diff options
author | Frantisek Sumsal <frantisek@sumsal.cz> | 2023-05-10 11:47:57 +0200 |
---|---|---|
committer | Luca Boccassi <luca.boccassi@gmail.com> | 2023-05-11 13:12:08 +0100 |
commit | b0582f6b635011506fdf68d0afdc128ab10f6c6a (patch) | |
tree | 31888c6e476c270c992bbc543c126ef2e9dc099f | |
parent | 885b5cabe29d98ba7406d03aa5b4a2560c892504 (diff) | |
download | systemd-b0582f6b635011506fdf68d0afdc128ab10f6c6a.tar.gz |
cryptenroll: actually allow using multiple "special" strings when wiping
The systemd-cryptenroll man page states:
Takes a comma separated list of numeric slot indexes, or the special
strings ..., or any combination of these strings or numeric
indexes, in which case all slots matching either are wiped.
but we'd allow only one special string at any given time as the value
was not ORed when assigning. So, for example, --wipe=recovery,password
would actually become --wipe=password, etc.
-rw-r--r-- | src/cryptenroll/cryptenroll.c | 10 | ||||
-rwxr-xr-x | test/units/testsuite-70.sh | 2 |
2 files changed, 6 insertions, 6 deletions
diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c index be57873ee4..fe25619d85 100644 --- a/src/cryptenroll/cryptenroll.c +++ b/src/cryptenroll/cryptenroll.c @@ -415,15 +415,15 @@ static int parse_argv(int argc, char *argv[]) { if (arg_wipe_slots_scope != WIPE_ALL) /* if "all" was specified before, that wins */ arg_wipe_slots_scope = WIPE_EMPTY_PASSPHRASE; } else if (streq(slot, "password")) - arg_wipe_slots_mask = 1U << ENROLL_PASSWORD; + arg_wipe_slots_mask |= 1U << ENROLL_PASSWORD; else if (streq(slot, "recovery")) - arg_wipe_slots_mask = 1U << ENROLL_RECOVERY; + arg_wipe_slots_mask |= 1U << ENROLL_RECOVERY; else if (streq(slot, "pkcs11")) - arg_wipe_slots_mask = 1U << ENROLL_PKCS11; + arg_wipe_slots_mask |= 1U << ENROLL_PKCS11; else if (streq(slot, "fido2")) - arg_wipe_slots_mask = 1U << ENROLL_FIDO2; + arg_wipe_slots_mask |= 1U << ENROLL_FIDO2; else if (streq(slot, "tpm2")) - arg_wipe_slots_mask = 1U << ENROLL_TPM2; + arg_wipe_slots_mask |= 1U << ENROLL_TPM2; else { int *a; diff --git a/test/units/testsuite-70.sh b/test/units/testsuite-70.sh index c86a9ab2db..571a93faa0 100755 --- a/test/units/testsuite-70.sh +++ b/test/units/testsuite-70.sh @@ -258,7 +258,7 @@ systemd-cryptenroll "$img" | grep recovery cryptenroll_wipe_and_check "$img" --wipe=empty (! cryptenroll_wipe_and_check "$img" --wipe=empty) cryptenroll_wipe_and_check "$img" --wipe=empty,0 -cryptenroll_wipe_and_check "$img" --wipe=0,0,empty,0,pkcs11,fido2,000,recovery +PASSWORD=foo NEWPASSWORD=foo cryptenroll_wipe_and_check "$img" --wipe=0,0,empty,0,pkcs11,fido2,000,recovery,password --password systemd-cryptenroll "$img" | grep password (! systemd-cryptenroll "$img" | grep recovery) # We shouldn't be able to wipe all keyslots without enrolling a new key first |