From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 29 Aug 2024 10:54:40 +0000 (+0200)
Subject: cryptenroll: don't return slot 0 when we have no policy to search for
X-Git-Tag: v257-rc1~586^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=41bcb9308743f021f9635b35100e63106588cab9;p=thirdparty%2Fsystemd.git

cryptenroll: don't return slot 0 when we have no policy to search for

If the policy hash is empty we shouldn't return "0" from
search_policy_hash(), because that is understood as slot index 0, but
that's unlikely to match the policy.

Hence, return -ENOENT instead, indicating that we can't find a matching
slot.
---

diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c
index 583259d853e..b3d851953bf 100644
--- a/src/cryptenroll/cryptenroll-tpm2.c
+++ b/src/cryptenroll/cryptenroll-tpm2.c
@@ -26,7 +26,7 @@ static int search_policy_hash(
         assert(iovec_is_valid(hash));
 
         if (!iovec_is_set(hash))
-                return 0;
+                return -ENOENT;
 
         for (int token = 0; token < sym_crypt_token_max(CRYPT_LUKS2); token++) {
                 _cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;