From 51abb74eabb8351e319fd12865c2e11abd8c8966 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 24 Oct 2023 22:54:39 +0200
Subject: [PATCH] cryptenroll: validate positional arguments before looking at detail parameters
Let's switch the order in which we process positional arguments and analyze/tweak detail parameters. Let's look at the positional arguments first (i.e. the "big picture") and then look at the switches (i.e. "little details"). THis doesn't matter much, but makes for better error messages I think. At least I was very confused that a completely borked cmdline I passed to cryptenrolled complained about some detail and let the major fuckup pass...
---
 src/cryptenroll/cryptenroll.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c
index 4362e435294..174247907da 100644
--- a/src/cryptenroll/cryptenroll.c
+++ b/src/cryptenroll/cryptenroll.c
@@ -474,6 +474,18 @@ static int parse_argv(int argc, char *argv[]) {
 }
 }
+ if (optind >= argc)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "No block device node specified, refusing.");
+
+ if (argc > optind+1)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Too many arguments, refusing.");
+
+ r = parse_path_argument(argv[optind], false, &arg_node);
+ if (r < 0)
+ return r;
+
 if (arg_enroll_type == ENROLL_FIDO2) {
 if (arg_unlock_type == UNLOCK_FIDO2 && !(arg_fido2_device && arg_unlock_fido2_device))
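Review bot: The relocated positional-argument checks carry no comment saying why they must come before the `arg_enroll_type`/`arg_unlock_type` consistency checks, so a later edit could add a switch check above them and bring back the misleading error ordering the commit message describes. A short comment directly above `if (optind >= argc)` would pin the intent, for example `/* Validate the positional arguments first, so a missing or surplus device node is reported before any per-switch consistency error. */`. parse_argv() starts and ends outside this hunk, so the option loop and the remaining checks are not visible here.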
@@ -488,18 +500,6 @@ static int parse_argv(int argc, char *argv[]) {
 }
 }
- if (optind >= argc)
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
- "No block device node specified, refusing.");
-
- if (argc > optind+1)
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
- "Too many arguments, refusing.");
-
- r = parse_path_argument(argv[optind], false, &arg_node);
- if (r < 0)
- return r;
-
 if (auto_public_key_pcr_mask && arg_tpm2_public_key) {
 assert(arg_tpm2_public_key_pcr_mask == 0);
 arg_tpm2_public_key_pcr_mask = INDEX_TO_MASK(uint32_t, TPM2_PCR_KERNEL_BOOT);
--
2.47.3