From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 14 Apr 2022 13:26:02 +0000 (+0200)
Subject: creds-util: refuse unexpected key types explicitly
X-Git-Tag: v251-rc2~93^2~3
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7cac4a2e2d8d7886df00e085c8299741d66cf1d0;p=thirdparty%2Fsystemd.git

creds-util: refuse unexpected key types explicitly
---

diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
index c4dcc396ac2..93c8b93fa98 100644
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@@ -483,6 +483,13 @@ int encrypt_credential_and_warn(
         assert(ret);
         assert(ret_size);
 
+        if (!sd_id128_in_set(with_key,
+                             SD_ID128_NULL,
+                             CRED_AES256_GCM_BY_HOST,
+                             CRED_AES256_GCM_BY_TPM2_HMAC,
+                             CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC))
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid key type: " SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(with_key));
+
         if (name && !credential_name_valid(name))
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid credential name: %s", name);