creds: allow null when decrypting

pcrlock writes a credential file using null key. Make sure systemd-creds can show the file
2025-02-03 17:47:28 +03:00 · 2024-04-04 17:05:18 +02:00 · 2024-04-04 17:05:18 +02:00 · aadbe55925
commit aadbe55925
parent eff0a82534
2 changed files with 17 additions and 1 deletions
--- a/man/systemd-creds.xml
+++ b/man/systemd-creds.xml
@ -433,6 +433,14 @@
        <xi:include href="version-info.xml" xpointer="v252"/></listitem>
      </varlistentry>

+      <varlistentry>
+        <term><option>--allow-null</option></term>
+
+        <listitem><para>Allow decrypting credentials that use an empty key.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><option>--quiet</option></term>
        <term><option>-q</option></term>
--- a/src/creds/creds.c
+++ b/src/creds/creds.c
@ -60,6 +60,7 @@ static bool arg_pretty = false;
 static bool arg_quiet = false;
 static bool arg_varlink = false;
 static uid_t arg_uid = UID_INVALID;
+static bool arg_allow_null = false;

 STATIC_DESTRUCTOR_REGISTER(arg_tpm2_public_key, freep);
 STATIC_DESTRUCTOR_REGISTER(arg_tpm2_signature, freep);
@ -623,7 +624,7 @@ static int verb_decrypt(int argc, char **argv, void *userdata) {
                                arg_tpm2_signature,
                                arg_uid,
                                &input,
-                                /* flags= */ 0,
+                                arg_allow_null ? CREDENTIAL_ALLOW_NULL : 0,
                                &plaintext);
        if (r < 0)
                return r;
@ -741,6 +742,7 @@ static int verb_help(int argc, char **argv, void *userdata) {
               "                          Specify signature for public key PCR policy\n"
               "     --user               Select user-scoped credential encryption\n"
               "     --uid=UID            Select user for scoped credentials\n"
+               "     --allow-null         Allow decrypting credentials with empty key\n"
               "  -q --quiet              Suppress output for 'has-tpm2' verb\n"
               "\nSee the %2$s for details.\n",
               program_invocation_short_name,
@ -774,6 +776,7 @@ static int parse_argv(int argc, char *argv[]) {
                ARG_NOT_AFTER,
                ARG_USER,
                ARG_UID,
+                ARG_ALLOW_NULL,
        };

        static const struct option options[] = {
@ -798,6 +801,7 @@ static int parse_argv(int argc, char *argv[]) {
                { "quiet",                no_argument,       NULL, 'q'                      },
                { "user",                 no_argument,       NULL, ARG_USER                 },
                { "uid",                  required_argument, NULL, ARG_UID                  },
+                { "allow-null",           no_argument,       NULL, ARG_ALLOW_NULL           },
                {}
        };

@ -985,6 +989,10 @@ static int parse_argv(int argc, char *argv[]) {
                        }
                        break;

+                case ARG_ALLOW_NULL:
+                        arg_allow_null = true;
+                        break;
+
                case 'q':
                        arg_quiet = true;
                        break;