diff -rupN cryptsetup-2.4.3.old/tests/api-test.c cryptsetup-2.4.3/tests/api-test.c

--- cryptsetup-2.4.3.old/tests/api-test.c	2022-02-17 16:37:09.535345938 +0100

+++ cryptsetup-2.4.3/tests/api-test.c	2022-02-17 16:37:29.156459763 +0100

@@ -312,7 +312,7 @@ static int _setup(void)

 static void AddDevicePlain(void)

 {

 	struct crypt_params_plain params = {

-		.hash = "sha1",

+		.hash = "sha256",

 		.skip = 0,

 		.offset = 0,

 		.size = 0

@@ -322,7 +322,7 @@ static void AddDevicePlain(void)

 	const char *passphrase = PASSPHRASE;

 	// hashed hex version of PASSPHRASE

-	const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";

+	const char *mk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea";

 	size_t key_size = strlen(mk_hex) / 2;

 	const char *cipher = "aes";

 	const char *cipher_mode = "cbc-essiv:sha256";

@@ -438,7 +438,7 @@ static void AddDevicePlain(void)

 	OK_(crypt_deactivate(cd,CDEVICE_1));

 	CRYPT_FREE(cd);

-	params.hash = "sha1";

+	params.hash = "sha256";

 	params.offset = 0;

 	params.size = 0;

 	params.skip = 0;

@@ -620,7 +620,7 @@ static void new_log(int level, const cha

 static void CallbacksTest(void)

 {

 	struct crypt_params_plain params = {

-		.hash = "sha1",

+		.hash = "sha256",

 		.skip = 0,

 		.offset = 0,

 	};

@@ -1116,7 +1116,7 @@ static void LuksHeaderRestore(void)

 		.data_alignment = 2048, // 4M, data offset will be 4096

 	};

 	struct crypt_params_plain pl_params = {

-		.hash = "sha1",

+		.hash = "sha256",

 		.skip = 0,

 		.offset = 0,

 		.size = 0

@@ -1203,7 +1203,7 @@ static void LuksHeaderLoad(void)

 		.data_alignment = 2048,

 	};

 	struct crypt_params_plain pl_params = {

-		.hash = "sha1",

+		.hash = "sha256",

 		.skip = 0,

 		.offset = 0,

 		.size = 0

diff -rupN cryptsetup-2.4.3.old/tests/api-test-2.c cryptsetup-2.4.3/tests/api-test-2.c

--- cryptsetup-2.4.3.old/tests/api-test-2.c	2022-02-17 16:37:09.535345938 +0100

+++ cryptsetup-2.4.3/tests/api-test-2.c	2022-02-17 16:37:29.155459758 +0100

@@ -1232,7 +1232,7 @@ static void Luks2HeaderRestore(void)

 		.sector_size = 512

 	};

 	struct crypt_params_plain pl_params = {

-		.hash = "sha1",

+		.hash = "sha256",

 		.skip = 0,

 		.offset = 0,

 		.size = 0

@@ -1242,7 +1242,7 @@ static void Luks2HeaderRestore(void)

 	};

 	uint32_t flags = 0;

-	const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";

+	const char *mk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea";

 	size_t key_size = strlen(mk_hex) / 2;

 	const char *cipher = "aes";

 	const char *cipher_mode = "cbc-essiv:sha256";

@@ -1337,7 +1337,7 @@ static void Luks2HeaderLoad(void)

 		.sector_size = 512

 	};

 	struct crypt_params_plain pl_params = {

-		.hash = "sha1",

+		.hash = "sha256",

 		.skip = 0,

 		.offset = 0,

 		.size = 0

@@ -2142,7 +2142,7 @@ static void LuksConvert(void)

 		.parallel_threads = 1

 	}, pbkdf2 = {

 		.type = CRYPT_KDF_PBKDF2,

-		.hash = "sha1",

+		.hash = "sha256",

 		.time_ms = 1

 	};

@@ -2675,7 +2675,7 @@ static void Pbkdf(void)

 		.hash = default_luks1_hash

 	};

 	struct crypt_params_plain params = {

-		.hash = "sha1",

+		.hash = "sha256",

 		.skip = 0,

 		.offset = 0,

 		.size = 0

@@ -2874,11 +2874,11 @@ static void Pbkdf(void)

 	pbkdf2.time_ms = 9;

 	pbkdf2.hash = NULL;

 	FAIL_(crypt_set_pbkdf_type(cd, &pbkdf2), "Hash is mandatory for pbkdf2");

-	pbkdf2.hash = "sha1";

+	pbkdf2.hash = "sha256";

 	OK_(crypt_set_pbkdf_type(cd, &pbkdf2));

 	argon2.time_ms = 9;

-	argon2.hash = "sha1"; // will be ignored

+	argon2.hash = "sha256"; // will be ignored

 	OK_(crypt_set_pbkdf_type(cd, &argon2));

 	argon2.hash = NULL;

 	OK_(crypt_set_pbkdf_type(cd, &argon2));

@@ -3839,7 +3839,7 @@ static void Luks2Reencryption(void)

 	struct crypt_params_reencrypt retparams = {}, rparams = {

 		.direction = CRYPT_REENCRYPT_FORWARD,

 		.resilience = "checksum",

-		.hash = "sha1",

+		.hash = "sha256",

 		.luks2 = &params2,

 	};

 	dev_t devno;

@@ -3983,7 +3983,7 @@ static void Luks2Reencryption(void)

 	rparams.hash = "hamSter";

 	FAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 21, 9, "aes", "xts-plain64", &rparams), "Invalid resilience hash.");

-	rparams.hash = "sha1";

+	rparams.hash = "sha256";

 	OK_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 21, 9, "aes", "xts-plain64", &rparams));

 	OK_(crypt_reencrypt_run(cd, NULL, NULL));

diff -rupN cryptsetup-2.4.3.old/tests/compat-test cryptsetup-2.4.3/tests/compat-test

--- cryptsetup-2.4.3.old/tests/compat-test	2022-02-17 16:37:09.541345973 +0100

+++ cryptsetup-2.4.3/tests/compat-test	2022-02-17 16:37:29.157459769 +0100

@@ -302,8 +302,8 @@ $CRYPTSETUP -q luksUUID $IMG | grep -q $

 prepare	"[1] open - compat image - acceptance check" new

 echo $PWD0 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail

 check_exists

-ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')

-[ "$ORG_SHA1" = 676062b66ebf36669dab705442ea0762dfc091b0 ] || fail

+ORG_SHA256=$(sha256sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')

+[ "$ORG_SHA256" = 7428e8f2436882a07eb32765086f5c899474c08b5576f556b573d2aabdf923e8 ] || fail

 $CRYPTSETUP -q luksClose  $DEV_NAME || fail

 # Check it can be opened from header backup as well

@@ -315,6 +315,7 @@ $CRYPTSETUP -q luksClose  $DEV_NAME || f

 $CRYPTSETUP luksHeaderRestore -q $IMG --header-backup-file $HEADER_IMG || fail

 # Repeat for V1.0 header - not aligned first keyslot

+if [ ! fips_mode ] ; then

 echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME || fail

 check_exists

 ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')

@@ -326,6 +327,7 @@ $CRYPTSETUP luksHeaderBackup $IMG10 --he

 echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME --header $HEADER_IMG || fail

 check_exists

 $CRYPTSETUP -q luksClose  $DEV_NAME || fail

+fi

 prepare "[2] open - compat image - denial check" new

 echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail

@@ -526,7 +528,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q

 prepare "[19] create & status & resize" wipe

 echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash xxx 2>/dev/null && fail

-echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail

+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail

 $CRYPTSETUP -q status  $DEV_NAME | grep "offset:" | grep -q "3 sectors" || fail

 $CRYPTSETUP -q status  $DEV_NAME | grep "skipped:" | grep -q "4 sectors" || fail

 $CRYPTSETUP -q status  $DEV_NAME | grep "mode:" | grep -q "readonly" || fail

@@ -546,15 +548,15 @@ $CRYPTSETUP -q resize  $DEV_NAME || fail

 $CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "32765 sectors" || fail

 $CRYPTSETUP -q remove  $DEV_NAME || fail

 $CRYPTSETUP -q status  $DEV_NAME >/dev/null && fail

-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail

+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail

 $CRYPTSETUP -q remove  $DEV_NAME || fail

-echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 $LOOPDEV || fail

+echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 $LOOPDEV || fail

 $CRYPTSETUP -q remove  $DEV_NAME || fail

-echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 --size 100 $LOOPDEV || fail

+echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 --size 100 $LOOPDEV || fail

 $CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail

 $CRYPTSETUP -q remove  $DEV_NAME || fail

 # 4k sector resize (if kernel supports it)

-echo $PWD1 | $CRYPTSETUP -q open --type plain $LOOPDEV $DEV_NAME --sector-size 4096 --size 8  >/dev/null 2>&1

+echo $PWD1 | $CRYPTSETUP -q open --type plain --hash sha256 $LOOPDEV $DEV_NAME --sector-size 4096 --size 8  >/dev/null 2>&1

 if [ $? -eq 0 ] ; then

 	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "8 sectors" || fail

 	$CRYPTSETUP -q resize  $DEV_NAME --size 16 || fail

@@ -567,7 +569,7 @@ if [ $? -eq 0 ] ; then

 fi

 # Resize not aligned to logical block size

 add_scsi_device dev_size_mb=32 sector_size=4096

-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV || fail

+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV || fail

 OLD_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/')

 $CRYPTSETUP resize $DEV_NAME -b 7 2> /dev/null && fail

 dmsetup info $DEV_NAME | grep -q SUSPENDED && fail

@@ -575,10 +577,10 @@ NEW_SIZE=$($CRYPTSETUP status $DEV_NAME

 test $OLD_SIZE -eq $NEW_SIZE || fail

 $CRYPTSETUP close $DEV_NAME || fail

 # Add check for unaligned plain crypt activation

-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV -b 7 2>/dev/null && fail

+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV -b 7 2>/dev/null && fail

 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail

 # verify is ignored on non-tty input

-echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --verify-passphrase 2>/dev/null || fail

+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --verify-passphrase 2>/dev/null || fail

 $CRYPTSETUP -q remove  $DEV_NAME || fail

 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size 255 2>/dev/null && fail

 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size -1 2>/dev/null && fail

@@ -695,15 +697,15 @@ $CRYPTSETUP luksChangeKey $LOOPDEV $FAST

 dmsetup remove --retry $DEV_NAME2

 prepare "[25] Create shared segments" wipe

-echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV  --hash sha1 --offset   0 --size 256 || fail

-echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 2>/dev/null && fail

-echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 --shared || fail

+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV  --hash sha256 --offset   0 --size 256 || fail

+echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 2>/dev/null && fail

+echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 --shared || fail

 $CRYPTSETUP -q remove  $DEV_NAME2 || fail

 $CRYPTSETUP -q remove  $DEV_NAME || fail

 prepare "[26] Suspend/Resume" wipe

 # only LUKS is supported

-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail

+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail

 $CRYPTSETUP luksSuspend $DEV_NAME 2>/dev/null && fail

 $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail

 $CRYPTSETUP -q remove  $DEV_NAME || fail

diff -rupN cryptsetup-2.4.3.old/tests/compat-test2 cryptsetup-2.4.3/tests/compat-test2

--- cryptsetup-2.4.3.old/tests/compat-test2	2022-02-17 16:37:09.541345973 +0100

+++ cryptsetup-2.4.3/tests/compat-test2	2022-02-17 16:37:29.158459775 +0100

@@ -774,7 +774,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q

 $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail

 $CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail

 # hash test

-$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha1 || fail

+$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha512 || fail

 $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 --hash sha256 || fail

 $CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail

 $CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail

diff -rupN cryptsetup-2.4.3.old/tests/discards-test cryptsetup-2.4.3/tests/discards-test

--- cryptsetup-2.4.3.old/tests/discards-test	2022-02-17 16:37:09.541345973 +0100

+++ cryptsetup-2.4.3/tests/discards-test	2022-02-17 16:37:29.158459775 +0100

@@ -80,7 +80,7 @@ dmsetup table $DEV_NAME | grep allow_dis

 $CRYPTSETUP luksClose $DEV_NAME || fail

 echo "[2] Allowing discards for plain device"

-echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha1 --allow-discards || fail

+echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha256 --allow-discards || fail

 $CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail

 $CRYPTSETUP resize $DEV_NAME --size 100 || fail

 $CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail

diff -rupN cryptsetup-2.4.3.old/tests/integrity-compat-test cryptsetup-2.4.3/tests/integrity-compat-test

--- cryptsetup-2.4.3.old/tests/integrity-compat-test	2022-02-17 16:37:09.542345979 +0100

+++ cryptsetup-2.4.3/tests/integrity-compat-test	2022-02-17 16:37:29.159459781 +0100

@@ -168,7 +168,7 @@ intformat() # alg alg_out tagsize outtag

 	echo -n "[FORMAT]"

 	$INTSETUP format --integrity-legacy-padding -q --integrity $1 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV >/dev/null 2>&1

 	if [ $? -ne 0 ] ; then

-		if [[ $1 =~ "sha" || $1 =~ "crc" ]] ; then

+		if [[ $1 =~ "sha2" || $1 =~ "crc" ]] ; then

 			fail "Cannot format device."

 		fi

 		echo "[N/A]"

@@ -214,7 +214,14 @@ int_error_detection() # mode alg tagsize

 	echo -n "[INTEGRITY:$1:$2:$4:$5]"

 	echo -n "[FORMAT]"

-	$INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null || fail "Cannot format device."

+	$INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null 2>&1

+	if [ $? -ne 0 ] ; then

+		if [[ $2 =~ "sha2" || $2 =~ "crc" ]] ; then

+			fail "Cannot format device."

+		fi

+		echo "[N/A]"

+		return

+	fi

 	echo -n "[ACTIVATE]"

 	$INTSETUP open $DEV $DEV_NAME --integrity $2 --integrity-no-journal $KEY_PARAMS $INT_MODE || fail "Cannot activate device."

diff -rupN cryptsetup-2.4.3.old/tests/keyring-compat-test cryptsetup-2.4.3/tests/keyring-compat-test

--- cryptsetup-2.4.3.old/tests/keyring-compat-test	2022-02-17 16:37:09.542345979 +0100

+++ cryptsetup-2.4.3/tests/keyring-compat-test	2022-02-17 16:39:07.132028140 +0100

@@ -119,7 +119,7 @@ add_device() {

 which dmsetup >/dev/null 2>&1 || skip "Cannot find dmsetup, test skipped"

 which keyctl >/dev/null 2>&1 || skip "Cannot find keyctl, test skipped"

 which xxd >/dev/null 2>&1 || skip "Cannot find xxd, test skipped"

-which sha1sum > /dev/null 2>&1 || skip "Cannot find sha1sum, test skipped"

+which sha256sum >/dev/null 2>&1 || skip "Cannot find sha256sum, test skipped"

 modprobe dm-crypt >/dev/null 2>&1 || fail "dm-crypt failed to load"

 dm_crypt_keyring_support || skip "dm-crypt doesn't support kernel keyring, test skipped."

@@ -132,23 +132,23 @@ dd if=/dev/urandom of=$DEV bs=1M count=$

 #test aes cipher with xts mode, plain IV

 echo -n "Testing $CIPHER_XTS_PLAIN..."

 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail

-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail

+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail

 dmsetup remove --retry $NAME || fail

 load_key "$HEXKEY_32" logon  $LOGON_KEY_32_OK "$TEST_KEYRING" || fail "Cannot load 32 byte logon key type"

 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN :32:logon:$LOGON_KEY_32_OK 0 $DEV 0" || fail

-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail

+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail

 dmsetup remove --retry $NAME || fail

 diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"

 # same test using message

 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail

-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail

+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail

 dmsetup remove --retry $NAME || fail

 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail

 dmsetup suspend $NAME || fail

 dmsetup message $NAME 0 key wipe || fail

 dmsetup message $NAME 0 "key set :32:logon:$LOGON_KEY_32_OK" || fail

 dmsetup resume $NAME || fail

-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail

+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail

 dmsetup remove --retry $NAME || fail

 diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"

 echo "OK"

@@ -156,23 +156,23 @@ echo "OK"

 #test aes cipher, xts mode, essiv IV

 echo -n "Testing $CIPHER_CBC_ESSIV..."

 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail

-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail

+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail

 dmsetup remove --retry $NAME || fail

 load_key "$HEXKEY_16" logon  $LOGON_KEY_16_OK "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type"

 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV :16:logon:$LOGON_KEY_16_OK 0 $DEV 0" || fail

-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail

+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail

 dmsetup remove --retry $NAME || fail

 diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"

 # same test using message

 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail

-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail

+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail

 dmsetup remove --retry $NAME || fail

 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail

 dmsetup suspend $NAME || fail

 dmsetup message $NAME 0 key wipe || fail

 dmsetup message $NAME 0 "key set :16:logon:$LOGON_KEY_16_OK" || fail

 dmsetup resume $NAME || fail

-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail

+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail

 dmsetup remove --retry $NAME || fail

 diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"

 echo "OK"

@@ -181,23 +181,23 @@ echo "OK"

 fips_mode || {

 echo -n "Testing $CIPHER_CBC_TCW..."

 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail

-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail

+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail

 dmsetup remove --retry $NAME || fail

 load_key "$HEXKEY_64" logon  $LOGON_KEY_64_OK "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type"

 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW :64:logon:$LOGON_KEY_64_OK 0 $DEV 0" || fail

-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail

+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail

 dmsetup remove --retry $NAME || fail

 diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksum mismatch (corruption)"

 # same test using message

 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail

-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail

+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail

 dmsetup remove --retry $NAME || fail

 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail

 dmsetup suspend $NAME || fail

 dmsetup message $NAME 0 key wipe || fail

 dmsetup message $NAME 0 "key set :64:logon:$LOGON_KEY_64_OK" || fail

 dmsetup resume $NAME || fail

-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail

+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail

 dmsetup remove --retry $NAME || fail

 diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"

 echo "OK"

@@ -207,10 +207,10 @@ echo -n "Test LUKS2 key refresh..."

 echo $PWD | $CRYPTSETUP luksFormat --type luks2 --luks2-metadata-size 16k --luks2-keyslots-size 4064k --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --force-password $DEV || fail

 echo $PWD | $CRYPTSETUP open $DEV $NAME || fail

 $CRYPTSETUP status $NAME | grep -q -i "location:.*keyring" || skip "LUKS2 can't use keyring. Test skipped."

-dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha1sum > $CHKS_KEYRING || fail

+dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha256sum > $CHKS_KEYRING || fail

 echo $PWD | $CRYPTSETUP refresh $NAME --disable-keyring || fail

 $CRYPTSETUP status $NAME | grep -q -i "location:.*keyring" && fail "Key is still in keyring"

-dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha1sum > $CHKS_DMCRYPT || fail

+dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha256sum > $CHKS_DMCRYPT || fail

 diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksum mismatch (corruption)"

 echo "OK"

diff -rupN cryptsetup-2.4.3.old/tests/password-hash-test cryptsetup-2.4.3/tests/password-hash-test

--- cryptsetup-2.4.3.old/tests/password-hash-test	2022-02-17 16:37:09.541345973 +0100

+++ cryptsetup-2.4.3/tests/password-hash-test	2022-02-17 16:37:29.160459787 +0100

@@ -75,7 +75,7 @@ crypt_key() # hash keysize pwd/file name

 	esac

 	# ignore these cases, not all libs/kernel supports it

-	if [ "$1" != "sha1" -a "$1" != "sha256" ] || [ $2 -gt 256 ] ; then

+	if [ "$1" != "sha256" ] || [ $2 -gt 256 ] ; then

 		if [ $ret -ne 0 ] ; then

 			echo " [N/A] ($ret, SKIPPED)"

 			return

diff -rupN cryptsetup-2.4.3.old/tests/reencryption-compat-test cryptsetup-2.4.3/tests/reencryption-compat-test

--- cryptsetup-2.4.3.old/tests/reencryption-compat-test	2022-02-17 16:37:09.541345973 +0100

+++ cryptsetup-2.4.3/tests/reencryption-compat-test	2022-02-17 16:37:29.160459787 +0100

@@ -338,7 +338,7 @@ simple_scsi_reenc "[4096/512 sector]"

 echo "[OK]"

 echo "[8] Header only reencryption (hash and iteration time)"

-echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha1 $FAST_PBKDF $LOOPDEV1 || fail

+echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha512 $FAST_PBKDF $LOOPDEV1 || fail

 wipe $PWD1

 check_hash $PWD1 $HASH1

 echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key || fail

diff -rupN cryptsetup-2.4.3.old/tests/verity-compat-test cryptsetup-2.4.3/tests/verity-compat-test

--- cryptsetup-2.4.3.old/tests/verity-compat-test	2022-02-17 16:37:09.541345973 +0100

+++ cryptsetup-2.4.3/tests/verity-compat-test	2022-02-17 16:37:29.161459793 +0100

@@ -148,7 +148,13 @@ function check_root_hash() # $1 size, $2

 	for fail in data hash; do

 	wipe

 	echo -n "V$4(sb=$sb root_hash_as_file=$root_hash_as_file) $5 block size $1: "

-	$VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT || fail

+	$VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT

+	if [ $? -ne 0 ] ; then

+		if [[ $1 =~ "sha2" ]] ; then

+			fail "Cannot format device."

+		fi

+		return

+	fi

 	echo -n "[root hash]"

 	compare_out "root hash" $2