sd-id128: do not allow null 'app_id' param

If it is null, we get the 'base' param unchanged:
$ build/systemd-id128 show 00000000000000000000000000000001 \
  --app-specific=00000000000000000000000000000000
00000000000000000000000000000001

This is not good, because it breaks our promise that the base (usually either
machine-id or boot-id) cannot be derived from the result. Some application
using the library could use a null app id, inadvertently exposing the machine
or boot id. (This could happen because of forgotten initialization, or maybe
because the app id is configurable, and the user configures it wrongly.)

Note: the other way the secret is not exposed:
$ build/systemd-id128 show 00000000000000000000000000000000 \
  --app-specific=00000000000000000000000000000002
4f63080959264900b0d88d999dae2d3a

Normally systemd would not allow a null machine-id or boot-id, but we can let
the user do the calculation that if they want to.

diff --git a/man/sd_id128_get_machine.xml b/man/sd_id128_get_machine.xml
index fc13ae50f492a205ec85d4d90e7f00c56a12de52..31e4b02d9bbc44c2eafe663d21a63b6aa5f8e7ca 100644 (file)
--- a/man/sd_id128_get_machine.xml
+++ b/man/sd_id128_get_machine.xml
@@ -198,7 +198,10 @@
           <term><constant>-ENXIO</constant></term>
 
           <listitem><para>Returned by <function>sd_id128_get_invocation()</function> if no invocation ID is
-          set.</para>
+          set. Also returned by <function>sd_id128_get_app_specific()</function>,
+          <function>sd_id128_get_machine_app_specific()</function>, and
+          <function>sd_id128_get_boot_app_specific()</function> when the <parameter>app_id</parameter>
+          parameter is all zeros.</para>
 
           <xi:include href="version-info.xml" xpointer="v242"/></listitem>
         </varlistentry>

diff --git a/src/id128/id128.c b/src/id128/id128.c
index 29cd2e2dc0e10dac80c4db7d16849a9dbf046423..18e08808057ac20953f23ba2333c5855cc3d6a67 100644 (file)
--- a/src/id128/id128.c
+++ b/src/id128/id128.c
@@ -235,7 +235,9 @@ static int parse_argv(int argc, char *argv[]) {
                         break;
 
                 case 'a':
-                        r = sd_id128_from_string(optarg, &arg_app);
+                        r = id128_from_string_nonzero(optarg, &arg_app);
+                        if (r == -ENXIO)
+                                return log_error_errno(r, "Application ID cannot be all zeros.");
                         if (r < 0)
                                 return log_error_errno(r, "Failed to parse \"%s\" as application-ID: %m", optarg);
                         break;

diff --git a/src/libsystemd/sd-id128/sd-id128.c b/src/libsystemd/sd-id128/sd-id128.c
index adc73e4fdcd372cddb43194db06333e5e876baea..9fda79ae266cf716634d36f0f4359c79963c429d 100644 (file)
--- a/src/libsystemd/sd-id128/sd-id128.c
+++ b/src/libsystemd/sd-id128/sd-id128.c
@@ -346,6 +346,7 @@ _public_ int sd_id128_get_app_specific(sd_id128_t base, sd_id128_t app_id, sd_id
         } buf;
 
         assert_return(ret, -EINVAL);
+        assert_return(!sd_id128_is_null(app_id), -ENXIO);
 
         hmac_sha256(&base, sizeof(base), &app_id, sizeof(app_id), buf.hmac);
 

diff --git a/src/test/test-id128.c b/src/test/test-id128.c
index 10c061b917a45d0f8ba00078a3a057ca70a7e9cf..ae7df27d8f9e3297d56688ab000b729c6175781b 100644 (file)
--- a/src/test/test-id128.c
+++ b/src/test/test-id128.c
@@ -192,6 +192,10 @@ TEST(id128) {
                 assert_se(sd_id128_get_machine_app_specific(SD_ID128_MAKE(51,df,0b,4b,c3,b0,4c,97,80,e2,99,b9,8c,a3,73,b8), &id2) >= 0);
                 assert_se(!sd_id128_equal(id, id2));
         }
+
+        /* Check return values */
+        assert_se(sd_id128_get_app_specific(SD_ID128_ALLF, SD_ID128_NULL, &id) == -ENXIO);
+        assert_se(sd_id128_get_app_specific(SD_ID128_NULL, SD_ID128_ALLF, &id) == 0);
 }
 
 TEST(sd_id128_get_invocation) {