Raw receive should change key atomically

Currently, raw zfs sends transfer the encrypted master keys and
objset_phys_t encryption parameters in the DRR_BEGIN payload of
each send file. Both of these are processed as soon as they are
read in dmu_recv_stream(), meaning that the new keys are set
before the new snapshot is received. In addition to the fact that
this changes the user's keys for the dataset earlier than they
might expect, the keys were never reset to what they originally
were in the event that the receive failed. This patch splits the
processing into objset handling and key handling, the later of
which is moved to dmu_recv_end() so that they key change can be
done atomically.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #7200
This commit is contained in:
Tom Caputi 2018-02-21 15:31:03 -05:00 committed by Brian Behlendorf
parent 4a385862b7
commit b0918402dc
5 changed files with 312 additions and 225 deletions

View File

@ -64,6 +64,7 @@ typedef struct dmu_recv_cookie {
boolean_t drc_raw; boolean_t drc_raw;
boolean_t drc_clone; boolean_t drc_clone;
struct avl_tree *drc_guid_to_ds_map; struct avl_tree *drc_guid_to_ds_map;
nvlist_t *drc_keynvl;
zio_cksum_t drc_cksum; zio_cksum_t drc_cksum;
uint64_t drc_newsnapobj; uint64_t drc_newsnapobj;
void *drc_owner; void *drc_owner;

View File

@ -189,8 +189,12 @@ int spa_keystore_lookup_key(spa_t *spa, uint64_t dsobj, void *tag,
dsl_crypto_key_t **dck_out); dsl_crypto_key_t **dck_out);
int dsl_crypto_populate_key_nvlist(struct dsl_dataset *ds, nvlist_t **nvl_out); int dsl_crypto_populate_key_nvlist(struct dsl_dataset *ds, nvlist_t **nvl_out);
int dsl_crypto_recv_key(const char *poolname, uint64_t dsobj, int dsl_crypto_recv_raw_key_check(struct dsl_dataset *ds,
dmu_objset_type_t ostype, nvlist_t *nvl); nvlist_t *nvl, dmu_tx_t *tx);
void dsl_crypto_recv_raw_key_sync(struct dsl_dataset *ds,
nvlist_t *nvl, dmu_tx_t *tx);
int dsl_crypto_recv_raw(const char *poolname, uint64_t dsobj,
dmu_objset_type_t ostype, nvlist_t *nvl, boolean_t do_key);
int spa_keystore_change_key(const char *dsname, dsl_crypto_params_t *dcp); int spa_keystore_change_key(const char *dsname, dsl_crypto_params_t *dcp);
int dsl_dir_rename_crypt_check(dsl_dir_t *dd, dsl_dir_t *newparent); int dsl_dir_rename_crypt_check(dsl_dir_t *dd, dsl_dir_t *newparent);

View File

@ -3787,11 +3787,20 @@ dmu_recv_stream(dmu_recv_cookie_t *drc, vnode_t *vp, offset_t *voffp,
if (err != 0) if (err != 0)
goto out; goto out;
err = dsl_crypto_recv_key(spa_name(ra->os->os_spa), /*
* If this is a new dataset we set the key immediately.
* Otherwise we don't want to change the key until we
* are sure the rest of the receive succeeded so we stash
* the keynvl away until then.
*/
err = dsl_crypto_recv_raw(spa_name(ra->os->os_spa),
drc->drc_ds->ds_object, drc->drc_drrb->drr_type, drc->drc_ds->ds_object, drc->drc_drrb->drr_type,
keynvl); keynvl, drc->drc_newfs);
if (err != 0) if (err != 0)
goto out; goto out;
if (!drc->drc_newfs)
drc->drc_keynvl = fnvlist_dup(keynvl);
} }
if (featureflags & DMU_BACKUP_FEATURE_RESUMING) { if (featureflags & DMU_BACKUP_FEATURE_RESUMING) {
@ -3908,6 +3917,7 @@ out:
* the inconsistent state. * the inconsistent state.
*/ */
dmu_recv_cleanup_ds(drc); dmu_recv_cleanup_ds(drc);
nvlist_free(drc->drc_keynvl);
} }
*voffp = ra->voff; *voffp = ra->voff;
@ -3965,6 +3975,15 @@ dmu_recv_end_check(void *arg, dmu_tx_t *tx)
return (error); return (error);
} }
} }
if (drc->drc_keynvl != NULL) {
error = dsl_crypto_recv_raw_key_check(drc->drc_ds,
drc->drc_keynvl, tx);
if (error != 0) {
dsl_dataset_rele(origin_head, FTAG);
return (error);
}
}
error = dsl_dataset_clone_swap_check_impl(drc->drc_ds, error = dsl_dataset_clone_swap_check_impl(drc->drc_ds,
origin_head, drc->drc_force, drc->drc_owner, tx); origin_head, drc->drc_force, drc->drc_owner, tx);
if (error != 0) { if (error != 0) {
@ -4021,8 +4040,14 @@ dmu_recv_end_sync(void *arg, dmu_tx_t *tx)
dsl_dataset_rele(snap, FTAG); dsl_dataset_rele(snap, FTAG);
} }
} }
VERIFY3P(drc->drc_ds->ds_prev, ==, if (drc->drc_keynvl != NULL) {
origin_head->ds_prev); dsl_crypto_recv_raw_key_sync(drc->drc_ds,
drc->drc_keynvl, tx);
nvlist_free(drc->drc_keynvl);
drc->drc_keynvl = NULL;
}
VERIFY3P(drc->drc_ds->ds_prev, ==, origin_head->ds_prev);
dsl_dataset_clone_swap_sync_impl(drc->drc_ds, dsl_dataset_clone_swap_sync_impl(drc->drc_ds,
origin_head, tx); origin_head, tx);
@ -4174,6 +4199,7 @@ dmu_recv_end(dmu_recv_cookie_t *drc, void *owner)
if (error != 0) { if (error != 0) {
dmu_recv_cleanup_ds(drc); dmu_recv_cleanup_ds(drc);
nvlist_free(drc->drc_keynvl);
} else if (drc->drc_guid_to_ds_map != NULL) { } else if (drc->drc_guid_to_ds_map != NULL) {
(void) add_ds_to_guidmap(drc->drc_tofs, drc->drc_guid_to_ds_map, (void) add_ds_to_guidmap(drc->drc_tofs, drc->drc_guid_to_ds_map,
drc->drc_newsnapobj, drc->drc_raw); drc->drc_newsnapobj, drc->drc_raw);

View File

@ -1838,7 +1838,7 @@ dsl_dataset_create_crypt_sync(uint64_t dsobj, dsl_dir_t *dd,
/* /*
* A NULL dcp at this point indicates this is the origin dataset * A NULL dcp at this point indicates this is the origin dataset
* which does not have an objset to encrypt. Raw receives will handle * which does not have an objset to encrypt. Raw receives will handle
* encryption seperately later. In both cases we can simply return. * encryption separately later. In both cases we can simply return.
*/ */
if (dcp == NULL || dcp->cp_cmd == DCP_CMD_RAW_RECV) if (dcp == NULL || dcp->cp_cmd == DCP_CMD_RAW_RECV)
return; return;
@ -1889,187 +1889,63 @@ dsl_dataset_create_crypt_sync(uint64_t dsobj, dsl_dir_t *dd,
typedef struct dsl_crypto_recv_key_arg { typedef struct dsl_crypto_recv_key_arg {
uint64_t dcrka_dsobj; uint64_t dcrka_dsobj;
nvlist_t *dcrka_nvl;
dmu_objset_type_t dcrka_ostype; dmu_objset_type_t dcrka_ostype;
nvlist_t *dcrka_nvl;
boolean_t dcrka_do_key;
} dsl_crypto_recv_key_arg_t; } dsl_crypto_recv_key_arg_t;
int static int
dsl_crypto_recv_key_check(void *arg, dmu_tx_t *tx) dsl_crypto_recv_raw_objset_check(dsl_dataset_t *ds, dmu_objset_type_t ostype,
nvlist_t *nvl, dmu_tx_t *tx)
{ {
int ret; int ret;
objset_t *mos = tx->tx_pool->dp_meta_objset;
objset_t *os; objset_t *os;
dnode_t *mdn; dnode_t *mdn;
dsl_crypto_recv_key_arg_t *dcrka = arg;
nvlist_t *nvl = dcrka->dcrka_nvl;
dsl_dataset_t *ds = NULL;
uint8_t *buf = NULL; uint8_t *buf = NULL;
uint_t len; uint_t len;
uint64_t intval, guid, nlevels, blksz, ibs, nblkptr, maxblkid, version; uint64_t intval, nlevels, blksz, ibs, nblkptr, maxblkid;
boolean_t is_passphrase = B_FALSE;
ret = dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_dsobj, FTAG, &ds); if (ostype != DMU_OST_ZFS && ostype != DMU_OST_ZVOL)
if (ret != 0) return (SET_ERROR(EINVAL));
goto error;
ASSERT(dsl_dataset_phys(ds)->ds_flags & DS_FLAG_INCONSISTENT);
/*
* Read and check all the encryption values from the nvlist. We need
* all of the fields of a DSL Crypto Key, as well as a fully specified
* wrapping key.
*/
ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE, &intval);
if (ret != 0 || intval >= ZIO_CRYPT_FUNCTIONS ||
intval <= ZIO_CRYPT_OFF) {
ret = SET_ERROR(EINVAL);
goto error;
}
ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_GUID, &intval);
if (ret != 0) {
ret = SET_ERROR(EINVAL);
goto error;
}
/*
* If this is an incremental receive make sure the given key guid
* matches the one we already have.
*/
if (ds->ds_dir->dd_crypto_obj != 0) {
ret = zap_lookup(mos, ds->ds_dir->dd_crypto_obj,
DSL_CRYPTO_KEY_GUID, 8, 1, &guid);
if (ret != 0)
goto error;
if (intval != guid) {
ret = SET_ERROR(EACCES);
goto error;
}
}
ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY,
&buf, &len);
if (ret != 0 || len != MASTER_KEY_MAX_LEN) {
ret = SET_ERROR(EINVAL);
goto error;
}
ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY,
&buf, &len);
if (ret != 0 || len != SHA512_HMAC_KEYLEN) {
ret = SET_ERROR(EINVAL);
goto error;
}
ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_IV, &buf, &len);
if (ret != 0 || len != WRAPPING_IV_LEN) {
ret = SET_ERROR(EINVAL);
goto error;
}
ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, &buf, &len);
if (ret != 0 || len != WRAPPING_MAC_LEN) {
ret = SET_ERROR(EINVAL);
goto error;
}
/*
* We don't support receiving old on-disk formats. The version 0
* implementation protected several fields in an objset that were
* not always portable during a raw receive. As a result, we call
* the old version an on-disk errata #3.
*/
ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_VERSION, &version);
if (ret != 0 || version != ZIO_CRYPT_KEY_CURRENT_VERSION) {
ret = SET_ERROR(ENOTSUP);
goto error;
}
ret = nvlist_lookup_uint8_array(nvl, "portable_mac", &buf, &len);
if (ret != 0 || len != ZIO_OBJSET_MAC_LEN) {
ret = SET_ERROR(EINVAL);
goto error;
}
ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_KEYFORMAT),
&intval);
if (ret != 0 || intval >= ZFS_KEYFORMAT_FORMATS ||
intval == ZFS_KEYFORMAT_NONE) {
ret = SET_ERROR(EINVAL);
goto error;
}
is_passphrase = (intval == ZFS_KEYFORMAT_PASSPHRASE);
/*
* for raw receives we allow any number of pbkdf2iters since there
* won't be a chance for the user to change it.
*/
ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS),
&intval);
if (ret != 0 || (is_passphrase == (intval == 0))) {
ret = SET_ERROR(EINVAL);
goto error;
}
ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT),
&intval);
if (ret != 0 || (is_passphrase == (intval == 0))) {
ret = SET_ERROR(EINVAL);
goto error;
}
/* raw receives also need info about the structure of the metadnode */ /* raw receives also need info about the structure of the metadnode */
ret = nvlist_lookup_uint64(nvl, "mdn_checksum", &intval);
if (ret != 0 || intval >= ZIO_CHECKSUM_LEGACY_FUNCTIONS) {
ret = SET_ERROR(EINVAL);
goto error;
}
ret = nvlist_lookup_uint64(nvl, "mdn_compress", &intval); ret = nvlist_lookup_uint64(nvl, "mdn_compress", &intval);
if (ret != 0 || intval >= ZIO_COMPRESS_LEGACY_FUNCTIONS) { if (ret != 0 || intval >= ZIO_COMPRESS_LEGACY_FUNCTIONS)
ret = SET_ERROR(EINVAL); return (SET_ERROR(EINVAL));
goto error;
} ret = nvlist_lookup_uint64(nvl, "mdn_checksum", &intval);
if (ret != 0 || intval >= ZIO_CHECKSUM_LEGACY_FUNCTIONS)
return (SET_ERROR(EINVAL));
ret = nvlist_lookup_uint64(nvl, "mdn_nlevels", &nlevels); ret = nvlist_lookup_uint64(nvl, "mdn_nlevels", &nlevels);
if (ret != 0 || nlevels > DN_MAX_LEVELS) { if (ret != 0 || nlevels > DN_MAX_LEVELS)
ret = SET_ERROR(EINVAL); return (SET_ERROR(EINVAL));
goto error;
}
ret = nvlist_lookup_uint64(nvl, "mdn_blksz", &blksz); ret = nvlist_lookup_uint64(nvl, "mdn_blksz", &blksz);
if (ret != 0 || blksz < SPA_MINBLOCKSIZE) { if (ret != 0 || blksz < SPA_MINBLOCKSIZE)
ret = SET_ERROR(EINVAL); return (SET_ERROR(EINVAL));
goto error; else if (blksz > spa_maxblocksize(tx->tx_pool->dp_spa))
} else if (blksz > spa_maxblocksize(tx->tx_pool->dp_spa)) { return (SET_ERROR(ENOTSUP));
ret = SET_ERROR(ENOTSUP);
goto error;
}
ret = nvlist_lookup_uint64(nvl, "mdn_indblkshift", &ibs); ret = nvlist_lookup_uint64(nvl, "mdn_indblkshift", &ibs);
if (ret != 0 || ibs < DN_MIN_INDBLKSHIFT || if (ret != 0 || ibs < DN_MIN_INDBLKSHIFT || ibs > DN_MAX_INDBLKSHIFT)
ibs > DN_MAX_INDBLKSHIFT) { return (SET_ERROR(ENOTSUP));
ret = SET_ERROR(ENOTSUP);
goto error;
}
ret = nvlist_lookup_uint64(nvl, "mdn_nblkptr", &nblkptr); ret = nvlist_lookup_uint64(nvl, "mdn_nblkptr", &nblkptr);
if (ret != 0 || nblkptr != DN_MAX_NBLKPTR) { if (ret != 0 || nblkptr != DN_MAX_NBLKPTR)
ret = SET_ERROR(ENOTSUP); return (SET_ERROR(ENOTSUP));
goto error;
}
ret = nvlist_lookup_uint64(nvl, "mdn_maxblkid", &maxblkid); ret = nvlist_lookup_uint64(nvl, "mdn_maxblkid", &maxblkid);
if (ret != 0) { if (ret != 0)
ret = SET_ERROR(EINVAL); return (SET_ERROR(EINVAL));
goto error;
} ret = nvlist_lookup_uint8_array(nvl, "portable_mac", &buf, &len);
if (ret != 0 || len != ZIO_OBJSET_MAC_LEN)
return (SET_ERROR(EINVAL));
ret = dmu_objset_from_ds(ds, &os); ret = dmu_objset_from_ds(ds, &os);
if (ret != 0) if (ret != 0)
goto error; return (ret);
/* /*
* Useraccounting is not portable and must be done with the keys loaded. * Useraccounting is not portable and must be done with the keys loaded.
@ -2082,80 +1958,54 @@ dsl_crypto_recv_key_check(void *arg, dmu_tx_t *tx)
mdn = DMU_META_DNODE(os); mdn = DMU_META_DNODE(os);
/* /*
* If we already created the objset, make sure its unchangable * If we already created the objset, make sure its unchangeable
* properties match the ones received in the nvlist. * properties match the ones received in the nvlist.
*/ */
rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG); rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG);
if (!BP_IS_HOLE(dsl_dataset_get_blkptr(ds)) && if (!BP_IS_HOLE(dsl_dataset_get_blkptr(ds)) &&
(mdn->dn_nlevels != nlevels || mdn->dn_datablksz != blksz || (mdn->dn_nlevels != nlevels || mdn->dn_datablksz != blksz ||
mdn->dn_indblkshift != ibs || mdn->dn_nblkptr != nblkptr)) { mdn->dn_indblkshift != ibs || mdn->dn_nblkptr != nblkptr)) {
ret = SET_ERROR(EINVAL); rrw_exit(&ds->ds_bp_rwlock, FTAG);
goto error; return (SET_ERROR(EINVAL));
} }
rrw_exit(&ds->ds_bp_rwlock, FTAG); rrw_exit(&ds->ds_bp_rwlock, FTAG);
dsl_dataset_rele(ds, FTAG);
return (0); return (0);
error:
if (ds != NULL)
dsl_dataset_rele(ds, FTAG);
return (ret);
} }
static void static void
dsl_crypto_recv_key_sync(void *arg, dmu_tx_t *tx) dsl_crypto_recv_raw_objset_sync(dsl_dataset_t *ds, dmu_objset_type_t ostype,
nvlist_t *nvl, dmu_tx_t *tx)
{ {
dsl_crypto_recv_key_arg_t *dcrka = arg;
uint64_t dsobj = dcrka->dcrka_dsobj;
nvlist_t *nvl = dcrka->dcrka_nvl;
dsl_pool_t *dp = tx->tx_pool; dsl_pool_t *dp = tx->tx_pool;
objset_t *mos = dp->dp_meta_objset;
dsl_dataset_t *ds;
objset_t *os; objset_t *os;
dnode_t *mdn; dnode_t *mdn;
uint8_t *keydata, *hmac_keydata, *iv, *mac, *portable_mac; zio_t *zio;
uint8_t *portable_mac;
uint_t len; uint_t len;
uint64_t rddobj, one = 1;
uint64_t version = ZIO_CRYPT_KEY_CURRENT_VERSION;
uint64_t crypt, guid, keyformat, iters, salt;
uint64_t compress, checksum, nlevels, blksz, ibs, maxblkid; uint64_t compress, checksum, nlevels, blksz, ibs, maxblkid;
char *keylocation = "prompt"; boolean_t newds = B_FALSE;
VERIFY0(dsl_dataset_hold_obj(dp, dsobj, FTAG, &ds));
VERIFY0(dmu_objset_from_ds(ds, &os)); VERIFY0(dmu_objset_from_ds(ds, &os));
mdn = DMU_META_DNODE(os); mdn = DMU_META_DNODE(os);
/* lookup the values we need to create the DSL Crypto Key and objset */ /* fetch the values we need from the nvlist */
crypt = fnvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE);
guid = fnvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_GUID);
keyformat = fnvlist_lookup_uint64(nvl,
zfs_prop_to_name(ZFS_PROP_KEYFORMAT));
iters = fnvlist_lookup_uint64(nvl,
zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS));
salt = fnvlist_lookup_uint64(nvl,
zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT));
VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY,
&keydata, &len));
VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY,
&hmac_keydata, &len));
VERIFY0(nvlist_lookup_uint8_array(nvl, "portable_mac", &portable_mac,
&len));
VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_IV, &iv, &len));
VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, &mac, &len));
compress = fnvlist_lookup_uint64(nvl, "mdn_compress"); compress = fnvlist_lookup_uint64(nvl, "mdn_compress");
checksum = fnvlist_lookup_uint64(nvl, "mdn_checksum"); checksum = fnvlist_lookup_uint64(nvl, "mdn_checksum");
nlevels = fnvlist_lookup_uint64(nvl, "mdn_nlevels"); nlevels = fnvlist_lookup_uint64(nvl, "mdn_nlevels");
blksz = fnvlist_lookup_uint64(nvl, "mdn_blksz"); blksz = fnvlist_lookup_uint64(nvl, "mdn_blksz");
ibs = fnvlist_lookup_uint64(nvl, "mdn_indblkshift"); ibs = fnvlist_lookup_uint64(nvl, "mdn_indblkshift");
maxblkid = fnvlist_lookup_uint64(nvl, "mdn_maxblkid"); maxblkid = fnvlist_lookup_uint64(nvl, "mdn_maxblkid");
VERIFY0(nvlist_lookup_uint8_array(nvl, "portable_mac", &portable_mac,
&len));
/* if we haven't created an objset for the ds yet, do that now */ /* if we haven't created an objset for the ds yet, do that now */
rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG); rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG);
if (BP_IS_HOLE(dsl_dataset_get_blkptr(ds))) { if (BP_IS_HOLE(dsl_dataset_get_blkptr(ds))) {
(void) dmu_objset_create_impl_dnstats(dp->dp_spa, ds, (void) dmu_objset_create_impl_dnstats(dp->dp_spa, ds,
dsl_dataset_get_blkptr(ds), dcrka->dcrka_ostype, nlevels, dsl_dataset_get_blkptr(ds), ostype, nlevels, blksz,
blksz, ibs, tx); ibs, tx);
newds = B_TRUE;
} }
rrw_exit(&ds->ds_bp_rwlock, FTAG); rrw_exit(&ds->ds_bp_rwlock, FTAG);
@ -2178,35 +2028,172 @@ dsl_crypto_recv_key_sync(void *arg, dmu_tx_t *tx)
dnode_new_blkid(mdn, maxblkid, tx, B_FALSE); dnode_new_blkid(mdn, maxblkid, tx, B_FALSE);
rw_exit(&mdn->dn_struct_rwlock); rw_exit(&mdn->dn_struct_rwlock);
/*
* We can't normally dirty the dataset in syncing context unless
* we are creating a new dataset. In this case, we perform a
* pseudo txg sync here instead.
*/
if (newds) {
dsl_dataset_dirty(ds, tx); dsl_dataset_dirty(ds, tx);
} else {
zio = zio_root(dp->dp_spa, NULL, NULL, ZIO_FLAG_MUSTSUCCEED);
dsl_dataset_sync(ds, zio, tx);
VERIFY0(zio_wait(zio));
/* dsl_dataset_sync_done will drop this reference. */
dmu_buf_add_ref(ds->ds_dbuf, ds);
dsl_dataset_sync_done(ds, tx);
}
}
int
dsl_crypto_recv_raw_key_check(dsl_dataset_t *ds, nvlist_t *nvl, dmu_tx_t *tx)
{
int ret;
objset_t *mos = tx->tx_pool->dp_meta_objset;
uint8_t *buf = NULL;
uint_t len;
uint64_t intval, guid, version;
boolean_t is_passphrase = B_FALSE;
ASSERT(dsl_dataset_phys(ds)->ds_flags & DS_FLAG_INCONSISTENT);
/*
* Read and check all the encryption values from the nvlist. We need
* all of the fields of a DSL Crypto Key, as well as a fully specified
* wrapping key.
*/
ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE, &intval);
if (ret != 0 || intval >= ZIO_CRYPT_FUNCTIONS ||
intval <= ZIO_CRYPT_OFF)
return (SET_ERROR(EINVAL));
ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_GUID, &intval);
if (ret != 0)
return (SET_ERROR(EINVAL));
/*
* If this is an incremental receive make sure the given key guid
* matches the one we already have.
*/
if (ds->ds_dir->dd_crypto_obj != 0) {
ret = zap_lookup(mos, ds->ds_dir->dd_crypto_obj,
DSL_CRYPTO_KEY_GUID, 8, 1, &guid);
if (ret != 0)
return (ret);
if (intval != guid)
return (SET_ERROR(EACCES));
}
ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY,
&buf, &len);
if (ret != 0 || len != MASTER_KEY_MAX_LEN)
return (SET_ERROR(EINVAL));
ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY,
&buf, &len);
if (ret != 0 || len != SHA512_HMAC_KEYLEN)
return (SET_ERROR(EINVAL));
ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_IV, &buf, &len);
if (ret != 0 || len != WRAPPING_IV_LEN)
return (SET_ERROR(EINVAL));
ret = nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, &buf, &len);
if (ret != 0 || len != WRAPPING_MAC_LEN)
return (SET_ERROR(EINVAL));
/*
* We don't support receiving old on-disk formats. The version 0
* implementation protected several fields in an objset that were
* not always portable during a raw receive. As a result, we call
* the old version an on-disk errata #3.
*/
ret = nvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_VERSION, &version);
if (ret != 0 || version != ZIO_CRYPT_KEY_CURRENT_VERSION)
return (SET_ERROR(ENOTSUP));
ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_KEYFORMAT),
&intval);
if (ret != 0 || intval >= ZFS_KEYFORMAT_FORMATS ||
intval == ZFS_KEYFORMAT_NONE)
return (SET_ERROR(EINVAL));
is_passphrase = (intval == ZFS_KEYFORMAT_PASSPHRASE);
/*
* for raw receives we allow any number of pbkdf2iters since there
* won't be a chance for the user to change it.
*/
ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS),
&intval);
if (ret != 0 || (is_passphrase == (intval == 0)))
return (SET_ERROR(EINVAL));
ret = nvlist_lookup_uint64(nvl, zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT),
&intval);
if (ret != 0 || (is_passphrase == (intval == 0)))
return (SET_ERROR(EINVAL));
return (0);
}
void
dsl_crypto_recv_raw_key_sync(dsl_dataset_t *ds, nvlist_t *nvl, dmu_tx_t *tx)
{
dsl_pool_t *dp = tx->tx_pool;
objset_t *mos = dp->dp_meta_objset;
dsl_dir_t *dd = ds->ds_dir;
uint_t len;
uint64_t rddobj, one = 1;
uint8_t *keydata, *hmac_keydata, *iv, *mac;
uint64_t crypt, guid, keyformat, iters, salt;
uint64_t version = ZIO_CRYPT_KEY_CURRENT_VERSION;
char *keylocation = "prompt";
/* lookup the values we need to create the DSL Crypto Key */
crypt = fnvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_CRYPTO_SUITE);
guid = fnvlist_lookup_uint64(nvl, DSL_CRYPTO_KEY_GUID);
keyformat = fnvlist_lookup_uint64(nvl,
zfs_prop_to_name(ZFS_PROP_KEYFORMAT));
iters = fnvlist_lookup_uint64(nvl,
zfs_prop_to_name(ZFS_PROP_PBKDF2_ITERS));
salt = fnvlist_lookup_uint64(nvl,
zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT));
VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MASTER_KEY,
&keydata, &len));
VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_HMAC_KEY,
&hmac_keydata, &len));
VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_IV, &iv, &len));
VERIFY0(nvlist_lookup_uint8_array(nvl, DSL_CRYPTO_KEY_MAC, &mac, &len));
/* if this is a new dataset setup the DSL Crypto Key. */ /* if this is a new dataset setup the DSL Crypto Key. */
if (ds->ds_dir->dd_crypto_obj == 0) { if (dd->dd_crypto_obj == 0) {
/* zapify the dsl dir so we can add the key object to it */ /* zapify the dsl dir so we can add the key object to it */
dmu_buf_will_dirty(ds->ds_dir->dd_dbuf, tx); dmu_buf_will_dirty(dd->dd_dbuf, tx);
dsl_dir_zapify(ds->ds_dir, tx); dsl_dir_zapify(dd, tx);
/* create the DSL Crypto Key on disk and activate the feature */ /* create the DSL Crypto Key on disk and activate the feature */
ds->ds_dir->dd_crypto_obj = zap_create(mos, dd->dd_crypto_obj = zap_create(mos,
DMU_OTN_ZAP_METADATA, DMU_OT_NONE, 0, tx); DMU_OTN_ZAP_METADATA, DMU_OT_NONE, 0, tx);
VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, VERIFY0(zap_update(tx->tx_pool->dp_meta_objset,
ds->ds_dir->dd_crypto_obj, DSL_CRYPTO_KEY_REFCOUNT, dd->dd_crypto_obj, DSL_CRYPTO_KEY_REFCOUNT,
sizeof (uint64_t), 1, &one, tx)); sizeof (uint64_t), 1, &one, tx));
VERIFY0(zap_update(tx->tx_pool->dp_meta_objset, VERIFY0(zap_update(tx->tx_pool->dp_meta_objset,
ds->ds_dir->dd_crypto_obj, DSL_CRYPTO_KEY_VERSION, dd->dd_crypto_obj, DSL_CRYPTO_KEY_VERSION,
sizeof (uint64_t), 1, &version, tx)); sizeof (uint64_t), 1, &version, tx));
dsl_dataset_activate_feature(dsobj, SPA_FEATURE_ENCRYPTION, tx); dsl_dataset_activate_feature(ds->ds_object,
SPA_FEATURE_ENCRYPTION, tx);
ds->ds_feature_inuse[SPA_FEATURE_ENCRYPTION] = B_TRUE; ds->ds_feature_inuse[SPA_FEATURE_ENCRYPTION] = B_TRUE;
/* save the dd_crypto_obj on disk */ /* save the dd_crypto_obj on disk */
VERIFY0(zap_add(mos, ds->ds_dir->dd_object, VERIFY0(zap_add(mos, dd->dd_object, DD_FIELD_CRYPTO_KEY_OBJ,
DD_FIELD_CRYPTO_KEY_OBJ, sizeof (uint64_t), 1, sizeof (uint64_t), 1, &dd->dd_crypto_obj, tx));
&ds->ds_dir->dd_crypto_obj, tx));
/* /*
* Set the keylocation to prompt by default. If keylocation * Set the keylocation to prompt by default. If keylocation
* has been provided via the properties, this will be overriden * has been provided via the properties, this will be overridden
* later. * later.
*/ */
dsl_prop_set_sync_impl(ds, dsl_prop_set_sync_impl(ds,
@ -2214,16 +2201,64 @@ dsl_crypto_recv_key_sync(void *arg, dmu_tx_t *tx)
ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1, ZPROP_SRC_LOCAL, 1, strlen(keylocation) + 1,
keylocation, tx); keylocation, tx);
rddobj = ds->ds_dir->dd_object; rddobj = dd->dd_object;
} else { } else {
VERIFY0(dsl_dir_get_encryption_root_ddobj(ds->ds_dir, &rddobj)); VERIFY0(dsl_dir_get_encryption_root_ddobj(dd, &rddobj));
} }
/* sync the key data to the ZAP object on disk */ /* sync the key data to the ZAP object on disk */
dsl_crypto_key_sync_impl(mos, ds->ds_dir->dd_crypto_obj, crypt, dsl_crypto_key_sync_impl(mos, dd->dd_crypto_obj, crypt,
rddobj, guid, iv, mac, keydata, hmac_keydata, keyformat, salt, rddobj, guid, iv, mac, keydata, hmac_keydata, keyformat, salt,
iters, tx); iters, tx);
}
int
dsl_crypto_recv_key_check(void *arg, dmu_tx_t *tx)
{
int ret;
dsl_crypto_recv_key_arg_t *dcrka = arg;
dsl_dataset_t *ds = NULL;
ret = dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_dsobj,
FTAG, &ds);
if (ret != 0)
goto error;
ret = dsl_crypto_recv_raw_objset_check(ds,
dcrka->dcrka_ostype, dcrka->dcrka_nvl, tx);
if (ret != 0)
goto error;
/*
* We run this check even if we won't be doing this part of
* the receive now so that we don't make the user wait until
* the receive finishes to fail.
*/
ret = dsl_crypto_recv_raw_key_check(ds, dcrka->dcrka_nvl, tx);
if (ret != 0)
goto error;
dsl_dataset_rele(ds, FTAG);
return (0);
error:
if (ds != NULL)
dsl_dataset_rele(ds, FTAG);
return (ret);
}
void
dsl_crypto_recv_key_sync(void *arg, dmu_tx_t *tx)
{
dsl_crypto_recv_key_arg_t *dcrka = arg;
dsl_dataset_t *ds;
VERIFY0(dsl_dataset_hold_obj(tx->tx_pool, dcrka->dcrka_dsobj,
FTAG, &ds));
dsl_crypto_recv_raw_objset_sync(ds, dcrka->dcrka_ostype,
dcrka->dcrka_nvl, tx);
if (dcrka->dcrka_do_key)
dsl_crypto_recv_raw_key_sync(ds, dcrka->dcrka_nvl, tx);
dsl_dataset_rele(ds, FTAG); dsl_dataset_rele(ds, FTAG);
} }
@ -2233,14 +2268,15 @@ dsl_crypto_recv_key_sync(void *arg, dmu_tx_t *tx)
* without wrapping it. * without wrapping it.
*/ */
int int
dsl_crypto_recv_key(const char *poolname, uint64_t dsobj, dsl_crypto_recv_raw(const char *poolname, uint64_t dsobj,
dmu_objset_type_t ostype, nvlist_t *nvl) dmu_objset_type_t ostype, nvlist_t *nvl, boolean_t do_key)
{ {
dsl_crypto_recv_key_arg_t dcrka; dsl_crypto_recv_key_arg_t dcrka;
dcrka.dcrka_dsobj = dsobj; dcrka.dcrka_dsobj = dsobj;
dcrka.dcrka_nvl = nvl;
dcrka.dcrka_ostype = ostype; dcrka.dcrka_ostype = ostype;
dcrka.dcrka_nvl = nvl;
dcrka.dcrka_do_key = do_key;
return (dsl_sync_task(poolname, dsl_crypto_recv_key_check, return (dsl_sync_task(poolname, dsl_crypto_recv_key_check,
dsl_crypto_recv_key_sync, &dcrka, 1, ZFS_SPACE_CHECK_NORMAL)); dsl_crypto_recv_key_sync, &dcrka, 1, ZFS_SPACE_CHECK_NORMAL));

View File

@ -30,9 +30,12 @@
# 3. Create a file and get its checksum # 3. Create a file and get its checksum
# 4. Snapshot the dataset # 4. Snapshot the dataset
# 5. Attempt to receive a raw send stream of the first snapshot # 5. Attempt to receive a raw send stream of the first snapshot
# 6. Attempt to receive a raw incremental send stream of the second snapshot # 6. Change the passphrase required to unlock the original filesystem
# 7. Attempt load the key and mount the dataset # 7. Attempt and intentionally fail to receive the second snapshot
# 8. Verify the cheksum of the file is the same as the original # 8. Verify that the required passphrase hasn't changed on the receive side
# 9. Attempt a real raw incremental send stream of the second snapshot
# 10. Attempt load the key and mount the dataset
# 11. Verify the checksum of the file is the same as the original
# #
verify_runnable "both" verify_runnable "both"
@ -44,13 +47,18 @@ function cleanup
datasetexists $TESTPOOL/$TESTFS2 && \ datasetexists $TESTPOOL/$TESTFS2 && \
log_must zfs destroy -r $TESTPOOL/$TESTFS2 log_must zfs destroy -r $TESTPOOL/$TESTFS2
[[ -f $ibackup ]] && log_must rm -f $ibackup
} }
log_onexit cleanup log_onexit cleanup
log_assert "ZFS should receive streams from raw incremental sends" log_assert "ZFS should receive streams from raw incremental sends"
typeset ibackup="/var/tmp/ibackup.$$"
typeset ibackup_trunc="/var/tmp/ibackup_trunc.$$"
typeset passphrase="password" typeset passphrase="password"
typeset passphrase2="password2"
typeset snap1="$TESTPOOL/$TESTFS1@snap1" typeset snap1="$TESTPOOL/$TESTFS1@snap1"
typeset snap2="$TESTPOOL/$TESTFS1@snap2" typeset snap2="$TESTPOOL/$TESTFS1@snap2"
@ -65,8 +73,20 @@ typeset checksum=$(md5sum /$TESTPOOL/$TESTFS1/$TESTFILE0 | awk '{ print $1 }')
log_must zfs snapshot $snap2 log_must zfs snapshot $snap2
log_must eval "zfs send -w $snap1 | zfs receive $TESTPOOL/$TESTFS2" log_must eval "zfs send -w $snap1 | zfs receive $TESTPOOL/$TESTFS2"
log_must eval "zfs send -w -i $snap1 $snap2 | zfs receive $TESTPOOL/$TESTFS2" log_must eval "echo $passphrase2 | zfs change-key $TESTPOOL/$TESTFS1"
log_must eval "echo $passphrase | zfs mount -l $TESTPOOL/$TESTFS2" log_must eval "zfs send -w -i $snap1 $snap2 > $ibackup"
typeset trunc_size=$(stat -c %s $ibackup)
trunc_size=$(expr $trunc_size - 64)
log_must cp $ibackup $ibackup_trunc
log_must truncate -s $trunc_size $ibackup_trunc
log_mustnot eval "zfs receive $TESTPOOL/$TESTFS2 < $ibackup_trunc"
log_mustnot eval "echo $passphrase2 | zfs load-key $TESTPOOL/$TESTFS2"
log_must eval "echo $passphrase | zfs load-key $TESTPOOL/$TESTFS2"
log_must zfs unload-key $TESTPOOL/$TESTFS2
log_must eval "zfs receive $TESTPOOL/$TESTFS2 < $ibackup"
log_must eval "echo $passphrase2 | zfs mount -l $TESTPOOL/$TESTFS2"
typeset cksum1=$(md5sum /$TESTPOOL/$TESTFS2/$TESTFILE0 | awk '{ print $1 }') typeset cksum1=$(md5sum /$TESTPOOL/$TESTFS2/$TESTFILE0 | awk '{ print $1 }')
[[ "$cksum1" == "$checksum" ]] || \ [[ "$cksum1" == "$checksum" ]] || \