From 06b2cd9335ec4524ac66e0391c365bf3484ee4f8 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Tue, 10 Nov 2020 10:52:18 +0100
Subject: [PATCH] Add fix for extra argument from clevis v15

Clevis v15 added an additional argument, which is either an empty string or the string "-y". This argument is not used in this PIN, but we checked the exact number of arguments to parse, which got changed. This also accepts more additional arguments, and just ignores them.

Signed-off-by: Patrick Uiterwijk
---
 Cargo.toml | 2 +-
 src/cli.rs | 4 ++--
 tests/test_pcr | 4 ++++
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index b1f8bde..c0c90bd 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "clevis-pin-tpm2"
-version = "0.1.3"
+version = "0.1.4"
 description = "Clevis TPM2 PIN with policy support"
 authors = ["Patrick Uiterwijk "]
 edition = "2018"
diff --git a/src/cli.rs b/src/cli.rs
index b861ed9..353c6cc 100644
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -184,12 +184,12 @@ pub(super) fn get_mode_and_cfg(
 if atty::is(atty::Stream::Stdin) {
 return Ok((ActionMode::Help, None));
 }
- let (mode, cfgstr) = if args[0].contains("encrypt") && args.len() == 2 {
+ let (mode, cfgstr) = if args[0].contains("encrypt") && args.len() >= 2 {
 (ActionMode::Encrypt, Some(&args[1]))
 } else if args[0].contains("decrypt") {
 (ActionMode::Decrypt, None)
 } else if args.len() > 1 {
- if args[1] == "encrypt" && args.len() == 3 {
+ if args[1] == "encrypt" && args.len() >= 3 {
 (ActionMode::Encrypt, Some(&args[2]))
 } else if args[1] == "decrypt" {
 (ActionMode::Decrypt, None)
diff --git a/tests/test_pcr b/tests/test_pcr
index 31f1f0d..c5a86bb 100755
--- a/tests/test_pcr
+++ b/tests/test_pcr
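Review bot: In `get_mode_and_cfg` (src/cli.rs), relaxing the first branch to `args.len() >= 2` lets the substring test on `args[0]` shadow the subcommand form. If the executable path contains "encrypt" anywhere (a parent directory, for instance), an invocation of the form `<path> encrypt '{}'` has three arguments and now takes the first branch with `args[1]`, the literal "encrypt", as the config string; the old `== 2` check let it fall through to the `args[1] == "encrypt"` branch. Matching on the file name instead of the whole path avoids this, assuming `args[0]` is a `String`: `let prog = std::path::Path::new(&args[0]).file_name().and_then(|n| n.to_str()).unwrap_or("");` and then `prog.contains("encrypt")` / `prog.contains("decrypt")`. The function starts and ends outside the hunk, so what happens to a bogus `cfgstr` afterwards is not visible here.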
@@ -5,6 +5,10 @@
 ln -s clevis-pin-tpm2 target/debug/clevis-encrypt-tpm2plus
 ln -s clevis-pin-tpm2 target/debug/clevis-decrypt-tpm2plus
 echo "Working: no sealing" | ./target/debug/clevis-pin-tpm2 encrypt '{}' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: no sealing"; exit 1)
+# This tests we can handle the extra argument (either empty string or -y) from Clevis v15
+# https://github.com/latchset/clevis/commit/36fae7c2dbf030d6c74abaed945db7bf3c25d054
+echo "Working: no sealing (clevis v15, empty)" | ./target/debug/clevis-pin-tpm2 encrypt '{}' '' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: no sealing"; exit 1)
+echo "Working: no sealing (clevis v15, -y)" | ./target/debug/clevis-pin-tpm2 encrypt '{}' '-y' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: no sealing"; exit 1)
 echo "Working: no sealing (clevis decrypt)" | ./target/debug/clevis-pin-tpm2 encrypt '{}' | clevis decrypt || (echo "Failed: no sealing (clevis decrypt)"; exit 1)
 echo "Working: no sealing (clevis encrypt)" | clevis encrypt tpm2 '{}' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: no sealing (clevis encrypt)"; exit 1)
 echo "Working: no sealing (renamed encrypt)" | ./target/debug/clevis-encrypt-tpm2plus '{}' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: no sealing"; exit 1)
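Review bot: The two added cases only exercise the subcommand form (`clevis-pin-tpm2 encrypt '{}' ''`), so the other relaxed check in src/cli.rs is never run with the extra argument. That is the `args[0].contains("encrypt") && args.len() >= 2` branch, reached through the `clevis-encrypt-tpm2plus` symlink. A case for it would close the gap: `echo "Working: no sealing (renamed encrypt, clevis v15)" | ./target/debug/clevis-encrypt-tpm2plus '{}' '' | ./target/debug/clevis-pin-tpm2 decrypt || (echo "Failed: no sealing (renamed encrypt, clevis v15)"; exit 1)`. The new lines also reuse the message `Failed: no sealing`, so a failure does not say which case broke; suffixing them with `(clevis v15, empty)` and `(clevis v15, -y)` would fix that.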