cryptenroll: actually allow using multiple "special" strings when wiping
authorFrantisek Sumsal <frantisek@sumsal.cz>
Wed, 10 May 2023 09:47:57 +0000 (11:47 +0200)
committerLuca Boccassi <luca.boccassi@gmail.com>
Thu, 11 May 2023 12:12:08 +0000 (13:12 +0100)
The systemd-cryptenroll man page states:

    Takes a comma separated list of numeric slot indexes, or the special
    strings ..., or any combination of these strings or numeric
    indexes, in which case all slots matching either are wiped.

but only the last special string given was honored, because each one
overwrote the mask instead of being ORed into it. So, for example,
--wipe=recovery,password would effectively become --wipe=password, etc.

src/cryptenroll/cryptenroll.c
test/units/testsuite-70.sh

index be57873ee447045cd30ced6ee2686122524c45fb..fe25619d858dccf9ee3d42521b2e157717b19f3f 100644 (file)
@@ -415,15 +415,15 @@ static int parse_argv(int argc, char *argv[]) {
                                         if (arg_wipe_slots_scope != WIPE_ALL) /* if "all" was specified before, that wins */
                                                 arg_wipe_slots_scope = WIPE_EMPTY_PASSPHRASE;
                                 } else if (streq(slot, "password"))
-                                        arg_wipe_slots_mask = 1U << ENROLL_PASSWORD;
+                                        arg_wipe_slots_mask |= 1U << ENROLL_PASSWORD;
                                 else if (streq(slot, "recovery"))
-                                        arg_wipe_slots_mask = 1U << ENROLL_RECOVERY;
+                                        arg_wipe_slots_mask |= 1U << ENROLL_RECOVERY;
                                 else if (streq(slot, "pkcs11"))
-                                        arg_wipe_slots_mask = 1U << ENROLL_PKCS11;
+                                        arg_wipe_slots_mask |= 1U << ENROLL_PKCS11;
                                 else if (streq(slot, "fido2"))
-                                        arg_wipe_slots_mask = 1U << ENROLL_FIDO2;
+                                        arg_wipe_slots_mask |= 1U << ENROLL_FIDO2;
                                 else if (streq(slot, "tpm2"))
-                                        arg_wipe_slots_mask = 1U << ENROLL_TPM2;
+                                        arg_wipe_slots_mask |= 1U << ENROLL_TPM2;
                                 else {
                                         int *a;
 
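Review bot: The five special-string branches now accumulate into arg_wipe_slots_mask, but nothing near them records that combining special strings is intended, so a later reader could easily "simplify" one back to a plain assignment and reintroduce the bug; a one-line comment above the `password` branch would guard the fix: `/* Special strings accumulate: --wipe=recovery,password wipes both slot types. */`. Each branch also shifts `1U` by an ENROLL_* value; neither the mask's type nor the enum's range is visible in this hunk, so if they are not already tied together, a compile-time assertion that the largest ENROLL_* value fits within the mask's bit width would keep a future enum addition from silently overflowing the shift. parse_argv begins and ends outside this hunk.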
index c86a9ab2db938052a2565dc061d161531c494139..571a93faa02b3f8a908c0facc7a4e90fd1e9fa88 100755 (executable)
@@ -258,7 +258,7 @@ systemd-cryptenroll "$img" | grep recovery
 cryptenroll_wipe_and_check "$img" --wipe=empty
 (! cryptenroll_wipe_and_check "$img" --wipe=empty)
 cryptenroll_wipe_and_check "$img" --wipe=empty,0
-cryptenroll_wipe_and_check "$img" --wipe=0,0,empty,0,pkcs11,fido2,000,recovery
+PASSWORD=foo NEWPASSWORD=foo cryptenroll_wipe_and_check "$img" --wipe=0,0,empty,0,pkcs11,fido2,000,recovery,password --password
 systemd-cryptenroll "$img" | grep password
 (! systemd-cryptenroll "$img" | grep recovery)
 # We shouldn't be able to wipe all keyslots without enrolling a new key first
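Review bot: The check on the line after the changed one, `systemd-cryptenroll "$img" | grep password`, passes whether or not the `password` entry in --wipe actually removed the old password slot, because the same invocation enrolls a fresh password via `--password` (unless cryptenroll_wipe_and_check verifies the wipe itself, which is defined outside this hunk). A count would pin the wipe, e.g. `[[ "$(systemd-cryptenroll "$img" | grep -c password)" -eq 1 ]]`, assuming the listing prints one line per slot as the surrounding grep checks presume. The `(! ... | grep recovery)` line does cover the regression the commit fixes, since `recovery` precedes `password` in the list and would previously have survived the wipe.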