
23 #include <sys/dsl_crypt.h>
24 #include <libintl.h>
25 #include <termios.h>
26 #include <signal.h>
27 #include <errno.h>
28 #include <openssl/evp.h>
29 #if LIBFETCH_DYNAMIC
30 #include <dlfcn.h>
31 #endif
32 #if LIBFETCH_IS_FETCH
33 #include <sys/param.h>
34 #include <stdio.h>
35 #include <fetch.h>
36 #elif LIBFETCH_IS_LIBCURL
37 #include <curl/curl.h>
38 #endif
39 #include <libzfs.h>
40 #include "libzfs_impl.h"
41 #include "zfeature_common.h"
42 
43 /*
44  * User keys are used to decrypt the master encryption keys of a dataset. This
45  * indirection allows a user to change his / her access key without having to
46  * re-encrypt the entire dataset. User keys can be provided in one of several
47  * ways. Raw keys are simply given to the kernel as is. Similarly, hex keys
48  * are converted to binary and passed into the kernel. Password based keys are
49  * a bit more complicated. Passwords alone do not provide suitable entropy for
50  * encryption and may be too short or too long to be used. In order to derive
51  * a more appropriate key we use a PBKDF2 function. This function is designed
52  * to take a (relatively) long time to calculate in order to discourage
53  * attackers from guessing from a list of common passwords. PBKDF2 requires
54  * 2 additional parameters. The first is the number of iterations to run, which
55  * will ultimately determine how long it takes to derive the resulting key from
56  * the password. The second parameter is a salt that is randomly generated for
57  * each dataset. The salt is used to "tweak" PBKDF2 such that a group of
58  * attackers cannot reasonably generate a table of commonly known passwords to
59  * their output keys and expect it work for all past and future PBKDF2 users.
60  * We store the salt as a hidden property of the dataset (although it is
61  * technically ok if the salt is known to the attacker).
62  */
63 
64 #define	MIN_PASSPHRASE_LEN 8
65 #define	MAX_PASSPHRASE_LEN 512
66 #define	MAX_KEY_PROMPT_ATTEMPTS 3
67 
68 static int caught_interrupt;
69 
70 static int get_key_material_file(libzfs_handle_t *, const char *, const char *,
71     zfs_keyformat_t, boolean_t, uint8_t **, size_t *);
72 static int get_key_material_https(libzfs_handle_t *, const char *, const char *,
73     zfs_keyformat_t, boolean_t, uint8_t **, size_t *);
74 
75 static zfs_uri_handler_t uri_handlers[] = {
76 	{ "file", get_key_material_file },
77 	{ "https", get_key_material_https },
78 	{ "http", get_key_material_https },
79 	{ NULL, NULL }
80 };
81 
82 static int
83 pkcs11_get_urandom(uint8_t *buf, size_t bytes)
84 {
85 	int rand;
86 	ssize_t bytes_read = 0;
87 
88 	rand = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
89 
90 	if (rand < 0)
91 		return (rand);
92 
93 	while (bytes_read < bytes) {
94 		ssize_t rc = read(rand, buf + bytes_read, bytes - bytes_read);
95 		if (rc < 0)
96 			break;
97 		bytes_read += rc;
98 	}
99 
100 	(void) close(rand);
101 
102 	return (bytes_read);
103 }
104 
105 static int
106 zfs_prop_parse_keylocation(libzfs_handle_t *restrict hdl, const char *str,
107     zfs_keylocation_t *restrict locp, char **restrict schemep)
108 {
109 	*locp = ZFS_KEYLOCATION_NONE;
110 	*schemep = NULL;
111 
112 	if (strcmp("prompt", str) == 0) {
113 		*locp = ZFS_KEYLOCATION_PROMPT;
114 		return (0);
115 	}
116 
117 	regmatch_t pmatch[2];
118 
119 	if (regexec(&hdl->libzfs_urire, str, ARRAY_SIZE(pmatch),
120 	    pmatch, 0) == 0) {
121 		size_t scheme_len;
122 
123 		if (pmatch[1].rm_so == -1) {
124 			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
125 			    "Invalid URI"));
126 			return (EINVAL);
127 		}
128 
129 		scheme_len = pmatch[1].rm_eo - pmatch[1].rm_so;
130 
131 		*schemep = calloc(1, scheme_len + 1);
132 		if (*schemep == NULL) {
133 			int ret = errno;
134 
135 			errno = 0;
136 			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
137 			    "Invalid URI"));
138 			return (ret);
139 		}
140 
141 		(void) memcpy(*schemep, str + pmatch[1].rm_so, scheme_len);
142 		*locp = ZFS_KEYLOCATION_URI;
143 		return (0);
144 	}
145 
146 	zfs_error_aux(hdl, dgettext(TEXT_DOMAIN, "Invalid keylocation"));
147 	return (EINVAL);
148 }
149 
150 static int
151 hex_key_to_raw(char *hex, int hexlen, uint8_t *out)
152 {
153 	int ret, i;
154 	unsigned int c;
155 
156 	for (i = 0; i < hexlen; i += 2) {
157 		if (!isxdigit(hex[i]) || !isxdigit(hex[i + 1])) {
158 			ret = EINVAL;
159 			goto error;
160 		}
161 
162 		ret = sscanf(&hex[i], "%02x", &c);
163 		if (ret != 1) {
164 			ret = EINVAL;
165 			goto error;
166 		}
167 
168 		out[i / 2] = c;
169 	}
170 
171 	return (0);
172 
173 error:
174 	return (ret);
175 }
176 
177 
178 static void
179 catch_signal(int sig)
180 {
181 	caught_interrupt = sig;
182 }
183 
184 static const char *
185 get_format_prompt_string(zfs_keyformat_t format)
186 {
187 	switch (format) {
188 	case ZFS_KEYFORMAT_RAW:
189 		return ("raw key");
190 	case ZFS_KEYFORMAT_HEX:
191 		return ("hex key");
192 	case ZFS_KEYFORMAT_PASSPHRASE:
193 		return ("passphrase");
194 	default:
195 		/* shouldn't happen */
196 		return (NULL);
197 	}
198 }
199 
200 /* do basic validation of the key material */
201 static int
202 validate_key(libzfs_handle_t *hdl, zfs_keyformat_t keyformat,
203     const char *key, size_t keylen, boolean_t do_verify)
204 {
205 	switch (keyformat) {
206 	case ZFS_KEYFORMAT_RAW:
207 		/* verify the key length is correct */
208 		if (keylen < WRAPPING_KEY_LEN) {
209 			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
210 			    "Raw key too short (expected %u)."),
211 			    WRAPPING_KEY_LEN);
212 			return (EINVAL);
213 		}
214 
215 		if (keylen > WRAPPING_KEY_LEN) {
216 			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
217 			    "Raw key too long (expected %u)."),
218 			    WRAPPING_KEY_LEN);
219 			return (EINVAL);
220 		}
221 		break;
222 	case ZFS_KEYFORMAT_HEX:
223 		/* verify the key length is correct */
224 		if (keylen < WRAPPING_KEY_LEN * 2) {
225 			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
226 			    "Hex key too short (expected %u)."),
227 			    WRAPPING_KEY_LEN * 2);
228 			return (EINVAL);
229 		}
230 
231 		if (keylen > WRAPPING_KEY_LEN * 2) {
232 			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
233 			    "Hex key too long (expected %u)."),
234 			    WRAPPING_KEY_LEN * 2);
235 			return (EINVAL);
236 		}
237 
238 		/* check for invalid hex digits */
239 		for (size_t i = 0; i < WRAPPING_KEY_LEN * 2; i++) {
240 			if (!isxdigit(key[i])) {
241 				zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
242 				    "Invalid hex character detected."));
243 				return (EINVAL);
244 			}
245 		}
246 		break;
247 	case ZFS_KEYFORMAT_PASSPHRASE:
248 		/*
249 		 * Verify the length is within bounds when setting a new key,
250 		 * but not when loading an existing key.
251 		 */
252 		if (!do_verify)
253 			break;
254 		if (keylen > MAX_PASSPHRASE_LEN) {
255 			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
256 			    "Passphrase too long (max %u)."),
257 			    MAX_PASSPHRASE_LEN);
258 			return (EINVAL);
259 		}
260 
261 		if (keylen < MIN_PASSPHRASE_LEN) {
262 			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
263 			    "Passphrase too short (min %u)."),
264 			    MIN_PASSPHRASE_LEN);
265 			return (EINVAL);
266 		}
267 		break;
268 	default:
269 		/* can't happen, checked above */
270 		break;
271 	}
272 
273 	return (0);
274 }
275 
276 static int
277 libzfs_getpassphrase(zfs_keyformat_t keyformat, boolean_t is_reenter,
278     boolean_t new_key, const char *fsname,
279     char **restrict res, size_t *restrict reslen)
280 {
281 	FILE *f = stdin;
282 	size_t buflen = 0;
283 	ssize_t bytes;
284 	int ret = 0;
285 	struct termios old_term, new_term;
286 	struct sigaction act, osigint, osigtstp;
287 
288 	*res = NULL;
289 	*reslen = 0;
290 
291 	/*
292 	 * handle SIGINT and ignore SIGSTP. This is necessary to
293 	 * restore the state of the terminal.
294 	 */
295 	caught_interrupt = 0;
296 	act.sa_flags = 0;
297 	(void) sigemptyset(&act.sa_mask);
298 	act.sa_handler = catch_signal;
299 
300 	(void) sigaction(SIGINT, &act, &osigint);
301 	act.sa_handler = SIG_IGN;
302 	(void) sigaction(SIGTSTP, &act, &osigtstp);
303 
304 	(void) printf("%s %s%s",
305 	    is_reenter ? "Re-enter" : "Enter",
306 	    new_key ? "new " : "",
307 	    get_format_prompt_string(keyformat));
308 	if (fsname != NULL)
309 		(void) printf(" for '%s'", fsname);
310 	(void) fputc(':', stdout);
311 	(void) fflush(stdout);
312 
313 	/* disable the terminal echo for key input */
314 	(void) tcgetattr(fileno(f), &old_term);
315 
316 	new_term = old_term;
317 	new_term.c_lflag &= ~(ECHO | ECHOE | ECHOK | ECHONL);
318 
319 	ret = tcsetattr(fileno(f), TCSAFLUSH, &new_term);
320 	if (ret != 0) {
321 		ret = errno;
322 		errno = 0;
323 		goto out;
324 	}
325 
326 	bytes = getline(res, &buflen, f);
327 	if (bytes < 0) {
328 		ret = errno;
329 		errno = 0;
330 		goto out;
331 	}
332 
333 	/* trim the ending newline if it exists */
334 	if (bytes > 0 && (*res)[bytes - 1] == '\n') {
335 		(*res)[bytes - 1] = '\0';
336 		bytes--;
337 	}
338 
339 	*reslen = bytes;
340 
341 out:
342 	/* reset the terminal */
343 	(void) tcsetattr(fileno(f), TCSAFLUSH, &old_term);
344 	(void) sigaction(SIGINT, &osigint, NULL);
345 	(void) sigaction(SIGTSTP, &osigtstp, NULL);
346 
347 	/* if we caught a signal, re-throw it now */
348 	if (caught_interrupt != 0)
349 		(void) kill(getpid(), caught_interrupt);
350 
351 	/* print the newline that was not echo'd */
352 	(void) printf("\n");
353 
354 	return (ret);
355 }
356 
357 static int
358 get_key_interactive(libzfs_handle_t *restrict hdl, const char *fsname,
359     zfs_keyformat_t keyformat, boolean_t confirm_key, boolean_t newkey,
360     uint8_t **restrict outbuf, size_t *restrict len_out)
361 {
362 	char *buf = NULL, *buf2 = NULL;
363 	size_t buflen = 0, buf2len = 0;
364 	int ret = 0;
365 
366 	ASSERT(isatty(fileno(stdin)));
367 
368 	/* raw keys cannot be entered on the terminal */
369 	if (keyformat == ZFS_KEYFORMAT_RAW) {
370 		ret = EINVAL;
371 		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
372 		    "Cannot enter raw keys on the terminal"));
373 		goto out;
374 	}
375 
376 	/* prompt for the key */
377 	if ((ret = libzfs_getpassphrase(keyformat, B_FALSE, newkey, fsname,
378 	    &buf, &buflen)) != 0) {
379 		free(buf);
380 		buf = NULL;
381 		buflen = 0;
382 		goto out;
383 	}
384 
385 	if (!confirm_key)
386 		goto out;
387 
388 	if ((ret = validate_key(hdl, keyformat, buf, buflen, confirm_key)) !=
389 	    0) {
390 		free(buf);
391 		return (ret);
392 	}
393 
394 	ret = libzfs_getpassphrase(keyformat, B_TRUE, newkey, fsname, &buf2,
395 	    &buf2len);
396 	if (ret != 0) {
397 		free(buf);
398 		free(buf2);
399 		buf = buf2 = NULL;
400 		buflen = buf2len = 0;
401 		goto out;
402 	}
403 
404 	if (buflen != buf2len || strcmp(buf, buf2) != 0) {
405 		free(buf);
406 		buf = NULL;
407 		buflen = 0;
408 
409 		ret = EINVAL;
410 		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
411 		    "Provided keys do not match."));
412 	}
413 
414 	free(buf2);
415 
416 out:
417 	*outbuf = (uint8_t *)buf;
418 	*len_out = buflen;
419 	return (ret);
420 }
421 
422 static int
423 get_key_material_raw(FILE *fd, zfs_keyformat_t keyformat,
424     uint8_t **buf, size_t *len_out)
425 {
426 	int ret = 0;
427 	size_t buflen = 0;
428 
429 	*len_out = 0;
430 
431 	/* read the key material */
432 	if (keyformat != ZFS_KEYFORMAT_RAW) {
433 		ssize_t bytes;
434 
435 		bytes = getline((char **)buf, &buflen, fd);
436 		if (bytes < 0) {
437 			ret = errno;
438 			errno = 0;
439 			goto out;
440 		}
441 
442 		/* trim the ending newline if it exists */
443 		if (bytes > 0 && (*buf)[bytes - 1] == '\n') {
444 			(*buf)[bytes - 1] = '\0';
445 			bytes--;
446 		}
447 
448 		*len_out = bytes;
449 	} else {
450 		size_t n;
451 
452 		/*
453 		 * Raw keys may have newline characters in them and so can't
454 		 * use getline(). Here we attempt to read 33 bytes so that we
455 		 * can properly check the key length (the file should only have
456 		 * 32 bytes).
457 		 */
458 		*buf = malloc((WRAPPING_KEY_LEN + 1) * sizeof (uint8_t));
459 		if (*buf == NULL) {
460 			ret = ENOMEM;
461 			goto out;
462 		}
463 
464 		n = fread(*buf, 1, WRAPPING_KEY_LEN + 1, fd);
465 		if (n == 0 || ferror(fd)) {
466 			/* size errors are handled by the calling function */
467 			free(*buf);
468 			*buf = NULL;
469 			ret = errno;
470 			errno = 0;
471 			goto out;
472 		}
473 
474 		*len_out = n;
475 	}
476 out:
477 	return (ret);
478 }
479 
480 static int
481 get_key_material_file(libzfs_handle_t *hdl, const char *uri,
482     const char *fsname, zfs_keyformat_t keyformat, boolean_t newkey,
483     uint8_t **restrict buf, size_t *restrict len_out)
484 {
485 	(void) fsname, (void) newkey;
486 	FILE *f = NULL;
487 	int ret = 0;
488 
489 	if (strlen(uri) < 7)
490 		return (EINVAL);
491 
492 	if ((f = fopen(uri + 7, "re")) == NULL) {
493 		ret = errno;
494 		errno = 0;
495 		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
496 		    "Failed to open key material file: %s"), strerror(ret));
497 		return (ret);
498 	}
499 
500 	ret = get_key_material_raw(f, keyformat, buf, len_out);
501 
502 	(void) fclose(f);
503 
504 	return (ret);
505 }
506 
507 static int
508 get_key_material_https(libzfs_handle_t *hdl, const char *uri,
509     const char *fsname, zfs_keyformat_t keyformat, boolean_t newkey,
510     uint8_t **restrict buf, size_t *restrict len_out)
511 {
512 	(void) fsname, (void) newkey;
513 	int ret = 0;
514 	FILE *key = NULL;
515 	boolean_t is_http = strncmp(uri, "http:", strlen("http:")) == 0;
516 
517 	if (strlen(uri) < (is_http ? 7 : 8)) {
518 		ret = EINVAL;
519 		goto end;
520 	}
521 
522 #if LIBFETCH_DYNAMIC
523 #define	LOAD_FUNCTION(func) \
524 	__typeof__(func) *func = dlsym(hdl->libfetch, #func);
525 
526 	if (hdl->libfetch == NULL)
527 		hdl->libfetch = dlopen(LIBFETCH_SONAME, RTLD_LAZY);
528 
529 	if (hdl->libfetch == NULL) {
530 		hdl->libfetch = (void *)-1;
531 		char *err = dlerror();
532 		if (err)
533 			hdl->libfetch_load_error = strdup(err);
534 	}
535 
536 	if (hdl->libfetch == (void *)-1) {
537 		ret = ENOSYS;
538 		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
539 		    "Couldn't load %s: %s"),
540 		    LIBFETCH_SONAME, hdl->libfetch_load_error ?: "(?)");
541 		goto end;
542 	}
543 
544 	boolean_t ok;
545 #if LIBFETCH_IS_FETCH
546 	LOAD_FUNCTION(fetchGetURL);
547 	char *fetchLastErrString = dlsym(hdl->libfetch, "fetchLastErrString");
548 
549 	ok = fetchGetURL && fetchLastErrString;
550 #elif LIBFETCH_IS_LIBCURL
551 	LOAD_FUNCTION(curl_easy_init);
552 	LOAD_FUNCTION(curl_easy_setopt);
553 	LOAD_FUNCTION(curl_easy_perform);
554 	LOAD_FUNCTION(curl_easy_cleanup);
555 	LOAD_FUNCTION(curl_easy_strerror);
556 	LOAD_FUNCTION(curl_easy_getinfo);
557 
558 	ok = curl_easy_init && curl_easy_setopt && curl_easy_perform &&
559 	    curl_easy_cleanup && curl_easy_strerror && curl_easy_getinfo;
560 #endif
561 	if (!ok) {
562 		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
563 		    "keylocation=%s back-end %s missing symbols."),
564 		    is_http ? "http://" : "https://", LIBFETCH_SONAME);
565 		ret = ENOSYS;
566 		goto end;
567 	}
568 #endif
569 
570 #if LIBFETCH_IS_FETCH
571 	key = fetchGetURL(uri, "");
572 	if (key == NULL) {
573 		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
574 		    "Couldn't GET %s: %s"),
575 		    uri, fetchLastErrString);
576 		ret = ENETDOWN;
577 	}
578 #elif LIBFETCH_IS_LIBCURL
579 	CURL *curl = curl_easy_init();
580 	if (curl == NULL) {
581 		ret = ENOTSUP;
582 		goto end;
583 	}
584 
585 	int kfd = -1;
586 #ifdef O_TMPFILE
587 	kfd = open(getenv("TMPDIR") ?: "/tmp",
588 	    O_RDWR | O_TMPFILE | O_EXCL | O_CLOEXEC, 0600);
589 	if (kfd != -1)
590 		goto kfdok;
591 #endif
592 
593 	char *path;
594 	if (asprintf(&path,
595 	    "%s/libzfs-XXXXXXXX.https", getenv("TMPDIR") ?: "/tmp") == -1) {
596 		ret = ENOMEM;
597 		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN, "%s"),
598 		    strerror(ret));
599 		goto end;
600 	}
601 
602 	kfd = mkostemps(path, strlen(".https"), O_CLOEXEC);
603 	if (kfd == -1) {
604 		ret = errno;
605 		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
606 		    "Couldn't create temporary file %s: %s"),
607 		    path, strerror(ret));
608 		free(path);
609 		goto end;
610 	}
611 	(void) unlink(path);
612 	free(path);
613 
614 kfdok:
615 	if ((key = fdopen(kfd, "r+")) == NULL) {
616 		ret = errno;
617 		(void) close(kfd);
618 		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
619 		    "Couldn't reopen temporary file: %s"), strerror(ret));
620 		goto end;
621 	}
622 
623 	char errbuf[CURL_ERROR_SIZE] = "";
624 	char *cainfo = getenv("SSL_CA_CERT_FILE"); /* matches fetch(3) */
625 	char *capath = getenv("SSL_CA_CERT_PATH"); /* matches fetch(3) */
626 	char *clcert = getenv("SSL_CLIENT_CERT_FILE"); /* matches fetch(3) */
627 	char *clkey  = getenv("SSL_CLIENT_KEY_FILE"); /* matches fetch(3) */
628 	(void) curl_easy_setopt(curl, CURLOPT_URL, uri);
629 	(void) curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
630 	(void) curl_easy_setopt(curl, CURLOPT_TIMEOUT_MS, 30000L);
631 	(void) curl_easy_setopt(curl, CURLOPT_WRITEDATA, key);
632 	(void) curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errbuf);
633 	if (cainfo != NULL)
634 		(void) curl_easy_setopt(curl, CURLOPT_CAINFO, cainfo);
635 	if (capath != NULL)
636 		(void) curl_easy_setopt(curl, CURLOPT_CAPATH, capath);
637 	if (clcert != NULL)
638 		(void) curl_easy_setopt(curl, CURLOPT_SSLCERT, clcert);
639 	if (clkey != NULL)
640 		(void) curl_easy_setopt(curl, CURLOPT_SSLKEY, clkey);
641 
642 	CURLcode res = curl_easy_perform(curl);
643 
644 	if (res != CURLE_OK) {
645 		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
646 		    "Failed to connect to %s: %s"),
647 		    uri, strlen(errbuf) ? errbuf : curl_easy_strerror(res));
648 		ret = ENETDOWN;
649 	} else {
650 		long resp = 200;
651 		(void) curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &resp);
652 
653 		if (resp < 200 || resp >= 300) {
654 			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
655 			    "Couldn't GET %s: %ld"),
656 			    uri, resp);
657 			ret = ENOENT;
658 		} else
659 			rewind(key);
660 	}
661 
662 	curl_easy_cleanup(curl);
663 #else
664 	zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
665 	    "No keylocation=%s back-end."), is_http ? "http://" : "https://");
666 	ret = ENOSYS;
667 #endif
668 
669 end:
670 	if (ret == 0)
671 		ret = get_key_material_raw(key, keyformat, buf, len_out);
672 
673 	if (key != NULL)
674 		fclose(key);
675 
676 	return (ret);
677 }
678 
679 /*
680  * Attempts to fetch key material, no matter where it might live. The key
681  * material is allocated and returned in km_out. *can_retry_out will be set
682  * to B_TRUE if the user is providing the key material interactively, allowing
683  * for re-entry attempts.
684  */
685 static int
686 get_key_material(libzfs_handle_t *hdl, boolean_t do_verify, boolean_t newkey,
687     zfs_keyformat_t keyformat, const char *keylocation, const char *fsname,
688     uint8_t **km_out, size_t *kmlen_out, boolean_t *can_retry_out)
689 {
690 	int ret;
691 	zfs_keylocation_t keyloc = ZFS_KEYLOCATION_NONE;
692 	uint8_t *km = NULL;
693 	size_t kmlen = 0;
694 	char *uri_scheme = NULL;
695 	zfs_uri_handler_t *handler = NULL;
696 	boolean_t can_retry = B_FALSE;
697 
698 	/* verify and parse the keylocation */
699 	ret = zfs_prop_parse_keylocation(hdl, keylocation, &keyloc,
700 	    &uri_scheme);
701 	if (ret != 0)
702 		goto error;
703 
704 	/* open the appropriate file descriptor */
705 	switch (keyloc) {
706 	case ZFS_KEYLOCATION_PROMPT:
707 		if (isatty(fileno(stdin))) {
708 			can_retry = keyformat != ZFS_KEYFORMAT_RAW;
709 			ret = get_key_interactive(hdl, fsname, keyformat,
710 			    do_verify, newkey, &km, &kmlen);
711 		} else {
712 			/* fetch the key material into the buffer */
713 			ret = get_key_material_raw(stdin, keyformat, &km,
714 			    &kmlen);
715 		}
716 
717 		if (ret != 0)
718 			goto error;
719 
720 		break;
721 	case ZFS_KEYLOCATION_URI:
722 		ret = ENOTSUP;
723 
724 		for (handler = uri_handlers; handler->zuh_scheme != NULL;
725 		    handler++) {
726 			if (strcmp(handler->zuh_scheme, uri_scheme) != 0)
727 				continue;
728 
729 			if ((ret = handler->zuh_handler(hdl, keylocation,
730 			    fsname, keyformat, newkey, &km, &kmlen)) != 0)
731 				goto error;
732 
733 			break;
734 		}
735 
736 		if (ret == ENOTSUP) {
737 			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
738 			    "URI scheme is not supported"));
739 			goto error;
740 		}
741 
742 		break;
743 	default:
744 		ret = EINVAL;
745 		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
746 		    "Invalid keylocation."));
747 		goto error;
748 	}
749 
750 	if ((ret = validate_key(hdl, keyformat, (const char *)km, kmlen,
751 	    do_verify)) != 0)
752 		goto error;
753 
754 	*km_out = km;
755 	*kmlen_out = kmlen;
756 	if (can_retry_out != NULL)
757 		*can_retry_out = can_retry;
758 
759 	free(uri_scheme);
760 	return (0);
761 
762 error:
763 	free(km);
764 
765 	*km_out = NULL;
766 	*kmlen_out = 0;
767 
768 	if (can_retry_out != NULL)
769 		*can_retry_out = can_retry;
770 
771 	free(uri_scheme);
772 	return (ret);
773 }
774 
775 static int
776 derive_key(libzfs_handle_t *hdl, zfs_keyformat_t format, uint64_t iters,
777     uint8_t *key_material, uint64_t salt,
778     uint8_t **key_out)
779 {
780 	int ret;
781 	uint8_t *key;
782 
783 	*key_out = NULL;
784 
785 	key = zfs_alloc(hdl, WRAPPING_KEY_LEN);
786 
787 	switch (format) {
788 	case ZFS_KEYFORMAT_RAW:
789 		memcpy(key, key_material, WRAPPING_KEY_LEN);
790 		break;
791 	case ZFS_KEYFORMAT_HEX:
792 		ret = hex_key_to_raw((char *)key_material,
793 		    WRAPPING_KEY_LEN * 2, key);
794 		if (ret != 0) {
795 			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
796 			    "Invalid hex key provided."));
797 			goto error;
798 		}
799 		break;
800 	case ZFS_KEYFORMAT_PASSPHRASE:
801 		salt = LE_64(salt);
802 
803 		ret = PKCS5_PBKDF2_HMAC_SHA1((char *)key_material,
804 		    strlen((char *)key_material), ((uint8_t *)&salt),
805 		    sizeof (uint64_t), iters, WRAPPING_KEY_LEN, key);
806 		if (ret != 1) {
807 			ret = EIO;
808 			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
809 			    "Failed to generate key from passphrase."));
810 			goto error;
811 		}
812 		break;
813 	default:
814 		ret = EINVAL;
815 		goto error;
816 	}
817 
818 	*key_out = key;
819 	return (0);
820 
821 error:
822 	free(key);
823 
824 	*key_out = NULL;
825 	return (ret);
826 }
827 
828 static boolean_t
829 encryption_feature_is_enabled(zpool_handle_t *zph)
830 {
831 	nvlist_t *features;
832 	uint64_t feat_refcount;
833 
834 	/* check that features can be enabled */
835 	if (zpool_get_prop_int(zph, ZPOOL_PROP_VERSION, NULL)
836 	    < SPA_VERSION_FEATURES)
837 		return (B_FALSE);
838 
839 	/* check for crypto feature */
840 	features = zpool_get_features(zph);
841 	if (!features || nvlist_lookup_uint64(features,
842 	    spa_feature_table[SPA_FEATURE_ENCRYPTION].fi_guid,
843 	    &feat_refcount) != 0)
844 		return (B_FALSE);
845 
846 	return (B_TRUE);
847 }
848 
849 static int
850 populate_create_encryption_params_nvlists(libzfs_handle_t *hdl,
851     zfs_handle_t *zhp, boolean_t newkey, zfs_keyformat_t keyformat,
852     const char *keylocation, nvlist_t *props, uint8_t **wkeydata,
853     uint_t *wkeylen)
854 {
855 	int ret;
856 	uint64_t iters = 0, salt = 0;
857 	uint8_t *key_material = NULL;
858 	size_t key_material_len = 0;
859 	uint8_t *key_data = NULL;
860 	const char *fsname = (zhp) ? zfs_get_name(zhp) : NULL;
861 
862 	/* get key material from keyformat and keylocation */
863 	ret = get_key_material(hdl, B_TRUE, newkey, keyformat, keylocation,
864 	    fsname, &key_material, &key_material_len, NULL);
865 	if (ret != 0)
866 		goto error;
867 
868 	/* passphrase formats require a salt and pbkdf2 iters property */
869 	if (keyformat == ZFS_KEYFORMAT_PASSPHRASE) {
870 		/* always generate a new salt */
871 		ret = pkcs11_get_urandom((uint8_t *)&salt, sizeof (uint64_t));
872 		if (ret != sizeof (uint64_t)) {
873 			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
874 			    "Failed to generate salt."));
875 			goto error;
876 		}
877 
878 		ret = nvlist_add_uint64(props,
879 		    zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT), salt);
880 		if (ret != 0) {
881 			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
882 			    "Failed to add salt to properties."));
883 			goto error;
884 		}
885 
886 		/*
887 		 * If not otherwise specified, use the default number of
888 		 * pbkdf2 iterations. If specified, we have already checked
889 		 * that the given value is greater than MIN_PBKDF2_ITERATIONS
890 		 * during zfs_valid_proplist().
891 		 */
892 		ret = nvlist_lookup_uint64(props,
893 		    zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), &iters);
894 		if (ret == ENOENT) {
895 			iters = DEFAULT_PBKDF2_ITERATIONS;
896 			ret = nvlist_add_uint64(props,
897 			    zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), iters);
898 			if (ret != 0)
899 				goto error;
900 		} else if (ret != 0) {
901 			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
902 			    "Failed to get pbkdf2 iterations."));
903 			goto error;
904 		}
905 	} else {
906 		/* check that pbkdf2iters was not specified by the user */
907 		ret = nvlist_lookup_uint64(props,
908 		    zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), &iters);
909 		if (ret == 0) {
910 			ret = EINVAL;
911 			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
912 			    "Cannot specify pbkdf2iters with a non-passphrase "
913 			    "keyformat."));
914 			goto error;
915 		}
916 	}
917 
918 	/* derive a key from the key material */
919 	ret = derive_key(hdl, keyformat, iters, key_material, salt, &key_data);
920 	if (ret != 0)
921 		goto error;
922 
923 	free(key_material);
924 
925 	*wkeydata = key_data;
926 	*wkeylen = WRAPPING_KEY_LEN;
927 	return (0);
928 
929 error:
930 	if (key_material != NULL)
931 		free(key_material);
932 	if (key_data != NULL)
933 		free(key_data);
934 
935 	*wkeydata = NULL;
936 	*wkeylen = 0;
937 	return (ret);
938 }
939 
940 static boolean_t
941 proplist_has_encryption_props(nvlist_t *props)
942 {
943 	int ret;
944 	uint64_t intval;
945 	char *strval;
946 
947 	ret = nvlist_lookup_uint64(props,
948 	    zfs_prop_to_name(ZFS_PROP_ENCRYPTION), &intval);
949 	if (ret == 0 && intval != ZIO_CRYPT_OFF)
950 		return (B_TRUE);
951 
952 	ret = nvlist_lookup_string(props,
953 	    zfs_prop_to_name(ZFS_PROP_KEYLOCATION), &strval);
954 	if (ret == 0 && strcmp(strval, "none") != 0)
955 		return (B_TRUE);
956 
957 	ret = nvlist_lookup_uint64(props,
958 	    zfs_prop_to_name(ZFS_PROP_KEYFORMAT), &intval);
959 	if (ret == 0)
960 		return (B_TRUE);
961 
962 	ret = nvlist_lookup_uint64(props,
963 	    zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS), &intval);
964 	if (ret == 0)
965 		return (B_TRUE);
966 
967 	return (B_FALSE);
968 }
969 
970 int
971 zfs_crypto_get_encryption_root(zfs_handle_t *zhp, boolean_t *is_encroot,
972     char *buf)
973 {
974 	int ret;
975 	char prop_encroot[MAXNAMELEN];
976 
977 	/* if the dataset isn't encrypted, just return */
978 	if (zfs_prop_get_int(zhp, ZFS_PROP_ENCRYPTION) == ZIO_CRYPT_OFF) {
979 		*is_encroot = B_FALSE;
980 		if (buf != NULL)
981 			buf[0] = '\0';
982 		return (0);
983 	}
984 
985 	ret = zfs_prop_get(zhp, ZFS_PROP_ENCRYPTION_ROOT, prop_encroot,
986 	    sizeof (prop_encroot), NULL, NULL, 0, B_TRUE);
987 	if (ret != 0) {
988 		*is_encroot = B_FALSE;
989 		if (buf != NULL)
990 			buf[0] = '\0';
991 		return (ret);
992 	}
993 
994 	*is_encroot = strcmp(prop_encroot, zfs_get_name(zhp)) == 0;
995 	if (buf != NULL)
996 		strcpy(buf, prop_encroot);
997 
998 	return (0);
999 }
1000 
1001 int
1002 zfs_crypto_create(libzfs_handle_t *hdl, char *parent_name, nvlist_t *props,
1003     nvlist_t *pool_props, boolean_t stdin_available, uint8_t **wkeydata_out,
1004     uint_t *wkeylen_out)
1005 {
1006 	int ret;
1007 	char errbuf[ERRBUFLEN];
1008 	uint64_t crypt = ZIO_CRYPT_INHERIT, pcrypt = ZIO_CRYPT_INHERIT;
1009 	uint64_t keyformat = ZFS_KEYFORMAT_NONE;
1010 	char *keylocation = NULL;
1011 	zfs_handle_t *pzhp = NULL;
1012 	uint8_t *wkeydata = NULL;
1013 	uint_t wkeylen = 0;
1014 	boolean_t local_crypt = B_TRUE;
1015 
1016 	(void) snprintf(errbuf, sizeof (errbuf),
1017 	    dgettext(TEXT_DOMAIN, "Encryption create error"));
1018 
1019 	/* lookup crypt from props */
1020 	ret = nvlist_lookup_uint64(props,
1021 	    zfs_prop_to_name(ZFS_PROP_ENCRYPTION), &crypt);
1022 	if (ret != 0)
1023 		local_crypt = B_FALSE;
1024 
1025 	/* lookup key location and format from props */
1026 	(void) nvlist_lookup_uint64(props,
1027 	    zfs_prop_to_name(ZFS_PROP_KEYFORMAT), &keyformat);
1028 	(void) nvlist_lookup_string(props,
1029 	    zfs_prop_to_name(ZFS_PROP_KEYLOCATION), &keylocation);
1030 
1031 	if (parent_name != NULL) {
1032 		/* get a reference to parent dataset */
1033 		pzhp = make_dataset_handle(hdl, parent_name);
1034 		if (pzhp == NULL) {
1035 			ret = ENOENT;
1036 			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1037 			    "Failed to lookup parent."));
1038 			goto out;
1039 		}
1040 
1041 		/* Lookup parent's crypt */
1042 		pcrypt = zfs_prop_get_int(pzhp, ZFS_PROP_ENCRYPTION);
1043 
1044 		/* Params require the encryption feature */
1045 		if (!encryption_feature_is_enabled(pzhp->zpool_hdl)) {
1046 			if (proplist_has_encryption_props(props)) {
1047 				ret = EINVAL;
1048 				zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1049 				    "Encryption feature not enabled."));
1050 				goto out;
1051 			}
1052 
1053 			ret = 0;
1054 			goto out;
1055 		}
1056 	} else {
1057 		/*
1058 		 * special case for root dataset where encryption feature
1059 		 * feature won't be on disk yet
1060 		 */
1061 		if (!nvlist_exists(pool_props, "feature@encryption")) {
1062 			if (proplist_has_encryption_props(props)) {
1063 				ret = EINVAL;
1064 				zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1065 				    "Encryption feature not enabled."));
1066 				goto out;
1067 			}
1068 
1069 			ret = 0;
1070 			goto out;
1071 		}
1072 
1073 		pcrypt = ZIO_CRYPT_OFF;
1074 	}
1075 
1076 	/* Get the inherited encryption property if we don't have it locally */
1077 	if (!local_crypt)
1078 		crypt = pcrypt;
1079 
1080 	/*
1081 	 * At this point crypt should be the actual encryption value. If
1082 	 * encryption is off just verify that no encryption properties have
1083 	 * been specified and return.
1084 	 */
1085 	if (crypt == ZIO_CRYPT_OFF) {
1086 		if (proplist_has_encryption_props(props)) {
1087 			ret = EINVAL;
1088 			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1089 			    "Encryption must be turned on to set encryption "
1090 			    "properties."));
1091 			goto out;
1092 		}
1093 
1094 		ret = 0;
1095 		goto out;
1096 	}
1097 
1098 	/*
1099 	 * If we have a parent crypt it is valid to specify encryption alone.
1100 	 * This will result in a child that is encrypted with the chosen
1101 	 * encryption suite that will also inherit the parent's key. If
1102 	 * the parent is not encrypted we need an encryption suite provided.
1103 	 */
1104 	if (pcrypt == ZIO_CRYPT_OFF && keylocation == NULL &&
1105 	    keyformat == ZFS_KEYFORMAT_NONE) {
1106 		ret = EINVAL;
1107 		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1108 		    "Keyformat required for new encryption root."));
1109 		goto out;
1110 	}
1111 
1112 	/*
1113 	 * Specifying a keylocation implies this will be a new encryption root.
1114 	 * Check that a keyformat is also specified.
1115 	 */
1116 	if (keylocation != NULL && keyformat == ZFS_KEYFORMAT_NONE) {
1117 		ret = EINVAL;
1118 		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1119 		    "Keyformat required for new encryption root."));
1120 		goto out;
1121 	}
1122 
1123 	/* default to prompt if no keylocation is specified */
1124 	if (keyformat != ZFS_KEYFORMAT_NONE && keylocation == NULL) {
1125 		keylocation = (char *)"prompt";
1126 		ret = nvlist_add_string(props,
1127 		    zfs_prop_to_name(ZFS_PROP_KEYLOCATION), keylocation);
1128 		if (ret != 0)
1129 			goto out;
1130 	}
1131 
1132 	/*
1133 	 * If a local key is provided, this dataset will be a new
1134 	 * encryption root. Populate the encryption params.
1135 	 */
1136 	if (keylocation != NULL) {
1137 		/*
1138 		 * 'zfs recv -o keylocation=prompt' won't work because stdin
1139 		 * is being used by the send stream, so we disallow it.
1140 		 */
1141 		if (!stdin_available && strcmp(keylocation, "prompt") == 0) {
1142 			ret = EINVAL;
1143 			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN, "Cannot use "
1144 			    "'prompt' keylocation because stdin is in use."));
1145 			goto out;
1146 		}
1147 
1148 		ret = populate_create_encryption_params_nvlists(hdl, NULL,
1149 		    B_TRUE, keyformat, keylocation, props, &wkeydata,
1150 		    &wkeylen);
1151 		if (ret != 0)
1152 			goto out;
1153 	}
1154 
1155 	if (pzhp != NULL)
1156 		zfs_close(pzhp);
1157 
1158 	*wkeydata_out = wkeydata;
1159 	*wkeylen_out = wkeylen;
1160 	return (0);
1161 
1162 out:
1163 	if (pzhp != NULL)
1164 		zfs_close(pzhp);
1165 	if (wkeydata != NULL)
1166 		free(wkeydata);
1167 
1168 	*wkeydata_out = NULL;
1169 	*wkeylen_out = 0;
1170 	return (ret);
1171 }
1172 
1173 int
1174 zfs_crypto_clone_check(libzfs_handle_t *hdl, zfs_handle_t *origin_zhp,
1175     char *parent_name, nvlist_t *props)
1176 {
1177 	(void) origin_zhp, (void) parent_name;
1178 	char errbuf[ERRBUFLEN];
1179 
1180 	(void) snprintf(errbuf, sizeof (errbuf),
1181 	    dgettext(TEXT_DOMAIN, "Encryption clone error"));
1182 
1183 	/*
1184 	 * No encryption properties should be specified. They will all be
1185 	 * inherited from the origin dataset.
1186 	 */
1187 	if (nvlist_exists(props, zfs_prop_to_name(ZFS_PROP_KEYFORMAT)) ||
1188 	    nvlist_exists(props, zfs_prop_to_name(ZFS_PROP_KEYLOCATION)) ||
1189 	    nvlist_exists(props, zfs_prop_to_name(ZFS_PROP_ENCRYPTION)) ||
1190 	    nvlist_exists(props, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS))) {
1191 		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
1192 		    "Encryption properties must inherit from origin dataset."));
1193 		return (EINVAL);
1194 	}
1195 
1196 	return (0);
1197 }
1198 
1199 typedef struct loadkeys_cbdata {
1200 	uint64_t cb_numfailed;
1201 	uint64_t cb_numattempted;
1202 } loadkey_cbdata_t;
1203 
1204 static int
1205 load_keys_cb(zfs_handle_t *zhp, void *arg)
1206 {
1207 	int ret;
1208 	boolean_t is_encroot;
1209 	loadkey_cbdata_t *cb = arg;
1210 	uint64_t keystatus = zfs_prop_get_int(zhp, ZFS_PROP_KEYSTATUS);
1211 
1212 	/* only attempt to load keys for encryption roots */
1213 	ret = zfs_crypto_get_encryption_root(zhp, &is_encroot, NULL);
1214 	if (ret != 0 || !is_encroot)
1215 		goto out;
1216 
1217 	/* don't attempt to load already loaded keys */
1218 	if (keystatus == ZFS_KEYSTATUS_AVAILABLE)
1219 		goto out;
1220 
1221 	/* Attempt to load the key. Record status in cb. */
1222 	cb->cb_numattempted++;
1223 
1224 	ret = zfs_crypto_load_key(zhp, B_FALSE, NULL);
1225 	if (ret)
1226 		cb->cb_numfailed++;
1227 
1228 out:
1229 	(void) zfs_iter_filesystems(zhp, load_keys_cb, cb);
1230 	zfs_close(zhp);
1231 
1232 	/* always return 0, since this function is best effort */
1233 	return (0);
1234 }
1235 
1236 /*
1237  * This function is best effort. It attempts to load all the keys for the given
1238  * filesystem and all of its children.
1239  */
1240 int
1241 zfs_crypto_attempt_load_keys(libzfs_handle_t *hdl, const char *fsname)
1242 {
1243 	int ret;
1244 	zfs_handle_t *zhp = NULL;
1245 	loadkey_cbdata_t cb = { 0 };
1246 
1247 	zhp = zfs_open(hdl, fsname, ZFS_TYPE_FILESYSTEM | ZFS_TYPE_VOLUME);
1248 	if (zhp == NULL) {
1249 		ret = ENOENT;
1250 		goto error;
1251 	}
1252 
1253 	ret = load_keys_cb(zfs_handle_dup(zhp), &cb);
1254 	if (ret)
1255 		goto error;
1256 
1257 	(void) printf(gettext("%llu / %llu keys successfully loaded\n"),
1258 	    (u_longlong_t)(cb.cb_numattempted - cb.cb_numfailed),
1259 	    (u_longlong_t)cb.cb_numattempted);
1260 
1261 	if (cb.cb_numfailed != 0) {
1262 		ret = -1;
1263 		goto error;
1264 	}
1265 
1266 	zfs_close(zhp);
1267 	return (0);
1268 
1269 error:
1270 	if (zhp != NULL)
1271 		zfs_close(zhp);
1272 	return (ret);
1273 }
1274 
1275 int
1276 zfs_crypto_load_key(zfs_handle_t *zhp, boolean_t noop,
1277     const char *alt_keylocation)
1278 {
1279 	int ret, attempts = 0;
1280 	char errbuf[ERRBUFLEN];
1281 	uint64_t keystatus, iters = 0, salt = 0;
1282 	uint64_t keyformat = ZFS_KEYFORMAT_NONE;
1283 	char prop_keylocation[MAXNAMELEN];
1284 	char prop_encroot[MAXNAMELEN];
1285 	const char *keylocation = NULL;
1286 	uint8_t *key_material = NULL, *key_data = NULL;
1287 	size_t key_material_len;
1288 	boolean_t is_encroot, can_retry = B_FALSE, correctible = B_FALSE;
1289 
1290 	(void) snprintf(errbuf, sizeof (errbuf),
1291 	    dgettext(TEXT_DOMAIN, "Key load error"));
1292 
1293 	/* check that encryption is enabled for the pool */
1294 	if (!encryption_feature_is_enabled(zhp->zpool_hdl)) {
1295 		zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1296 		    "Encryption feature not enabled."));
1297 		ret = EINVAL;
1298 		goto error;
1299 	}
1300 
1301 	/* Fetch the keyformat. Check that the dataset is encrypted. */
1302 	keyformat = zfs_prop_get_int(zhp, ZFS_PROP_KEYFORMAT);
1303 	if (keyformat == ZFS_KEYFORMAT_NONE) {
1304 		zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1305 		    "'%s' is not encrypted."), zfs_get_name(zhp));
1306 		ret = EINVAL;
1307 		goto error;
1308 	}
1309 
1310 	/*
1311 	 * Fetch the key location. Check that we are working with an
1312 	 * encryption root.
1313 	 */
1314 	ret = zfs_crypto_get_encryption_root(zhp, &is_encroot, prop_encroot);
1315 	if (ret != 0) {
1316 		zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1317 		    "Failed to get encryption root for '%s'."),
1318 		    zfs_get_name(zhp));
1319 		goto error;
1320 	} else if (!is_encroot) {
1321 		zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1322 		    "Keys must be loaded for encryption root of '%s' (%s)."),
1323 		    zfs_get_name(zhp), prop_encroot);
1324 		ret = EINVAL;
1325 		goto error;
1326 	}
1327 
1328 	/*
1329 	 * if the caller has elected to override the keylocation property
1330 	 * use that instead
1331 	 */
1332 	if (alt_keylocation != NULL) {
1333 		keylocation = alt_keylocation;
1334 	} else {
1335 		ret = zfs_prop_get(zhp, ZFS_PROP_KEYLOCATION, prop_keylocation,
1336 		    sizeof (prop_keylocation), NULL, NULL, 0, B_TRUE);
1337 		if (ret != 0) {
1338 			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1339 			    "Failed to get keylocation for '%s'."),
1340 			    zfs_get_name(zhp));
1341 			goto error;
1342 		}
1343 
1344 		keylocation = prop_keylocation;
1345 	}
1346 
1347 	/* check that the key is unloaded unless this is a noop */
1348 	if (!noop) {
1349 		keystatus = zfs_prop_get_int(zhp, ZFS_PROP_KEYSTATUS);
1350 		if (keystatus == ZFS_KEYSTATUS_AVAILABLE) {
1351 			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1352 			    "Key already loaded for '%s'."), zfs_get_name(zhp));
1353 			ret = EEXIST;
1354 			goto error;
1355 		}
1356 	}
1357 
1358 	/* passphrase formats require a salt and pbkdf2_iters property */
1359 	if (keyformat == ZFS_KEYFORMAT_PASSPHRASE) {
1360 		salt = zfs_prop_get_int(zhp, ZFS_PROP_PBKDF2_SALT);
1361 		iters = zfs_prop_get_int(zhp, ZFS_PROP_PBKDF2_ITERS);
1362 	}
1363 
1364 try_again:
1365 	/* fetching and deriving the key are correctable errors. set the flag */
1366 	correctible = B_TRUE;
1367 
1368 	/* get key material from key format and location */
1369 	ret = get_key_material(zhp->zfs_hdl, B_FALSE, B_FALSE, keyformat,
1370 	    keylocation, zfs_get_name(zhp), &key_material, &key_material_len,
1371 	    &can_retry);
1372 	if (ret != 0)
1373 		goto error;
1374 
1375 	/* derive a key from the key material */
1376 	ret = derive_key(zhp->zfs_hdl, keyformat, iters, key_material, salt,
1377 	    &key_data);
1378 	if (ret != 0)
1379 		goto error;
1380 
1381 	correctible = B_FALSE;
1382 
1383 	/* pass the wrapping key and noop flag to the ioctl */
1384 	ret = lzc_load_key(zhp->zfs_name, noop, key_data, WRAPPING_KEY_LEN);
1385 	if (ret != 0) {
1386 		switch (ret) {
1387 		case EPERM:
1388 			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1389 			    "Permission denied."));
1390 			break;
1391 		case EINVAL:
1392 			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1393 			    "Invalid parameters provided for dataset %s."),
1394 			    zfs_get_name(zhp));
1395 			break;
1396 		case EEXIST:
1397 			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1398 			    "Key already loaded for '%s'."), zfs_get_name(zhp));
1399 			break;
1400 		case EBUSY:
1401 			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1402 			    "'%s' is busy."), zfs_get_name(zhp));
1403 			break;
1404 		case EACCES:
1405 			correctible = B_TRUE;
1406 			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1407 			    "Incorrect key provided for '%s'."),
1408 			    zfs_get_name(zhp));
1409 			break;
1410 		}
1411 		goto error;
1412 	}
1413 
1414 	free(key_material);
1415 	free(key_data);
1416 
1417 	return (0);
1418 
1419 error:
1420 	zfs_error(zhp->zfs_hdl, EZFS_CRYPTOFAILED, errbuf);
1421 	if (key_material != NULL) {
1422 		free(key_material);
1423 		key_material = NULL;
1424 	}
1425 	if (key_data != NULL) {
1426 		free(key_data);
1427 		key_data = NULL;
1428 	}
1429 
1430 	/*
1431 	 * Here we decide if it is ok to allow the user to retry entering their
1432 	 * key. The can_retry flag will be set if the user is entering their
1433 	 * key from an interactive prompt. The correctable flag will only be
1434 	 * set if an error that occurred could be corrected by retrying. Both
1435 	 * flags are needed to allow the user to attempt key entry again
1436 	 */
1437 	attempts++;
1438 	if (can_retry && correctible && attempts < MAX_KEY_PROMPT_ATTEMPTS)
1439 		goto try_again;
1440 
1441 	return (ret);
1442 }
1443 
1444 int
1445 zfs_crypto_unload_key(zfs_handle_t *zhp)
1446 {
1447 	int ret;
1448 	char errbuf[ERRBUFLEN];
1449 	char prop_encroot[MAXNAMELEN];
1450 	uint64_t keystatus, keyformat;
1451 	boolean_t is_encroot;
1452 
1453 	(void) snprintf(errbuf, sizeof (errbuf),
1454 	    dgettext(TEXT_DOMAIN, "Key unload error"));
1455 
1456 	/* check that encryption is enabled for the pool */
1457 	if (!encryption_feature_is_enabled(zhp->zpool_hdl)) {
1458 		zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1459 		    "Encryption feature not enabled."));
1460 		ret = EINVAL;
1461 		goto error;
1462 	}
1463 
1464 	/* Fetch the keyformat. Check that the dataset is encrypted. */
1465 	keyformat = zfs_prop_get_int(zhp, ZFS_PROP_KEYFORMAT);
1466 	if (keyformat == ZFS_KEYFORMAT_NONE) {
1467 		zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1468 		    "'%s' is not encrypted."), zfs_get_name(zhp));
1469 		ret = EINVAL;
1470 		goto error;
1471 	}
1472 
1473 	/*
1474 	 * Fetch the key location. Check that we are working with an
1475 	 * encryption root.
1476 	 */
1477 	ret = zfs_crypto_get_encryption_root(zhp, &is_encroot, prop_encroot);
1478 	if (ret != 0) {
1479 		zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1480 		    "Failed to get encryption root for '%s'."),
1481 		    zfs_get_name(zhp));
1482 		goto error;
1483 	} else if (!is_encroot) {
1484 		zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1485 		    "Keys must be unloaded for encryption root of '%s' (%s)."),
1486 		    zfs_get_name(zhp), prop_encroot);
1487 		ret = EINVAL;
1488 		goto error;
1489 	}
1490 
1491 	/* check that the key is loaded */
1492 	keystatus = zfs_prop_get_int(zhp, ZFS_PROP_KEYSTATUS);
1493 	if (keystatus == ZFS_KEYSTATUS_UNAVAILABLE) {
1494 		zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1495 		    "Key already unloaded for '%s'."), zfs_get_name(zhp));
1496 		ret = EACCES;
1497 		goto error;
1498 	}
1499 
1500 	/* call the ioctl */
1501 	ret = lzc_unload_key(zhp->zfs_name);
1502 
1503 	if (ret != 0) {
1504 		switch (ret) {
1505 		case EPERM:
1506 			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1507 			    "Permission denied."));
1508 			break;
1509 		case EACCES:
1510 			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1511 			    "Key already unloaded for '%s'."),
1512 			    zfs_get_name(zhp));
1513 			break;
1514 		case EBUSY:
1515 			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1516 			    "'%s' is busy."), zfs_get_name(zhp));
1517 			break;
1518 		}
1519 		zfs_error(zhp->zfs_hdl, EZFS_CRYPTOFAILED, errbuf);
1520 	}
1521 
1522 	return (ret);
1523 
1524 error:
1525 	zfs_error(zhp->zfs_hdl, EZFS_CRYPTOFAILED, errbuf);
1526 	return (ret);
1527 }
1528 
1529 static int
1530 zfs_crypto_verify_rewrap_nvlist(zfs_handle_t *zhp, nvlist_t *props,
1531     nvlist_t **props_out, char *errbuf)
1532 {
1533 	int ret;
1534 	nvpair_t *elem = NULL;
1535 	zfs_prop_t prop;
1536 	nvlist_t *new_props = NULL;
1537 
1538 	new_props = fnvlist_alloc();
1539 
1540 	/*
1541 	 * loop through all provided properties, we should only have
1542 	 * keyformat, keylocation and pbkdf2iters. The actual validation of
1543 	 * values is done by zfs_valid_proplist().
1544 	 */
1545 	while ((elem = nvlist_next_nvpair(props, elem)) != NULL) {
1546 		const char *propname = nvpair_name(elem);
1547 		prop = zfs_name_to_prop(propname);
1548 
1549 		switch (prop) {
1550 		case ZFS_PROP_PBKDF2_ITERS:
1551 		case ZFS_PROP_KEYFORMAT:
1552 		case ZFS_PROP_KEYLOCATION:
1553 			break;
1554 		default:
1555 			ret = EINVAL;
1556 			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1557 			    "Only keyformat, keylocation and pbkdf2iters may "
1558 			    "be set with this command."));
1559 			goto error;
1560 		}
1561 	}
1562 
1563 	new_props = zfs_valid_proplist(zhp->zfs_hdl, zhp->zfs_type, props,
1564 	    zfs_prop_get_int(zhp, ZFS_PROP_ZONED), NULL, zhp->zpool_hdl,
1565 	    B_TRUE, errbuf);
1566 	if (new_props == NULL) {
1567 		ret = EINVAL;
1568 		goto error;
1569 	}
1570 
1571 	*props_out = new_props;
1572 	return (0);
1573 
1574 error:
1575 	nvlist_free(new_props);
1576 	*props_out = NULL;
1577 	return (ret);
1578 }
1579 
1580 int
1581 zfs_crypto_rewrap(zfs_handle_t *zhp, nvlist_t *raw_props, boolean_t inheritkey)
1582 {
1583 	int ret;
1584 	char errbuf[ERRBUFLEN];
1585 	boolean_t is_encroot;
1586 	nvlist_t *props = NULL;
1587 	uint8_t *wkeydata = NULL;
1588 	uint_t wkeylen = 0;
1589 	dcp_cmd_t cmd = (inheritkey) ? DCP_CMD_INHERIT : DCP_CMD_NEW_KEY;
1590 	uint64_t crypt, pcrypt, keystatus, pkeystatus;
1591 	uint64_t keyformat = ZFS_KEYFORMAT_NONE;
1592 	zfs_handle_t *pzhp = NULL;
1593 	char *keylocation = NULL;
1594 	char origin_name[MAXNAMELEN];
1595 	char prop_keylocation[MAXNAMELEN];
1596 	char parent_name[ZFS_MAX_DATASET_NAME_LEN];
1597 
1598 	(void) snprintf(errbuf, sizeof (errbuf),
1599 	    dgettext(TEXT_DOMAIN, "Key change error"));
1600 
1601 	/* check that encryption is enabled for the pool */
1602 	if (!encryption_feature_is_enabled(zhp->zpool_hdl)) {
1603 		zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1604 		    "Encryption feature not enabled."));
1605 		ret = EINVAL;
1606 		goto error;
1607 	}
1608 
1609 	/* get crypt from dataset */
1610 	crypt = zfs_prop_get_int(zhp, ZFS_PROP_ENCRYPTION);
1611 	if (crypt == ZIO_CRYPT_OFF) {
1612 		zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1613 		    "Dataset not encrypted."));
1614 		ret = EINVAL;
1615 		goto error;
1616 	}
1617 
1618 	/* get the encryption root of the dataset */
1619 	ret = zfs_crypto_get_encryption_root(zhp, &is_encroot, NULL);
1620 	if (ret != 0) {
1621 		zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1622 		    "Failed to get encryption root for '%s'."),
1623 		    zfs_get_name(zhp));
1624 		goto error;
1625 	}
1626 
1627 	/* Clones use their origin's key and cannot rewrap it */
1628 	ret = zfs_prop_get(zhp, ZFS_PROP_ORIGIN, origin_name,
1629 	    sizeof (origin_name), NULL, NULL, 0, B_TRUE);
1630 	if (ret == 0 && strcmp(origin_name, "") != 0) {
1631 		zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1632 		    "Keys cannot be changed on clones."));
1633 		ret = EINVAL;
1634 		goto error;
1635 	}
1636 
1637 	/*
1638 	 * If the user wants to use the inheritkey variant of this function
1639 	 * we don't need to collect any crypto arguments.
1640 	 */
1641 	if (!inheritkey) {
1642 		/* validate the provided properties */
1643 		ret = zfs_crypto_verify_rewrap_nvlist(zhp, raw_props, &props,
1644 		    errbuf);
1645 		if (ret != 0)
1646 			goto error;
1647 
1648 		/*
1649 		 * Load keyformat and keylocation from the nvlist. Fetch from
1650 		 * the dataset properties if not specified.
1651 		 */
1652 		(void) nvlist_lookup_uint64(props,
1653 		    zfs_prop_to_name(ZFS_PROP_KEYFORMAT), &keyformat);
1654 		(void) nvlist_lookup_string(props,
1655 		    zfs_prop_to_name(ZFS_PROP_KEYLOCATION), &keylocation);
1656 
1657 		if (is_encroot) {
1658 			/*
1659 			 * If this is already an encryption root, just keep
1660 			 * any properties not set by the user.
1661 			 */
1662 			if (keyformat == ZFS_KEYFORMAT_NONE) {
1663 				keyformat = zfs_prop_get_int(zhp,
1664 				    ZFS_PROP_KEYFORMAT);
1665 				ret = nvlist_add_uint64(props,
1666 				    zfs_prop_to_name(ZFS_PROP_KEYFORMAT),
1667 				    keyformat);
1668 				if (ret != 0) {
1669 					zfs_error_aux(zhp->zfs_hdl,
1670 					    dgettext(TEXT_DOMAIN, "Failed to "
1671 					    "get existing keyformat "
1672 					    "property."));
1673 					goto error;
1674 				}
1675 			}
1676 
1677 			if (keylocation == NULL) {
1678 				ret = zfs_prop_get(zhp, ZFS_PROP_KEYLOCATION,
1679 				    prop_keylocation, sizeof (prop_keylocation),
1680 				    NULL, NULL, 0, B_TRUE);
1681 				if (ret != 0) {
1682 					zfs_error_aux(zhp->zfs_hdl,
1683 					    dgettext(TEXT_DOMAIN, "Failed to "
1684 					    "get existing keylocation "
1685 					    "property."));
1686 					goto error;
1687 				}
1688 
1689 				keylocation = prop_keylocation;
1690 			}
1691 		} else {
1692 			/* need a new key for non-encryption roots */
1693 			if (keyformat == ZFS_KEYFORMAT_NONE) {
1694 				ret = EINVAL;
1695 				zfs_error_aux(zhp->zfs_hdl,
1696 				    dgettext(TEXT_DOMAIN, "Keyformat required "
1697 				    "for new encryption root."));
1698 				goto error;
1699 			}
1700 
1701 			/* default to prompt if no keylocation is specified */
1702 			if (keylocation == NULL) {
1703 				keylocation = (char *)"prompt";
1704 				ret = nvlist_add_string(props,
1705 				    zfs_prop_to_name(ZFS_PROP_KEYLOCATION),
1706 				    keylocation);
1707 				if (ret != 0)
1708 					goto error;
1709 			}
1710 		}
1711 
1712 		/* fetch the new wrapping key and associated properties */
1713 		ret = populate_create_encryption_params_nvlists(zhp->zfs_hdl,
1714 		    zhp, B_TRUE, keyformat, keylocation, props, &wkeydata,
1715 		    &wkeylen);
1716 		if (ret != 0)
1717 			goto error;
1718 	} else {
1719 		/* check that zhp is an encryption root */
1720 		if (!is_encroot) {
1721 			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1722 			    "Key inheritting can only be performed on "
1723 			    "encryption roots."));
1724 			ret = EINVAL;
1725 			goto error;
1726 		}
1727 
1728 		/* get the parent's name */
1729 		ret = zfs_parent_name(zhp, parent_name, sizeof (parent_name));
1730 		if (ret != 0) {
1731 			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1732 			    "Root dataset cannot inherit key."));
1733 			ret = EINVAL;
1734 			goto error;
1735 		}
1736 
1737 		/* get a handle to the parent */
1738 		pzhp = make_dataset_handle(zhp->zfs_hdl, parent_name);
1739 		if (pzhp == NULL) {
1740 			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1741 			    "Failed to lookup parent."));
1742 			ret = ENOENT;
1743 			goto error;
1744 		}
1745 
1746 		/* parent must be encrypted */
1747 		pcrypt = zfs_prop_get_int(pzhp, ZFS_PROP_ENCRYPTION);
1748 		if (pcrypt == ZIO_CRYPT_OFF) {
1749 			zfs_error_aux(pzhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1750 			    "Parent must be encrypted."));
1751 			ret = EINVAL;
1752 			goto error;
1753 		}
1754 
1755 		/* check that the parent's key is loaded */
1756 		pkeystatus = zfs_prop_get_int(pzhp, ZFS_PROP_KEYSTATUS);
1757 		if (pkeystatus == ZFS_KEYSTATUS_UNAVAILABLE) {
1758 			zfs_error_aux(pzhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1759 			    "Parent key must be loaded."));
1760 			ret = EACCES;
1761 			goto error;
1762 		}
1763 	}
1764 
1765 	/* check that the key is loaded */
1766 	keystatus = zfs_prop_get_int(zhp, ZFS_PROP_KEYSTATUS);
1767 	if (keystatus == ZFS_KEYSTATUS_UNAVAILABLE) {
1768 		zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1769 		    "Key must be loaded."));
1770 		ret = EACCES;
1771 		goto error;
1772 	}
1773 
1774 	/* call the ioctl */
1775 	ret = lzc_change_key(zhp->zfs_name, cmd, props, wkeydata, wkeylen);
1776 	if (ret != 0) {
1777 		switch (ret) {
1778 		case EPERM:
1779 			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1780 			    "Permission denied."));
1781 			break;
1782 		case EINVAL:
1783 			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1784 			    "Invalid properties for key change."));
1785 			break;
1786 		case EACCES:
1787 			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
1788 			    "Key is not currently loaded."));
1789 			break;
1790 		}
1791 		zfs_error(zhp->zfs_hdl, EZFS_CRYPTOFAILED, errbuf);
1792 	}
1793 
1794 	if (pzhp != NULL)
1795 		zfs_close(pzhp);
1796 	if (props != NULL)
1797 		nvlist_free(props);
1798 	if (wkeydata != NULL)
1799 		free(wkeydata);
1800 
1801 	return (ret);
1802 
1803 error:
1804 	if (pzhp != NULL)
1805 		zfs_close(pzhp);
1806 	if (props != NULL)
1807 		nvlist_free(props);
1808 	if (wkeydata != NULL)
1809 		free(wkeydata);
1810 
1811 	zfs_error(zhp->zfs_hdl, EZFS_CRYPTOFAILED, errbuf);
1812 	return (ret);
1813 }
1814