From 1641c2b1123617f7be249bb7f2b2c408defb3b96 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 28 Sep 2021 12:11:53 +0200
Subject: cryptsetup: handle more gracefully if "keyslots" LUKS2 JSON header
 field is invalid

The field is not owned by us (even though is in our JSON objects) but by
the LUKS2 spec. Hence let's handle this a bit more gracefully: let's not
get confused by it, just warn and skip over it.

Fixes: #20847
---
 src/cryptenroll/cryptenroll-tpm2.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'src/cryptenroll')

diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c
index 23deeed272..801014af11 100644
--- a/src/cryptenroll/cryptenroll-tpm2.c
+++ b/src/cryptenroll/cryptenroll-tpm2.c
@@ -34,8 +34,12 @@ static int search_policy_hash(
                         return log_error_errno(r, "Failed to read JSON token data off disk: %m");
 
                 keyslot = cryptsetup_get_keyslot_from_token(v);
-                if (keyslot < 0)
-                        return log_error_errno(keyslot, "Failed to determine keyslot of JSON token: %m");
+                if (keyslot < 0) {
+                        /* Handle parsing errors of the keyslots field gracefully, since it's not 'owned' by
+                         * us, but by the LUKS2 spec */
+                        log_warning_errno(keyslot, "Failed to determine keyslot of JSON token %i, skipping: %m", token);
+                        continue;
+                }
 
                 w = json_variant_by_key(v, "tpm2-policy-hash");
                 if (!w || !json_variant_is_string(w))
-- 
cgit v1.2.3