Encryption patch follow-up

* PBKDF2 implementation changed to OpenSSL implementation.

* HKDF implementation moved to its own file and tests
  added to ensure correctness.

* Removed libzfs's now unnecessary dependency on libzpool
  and libicp.

* Ztest can now create and test encrypted datasets. This is
  currently disabled until issue #6526 is resolved, but
  otherwise functions as advertised.

* Several small bug fixes discovered after enabling ztest
  to run on encrypted datasets.

* Fixed coverity defects added by the encryption patch.

* Updated man pages for encrypted send / receive behavior.

* Fixed a bug where encrypted datasets could receive
  DRR_WRITE_EMBEDDED records.

* Minor code cleanups / consolidation.

Signed-off-by: Tom Caputi <[email protected]>

6 files changed, 172 insertions, 145 deletions

diff --git a/lib/libzfs/Makefile.am b/lib/libzfs/Makefile.am
index 7389f002d..e5b2ce765 100644
--- a/lib/libzfs/Makefile.am
+++ b/lib/libzfs/Makefile.am
@@ -30,6 +30,7 @@ USER_C = \
 	libzfs_util.c
 
 KERNEL_C = \
+	algs/sha2/sha2.c \
 	zfeature_common.c \
 	zfs_comutil.c \
 	zfs_deleg.c \
@@ -52,15 +53,13 @@ nodist_libzfs_la_SOURCES = \
 
 libzfs_la_LIBADD = \
         $(top_builddir)/lib/libefi/libefi.la \
-	$(top_builddir)/lib/libicp/libicp.la \
 	$(top_builddir)/lib/libnvpair/libnvpair.la \
 	$(top_builddir)/lib/libshare/libshare.la \
 	$(top_builddir)/lib/libtpool/libtpool.la \
 	$(top_builddir)/lib/libuutil/libuutil.la \
-	$(top_builddir)/lib/libzpool/libzpool.la \
 	$(top_builddir)/lib/libzfs_core/libzfs_core.la
 
-libzfs_la_LIBADD += -lm $(LIBBLKID) $(LIBUDEV)
+libzfs_la_LIBADD += -lm $(LIBBLKID) $(LIBUDEV) $(LIBSSL)
 libzfs_la_LDFLAGS = -version-info 2:0:0
 
 EXTRA_DIST = $(libzfs_pc_DATA) $(USER_C)
diff --git a/lib/libzfs/THIRDPARTYLICENSE.openssl b/lib/libzfs/THIRDPARTYLICENSE.openssl
new file mode 100644
index 000000000..a2c4adcbe
--- /dev/null
+++ b/lib/libzfs/THIRDPARTYLICENSE.openssl
@@ -0,0 +1,127 @@
+
+  LICENSE ISSUES
+  ==============
+
+  The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
+  the OpenSSL License and the original SSLeay license apply to the toolkit.
+  See below for the actual license texts. Actually both licenses are BSD-style
+  Open Source licenses. In case of any license issues related to OpenSSL
+  please contact [email protected].
+
+  OpenSSL License
+  ---------------
+
+/* ====================================================================
+ * Copyright (c) 1998-2008 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    [email protected].
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * ([email protected]).  This product includes software written by Tim
+ * Hudson ([email protected]).
+ *
+ */
+
+ Original SSLeay License
+ -----------------------
+
+/* Copyright (C) 1995-1998 Eric Young ([email protected])
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young ([email protected]).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson ([email protected]).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young ([email protected])"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson ([email protected])"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
diff --git a/lib/libzfs/THIRDPARTYLICENSE.openssl.descrip b/lib/libzfs/THIRDPARTYLICENSE.openssl.descrip
new file mode 100644
index 000000000..a9125ea21
--- /dev/null
+++ b/lib/libzfs/THIRDPARTYLICENSE.openssl.descrip
@@ -0,0 +1 @@
+PBKDF2 IMPLEMENTATION
diff --git a/lib/libzfs/libzfs_crypto.c b/lib/libzfs/libzfs_crypto.c
index 8bd788074..b1fac2f62 100644
--- a/lib/libzfs/libzfs_crypto.c
+++ b/lib/libzfs/libzfs_crypto.c
@@ -20,11 +20,11 @@
 #include <sys/zfs_context.h>
 #include <sys/fs/zfs.h>
 #include <sys/dsl_crypt.h>
-#include <sys/crypto/icp.h>
 #include <libintl.h>
 #include <termios.h>
 #include <signal.h>
 #include <errno.h>
+#include <openssl/evp.h>
 #include <libzfs.h>
 #include "libzfs_impl.h"
 #include "zfeature_common.h"
@@ -438,139 +438,6 @@ error:
 }
 
 static int
-pbkdf2(uint8_t *passphrase, size_t passphraselen, uint8_t *salt,
-    size_t saltlen, uint64_t iterations, uint8_t *output,
-    size_t outputlen)
-{
-	int ret;
-	uint64_t iter;
-	uint32_t blockptr, i;
-	uint16_t hmac_key_len;
-	uint8_t *hmac_key;
-	uint8_t block[SHA1_DIGEST_LEN * 2];
-	uint8_t *hmacresult = block + SHA1_DIGEST_LEN;
-	crypto_mechanism_t mech;
-	crypto_key_t key;
-	crypto_data_t in_data, out_data;
-	crypto_ctx_template_t tmpl = NULL;
-
-	/* initialize output */
-	memset(output, 0, outputlen);
-
-	/* initialize icp for use */
-	icp_init();
-
-	/* HMAC key size is max(sizeof(uint32_t) + salt len, sha 256 len) */
-	if (saltlen > SHA1_DIGEST_LEN) {
-		hmac_key_len = saltlen + sizeof (uint32_t);
-	} else {
-		hmac_key_len = SHA1_DIGEST_LEN;
-	}
-
-	hmac_key = calloc(hmac_key_len, 1);
-	if (!hmac_key) {
-		ret = ENOMEM;
-		goto error;
-	}
-
-	/* initialize sha 256 hmac mechanism */
-	mech.cm_type = crypto_mech2id(SUN_CKM_SHA1_HMAC);
-	mech.cm_param = NULL;
-	mech.cm_param_len = 0;
-
-	/* initialize passphrase as a crypto key */
-	key.ck_format = CRYPTO_KEY_RAW;
-	key.ck_length = BYTES_TO_BITS(passphraselen);
-	key.ck_data = passphrase;
-
-	/*
-	 * initialize crypto data for the input data. length will change
-	 * after the first iteration, so we will initialize it in the loop.
-	 */
-	in_data.cd_format = CRYPTO_DATA_RAW;
-	in_data.cd_offset = 0;
-	in_data.cd_raw.iov_base = (char *)hmac_key;
-
-	/* initialize crypto data for the output data */
-	out_data.cd_format = CRYPTO_DATA_RAW;
-	out_data.cd_offset = 0;
-	out_data.cd_length = SHA1_DIGEST_LEN;
-	out_data.cd_raw.iov_base = (char *)hmacresult;
-	out_data.cd_raw.iov_len = out_data.cd_length;
-
-	/* initialize the context template */
-	ret = crypto_create_ctx_template(&mech, &key, &tmpl, KM_SLEEP);
-	if (ret != CRYPTO_SUCCESS) {
-		ret = EIO;
-		goto error;
-	}
-
-	/* main loop */
-	for (blockptr = 0; blockptr < outputlen; blockptr += SHA1_DIGEST_LEN) {
-
-		/*
-		 * for the first iteration, the HMAC key is the user-provided
-		 * salt concatenated with the block index (1-indexed)
-		 */
-		i = htobe32(1 + (blockptr / SHA1_DIGEST_LEN));
-		memmove(hmac_key, salt, saltlen);
-		memmove(hmac_key + saltlen, (uint8_t *)(&i), sizeof (uint32_t));
-
-		/* block initializes to zeroes (no XOR) */
-		memset(block, 0, SHA1_DIGEST_LEN);
-
-		for (iter = 0; iter < iterations; iter++) {
-			if (iter > 0) {
-				in_data.cd_length = SHA1_DIGEST_LEN;
-				in_data.cd_raw.iov_len = in_data.cd_length;
-			} else {
-				in_data.cd_length = saltlen + sizeof (uint32_t);
-				in_data.cd_raw.iov_len = in_data.cd_length;
-			}
-
-			ret = crypto_mac(&mech, &in_data, &key, tmpl,
-			    &out_data, NULL);
-			if (ret != CRYPTO_SUCCESS) {
-				ret = EIO;
-				goto error;
-			}
-
-			/* HMAC key now becomes the output of this iteration */
-			memmove(hmac_key, hmacresult, SHA1_DIGEST_LEN);
-
-			/* XOR this iteration's result with the current block */
-			for (i = 0; i < SHA1_DIGEST_LEN; i++) {
-				block[i] ^= hmacresult[i];
-			}
-		}
-
-		/*
-		 * compute length of this block, make sure we don't write
-		 * beyond the end of the output, truncating if necessary
-		 */
-		if (blockptr + SHA1_DIGEST_LEN > outputlen) {
-			memmove(output + blockptr, block, outputlen - blockptr);
-		} else {
-			memmove(output + blockptr, block, SHA1_DIGEST_LEN);
-		}
-	}
-
-	crypto_destroy_ctx_template(tmpl);
-	free(hmac_key);
-	icp_fini();
-
-	return (0);
-
-error:
-	crypto_destroy_ctx_template(tmpl);
-	if (hmac_key != NULL)
-		free(hmac_key);
-	icp_fini();
-
-	return (ret);
-}
-
-static int
 derive_key(libzfs_handle_t *hdl, zfs_keyformat_t format, uint64_t iters,
     uint8_t *key_material, size_t key_material_len, uint64_t salt,
     uint8_t **key_out)
@@ -599,10 +466,12 @@ derive_key(libzfs_handle_t *hdl, zfs_keyformat_t format, uint64_t iters,
 		break;
 	case ZFS_KEYFORMAT_PASSPHRASE:
 		salt = LE_64(salt);
-		ret = pbkdf2(key_material, strlen((char *)key_material),
-		    ((uint8_t *)&salt), sizeof (uint64_t), iters,
-		    key, WRAPPING_KEY_LEN);
-		if (ret != 0) {
+
+		ret = PKCS5_PBKDF2_HMAC_SHA1((char *)key_material,
+		    strlen((char *)key_material), ((uint8_t *)&salt),
+		    sizeof (uint64_t), iters, WRAPPING_KEY_LEN, key);
+		if (ret != 1) {
+			ret = EIO;
 			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
 			    "Failed to generate key from passphrase."));
 			goto error;
@@ -1207,9 +1076,13 @@ try_again:
 	ret = lzc_load_key(zhp->zfs_name, noop, key_data, WRAPPING_KEY_LEN);
 	if (ret != 0) {
 		switch (ret) {
+		case EPERM:
+			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
+			    "Permission denied."));
+			break;
 		case EINVAL:
 			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
-			    "Invalid parameters provided for %s."),
+			    "Invalid parameters provided for dataset %s."),
 			    zfs_get_name(zhp));
 			break;
 		case EEXIST:
@@ -1318,6 +1191,10 @@ zfs_crypto_unload_key(zfs_handle_t *zhp)
 
 	if (ret != 0) {
 		switch (ret) {
+		case EPERM:
+			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
+			    "Permission denied."));
+			break;
 		case ENOENT:
 			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
 			    "Key already unloaded for '%s'."),
@@ -1375,8 +1252,10 @@ zfs_crypto_verify_rewrap_nvlist(zfs_handle_t *zhp, nvlist_t *props,
 	new_props = zfs_valid_proplist(zhp->zfs_hdl, zhp->zfs_type, props,
 	    zfs_prop_get_int(zhp, ZFS_PROP_ZONED), NULL, zhp->zpool_hdl,
 	    B_TRUE, errbuf);
-	if (new_props == NULL)
+	if (new_props == NULL) {
+		ret = EINVAL;
 		goto error;
+	}
 
 	*props_out = new_props;
 	return (0);
@@ -1475,6 +1354,13 @@ zfs_crypto_rewrap(zfs_handle_t *zhp, nvlist_t *raw_props, boolean_t inheritkey)
 				ret = nvlist_add_uint64(props,
 				    zfs_prop_to_name(ZFS_PROP_KEYFORMAT),
 				    keyformat);
+				if (ret != 0) {
+					zfs_error_aux(zhp->zfs_hdl,
+					    dgettext(TEXT_DOMAIN, "Failed to "
+					    "get existing keyformat "
+					    "property."));
+					goto error;
+				}
 			}
 
 			if (keylocation == NULL) {
@@ -1578,6 +1464,10 @@ zfs_crypto_rewrap(zfs_handle_t *zhp, nvlist_t *raw_props, boolean_t inheritkey)
 	ret = lzc_change_key(zhp->zfs_name, cmd, props, wkeydata, wkeylen);
 	if (ret != 0) {
 		switch (ret) {
+		case EPERM:
+			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
+			    "Permission denied."));
+			break;
 		case EINVAL:
 			zfs_error_aux(zhp->zfs_hdl, dgettext(TEXT_DOMAIN,
 			    "Invalid properties for key change."));
diff --git a/lib/libzfs/libzfs_sendrecv.c b/lib/libzfs/libzfs_sendrecv.c
index 855a297c9..934da54e1 100644
--- a/lib/libzfs/libzfs_sendrecv.c
+++ b/lib/libzfs/libzfs_sendrecv.c
@@ -2657,6 +2657,13 @@ recv_fix_encryption_heirarchy(libzfs_handle_t *hdl, const char *destname,
 	int err;
 	nvpair_t *fselem = NULL;
 	nvlist_t *stream_fss;
+	char *cp;
+	char top_zfs[ZFS_MAX_DATASET_NAME_LEN];
+
+	(void) strcpy(top_zfs, destname);
+	cp = strrchr(top_zfs, '@');
+	if (cp != NULL)
+		*cp = '\0';
 
 	VERIFY(0 == nvlist_lookup_nvlist(stream_nv, "fss", &stream_fss));
 
@@ -2758,9 +2765,11 @@ recv_fix_encryption_heirarchy(libzfs_handle_t *hdl, const char *destname,
 		/*
 		 * If the dataset is not flagged as an encryption root and is
 		 * currently an encryption root, force it to inherit from its
-		 * parent.
+		 * parent. The root of a raw send should never be
+		 * force-inherited.
 		 */
-		if (!stream_encroot && is_encroot) {
+		if (!stream_encroot && is_encroot &&
+		    strcmp(top_zfs, fsname) != 0) {
 			err = lzc_change_key(fsname, DCP_CMD_FORCE_INHERIT,
 			    NULL, NULL, 0);
 			if (err != 0) {
diff --git a/lib/libzpool/Makefile.am b/lib/libzpool/Makefile.am
index 133f1539a..95e249342 100644
--- a/lib/libzpool/Makefile.am
+++ b/lib/libzpool/Makefile.am
@@ -68,6 +68,7 @@ KERNEL_C = \
 	dsl_destroy.c \
 	dsl_userhold.c \
 	edonr_zfs.c \
+	hkdf.c \
 	fm.c \
 	gzip.c \
 	lzjb.c \