From 1e2ad19d680b9cfe200109777f037cafcea84751 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina
Date: Tue, 20 Mar 2018 17:00:10 +0100
Subject: [PATCH] Validate LUKS2 keyslot json before opening it.

---
 lib/luks2/luks2_keyslot.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/luks2/luks2_keyslot.c b/lib/luks2/luks2_keyslot.c
index 1a47bfd6..348896a6 100644
--- a/lib/luks2/luks2_keyslot.c
+++ b/lib/luks2/luks2_keyslot.c
@@ -220,6 +220,12 @@ static int LUKS2_open_and_verify(struct crypt_device *cd,
 if (!(h = LUKS2_keyslot_handler(cd, keyslot)))
 return -ENOENT;
 
+ r = h->validate(cd, keyslot);
+ if (r) {
+ log_dbg("Keyslot %d validation failed.", keyslot);
+ return r;
+ }
+
 r = LUKS2_keyslot_for_segment(hdr, keyslot, segment);
 if (r) {
 if (r == -ENOENT)
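Review bot: The added `h->validate(cd, keyslot)` call in LUKS2_open_and_verify goes through the handler's function pointer without checking that it is set, so a keyslot handler that leaves `validate` unset would turn an unlock attempt into a NULL dereference. Whether every handler defines it is not visible in this hunk; if that is not guaranteed, fail closed just before the call with `if (!h->validate) return -EINVAL;`. The return value of validate is also handed straight back to the caller, so it is worth confirming that callers which try several keyslots treat that code as "skip this slot" rather than as a fatal error, and recording the expected codes in a short comment above the call. The function starts before the hunk and continues past it.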