diff --git a/.cryptsetup.metadata b/.cryptsetup.metadata
index f0f9c04..3eba3f7 100644
--- a/.cryptsetup.metadata
+++ b/.cryptsetup.metadata
@@ -1,2 +1,2 @@
-1597b4642a9ef6b73ad191516f26bd2292055680 SOURCES/cryptsetup-2.4.3.tar.xz
-23cea5fef57d512c9e80c01c9ff76c641cb356b0 SOURCES/tests.tar.xz
+8098a06269c4268b0446b34f7b20e8fa6032e006 SOURCES/cryptsetup-2.6.0.tar.xz
+ae06fbc13edb47b59ba17eb8faff9959b5eefe93 SOURCES/tests.tar.xz
diff --git a/.gitignore b/.gitignore
index e48f09c..d1221a6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/cryptsetup-2.4.3.tar.xz
+SOURCES/cryptsetup-2.6.0.tar.xz
SOURCES/tests.tar.xz
diff --git a/SOURCES/cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch b/SOURCES/cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch
deleted file mode 100644
index fa075eb..0000000
--- a/SOURCES/cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From f671febe64d8f40cdcb1677a08436a8907ccbb7e Mon Sep 17 00:00:00 2001
-From: Ondrej Kozina <okozina@redhat.com>
-Date: Wed, 23 Feb 2022 12:27:57 +0100
-Subject: [PATCH 2/3] Add more tests for --test-passphrase parameter.
-
----
- tests/compat-test-args | 4 ++++
- tests/luks2-reencryption-test | 18 ++++++++++++++++++
- 2 files changed, 22 insertions(+)
-
-diff --git a/tests/compat-test-args b/tests/compat-test-args
-index faeddd00..8bbe5563 100755
---- a/tests/compat-test-args
-+++ b/tests/compat-test-args
-@@ -258,6 +258,10 @@ exp_fail luksAddKey DEV --unbound --key-size 0
- exp_pass luksAddKey DEV --unbound --key-size 8
- exp_pass luksDump DEV --unbound -S5
- exp_fail luksDump DEV --unbound
-+exp_pass open DEV --unbound --test-passphrase
-+exp_pass open DEV --unbound --test-passphrase -S5
-+exp_fail open DEV --unbound NAME
-+exp_fail open DEV --unbound -S5 NAME
-
- exp_fail resize NAME --refresh
- exp_fail open DEV NAME --test-passphrase --refresh
-diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
-index 6f156016..73818b5d 100755
---- a/tests/luks2-reencryption-test
-+++ b/tests/luks2-reencryption-test
-@@ -1606,5 +1606,23 @@ if [ -n "$DM_SECTOR_SIZE" ]; then
- reencrypt_recover_online 4096 journal $HASH1
- fi
-
-+echo "[27] Verify test passphrase mode works with reencryption metadata"
-+echo $PWD1 | $CRYPTSETUP -S5 -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV || fail
-+echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $DEV || fail
-+echo $PWD1 | $CRYPTSETUP reencrypt --init-only $DEV || fail
-+echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail
-+
-+echo $PWD1 | $CRYPTSETUP -q luksFormat -S5 --header $IMG_HDR --type luks2 $FAST_PBKDF_ARGON $DEV || fail
-+echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $IMG_HDR || fail
-+echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --init-only --header $IMG_HDR $DEV || fail
-+echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail
-+
-+echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --init-only --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
-+echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail
-+
-+wipe_dev_head $DEV 1
-+echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 8M $FAST_PBKDF_ARGON $DEV || fail
-+echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail
-+
- remove_mapping
- exit 0
---
-2.27.0
-
diff --git a/SOURCES/cryptsetup-2.5.0-Do-not-use-too-small-key-in-tests.patch b/SOURCES/cryptsetup-2.5.0-Do-not-use-too-small-key-in-tests.patch
deleted file mode 100644
index 40f7269..0000000
--- a/SOURCES/cryptsetup-2.5.0-Do-not-use-too-small-key-in-tests.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 34f033b2549d95833270d657cf099ee4f6faff37 Mon Sep 17 00:00:00 2001
-From: Milan Broz <gmazyland@gmail.com>
-Date: Fri, 21 Jan 2022 09:55:34 +0100
-Subject: [PATCH 3/3] Do not use too small key in tests.
-
-Apparently FIPS mode enforces somewhere minimal key size.
-As 64bit key is no longer useful anyway, just remove it.
-
-Apparently cipher_null is now more safer with the longer key,
-isn't? :-)
----
- tests/align-test | 10 ----------
- 1 file changed, 10 deletions(-)
-
-diff --git a/tests/align-test b/tests/align-test
-index 9ae606ca..a00103c2 100755
---- a/tests/align-test
-+++ b/tests/align-test
-@@ -262,11 +262,6 @@ cleanup
- echo "# Offset check: 512B sector drive"
- add_device dev_size_mb=16 sector_size=512 num_tgts=1
- # |k| expO reqO expected slot offsets
--format_null 64 2048 0 8:72:136:200:264:328:392:456
--format_null 64 520 1
--format_null 64 520 8
--format_null 64 640 128
--format_null 64 2048 2048
- format_null 128 2048 0 8:136:264:392:520:648:776:904
- format_null 128 1032 1
- format_null 128 1032 8
-@@ -286,11 +281,6 @@ cleanup
-
- echo "# Offset check: 4096B sector drive"
- add_device dev_size_mb=16 sector_size=4096 num_tgts=1 opt_blks=64
--format_null 64 2048 0 8:72:136:200:264:328:392:456
--format_null 64 520 1
--format_null 64 520 8
--format_null 64 640 128
--format_null 64 2048 2048
- format_null 128 2048 0 8:136:264:392:520:648:776:904
- format_null 128 1032 1
- format_null 128 1032 8
---
-2.27.0
-
diff --git a/SOURCES/cryptsetup-2.5.0-Fix-PBKDF-benchmark-in-OpenSSL3-FIPS-mode.patch b/SOURCES/cryptsetup-2.5.0-Fix-PBKDF-benchmark-in-OpenSSL3-FIPS-mode.patch
deleted file mode 100644
index aebf06e..0000000
--- a/SOURCES/cryptsetup-2.5.0-Fix-PBKDF-benchmark-in-OpenSSL3-FIPS-mode.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 05a237be2a6c7a342fb5aba4433aec487a08317f Mon Sep 17 00:00:00 2001
-From: Milan Broz <gmazyland@gmail.com>
-Date: Fri, 21 Jan 2022 09:47:13 +0100
-Subject: [PATCH 1/3] Fix PBKDF benchmark in OpenSSL3 FIPS mode.
-
-OpenSSL now enforces minimal parameters for PBKDF2 according to SP 800-132
-key length (112 bits), minimal salt length (128 bits) and minimal number
-of iterations (1000).
-
-Our benchmark violates this, causeing cryptsetup misbehave for luksFormat.
-
-Just inrease tet salt to 16 bytes here, it will little bit influence benchmark,
-but there is no way back.
----
- lib/utils_benchmark.c | 2 +-
- src/cryptsetup.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/lib/utils_benchmark.c b/lib/utils_benchmark.c
-index 7a9736d8..24e7bccc 100644
---- a/lib/utils_benchmark.c
-+++ b/lib/utils_benchmark.c
-@@ -184,7 +184,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd,
- pbkdf->parallel_threads = 0; /* N/A in PBKDF2 */
- pbkdf->max_memory_kb = 0; /* N/A in PBKDF2 */
-
-- r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3, "bar", 3,
-+ r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3, "01234567890abcdef", 16,
- volume_key_size, &benchmark_callback, &u);
- pbkdf->time_ms = ms_tmp;
- if (r < 0) {
-diff --git a/src/cryptsetup.c b/src/cryptsetup.c
-index e529b7ac..37d35c92 100644
---- a/src/cryptsetup.c
-+++ b/src/cryptsetup.c
-@@ -860,7 +860,7 @@ static int action_benchmark_kdf(const char *kdf, const char *hash, size_t key_si
- .time_ms = 1000,
- };
-
-- r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3, "bar", 3, key_size,
-+ r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3, "0123456789abcdef", 16, key_size,
- &benchmark_callback, &pbkdf);
- if (r < 0)
- log_std(_("PBKDF2-%-9s N/A\n"), hash);
---
-2.27.0
-
diff --git a/SOURCES/cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch b/SOURCES/cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch
deleted file mode 100644
index 4aaa5a4..0000000
--- a/SOURCES/cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-diff -rupN cryptsetup-2.4.3.old/man/cryptsetup.8 cryptsetup-2.4.3/man/cryptsetup.8
---- cryptsetup-2.4.3.old/man/cryptsetup.8 2022-02-23 16:33:42.449525744 +0100
-+++ cryptsetup-2.4.3/man/cryptsetup.8 2022-02-24 08:57:43.036396289 +0100
-@@ -321,7 +321,8 @@ the command prompts for it interactively
- \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase,
- \-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id,
- \-\-token\-only, \-\-token-type, \-\-disable\-external\-tokens, \-\-disable\-keyring,
--\-\-disable\-locks, \-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf].
-+\-\-disable\-locks, \-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf,
-+\-\-unbound].
- .PP
- \fIluksSuspend\fR <name>
- .IP
-@@ -1465,10 +1466,14 @@ aligned to page size and page-cache init
- integrity tag.
- .TP
- .B "\-\-unbound"
--
- Creates new or dumps existing LUKS2 unbound keyslot. See \fIluksAddKey\fR or
- \fIluksDump\fR actions for more details.
-
-+When used in \fIluksOpen\fR action (allowed only together with
-+\-\-test\-passphrase parameter), it allows to test passphrase for unbound LUKS2
-+keyslot. Otherwise, unbound keyslot passphrase can be tested only when specific
-+keyslot is selected via \-\-key\-slot parameter.
-+
- .TP
- .B "\-\-tcrypt\-hidden"
- .B "\-\-tcrypt\-system"
-diff -rupN cryptsetup-2.4.3.old/src/cryptsetup_args.h cryptsetup-2.4.3/src/cryptsetup_args.h
---- cryptsetup-2.4.3.old/src/cryptsetup_args.h 2022-02-23 16:33:42.450525749 +0100
-+++ cryptsetup-2.4.3/src/cryptsetup_args.h 2022-02-24 08:57:43.036396289 +0100
-@@ -75,7 +75,7 @@
- #define OPT_TCRYPT_HIDDEN_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION }
- #define OPT_TCRYPT_SYSTEM_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION }
- #define OPT_TEST_PASSPHRASE_ACTIONS { OPEN_ACTION }
--#define OPT_UNBOUND_ACTIONS { ADDKEY_ACTION, LUKSDUMP_ACTION }
-+#define OPT_UNBOUND_ACTIONS { ADDKEY_ACTION, LUKSDUMP_ACTION, OPEN_ACTION }
- #define OPT_USE_RANDOM_ACTIONS { FORMAT_ACTION }
- #define OPT_USE_URANDOM_ACTIONS { FORMAT_ACTION }
- #define OPT_UUID_ACTIONS { FORMAT_ACTION, UUID_ACTION }
-diff -rupN cryptsetup-2.4.3.old/src/cryptsetup.c cryptsetup-2.4.3/src/cryptsetup.c
---- cryptsetup-2.4.3.old/src/cryptsetup.c 2022-02-23 16:33:42.450525749 +0100
-+++ cryptsetup-2.4.3/src/cryptsetup.c 2022-02-24 08:57:43.036396289 +0100
-@@ -140,7 +140,8 @@ static void _set_activation_flags(uint32
- *flags |= CRYPT_ACTIVATE_IGNORE_PERSISTENT;
-
- /* Only for LUKS2 but ignored elsewhere */
-- if (ARG_SET(OPT_TEST_PASSPHRASE_ID))
-+ if (ARG_SET(OPT_TEST_PASSPHRASE_ID) &&
-+ (ARG_SET(OPT_KEY_SLOT_ID) || ARG_SET(OPT_UNBOUND_ID)))
- *flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY;
-
- if (ARG_SET(OPT_SERIALIZE_MEMORY_HARD_PBKDF_ID))
-@@ -3982,6 +3983,18 @@ int main(int argc, const char **argv)
- _("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."),
- poptGetInvocationName(popt_context));
-
-+ if (ARG_SET(OPT_UNBOUND_ID) && !strcmp(aname, OPEN_ACTION) && device_type &&
-+ strncmp(device_type, "luks", 4))
-+ usage(popt_context, EXIT_FAILURE,
-+ _("Option --unbound is allowed only for open of luks device."),
-+ poptGetInvocationName(popt_context));
-+
-+ if (ARG_SET(OPT_UNBOUND_ID) && !ARG_SET(OPT_TEST_PASSPHRASE_ID) &&
-+ !strcmp(aname, OPEN_ACTION))
-+ usage(popt_context, EXIT_FAILURE,
-+ _("Option --unbound cannot be used without --test-passphrase."),
-+ poptGetInvocationName(popt_context));
-+
- if (ARG_SET(OPT_TCRYPT_HIDDEN_ID) && ARG_SET(OPT_ALLOW_DISCARDS_ID))
- usage(popt_context, EXIT_FAILURE,
- _("Option --tcrypt-hidden cannot be combined with --allow-discards."),
-diff -rupN cryptsetup-2.4.3.old/tests/compat-test2 cryptsetup-2.4.3/tests/compat-test2
---- cryptsetup-2.4.3.old/tests/compat-test2 2022-02-23 16:33:42.444525716 +0100
-+++ cryptsetup-2.4.3/tests/compat-test2 2022-02-24 09:05:38.716422307 +0100
-@@ -699,7 +699,7 @@ $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOP
- # otoh it should be allowed to test for proper passphrase
- prepare "" new
- echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
--echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
-+echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
- echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
- [ -b /dev/mapper/$DEV_NAME ] && fail
- echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
-@@ -708,7 +708,7 @@ echo $PWD0 | $CRYPTSETUP open -S1 --test
- $CRYPTSETUP luksKillSlot -q $HEADER_KEYU 0
- $CRYPTSETUP luksDump $HEADER_KEYU | grep -q "0: luks2" && fail
- echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
--echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
-+echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
- echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
-
- prepare "[28] Detached LUKS header" wipe
-@@ -967,11 +967,9 @@ echo $PWD3 | $CRYPTSETUP -q luksAddKey -
- # do not allow to replace keyslot by unbound slot
- echo $PWD1 | $CRYPTSETUP -q luksAddKey -S5 --unbound -s 32 $LOOPDEV 2>/dev/null && fail
- echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
--echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
- echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV $DEV_NAME 2> /dev/null && fail
- echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV --test-passphrase || fail
- echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
--echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
- # check we're able to change passphrase for unbound keyslot
- echo -e "$PWD2\n$PWD3" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
- echo $PWD3 | $CRYPTSETUP open --test-passphrase $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
diff --git a/SOURCES/cryptsetup-2.5.0-Fix-typo-in-repair-prompt.patch b/SOURCES/cryptsetup-2.5.0-Fix-typo-in-repair-prompt.patch
deleted file mode 100644
index 5bf54fb..0000000
--- a/SOURCES/cryptsetup-2.5.0-Fix-typo-in-repair-prompt.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -rupN cryptsetup-2.4.3.old/src/cryptsetup.c cryptsetup-2.4.3/src/cryptsetup.c
---- cryptsetup-2.4.3.old/src/cryptsetup.c 2022-01-21 13:14:56.864817351 +0100
-+++ cryptsetup-2.4.3/src/cryptsetup.c 2022-01-21 13:15:15.579947027 +0100
-@@ -1188,7 +1188,7 @@ static int reencrypt_metadata_repair(str
- _("Operation aborted.\n")))
- return -EINVAL;
-
-- r = tools_get_key(_("Enter passphrase to protect and uppgrade reencryption metadata: "),
-+ r = tools_get_key(_("Enter passphrase to protect and upgrade reencryption metadata: "),
- &password, &passwordLen, ARG_UINT64(OPT_KEYFILE_OFFSET_ID),
- ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_TIMEOUT_ID),
- _verify_passphrase(0), 0, cd);
diff --git a/SOURCES/cryptsetup-2.5.0-Get-rid-of-SHA1-in-tests.patch b/SOURCES/cryptsetup-2.5.0-Get-rid-of-SHA1-in-tests.patch
deleted file mode 100644
index 4708329..0000000
--- a/SOURCES/cryptsetup-2.5.0-Get-rid-of-SHA1-in-tests.patch
+++ /dev/null
@@ -1,441 +0,0 @@
-diff -rupN cryptsetup-2.4.3.old/tests/api-test.c cryptsetup-2.4.3/tests/api-test.c
---- cryptsetup-2.4.3.old/tests/api-test.c 2022-02-17 16:37:09.535345938 +0100
-+++ cryptsetup-2.4.3/tests/api-test.c 2022-02-17 16:37:29.156459763 +0100
-@@ -312,7 +312,7 @@ static int _setup(void)
- static void AddDevicePlain(void)
- {
- struct crypt_params_plain params = {
-- .hash = "sha1",
-+ .hash = "sha256",
- .skip = 0,
- .offset = 0,
- .size = 0
-@@ -322,7 +322,7 @@ static void AddDevicePlain(void)
-
- const char *passphrase = PASSPHRASE;
- // hashed hex version of PASSPHRASE
-- const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
-+ const char *mk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea";
- size_t key_size = strlen(mk_hex) / 2;
- const char *cipher = "aes";
- const char *cipher_mode = "cbc-essiv:sha256";
-@@ -438,7 +438,7 @@ static void AddDevicePlain(void)
- OK_(crypt_deactivate(cd,CDEVICE_1));
-
- CRYPT_FREE(cd);
-- params.hash = "sha1";
-+ params.hash = "sha256";
- params.offset = 0;
- params.size = 0;
- params.skip = 0;
-@@ -620,7 +620,7 @@ static void new_log(int level, const cha
- static void CallbacksTest(void)
- {
- struct crypt_params_plain params = {
-- .hash = "sha1",
-+ .hash = "sha256",
- .skip = 0,
- .offset = 0,
- };
-@@ -1116,7 +1116,7 @@ static void LuksHeaderRestore(void)
- .data_alignment = 2048, // 4M, data offset will be 4096
- };
- struct crypt_params_plain pl_params = {
-- .hash = "sha1",
-+ .hash = "sha256",
- .skip = 0,
- .offset = 0,
- .size = 0
-@@ -1203,7 +1203,7 @@ static void LuksHeaderLoad(void)
- .data_alignment = 2048,
- };
- struct crypt_params_plain pl_params = {
-- .hash = "sha1",
-+ .hash = "sha256",
- .skip = 0,
- .offset = 0,
- .size = 0
-diff -rupN cryptsetup-2.4.3.old/tests/api-test-2.c cryptsetup-2.4.3/tests/api-test-2.c
---- cryptsetup-2.4.3.old/tests/api-test-2.c 2022-02-17 16:37:09.535345938 +0100
-+++ cryptsetup-2.4.3/tests/api-test-2.c 2022-02-17 16:37:29.155459758 +0100
-@@ -1232,7 +1232,7 @@ static void Luks2HeaderRestore(void)
- .sector_size = 512
- };
- struct crypt_params_plain pl_params = {
-- .hash = "sha1",
-+ .hash = "sha256",
- .skip = 0,
- .offset = 0,
- .size = 0
-@@ -1242,7 +1242,7 @@ static void Luks2HeaderRestore(void)
- };
- uint32_t flags = 0;
-
-- const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
-+ const char *mk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea";
- size_t key_size = strlen(mk_hex) / 2;
- const char *cipher = "aes";
- const char *cipher_mode = "cbc-essiv:sha256";
-@@ -1337,7 +1337,7 @@ static void Luks2HeaderLoad(void)
- .sector_size = 512
- };
- struct crypt_params_plain pl_params = {
-- .hash = "sha1",
-+ .hash = "sha256",
- .skip = 0,
- .offset = 0,
- .size = 0
-@@ -2142,7 +2142,7 @@ static void LuksConvert(void)
- .parallel_threads = 1
- }, pbkdf2 = {
- .type = CRYPT_KDF_PBKDF2,
-- .hash = "sha1",
-+ .hash = "sha256",
- .time_ms = 1
- };
-
-@@ -2675,7 +2675,7 @@ static void Pbkdf(void)
- .hash = default_luks1_hash
- };
- struct crypt_params_plain params = {
-- .hash = "sha1",
-+ .hash = "sha256",
- .skip = 0,
- .offset = 0,
- .size = 0
-@@ -2874,11 +2874,11 @@ static void Pbkdf(void)
- pbkdf2.time_ms = 9;
- pbkdf2.hash = NULL;
- FAIL_(crypt_set_pbkdf_type(cd, &pbkdf2), "Hash is mandatory for pbkdf2");
-- pbkdf2.hash = "sha1";
-+ pbkdf2.hash = "sha256";
- OK_(crypt_set_pbkdf_type(cd, &pbkdf2));
-
- argon2.time_ms = 9;
-- argon2.hash = "sha1"; // will be ignored
-+ argon2.hash = "sha256"; // will be ignored
- OK_(crypt_set_pbkdf_type(cd, &argon2));
- argon2.hash = NULL;
- OK_(crypt_set_pbkdf_type(cd, &argon2));
-@@ -3839,7 +3839,7 @@ static void Luks2Reencryption(void)
- struct crypt_params_reencrypt retparams = {}, rparams = {
- .direction = CRYPT_REENCRYPT_FORWARD,
- .resilience = "checksum",
-- .hash = "sha1",
-+ .hash = "sha256",
- .luks2 = ¶ms2,
- };
- dev_t devno;
-@@ -3983,7 +3983,7 @@ static void Luks2Reencryption(void)
- rparams.hash = "hamSter";
- FAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 21, 9, "aes", "xts-plain64", &rparams), "Invalid resilience hash.");
-
-- rparams.hash = "sha1";
-+ rparams.hash = "sha256";
- OK_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 21, 9, "aes", "xts-plain64", &rparams));
- OK_(crypt_reencrypt_run(cd, NULL, NULL));
-
-diff -rupN cryptsetup-2.4.3.old/tests/compat-test cryptsetup-2.4.3/tests/compat-test
---- cryptsetup-2.4.3.old/tests/compat-test 2022-02-17 16:37:09.541345973 +0100
-+++ cryptsetup-2.4.3/tests/compat-test 2022-02-17 16:37:29.157459769 +0100
-@@ -302,8 +302,8 @@ $CRYPTSETUP -q luksUUID $IMG | grep -q $
- prepare "[1] open - compat image - acceptance check" new
- echo $PWD0 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
- check_exists
--ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
--[ "$ORG_SHA1" = 676062b66ebf36669dab705442ea0762dfc091b0 ] || fail
-+ORG_SHA256=$(sha256sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
-+[ "$ORG_SHA256" = 7428e8f2436882a07eb32765086f5c899474c08b5576f556b573d2aabdf923e8 ] || fail
- $CRYPTSETUP -q luksClose $DEV_NAME || fail
-
- # Check it can be opened from header backup as well
-@@ -315,6 +315,7 @@ $CRYPTSETUP -q luksClose $DEV_NAME || f
- $CRYPTSETUP luksHeaderRestore -q $IMG --header-backup-file $HEADER_IMG || fail
-
- # Repeat for V1.0 header - not aligned first keyslot
-+if [ ! fips_mode ] ; then
- echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME || fail
- check_exists
- ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
-@@ -326,6 +327,7 @@ $CRYPTSETUP luksHeaderBackup $IMG10 --he
- echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME --header $HEADER_IMG || fail
- check_exists
- $CRYPTSETUP -q luksClose $DEV_NAME || fail
-+fi
-
- prepare "[2] open - compat image - denial check" new
- echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
-@@ -526,7 +528,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q
-
- prepare "[19] create & status & resize" wipe
- echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash xxx 2>/dev/null && fail
--echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail
-+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail
- $CRYPTSETUP -q status $DEV_NAME | grep "offset:" | grep -q "3 sectors" || fail
- $CRYPTSETUP -q status $DEV_NAME | grep "skipped:" | grep -q "4 sectors" || fail
- $CRYPTSETUP -q status $DEV_NAME | grep "mode:" | grep -q "readonly" || fail
-@@ -546,15 +548,15 @@ $CRYPTSETUP -q resize $DEV_NAME || fail
- $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "32765 sectors" || fail
- $CRYPTSETUP -q remove $DEV_NAME || fail
- $CRYPTSETUP -q status $DEV_NAME >/dev/null && fail
--echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail
-+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail
- $CRYPTSETUP -q remove $DEV_NAME || fail
--echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 $LOOPDEV || fail
-+echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 $LOOPDEV || fail
- $CRYPTSETUP -q remove $DEV_NAME || fail
--echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 --size 100 $LOOPDEV || fail
-+echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 --size 100 $LOOPDEV || fail
- $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
- $CRYPTSETUP -q remove $DEV_NAME || fail
- # 4k sector resize (if kernel supports it)
--echo $PWD1 | $CRYPTSETUP -q open --type plain $LOOPDEV $DEV_NAME --sector-size 4096 --size 8 >/dev/null 2>&1
-+echo $PWD1 | $CRYPTSETUP -q open --type plain --hash sha256 $LOOPDEV $DEV_NAME --sector-size 4096 --size 8 >/dev/null 2>&1
- if [ $? -eq 0 ] ; then
- $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "8 sectors" || fail
- $CRYPTSETUP -q resize $DEV_NAME --size 16 || fail
-@@ -567,7 +569,7 @@ if [ $? -eq 0 ] ; then
- fi
- # Resize not aligned to logical block size
- add_scsi_device dev_size_mb=32 sector_size=4096
--echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV || fail
-+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV || fail
- OLD_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/')
- $CRYPTSETUP resize $DEV_NAME -b 7 2> /dev/null && fail
- dmsetup info $DEV_NAME | grep -q SUSPENDED && fail
-@@ -575,10 +577,10 @@ NEW_SIZE=$($CRYPTSETUP status $DEV_NAME
- test $OLD_SIZE -eq $NEW_SIZE || fail
- $CRYPTSETUP close $DEV_NAME || fail
- # Add check for unaligned plain crypt activation
--echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV -b 7 2>/dev/null && fail
-+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV -b 7 2>/dev/null && fail
- $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail
- # verify is ignored on non-tty input
--echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --verify-passphrase 2>/dev/null || fail
-+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --verify-passphrase 2>/dev/null || fail
- $CRYPTSETUP -q remove $DEV_NAME || fail
- $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size 255 2>/dev/null && fail
- $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size -1 2>/dev/null && fail
-@@ -695,15 +697,15 @@ $CRYPTSETUP luksChangeKey $LOOPDEV $FAST
- dmsetup remove --retry $DEV_NAME2
-
- prepare "[25] Create shared segments" wipe
--echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --offset 0 --size 256 || fail
--echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 2>/dev/null && fail
--echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 --shared || fail
-+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --offset 0 --size 256 || fail
-+echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 2>/dev/null && fail
-+echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 --shared || fail
- $CRYPTSETUP -q remove $DEV_NAME2 || fail
- $CRYPTSETUP -q remove $DEV_NAME || fail
-
- prepare "[26] Suspend/Resume" wipe
- # only LUKS is supported
--echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail
-+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail
- $CRYPTSETUP luksSuspend $DEV_NAME 2>/dev/null && fail
- $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
- $CRYPTSETUP -q remove $DEV_NAME || fail
-diff -rupN cryptsetup-2.4.3.old/tests/compat-test2 cryptsetup-2.4.3/tests/compat-test2
---- cryptsetup-2.4.3.old/tests/compat-test2 2022-02-17 16:37:09.541345973 +0100
-+++ cryptsetup-2.4.3/tests/compat-test2 2022-02-17 16:37:29.158459775 +0100
-@@ -774,7 +774,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q
- $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
- $CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail
- # hash test
--$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha1 || fail
-+$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha512 || fail
- $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 --hash sha256 || fail
- $CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail
- $CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail
-diff -rupN cryptsetup-2.4.3.old/tests/discards-test cryptsetup-2.4.3/tests/discards-test
---- cryptsetup-2.4.3.old/tests/discards-test 2022-02-17 16:37:09.541345973 +0100
-+++ cryptsetup-2.4.3/tests/discards-test 2022-02-17 16:37:29.158459775 +0100
-@@ -80,7 +80,7 @@ dmsetup table $DEV_NAME | grep allow_dis
- $CRYPTSETUP luksClose $DEV_NAME || fail
-
- echo "[2] Allowing discards for plain device"
--echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha1 --allow-discards || fail
-+echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha256 --allow-discards || fail
- $CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail
- $CRYPTSETUP resize $DEV_NAME --size 100 || fail
- $CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail
-diff -rupN cryptsetup-2.4.3.old/tests/integrity-compat-test cryptsetup-2.4.3/tests/integrity-compat-test
---- cryptsetup-2.4.3.old/tests/integrity-compat-test 2022-02-17 16:37:09.542345979 +0100
-+++ cryptsetup-2.4.3/tests/integrity-compat-test 2022-02-17 16:37:29.159459781 +0100
-@@ -168,7 +168,7 @@ intformat() # alg alg_out tagsize outtag
- echo -n "[FORMAT]"
- $INTSETUP format --integrity-legacy-padding -q --integrity $1 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV >/dev/null 2>&1
- if [ $? -ne 0 ] ; then
-- if [[ $1 =~ "sha" || $1 =~ "crc" ]] ; then
-+ if [[ $1 =~ "sha2" || $1 =~ "crc" ]] ; then
- fail "Cannot format device."
- fi
- echo "[N/A]"
-@@ -214,7 +214,14 @@ int_error_detection() # mode alg tagsize
-
- echo -n "[INTEGRITY:$1:$2:$4:$5]"
- echo -n "[FORMAT]"
-- $INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null || fail "Cannot format device."
-+ $INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null 2>&1
-+ if [ $? -ne 0 ] ; then
-+ if [[ $2 =~ "sha2" || $2 =~ "crc" ]] ; then
-+ fail "Cannot format device."
-+ fi
-+ echo "[N/A]"
-+ return
-+ fi
- echo -n "[ACTIVATE]"
- $INTSETUP open $DEV $DEV_NAME --integrity $2 --integrity-no-journal $KEY_PARAMS $INT_MODE || fail "Cannot activate device."
-
-diff -rupN cryptsetup-2.4.3.old/tests/keyring-compat-test cryptsetup-2.4.3/tests/keyring-compat-test
---- cryptsetup-2.4.3.old/tests/keyring-compat-test 2022-02-17 16:37:09.542345979 +0100
-+++ cryptsetup-2.4.3/tests/keyring-compat-test 2022-02-17 16:39:07.132028140 +0100
-@@ -119,7 +119,7 @@ add_device() {
- which dmsetup >/dev/null 2>&1 || skip "Cannot find dmsetup, test skipped"
- which keyctl >/dev/null 2>&1 || skip "Cannot find keyctl, test skipped"
- which xxd >/dev/null 2>&1 || skip "Cannot find xxd, test skipped"
--which sha1sum > /dev/null 2>&1 || skip "Cannot find sha1sum, test skipped"
-+which sha256sum >/dev/null 2>&1 || skip "Cannot find sha256sum, test skipped"
- modprobe dm-crypt >/dev/null 2>&1 || fail "dm-crypt failed to load"
- dm_crypt_keyring_support || skip "dm-crypt doesn't support kernel keyring, test skipped."
-
-@@ -132,23 +132,23 @@ dd if=/dev/urandom of=$DEV bs=1M count=$
- #test aes cipher with xts mode, plain IV
- echo -n "Testing $CIPHER_XTS_PLAIN..."
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail
--sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
- dmsetup remove --retry $NAME || fail
- load_key "$HEXKEY_32" logon $LOGON_KEY_32_OK "$TEST_KEYRING" || fail "Cannot load 32 byte logon key type"
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN :32:logon:$LOGON_KEY_32_OK 0 $DEV 0" || fail
--sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
- dmsetup remove --retry $NAME || fail
- diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
- # same test using message
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail
--sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
- dmsetup remove --retry $NAME || fail
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail
- dmsetup suspend $NAME || fail
- dmsetup message $NAME 0 key wipe || fail
- dmsetup message $NAME 0 "key set :32:logon:$LOGON_KEY_32_OK" || fail
- dmsetup resume $NAME || fail
--sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
- dmsetup remove --retry $NAME || fail
- diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
- echo "OK"
-@@ -156,23 +156,23 @@ echo "OK"
- #test aes cipher, xts mode, essiv IV
- echo -n "Testing $CIPHER_CBC_ESSIV..."
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail
--sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
- dmsetup remove --retry $NAME || fail
- load_key "$HEXKEY_16" logon $LOGON_KEY_16_OK "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type"
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV :16:logon:$LOGON_KEY_16_OK 0 $DEV 0" || fail
--sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
- dmsetup remove --retry $NAME || fail
- diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
- # same test using message
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail
--sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
- dmsetup remove --retry $NAME || fail
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail
- dmsetup suspend $NAME || fail
- dmsetup message $NAME 0 key wipe || fail
- dmsetup message $NAME 0 "key set :16:logon:$LOGON_KEY_16_OK" || fail
- dmsetup resume $NAME || fail
--sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
- dmsetup remove --retry $NAME || fail
- diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
- echo "OK"
-@@ -181,23 +181,23 @@ echo "OK"
- fips_mode || {
- echo -n "Testing $CIPHER_CBC_TCW..."
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
--sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
- dmsetup remove --retry $NAME || fail
- load_key "$HEXKEY_64" logon $LOGON_KEY_64_OK "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type"
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW :64:logon:$LOGON_KEY_64_OK 0 $DEV 0" || fail
--sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
- dmsetup remove --retry $NAME || fail
- diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksum mismatch (corruption)"
- # same test using message
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
--sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
- dmsetup remove --retry $NAME || fail
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
- dmsetup suspend $NAME || fail
- dmsetup message $NAME 0 key wipe || fail
- dmsetup message $NAME 0 "key set :64:logon:$LOGON_KEY_64_OK" || fail
- dmsetup resume $NAME || fail
--sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
- dmsetup remove --retry $NAME || fail
- diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
- echo "OK"
-@@ -207,10 +207,10 @@ echo -n "Test LUKS2 key refresh..."
- echo $PWD | $CRYPTSETUP luksFormat --type luks2 --luks2-metadata-size 16k --luks2-keyslots-size 4064k --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --force-password $DEV || fail
- echo $PWD | $CRYPTSETUP open $DEV $NAME || fail
- $CRYPTSETUP status $NAME | grep -q -i "location:.*keyring" || skip "LUKS2 can't use keyring. Test skipped."
--dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha1sum > $CHKS_KEYRING || fail
-+dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha256sum > $CHKS_KEYRING || fail
- echo $PWD | $CRYPTSETUP refresh $NAME --disable-keyring || fail
- $CRYPTSETUP status $NAME | grep -q -i "location:.*keyring" && fail "Key is still in keyring"
--dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha1sum > $CHKS_DMCRYPT || fail
-+dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha256sum > $CHKS_DMCRYPT || fail
- diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksum mismatch (corruption)"
- echo "OK"
-
-diff -rupN cryptsetup-2.4.3.old/tests/password-hash-test cryptsetup-2.4.3/tests/password-hash-test
---- cryptsetup-2.4.3.old/tests/password-hash-test 2022-02-17 16:37:09.541345973 +0100
-+++ cryptsetup-2.4.3/tests/password-hash-test 2022-02-17 16:37:29.160459787 +0100
-@@ -75,7 +75,7 @@ crypt_key() # hash keysize pwd/file name
- esac
-
- # ignore these cases, not all libs/kernel supports it
-- if [ "$1" != "sha1" -a "$1" != "sha256" ] || [ $2 -gt 256 ] ; then
-+ if [ "$1" != "sha256" ] || [ $2 -gt 256 ] ; then
- if [ $ret -ne 0 ] ; then
- echo " [N/A] ($ret, SKIPPED)"
- return
-diff -rupN cryptsetup-2.4.3.old/tests/reencryption-compat-test cryptsetup-2.4.3/tests/reencryption-compat-test
---- cryptsetup-2.4.3.old/tests/reencryption-compat-test 2022-02-17 16:37:09.541345973 +0100
-+++ cryptsetup-2.4.3/tests/reencryption-compat-test 2022-02-17 16:37:29.160459787 +0100
-@@ -338,7 +338,7 @@ simple_scsi_reenc "[4096/512 sector]"
- echo "[OK]"
-
- echo "[8] Header only reencryption (hash and iteration time)"
--echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha1 $FAST_PBKDF $LOOPDEV1 || fail
-+echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha512 $FAST_PBKDF $LOOPDEV1 || fail
- wipe $PWD1
- check_hash $PWD1 $HASH1
- echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key || fail
-diff -rupN cryptsetup-2.4.3.old/tests/verity-compat-test cryptsetup-2.4.3/tests/verity-compat-test
---- cryptsetup-2.4.3.old/tests/verity-compat-test 2022-02-17 16:37:09.541345973 +0100
-+++ cryptsetup-2.4.3/tests/verity-compat-test 2022-02-17 16:37:29.161459793 +0100
-@@ -148,7 +148,13 @@ function check_root_hash() # $1 size, $2
- for fail in data hash; do
- wipe
- echo -n "V$4(sb=$sb root_hash_as_file=$root_hash_as_file) $5 block size $1: "
-- $VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT || fail
-+ $VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT
-+ if [ $? -ne 0 ] ; then
-+ if [[ $1 =~ "sha2" ]] ; then
-+ fail "Cannot format device."
-+ fi
-+ return
-+ fi
-
- echo -n "[root hash]"
- compare_out "root hash" $2
diff --git a/SOURCES/cryptsetup-2.5.1-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch b/SOURCES/cryptsetup-2.5.1-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch
deleted file mode 100644
index 2cd9115..0000000
--- a/SOURCES/cryptsetup-2.5.1-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch
+++ /dev/null
@@ -1,364 +0,0 @@
-diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_backend.h cryptsetup-2.4.3/lib/crypto_backend/crypto_backend.h
---- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_backend.h 2022-01-13 10:14:51.000000000 +0100
-+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_backend.h 2022-08-10 17:04:13.727162964 +0200
-@@ -134,5 +134,8 @@ static inline void crypt_backend_memzero
- while(n--) *p++ = 0;
- #endif
- }
-+
-+/* crypto backend running in FIPS mode */
-+bool crypt_fips_mode(void);
-
- #endif /* _CRYPTO_BACKEND_H */
-diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_gcrypt.c cryptsetup-2.4.3/lib/crypto_backend/crypto_gcrypt.c
---- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_gcrypt.c 2022-01-13 10:14:51.000000000 +0100
-+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_gcrypt.c 2022-08-10 17:06:28.163895662 +0200
-@@ -550,3 +550,20 @@ out:
- return -ENOTSUP;
- #endif
- }
-+
-+#if !ENABLE_FIPS
-+bool crypt_fips_mode(void) { return false; }
-+#else
-+bool crypt_fips_mode(void)
-+{
-+ static bool fips_mode = false, fips_checked = false;
-+
-+ if (fips_checked)
-+ return fips_mode;
-+
-+ fips_mode = gcry_fips_mode_active();
-+ fips_checked = true;
-+
-+ return fips_mode;
-+}
-+#endif /* ENABLE FIPS */
-diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_kernel.c cryptsetup-2.4.3/lib/crypto_backend/crypto_kernel.c
---- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_kernel.c 2022-01-13 10:14:51.000000000 +0100
-+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_kernel.c 2022-08-10 17:07:06.720105794 +0200
-@@ -416,3 +416,8 @@ int crypt_bitlk_decrypt_key(const void *
- return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
- iv, iv_length, tag, tag_length);
- }
-+
-+bool crypt_fips_mode(void)
-+{
-+ return false;
-+}
-diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_nettle.c cryptsetup-2.4.3/lib/crypto_backend/crypto_nettle.c
---- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_nettle.c 2022-01-13 10:14:51.000000000 +0100
-+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_nettle.c 2022-08-10 17:07:18.127167962 +0200
-@@ -446,3 +446,8 @@ int crypt_bitlk_decrypt_key(const void *
- return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
- iv, iv_length, tag, tag_length);
- }
-+
-+bool crypt_fips_mode(void)
-+{
-+ return false;
-+}
-diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_nss.c cryptsetup-2.4.3/lib/crypto_backend/crypto_nss.c
---- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_nss.c 2022-01-13 10:14:51.000000000 +0100
-+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_nss.c 2022-08-10 17:07:24.547202954 +0200
-@@ -395,3 +395,8 @@ int crypt_bitlk_decrypt_key(const void *
- return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
- iv, iv_length, tag, tag_length);
- }
-+
-+bool crypt_fips_mode(void)
-+{
-+ return false;
-+}
-diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_openssl.c cryptsetup-2.4.3/lib/crypto_backend/crypto_openssl.c
---- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_openssl.c 2022-01-13 10:14:51.000000000 +0100
-+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_openssl.c 2022-08-10 17:05:51.483695770 +0200
-@@ -809,3 +809,29 @@ out:
- return -ENOTSUP;
- #endif
- }
-+
-+#if !ENABLE_FIPS
-+bool crypt_fips_mode(void) { return false; }
-+#else
-+static bool openssl_fips_mode(void)
-+{
-+#if OPENSSL_VERSION_MAJOR >= 3
-+ return EVP_default_properties_is_fips_enabled(NULL);
-+#else
-+ return FIPS_mode();
-+#endif
-+}
-+
-+bool crypt_fips_mode(void)
-+{
-+ static bool fips_mode = false, fips_checked = false;
-+
-+ if (fips_checked)
-+ return fips_mode;
-+
-+ fips_mode = openssl_fips_mode();
-+ fips_checked = true;
-+
-+ return fips_mode;
-+}
-+#endif /* ENABLE FIPS */
-diff -rupN cryptsetup-2.4.3.old/lib/internal.h cryptsetup-2.4.3/lib/internal.h
---- cryptsetup-2.4.3.old/lib/internal.h 2022-01-13 10:14:51.000000000 +0100
-+++ cryptsetup-2.4.3/lib/internal.h 2022-08-10 17:03:00.348765820 +0200
-@@ -38,7 +38,6 @@
- #include "utils_crypt.h"
- #include "utils_loop.h"
- #include "utils_dm.h"
--#include "utils_fips.h"
- #include "utils_keyring.h"
- #include "utils_io.h"
- #include "crypto_backend/crypto_backend.h"
-diff -rupN cryptsetup-2.4.3.old/lib/Makemodule.am cryptsetup-2.4.3/lib/Makemodule.am
---- cryptsetup-2.4.3.old/lib/Makemodule.am 2022-01-13 10:14:51.000000000 +0100
-+++ cryptsetup-2.4.3/lib/Makemodule.am 2022-08-10 17:03:00.342765787 +0200
-@@ -54,8 +54,6 @@ libcryptsetup_la_SOURCES = \
- lib/utils_loop.h \
- lib/utils_devpath.c \
- lib/utils_wipe.c \
-- lib/utils_fips.c \
-- lib/utils_fips.h \
- lib/utils_device.c \
- lib/utils_keyring.c \
- lib/utils_keyring.h \
-diff -rupN cryptsetup-2.4.3.old/lib/utils_fips.c cryptsetup-2.4.3/lib/utils_fips.c
---- cryptsetup-2.4.3.old/lib/utils_fips.c 2022-01-13 10:14:51.000000000 +0100
-+++ cryptsetup-2.4.3/lib/utils_fips.c 1970-01-01 01:00:00.000000000 +0100
-@@ -1,55 +0,0 @@
--/*
-- * FIPS mode utilities
-- *
-- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * as published by the Free Software Foundation; either version 2
-- * of the License, or (at your option) any later version.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- *
-- * You should have received a copy of the GNU General Public License
-- * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-- */
--
--#include <unistd.h>
--#include <fcntl.h>
--#include <errno.h>
--#include "utils_fips.h"
--
--#if !ENABLE_FIPS
--bool crypt_fips_mode(void) { return false; }
--#else
--static bool fips_checked = false;
--static bool fips_mode = false;
--
--static bool kernel_fips_mode(void)
--{
-- int fd;
-- char buf[1] = "";
--
-- if ((fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY)) >= 0) {
-- while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
-- close(fd);
-- }
--
-- return (buf[0] == '1');
--}
--
--bool crypt_fips_mode(void)
--{
-- if (fips_checked)
-- return fips_mode;
--
-- fips_mode = kernel_fips_mode() && !access("/etc/system-fips", F_OK);
-- fips_checked = true;
--
-- return fips_mode;
--}
--#endif /* ENABLE_FIPS */
-diff -rupN cryptsetup-2.4.3.old/lib/utils_fips.h cryptsetup-2.4.3/lib/utils_fips.h
---- cryptsetup-2.4.3.old/lib/utils_fips.h 2022-01-13 10:14:51.000000000 +0100
-+++ cryptsetup-2.4.3/lib/utils_fips.h 1970-01-01 01:00:00.000000000 +0100
-@@ -1,28 +0,0 @@
--/*
-- * FIPS mode utilities
-- *
-- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * as published by the Free Software Foundation; either version 2
-- * of the License, or (at your option) any later version.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- *
-- * You should have received a copy of the GNU General Public License
-- * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-- */
--
--#ifndef _UTILS_FIPS_H
--#define _UTILS_FIPS_H
--
--#include <stdbool.h>
--
--bool crypt_fips_mode(void);
--
--#endif /* _UTILS_FIPS_H */
-diff -rupN cryptsetup-2.4.3.old/Makefile.in cryptsetup-2.4.3/Makefile.in
---- cryptsetup-2.4.3.old/Makefile.in 2022-01-13 10:24:33.000000000 +0100
-+++ cryptsetup-2.4.3/Makefile.in 2022-08-10 17:28:09.508914077 +0200
-@@ -281,7 +281,6 @@ am_libcryptsetup_la_OBJECTS = lib/libcry
- lib/libcryptsetup_la-utils_loop.lo \
- lib/libcryptsetup_la-utils_devpath.lo \
- lib/libcryptsetup_la-utils_wipe.lo \
-- lib/libcryptsetup_la-utils_fips.lo \
- lib/libcryptsetup_la-utils_device.lo \
- lib/libcryptsetup_la-utils_keyring.lo \
- lib/libcryptsetup_la-utils_device_locking.lo \
-@@ -547,7 +546,6 @@ am__depfiles_remade = lib/$(DEPDIR)/cryp
- lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo \
- lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo \
- lib/$(DEPDIR)/libcryptsetup_la-utils_devpath.Plo \
-- lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo \
- lib/$(DEPDIR)/libcryptsetup_la-utils_keyring.Plo \
- lib/$(DEPDIR)/libcryptsetup_la-utils_loop.Plo \
- lib/$(DEPDIR)/libcryptsetup_la-utils_pbkdf.Plo \
-@@ -1036,8 +1034,6 @@ libcryptsetup_la_SOURCES = \
- lib/utils_loop.h \
- lib/utils_devpath.c \
- lib/utils_wipe.c \
-- lib/utils_fips.c \
-- lib/utils_fips.h \
- lib/utils_device.c \
- lib/utils_keyring.c \
- lib/utils_keyring.h \
-@@ -1551,8 +1547,6 @@ lib/libcryptsetup_la-utils_devpath.lo: l
- lib/$(DEPDIR)/$(am__dirstamp)
- lib/libcryptsetup_la-utils_wipe.lo: lib/$(am__dirstamp) \
- lib/$(DEPDIR)/$(am__dirstamp)
--lib/libcryptsetup_la-utils_fips.lo: lib/$(am__dirstamp) \
-- lib/$(DEPDIR)/$(am__dirstamp)
- lib/libcryptsetup_la-utils_device.lo: lib/$(am__dirstamp) \
- lib/$(DEPDIR)/$(am__dirstamp)
- lib/libcryptsetup_la-utils_keyring.lo: lib/$(am__dirstamp) \
-@@ -1811,7 +1805,6 @@ distclean-compile:
- @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo@am__quote@ # am--include-marker
- @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo@am__quote@ # am--include-marker
- @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_devpath.Plo@am__quote@ # am--include-marker
--@AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo@am__quote@ # am--include-marker
- @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_keyring.Plo@am__quote@ # am--include-marker
- @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_loop.Plo@am__quote@ # am--include-marker
- @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_pbkdf.Plo@am__quote@ # am--include-marker
-@@ -2105,13 +2098,6 @@ lib/libcryptsetup_la-utils_wipe.lo: lib/
- @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -c -o lib/libcryptsetup_la-utils_wipe.lo `test -f 'lib/utils_wipe.c' || echo '$(srcdir)/'`lib/utils_wipe.c
-
--lib/libcryptsetup_la-utils_fips.lo: lib/utils_fips.c
--@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -MT lib/libcryptsetup_la-utils_fips.lo -MD -MP -MF lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Tpo -c -o lib/libcryptsetup_la-utils_fips.lo `test -f 'lib/utils_fips.c' || echo '$(srcdir)/'`lib/utils_fips.c
--@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Tpo lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo
--@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='lib/utils_fips.c' object='lib/libcryptsetup_la-utils_fips.lo' libtool=yes @AMDEPBACKSLASH@
--@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
--@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -c -o lib/libcryptsetup_la-utils_fips.lo `test -f 'lib/utils_fips.c' || echo '$(srcdir)/'`lib/utils_fips.c
--
- lib/libcryptsetup_la-utils_device.lo: lib/utils_device.c
- @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -MT lib/libcryptsetup_la-utils_device.lo -MD -MP -MF lib/$(DEPDIR)/libcryptsetup_la-utils_device.Tpo -c -o lib/libcryptsetup_la-utils_device.lo `test -f 'lib/utils_device.c' || echo '$(srcdir)/'`lib/utils_device.c
- @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) lib/$(DEPDIR)/libcryptsetup_la-utils_device.Tpo lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo
-@@ -2987,7 +2973,6 @@ distclean: distclean-recursive
- -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo
- -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo
- -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_devpath.Plo
-- -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo
- -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_keyring.Plo
- -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_loop.Plo
- -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_pbkdf.Plo
-@@ -3124,7 +3109,6 @@ maintainer-clean: maintainer-clean-recur
- -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo
- -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo
- -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_devpath.Plo
-- -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo
- -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_keyring.Plo
- -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_loop.Plo
- -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_pbkdf.Plo
-diff -rupN cryptsetup-2.4.3.old/po/POTFILES.in cryptsetup-2.4.3/po/POTFILES.in
---- cryptsetup-2.4.3.old/po/POTFILES.in 2022-01-13 10:23:53.000000000 +0100
-+++ cryptsetup-2.4.3/po/POTFILES.in 2022-08-10 17:03:30.306926994 +0200
-@@ -6,7 +6,6 @@ lib/volumekey.c
- lib/crypt_plain.c
- lib/utils_crypt.c
- lib/utils_loop.c
--lib/utils_fips.c
- lib/utils_device.c
- lib/utils_devpath.c
- lib/utils_pbkdf.c
-diff -rupN cryptsetup-2.4.3.old/src/cryptsetup.h cryptsetup-2.4.3/src/cryptsetup.h
---- cryptsetup-2.4.3.old/src/cryptsetup.h 2022-01-13 10:14:51.000000000 +0100
-+++ cryptsetup-2.4.3/src/cryptsetup.h 2022-08-10 17:03:30.307926999 +0200
-@@ -44,7 +44,6 @@
- #include "lib/bitops.h"
- #include "lib/utils_crypt.h"
- #include "lib/utils_loop.h"
--#include "lib/utils_fips.h"
- #include "lib/utils_io.h"
- #include "lib/utils_blkid.h"
- #include "lib/libcryptsetup_macros.h"
-diff -rupN cryptsetup-2.4.3.old/tests/compat-test cryptsetup-2.4.3/tests/compat-test
---- cryptsetup-2.4.3.old/tests/compat-test 2022-08-10 16:36:36.593578847 +0200
-+++ cryptsetup-2.4.3/tests/compat-test 2022-08-10 17:03:30.308927004 +0200
-@@ -44,7 +44,7 @@ KEY_MATERIAL5_EXT="S331776-395264"
- TEST_UUID="12345678-1234-1234-1234-123456789abc"
-
- LOOPDEV=$(losetup -f 2>/dev/null)
--[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-
- function remove_mapping()
- {
-diff -rupN cryptsetup-2.4.3.old/tests/compat-test2 cryptsetup-2.4.3/tests/compat-test2
---- cryptsetup-2.4.3.old/tests/compat-test2 2022-08-10 16:36:57.610677161 +0200
-+++ cryptsetup-2.4.3/tests/compat-test2 2022-08-10 17:03:30.308927004 +0200
-@@ -42,7 +42,7 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-f
- TEST_UUID="12345678-1234-1234-1234-123456789abc"
-
- LOOPDEV=$(losetup -f 2>/dev/null)
--[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-
- function remove_mapping()
- {
-diff -rupN cryptsetup-2.4.3.old/tests/keyring-compat-test cryptsetup-2.4.3/tests/keyring-compat-test
---- cryptsetup-2.4.3.old/tests/keyring-compat-test 2022-08-10 16:36:36.594578852 +0200
-+++ cryptsetup-2.4.3/tests/keyring-compat-test 2022-08-10 17:09:55.062022004 +0200
-@@ -26,7 +26,7 @@ PWD="aaa"
- [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
- CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
-
--[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-
- function remove_mapping()
- {
-diff -rupN cryptsetup-2.4.3.old/tests/luks2-reencryption-test cryptsetup-2.4.3/tests/luks2-reencryption-test
---- cryptsetup-2.4.3.old/tests/luks2-reencryption-test 2022-08-10 16:37:14.711757148 +0200
-+++ cryptsetup-2.4.3/tests/luks2-reencryption-test 2022-08-10 17:03:30.310927015 +0200
-@@ -25,7 +25,7 @@ PWD2="1cND4319812f"
- PWD3="1-9Qu5Ejfnqv"
- DEV_LINK="reenc-test-link"
-
--[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-
- function dm_crypt_features()
- {
diff --git a/SOURCES/cryptsetup-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch b/SOURCES/cryptsetup-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch
new file mode 100644
index 0000000..bc50c82
--- /dev/null
+++ b/SOURCES/cryptsetup-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch
@@ -0,0 +1,161 @@
+From c18dcfaa0b91eb48006232fbfadce9e6a9b4a790 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Fri, 2 Dec 2022 15:39:36 +0100
+Subject: [PATCH 2/2] Abort encryption when header and data devices are same.
+
+If data device reduction is not requsted this led
+to data corruption since LUKS metadata was written
+over the data device.
+---
+ src/utils_reencrypt.c | 42 ++++++++++++++++++++++++++++++----
+ tests/luks2-reencryption-test | 16 +++++++++++++
+ tests/reencryption-compat-test | 20 +++++++++++++---
+ 3 files changed, 70 insertions(+), 8 deletions(-)
+
+diff --git a/src/utils_reencrypt.c b/src/utils_reencrypt.c
+index 87ead680..73e0bca8 100644
+--- a/src/utils_reencrypt.c
++++ b/src/utils_reencrypt.c
+@@ -467,6 +467,26 @@ static int reencrypt_check_active_device_sb_block_size(const char *active_device
+ return reencrypt_check_data_sb_block_size(dm_device, new_sector_size);
+ }
+
++static int reencrypt_is_header_detached(const char *header_device, const char *data_device)
++{
++ int r;
++ struct stat st;
++ struct crypt_device *cd;
++
++ if (!header_device)
++ return 0;
++
++ if (header_device && stat(header_device, &st) < 0 && errno == ENOENT)
++ return 1;
++
++ if ((r = crypt_init_data_device(&cd, header_device, data_device)))
++ return r;
++
++ r = crypt_header_is_detached(cd);
++ crypt_free(cd);
++ return r;
++}
++
+ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device, const char *device_name)
+ {
+ int keyslot, r, fd;
+@@ -490,9 +510,14 @@ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device,
+
+ _set_reencryption_flags(¶ms.flags);
+
+- if (!data_shift && !ARG_SET(OPT_HEADER_ID)) {
+- log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
+- return -ENOTSUP;
++ if (!data_shift) {
++ r = reencrypt_is_header_detached(ARG_STR(OPT_HEADER_ID), data_device);
++ if (r < 0)
++ return r;
++ if (!r) {
++ log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
++ return -ENOTSUP;
++ }
+ }
+
+ if (!ARG_SET(OPT_HEADER_ID) && ARG_UINT64(OPT_OFFSET_ID) &&
+@@ -1358,9 +1383,16 @@ static int _encrypt(struct crypt_device *cd, const char *type, enum device_statu
+ if (!type)
+ type = crypt_get_default_type();
+
+- if (dev_st == DEVICE_LUKS1_UNUSABLE || isLUKS1(type))
++ if (dev_st == DEVICE_LUKS1_UNUSABLE || isLUKS1(type)) {
++ r = reencrypt_is_header_detached(ARG_STR(OPT_HEADER_ID), action_argv[0]);
++ if (r < 0)
++ return r;
++ if (!r && !ARG_SET(OPT_REDUCE_DEVICE_SIZE_ID)) {
++ log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
++ return -ENOTSUP;
++ }
+ return reencrypt_luks1(action_argv[0]);
+- else if (dev_st == DEVICE_NOT_LUKS) {
++ } else if (dev_st == DEVICE_NOT_LUKS) {
+ r = encrypt_luks2_init(&encrypt_cd, action_argv[0], action_argc > 1 ? action_argv[1] : NULL);
+ if (r < 0 || ARG_SET(OPT_INIT_ONLY_ID)) {
+ crypt_free(encrypt_cd);
+diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
+index bab54353..a647a8c2 100755
+--- a/tests/luks2-reencryption-test
++++ b/tests/luks2-reencryption-test
+@@ -1080,6 +1080,22 @@ $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
+ $CRYPTSETUP close $DEV_NAME
+ echo $PWD1 | $CRYPTSETUP open --header $IMG_HDR $DEV --test-passphrase || fail
+
++# Encrypt without size reduction must not allow header device same as data device
++wipe_dev_head $DEV 1
++echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $DEV 2>/dev/null && fail
++ln -s $DEV $DEV_LINK || fail
++echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $DEV 2>/dev/null && fail
++rm -f $DEV_LINK || fail
++
++dd if=/dev/zero of=$IMG bs=4k count=1 >/dev/null 2>&1
++echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
++ln -s $IMG $DEV_LINK || fail
++echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
++
+ echo "[4] Reencryption with detached header"
+ wipe $PWD1 $IMG_HDR
+ echo $PWD1 | $CRYPTSETUP reencrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
+diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test
+index f6a84137..453831d1 100755
+--- a/tests/reencryption-compat-test
++++ b/tests/reencryption-compat-test
+@@ -15,6 +15,7 @@ IMG=reenc-data
+ IMG_HDR=$IMG.hdr
+ HEADER_LUKS2_PV=blkid-luks2-pv.img
+ ORIG_IMG=reenc-data-orig
++DEV_LINK="reenc-test-link"
+ KEY1=key1
+ PWD1="93R4P4pIqAH8"
+ PWD2="1cND4319812f"
+@@ -40,7 +41,7 @@ function remove_mapping()
+ [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
+ [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
+ [ ! -z "$LOOPDEV1" ] && losetup -d $LOOPDEV1 >/dev/null 2>&1
+- rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $HEADER_LUKS2_PV >/dev/null 2>&1
++ rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $HEADER_LUKS2_PV $DEV_LINK >/dev/null 2>&1
+ umount $MNT_DIR > /dev/null 2>&1
+ rmdir $MNT_DIR > /dev/null 2>&1
+ LOOPDEV1=""
+@@ -302,12 +303,25 @@ check_slot 0 || fail "Only keyslot 0 expected to be enabled"
+ $REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q || fail
+ # FIXME echo $PWD1 | $REENC ...
+
+-if [ ! fips_mode ]; then
+ echo "[4] Encryption of not yet encrypted device"
++# Encrypt without size reduction must not allow header device same as data device
++wipe_dev $LOOPDEV1
++echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $LOOPDEV1 -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail
++ln -s $LOOPDEV1 $DEV_LINK || fail
++echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail
++rm -f $DEV_LINK || fail
++echo $PWD1 | $REENC $IMG --type luks1 --new --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
++ln -s $IMG $DEV_LINK || fail
++echo $PWD1 | $REENC $IMG --type luks1 --new --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
++
++if [ ! fips_mode ]; then
+ # well, movin' zeroes :-)
+ OFFSET=2048
+ SIZE=$(blockdev --getsz $LOOPDEV1)
+-wipe_dev $LOOPDEV1
+ dmsetup create $DEV_NAME2 --table "0 $(($SIZE - $OFFSET)) linear $LOOPDEV1 0" || fail
+ check_hash_dev /dev/mapper/$DEV_NAME2 $HASH3
+ dmsetup remove --retry $DEV_NAME2 || fail
+--
+2.38.1
+
diff --git a/SOURCES/cryptsetup-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch b/SOURCES/cryptsetup-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch
new file mode 100644
index 0000000..6a401f2
--- /dev/null
+++ b/SOURCES/cryptsetup-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch
@@ -0,0 +1,662 @@
+From e7a1f18d976771efc06987107da12ccae4d0b360 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Fri, 2 Dec 2022 11:40:24 +0100
+Subject: [PATCH 2/3] Change tests to use passphrases with minimal 8 chars
+ length.
+
+Skip tests that can not satisfy minimal test passphrase length:
+
+- empty passphrase
+- LUKS1 cipher_null tests (empty passphrase is mandatory)
+- LUKS1 encryption
+---
+ tests/Makefile.am | 3 +-
+ tests/align-test | 10 +++
+ tests/api-test-2.c | 117 +++++++++++++++++----------------
+ tests/api-test.c | 14 ++--
+ tests/compat-test | 8 ++-
+ tests/compat-test2 | 16 +++--
+ tests/keyring-compat-test | 2 +-
+ tests/reencryption-compat-test | 10 +++
+ tests/ssh-test-plugin | 2 +-
+ 9 files changed, 110 insertions(+), 72 deletions(-)
+
+diff --git a/tests/align-test b/tests/align-test
+index eedf8b77..5941cde2 100755
+--- a/tests/align-test
++++ b/tests/align-test
+@@ -10,9 +10,16 @@ PWD1="93R4P4pIqAH8"
+ PWD2="mymJeD8ivEhE"
+ FAST_PBKDF="--pbkdf-force-iterations 1000"
+
++FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
++
+ CRYPTSETUP_VALGRIND=../.libs/cryptsetup
+ CRYPTSETUP_LIB_VALGRIND=../.libs
+
++function fips_mode()
++{
++ [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
++}
++
+ cleanup() {
+ udevadm settle >/dev/null 2>&1
+ if [ -d "$MNT_DIR" ] ; then
+@@ -276,6 +283,8 @@ format_plain_fail 2048
+ format_plain_fail 4096
+ cleanup
+
++# skip tests using empty passphrase (LUKS1 cipher_null)
++if [ ! fips_mode ]; then
+ echo "# Offset check: 512B sector drive"
+ add_device dev_size_mb=16 sector_size=512 num_tgts=1
+ # |k| expO reqO expected slot offsets
+@@ -314,6 +323,7 @@ format_null 512 4040 8
+ format_null 512 4096 128
+ format_null 512 4096 2048
+ cleanup
++fi
+
+ echo "# Create enterprise-class 4K drive with fs and LUKS images."
+ # loop device here presents 512 block but images have 4k block
+diff --git a/tests/api-test-2.c b/tests/api-test-2.c
+index b7c762d9..2c39191b 100644
+--- a/tests/api-test-2.c
++++ b/tests/api-test-2.c
+@@ -74,8 +74,8 @@ typedef int32_t key_serial_t;
+ #define KEYFILE2 "key2.file"
+ #define KEY2 "0123456789abcdef"
+
+-#define PASSPHRASE "blabla"
+-#define PASSPHRASE1 "albalb"
++#define PASSPHRASE "blablabl"
++#define PASSPHRASE1 "albalbal"
+
+ #define DEVICE_TEST_UUID "12345678-1234-1234-1234-123456789abc"
+
+@@ -107,15 +107,15 @@ typedef int32_t key_serial_t;
+ #define CONV_L2_512_DET_FULL "l2_512b_det_full"
+ #define CONV_L1_256_LEGACY "l1_256b_legacy_offset"
+ #define CONV_L1_256_UNMOVABLE "l1_256b_unmovable"
+-#define PASS0 "aaa"
+-#define PASS1 "hhh"
+-#define PASS2 "ccc"
+-#define PASS3 "ddd"
+-#define PASS4 "eee"
+-#define PASS5 "fff"
+-#define PASS6 "ggg"
+-#define PASS7 "bbb"
+-#define PASS8 "iii"
++#define PASS0 "aaablabl"
++#define PASS1 "hhhblabl"
++#define PASS2 "cccblabl"
++#define PASS3 "dddblabl"
++#define PASS4 "eeeblabl"
++#define PASS5 "fffblabl"
++#define PASS6 "gggblabl"
++#define PASS7 "bbbblabl"
++#define PASS8 "iiiblabl"
+
+ static int _fips_mode = 0;
+
+@@ -429,11 +429,11 @@ static int _setup(void)
+
+ _system("dd if=/dev/zero of=" IMAGE_EMPTY_SMALL_2 " bs=512 count=2050 2>/dev/null", 1);
+
+- _system(" [ ! -e " NO_REQS_LUKS2_HEADER " ] && xz -dk " NO_REQS_LUKS2_HEADER ".xz", 1);
++ _system(" [ ! -e " NO_REQS_LUKS2_HEADER " ] && tar xJf " REQS_LUKS2_HEADER ".tar.xz", 1);
+ fd = loop_attach(&DEVICE_4, NO_REQS_LUKS2_HEADER, 0, 0, &ro);
+ close(fd);
+
+- _system(" [ ! -e " REQS_LUKS2_HEADER " ] && xz -dk " REQS_LUKS2_HEADER ".xz", 1);
++ _system(" [ ! -e " REQS_LUKS2_HEADER " ] && tar xJf " REQS_LUKS2_HEADER ".tar.xz", 1);
+ fd = loop_attach(&DEVICE_5, REQS_LUKS2_HEADER, 0, 0, &ro);
+ close(fd);
+
+@@ -709,7 +709,7 @@ static void AddDeviceLuks2(void)
+ };
+ char key[128], key2[128], key3[128];
+
+- const char *tmp_buf, *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd";
++ const char *tmp_buf, *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd";
+ const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+ const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e";
+ size_t key_size = strlen(vk_hex) / 2;
+@@ -1056,7 +1056,6 @@ static void Luks2MetadataSize(void)
+ };
+ char key[128], tmp[128];
+
+- const char *passphrase = "blabla";
+ const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+ size_t key_size = strlen(vk_hex) / 2;
+ const char *cipher = "aes";
+@@ -1103,7 +1102,7 @@ static void Luks2MetadataSize(void)
+ OK_(crypt_init(&cd, DMDIR H_DEVICE));
+ OK_(crypt_set_metadata_size(cd, 0x080000, 0x080000));
+ OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, key, key_size, ¶ms));
+- EQ_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, passphrase, strlen(passphrase)), 7);
++ EQ_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, PASSPHRASE, strlen(PASSPHRASE)), 7);
+ CRYPT_FREE(cd);
+ OK_(crypt_init(&cd, DMDIR H_DEVICE));
+ OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
+@@ -3306,8 +3305,8 @@ static void Luks2Requirements(void)
+ .key_description = KEY_DESC_TEST0
+ };
+
+- OK_(prepare_keyfile(KEYFILE1, "aaa", 3));
+- OK_(prepare_keyfile(KEYFILE2, "xxx", 3));
++ OK_(prepare_keyfile(KEYFILE1, PASSPHRASE, strlen(PASSPHRASE)));
++ OK_(prepare_keyfile(KEYFILE2, PASSPHRASE1, strlen(PASSPHRASE1)));
+
+ /* crypt_load (unrestricted) */
+ OK_(crypt_init(&cd, DEVICE_5));
+@@ -3361,11 +3360,11 @@ static void Luks2Requirements(void)
+ OK_(crypt_repair(cd, CRYPT_LUKS2, NULL));
+
+ /* crypt_keyslot_add_passphrase (restricted) */
+- FAIL_((r = crypt_keyslot_add_by_passphrase(cd, CRYPT_ANY_SLOT, "aaa", 3, "bbb", 3)), "Unmet requirements detected");
++ FAIL_((r = crypt_keyslot_add_by_passphrase(cd, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), "bbb", 3)), "Unmet requirements detected");
+ EQ_(r, -ETXTBSY);
+
+ /* crypt_keyslot_change_by_passphrase (restricted) */
+- FAIL_((r = crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 9, "aaa", 3, "bbb", 3)), "Unmet requirements detected");
++ FAIL_((r = crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 9, PASSPHRASE, strlen(PASSPHRASE), "bbb", 3)), "Unmet requirements detected");
+ EQ_(r, -ETXTBSY);
+
+ /* crypt_keyslot_add_by_keyfile (restricted) */
+@@ -3377,18 +3376,18 @@ static void Luks2Requirements(void)
+ EQ_(r, -ETXTBSY);
+
+ /* crypt_volume_key_get (unrestricted, but see below) */
+- OK_(crypt_volume_key_get(cd, 0, key, &key_size, "aaa", 3));
++ OK_(crypt_volume_key_get(cd, 0, key, &key_size, PASSPHRASE, strlen(PASSPHRASE)));
+
+ /* crypt_keyslot_add_by_volume_key (restricted) */
+- FAIL_((r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, key_size, "xxx", 3)), "Unmet requirements detected");
++ FAIL_((r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, key_size, PASSPHRASE1, strlen(PASSPHRASE1))), "Unmet requirements detected");
+ EQ_(r, -ETXTBSY);
+
+ /* crypt_keyslot_add_by_key (restricted) */
+- FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, NULL, key_size, "xxx", 3, CRYPT_VOLUME_KEY_NO_SEGMENT)), "Unmet requirements detected");
++ FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, NULL, key_size, PASSPHRASE1, strlen(PASSPHRASE1), CRYPT_VOLUME_KEY_NO_SEGMENT)), "Unmet requirements detected");
+ EQ_(r, -ETXTBSY);
+
+ /* crypt_keyslot_add_by_key (restricted) */
+- FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, key, key_size, "xxx", 3, 0)), "Unmet requirements detected");
++ FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, key, key_size, PASSPHRASE1, strlen(PASSPHRASE1), 0)), "Unmet requirements detected");
+ EQ_(r, -ETXTBSY);
+
+ /* crypt_persistent_flasgs_set (restricted) */
+@@ -3400,10 +3399,10 @@ static void Luks2Requirements(void)
+ EQ_(flags, CRYPT_REQUIREMENT_UNKNOWN);
+
+ /* crypt_activate_by_passphrase (restricted for activation only) */
+- FAIL_((r = crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0)), "Unmet requirements detected");
++ FAIL_((r = crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0)), "Unmet requirements detected");
+ EQ_(r, -ETXTBSY);
+- OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, 0));
+- OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
++ OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), 0));
++ OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
+ EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
+
+ /* crypt_activate_by_keyfile (restricted for activation only) */
+@@ -3420,7 +3419,7 @@ static void Luks2Requirements(void)
+
+ #ifdef KERNEL_KEYRING
+ if (t_dm_crypt_keyring_support()) {
+- kid = add_key("user", KEY_DESC_TEST0, "aaa", 3, KEY_SPEC_THREAD_KEYRING);
++ kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING);
+ NOTFAIL_(kid, "Test or kernel keyring are broken.");
+
+ /* crypt_activate_by_keyring (restricted for activation only) */
+@@ -3428,6 +3427,8 @@ static void Luks2Requirements(void)
+ EQ_(r, t_dm_crypt_keyring_support() ? -ETXTBSY : -EINVAL);
+ OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, 0));
+ OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, CRYPT_ACTIVATE_KEYRING_KEY));
++
++ NOTFAIL_(keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING), "Test or kernel keyring are broken.");
+ }
+ #endif
+
+@@ -3513,10 +3514,15 @@ static void Luks2Requirements(void)
+ /* crypt_activate_by_token (restricted for activation only) */
+ #ifdef KERNEL_KEYRING
+ if (t_dm_crypt_keyring_support()) {
++ kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING);
++ NOTFAIL_(kid, "Test or kernel keyring are broken.");
++
+ FAIL_((r = crypt_activate_by_token(cd, CDEVICE_1, 1, NULL, 0)), ""); // supposed to be silent
+ EQ_(r, -ETXTBSY);
+ OK_(crypt_activate_by_token(cd, NULL, 1, NULL, 0));
+ OK_(crypt_activate_by_token(cd, NULL, 1, NULL, CRYPT_ACTIVATE_KEYRING_KEY));
++
++ NOTFAIL_(keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING), "Test or kernel keyring are broken.");
+ }
+ #endif
+ OK_(get_luks2_offsets(0, 8192, 0, NULL, &r_payload_offset));
+@@ -3528,7 +3534,7 @@ static void Luks2Requirements(void)
+ CRYPT_FREE(cd);
+ OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+ OK_(crypt_load(cd, CRYPT_LUKS, NULL));
+- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0));
++ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0));
+ OK_(crypt_header_backup(cd, CRYPT_LUKS2, BACKUP_FILE));
+ /* replace header with no requirements */
+ OK_(_system("dd if=" REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
+@@ -3566,7 +3572,7 @@ static void Luks2Requirements(void)
+ OK_(crypt_init_by_name(&cd, CDEVICE_1));
+
+ /* crypt_resume_by_passphrase (restricted) */
+- FAIL_((r = crypt_resume_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3)), "Unmet requirements detected");
++ FAIL_((r = crypt_resume_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE))), "Unmet requirements detected");
+ EQ_(r, -ETXTBSY);
+
+ /* crypt_resume_by_keyfile (restricted) */
+@@ -3580,13 +3586,13 @@ static void Luks2Requirements(void)
+
+ OK_(_system("dd if=" NO_REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
+ OK_(crypt_init_by_name(&cd, CDEVICE_1));
+- OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3));
++ OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE)));
+ CRYPT_FREE(cd);
+ OK_(_system("dd if=" REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
+
+ OK_(crypt_init_by_name(&cd, CDEVICE_1));
+ /* load VK in keyring */
+- OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
++ OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
+ /* crypt_resize (restricted) */
+ FAIL_((r = crypt_resize(cd, CDEVICE_1, 1)), "Unmet requirements detected");
+ EQ_(r, -ETXTBSY);
+@@ -3622,7 +3628,6 @@ static void Luks2Integrity(void)
+ .integrity = "hmac(sha256)"
+ };
+ size_t key_size = 32 + 32;
+- const char *passphrase = "blabla";
+ const char *cipher = "aes";
+ const char *cipher_mode = "xts-random";
+ int ret;
+@@ -3636,8 +3641,8 @@ static void Luks2Integrity(void)
+ return;
+ }
+
+- EQ_(crypt_keyslot_add_by_volume_key(cd, 7, NULL, key_size, passphrase, strlen(passphrase)), 7);
+- EQ_(crypt_activate_by_passphrase(cd, CDEVICE_2, 7, passphrase, strlen(passphrase) ,0), 7);
++ EQ_(crypt_keyslot_add_by_volume_key(cd, 7, NULL, key_size, PASSPHRASE, strlen(PASSPHRASE)), 7);
++ EQ_(crypt_activate_by_passphrase(cd, CDEVICE_2, 7, PASSPHRASE, strlen(PASSPHRASE) ,0), 7);
+ GE_(crypt_status(cd, CDEVICE_2), CRYPT_ACTIVE);
+ CRYPT_FREE(cd);
+
+@@ -3689,36 +3694,36 @@ static void Luks2Refresh(void)
+ OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+ OK_(set_fast_pbkdf(cd));
+ OK_(crypt_format(cd, CRYPT_LUKS2, cipher, mode, NULL, key, 32, NULL));
+- OK_(crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, 32, "aaa", 3));
+- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0));
++ OK_(crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, 32, PASSPHRASE, strlen(PASSPHRASE)));
++ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0));
+
+ /* check we can refresh significant flags */
+ if (t_dm_crypt_discard_support()) {
+- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_ALLOW_DISCARDS));
++ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_ALLOW_DISCARDS));
+ OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ OK_(check_flag(cad.flags, CRYPT_ACTIVATE_ALLOW_DISCARDS));
+ cad.flags = 0;
+ }
+
+ if (t_dm_crypt_cpu_switch_support()) {
+- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SAME_CPU_CRYPT));
++ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SAME_CPU_CRYPT));
+ OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SAME_CPU_CRYPT));
+ cad.flags = 0;
+
+- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
++ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
+ OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
+ cad.flags = 0;
+
+- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
++ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
+ OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
+ cad.flags = 0;
+ }
+
+ OK_(crypt_volume_key_keyring(cd, 0));
+- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
++ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
+ OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_KEYRING_KEY), "Unexpected flag raised.");
+ cad.flags = 0;
+@@ -3726,7 +3731,7 @@ static void Luks2Refresh(void)
+ #ifdef KERNEL_KEYRING
+ if (t_dm_crypt_keyring_support()) {
+ OK_(crypt_volume_key_keyring(cd, 1));
+- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
++ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
+ OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ OK_(check_flag(cad.flags, CRYPT_ACTIVATE_KEYRING_KEY));
+ cad.flags = 0;
+@@ -3735,26 +3740,26 @@ static void Luks2Refresh(void)
+
+ /* multiple flags at once */
+ if (t_dm_crypt_discard_support() && t_dm_crypt_cpu_switch_support()) {
+- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS));
++ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS));
+ OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS));
+ cad.flags = 0;
+ }
+
+ /* do not allow reactivation with read-only (and drop flag silently because activation behaves exactly same) */
+- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_READONLY));
++ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_READONLY));
+ OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_READONLY), "Reactivated with read-only flag.");
+ cad.flags = 0;
+
+ /* reload flag is dropped silently */
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
++ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
+
+ /* check read-only flag is not lost after reload */
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_READONLY));
+- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
++ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_READONLY));
++ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
+ OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ OK_(check_flag(cad.flags, CRYPT_ACTIVATE_READONLY));
+ cad.flags = 0;
+@@ -3762,7 +3767,7 @@ static void Luks2Refresh(void)
+ /* check LUKS2 with auth. enc. reload */
+ OK_(crypt_init(&cd2, DMDIR L_DEVICE_WRONG));
+ if (!crypt_format(cd2, CRYPT_LUKS2, "aes", "gcm-random", crypt_get_uuid(cd), key, 32, ¶ms)) {
+- OK_(crypt_keyslot_add_by_volume_key(cd2, 0, key, 32, "aaa", 3));
++ OK_(crypt_keyslot_add_by_volume_key(cd2, 0, key, 32, PASSPHRASE, strlen(PASSPHRASE)));
+ OK_(crypt_activate_by_volume_key(cd2, CDEVICE_2, key, 32, 0));
+ OK_(crypt_activate_by_volume_key(cd2, CDEVICE_2, key, 32, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_NO_JOURNAL));
+ OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad));
+@@ -3772,11 +3777,11 @@ static void Luks2Refresh(void)
+ OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad));
+ OK_(check_flag(cad.flags, CRYPT_ACTIVATE_NO_JOURNAL | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
+ cad.flags = 0;
+- OK_(crypt_activate_by_passphrase(cd2, CDEVICE_2, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
++ OK_(crypt_activate_by_passphrase(cd2, CDEVICE_2, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
+ OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad));
+ FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_NO_JOURNAL), "");
+ FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS), "");
+- FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS2/aead context");
++ FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS2/aead context");
+ OK_(crypt_deactivate(cd2, CDEVICE_2));
+ } else {
+ printf("WARNING: cannot format integrity device, skipping few reload tests.\n");
+@@ -3786,8 +3791,8 @@ static void Luks2Refresh(void)
+ /* Use LUKS1 context on LUKS2 device */
+ OK_(crypt_init(&cd2, DMDIR L_DEVICE_1S));
+ OK_(crypt_format(cd2, CRYPT_LUKS1, cipher, mode, crypt_get_uuid(cd), key, 32, NULL));
+- OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, NULL, 32, "aaa", 3));
+- FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS1 context");
++ OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)));
++ FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS1 context");
+ CRYPT_FREE(cd2);
+
+ /* Use PLAIN context on LUKS2 device */
+@@ -3803,8 +3808,8 @@ static void Luks2Refresh(void)
+ OK_(crypt_init(&cd2, DMDIR L_DEVICE_WRONG));
+ OK_(set_fast_pbkdf(cd2));
+ OK_(crypt_format(cd2, CRYPT_LUKS2, cipher, mode, crypt_get_uuid(cd), key, 32, NULL));
+- OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, key, 32, "aaa", 3));
+- FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed dm-crypt mapped over mismatching data device");
++ OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, key, 32, PASSPHRASE, strlen(PASSPHRASE)));
++ FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed dm-crypt mapped over mismatching data device");
+
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+
+@@ -4825,7 +4830,7 @@ static void LuksKeyslotAdd(void)
+ crypt_keyslot_context_free(um2);
+
+ // generate new unbound key
+- OK_(crypt_keyslot_context_init_by_volume_key(cd, NULL, 1, &um1));
++ OK_(crypt_keyslot_context_init_by_volume_key(cd, NULL, 9, &um1));
+ OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &um2));
+ EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 10, um2, CRYPT_VOLUME_KEY_NO_SEGMENT), 10);
+ EQ_(crypt_keyslot_status(cd, 10), CRYPT_SLOT_UNBOUND);
+diff --git a/tests/api-test.c b/tests/api-test.c
+index 2b2f0813..9bb6d2f1 100644
+--- a/tests/api-test.c
++++ b/tests/api-test.c
+@@ -65,8 +65,8 @@
+ #define KEYFILE2 "key2.file"
+ #define KEY2 "0123456789abcdef"
+
+-#define PASSPHRASE "blabla"
+-#define PASSPHRASE1 "albalb"
++#define PASSPHRASE "blablabl"
++#define PASSPHRASE1 "albalbal"
+
+ #define DEVICE_TEST_UUID "12345678-1234-1234-1234-123456789abc"
+
+@@ -327,7 +327,7 @@ static void AddDevicePlain(void)
+ char key[128], key2[128], path[128];
+ struct crypt_keyslot_context *kc = NULL;
+
+- const char *passphrase = PASSPHRASE;
++ const char *passphrase = "blabla";
+ // hashed hex version of PASSPHRASE
+ const char *vk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea";
+ size_t key_size = strlen(vk_hex) / 2;
+@@ -772,6 +772,10 @@ static void SuspendDevice(void)
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ CRYPT_FREE(cd);
+
++ /* skip tests using empty passphrase */
++ if(_fips_mode)
++ return;
++
+ OK_(get_luks_offsets(0, key_size, 1024*2, 0, NULL, &r_payload_offset));
+ OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1));
+
+@@ -806,7 +810,7 @@ static void AddDeviceLuks(void)
+ };
+ char key[128], key2[128], key3[128];
+
+- const char *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd";
++ const char *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd";
+ const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+ const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e";
+ size_t key_size = strlen(vk_hex) / 2;
+@@ -2105,7 +2109,7 @@ static void LuksKeyslotAdd(void)
+ };
+ char key[128], key3[128];
+
+- const char *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd";
++ const char *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd";
+ const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+ const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e";
+ size_t key_size = strlen(vk_hex) / 2;
+diff --git a/tests/compat-test b/tests/compat-test
+index 356b7283..6dc80041 100755
+--- a/tests/compat-test
++++ b/tests/compat-test
+@@ -450,10 +450,13 @@ if [ -d /dev/disk/by-uuid ] ; then
+ $CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
+ $CRYPTSETUP -q luksClose $DEV_NAME || fail
+ fi
++# skip tests using empty passphrase
++if [ ! fips_mode ]; then
+ # empty keyfile
+ $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEYE || fail
+ $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
+ $CRYPTSETUP -q luksClose $DEV_NAME || fail
++fi
+ # open by volume key
+ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT -s 256 --volume-key-file $KEY1 $LOOPDEV || fail
+ $CRYPTSETUP luksOpen --volume-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
+@@ -503,7 +506,7 @@ echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --
+ echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail
+ # keyfile/passphrase
+-echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail
++echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 8 || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: ENABLED" || fail
+
+ prepare "[18] RemoveKey passphrase and keyfile" reuse
+@@ -728,12 +731,15 @@ echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
+ [ $? -ne 2 ] && fail "luksResume should return EPERM exit code"
+ echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME || fail
+ $CRYPTSETUP -q luksClose $DEV_NAME || fail
++# skip tests using empty passphrase
++if [ ! fips_mode ]; then
+ echo | $CRYPTSETUP -q luksFormat -c null $FAST_PBKDF_OPT --type luks1 $LOOPDEV || fail
+ echo | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
+ $CRYPTSETUP luksSuspend $DEV_NAME || fail
+ $CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail
+ echo | $CRYPTSETUP luksResume $DEV_NAME || fail
+ $CRYPTSETUP -q luksClose $DEV_NAME || fail
++fi
+
+ prepare "[27] luksOpen/luksResume with specified key slot number" wipe
+ # first, let's try passphrase option
+diff --git a/tests/compat-test2 b/tests/compat-test2
+index 2f18d7b6..c54dc7ea 100755
+--- a/tests/compat-test2
++++ b/tests/compat-test2
+@@ -427,10 +427,14 @@ if [ -d /dev/disk/by-uuid ] ; then
+ $CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
+ $CRYPTSETUP -q luksClose $DEV_NAME || fail
+ fi
++# skip tests using empty passphrases
++if [ ! fips_mode ]; then
+ # empty keyfile
+ $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEYE || fail
+ $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
+ $CRYPTSETUP -q luksClose $DEV_NAME || fail
++fi
++
+ # open by volume key
+ echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -s 256 --volume-key-file $KEY1 --type luks2 $LOOPDEV || fail
+ $CRYPTSETUP luksOpen --volume-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
+@@ -477,7 +481,7 @@ echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --
+ echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
+ # keyfile/passphrase
+-echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail
++echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 8 || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" || fail
+
+ prepare "[18] RemoveKey passphrase and keyfile" reuse
+@@ -1001,14 +1005,14 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail
+ echo $PWD1 | $CRYPTSETUP -q luksConvertKey $LOOPDEV -S 1 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || can_fail_fips
+-echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 21 --unbound -s 16 $LOOPDEV || fail
++echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 21 --unbound -s 72 $LOOPDEV || fail
+ echo $PWD3 | $CRYPTSETUP luksConvertKey --pbkdf-force-iterations 1001 --pbkdf pbkdf2 -S 21 $LOOPDEV || fail
+
+ prepare "[38] luksAddKey unbound tests" wipe
+ $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY5 --key-slot 5 || fail
+ # unbound key may have arbitrary size
+-echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 16 $LOOPDEV || fail
+-echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 32 -S 2 $LOOPDEV || fail
++echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 72 $LOOPDEV || fail
++echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 72 -S 2 $LOOPDEV || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2 (unbound)" || fail
+ dd if=/dev/urandom of=$KEY_FILE0 bs=64 count=1 > /dev/null 2>&1 || fail
+ echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 512 -S 3 --volume-key-file $KEY_FILE0 $LOOPDEV || fail
+@@ -1100,10 +1104,10 @@ $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 --key-slot 2 -
+ [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
+ [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
+ # unbound keyslot
+-echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 21 --unbound -s 32 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
++echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 21 --unbound -s 72 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
+ [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
+ [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
+-echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 22 --unbound -s 32 $LOOPDEV || fail
++echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 22 --unbound -s 72 $LOOPDEV || fail
+ echo $PWD3 | $CRYPTSETUP luksConvertKey --key-slot 22 $LOOPDEV --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
+ [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
+ [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
+diff --git a/tests/keyring-compat-test b/tests/keyring-compat-test
+index 57c7fd98..ea88c210 100755
+--- a/tests/keyring-compat-test
++++ b/tests/keyring-compat-test
+@@ -21,7 +21,7 @@ NAME=testcryptdev
+ CHKS_DMCRYPT=vk_in_dmcrypt.chk
+ CHKS_KEYRING=vk_in_keyring.chk
+
+-PWD="aaa"
++PWD="aaablabl"
+
+ [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
+ CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
+diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test
+index 433f4d4c..f6a84137 100755
+--- a/tests/reencryption-compat-test
++++ b/tests/reencryption-compat-test
+@@ -22,6 +22,12 @@ PWD3="1-9Qu5Ejfnqv"
+
+ MNT_DIR=./mnt_luks
+ START_DIR=$(pwd)
++FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
++
++function fips_mode()
++{
++ [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
++}
+
+ function del_scsi_device()
+ {
+@@ -296,6 +302,7 @@ check_slot 0 || fail "Only keyslot 0 expected to be enabled"
+ $REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q || fail
+ # FIXME echo $PWD1 | $REENC ...
+
++if [ ! fips_mode ]; then
+ echo "[4] Encryption of not yet encrypted device"
+ # well, movin' zeroes :-)
+ OFFSET=2048
+@@ -323,6 +330,7 @@ OFFSET=4096
+ echo fake | $REENC $LOOPDEV1 -d $KEY1 --new --type luks1 --reduce-device-size "$OFFSET"S -q $FAST_PBKDF || fail
+ $CRYPTSETUP open --test-passphrase $LOOPDEV1 -d $KEY1 || fail
+ wipe_dev $LOOPDEV1
++fi
+
+ echo "[5] Reencryption using specific keyslot"
+ echo $PWD2 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail
+@@ -396,6 +404,7 @@ add_scsi_device sector_size=512 dev_size_mb=32 physblk_exp=3
+ test_logging "[4096/512 sector]" || fail
+ test_logging_tmpfs || fail
+
++if [ ! fips_mode ]; then
+ echo "[10] Removal of encryption"
+ prepare 8192
+ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail
+@@ -460,6 +469,7 @@ if [ "$HAVE_BLKID" -gt 0 ]; then
+ echo $PWD1 | $REENC --header $IMG_HDR $HEADER_LUKS2_PV -q $FAST_PBKDF --new --type luks1 2>/dev/null && fail
+ test -f $IMG_HDR && fail
+ fi
++fi # if [ ! fips_mode ]
+
+ remove_mapping
+ exit 0
+diff --git a/tests/ssh-test-plugin b/tests/ssh-test-plugin
+index 0a440b93..5b3966e7 100755
+--- a/tests/ssh-test-plugin
++++ b/tests/ssh-test-plugin
+@@ -11,7 +11,7 @@ CRYPTSETUP_SSH=$CRYPTSETUP_PATH/cryptsetup-ssh
+ IMG="ssh_test.img"
+ MAP="sshtest"
+ USER="sshtest"
+-PASSWD="sshtest"
++PASSWD="sshtest1"
+ PASSWD2="sshtest2"
+ SSH_OPTIONS="-o StrictHostKeyChecking=no"
+
+--
+2.38.1
+
diff --git a/SOURCES/cryptsetup-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch b/SOURCES/cryptsetup-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch
new file mode 100644
index 0000000..cfbd36a
--- /dev/null
+++ b/SOURCES/cryptsetup-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch
@@ -0,0 +1,55 @@
+From be088b8de8d636993767a42f195ffd3bf915e567 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Mon, 12 Dec 2022 17:33:12 +0100
+Subject: [PATCH 1/2] Enable crypt_header_is_detached for empty contexts.
+
+Also changes few tests now expecting crypt_header_is_detached
+works with empty contexts.
+---
+ lib/setup.c | 2 +-
+ tests/api-test-2.c | 2 +-
+ tests/api-test.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/setup.c b/lib/setup.c
+index f169942c..3263578b 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -3242,7 +3242,7 @@ int crypt_header_is_detached(struct crypt_device *cd)
+ {
+ int r;
+
+- if (!cd || !isLUKS(cd->type))
++ if (!cd || (cd->type && !isLUKS(cd->type)))
+ return -EINVAL;
+
+ r = device_is_identical(crypt_data_device(cd), crypt_metadata_device(cd));
+diff --git a/tests/api-test-2.c b/tests/api-test-2.c
+index 2c39191b..c7e930ca 100644
+--- a/tests/api-test-2.c
++++ b/tests/api-test-2.c
+@@ -889,7 +889,7 @@ static void AddDeviceLuks2(void)
+ FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, key, key_size, 0), "Device is active");
+ EQ_(crypt_status(cd, CDEVICE_2), CRYPT_INACTIVE);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+- FAIL_(crypt_header_is_detached(cd), "no header for mismatched device");
++ EQ_(crypt_header_is_detached(cd), 1);
+ CRYPT_FREE(cd);
+
+ params.data_device = NULL;
+diff --git a/tests/api-test.c b/tests/api-test.c
+index 9bb6d2f1..f6e33a40 100644
+--- a/tests/api-test.c
++++ b/tests/api-test.c
+@@ -960,7 +960,7 @@ static void AddDeviceLuks(void)
+ FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, key, key_size, 0), "Device is active");
+ EQ_(crypt_status(cd, CDEVICE_2), CRYPT_INACTIVE);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+- FAIL_(crypt_header_is_detached(cd), "no header for mismatched device");
++ EQ_(crypt_header_is_detached(cd), 1);
+ CRYPT_FREE(cd);
+
+ params.data_device = NULL;
+--
+2.38.1
+
diff --git a/SOURCES/cryptsetup-2.6.1-Run-PBKDF-benchmark-with-8-bytes-long-well-known-pas.patch b/SOURCES/cryptsetup-2.6.1-Run-PBKDF-benchmark-with-8-bytes-long-well-known-pas.patch
new file mode 100644
index 0000000..28dc504
--- /dev/null
+++ b/SOURCES/cryptsetup-2.6.1-Run-PBKDF-benchmark-with-8-bytes-long-well-known-pas.patch
@@ -0,0 +1,58 @@
+From a33f7bf5ca33587ddb05f2acac42f93068022458 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Fri, 2 Dec 2022 11:39:59 +0100
+Subject: [PATCH 1/3] Run PBKDF benchmark with 8 bytes long well-known
+ passphrase.
+
+---
+ lib/utils_benchmark.c | 4 ++--
+ src/cryptsetup.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/utils_benchmark.c b/lib/utils_benchmark.c
+index 0a0c438e..d8976fb2 100644
+--- a/lib/utils_benchmark.c
++++ b/lib/utils_benchmark.c
+@@ -187,7 +187,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd,
+ pbkdf->parallel_threads = 0; /* N/A in PBKDF2 */
+ pbkdf->max_memory_kb = 0; /* N/A in PBKDF2 */
+
+- r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3, "01234567890abcdef", 16,
++ r = crypt_benchmark_pbkdf(cd, pbkdf, "foobarfo", 8, "01234567890abcdef", 16,
+ volume_key_size, &benchmark_callback, &u);
+ pbkdf->time_ms = ms_tmp;
+ if (r < 0) {
+@@ -207,7 +207,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd,
+ return 0;
+ }
+
+- r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3,
++ r = crypt_benchmark_pbkdf(cd, pbkdf, "foobarfo", 8,
+ "0123456789abcdef0123456789abcdef", 32,
+ volume_key_size, &benchmark_callback, &u);
+ if (r < 0)
+diff --git a/src/cryptsetup.c b/src/cryptsetup.c
+index c2e23c6e..dfaf7682 100644
+--- a/src/cryptsetup.c
++++ b/src/cryptsetup.c
+@@ -997,7 +997,7 @@ static int action_benchmark_kdf(const char *kdf, const char *hash, size_t key_si
+ .time_ms = 1000,
+ };
+
+- r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3, "0123456789abcdef", 16, key_size,
++ r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foobarfo", 8, "0123456789abcdef", 16, key_size,
+ &benchmark_callback, &pbkdf);
+ if (r < 0)
+ log_std(_("PBKDF2-%-9s N/A\n"), hash);
+@@ -1012,7 +1012,7 @@ static int action_benchmark_kdf(const char *kdf, const char *hash, size_t key_si
+ .parallel_threads = ARG_UINT32(OPT_PBKDF_PARALLEL_ID)
+ };
+
+- r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3,
++ r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foobarfo", 8,
+ "0123456789abcdef0123456789abcdef", 32,
+ key_size, &benchmark_callback, &pbkdf);
+ if (r < 0)
+--
+2.38.1
+
diff --git a/SOURCES/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch b/SOURCES/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch
new file mode 100644
index 0000000..59db57f
--- /dev/null
+++ b/SOURCES/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch
@@ -0,0 +1,47 @@
+From 293abb5435e2b4bec7f8333fb11c88d5c1f45800 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Mon, 5 Dec 2022 13:35:24 +0100
+Subject: [PATCH 3/3] Add FIPS related error message in keyslot add code.
+
+Add hints on what went wrong when creating new LUKS
+keyslots. The hint is printed only in FIPS mode and
+when pbkdf2 failed with passphrase shorter than 8
+bytes.
+---
+ lib/luks1/keymanage.c | 5 ++++-
+ lib/luks2/luks2_keyslot_luks2.c | 2 ++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c
+index de97b73c..225e84b8 100644
+--- a/lib/luks1/keymanage.c
++++ b/lib/luks1/keymanage.c
+@@ -924,8 +924,11 @@ int LUKS_set_key(unsigned int keyIndex,
+ hdr->keyblock[keyIndex].passwordSalt, LUKS_SALTSIZE,
+ derived_key->key, hdr->keyBytes,
+ hdr->keyblock[keyIndex].passwordIterations, 0, 0);
+- if (r < 0)
++ if (r < 0) {
++ if (crypt_fips_mode() && passwordLen < 8)
++ log_err(ctx, _("Invalid passphrase for PBKDF2 in FIPS mode."));
+ goto out;
++ }
+
+ /*
+ * AF splitting, the volume key stored in vk->key is split to AfKey
+diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c
+index 78f74242..f480bcab 100644
+--- a/lib/luks2/luks2_keyslot_luks2.c
++++ b/lib/luks2/luks2_keyslot_luks2.c
+@@ -265,6 +265,8 @@ static int luks2_keyslot_set_key(struct crypt_device *cd,
+ free(salt);
+ if (r < 0) {
+ crypt_free_volume_key(derived_key);
++ if (crypt_fips_mode() && passwordLen < 8 && !strcmp(pbkdf.type, "pbkdf2"))
++ log_err(cd, _("Invalid passphrase for PBKDF2 in FIPS mode."));
+ return r;
+ }
+
+--
+2.38.1
+
diff --git a/SPECS/cryptsetup.spec b/SPECS/cryptsetup.spec
index 45ff1b4..fce51de 100644
--- a/SPECS/cryptsetup.spec
+++ b/SPECS/cryptsetup.spec
@@ -1,29 +1,32 @@
Summary: Utility for setting up encrypted disks
Name: cryptsetup
-Version: 2.4.3
-Release: 5%{?dist}
+Version: 2.6.0
+Release: 2%{?dist}
License: GPLv2+ and LGPLv2+
URL: https://gitlab.com/cryptsetup/cryptsetup
BuildRequires: openssl-devel, popt-devel, device-mapper-devel
BuildRequires: libuuid-devel, gcc, json-c-devel
BuildRequires: libpwquality-devel, libblkid-devel
BuildRequires: make
+BuildRequires: asciidoctor
Requires: cryptsetup-libs = %{version}-%{release}
Requires: libpwquality >= 1.2.0
+Obsoletes: %{name}-reencrypt <= %{version}
+Provides: %{name}-reencrypt = %{version}
%global upstream_version %{version}
-Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-%{upstream_version}.tar.xz
-# binary archive with updated compatimage.img.xz for testing (can not be patched via rpmbuild)
+Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-%{upstream_version}.tar.xz
+
+# binary archive with updated tests/conversion_imgs.tar.xz and tests/luks2_header_requirements.tar.xz
+# for testing (can not be patched via rpmbuild)
Source1: tests.tar.xz
# Following patch has to applied last
-Patch0000: %{name}-2.5.0-Fix-typo-in-repair-prompt.patch
-Patch0001: %{name}-2.5.0-Fix-PBKDF-benchmark-in-OpenSSL3-FIPS-mode.patch
-Patch0002: %{name}-2.5.0-Get-rid-of-SHA1-in-tests.patch
-Patch0003: %{name}-2.5.0-Do-not-use-too-small-key-in-tests.patch
-Patch0004: %{name}-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch
-Patch0005: %{name}-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch
-Patch0006: %{name}-2.5.1-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch
+Patch0000: %{name}-2.6.1-Run-PBKDF-benchmark-with-8-bytes-long-well-known-pas.patch
+Patch0001: %{name}-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch
+Patch0002: %{name}-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch
+Patch0003: %{name}-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch
+Patch9998: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch
Patch9999: %{name}-add-system-library-paths.patch
%description
@@ -61,20 +64,12 @@ Requires: cryptsetup-libs = %{version}-%{release}
The integritysetup package contains a utility for setting up
disk integrity protection using dm-integrity kernel module.
-%package reencrypt
-Summary: A utility for offline reencryption of LUKS encrypted disks
-Requires: cryptsetup-libs = %{version}-%{release}
-
-%description reencrypt
-This package contains cryptsetup-reencrypt utility which
-can be used for offline reencryption of disk in situ.
-
%prep
%autosetup -n cryptsetup-%{upstream_version} -p 1 -a 1
-chmod -x misc/dracut_90reencrypt/*
%build
-%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --disable-ssh-token
+rm -f man/*.8
+%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --disable-ssh-token --enable-asciidoc
%make_build
%install
@@ -87,8 +82,9 @@ rm -rf %{buildroot}%{_libdir}/*.la
%files
%license COPYING
-%doc AUTHORS FAQ docs/*ReleaseNotes
+%doc AUTHORS FAQ.md docs/*ReleaseNotes
%{_mandir}/man8/cryptsetup.8.gz
+%{_mandir}/man8/cryptsetup-*.8.gz
%{_sbindir}/cryptsetup
%files -n veritysetup
@@ -101,12 +97,6 @@ rm -rf %{buildroot}%{_libdir}/*.la
%{_mandir}/man8/integritysetup.8.gz
%{_sbindir}/integritysetup
-%files reencrypt
-%license COPYING
-%doc misc/dracut_90reencrypt
-%{_mandir}/man8/cryptsetup-reencrypt.8.gz
-%{_sbindir}/cryptsetup-reencrypt
-
%files devel
%doc docs/examples/*
%{_includedir}/libcryptsetup.h
@@ -121,6 +111,15 @@ rm -rf %{buildroot}%{_libdir}/*.la
%ghost %attr(700, -, -) %dir /run/cryptsetup
%changelog
+* Wed Dec 14 2022 Daniel Zatovic <dzatovic@redhat.com> - 2.6.0-2
+- Fix FIPS related bugs.
+- Abort encryption when header and data devices are same.
+- Resolves: #2150251 #2148841
+
+* Wed Nov 30 2022 Daniel Zatovic <dzatovic@redhat.com> - 2.6.0-1
+- Update to cryptsetup 2.6.0.
+- Resolves: #2003748 #2108404 #1862173
+
* Wed Aug 10 2022 Ondrej Kozina <okozina@redhat.com> - 2.4.3-5
- patch: Delegate FIPS mode detection to crypto backend.
- Resolves: #2080516