diff --git a/.cryptsetup.metadata b/.cryptsetup.metadata
index b45bee0..65fb1bd 100644
--- a/.cryptsetup.metadata
+++ b/.cryptsetup.metadata
@@ -1 +1 @@
-a2590635ff89a7c2fdb2fbbaaecfb2a27617efef SOURCES/cryptsetup-2.0.6.tar.xz
+bb89099b839b962a13efacdd52d6ce6e408ca971 SOURCES/cryptsetup-2.2.0.tar.xz
diff --git a/.gitignore b/.gitignore
index 8ee04b7..51ae054 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/cryptsetup-2.0.6.tar.xz
+SOURCES/cryptsetup-2.2.0.tar.xz
diff --git a/SOURCES/cryptsetup-2.2.1-add-opt-io-size-parameter-to-LUKS2-reencrypt-test-de.patch b/SOURCES/cryptsetup-2.2.1-add-opt-io-size-parameter-to-LUKS2-reencrypt-test-de.patch
new file mode 100644
index 0000000..c95ca7e
--- /dev/null
+++ b/SOURCES/cryptsetup-2.2.1-add-opt-io-size-parameter-to-LUKS2-reencrypt-test-de.patch
@@ -0,0 +1,70 @@
+From 4862e22cd0ac9ed8395003c209d048889a009969 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Fri, 23 Aug 2019 16:34:33 +0200
+Subject: [PATCH 2/5] Add opt-io size parameter to LUKS2 reencrypt test device.
+
+So that we can test recovery is not broken for optimal io size
+optimization added to reencryption code.
+---
+ tests/luks2-reencryption-test | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
+index f88e7f1..558b8dd 100755
+--- a/tests/luks2-reencryption-test
++++ b/tests/luks2-reencryption-test
+@@ -244,15 +244,16 @@ function fix_writes() { # $1 dmdev, $2 data dev
+ }
+ 
+ function prepare_linear_dev() {
+-	if [ "$1" -gt 32 ]; then
+-		preparebig $1
++	local _sizemb=$1
++	shift
++
++	if [ "$_sizemb" -gt 32 ]; then
++		preparebig $_sizemb
+ 	else
+-		prepare dev_size_mb=$1
++		prepare dev_size_mb=$_sizemb $@
+ 	fi
+ 
+-	local _size=$(blockdev --getsz $DEV)
+-
+-	dmsetup create $OVRDEV --table "0 $_size linear $DEV 0" || fail
++	dmsetup create $OVRDEV --table "0 $((_sizemb*1024*2)) linear $DEV 0" || fail
+ 
+ 	OLD_DEV=$DEV
+ 	DEV=/dev/mapper/$OVRDEV
+@@ -875,7 +876,9 @@ if ! dm_delay_features; then
+ fi
+ 
+ echo "[6] Reencryption recovery"
+-prepare_linear_dev 32
++# (check opt-io size optimization in reencryption code does not affect recovery)
++# device with opt-io size 32k
++prepare_linear_dev 32 opt_blks=64 opt_xferlen_exp=6
+ OFFSET=8192
+ 
+ echo "sector size 512->512"
+@@ -957,7 +960,7 @@ if [ -n "$DM_SECTOR_SIZE" ]; then
+ fi
+ 
+ echo "[8] Reencryption with detached header recovery"
+-prepare_linear_dev 31
++prepare_linear_dev 31 opt_blks=64 opt_xferlen_exp=6
+ 
+ echo "sector size 512->512"
+ 
+@@ -1076,7 +1079,7 @@ if [ -n "$DM_SECTOR_SIZE" ]; then
+ fi
+ 
+ echo "[12] Encryption with detached header recovery"
+-prepare_linear_dev 31
++prepare_linear_dev 31 opt_blks=64 opt_xferlen_exp=6
+ 
+ get_error_offsets 31 0
+ 
+-- 
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.2.1-fix-mapped-segments-overflow-on-32bit-architectures.patch b/SOURCES/cryptsetup-2.2.1-fix-mapped-segments-overflow-on-32bit-architectures.patch
new file mode 100644
index 0000000..2a54dd5
--- /dev/null
+++ b/SOURCES/cryptsetup-2.2.1-fix-mapped-segments-overflow-on-32bit-architectures.patch
@@ -0,0 +1,158 @@
+From 8f8f0b3258152a260c6a40be89b485f943f81484 Mon Sep 17 00:00:00 2001
+From: Milan Broz <gmazyland@gmail.com>
+Date: Mon, 26 Aug 2019 10:01:17 +0200
+Subject: [PATCH] Fix mapped segments overflow on 32bit architectures.
+
+All set_segment funcions must use uin64_t everywhere,
+not size_t that is platform dependent.
+
+The code later uses it correctly, it is just wrong function
+prototype definitions.
+
+Reported in
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935702
+
+(TODO: add a test for other segment types.)
+---
+ lib/libdevmapper.c          | 12 ++++++------
+ lib/utils_dm.h              | 12 ++++++------
+ tests/integrity-compat-test | 26 ++++++++++++++++++++++++++
+ 3 files changed, 38 insertions(+), 12 deletions(-)
+
+diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
+index e92ceda..9c40bb1 100644
+--- a/lib/libdevmapper.c
++++ b/lib/libdevmapper.c
+@@ -2759,9 +2759,9 @@ int dm_is_dm_kernel_name(const char *name)
+ 	return strncmp(name, "dm-", 3) ? 0 : 1;
+ }
+ 
+-int dm_crypt_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
++int dm_crypt_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
+ 	struct device *data_device, struct volume_key *vk, const char *cipher,
+-	size_t iv_offset, size_t data_offset, const char *integrity, uint32_t tag_size,
++	uint64_t iv_offset, uint64_t data_offset, const char *integrity, uint32_t tag_size,
+ 	uint32_t sector_size)
+ {
+ 	int r = -EINVAL;
+@@ -2800,7 +2800,7 @@ err:
+ 	return r;
+ }
+ 
+-int dm_verity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
++int dm_verity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
+ 	struct device *data_device, struct device *hash_device, struct device *fec_device,
+ 	const char *root_hash, uint32_t root_hash_size, uint64_t hash_offset_block,
+ 	uint64_t hash_blocks, struct crypt_params_verity *vp)
+@@ -2826,7 +2826,7 @@ int dm_verity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_si
+ 	return 0;
+ }
+ 
+-int dm_integrity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
++int dm_integrity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
+ 			struct device *meta_device,
+ 		        struct device *data_device, uint64_t tag_size, uint64_t offset,
+ 			uint32_t sector_size, struct volume_key *vk,
+@@ -2865,8 +2865,8 @@ int dm_integrity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg
+ 	return 0;
+ }
+ 
+-int dm_linear_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
+-	struct device *data_device, size_t data_offset)
++int dm_linear_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
++	struct device *data_device, uint64_t data_offset)
+ {
+ 	if (!data_device)
+ 		return -EINVAL;
+diff --git a/lib/utils_dm.h b/lib/utils_dm.h
+index 4a1e1d3..124a1c7 100644
+--- a/lib/utils_dm.h
++++ b/lib/utils_dm.h
+@@ -168,22 +168,22 @@ void dm_backend_exit(struct crypt_device *cd);
+ int dm_targets_allocate(struct dm_target *first, unsigned count);
+ void dm_targets_free(struct crypt_device *cd, struct crypt_dm_active_device *dmd);
+ 
+-int dm_crypt_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
++int dm_crypt_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
+ 	struct device *data_device, struct volume_key *vk, const char *cipher,
+-	size_t iv_offset, size_t data_offset, const char *integrity,
++	uint64_t iv_offset, uint64_t data_offset, const char *integrity,
+ 	uint32_t tag_size, uint32_t sector_size);
+-int dm_verity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
++int dm_verity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
+ 	struct device *data_device, struct device *hash_device, struct device *fec_device,
+ 	const char *root_hash, uint32_t root_hash_size, uint64_t hash_offset_block,
+ 	uint64_t hash_blocks, struct crypt_params_verity *vp);
+-int dm_integrity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
++int dm_integrity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
+ 	struct device *meta_device,
+ 	struct device *data_device, uint64_t tag_size, uint64_t offset, uint32_t sector_size,
+ 	struct volume_key *vk,
+ 	struct volume_key *journal_crypt_key, struct volume_key *journal_mac_key,
+ 	const struct crypt_params_integrity *ip);
+-int dm_linear_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
+-	struct device *data_device, size_t data_offset);
++int dm_linear_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
++	struct device *data_device, uint64_t data_offset);
+ 
+ int dm_remove_device(struct crypt_device *cd, const char *name, uint32_t flags);
+ int dm_status_device(struct crypt_device *cd, const char *name);
+diff --git a/tests/integrity-compat-test b/tests/integrity-compat-test
+index 5f2c14e..836975d 100755
+--- a/tests/integrity-compat-test
++++ b/tests/integrity-compat-test
+@@ -9,6 +9,8 @@ INTSETUP_VALGRIND=../.libs/integritysetup
+ INTSETUP_LIB_VALGRIND=../.libs
+ 
+ DEV_NAME=dmc_test
++DEV_NAME_BIG=dmc_fake
++DEV_LOOP=""
+ DEV=test123.img
+ DEV2=test124.img
+ KEY_FILE=key.img
+@@ -20,6 +22,9 @@ dmremove() { # device
+ 
+ cleanup() {
+ 	[ -b /dev/mapper/$DEV_NAME ] && dmremove $DEV_NAME
++	[ -b /dev/mapper/$DEV_NAME_BIG ] && dmremove $DEV_NAME_BIG
++	[ -n "$DEV_LOOP" ] && losetup -d "$DEV_LOOP"
++	DEV_LOOP=""
+ 	rm -f $DEV $DEV2 $KEY_FILE >/dev/null 2>&1
+ }
+ 
+@@ -292,6 +297,7 @@ int_mode() # alg tag_size sector_size [keyfile keysize]
+ 
+ [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
+ [ ! -x "$INTSETUP" ] && skip "Cannot find $INTSETUP, test skipped."
++which blockdev >/dev/null || skip "Cannot find blockdev utility, test skipped."
+ 
+ [ -n "$VALG" ] && valgrind_setup && INTSETUP=valgrind_run
+ which hexdump >/dev/null 2>&1 || skip "WARNING: hexdump tool required."
+@@ -389,4 +395,24 @@ else
+ 	echo "[N/A]"
+ fi
+ 
++echo -n "Big device:"
++add_device
++DEV_LOOP=$(losetup -f $DEV --show)
++if [ -n "$DEV_LOOP" ] ; then
++dmsetup create $DEV_NAME_BIG <<EOF
++0 16284 linear $DEV_LOOP 0
++16284 80000000000 zero
++EOF
++	[ ! -b /dev/mapper/$DEV_NAME_BIG ] && fail
++	$INTSETUP format -q -s 512 --no-wipe /dev/mapper/$DEV_NAME_BIG
++	$INTSETUP open /dev/mapper/$DEV_NAME_BIG $DEV_NAME || fail
++	D_SIZE=$($INTSETUP dump /dev/mapper/$DEV_NAME_BIG | grep provided_data_sectors | sed -e 's/.*provided_data_sectors\ \+//g')
++	A_SIZE=$(blockdev --getsz /dev/mapper/$DEV_NAME)
++	# Compare strings (to avoid 64bit integers), not integers
++	[ -n "$A_SIZE" -a "$D_SIZE" != "$A_SIZE" ] && fail
++	echo "[OK]"
++else
++	echo "[N/A]"
++fi
++
+ cleanup
+-- 
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.2.1-take-optimal-io-size-in-account-with-LUKS2-reencrypt.patch b/SOURCES/cryptsetup-2.2.1-take-optimal-io-size-in-account-with-LUKS2-reencrypt.patch
new file mode 100644
index 0000000..79bbeda
--- /dev/null
+++ b/SOURCES/cryptsetup-2.2.1-take-optimal-io-size-in-account-with-LUKS2-reencrypt.patch
@@ -0,0 +1,65 @@
+From d13a6f7487eb7519bc1e4302085b21ca98afabc0 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Thu, 22 Aug 2019 17:05:43 +0200
+Subject: [PATCH 1/5] Take optimal io size in account with LUKS2 reencryption.
+
+If device properly exposes optimal io size, let's align
+reencryption hotzone to it. Otherwise device-mapper driver
+complaints about misaligned tables and reencryption performance
+is not optimal.
+---
+ lib/luks2/luks2_reencrypt.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c
+index 1d70aaf..1f5eb5f 100644
+--- a/lib/luks2/luks2_reencrypt.c
++++ b/lib/luks2/luks2_reencrypt.c
+@@ -817,8 +817,13 @@ static int reencrypt_offset(struct luks2_hdr *hdr,
+ 	return -EINVAL;
+ }
+ 
+-static uint64_t reencrypt_length(struct luks2_hdr *hdr, struct luks2_reenc_context *rh, uint64_t keyslot_area_length, uint64_t length_max)
++static uint64_t reencrypt_length(struct crypt_device *cd,
++		struct luks2_hdr *hdr,
++		struct luks2_reenc_context *rh,
++		uint64_t keyslot_area_length,
++		uint64_t length_max)
+ {
++	unsigned long dummy, optimal_alignment;
+ 	uint64_t length;
+ 
+ 	if (rh->rp.type == REENC_PROTECTION_NONE)
+@@ -835,6 +840,20 @@ static uint64_t reencrypt_length(struct luks2_hdr *hdr, struct luks2_reenc_conte
+ 
+ 	length -= (length % rh->alignment);
+ 
++	/* Emits error later */
++	if (!length)
++		return length;
++
++	device_topology_alignment(cd, crypt_data_device(cd), &optimal_alignment, &dummy, length);
++
++	/* we have to stick with encryption sector size alignment */
++	if (optimal_alignment % rh->alignment)
++		return length;
++
++	/* align to opt-io size only if remaining size allows it */
++	if (length > optimal_alignment)
++		length -= (length % optimal_alignment);
++
+ 	return length;
+ }
+ 
+@@ -920,7 +939,7 @@ static int reencrypt_context_init(struct crypt_device *cd, struct luks2_hdr *hdr
+ 	} else
+ 		rh->fixed_length = false;
+ 
+-	rh->length = reencrypt_length(hdr, rh, area_length, params->max_hotzone_size << SECTOR_SHIFT);
++	rh->length = reencrypt_length(cd, hdr, rh, area_length, params->max_hotzone_size << SECTOR_SHIFT);
+ 	if (reencrypt_offset(hdr, rh->direction, device_size, &rh->length, &rh->offset)) {
+ 		log_dbg(cd, "Failed to get reencryption offset.");
+ 		return -EINVAL;
+-- 
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-disable-luks2-integrity-test-until-next-usptream-rel.patch b/SOURCES/cryptsetup-disable-luks2-integrity-test-until-next-usptream-rel.patch
deleted file mode 100644
index aed5fc9..0000000
--- a/SOURCES/cryptsetup-disable-luks2-integrity-test-until-next-usptream-rel.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 620f0cc8c0b69f9c9c56b5d13f3411f217ae9925 Mon Sep 17 00:00:00 2001
-From: Ondrej Kozina <okozina@redhat.com>
-Date: Wed, 8 Aug 2018 11:40:55 +0200
-Subject: [PATCH 6/7] Disable luks2-integrity-test until next usptream release.
-
----
- tests/luks2-integrity-test | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/tests/luks2-integrity-test b/tests/luks2-integrity-test
-index 0b7ddf0..d69df1c 100755
---- a/tests/luks2-integrity-test
-+++ b/tests/luks2-integrity-test
-@@ -114,6 +114,7 @@ intformat() # alg integrity integrity_out key_size int_key_size sector_size csum
- }
- 
- 
-+skip "WARNING: This test can't be run with current build due to some hard coded values bound to old LUKS2 header size."
- [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
- [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
- modprobe dm-integrity >/dev/null 2>&1
--- 
-1.8.3.1
-
diff --git a/SOURCES/cryptsetup-disable-verity-compat-test.patch b/SOURCES/cryptsetup-disable-verity-compat-test.patch
new file mode 100644
index 0000000..efc3363
--- /dev/null
+++ b/SOURCES/cryptsetup-disable-verity-compat-test.patch
@@ -0,0 +1,13 @@
+diff --git a/tests/Makefile.localtest b/tests/Makefile.localtest
+index 29a62f3..da2183e 100644
+--- a/tests/Makefile.localtest
++++ b/tests/Makefile.localtest
+@@ -5,7 +5,7 @@
+ CPPFLAGS=-I../lib/ -I../lib/luks1 -DHAVE_DECL_DM_TASK_RETRY_REMOVE -DKERNEL_KEYRING -DHAVE_SYS_SYSMACROS_H -DNO_CRYPTSETUP_PATH
+ CFLAGS=-O2 -g -Wall
+ LDLIBS=-lcryptsetup -ldevmapper
+-TESTS=$(wildcard *-test *-test2) api-test api-test-2
++TESTS=$(filter-out verity-compat-test, $(wildcard *-test *-test2)) api-test api-test-2
+ 
+ differ: differ.o
+ 	$(CC) -o $@ $^
diff --git a/SOURCES/cryptsetup-increase-default-LUKS2-header-size-to-8MiBs.patch b/SOURCES/cryptsetup-increase-default-LUKS2-header-size-to-8MiBs.patch
deleted file mode 100644
index 76e86a7..0000000
--- a/SOURCES/cryptsetup-increase-default-LUKS2-header-size-to-8MiBs.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 18ec689f77a66f4d0632ee2829efccb542ba5f3b Mon Sep 17 00:00:00 2001
-From: Ondrej Kozina <okozina@redhat.com>
-Date: Fri, 3 Aug 2018 15:42:00 +0200
-Subject: [PATCH 7/7] Increase default LUKS2 header size to 8MiBs.
-
----
- lib/luks2/luks2.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/luks2/luks2.h b/lib/luks2/luks2.h
-index 2a49618..892e847 100644
---- a/lib/luks2/luks2.h
-+++ b/lib/luks2/luks2.h
-@@ -124,7 +124,7 @@ struct luks2_keyslot_params {
- 
- #define LUKS2_HDR_BIN_LEN sizeof(struct luks2_hdr_disk)
- 
--#define LUKS2_HDR_DEFAULT_LEN 0x400000 /* 4 MiB */
-+#define LUKS2_HDR_DEFAULT_LEN 0x800000 /* 8 MiB */
- 
- #define LUKS2_MAX_KEYSLOTS_SIZE 0x8000000 /* 128 MiB */
- 
--- 
-1.8.3.1
-
diff --git a/SOURCES/cryptsetup-make-align-test-ready-for-larger-LUKS2-hdr.patch b/SOURCES/cryptsetup-make-align-test-ready-for-larger-LUKS2-hdr.patch
deleted file mode 100644
index 735c608..0000000
--- a/SOURCES/cryptsetup-make-align-test-ready-for-larger-LUKS2-hdr.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -rupN cryptsetup-2.0.6.old/tests/align-test2 cryptsetup-2.0.6/tests/align-test2
---- cryptsetup-2.0.6.old/tests/align-test2	2018-12-03 12:53:41.293185399 +0100
-+++ cryptsetup-2.0.6/tests/align-test2	2018-12-03 12:54:27.821936718 +0100
-@@ -9,7 +9,9 @@ PWD1="93R4P4pIqAH8"
- PWD2="mymJeD8ivEhE"
- FAST_PBKDF="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
- 
--EXPCT=8192
-+# FIXME: we need some sane API to get this information. This is hack.
-+LUKS2_HDR_DEFAULT_LEN=$(grep -e "#define LUKS2_HDR_DEFAULT_LEN" ../lib/luks2/luks2.h | cut -d ' ' -f 3)
-+EXPCT=$((LUKS2_HDR_DEFAULT_LEN/512))
- 
- cleanup() {
- 	udevadm settle >/dev/null 2>&1
diff --git a/SOURCES/cryptsetup-make-api-test-2-default-LUKS2-hdr-size-aware.patch b/SOURCES/cryptsetup-make-api-test-2-default-LUKS2-hdr-size-aware.patch
deleted file mode 100644
index 67192f7..0000000
--- a/SOURCES/cryptsetup-make-api-test-2-default-LUKS2-hdr-size-aware.patch
+++ /dev/null
@@ -1,439 +0,0 @@
-diff -rupN cryptsetup-2.0.4.old/tests/api-test-2.c cryptsetup-2.0.4/tests/api-test-2.c
---- cryptsetup-2.0.4.old/tests/api-test-2.c	2018-08-08 14:05:02.000387826 +0200
-+++ cryptsetup-2.0.4/tests/api-test-2.c	2018-08-08 14:05:35.946311814 +0200
-@@ -41,6 +41,7 @@ typedef int32_t key_serial_t;
- 
- #include "api_test.h"
- #include "luks.h"
-+#include "luks2.h"
- #include "libcryptsetup.h"
- 
- #define DMDIR "/dev/mapper/"
-@@ -165,31 +166,18 @@ static unsigned _min(unsigned a, unsigne
- 	return a < b ? a : b;
- }
- 
--/* FIXME: will fail with various LUKS2 header sizes */
--static int get_luks2_offsets(int metadata_device,
--			    unsigned int alignpayload_sec,
--			    unsigned int alignoffset_sec, /* unused in LUKS2, bug? */
--			    unsigned int sector_size,
-+static int get_luks2_offsets(unsigned int alignpayload_sec,
- 			    uint64_t *r_header_size,
- 			    uint64_t *r_payload_offset)
- {
--	if (!sector_size)
--		sector_size = 512; /* default? */
--
--	if ((sector_size % 512) && (sector_size % 4096))
--		return -1;
--
- 	if (r_payload_offset) {
--		if (metadata_device)
--			*r_payload_offset = DIV_ROUND_UP_MODULO(4*1024*1024, (alignpayload_sec ?: 1) * sector_size);
--		else
--			*r_payload_offset = alignpayload_sec * sector_size;
-+			*r_payload_offset = DIV_ROUND_UP_MODULO(LUKS2_HDR_DEFAULT_LEN, (alignpayload_sec ?: 1) * SECTOR_SIZE);
- 
--		*r_payload_offset /= sector_size;
-+		*r_payload_offset >>= SECTOR_SHIFT;
- 	}
- 
- 	if (r_header_size)
--		*r_header_size = (4*1024*1024) / sector_size;
-+		*r_header_size = LUKS2_HDR_DEFAULT_LEN >> SECTOR_SHIFT;
- 
- 	return 0;
- }
-@@ -585,7 +573,7 @@ static void AddDeviceLuks2(void)
- 	crypt_decode_key(key3, mk_hex2, key_size);
- 
- 	// init test devices
--	OK_(get_luks2_offsets(1, 0, 0, 0, &r_header_size, &r_payload_offset));
-+	OK_(get_luks2_offsets(0, &r_header_size, &r_payload_offset));
- 	OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size));
- 	OK_(create_dmdevice_over_loop(H_DEVICE_WRONG, r_header_size - 1));
- 
-@@ -613,8 +601,8 @@ static void AddDeviceLuks2(void)
- 	/*
- 	 * test limit values for backing device size
- 	 */
--	params.data_alignment = 8192;
--	OK_(get_luks2_offsets(0, params.data_alignment, 0, 0, NULL, &r_payload_offset));
-+	params.data_alignment = LUKS2_HDR_DEFAULT_LEN >> SECTOR_SHIFT;
-+	OK_(get_luks2_offsets(params.data_alignment, NULL, &r_payload_offset));
- 	OK_(create_dmdevice_over_loop(L_DEVICE_0S, r_payload_offset));
- 	OK_(create_dmdevice_over_loop(L_DEVICE_1S, r_payload_offset + 1));
- 	OK_(create_dmdevice_over_loop(L_DEVICE_WRONG, r_payload_offset - 1));
-@@ -767,7 +755,7 @@ static void AddDeviceLuks2(void)
- 	OK_(strcmp(cipher, crypt_get_cipher(cd)));
- 	OK_(strcmp(cipher_mode, crypt_get_cipher_mode(cd)));
- 	EQ_((int)key_size, crypt_get_volume_key_size(cd));
--	EQ_(8192, crypt_get_data_offset(cd));
-+	EQ_((LUKS2_HDR_DEFAULT_LEN >> SECTOR_SHIFT), crypt_get_data_offset(cd));
- 	OK_(strcmp(DEVICE_2, crypt_get_device_name(cd)));
- 
- 	reset_log();
-@@ -809,7 +797,7 @@ static void AddDeviceLuks2(void)
- 	FAIL_(crypt_keyslot_add_by_volume_key(cd, 1, key, key_size, PASSPHRASE, strlen(PASSPHRASE)), "VK doesn't match any digest");
- 	crypt_free(cd);
- 
--	OK_(create_dmdevice_over_loop(L_DEVICE_1S, 8193));
-+	OK_(create_dmdevice_over_loop(L_DEVICE_1S, (LUKS2_HDR_DEFAULT_LEN >> SECTOR_SHIFT) + 1));
- 	OK_(crypt_init(&cd, DMDIR L_DEVICE_1S));
- 	crypt_set_iteration_time(cd, 1);
- 	OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, key, key_size, NULL));
-@@ -900,7 +888,7 @@ static void Luks2HeaderRestore(void)
- 
- 	crypt_decode_key(key, mk_hex, key_size);
- 
--	OK_(get_luks2_offsets(0, params.data_alignment, 0, 0, NULL, &r_payload_offset));
-+	OK_(get_luks2_offsets(params.data_alignment, NULL, &r_payload_offset));
- 	OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 5000));
- 
- 	// do not restore header over plain device
-@@ -976,18 +964,20 @@ static void Luks2HeaderLoad(void)
- 	size_t key_size = strlen(mk_hex) / 2;
- 	const char *cipher = "aes";
- 	const char *cipher_mode = "cbc-essiv:sha256";
--	uint64_t r_payload_offset, r_header_size;
-+	uint64_t r_payload_offset, r_header_size, r_header_size_compat;
- 
- 	crypt_decode_key(key, mk_hex, key_size);
- 
- 	// prepare test env
--	OK_(get_luks2_offsets(0, params.data_alignment, 0, 0, &r_header_size, &r_payload_offset));
-+	OK_(t_device_size(IMAGE1, &r_header_size_compat));
-+	r_header_size_compat >>= SECTOR_SHIFT;
-+	OK_(get_luks2_offsets(params.data_alignment, &r_header_size, &r_payload_offset));
- 	// external header device
- 	OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size));
- 	// prepared header on a device too small to contain header and payload
--	//OK_(create_dmdevice_over_loop(H_DEVICE_WRONG, r_payload_offset - 1));
--	OK_(create_dmdevice_over_loop(H_DEVICE_WRONG, r_header_size - 1));
--	snprintf(cmd, sizeof(cmd), "dd if=" IMAGE1 " of=" DMDIR H_DEVICE_WRONG " bs=%" PRIu32 " count=%" PRIu64 " 2>/dev/null", params.sector_size, r_header_size - 1);
-+	// compatimage2.img contains one sector of data. to create wrong device we need one sector less than the header size
-+	OK_(create_dmdevice_over_loop(H_DEVICE_WRONG, r_header_size_compat - 2));
-+	snprintf(cmd, sizeof(cmd), "dd if=" IMAGE1 " of=" DMDIR H_DEVICE_WRONG " bs=%" PRIu32 " count=%" PRIu64 " 2>/dev/null", params.sector_size, r_header_size_compat - 2);
- 	OK_(_system(cmd, 1));
- 	// some device
- 	OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1000));
-@@ -1092,7 +1082,7 @@ static void Luks2HeaderBackup(void)
- 
- 	crypt_decode_key(key, mk_hex, key_size);
- 
--	OK_(get_luks2_offsets(0, params.data_alignment, 0, 0, NULL, &r_payload_offset));
-+	OK_(get_luks2_offsets(params.data_alignment, NULL, &r_payload_offset));
- 	OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1));
- 
- 	// create LUKS device and backup the header
-@@ -1180,8 +1170,8 @@ static void ResizeDeviceLuks2(void)
- 	crypt_decode_key(key, mk_hex, key_size);
- 
- 	// prepare env
--	OK_(get_luks2_offsets(0, params.data_alignment, 0, 0, NULL, &r_payload_offset));
--	OK_(get_luks2_offsets(1, 0, 0, 0, &r_header_size, NULL));
-+	OK_(get_luks2_offsets(params.data_alignment, NULL, &r_payload_offset));
-+	OK_(get_luks2_offsets(0, &r_header_size, NULL));
- 	OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size));
- 	OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1000));
- 	OK_(create_dmdevice_over_loop(L_DEVICE_0S, 1000));
-@@ -1303,7 +1293,7 @@ static void TokenActivationByKeyring(voi
- 	}
- 
- 	// prepare the device
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	crypt_set_iteration_time(cd, 1);
- 	OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL));
- 	EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0);
-@@ -1312,7 +1302,7 @@ static void TokenActivationByKeyring(voi
- 	crypt_free(cd);
- 
- 	// test thread keyring key in token 0
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
- 	EQ_(crypt_activate_by_token(cd, CDEVICE_1, 3, NULL, 0), 0);
- 	FAIL_(crypt_activate_by_token(cd, CDEVICE_1, 3, NULL, 0), "already open");
-@@ -1331,7 +1321,7 @@ static void TokenActivationByKeyring(voi
- 	}
- 
- 	// add token 1 with process keyring key
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
- 	EQ_(crypt_token_json_set(cd, 3, NULL), 3);
- 	EQ_(crypt_token_luks2_keyring_set(cd, 1, &params), 1);
-@@ -1339,7 +1329,7 @@ static void TokenActivationByKeyring(voi
- 	crypt_free(cd);
- 
- 	// test process keyring key in token 1
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
- 	EQ_(crypt_activate_by_token(cd, CDEVICE_1, 1, NULL, 0), 0);
- 	FAIL_(crypt_activate_by_token(cd, CDEVICE_1, 1, NULL, 0), "already open");
-@@ -1364,7 +1354,7 @@ static void TokenActivationByKeyring(voi
- 		exit(1);
- 	}
- 
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
- 	EQ_(crypt_token_luks2_keyring_set(cd, 0, &params), 0);
- 	EQ_(crypt_token_assign_keyslot(cd, 0, 0), 0);
-@@ -1376,7 +1366,7 @@ static void TokenActivationByKeyring(voi
- 	crypt_free(cd);
- 
- 	// activate by specific token
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
- 	EQ_(crypt_activate_by_token(cd, CDEVICE_1, 0, NULL, 0), 0);
- 	OK_(crypt_deactivate(cd, CDEVICE_1));
-@@ -1390,7 +1380,7 @@ static void TokenActivationByKeyring(voi
- 	}
- 
- 	// activate by any token with token 0 having absent pass from keyring
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
- 	EQ_(crypt_activate_by_token(cd, CDEVICE_1, CRYPT_ANY_TOKEN, NULL, 0), 1);
- 	OK_(crypt_deactivate(cd, CDEVICE_1));
-@@ -1403,7 +1393,7 @@ static void TokenActivationByKeyring(voi
- 	}
- 
- 	// replace pass for keyslot 0 making token 0 invalid
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
- 	OK_(crypt_keyslot_destroy(cd, 0));
- 	crypt_set_iteration_time(cd, 1);
-@@ -1411,7 +1401,7 @@ static void TokenActivationByKeyring(voi
- 	crypt_free(cd);
- 
- 	// activate by any token with token 0 having wrong pass for keyslot 0
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
- 	EQ_(crypt_activate_by_token(cd, CDEVICE_1, CRYPT_ANY_TOKEN, NULL, 0), 1);
- 	OK_(crypt_deactivate(cd, CDEVICE_1));
-@@ -1420,7 +1410,7 @@ static void TokenActivationByKeyring(voi
- 	 // create new device, with two tokens:
- 	 // 1st token being invalid (missing key in keyring)
- 	 // 2nd token can activate keyslot 1 after failing to do so w/ keyslot 0 (wrong pass)
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	crypt_set_iteration_time(cd, 1);
- 	OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL));
- 	EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0);
-@@ -1442,7 +1432,7 @@ static void TokenActivationByKeyring(voi
- 		exit(1);
- 	}
- 
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
- 	EQ_(crypt_activate_by_token(cd, CDEVICE_1, CRYPT_ANY_TOKEN, NULL, 0), 1);
- 	OK_(crypt_deactivate(cd, CDEVICE_1));
-@@ -1507,7 +1497,7 @@ static void Tokens(void)
- 	FAIL_(crypt_token_register(&th_reserved), "luks2- is reserved prefix");
- 
- 	// basic token API tests
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	crypt_set_iteration_time(cd, 1);
- 	OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL));
- 	EQ_(crypt_token_status(cd, -1, NULL), CRYPT_TOKEN_INVALID);
-@@ -1706,7 +1696,7 @@ static void LuksConvert(void)
- 	crypt_free(cd);
- 
- 	// exercice non-pbkdf2 LUKSv2 conversion
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL));
- 	OK_(crypt_set_pbkdf_type(cd, &argon));
- 	EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0);
-@@ -1714,7 +1704,7 @@ static void LuksConvert(void)
- 	crypt_free(cd);
- 
- 	// exercice non LUKS1 compatible keyslot
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, &luks2));
- 	EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0);
- 	EQ_(crypt_keyslot_add_by_key(cd, 1, NULL, 32, PASSPHRASE1, strlen(PASSPHRASE1), CRYPT_VOLUME_KEY_NO_SEGMENT), 1);
-@@ -1723,7 +1713,7 @@ static void LuksConvert(void)
- 	crypt_free(cd);
- 
- 	// exercice LUKSv2 conversion with single pbkdf2 keyslot being active
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL));
- 	offset = crypt_get_data_offset(cd);
- 	OK_(crypt_set_pbkdf_type(cd, &pbkdf2));
-@@ -1731,13 +1721,13 @@ static void LuksConvert(void)
- 	OK_(crypt_convert(cd, CRYPT_LUKS1, NULL));
- 	EQ_(crypt_get_data_offset(cd), offset);
- 	crypt_free(cd);
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	OK_(crypt_load(cd, CRYPT_LUKS, NULL));
- 	EQ_(crypt_get_data_offset(cd), offset);
- 	crypt_free(cd);
- 
- 	// do not allow conversion on keyslot No > 7
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, &luks2));
- 	EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0);
- 	EQ_(crypt_keyslot_add_by_volume_key(cd, 8, NULL, 32, PASSPHRASE1, strlen(PASSPHRASE1)), 8);
-@@ -1745,14 +1735,14 @@ static void LuksConvert(void)
- 	crypt_free(cd);
- 
- 	// do not allow conversion with token
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, &luks2));
- 	OK_(crypt_token_json_set(cd, CRYPT_ANY_TOKEN, json));
- 	FAIL_(crypt_convert(cd, CRYPT_LUKS1, NULL), "Can't convert header with token.");
- 	crypt_free(cd);
- 
- 	// should be enough for both luks1 and luks2 devices with all vk lengths
--	OK_(get_luks2_offsets(1, 0, 0, 0, NULL, &r_payload_offset));
-+	OK_(get_luks2_offsets(0, NULL, &r_payload_offset));
- 	OK_(create_dmdevice_over_loop(L_DEVICE_1S, r_payload_offset + 1));
- 
- 	// do not allow conversion for legacy luks1 device (non-aligned keyslot offset)
-@@ -2202,7 +2192,7 @@ static void Pbkdf(void)
- 
- 	// test LUKSv2 device
- 	// test default values are set
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	OK_(crypt_format(cd, CRYPT_LUKS2, cipher, mode, NULL, NULL, 32, NULL));
- 	NOTNULL_(pbkdf = crypt_get_pbkdf_type(cd));
- 	OK_(strcmp(pbkdf->type, DEFAULT_LUKS2_PBKDF));
-@@ -2259,7 +2249,7 @@ static void Pbkdf(void)
- 	FAIL_(crypt_set_pbkdf_type(cd, &pbkdf2), "Unknown hash member");
- 	crypt_free(cd);
- 	// test whether crypt_get_pbkdf_type() behaves accordingly after second crypt_load() call
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	OK_(crypt_load(cd, CRYPT_LUKS, NULL));
- 	NOTNULL_(pbkdf = crypt_get_pbkdf_type(cd));
- 	OK_(strcmp(pbkdf->type, DEFAULT_LUKS2_PBKDF));
-@@ -2277,7 +2267,7 @@ static void Pbkdf(void)
- 	crypt_free(cd);
- 
- 	// test crypt_set_pbkdf_type() overwrites invalid value set by crypt_set_iteration_time()
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	crypt_set_iteration_time(cd, 0);
- 	OK_(crypt_set_pbkdf_type(cd, &argon2));
- 	NOTNULL_(pbkdf = crypt_get_pbkdf_type(cd));
-@@ -2352,7 +2342,7 @@ static void Luks2KeyslotAdd(void)
- 	crypt_decode_key(key2, mk_hex2, key_size);
- 
- 	/* test crypt_keyslot_add_by_key */
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	crypt_set_iteration_time(cd, 1);
- 	OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, key, key_size, NULL));
- 	EQ_(crypt_keyslot_add_by_key(cd, 1, key2, key_size, PASSPHRASE1, strlen(PASSPHRASE1), CRYPT_VOLUME_KEY_NO_SEGMENT), 1);
-@@ -2432,7 +2422,7 @@ static void Luks2ActivateByKeyring(void)
- 	}
- 
- 	// prepare the device
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	crypt_set_iteration_time(cd, 1);
- 	OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL));
- 	EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0);
-@@ -2442,7 +2432,7 @@ static void Luks2ActivateByKeyring(void)
- 
- 	// FIXME: all following tests work as expected but most error messages are missing
- 	// check activate by keyring works exactly same as by passphrase
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
- 	EQ_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, 0), 0);
- 	EQ_(crypt_activate_by_keyring(cd, CDEVICE_1, KEY_DESC_TEST0, 0, 0), 0);
-@@ -2472,7 +2462,7 @@ static void Luks2ActivateByKeyring(void)
- 		exit(1);
- 	}
- 
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
- 	FAIL_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, CRYPT_ANY_SLOT, 0), "no such key in keyring");
- 	FAIL_(crypt_activate_by_keyring(cd, CDEVICE_1, KEY_DESC_TEST0, CRYPT_ANY_SLOT, 0), "no such key in keyring");
-@@ -2718,7 +2708,7 @@ static void Luks2Requirements(void)
- 	OK_(crypt_activate_by_token(cd, NULL, 1, NULL, 0));
- 	OK_(crypt_activate_by_token(cd, NULL, 1, NULL, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
- #endif
--	OK_(get_luks2_offsets(1, 8192, 0, 0, NULL, &r_payload_offset));
-+	OK_(get_luks2_offsets(8192, NULL, &r_payload_offset));
- 	OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 2));
- 	//OK_(_system("dd if=" NO_REQS_LUKS2_HEADER " of=" NO_REQS_LUKS2_HEADER " bs=4096 2>/dev/null", 1));
- 	OK_(_system("dd if=" NO_REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
-@@ -2863,7 +2853,7 @@ static void Luks2Flags(void)
- 	struct crypt_device *cd;
- 	uint32_t flags = 42;
- 
--	OK_(crypt_init(&cd, DEVICE_1));
-+	OK_(crypt_init(&cd, DEVICE_2));
- 	OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
- 
- 	/* check library erase passed variable on success when no flags set */
-diff -rupN cryptsetup-2.0.4.old/tests/Makefile.am cryptsetup-2.0.4/tests/Makefile.am
---- cryptsetup-2.0.4.old/tests/Makefile.am	2018-08-08 14:05:02.008387808 +0200
-+++ cryptsetup-2.0.4/tests/Makefile.am	2018-08-08 14:05:35.944311818 +0200
-@@ -80,7 +80,7 @@ api_test_CPPFLAGS = $(AM_CPPFLAGS) -incl
- api_test_2_SOURCES = api-test-2.c api_test.h test_utils.c
- api_test_2_LDADD = ../libcryptsetup.la
- api_test_2_LDFLAGS = $(AM_LDFLAGS) -static
--api_test_2_CFLAGS = -g -Wall -O0 $(AM_CFLAGS) -I$(top_srcdir)/lib/ -I$(top_srcdir)/lib/luks1
-+api_test_2_CFLAGS = -g -Wall -O0 $(AM_CFLAGS) -I$(top_srcdir)/lib/ -I$(top_srcdir)/lib/luks1 -I$(top_srcdir)/lib/luks2
- api_test_2_CPPFLAGS = $(AM_CPPFLAGS) -include config.h
- 
- vectors_test_SOURCES = crypto-vectors.c
-diff -rupN cryptsetup-2.0.4.old/tests/Makefile.in cryptsetup-2.0.4/tests/Makefile.in
---- cryptsetup-2.0.4.old/tests/Makefile.in	2018-08-08 14:05:02.000387826 +0200
-+++ cryptsetup-2.0.4/tests/Makefile.in	2018-08-08 14:08:28.749924872 +0200
-@@ -466,7 +466,7 @@ api_test_CPPFLAGS = $(AM_CPPFLAGS) -incl
- api_test_2_SOURCES = api-test-2.c api_test.h test_utils.c
- api_test_2_LDADD = ../libcryptsetup.la
- api_test_2_LDFLAGS = $(AM_LDFLAGS) -static
--api_test_2_CFLAGS = -g -Wall -O0 $(AM_CFLAGS) -I$(top_srcdir)/lib/ -I$(top_srcdir)/lib/luks1
-+api_test_2_CFLAGS = -g -Wall -O0 $(AM_CFLAGS) -I$(top_srcdir)/lib/ -I$(top_srcdir)/lib/luks1 -I$(top_srcdir)/lib/luks2
- api_test_2_CPPFLAGS = $(AM_CPPFLAGS) -include config.h
- vectors_test_SOURCES = crypto-vectors.c
- vectors_test_LDADD = ../libcrypto_backend.la @CRYPTO_LIBS@ @LIBARGON2_LIBS@
-diff -rupN cryptsetup-2.0.4.old/tests/test_utils.c cryptsetup-2.0.4/tests/test_utils.c
---- cryptsetup-2.0.4.old/tests/test_utils.c	2018-08-08 14:05:02.008387808 +0200
-+++ cryptsetup-2.0.4/tests/test_utils.c	2018-08-08 14:05:35.947311812 +0200
-@@ -118,13 +118,21 @@ void xlog(const char *msg, const char *t
- 
- int t_device_size(const char *device, uint64_t *size)
- {
-+	struct stat st;
- 	int devfd, r = 0;
- 
- 	devfd = open(device, O_RDONLY);
- 	if(devfd == -1)
- 		return -EINVAL;
- 
--	if (ioctl(devfd, BLKGETSIZE64, size) < 0)
-+	if (fstat(devfd, &st) < 0) {
-+		close(devfd);
-+		return -EINVAL;
-+	}
-+
-+	if (S_ISREG(st.st_mode))
-+		*size = (uint64_t)st.st_size;
-+	else if (ioctl(devfd, BLKGETSIZE64, size) < 0)
- 		r = -EINVAL;
- 	close(devfd);
- 	return r;
diff --git a/SOURCES/cryptsetup-make-reencryption-compat-test2-ready-for-different-L.patch b/SOURCES/cryptsetup-make-reencryption-compat-test2-ready-for-different-L.patch
deleted file mode 100644
index 2274f2e..0000000
--- a/SOURCES/cryptsetup-make-reencryption-compat-test2-ready-for-different-L.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From 619b533bfbb8e6782687eda9e2ba16fc2f73bd15 Mon Sep 17 00:00:00 2001
-From: Ondrej Kozina <okozina@redhat.com>
-Date: Tue, 7 Aug 2018 10:17:31 +0200
-Subject: [PATCH 5/7] Make reencryption-compat-test2 ready for different LUKS2
- hdr size.
-
----
- tests/reencryption-compat-test2 | 40 +++++++++++++++++++++++++++++-----------
- 1 file changed, 29 insertions(+), 11 deletions(-)
-
-diff --git a/tests/reencryption-compat-test2 b/tests/reencryption-compat-test2
-index 411df1f..9656c7b 100755
---- a/tests/reencryption-compat-test2
-+++ b/tests/reencryption-compat-test2
-@@ -19,6 +19,10 @@ PWD3="1-9Qu5Ejfnqv"
- MNT_DIR=./mnt_luks
- START_DIR=$(pwd)
- 
-+# FIXME: we need some sane API to get this information. This is hack.
-+LUKS2_HDR_DEFAULT_LEN=$(grep -e "#define LUKS2_HDR_DEFAULT_LEN" ../lib/luks2/luks2.h | cut -d ' ' -f 3)
-+LUKS2_HDR_DEFAULT_LEN_SECTORS=$((LUKS2_HDR_DEFAULT_LEN/512))
-+
- function dm_crypt_features()
- {
- 	local VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
-@@ -48,6 +52,7 @@ function remove_mapping()
- 	umount $MNT_DIR > /dev/null 2>&1
- 	rmdir $MNT_DIR > /dev/null 2>&1
- 	del_scsi_device
-+	test -z "$TMP_LOOP" || losetup -d "$TMP_LOOP"
- }
- 
- function fail()
-@@ -113,9 +118,21 @@ function prepare() # $1 dev1_siz
- 	fi
- }
- 
--function check_hash_dev() # $1 dev, $2 hash
-+function check_hash_dev() # $1 dev, $2 hash, [$3 optional max size in KiBs]
- {
--	HASH=$(sha256sum $1 | cut -d' ' -f 1)
-+	local _dev=$1
-+	if [ $# -gt 2 ]; then
-+		_dev=$(losetup -f)
-+		losetup -f --sizelimit $3K $1 || fail
-+		TMP_LOOP=$_dev
-+		test -b $TMP_LOOP || fail
-+	fi
-+
-+	HASH=$(sha256sum $_dev | cut -d' ' -f 1)
-+	test -b "$TMP_LOOP" && {
-+		losetup -d "$TMP_LOOP"
-+		unset TMP_LOOP
-+	}
- 	[ $HASH != "$2" ] && fail "HASH differs ($HASH)"
- }
- 
-@@ -218,7 +235,7 @@ HASH5=bb9f8df61474d25e71fa00722318cd387396ca1736605e1248821cc0de3d3af8
- HASH6=4d9cbaf3aa0935a8c113f139691b3daf9c94c8d6c278aedc8eec66a4b9f6c8ae
- 
- echo "[1] Reencryption"
--prepare 8192
-+prepare $((4096+LUKS2_HDR_DEFAULT_LEN_SECTORS/2))
- echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-plain $FAST_PBKDF_ARGON --align-payload 4096 $IMG || fail
- wipe $PWD1
- check_hash $PWD1 $HASH5
-@@ -260,9 +277,9 @@ $CRYPTSETUP luksDump $IMG | grep -q "luks2" > /dev/null || fail
- 
- echo "[4] Encryption of not yet encrypted device"
- # well, movin' zeroes :-)
--OFFSET=8192 # default LUKS2 header size
--prepare 8192
--check_hash_dev $IMG $HASH4
-+OFFSET=$LUKS2_HDR_DEFAULT_LEN_SECTORS # default LUKS2 header size
-+prepare $((4096+$OFFSET/2)) # in KiBs
-+check_hash_dev $IMG $HASH4 8192
- echo $PWD1 | $REENC --type luks2 $IMG -c aes-cbc-essiv:sha256 -s 128 --new --reduce-device-size "$OFFSET"S -q $FAST_PBKDF_ARGON
- check_hash $PWD1 $HASH5
- $CRYPTSETUP luksDump $IMG | grep -q "luks2" > /dev/null || fail
-@@ -299,11 +316,11 @@ echo -e "$PWD2\n$PWD1\n$PWD2\n$PWD1\n$PWD2\n$PWD1\n$PWD2\n$PWD3" | $REENC -q $IM
- check_slot 0 1 2 3 4 5 6 22 || fail "All keyslots expected to be enabled"
- 
- echo "[7] Reencryption of block devices with different block size"
--add_scsi_device sector_size=512 dev_size_mb=8
-+add_scsi_device sector_size=512 dev_size_mb=16
- simple_scsi_reenc "[512 sector]"
--add_scsi_device sector_size=4096 dev_size_mb=8
-+add_scsi_device sector_size=4096 dev_size_mb=16
- simple_scsi_reenc "[4096 sector]"
--add_scsi_device sector_size=512 physblk_exp=3 dev_size_mb=8
-+add_scsi_device sector_size=512 physblk_exp=3 dev_size_mb=16
- simple_scsi_reenc "[4096/512 sector]"
- echo "[OK]"
- 
-@@ -350,7 +367,7 @@ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG || fa
- wipe $PWD1
- check_hash $PWD1 $HASH5
- echo $PWD1 | $REENC $IMG -q --decrypt
--check_hash_dev $IMG $HASH4
-+check_hash_dev $IMG $HASH4 8192
- 
- echo "[11] Reencryption with tokens"
- echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG || fail
-@@ -403,7 +420,7 @@ $CRYPTSETUP isLuks $IMG_HDR || fail
- $CRYPTSETUP luksDump $IMG_HDR | grep -q "0: luks2" || fail
- 
- echo "[14] Reencryption with unbound keyslot"
--prepare 8192
-+prepare $((4096+LUKS2_HDR_DEFAULT_LEN_SECTORS/2))
- echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG || fail
- echo $PWD2 | $CRYPTSETUP -q luksAddKey -S 3 --unbound --key-size 64 $FAST_PBKDF_ARGON $IMG || fail
- wipe $PWD1
-@@ -421,6 +438,7 @@ check_hash $PWD1 $HASH1
- $CRYPTSETUP -q convert --type luks2 $IMG || fail
- echo $PWD1 | $REENC $IMG -q $FAST_PBKDF_PBKDF2 || fail
- check_hash $PWD1 $HASH1
-+prepare $((4096+LUKS2_HDR_DEFAULT_LEN_SECTORS/2))
- echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_PBKDF2 $IMG || fail
- wipe $PWD1
- check_hash $PWD1 $HASH5
--- 
-1.8.3.1
-
diff --git a/SPECS/cryptsetup.spec b/SPECS/cryptsetup.spec
index d790f01..5431380 100644
--- a/SPECS/cryptsetup.spec
+++ b/SPECS/cryptsetup.spec
@@ -1,42 +1,16 @@
-%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
-
-%if 0%{?fedora}
-%if 0%{?fedora} >= 29
 Obsoletes: python2-cryptsetup
-Obsoletes: cryptsetup-python3
-%global python2_enable 0
-%global python3_enable 0
-%else
-%global python2_enable 1
-%global python3_enable 1
-%endif
-%else
-Obsoletes: cryptsetup-python3
-%global python3_enable 0
-%if 0%{?rhel} == 7
-%global python2_enable 1
-%else
 Obsoletes: cryptsetup-python
-Obsoletes: python2-cryptsetup
-%global python2_enable 0
-%endif
-%endif
+Obsoletes: cryptsetup-python3
 
 Summary: A utility for setting up encrypted disks
 Name: cryptsetup
-Version: 2.0.6
-Release: 1%{?dist}
+Version: 2.2.0
+Release: 2%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: Applications/System
 URL: https://gitlab.com/cryptsetup/cryptsetup
 BuildRequires: openssl-devel, popt-devel, device-mapper-devel
 BuildRequires: libuuid-devel, gcc, libblkid-devel
-%if %{python2_enable}
-BuildRequires: python2-devel
-%endif
-%if %{python3_enable}
-BuildRequires: python3-devel
-%endif
 BuildRequires: libpwquality-devel, json-c-devel
 Provides: cryptsetup-luks = %{version}-%{release}
 Obsoletes: cryptsetup-luks < 1.4.0
@@ -45,13 +19,13 @@ Requires: libpwquality >= 1.2.0
 
 %global upstream_version %{version}
 Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{upstream_version}.tar.xz
-Patch0:  %{name}-make-api-test-2-default-LUKS2-hdr-size-aware.patch
-Patch1:  %{name}-make-reencryption-compat-test2-ready-for-different-L.patch
-Patch2:  %{name}-disable-luks2-integrity-test-until-next-usptream-rel.patch
-Patch3:  %{name}-increase-default-LUKS2-header-size-to-8MiBs.patch
-Patch4:  %{name}-make-align-test-ready-for-larger-LUKS2-hdr.patch
 # Following patch has to applied last
-Patch5:  %{name}-add-system-library-paths.patch
+Patch0:  %{name}-add-system-library-paths.patch
+# Remove the patch when (if ever) osci infrastructure gets stable enough
+Patch1:  %{name}-disable-verity-compat-test.patch
+Patch2:  %{name}-2.2.1-fix-mapped-segments-overflow-on-32bit-architectures.patch
+Patch3:  %{name}-2.2.1-take-optimal-io-size-in-account-with-LUKS2-reencrypt.patch
+Patch4:  %{name}-2.2.1-add-opt-io-size-parameter-to-LUKS2-reencrypt-test-de.patch
 
 %description
 The cryptsetup package contains a utility for setting up
@@ -105,76 +79,23 @@ Requires: cryptsetup-libs = %{version}-%{release}
 This package contains cryptsetup-reencrypt utility which
 can be used for offline reencryption of disk in situ.
 
-%if %{python2_enable}
-%package -n python2-cryptsetup
-Group: System Environment/Libraries
-Summary: Python bindings for libcryptsetup
-Requires: %{name}-libs = %{version}-%{release}
-%{?python_provide:%python_provide python2-cryptsetup}
-# Remove before F30
-Provides: %{name}-python = %{version}-%{release}
-Provides: %{name}-python%{?_isa} = %{version}-%{release}
-Obsoletes: %{name}-python < %{version}-%{release}
-Obsoletes: python-cryptsetup < 1.4.0
-
-%description -n python2-cryptsetup
-This package provides Python bindings for libcryptsetup, a library
-for setting up disk encryption using dm-crypt kernel module.
-%endif
-
-%if %{python3_enable}
-%package python3
-Group: System Environment/Libraries
-Summary: Python3 bindings for libcryptsetup
-Requires: %{name}-libs = %{version}-%{release}
-Provides: python3-cryptsetup = %{version}-%{release}
-
-%description python3
-This package provides Python bindings for libcryptsetup, a library
-for setting up disk encryption using dm-crypt kernel module.
-%endif
-
 %prep
 %setup -q -n cryptsetup-%{upstream_version}
-%patch0 -p1
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
-%patch5 -p1
-chmod -x python/pycryptsetup-test.py
+%patch0 -p1
 chmod -x misc/dracut_90reencrypt/*
 
-# copy the whole directory for the python3 build
-%if %{python3_enable}
-cp -a . %{py3dir}
-%endif
-
 %build
-%if %{python2_enable} || %{python3_enable}
-%configure --enable-python --enable-fips --enable-pwquality --enable-internal-sse-argon2 --with-crypto_backend=openssl --with-default-luks-format=LUKS2
-%else
 %configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --with-crypto_backend=openssl --with-default-luks-format=LUKS2
-%endif
 make %{?_smp_mflags}
 
-%if %{python3_enable}
-pushd %{py3dir}
-%configure --enable-python --with-python_version=3 --enable-fips --enable-pwquality --enable-internal-sse-argon2 --with-crypto_backend=openssl --with-default-luks-format=LUKS2
-make %{?_smp_mflags}
-popd
-%endif
-
 %install
 make install DESTDIR=%{buildroot}
 rm -rf %{buildroot}/%{_libdir}/*.la
 
-%if %{python3_enable}
-pushd %{py3dir}
-make install DESTDIR=%{buildroot}
-rm -rf %{buildroot}/%{_libdir}/*.la
-popd
-%endif
 %find_lang cryptsetup
 
 %post -n cryptsetup-libs -p /sbin/ldconfig
@@ -220,27 +141,31 @@ popd
 %{_tmpfilesdir}/cryptsetup.conf
 %ghost %attr(700, -, -) %dir /run/cryptsetup
 
-%if %{python2_enable}
-%files -n python2-cryptsetup
-%{!?_licensedir:%global license %%doc}
-%license COPYING.LGPL
-%doc python/pycryptsetup-test.py
-%exclude %{python_sitearch}/pycryptsetup.la
-%{python_sitearch}/pycryptsetup.so
-%endif
-
-%if %{python3_enable}
-%files python3
-%{!?_licensedir:%global license %%doc}
-%license COPYING.LGPL
-%doc python/pycryptsetup-test.py
-%exclude %{python3_sitearch}/pycryptsetup.la
-%{python3_sitearch}/pycryptsetup.so
-%endif
-
 %clean
 
 %changelog
+* Fri Aug 30 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-2
+- patch: Fix mapped segments overflow on 32bit architectures.
+- patch: Take optimal io size in account with LUKS2 reencryption.
+- Resolves: #1742815 #1746532
+
+* Thu Aug 15 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-1
+- Update to cryptsetup 2.2.0 (final)
+- Resolves: #1738263 #1740342 #1733391 #1729600 #1733390
+
+* Fri Jun 14 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-0.2
+- Updates to reencryption feature.
+- Resolves: #1676622
+
+* Fri May 03 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-0.1
+- Update to cryptsetup 2.2.0
+- remove python bits from spec file.
+- Resolves: #1676622
+
+* Thu Mar 21 2019 Milan Broz <mbroz@redhat.com> - 2.0.6-2
+- Add gating tests.
+- Resolves: #1682539
+
 * Mon Dec 03 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.6-1
 - Update to cryptsetup 2.0.6
 - Enables all supported metadata sizes in LUKS2 validation code.