creds: allow null when decrypting
authorLudwig Nussel <ludwig.nussel@suse.de>
Thu, 4 Apr 2024 15:05:18 +0000 (17:05 +0200)
committerLuca Boccassi <luca.boccassi@gmail.com>
Thu, 11 Apr 2024 11:15:32 +0000 (12:15 +0100)
pcrlock writes a credential file using a null key. Make sure systemd-creds
can show the file

man/systemd-creds.xml
src/creds/creds.c

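--- a/man/systemd-creds.xml
+++ b/man/systemd-creds.xml
         <xi:include href="version-info.xml" xpointer="v252"/></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>--allow-null</option></term>
+
+        <listitem><para>Allow decrypting credentials that use an empty key.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><option>--quiet</option></term>
         <term><option>-q</option></term>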
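--- a/src/creds/creds.c
+++ b/src/creds/creds.c
@@ -60,6 +60,7 @@ static bool arg_pretty = false;
 static bool arg_quiet = false;
 static bool arg_varlink = false;
 static uid_t arg_uid = UID_INVALID;
+static bool arg_allow_null = false;
 
 STATIC_DESTRUCTOR_REGISTER(arg_tpm2_public_key, freep);
 STATIC_DESTRUCTOR_REGISTER(arg_tpm2_signature, freep);
@@ -623,7 +624,7 @@ static int verb_decrypt(int argc, char **argv, void *userdata) {
                                 arg_tpm2_signature,
                                 arg_uid,
                                 &input,
-                                /* flags= */ 0,
+                                arg_allow_null ? CREDENTIAL_ALLOW_NULL : 0,
                                 &plaintext);
         if (r < 0)
                 return r;
@@ -741,6 +742,7 @@ static int verb_help(int argc, char **argv, void *userdata) {
                "                          Specify signature for public key PCR policy\n"
                "     --user               Select user-scoped credential encryption\n"
                "     --uid=UID            Select user for scoped credentials\n"
+               "     --allow-null         Allow decrypting credentials with empty key\n"
                "  -q --quiet              Suppress output for 'has-tpm2' verb\n"
                "\nSee the %2$s for details.\n",
                program_invocation_short_name,
@@ -774,6 +776,7 @@ static int parse_argv(int argc, char *argv[]) {
                 ARG_NOT_AFTER,
                 ARG_USER,
                 ARG_UID,
+                ARG_ALLOW_NULL,
         };
 
         static const struct option options[] = {
@@ -798,6 +801,7 @@ static int parse_argv(int argc, char *argv[]) {
                 { "quiet",                no_argument,       NULL, 'q'                      },
                 { "user",                 no_argument,       NULL, ARG_USER                 },
                 { "uid",                  required_argument, NULL, ARG_UID                  },
+                { "allow-null",           no_argument,       NULL, ARG_ALLOW_NULL           },
                 {}
         };
 
@@ -985,6 +989,10 @@ static int parse_argv(int argc, char *argv[]) {
                         }
                         break;
 
+                case ARG_ALLOW_NULL:
+                        arg_allow_null = true;
+                        break;
+
                 case 'q':
                         arg_quiet = true;
                         break;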
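Review bot: The `--allow-null` help line added in the verb_help hunk, and the flag it enables in the verb_decrypt hunk, say the option accepts an "empty key" but not what that implies: if, as the name suggests, the null key is a fixed well-known value rather than a per-host secret, a credential encrypted with it can be decrypted by anyone, so the option is an explicit opt-out of confidentiality and the user should be told so where they choose it. I would extend the help text to `"     --allow-null         Allow decrypting credentials with empty key (not confidential)\n"` and add the same qualification to the man page entry for the option. As far as these hunks show, parse_argv sets arg_allow_null for every verb while only verb_decrypt reads it; a one-line comment at the declaration, `/* Only honoured by verb_decrypt: permits credentials encrypted with the null key. */`, would make that scope clear. verb_decrypt, verb_help and parse_argv all start and end outside the hunks shown.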