diff --git a/.cryptsetup.metadata b/.cryptsetup.metadata
new file mode 100644
index 0000000..ff5999b
--- /dev/null
+++ b/.cryptsetup.metadata
@@ -0,0 +1,4 @@
+1f06d268aee0adff931a39fe6709af7804e4f4f6 SOURCES/cryptsetup-1.7.4.tar.xz
+d24bdd0d55be8b27769b07531950ffe60589274b SOURCES/cryptsetup-2.0.3.tar.xz
+4da4e0728f59b42ac7ca7645c483ee554f0da821 SOURCES/luks2_mda_images.tar.xz
+839899b3821d4a5d8a8196c8fdd2dd0bd1f582f7 SOURCES/luks2_valid_hdr.tar.xz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..7c79481
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+SOURCES/cryptsetup-1.7.4.tar.xz
+SOURCES/cryptsetup-2.0.3.tar.xz
+SOURCES/luks2_mda_images.tar.xz
+SOURCES/luks2_valid_hdr.tar.xz
diff --git a/SOURCES/cryptsetup-1.7.5-fix-luksformat-in-fips-mode.patch b/SOURCES/cryptsetup-1.7.5-fix-luksformat-in-fips-mode.patch
new file mode 100644
index 0000000..c321d4a
--- /dev/null
+++ b/SOURCES/cryptsetup-1.7.5-fix-luksformat-in-fips-mode.patch
@@ -0,0 +1,35 @@
+From 3c2135b36bbc52d052e4ced7c94dc4981eb07a53 Mon Sep 17 00:00:00 2001
+From: Milan Broz <gmazyland@gmail.com>
+Date: Fri, 21 Apr 2017 08:16:14 +0200
+Subject: [PATCH] Fix luksFormat if running in FIPS mode on recent kernel.
+
+Recently introduced check for weak keys for XTS mode makes
+zeroed key for algorithm check unusable.
+
+Use random key for the test instead.
+---
+ lib/luks1/keymanage.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c
+index b700bab..5b1421b 100644
+--- a/lib/luks1/keymanage.c
++++ b/lib/luks1/keymanage.c
+@@ -631,9 +631,11 @@ static int LUKS_check_cipher(struct luks_phdr *hdr, struct crypt_device *ctx)
+ if (!empty_key)
+ return -ENOMEM;
+
+- r = LUKS_decrypt_from_storage(buf, sizeof(buf),
+- hdr->cipherName, hdr->cipherMode,
+- empty_key, 0, ctx);
++ /* No need to get KEY quality random but it must avoid known weak keys. */
++ r = crypt_random_get(ctx, empty_key->key, empty_key->keylength, CRYPT_RND_NORMAL);
++ if (!r)
++ r = LUKS_decrypt_from_storage(buf, sizeof(buf), hdr->cipherName,
++ hdr->cipherMode, empty_key, 0, ctx);
+
+ crypt_free_volume_key(empty_key);
+ crypt_memzero(buf, sizeof(buf));
+--
+2.7.4
+
diff --git a/SOURCES/cryptsetup-1.7.5-fix-unaligned-access-to-hidden-truecrypt.patch b/SOURCES/cryptsetup-1.7.5-fix-unaligned-access-to-hidden-truecrypt.patch
new file mode 100644
index 0000000..874a851
--- /dev/null
+++ b/SOURCES/cryptsetup-1.7.5-fix-unaligned-access-to-hidden-truecrypt.patch
@@ -0,0 +1,376 @@
+From a117f431179a2747f2b1d5293f43d9e198f1bac9 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Mon, 30 Nov 2015 16:44:15 +0100
+Subject: [PATCH] Fix access to unaligned hidden TrueCrypt header.
+
+backport all changes needed to fix unaligned access
+to hidden TrueCrypt hedaer.
+---
+ lib/internal.h | 7 ++-
+ lib/luks1/keymanage.c | 6 +-
+ lib/tcrypt/tcrypt.c | 24 ++++----
+ lib/utils.c | 155 +++++++++++++++++++++++++++++++++++++++++++-------
+ 4 files changed, 152 insertions(+), 40 deletions(-)
+
+diff --git a/lib/internal.h b/lib/internal.h
+index 382a600..f1525f2 100644
+--- a/lib/internal.h
++++ b/lib/internal.h
+@@ -101,9 +101,12 @@ char *crypt_get_partition_device(const char *dev_path, uint64_t offset, uint64_t
+ char *crypt_get_base_device(const char *dev_path);
+ uint64_t crypt_dev_partition_offset(const char *dev_path);
+
++ssize_t write_buffer(int fd, const void *buf, size_t count);
++ssize_t read_buffer(int fd, void *buf, size_t count);
+ ssize_t write_blockwise(int fd, int bsize, void *buf, size_t count);
+-ssize_t read_blockwise(int fd, int bsize, void *_buf, size_t count);
+-ssize_t write_lseek_blockwise(int fd, int bsize, char *buf, size_t count, off_t offset);
++ssize_t read_blockwise(int fd, int bsize, void *buf, size_t count);
++ssize_t write_lseek_blockwise(int fd, int bsize, void *buf, size_t count, off_t offset);
++ssize_t read_lseek_blockwise(int fd, int bsize, void *buf, size_t count, off_t offset);
+
+ unsigned crypt_getpagesize(void);
+ int init_crypto(struct crypt_device *ctx);
+diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c
+index 23e3fe2..b193ee9 100644
+--- a/lib/luks1/keymanage.c
++++ b/lib/luks1/keymanage.c
+@@ -201,7 +201,7 @@ int LUKS_hdr_backup(const char *backup_file, struct crypt_device *ctx)
+ r = -EINVAL;
+ goto out;
+ }
+- if (write(devfd, buffer, buffer_size) < buffer_size) {
++ if (write_buffer(devfd, buffer, buffer_size) < buffer_size) {
+ log_err(ctx, _("Cannot write header backup file %s.\n"), backup_file);
+ r = -EIO;
+ goto out;
+@@ -253,7 +253,7 @@ int LUKS_hdr_restore(
+ goto out;
+ }
+
+- if (read(devfd, buffer, buffer_size) < buffer_size) {
++ if (read_buffer(devfd, buffer, buffer_size) < buffer_size) {
+ log_err(ctx, _("Cannot read header backup file %s.\n"), backup_file);
+ r = -EIO;
+ goto out;
+@@ -498,7 +498,7 @@ int LUKS_read_phdr_backup(const char *backup_file,
+ return -ENOENT;
+ }
+
+- if (read(devfd, hdr, hdr_size) < hdr_size)
++ if (read_buffer(devfd, hdr, hdr_size) < hdr_size)
+ r = -EIO;
+ else {
+ LUKS_fix_header_compatible(hdr);
+diff --git a/lib/tcrypt/tcrypt.c b/lib/tcrypt/tcrypt.c
+index 45154ed..9ff7157 100644
+--- a/lib/tcrypt/tcrypt.c
++++ b/lib/tcrypt/tcrypt.c
+@@ -469,8 +469,7 @@ static int TCRYPT_pool_keyfile(struct crypt_device *cd,
+ return -EIO;
+ }
+
+- /* FIXME: add while */
+- data_size = read(fd, data, TCRYPT_KEYFILE_LEN);
++ data_size = read_buffer(fd, data, TCRYPT_KEYFILE_LEN);
+ close(fd);
+ if (data_size < 0) {
+ log_err(cd, _("Error reading keyfile %s.\n"), keyfile);
+@@ -628,27 +627,26 @@ int TCRYPT_read_phdr(struct crypt_device *cd,
+
+ r = -EIO;
+ if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) {
+- if (lseek(devfd, TCRYPT_HDR_SYSTEM_OFFSET, SEEK_SET) >= 0 &&
+- read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size) {
++ if (read_lseek_blockwise(devfd, bs, hdr, hdr_size,
++ TCRYPT_HDR_SYSTEM_OFFSET) == hdr_size) {
+ r = TCRYPT_init_hdr(cd, hdr, params);
+ }
+ } else if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
+ if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) {
+- if (lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET_BCK, SEEK_END) >= 0 &&
+- read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
++ if (read_lseek_blockwise(devfd, bs, hdr, hdr_size,
++ TCRYPT_HDR_HIDDEN_OFFSET_BCK) == hdr_size)
+ r = TCRYPT_init_hdr(cd, hdr, params);
+ } else {
+- if (lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET, SEEK_SET) >= 0 &&
+- read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
++ if (read_lseek_blockwise(devfd, bs, hdr, hdr_size,
++ TCRYPT_HDR_HIDDEN_OFFSET) == hdr_size)
+ r = TCRYPT_init_hdr(cd, hdr, params);
+- if (r &&
+- lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET_OLD, SEEK_END) >= 0 &&
+- read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
++ if (r && read_lseek_blockwise(devfd, bs, hdr, hdr_size,
++ TCRYPT_HDR_HIDDEN_OFFSET_OLD) == hdr_size)
+ r = TCRYPT_init_hdr(cd, hdr, params);
+ }
+ } else if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) {
+- if (lseek(devfd, TCRYPT_HDR_OFFSET_BCK, SEEK_END) >= 0 &&
+- read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
++ if (read_lseek_blockwise(devfd, bs, hdr, hdr_size,
++ TCRYPT_HDR_OFFSET_BCK) == hdr_size)
+ r = TCRYPT_init_hdr(cd, hdr, params);
+ } else if (read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
+ r = TCRYPT_init_hdr(cd, hdr, params);
+diff --git a/lib/utils.c b/lib/utils.c
+index 2dcf753..802ba55 100644
+--- a/lib/utils.c
++++ b/lib/utils.c
+@@ -56,22 +56,70 @@ static void *aligned_malloc(void **base, int size, int alignment)
+ /* Credits go to Michal's padlock patches for this alignment code */
+ char *ptr;
+
+- ptr = malloc(size + alignment);
+- if(ptr == NULL) return NULL;
++ ptr = malloc(size + alignment);
++ if (!ptr)
++ return NULL;
+
+ *base = ptr;
+- if(alignment > 1 && ((long)ptr & (alignment - 1))) {
++ if (alignment > 1 && ((long)ptr & (alignment - 1)))
+ ptr += alignment - ((long)(ptr) & (alignment - 1));
+- }
++
+ return ptr;
+ #endif
+ }
+
++ssize_t read_buffer(int fd, void *buf, size_t count)
++{
++ size_t read_size = 0;
++ ssize_t r;
++
++ if (fd < 0 || !buf)
++ return -EINVAL;
++
++ do {
++ r = read(fd, buf, count - read_size);
++ if (r == -1 && errno != EINTR)
++ return r;
++ if (r == 0)
++ return (ssize_t)read_size;
++ if (r > 0) {
++ read_size += (size_t)r;
++ buf = (uint8_t*)buf + r;
++ }
++ } while (read_size != count);
++
++ return (ssize_t)count;
++}
++
++ssize_t write_buffer(int fd, const void *buf, size_t count)
++{
++ size_t write_size = 0;
++ ssize_t w;
++
++ if (fd < 0 || !buf || !count)
++ return -EINVAL;
++
++ do {
++ w = write(fd, buf, count - write_size);
++ if (w < 0 && errno != EINTR)
++ return w;
++ if (w == 0)
++ return (ssize_t)write_size;
++ if (w > 0) {
++ write_size += (size_t) w;
++ buf = (const uint8_t*)buf + w;
++ }
++ } while (write_size != count);
++
++ return (ssize_t)write_size;
++}
++
+ ssize_t write_blockwise(int fd, int bsize, void *orig_buf, size_t count)
+ {
+ void *hangover_buf, *hangover_buf_base = NULL;
+ void *buf, *buf_base = NULL;
+- int r, hangover, solid, alignment;
++ int r, alignment;
++ size_t hangover, solid;
+ ssize_t ret = -1;
+
+ if (fd == -1 || !orig_buf || bsize <= 0)
+@@ -89,17 +137,19 @@ ssize_t write_blockwise(int fd, int bsize, void *orig_buf, size_t count)
+ } else
+ buf = orig_buf;
+
+- r = write(fd, buf, solid);
+- if (r < 0 || r != solid)
+- goto out;
++ if (solid) {
++ r = write_buffer(fd, buf, solid);
++ if (r < 0 || r != (ssize_t)solid)
++ goto out;
++ }
+
+ if (hangover) {
+ hangover_buf = aligned_malloc(&hangover_buf_base, bsize, alignment);
+ if (!hangover_buf)
+ goto out;
+
+- r = read(fd, hangover_buf, bsize);
+- if (r < 0 || r < hangover)
++ r = read_buffer(fd, hangover_buf, bsize);
++ if (r < 0 || r < (ssize_t)hangover)
+ goto out;
+
+ if (r < bsize)
+@@ -110,8 +160,8 @@ ssize_t write_blockwise(int fd, int bsize, void *orig_buf, size_t count)
+
+ memcpy(hangover_buf, (char*)buf + solid, hangover);
+
+- r = write(fd, hangover_buf, bsize);
+- if (r < 0 || r < hangover)
++ r = write_buffer(fd, hangover_buf, bsize);
++ if (r < 0 || r < (ssize_t)hangover)
+ goto out;
+ }
+ ret = count;
+@@ -122,10 +172,12 @@ out:
+ return ret;
+ }
+
+-ssize_t read_blockwise(int fd, int bsize, void *orig_buf, size_t count) {
++ssize_t read_blockwise(int fd, int bsize, void *orig_buf, size_t count)
++{
+ void *hangover_buf, *hangover_buf_base = NULL;
+ void *buf, *buf_base = NULL;
+- int r, hangover, solid, alignment;
++ int r, alignment;
++ size_t hangover, solid;
+ ssize_t ret = -1;
+
+ if (fd == -1 || !orig_buf || bsize <= 0)
+@@ -142,16 +194,16 @@ ssize_t read_blockwise(int fd, int bsize, void *orig_buf, size_t count) {
+ } else
+ buf = orig_buf;
+
+- r = read(fd, buf, solid);
+- if(r < 0 || r != solid)
++ r = read_buffer(fd, buf, solid);
++ if (r < 0 || r != (ssize_t)solid)
+ goto out;
+
+ if (hangover) {
+ hangover_buf = aligned_malloc(&hangover_buf_base, bsize, alignment);
+ if (!hangover_buf)
+ goto out;
+- r = read(fd, hangover_buf, bsize);
+- if (r < 0 || r < hangover)
++ r = read_buffer(fd, hangover_buf, bsize);
++ if (r < 0 || r < (ssize_t)hangover)
+ goto out;
+
+ memcpy((char *)buf + solid, hangover_buf, hangover);
+@@ -172,7 +224,8 @@ out:
+ * is implicitly included in the read/write offset, which can not be set to non-aligned
+ * boundaries. Hence, we combine llseek with write.
+ */
+-ssize_t write_lseek_blockwise(int fd, int bsize, char *buf, size_t count, off_t offset) {
++ssize_t write_lseek_blockwise(int fd, int bsize, void *buf, size_t count, off_t offset)
++{
+ char *frontPadBuf;
+ void *frontPadBuf_base = NULL;
+ int r, frontHang;
+@@ -182,6 +235,12 @@ ssize_t write_lseek_blockwise(int fd, int bsize, char *buf, size_t count, off_t
+ if (fd == -1 || !buf || bsize <= 0)
+ return -1;
+
++ if (offset < 0)
++ offset = lseek(fd, offset, SEEK_END);
++
++ if (offset < 0)
++ return -1;
++
+ frontHang = offset % bsize;
+
+ if (lseek(fd, offset - frontHang, SEEK_SET) < 0)
+@@ -193,7 +252,7 @@ ssize_t write_lseek_blockwise(int fd, int bsize, char *buf, size_t count, off_t
+ if (!frontPadBuf)
+ goto out;
+
+- r = read(fd, frontPadBuf, bsize);
++ r = read_buffer(fd, frontPadBuf, bsize);
+ if (r < 0 || r != bsize)
+ goto out;
+
+@@ -206,11 +265,11 @@ ssize_t write_lseek_blockwise(int fd, int bsize, char *buf, size_t count, off_t
+ if (lseek(fd, offset - frontHang, SEEK_SET) < 0)
+ goto out;
+
+- r = write(fd, frontPadBuf, bsize);
++ r = write_buffer(fd, frontPadBuf, bsize);
+ if (r < 0 || r != bsize)
+ goto out;
+
+- buf += innerCount;
++ buf = (char*)buf + innerCount;
+ count -= innerCount;
+ }
+
+@@ -223,6 +282,58 @@ out:
+ return ret;
+ }
+
++ssize_t read_lseek_blockwise(int fd, int bsize, void *buf, size_t count, off_t offset)
++{
++ char *frontPadBuf;
++ void *frontPadBuf_base = NULL;
++ int r, frontHang;
++ size_t innerCount = 0;
++ ssize_t ret = -1;
++
++ if (fd == -1 || !buf || bsize <= 0)
++ return -1;
++
++ if (offset < 0)
++ offset = lseek(fd, offset, SEEK_END);
++
++ if (offset < 0)
++ return -1;
++
++ frontHang = offset % bsize;
++
++ if (lseek(fd, offset - frontHang, SEEK_SET) < 0)
++ return ret;
++
++ if (frontHang) {
++ frontPadBuf = aligned_malloc(&frontPadBuf_base,
++ bsize, get_alignment(fd));
++
++ if (!frontPadBuf)
++ return ret;
++
++ r = read_buffer(fd, frontPadBuf, bsize);
++ if (r < 0 || r != bsize)
++ goto out;
++
++ innerCount = bsize - frontHang;
++ if (innerCount > count)
++ innerCount = count;
++
++ memcpy(buf, frontPadBuf + frontHang, innerCount);
++
++ buf = (char*)buf + innerCount;
++ count -= innerCount;
++ }
++
++ ret = read_blockwise(fd, bsize, buf, count);
++ if (ret >= 0)
++ ret += innerCount;
++out:
++ free(frontPadBuf_base);
++
++ return ret;
++}
++
+ /* MEMLOCK */
+ #define DEFAULT_PROCESS_PRIORITY -18
+
+--
+2.7.4
+
diff --git a/SOURCES/cryptsetup-1.7.6-crypt_deactivate-fail-earlier-when-holders-detected.patch b/SOURCES/cryptsetup-1.7.6-crypt_deactivate-fail-earlier-when-holders-detected.patch
new file mode 100644
index 0000000..df91689
--- /dev/null
+++ b/SOURCES/cryptsetup-1.7.6-crypt_deactivate-fail-earlier-when-holders-detected.patch
@@ -0,0 +1,150 @@
+From 2e4aaa1adad2d0838593b13efbf5efe79f58255c Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Mon, 16 Oct 2017 16:41:43 +0200
+Subject: [PATCH] crypt_deactivate: fail earlier when holders detected
+
+crypt_deactivate fails earlier without noisy dm retries
+when other device holders detected. The early detection
+works if:
+
+a) other device-mapper device has a hold reference on the
+ device
+
+- or -
+
+b) mounted fs is detected on the device
+
+diff -rupN cryptsetup-1.7.4.old/config.h.in cryptsetup-1.7.4/config.h.in
+--- cryptsetup-1.7.4.old/config.h.in 2017-03-15 10:43:26.000000000 +0100
++++ cryptsetup-1.7.4/config.h.in 2017-10-19 09:37:17.000000000 +0200
+@@ -97,6 +97,14 @@
+ */
+ #undef HAVE_DCGETTEXT
+
++/* Define to 1 if you have the declaration of `dm_device_has_holders', and to
++ 0 if you don't. */
++#undef HAVE_DECL_DM_DEVICE_HAS_HOLDERS
++
++/* Define to 1 if you have the declaration of `dm_device_has_mounted_fs', and
++ to 0 if you don't. */
++#undef HAVE_DECL_DM_DEVICE_HAS_MOUNTED_FS
++
+ /* Define to 1 if you have the declaration of `dm_task_retry_remove', and to 0
+ if you don't. */
+ #undef HAVE_DECL_DM_TASK_RETRY_REMOVE
+diff -rupN cryptsetup-1.7.4.old/configure cryptsetup-1.7.4/configure
+--- cryptsetup-1.7.4.old/configure 2017-03-15 10:43:13.000000000 +0100
++++ cryptsetup-1.7.4/configure 2017-10-19 09:37:18.590530138 +0200
+@@ -16735,6 +16735,30 @@ cat >>confdefs.h <<_ACEOF
+ #define HAVE_DECL_DM_TASK_RETRY_REMOVE $ac_have_decl
+ _ACEOF
+
++ac_fn_c_check_decl "$LINENO" "dm_device_has_mounted_fs" "ac_cv_have_decl_dm_device_has_mounted_fs" "#include <libdevmapper.h>
++"
++if test "x$ac_cv_have_decl_dm_device_has_mounted_fs" = xyes; then :
++ ac_have_decl=1
++else
++ ac_have_decl=0
++fi
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_DECL_DM_DEVICE_HAS_MOUNTED_FS $ac_have_decl
++_ACEOF
++
++ac_fn_c_check_decl "$LINENO" "dm_device_has_holders" "ac_cv_have_decl_dm_device_has_holders" "#include <libdevmapper.h>
++"
++if test "x$ac_cv_have_decl_dm_device_has_holders" = xyes; then :
++ ac_have_decl=1
++else
++ ac_have_decl=0
++fi
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_DECL_DM_DEVICE_HAS_HOLDERS $ac_have_decl
++_ACEOF
++
+ ac_fn_c_check_decl "$LINENO" "DM_UDEV_DISABLE_DISK_RULES_FLAG" "ac_cv_have_decl_DM_UDEV_DISABLE_DISK_RULES_FLAG" "#include <libdevmapper.h>
+ "
+ if test "x$ac_cv_have_decl_DM_UDEV_DISABLE_DISK_RULES_FLAG" = xyes; then :
+diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
+index a0d6872..d6017b1 100644
+--- a/lib/libdevmapper.c
++++ b/lib/libdevmapper.c
+@@ -1181,6 +1181,13 @@ int dm_query_device(struct crypt_device *cd, const char *name,
+ dmd->uuid = strdup(tmp_uuid + DM_UUID_PREFIX_LEN);
+ }
+
++ dmd->holders = 0;
++#if (HAVE_DECL_DM_DEVICE_HAS_HOLDERS && HAVE_DECL_DM_DEVICE_HAS_MOUNTED_FS)
++ if (get_flags & DM_ACTIVE_HOLDERS)
++ dmd->holders = (dm_device_has_mounted_fs(dmi.major, dmi.minor) ||
++ dm_device_has_holders(dmi.major, dmi.minor));
++#endif
++
+ r = (dmi.open_count > 0);
+ out:
+ if (dmt)
+diff --git a/lib/setup.c b/lib/setup.c
+index b2e4396..93e8079 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -2249,6 +2249,7 @@ int crypt_activate_by_volume_key(struct crypt_device *cd,
+ int crypt_deactivate(struct crypt_device *cd, const char *name)
+ {
+ struct crypt_device *fake_cd = NULL;
++ struct crypt_dm_active_device dmd = {};
+ int r;
+
+ if (!name)
+@@ -2266,6 +2267,13 @@ int crypt_deactivate(struct crypt_device *cd, const char *name)
+ switch (crypt_status(cd, name)) {
+ case CRYPT_ACTIVE:
+ case CRYPT_BUSY:
++ r = dm_query_device(cd, name, DM_ACTIVE_HOLDERS, &dmd);
++ if (r >= 0 && dmd.holders) {
++ log_err(cd, _("Device %s is still in use.\n"), name);
++ r = -EBUSY;
++ break;
++ }
++
+ if (isTCRYPT(cd->type))
+ r = TCRYPT_deactivate(cd, name);
+ else
+diff --git a/lib/utils_dm.h b/lib/utils_dm.h
+index c87e9aa..cf22e12 100644
+--- a/lib/utils_dm.h
++++ b/lib/utils_dm.h
+@@ -48,14 +48,16 @@ uint32_t dm_flags(void);
+
+ #define DM_ACTIVE_DEVICE (1 << 0)
+ #define DM_ACTIVE_UUID (1 << 1)
++#define DM_ACTIVE_HOLDERS (1 << 2)
+
+-#define DM_ACTIVE_CRYPT_CIPHER (1 << 2)
+-#define DM_ACTIVE_CRYPT_KEYSIZE (1 << 3)
+-#define DM_ACTIVE_CRYPT_KEY (1 << 4)
++#define DM_ACTIVE_CRYPT_CIPHER (1 << 3)
++#define DM_ACTIVE_CRYPT_KEYSIZE (1 << 4)
++#define DM_ACTIVE_CRYPT_KEY (1 << 5)
++
++#define DM_ACTIVE_VERITY_ROOT_HASH (1 << 6)
++#define DM_ACTIVE_VERITY_HASH_DEVICE (1 << 7)
++#define DM_ACTIVE_VERITY_PARAMS (1 << 8)
+
+-#define DM_ACTIVE_VERITY_ROOT_HASH (1 << 5)
+-#define DM_ACTIVE_VERITY_HASH_DEVICE (1 << 6)
+-#define DM_ACTIVE_VERITY_PARAMS (1 << 7)
+
+ struct crypt_dm_active_device {
+ enum { DM_CRYPT = 0, DM_VERITY } target;
+@@ -63,6 +65,7 @@ struct crypt_dm_active_device {
+ uint32_t flags; /* activation flags */
+ const char *uuid;
+ struct device *data_device;
++ unsigned holders:1;
+ union {
+ struct {
+ const char *cipher;
+--
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-1.7.6-fix-blockwise-access-functions-for-64k-page-size.patch b/SOURCES/cryptsetup-1.7.6-fix-blockwise-access-functions-for-64k-page-size.patch
new file mode 100644
index 0000000..2c82dff
--- /dev/null
+++ b/SOURCES/cryptsetup-1.7.6-fix-blockwise-access-functions-for-64k-page-size.patch
@@ -0,0 +1,50 @@
+diff -rupN cryptsetup-1.7.4.bcp/lib/utils.c cryptsetup-1.7.4/lib/utils.c
+--- cryptsetup-1.7.4.bcp/lib/utils.c 2017-10-18 11:39:01.694902755 +0200
++++ cryptsetup-1.7.4/lib/utils.c 2017-10-18 11:48:16.584868357 +0200
+@@ -252,21 +252,21 @@ ssize_t write_lseek_blockwise(int fd, in
+ if (!frontPadBuf)
+ goto out;
+
+- r = read_buffer(fd, frontPadBuf, bsize);
+- if (r < 0 || r != bsize)
+- goto out;
+-
+ innerCount = bsize - frontHang;
+ if (innerCount > count)
+ innerCount = count;
+
++ r = read_buffer(fd, frontPadBuf, bsize);
++ if (r < (frontHang + innerCount))
++ goto out;
++
+ memcpy(frontPadBuf + frontHang, buf, innerCount);
+
+ if (lseek(fd, offset - frontHang, SEEK_SET) < 0)
+ goto out;
+
+- r = write_buffer(fd, frontPadBuf, bsize);
+- if (r < 0 || r != bsize)
++ r = write_buffer(fd, frontPadBuf, frontHang + innerCount);
++ if (r != (frontHang + innerCount))
+ goto out;
+
+ buf = (char*)buf + innerCount;
+@@ -311,14 +311,14 @@ ssize_t read_lseek_blockwise(int fd, int
+ if (!frontPadBuf)
+ return ret;
+
+- r = read_buffer(fd, frontPadBuf, bsize);
+- if (r < 0 || r != bsize)
+- goto out;
+-
+ innerCount = bsize - frontHang;
+ if (innerCount > count)
+ innerCount = count;
+
++ r = read_buffer(fd, frontPadBuf, bsize);
++ if (r < (frontHang + innerCount))
++ goto out;
++
+ memcpy(buf, frontPadBuf + frontHang, innerCount);
+
+ buf = (char*)buf + innerCount;
diff --git a/SOURCES/cryptsetup-2.0.4-add-blkid-utilities-for-fast-detection-of-device-sig.patch b/SOURCES/cryptsetup-2.0.4-add-blkid-utilities-for-fast-detection-of-device-sig.patch
new file mode 100644
index 0000000..16a3ed6
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-add-blkid-utilities-for-fast-detection-of-device-sig.patch
@@ -0,0 +1,306 @@
+From 12d00da84239c3dcc4560dc60a0c36d534908cc0 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Wed, 4 Jul 2018 15:39:11 +0200
+Subject: [PATCH 1/6] Add blkid utilities for fast detection of device
+ signatures.
+
+---
+ configure.ac | 21 ++++++++
+ lib/Makemodule.am | 5 +-
+ lib/utils_blkid.c | 158 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ lib/utils_blkid.h | 48 +++++++++++++++++
+ 4 files changed, 231 insertions(+), 1 deletion(-)
+ create mode 100644 lib/utils_blkid.c
+ create mode 100644 lib/utils_blkid.h
+
+diff --git a/configure.ac b/configure.ac
+index 05da6d6..31508d0 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -415,6 +415,26 @@ if test x$enable_internal_argon2 = xyes ; then
+ fi
+ AM_CONDITIONAL(CRYPTO_INTERNAL_ARGON2, test x$enable_internal_argon2 = xyes)
+
++dnl Link with blkid to check for other device types
++AC_ARG_ENABLE(blkid, AS_HELP_STRING([--disable-blkid],
++ [disable use of blkid for device signature detection and wiping.]), [], [enable_blkid=yes])
++
++if test x$enable_blkid = xyes ; then
++ PKG_CHECK_MODULES([BLKID], [blkid],[AC_DEFINE([HAVE_BLKID], 1, [Define to 1 to use blkid for detection of disk signatures.])],[LIBBLKID_LIBS="-lblkid"])
++
++ AC_CHECK_HEADERS(blkid/blkid.h,,[AC_MSG_ERROR([You need blkid development library installed.])])
++ AC_CHECK_DECLS([ blkid_reset_probe,
++ blkid_probe_set_device,
++ blkid_probe_filter_superblocks_type,
++ blkid_do_safeprobe,
++ blkid_do_probe,
++ blkid_probe_lookup_value
++ ],,
++ [AC_MSG_ERROR([Can not compile with blkid support, disable it by --disable-blkid.])],
++ [#include <blkid/blkid.h>])
++fi
++AM_CONDITIONAL(HAVE_BLKID, test x$enable_blkid = xyes)
++
+ dnl Magic for cryptsetup.static build.
+ if test x$enable_static_cryptsetup = xyes; then
+ saved_PKG_CONFIG=$PKG_CONFIG
+@@ -465,6 +485,7 @@ AC_SUBST([CRYPTO_STATIC_LIBS])
+
+ AC_SUBST([JSON_C_LIBS])
+ AC_SUBST([LIBARGON2_LIBS])
++AC_SUBST([BLKID_LIBS])
+
+ AC_SUBST([LIBCRYPTSETUP_VERSION])
+ AC_SUBST([LIBCRYPTSETUP_VERSION_INFO])
+diff --git a/lib/Makemodule.am b/lib/Makemodule.am
+index 5e20039..26178b8 100644
+--- a/lib/Makemodule.am
++++ b/lib/Makemodule.am
+@@ -30,6 +30,7 @@ libcryptsetup_la_LIBADD = \
+ @CRYPTO_LIBS@ \
+ @LIBARGON2_LIBS@ \
+ @JSON_C_LIBS@ \
++ @BLKID_LIBS@ \
+ libcrypto_backend.la
+
+ libcryptsetup_la_SOURCES = \
+@@ -92,4 +93,6 @@ libcryptsetup_la_SOURCES = \
+ lib/luks2/luks2_token_keyring.c \
+ lib/luks2/luks2_token.c \
+ lib/luks2/luks2_internal.h \
+- lib/luks2/luks2.h
++ lib/luks2/luks2.h \
++ lib/utils_blkid.c \
++ lib/utils_blkid.h
+diff --git a/lib/utils_blkid.c b/lib/utils_blkid.c
+new file mode 100644
+index 0000000..7425bc5
+--- /dev/null
++++ b/lib/utils_blkid.c
+@@ -0,0 +1,158 @@
++/*
++ * blkid probe utilities
++ *
++ * Copyright (C) 2018, Red Hat, Inc. All rights reserved.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License
++ * as published by the Free Software Foundation; either version 2
++ * of the License, or (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write to the Free Software
++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++ */
++
++#include <errno.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++
++#include "utils_blkid.h"
++
++#ifdef HAVE_BLKID
++#include <blkid/blkid.h>
++struct blkid_handle {
++ int fd;
++ blkid_probe pr;
++};
++#endif
++
++void blk_set_chains_for_fast_detection(struct blkid_handle *h)
++{
++#ifdef HAVE_BLKID
++ blkid_probe_enable_partitions(h->pr, 1);
++ blkid_probe_set_partitions_flags(h->pr, 0);
++
++ blkid_probe_enable_superblocks(h->pr, 1);
++ blkid_probe_set_superblocks_flags(h->pr, BLKID_SUBLKS_TYPE);
++#endif
++}
++
++int blk_init_by_path(struct blkid_handle **h, const char *path)
++{
++ int r = -ENOTSUP;
++#ifdef HAVE_BLKID
++ struct blkid_handle *tmp = malloc(sizeof(*tmp));
++ if (!tmp)
++ return -ENOMEM;
++
++ tmp->fd = -1;
++
++ tmp->pr = blkid_new_probe_from_filename(path);
++ if (!tmp->pr) {
++ free(tmp);
++ return -EINVAL;
++ }
++
++ *h = tmp;
++
++ r = 0;
++#endif
++ return r;
++}
++
++int blk_superblocks_filter_luks(struct blkid_handle *h)
++{
++ int r = -ENOTSUP;
++#ifdef HAVE_BLKID
++ char *luks_filter[] = {
++ "crypto_LUKS",
++ NULL
++ };
++ r = blkid_probe_filter_superblocks_type(h->pr, BLKID_FLTR_NOTIN, luks_filter);
++#endif
++ return r;
++}
++
++blk_probe_status blk_safeprobe(struct blkid_handle *h)
++{
++ int r = -1;
++#ifdef HAVE_BLKID
++ r = blkid_do_safeprobe(h->pr);
++#endif
++ switch (r) {
++ case -2:
++ return PRB_AMBIGUOUS;
++ case 1:
++ return PRB_EMPTY;
++ case 0:
++ return PRB_OK;
++ default:
++ return PRB_FAIL;
++ }
++}
++
++int blk_is_partition(struct blkid_handle *h)
++{
++ int r = 0;
++#ifdef HAVE_BLKID
++ r = blkid_probe_has_value(h->pr, "PTTYPE");
++#endif
++ return r;
++}
++
++int blk_is_superblock(struct blkid_handle *h)
++{
++ int r = 0;
++#ifdef HAVE_BLKID
++ r = blkid_probe_has_value(h->pr, "TYPE");
++#endif
++ return r;
++}
++
++const char *blk_get_partition_type(struct blkid_handle *h)
++{
++ const char *value = NULL;
++#ifdef HAVE_BLKID
++ (void) blkid_probe_lookup_value(h->pr, "PTTYPE", &value, NULL);
++#endif
++ return value;
++}
++
++const char *blk_get_superblock_type(struct blkid_handle *h)
++{
++ const char *value = NULL;
++#ifdef HAVE_BLKID
++ (void) blkid_probe_lookup_value(h->pr, "TYPE", &value, NULL);
++#endif
++ return value;
++}
++
++void blk_free(struct blkid_handle *h)
++{
++#ifdef HAVE_BLKID
++ if (!h)
++ return;
++
++ if (h->pr)
++ blkid_free_probe(h->pr);
++
++ free(h);
++#endif
++}
++
++int blk_supported(void)
++{
++ int r = 0;
++#ifdef HAVE_BLKID
++ r = 1;
++#endif
++ return r;
++}
+diff --git a/lib/utils_blkid.h b/lib/utils_blkid.h
+new file mode 100644
+index 0000000..d18b0a0
+--- /dev/null
++++ b/lib/utils_blkid.h
+@@ -0,0 +1,48 @@
++/*
++ * blkid probe utilities
++ *
++ * Copyright (C) 2018, Red Hat, Inc. All rights reserved.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License
++ * as published by the Free Software Foundation; either version 2
++ * of the License, or (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write to the Free Software
++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++ */
++
++#ifndef _UTILS_BLKID_H
++#define _UTILS_BLKID_H
++
++struct blkid_handle;
++
++typedef enum { PRB_OK = 0, PRB_EMPTY, PRB_AMBIGUOUS, PRB_FAIL } blk_probe_status;
++
++int blk_init_by_path(struct blkid_handle **h, const char *path);
++
++void blk_free(struct blkid_handle *h);
++
++void blk_set_chains_for_fast_detection(struct blkid_handle *h);
++
++int blk_superblocks_filter_luks(struct blkid_handle *h);
++
++blk_probe_status blk_safeprobe(struct blkid_handle *h);
++
++int blk_is_partition(struct blkid_handle *h);
++
++int blk_is_superblock(struct blkid_handle *h);
++
++const char *blk_get_partition_type(struct blkid_handle *h);
++
++const char *blk_get_superblock_type(struct blkid_handle *h);
++
++int blk_supported(void);
++
++#endif
+--
+1.8.3.1
+
+--- cryptsetup-2.0.3.old/aclocal.m4 2018-05-03 21:36:53.000000000 +0200
++++ cryptsetup-2.0.3/aclocal.m4 2018-07-16 15:37:34.935817650 +0200
+@@ -31,7 +31,7 @@ To do so, use the procedure documented b
+ # WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
+ # implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ #
+-# Last-changed: 2014-10-02
++# Last-changed: 2018-07-16
+
+
+ dnl AM_PATH_LIBGCRYPT([MINIMUM-VERSION,
diff --git a/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-to-override-blkid-checks.patch b/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-to-override-blkid-checks.patch
new file mode 100644
index 0000000..31737aa
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-to-override-blkid-checks.patch
@@ -0,0 +1,131 @@
+From b82eaf14f7a01cfd542cb95fe97b8d3a22d5ba8f Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Thu, 28 Jun 2018 15:48:13 +0200
+Subject: [PATCH 3/6] Allow LUKS2 repair to override blkid checks.
+
+Allow user to run cryptsetup repair command and explicitly do
+repair on corrupted LUKS2 headers where blkid decides it's no longer
+a LUKS2 device.
+---
+ lib/luks2/luks2.h | 2 +-
+ lib/luks2/luks2_json_metadata.c | 13 +++++++------
+ lib/setup.c | 10 +++++-----
+ 3 files changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/lib/luks2/luks2.h b/lib/luks2/luks2.h
+index ee57b41..c431e8f 100644
+--- a/lib/luks2/luks2.h
++++ b/lib/luks2/luks2.h
+@@ -131,7 +131,7 @@ struct luks2_keyslot_params {
+ int LUKS2_hdr_version_unlocked(struct crypt_device *cd,
+ const char *backup_file);
+
+-int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr);
++int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, int repair);
+ int LUKS2_hdr_write(struct crypt_device *cd, struct luks2_hdr *hdr);
+ int LUKS2_hdr_dump(struct crypt_device *cd, struct luks2_hdr *hdr);
+
+diff --git a/lib/luks2/luks2_json_metadata.c b/lib/luks2/luks2_json_metadata.c
+index 125cad9..0fd6340 100644
+--- a/lib/luks2/luks2_json_metadata.c
++++ b/lib/luks2/luks2_json_metadata.c
+@@ -842,7 +842,8 @@ int LUKS2_hdr_validate(json_object *hdr_jobj)
+ return 0;
+ }
+
+-int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr)
++/* FIXME: should we expose do_recovery parameter explicitly? */
++int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, int repair)
+ {
+ int r;
+
+@@ -853,7 +854,7 @@ int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr)
+ return r;
+ }
+
+- r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, 1);
++ r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, !repair);
+ if (r == -EAGAIN) {
+ /* unlikely: auto-recovery is required and failed due to read lock being held */
+ device_read_unlock(crypt_metadata_device(cd));
+@@ -865,7 +866,7 @@ int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr)
+ return r;
+ }
+
+- r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, 1);
++ r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, !repair);
+
+ device_write_unlock(crypt_metadata_device(cd));
+ } else
+@@ -1050,7 +1051,7 @@ int LUKS2_hdr_restore(struct crypt_device *cd, struct luks2_hdr *hdr,
+ return r;
+ }
+
+- r = LUKS2_disk_hdr_read(cd, &hdr_file, backup_device, 0);
++ r = LUKS2_disk_hdr_read(cd, &hdr_file, backup_device, 0, 0);
+ device_read_unlock(backup_device);
+ device_free(backup_device);
+
+@@ -1089,7 +1090,7 @@ int LUKS2_hdr_restore(struct crypt_device *cd, struct luks2_hdr *hdr,
+ close(devfd);
+ devfd = -1;
+
+- r = LUKS2_hdr_read(cd, &tmp_hdr);
++ r = LUKS2_hdr_read(cd, &tmp_hdr, 0);
+ if (r == 0) {
+ log_dbg("Device %s already contains LUKS2 header, checking UUID and requirements.", device_path(device));
+ r = LUKS2_config_get_requirements(cd, &tmp_hdr, &reqs);
+@@ -1176,7 +1177,7 @@ out:
+
+ if (!r) {
+ LUKS2_hdr_free(hdr);
+- r = LUKS2_hdr_read(cd, hdr);
++ r = LUKS2_hdr_read(cd, hdr, 1);
+ }
+
+ return r;
+diff --git a/lib/setup.c b/lib/setup.c
+index fddbe7e..a9b2eba 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -644,16 +644,16 @@ struct crypt_pbkdf_type *crypt_get_pbkdf(struct crypt_device *cd)
+ /*
+ * crypt_load() helpers
+ */
+-static int _crypt_load_luks2(struct crypt_device *cd, int reload)
++static int _crypt_load_luks2(struct crypt_device *cd, int reload, int repair)
+ {
+ int r;
+ char tmp_cipher[MAX_CIPHER_LEN], tmp_cipher_mode[MAX_CIPHER_LEN],
+ *cipher = NULL, *cipher_mode = NULL, *type = NULL;
+ struct luks2_hdr hdr2 = {};
+
+- log_dbg("%soading LUKS2 header.", reload ? "Rel" : "L");
++ log_dbg("%soading LUKS2 header (repair %sabled).", reload ? "Rel" : "L", repair ? "en" : "dis");
+
+- r = LUKS2_hdr_read(cd, &hdr2);
++ r = LUKS2_hdr_read(cd, &hdr2, repair);
+ if (r)
+ return r;
+
+@@ -713,7 +713,7 @@ static void _luks2_reload(struct crypt_device *cd)
+ if (!cd || !isLUKS2(cd->type))
+ return;
+
+- (void) _crypt_load_luks2(cd, 1);
++ (void) _crypt_load_luks2(cd, 1, 0);
+ }
+
+ static int _crypt_load_luks(struct crypt_device *cd, const char *requested_type,
+@@ -768,7 +768,7 @@ static int _crypt_load_luks(struct crypt_device *cd, const char *requested_type,
+ return -EINVAL;
+ }
+
+- r = _crypt_load_luks2(cd, cd->type != NULL);
++ r = _crypt_load_luks2(cd, cd->type != NULL, repair);
+ } else
+ r = -EINVAL;
+ out:
+--
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-with-disabled-locks.patch b/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-with-disabled-locks.patch
new file mode 100644
index 0000000..a5d5258
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-with-disabled-locks.patch
@@ -0,0 +1,26 @@
+From c6dc8dd86c797b982d47ebb918367b4575d59dad Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Mon, 9 Jul 2018 18:43:02 +0200
+Subject: [PATCH 6/6] Allow LUKS2 repair with disabled locks.
+
+---
+ lib/luks2/luks2_disk_metadata.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/luks2/luks2_disk_metadata.c b/lib/luks2/luks2_disk_metadata.c
+index 6ca9d5e..bd5223f 100644
+--- a/lib/luks2/luks2_disk_metadata.c
++++ b/lib/luks2/luks2_disk_metadata.c
+@@ -592,7 +592,8 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
+ int i, r;
+ uint64_t hdr_size;
+
+- if (do_recovery && !crypt_metadata_locking_enabled()) {
++ /* Skip auto-recovery if locks are disabled and we're not doing LUKS2 explicit repair */
++ if (do_recovery && do_blkprobe && !crypt_metadata_locking_enabled()) {
+ do_recovery = 0;
+ log_dbg("Disabling header auto-recovery due to locking being disabled.");
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.4-allow-explicit-LUKS2-repair.patch b/SOURCES/cryptsetup-2.0.4-allow-explicit-LUKS2-repair.patch
new file mode 100644
index 0000000..5dc1782
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-allow-explicit-LUKS2-repair.patch
@@ -0,0 +1,44 @@
+From 4b3b6b07ad42ebab346f0fe343aab2a14cd5a9da Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Mon, 9 Jul 2018 17:18:17 +0200
+Subject: [PATCH 4/6] Allow explicit LUKS2 repair.
+
+Also moves FIXME comment lower to LUKS2 code with note that currently it's
+safe to do crypt_repair on LUKS2 format without paying attention to LUKS2
+requirements.
+---
+ lib/setup.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/lib/setup.c b/lib/setup.c
+index a9b2eba..952fa0e 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -768,6 +768,14 @@ static int _crypt_load_luks(struct crypt_device *cd, const char *requested_type,
+ return -EINVAL;
+ }
+
++ /*
++ * Current LUKS2 repair just overrides blkid probes
++ * and perform auto-recovery if possible. This is safe
++ * unless future LUKS2 repair code do something more
++ * sophisticated. In such case we would need to check
++ * for LUKS2 requirements and decide if it's safe to
++ * perform repair.
++ */
+ r = _crypt_load_luks2(cd, cd->type != NULL, repair);
+ } else
+ r = -EINVAL;
+@@ -2023,8 +2031,7 @@ int crypt_repair(struct crypt_device *cd,
+ if (!crypt_metadata_device(cd))
+ return -EINVAL;
+
+- /* FIXME LUKS2 (if so it also must respect LUKS2 requirements) */
+- if (requested_type && !isLUKS1(requested_type))
++ if (requested_type && !isLUKS(requested_type))
+ return -EINVAL;
+
+ /* Load with repair */
+--
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.4-dracut-reencrypt.patch b/SOURCES/cryptsetup-2.0.4-dracut-reencrypt.patch
new file mode 100644
index 0000000..abca3a3
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-dracut-reencrypt.patch
@@ -0,0 +1,106 @@
+From 1b9148f12f85f326cb8127665ecfc2136c9822d5 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Wed, 18 Oct 2017 09:57:03 +0200
+Subject: [PATCH] dracut-reencrypt: add --progress-frequency parameter
+
+---
+ misc/dracut_90reencrypt/reencrypt.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/misc/dracut_90reencrypt/reencrypt.sh b/misc/dracut_90reencrypt/reencrypt.sh
+index e6f87e0..b4960d7 100755
+--- a/misc/dracut_90reencrypt/reencrypt.sh
++++ b/misc/dracut_90reencrypt/reencrypt.sh
+@@ -18,7 +18,7 @@ else
+ device="$1"
+ fi
+
+-PARAMS="$device -T 1 --use-fsync -B 32"
++PARAMS="$device -T 1 --use-fsync --progress-frequency 5 -B 32"
+ if [ "$3" != "any" ]; then
+ PARAMS="$PARAMS -S $3"
+ fi
+--
+1.8.3.1
+
+From cda0a8ac7f30f120cdf5fadf16484715e8f9a040 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Thu, 19 Jul 2018 17:33:58 +0200
+Subject: [PATCH 2/2] Indicate running in initrd phase.
+
+---
+ misc/dracut_90reencrypt/reencrypt.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/misc/dracut_90reencrypt/reencrypt.sh b/misc/dracut_90reencrypt/reencrypt.sh
+index e6f87e0..24c7716 100755
+--- a/misc/dracut_90reencrypt/reencrypt.sh
++++ b/misc/dracut_90reencrypt/reencrypt.sh
+@@ -11,6 +11,8 @@
+
+ . /lib/dracut-lib.sh
+
++export CRYPT_REENCRYPT_IN_INITRD=1
++
+ # if device name is /dev/dm-X, convert to /dev/mapper/name
+ if [ "${1##/dev/dm-}" != "$1" ]; then
+ device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"
+--
+1.8.3.1
+
+From 5da5e7f095e09c9501179864f6a20293dd9cada5 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Mon, 16 Jul 2018 17:17:45 +0200
+Subject: [PATCH] Redirect stdout to stderr during reencryption in initrd.
+
+Stdout is not printed in initrd unless user invokes debug mode.
+It's inconvenient to have users waiting for reencryption to
+finish with no input at all.
+---
+ misc/dracut_90reencrypt/module-setup.sh | 1 +
+ misc/dracut_90reencrypt/reencrypt-verbose.sh | 5 +++++
+ misc/dracut_90reencrypt/reencrypt.sh | 4 ++--
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+ create mode 100755 misc/dracut_90reencrypt/reencrypt-verbose.sh
+
+diff --git a/misc/dracut_90reencrypt/module-setup.sh b/misc/dracut_90reencrypt/module-setup.sh
+index 2ec9953..fcd7c92 100755
+--- a/misc/dracut_90reencrypt/module-setup.sh
++++ b/misc/dracut_90reencrypt/module-setup.sh
+@@ -28,4 +28,5 @@ install() {
+ # shellcheck disable=SC2154
+ inst_hook cmdline 30 "$moddir/parse-reencrypt.sh"
+ inst_simple "$moddir"/reencrypt.sh /sbin/reencrypt
++ inst_simple "$moddir"/reencrypt-verbose.sh /sbin/cryptsetup-reencrypt-verbose
+ }
+diff --git a/misc/dracut_90reencrypt/reencrypt-verbose.sh b/misc/dracut_90reencrypt/reencrypt-verbose.sh
+new file mode 100755
+index 0000000..5db75d5
+--- /dev/null
++++ b/misc/dracut_90reencrypt/reencrypt-verbose.sh
+@@ -0,0 +1,5 @@
++#!/bin/sh
++
++# Route stdout to stderr in initrd. Otherwise output is invisible
++# unless we run in debug mode.
++/sbin/cryptsetup-reencrypt $@ 1>&2
+diff --git a/misc/dracut_90reencrypt/reencrypt.sh b/misc/dracut_90reencrypt/reencrypt.sh
+index b4960d7..4243773 100755
+--- a/misc/dracut_90reencrypt/reencrypt.sh
++++ b/misc/dracut_90reencrypt/reencrypt.sh
+@@ -50,10 +50,10 @@ reenc_run() {
+ fi
+ /bin/plymouth ask-for-password \
+ --prompt "$_prompt" \
+- --command="/sbin/cryptsetup-reencrypt $PARAMS"
++ --command="/sbin/cryptsetup-reencrypt-verbose $PARAMS"
+ else
+ info "REENCRYPT using key $1"
+- reenc_readkey "$1" | /sbin/cryptsetup-reencrypt -d - $PARAMS
++ reenc_readkey "$1" | /sbin/cryptsetup-reencrypt-verbose -d - $PARAMS
+ fi
+ _ret=$?
+ cd $cwd
+--
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.4-fix-LUKS2-api-test.patch b/SOURCES/cryptsetup-2.0.4-fix-LUKS2-api-test.patch
new file mode 100644
index 0000000..1c80967
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-fix-LUKS2-api-test.patch
@@ -0,0 +1,14 @@
+diff -rupN cryptsetup-2.0.3.old/tests/api-test-2.c cryptsetup-2.0.3/tests/api-test-2.c
+--- cryptsetup-2.0.3.old/tests/api-test-2.c 2019-03-27 21:31:18.684160803 +0100
++++ cryptsetup-2.0.3/tests/api-test-2.c 2019-03-27 21:32:14.762630391 +0100
+@@ -2514,8 +2514,8 @@ static void Luks2Requirements(void)
+ FAIL_((r = crypt_set_label(cd, "label", "subsystem")), "Unmet requirements detected");
+ EQ_(r, -ETXTBSY);
+
+- /* crypt_repair (not implemented for luks2) */
+- FAIL_(crypt_repair(cd, CRYPT_LUKS2, NULL), "Not implemented");
++ /* crypt_repair (with current repair capabilities it's unrestricted) */
++ OK_(crypt_repair(cd, CRYPT_LUKS2, NULL));
+
+ /* crypt_keyslot_add_passphrase (restricted) */
+ FAIL_((r = crypt_keyslot_add_by_passphrase(cd, CRYPT_ANY_SLOT, "aaa", 3, "bbb", 3)), "Unmet requirements detected");
diff --git a/SOURCES/cryptsetup-2.0.4-fix-write_blockwise-on-short-files.patch b/SOURCES/cryptsetup-2.0.4-fix-write_blockwise-on-short-files.patch
new file mode 100644
index 0000000..8821a14
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-fix-write_blockwise-on-short-files.patch
@@ -0,0 +1,40 @@
+From 63d66e7a3356da4bca77f521fd93df7cdf09b41a Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Tue, 19 Jun 2018 15:10:33 +0200
+Subject: [PATCH 3/4] Fix write_blockwise on short files.
+
+see unit test write_blockwise(length=2097153, bsize=4096), on x86
+with original test file size=2097152.
+
+The test is trying to write_blockwise 1 more byte than actual file
+size.
+---
+ lib/utils_io.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/lib/utils_io.c b/lib/utils_io.c
+index 8336b18..e0c2381 100644
+--- a/lib/utils_io.c
++++ b/lib/utils_io.c
+@@ -105,15 +105,13 @@ ssize_t write_blockwise(int fd, size_t bsize, size_t alignment,
+ if (hangover) {
+ if (posix_memalign(&hangover_buf, alignment, bsize))
+ goto out;
++ memset(hangover_buf, 0, bsize);
+
+ r = read_buffer(fd, hangover_buf, bsize);
+- if (r < 0 || r < (ssize_t)hangover)
++ if (r < 0)
+ goto out;
+
+- if (r < (ssize_t)bsize)
+- bsize = r;
+-
+- if (lseek(fd, -(off_t)bsize, SEEK_CUR) < 0)
++ if (lseek(fd, -(off_t)r, SEEK_CUR) < 0)
+ goto out;
+
+ memcpy(hangover_buf, (char*)buf + solid, hangover);
+--
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.4-fix-write_lseek_blockwise-for-in-the-middle-of-secto.patch b/SOURCES/cryptsetup-2.0.4-fix-write_lseek_blockwise-for-in-the-middle-of-secto.patch
new file mode 100644
index 0000000..92f889b
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-fix-write_lseek_blockwise-for-in-the-middle-of-secto.patch
@@ -0,0 +1,32 @@
+From 6392be68c4d481148e20dbc2a8380cc246f27ad1 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Tue, 19 Jun 2018 14:45:45 +0200
+Subject: [PATCH 2/4] Fix write_lseek_blockwise for in the middle of sector
+ case.
+
+See unit test write_lseek_blockwise(bsize=512, offset=1, length=1).
+
+The test tries to modify single byte at offset 1 of device with
+bsize=512.
+---
+ lib/utils_io.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/utils_io.c b/lib/utils_io.c
+index 94c4ef6..8336b18 100644
+--- a/lib/utils_io.c
++++ b/lib/utils_io.c
+@@ -216,8 +216,8 @@ ssize_t write_lseek_blockwise(int fd, size_t bsize, size_t alignment,
+ if (lseek(fd, offset - frontHang, SEEK_SET) < 0)
+ goto out;
+
+- r = write_buffer(fd, frontPadBuf, frontHang + innerCount);
+- if (r < 0 || r != (ssize_t)(frontHang + innerCount))
++ r = write_buffer(fd, frontPadBuf, bsize);
++ if (r < 0 || r != (ssize_t)bsize)
+ goto out;
+
+ buf = (char*)buf + innerCount;
+--
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.4-make-LUKS2-auto-recovery-aware-of-device-signatures.patch b/SOURCES/cryptsetup-2.0.4-make-LUKS2-auto-recovery-aware-of-device-signatures.patch
new file mode 100644
index 0000000..c472424
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-make-LUKS2-auto-recovery-aware-of-device-signatures.patch
@@ -0,0 +1,164 @@
+From 078ed81d14904f48a6237646050ba5eb74d702b7 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Wed, 4 Jul 2018 15:58:09 +0200
+Subject: [PATCH 2/6] Make LUKS2 auto-recovery aware of device signatures.
+
+auto-recovery triggers any time when only single correct LUKS2
+header instance was found. That may be dangerous.
+
+We should suppress auto-recovery in case blkid decided the
+device is no longer LUKS device. For example if secondary (intact)
+LUKS2 header was left behind and blkid declares the device is LVM2
+member.
+
+Moreover if at least one header instance is corrupted and blkid
+declares device non-empty and non-LUKS in the same time, header load
+operation will be aborted with error.
+---
+ lib/internal.h | 1 +
+ lib/luks2/luks2_disk_metadata.c | 61 ++++++++++++++++++++++++++++++++++++++++-
+ lib/luks2/luks2_internal.h | 2 +-
+ lib/luks2/luks2_json_metadata.c | 4 +--
+ 4 files changed, 64 insertions(+), 4 deletions(-)
+
+diff --git a/lib/internal.h b/lib/internal.h
+index 07a1a08..e6d2323 100644
+--- a/lib/internal.h
++++ b/lib/internal.h
+@@ -32,6 +32,7 @@
+
+ #include "nls.h"
+ #include "bitops.h"
++#include "utils_blkid.h"
+ #include "utils_crypt.h"
+ #include "utils_loop.h"
+ #include "utils_dm.h"
+diff --git a/lib/luks2/luks2_disk_metadata.c b/lib/luks2/luks2_disk_metadata.c
+index 4d9bce2..6ca9d5e 100644
+--- a/lib/luks2/luks2_disk_metadata.c
++++ b/lib/luks2/luks2_disk_metadata.c
+@@ -531,12 +531,59 @@ static json_object *parse_and_validate_json(const char *json_area, int length)
+ return jobj;
+ }
+
++static int detect_device_signatures(const char *path)
++{
++ blk_probe_status prb_state;
++ int r;
++ struct blkid_handle *h;
++
++ if (!blk_supported()) {
++ log_dbg("Blkid probing of device signatures disabled.");
++ return 0;
++ }
++
++ if ((r = blk_init_by_path(&h, path))) {
++ log_dbg("Failed to initialize blkid_handle by path.");
++ return -EINVAL;
++ }
++
++ /* We don't care about details. Be fast. */
++ blk_set_chains_for_fast_detection(h);
++
++ /* Filter out crypto_LUKS. we don't care now */
++ blk_superblocks_filter_luks(h);
++
++ prb_state = blk_safeprobe(h);
++
++ switch (prb_state) {
++ case PRB_AMBIGUOUS:
++ log_dbg("Blkid probe couldn't decide device type unambiguously.");
++ /* fall through */
++ case PRB_FAIL:
++ log_dbg("Blkid probe failed.");
++ r = -EINVAL;
++ break;
++ case PRB_OK: /* crypto_LUKS type is filtered out */
++ r = -EINVAL;
++
++ if (blk_is_partition(h))
++ log_dbg("Blkid probe detected partition type '%s'", blk_get_partition_type(h));
++ else if (blk_is_superblock(h))
++ log_dbg("blkid probe detected superblock type '%s'", blk_get_superblock_type(h));
++ break;
++ case PRB_EMPTY:
++ log_dbg("Blkid probe detected no foreign device signature.");
++ }
++ blk_free(h);
++ return r;
++}
++
+ /*
+ * Read and convert on-disk LUKS2 header to in-memory representation..
+ * Try to do recovery if on-disk state is not consistent.
+ */
+ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
+- struct device *device, int do_recovery)
++ struct device *device, int do_recovery, int do_blkprobe)
+ {
+ enum { HDR_OK, HDR_OBSOLETE, HDR_FAIL, HDR_FAIL_IO } state_hdr1, state_hdr2;
+ struct luks2_hdr_disk hdr_disk1, hdr_disk2;
+@@ -616,6 +663,12 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
+ if (state_hdr1 == HDR_OK && state_hdr2 != HDR_OK) {
+ log_dbg("Secondary LUKS2 header requires recovery.");
+
++ if (do_blkprobe && (r = detect_device_signatures(device_path(device)))) {
++ log_err(cd, _("Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
++ "Please run \"cryptsetup repair\" for recovery."));
++ goto err;
++ }
++
+ if (do_recovery) {
+ memcpy(&hdr_disk2, &hdr_disk1, LUKS2_HDR_BIN_LEN);
+ r = crypt_random_get(NULL, (char*)hdr_disk2.salt, sizeof(hdr_disk2.salt), CRYPT_RND_SALT);
+@@ -631,6 +684,12 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
+ } else if (state_hdr1 != HDR_OK && state_hdr2 == HDR_OK) {
+ log_dbg("Primary LUKS2 header requires recovery.");
+
++ if (do_blkprobe && (r = detect_device_signatures(device_path(device)))) {
++ log_err(cd, _("Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
++ "Please run \"cryptsetup repair\" for recovery."));
++ goto err;
++ }
++
+ if (do_recovery) {
+ memcpy(&hdr_disk1, &hdr_disk2, LUKS2_HDR_BIN_LEN);
+ r = crypt_random_get(NULL, (char*)hdr_disk1.salt, sizeof(hdr_disk1.salt), CRYPT_RND_SALT);
+diff --git a/lib/luks2/luks2_internal.h b/lib/luks2/luks2_internal.h
+index e9beab8..dcabed7 100644
+--- a/lib/luks2/luks2_internal.h
++++ b/lib/luks2/luks2_internal.h
+@@ -42,7 +42,7 @@
+ * On-disk access function prototypes
+ */
+ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
+- struct device *device, int do_recovery);
++ struct device *device, int do_recovery, int do_blkprobe);
+ int LUKS2_disk_hdr_write(struct crypt_device *cd, struct luks2_hdr *hdr,
+ struct device *device);
+
+diff --git a/lib/luks2/luks2_json_metadata.c b/lib/luks2/luks2_json_metadata.c
+index 362388e..125cad9 100644
+--- a/lib/luks2/luks2_json_metadata.c
++++ b/lib/luks2/luks2_json_metadata.c
+@@ -853,7 +853,7 @@ int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr)
+ return r;
+ }
+
+- r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1);
++ r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, 1);
+ if (r == -EAGAIN) {
+ /* unlikely: auto-recovery is required and failed due to read lock being held */
+ device_read_unlock(crypt_metadata_device(cd));
+@@ -865,7 +865,7 @@ int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr)
+ return r;
+ }
+
+- r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1);
++ r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, 1);
+
+ device_write_unlock(crypt_metadata_device(cd));
+ } else
+--
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.4-rephrase-error-message-for-invalid-type-param-in-con.patch b/SOURCES/cryptsetup-2.0.4-rephrase-error-message-for-invalid-type-param-in-con.patch
new file mode 100644
index 0000000..6c34ab8
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-rephrase-error-message-for-invalid-type-param-in-con.patch
@@ -0,0 +1,25 @@
+From b60e856087db77abbc5aa62a7f980e62b8b75029 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Tue, 17 Jul 2018 10:53:13 +0200
+Subject: [PATCH] Rephrase error message for invalid --type param in convert.
+
+---
+ src/cryptsetup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cryptsetup.c b/src/cryptsetup.c
+index fc3481d..5f8df37 100644
+--- a/src/cryptsetup.c
++++ b/src/cryptsetup.c
+@@ -1851,7 +1851,7 @@ static int action_luksConvert(void)
+ } else if (!strcmp(opt_type, "luks1")) {
+ to_type = CRYPT_LUKS1;
+ } else {
+- log_err(_("Missing LUKS target type, option --type is required."));
++ log_err(_("Invalid LUKS type, only luks1 and luks2 are supported."));
+ return -EINVAL;
+ }
+
+--
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.4-update-crypt_repair-API-documentation-for-LUKS2.patch b/SOURCES/cryptsetup-2.0.4-update-crypt_repair-API-documentation-for-LUKS2.patch
new file mode 100644
index 0000000..a2f9d2e
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-update-crypt_repair-API-documentation-for-LUKS2.patch
@@ -0,0 +1,40 @@
+From 167da99eaa9708289492e8fca2ebe4964cf5baa7 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Mon, 9 Jul 2018 17:27:55 +0200
+Subject: [PATCH 5/6] Update crypt_repair API documentation for LUKS2.
+
+---
+ lib/libcryptsetup.h | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/libcryptsetup.h b/lib/libcryptsetup.h
+index 0a7ebdb..2d959fa 100644
+--- a/lib/libcryptsetup.h
++++ b/lib/libcryptsetup.h
+@@ -624,7 +624,7 @@ int crypt_load(struct crypt_device *cd,
+ void *params);
+
+ /**
+- * Try to repair crypt device LUKS1 on-disk header if invalid.
++ * Try to repair crypt device LUKS on-disk header if invalid.
+ *
+ * @param cd crypt device handle
+ * @param requested_type @link crypt-type @endlink or @e NULL for all known
+@@ -632,9 +632,11 @@ int crypt_load(struct crypt_device *cd,
+ *
+ * @returns 0 on success or negative errno value otherwise.
+ *
+- * @note Does not support LUKS2 devices explicitly. LUKS2 header is auto-repaired
+- * (if exactly one header checksum does not match) automatically on
+- * crypt_load().
++ * @note For LUKS2 device crypt_repair bypass blkid checks and
++ * perform auto-recovery even though there're third party device
++ * signatures found by blkid probes. Currently the crypt_repair on LUKS2
++ * works only if exactly one header checksum does not match or exactly
++ * one header is missing.
+ */
+ int crypt_repair(struct crypt_device *cd,
+ const char *requested_type,
+--
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.4-update-cryptsetup-man-page-for-type-option-usage.patch b/SOURCES/cryptsetup-2.0.4-update-cryptsetup-man-page-for-type-option-usage.patch
new file mode 100644
index 0000000..d21d220
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-update-cryptsetup-man-page-for-type-option-usage.patch
@@ -0,0 +1,110 @@
+From 3f0f7acbc0dd72f1d98feb7af214cf12eb9bc47e Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Tue, 10 Jul 2018 14:36:45 +0200
+Subject: [PATCH] Update cryptsetup man page for --type option usage.
+
+Fixes #394.
+---
+ man/cryptsetup.8 | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/man/cryptsetup.8 b/man/cryptsetup.8
+index b2ef8cd..96d4fef 100644
+--- a/man/cryptsetup.8
++++ b/man/cryptsetup.8
+@@ -70,8 +70,8 @@ The following are valid actions for all supported device types.
+ .IP
+ Opens (creates a mapping with) <name> backed by device <device>.
+
+-Device type can be \fIplain\fR, \fIluks\fR (default), \fIloopaes\fR
+-or \fItcrypt\fR.
++Device type can be \fIplain\fR, \fIluks\fR (default), \fIluks1\fR, \fIluks2\fR,
++\fIloopaes\fR or \fItcrypt\fR.
+
+ For backward compatibility there are \fBopen\fR command aliases:
+
+@@ -243,7 +243,7 @@ the command prompts for it interactively.
+ \fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
+ \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase,
+ \-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id,
+-\-\-token\-only, \-\-disable\-keyring, \-\-disable\-locks].
++\-\-token\-only, \-\-disable\-keyring, \-\-disable\-locks, \-\-type].
+ .PP
+ \fIluksSuspend\fR <name>
+ .IP
+@@ -266,7 +266,7 @@ Resumes a suspended device and reinstates the encryption key.
+ Prompts interactively for a passphrase if \-\-key-file is not given.
+
+ \fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-size, \-\-header,
+-\-\-disable\-keyring,\-\-disable\-locks]
++\-\-disable\-keyring, \-\-disable\-locks, \-\-type]
+ .PP
+ \fIluksAddKey\fR <device> [<key file with new key>]
+ .IP
+@@ -285,7 +285,7 @@ is not required.
+ \-\-keyfile\-size, \-\-new\-keyfile\-offset,
+ \-\-new\-keyfile\-size, \-\-key\-slot, \-\-master\-key\-file,
+ \-\-iter\-time, \-\-force\-password, \-\-header, \-\-disable\-locks,
+-\-\-unbound].
++\-\-unbound, \-\-type].
+ .PP
+ \fIluksRemoveKey\fR <device> [<key file with passphrase to be removed>]
+ .IP
+@@ -294,7 +294,7 @@ passphrase to be removed can be specified interactively,
+ as the positional argument or via \-\-key-file.
+
+ \fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
+-\-\-keyfile\-size, \-\-header, \-\-disable\-locks]
++\-\-keyfile\-size, \-\-header, \-\-disable\-locks, \-\-type]
+
+ \fBWARNING:\fR If you read the passphrase from stdin
+ (without further argument or with '-' as an argument
+@@ -328,7 +328,7 @@ inaccessible.
+ \fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
+ \-\-keyfile\-size, \-\-new\-keyfile\-offset,
+ \-\-new\-keyfile\-size, \-\-key\-slot, \-\-force\-password, \-\-header,
+-\-\-disable\-locks].
++\-\-disable\-locks, \-\-type].
+ .PP
+ .PP
+ \fIluksConvertKey\fR <device>
+@@ -364,7 +364,7 @@ an interactive confirmation when doing so. Removing the last
+ passphrase makes a LUKS container permanently inaccessible.
+
+ \fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
+-\-\-keyfile\-size, \-\-header, \-\-disable\-locks].
++\-\-keyfile\-size, \-\-header, \-\-disable\-locks, \-\-type].
+
+ \fBWARNING:\fR If you read the passphrase from stdin
+ (without further argument or with '-' as an argument
+@@ -399,6 +399,8 @@ Set new UUID if \fI\-\-uuid\fR option is specified.
+ Returns true, if <device> is a LUKS device, false otherwise.
+ Use option \-v to get human-readable feedback. 'Command successful.'
+ means the device is a LUKS device.
++
++By specifying \-\-type you may query for specific LUKS version.
+ .PP
+ \fIluksDump\fR <device>
+ .IP
+@@ -417,7 +419,7 @@ either interactively or via \-\-key\-file.
+
+ \fB<options>\fR can be [\-\-dump\-master\-key, \-\-key\-file,
+ \-\-keyfile\-offset, \-\-keyfile\-size, \-\-header, \-\-disable\-locks,
+-\-\-master\-key\-file].
++\-\-master\-key\-file, \-\-type].
+
+ \fBWARNING:\fR If \-\-dump\-master\-key is used with \-\-key\-file
+ and the argument to \-\-key\-file is '-', no validation question
+@@ -663,7 +665,8 @@ for LUKS device type.
+ This command is useful to fix some known benign LUKS metadata
+ header corruptions. Only basic corruptions of unused keyslot
+ are fixable. This command will only change the LUKS header, not
+-any key-slot data.
++any key-slot data. You may enforce LUKS version by adding \-\-type
++option.
+
+ \fBWARNING:\fR Always create a binary backup of the original
+ header before calling this command.
+--
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.4-zero-length-lseek-blockwise-i-o-should-return-zero.patch b/SOURCES/cryptsetup-2.0.4-zero-length-lseek-blockwise-i-o-should-return-zero.patch
new file mode 100644
index 0000000..6d4d7e3
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-zero-length-lseek-blockwise-i-o-should-return-zero.patch
@@ -0,0 +1,39 @@
+From 685bcc56351b3e46b69d46118d23268b69052097 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Tue, 19 Jun 2018 14:07:20 +0200
+Subject: [PATCH 1/4] Zero length lseek blockwise i/o should return zero.
+
+Note that both functions perform seek operations aligned to sector
+boundary if possible before returning.
+
+Unaligned input offset gets aligned on first preceding sector
+boundary.
+---
+ lib/utils_io.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/utils_io.c b/lib/utils_io.c
+index 0f671d6..94c4ef6 100644
+--- a/lib/utils_io.c
++++ b/lib/utils_io.c
+@@ -199,7 +199,7 @@ ssize_t write_lseek_blockwise(int fd, size_t bsize, size_t alignment,
+ if (lseek(fd, offset - frontHang, SEEK_SET) < 0)
+ return -1;
+
+- if (frontHang) {
++ if (frontHang && length) {
+ if (posix_memalign(&frontPadBuf, alignment, bsize))
+ return -1;
+
+@@ -253,7 +253,7 @@ ssize_t read_lseek_blockwise(int fd, size_t bsize, size_t alignment,
+ if (lseek(fd, offset - frontHang, SEEK_SET) < 0)
+ return -1;
+
+- if (frontHang) {
++ if (frontHang && length) {
+ if (posix_memalign(&frontPadBuf, alignment, bsize))
+ return -1;
+
+--
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.5-fix-miscalculation-of-device-alignment-offset.patch b/SOURCES/cryptsetup-2.0.5-fix-miscalculation-of-device-alignment-offset.patch
new file mode 100644
index 0000000..d3caad8
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.5-fix-miscalculation-of-device-alignment-offset.patch
@@ -0,0 +1,28 @@
+From dd36d56d472e1ea1db74d64d2e6a8d8ece2e7a76 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Thu, 9 Aug 2018 10:26:38 +0200
+Subject: [PATCH] Fix miscalculation of device alignment offset.
+
+device_topology_alignment routine already returns alignment offset
+in bytes. There's no need to divide it by sector size, since LUKS2
+format have all offsets and sizes stored in bytes.
+---
+ lib/setup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/setup.c b/lib/setup.c
+index ff944c9..1a78d2e 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -1602,7 +1602,7 @@ static int _crypt_format_luks2(struct crypt_device *cd,
+ integrity, uuid,
+ sector_size,
+ required_alignment / sector_size,
+- alignment_offset / sector_size,
++ alignment_offset,
+ cd->metadata_device ? 1 : 0);
+ if (r < 0)
+ goto out;
+--
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.5-remove-useless-division-followed-by-multiplication-b.patch b/SOURCES/cryptsetup-2.0.5-remove-useless-division-followed-by-multiplication-b.patch
new file mode 100644
index 0000000..a03d842
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.5-remove-useless-division-followed-by-multiplication-b.patch
@@ -0,0 +1,58 @@
+From d2f0773eb8482f754d9a7599d26697efcdd25cd6 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Thu, 9 Aug 2018 10:34:17 +0200
+Subject: [PATCH] Remove useless division followed by multiplication by same
+ base.
+
+---
+ lib/luks2/luks2_json_format.c | 10 +++++-----
+ lib/setup.c | 2 +-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/lib/luks2/luks2_json_format.c b/lib/luks2/luks2_json_format.c
+index a0b72ab..4b50f89 100644
+--- a/lib/luks2/luks2_json_format.c
++++ b/lib/luks2/luks2_json_format.c
+@@ -122,9 +122,9 @@ int LUKS2_generate_hdr(
+ const char *cipherMode,
+ const char *integrity,
+ const char *uuid,
+- unsigned int sector_size,
+- unsigned int alignPayload,
+- unsigned int alignOffset,
++ unsigned int sector_size, /* in bytes */
++ unsigned int alignPayload, /* in bytes */
++ unsigned int alignOffset, /* in bytes */
+ int detached_metadata_device)
+ {
+ struct json_object *jobj_segment, *jobj_integrity, *jobj_keyslots, *jobj_segments, *jobj_config;
+@@ -182,11 +182,11 @@ int LUKS2_generate_hdr(
+ jobj_segment = json_object_new_object();
+ json_object_object_add(jobj_segment, "type", json_object_new_string("crypt"));
+ if (detached_metadata_device)
+- offset = (uint64_t)alignPayload * sector_size;
++ offset = (uint64_t)alignPayload;
+ else {
+ //FIXME
+ //offset = size_round_up(areas[7].offset + areas[7].length, alignPayload * SECTOR_SIZE);
+- offset = size_round_up(LUKS2_HDR_DEFAULT_LEN, (size_t)alignPayload * sector_size);
++ offset = size_round_up(LUKS2_HDR_DEFAULT_LEN, (size_t)alignPayload);
+ offset += alignOffset;
+ }
+
+diff --git a/lib/setup.c b/lib/setup.c
+index 1a78d2e..61bf3da 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -1601,7 +1601,7 @@ static int _crypt_format_luks2(struct crypt_device *cd,
+ cipher, cipher_mode,
+ integrity, uuid,
+ sector_size,
+- required_alignment / sector_size,
++ required_alignment,
+ alignment_offset,
+ cd->metadata_device ? 1 : 0);
+ if (r < 0)
+--
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.6-LUKS2-metadata-variation-fixes.patch b/SOURCES/cryptsetup-2.0.6-LUKS2-metadata-variation-fixes.patch
new file mode 100644
index 0000000..d78bd28
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.6-LUKS2-metadata-variation-fixes.patch
@@ -0,0 +1,202 @@
+diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c
+--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c 2019-04-03 18:55:44.392182454 +0200
++++ cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c 2019-04-03 18:56:22.567106063 +0200
+@@ -429,6 +429,7 @@ int LUKS2_token_validate(json_object *hd
+ {
+ json_object *jarr, *jobj_keyslots;
+
++ /* keyslots are not yet validated, but we need to know token doesn't reference missing keyslot */
+ if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots))
+ return 1;
+
+@@ -505,12 +506,57 @@ static int hdr_validate_tokens(json_obje
+ return 0;
+ }
+
+-static int hdr_validate_segments(json_object *hdr_jobj)
++static int hdr_validate_crypt_segment(json_object *jobj, const char *key, json_object *jobj_digests,
++ uint64_t offset, uint64_t size)
+ {
+- json_object *jobj, *jobj_digests, *jobj_offset, *jobj_ivoffset,
+- *jobj_length, *jobj_sector_size, *jobj_type, *jobj_integrity;
++ json_object *jobj_ivoffset, *jobj_sector_size, *jobj_integrity;
+ uint32_t sector_size;
+- uint64_t ivoffset, offset, length;
++ uint64_t ivoffset;
++
++ if (!(jobj_ivoffset = json_contains(jobj, key, "Segment", "iv_tweak", json_type_string)) ||
++ !json_contains(jobj, key, "Segment", "encryption", json_type_string) ||
++ !(jobj_sector_size = json_contains(jobj, key, "Segment", "sector_size", json_type_int)))
++ return 1;
++
++ /* integrity */
++ if (json_object_object_get_ex(jobj, "integrity", &jobj_integrity)) {
++ if (!json_contains(jobj, key, "Segment", "integrity", json_type_object) ||
++ !json_contains(jobj_integrity, key, "Segment integrity", "type", json_type_string) ||
++ !json_contains(jobj_integrity, key, "Segment integrity", "journal_encryption", json_type_string) ||
++ !json_contains(jobj_integrity, key, "Segment integrity", "journal_integrity", json_type_string))
++ return 1;
++ }
++
++ /* enforce uint32_t type */
++ if (!validate_json_uint32(jobj_sector_size)) {
++ log_dbg("Illegal field \"sector_size\":%s.",
++ json_object_get_string(jobj_sector_size));
++ return 1;
++ }
++
++ sector_size = json_object_get_uint32(jobj_sector_size);
++ if (!sector_size || sector_size % SECTOR_SIZE) {
++ log_dbg("Illegal sector size: %" PRIu32, sector_size);
++ return 1;
++ }
++
++ if (!numbered("iv_tweak", json_object_get_string(jobj_ivoffset)) ||
++ !json_str_to_uint64(jobj_ivoffset, &ivoffset))
++ return 1;
++
++ if (size % sector_size) {
++ log_dbg("Size field has to be aligned to sector size: %" PRIu32, sector_size);
++ return 1;
++ }
++
++ return !segment_has_digest(key, jobj_digests);
++}
++
++static int hdr_validate_segments(json_object *hdr_jobj)
++{
++ json_object *jobj, *jobj_digests, *jobj_offset, *jobj_size, *jobj_type, *jobj_flags;
++ int i;
++ uint64_t offset, size;
+
+ if (!json_object_object_get_ex(hdr_jobj, "segments", &jobj)) {
+ log_dbg("Missing segments section.");
+@@ -530,70 +576,46 @@ static int hdr_validate_segments(json_ob
+ if (!numbered("Segment", key))
+ return 1;
+
+- if (!json_contains(val, key, "Segment", "type", json_type_string) ||
++ /* those fields are mandatory for all segment types */
++ if (!(jobj_type = json_contains(val, key, "Segment", "type", json_type_string)) ||
+ !(jobj_offset = json_contains(val, key, "Segment", "offset", json_type_string)) ||
+- !(jobj_ivoffset = json_contains(val, key, "Segment", "iv_tweak", json_type_string)) ||
+- !(jobj_length = json_contains(val, key, "Segment", "size", json_type_string)) ||
+- !json_contains(val, key, "Segment", "encryption", json_type_string) ||
+- !(jobj_sector_size = json_contains(val, key, "Segment", "sector_size", json_type_int)))
+- return 1;
+-
+- /* integrity */
+- if (json_object_object_get_ex(val, "integrity", &jobj_integrity)) {
+- if (!json_contains(val, key, "Segment", "integrity", json_type_object) ||
+- !json_contains(jobj_integrity, key, "Segment integrity", "type", json_type_string) ||
+- !json_contains(jobj_integrity, key, "Segment integrity", "journal_encryption", json_type_string) ||
+- !json_contains(jobj_integrity, key, "Segment integrity", "journal_integrity", json_type_string))
+- return 1;
+- }
+-
+- /* enforce uint32_t type */
+- if (!validate_json_uint32(jobj_sector_size)) {
+- log_dbg("Illegal field \"sector_size\":%s.",
+- json_object_get_string(jobj_sector_size));
+- return 1;
+- }
+-
+- sector_size = json_object_get_uint32(jobj_sector_size);
+- if (!sector_size || sector_size % 512) {
+- log_dbg("Illegal sector size: %" PRIu32, sector_size);
++ !(jobj_size = json_contains(val, key, "Segment", "size", json_type_string)))
+ return 1;
+- }
+
+ if (!numbered("offset", json_object_get_string(jobj_offset)) ||
+- !numbered("iv_tweak", json_object_get_string(jobj_ivoffset)))
++ !json_str_to_uint64(jobj_offset, &offset))
+ return 1;
+
+- /* rule out values > UINT64_MAX */
+- if (!json_str_to_uint64(jobj_offset, &offset) ||
+- !json_str_to_uint64(jobj_ivoffset, &ivoffset))
+- return 1;
++ /* size "dynamic" means whole device starting at 'offset' */
++ if (strcmp(json_object_get_string(jobj_size), "dynamic")) {
++ if (!numbered("size", json_object_get_string(jobj_size)) ||
++ !json_str_to_uint64(jobj_size, &size) || !size)
++ return 1;
++ } else
++ size = 0;
+
+- if (offset % sector_size) {
+- log_dbg("Offset field has to be aligned to sector size: %" PRIu32, sector_size);
++ /* all device-mapper devices are aligned to 512 sector size */
++ if (offset % SECTOR_SIZE) {
++ log_dbg("Offset field has to be aligned to sector size: %" PRIu32, SECTOR_SIZE);
+ return 1;
+ }
+-
+- if (ivoffset % sector_size) {
+- log_dbg("IV offset field has to be aligned to sector size: %" PRIu32, sector_size);
++ if (size % SECTOR_SIZE) {
++ log_dbg("Size field has to be aligned to sector size: %" PRIu32, SECTOR_SIZE);
+ return 1;
+ }
+
+- /* length "dynamic" means whole device starting at 'offset' */
+- if (strcmp(json_object_get_string(jobj_length), "dynamic")) {
+- if (!numbered("size", json_object_get_string(jobj_length)) ||
+- !json_str_to_uint64(jobj_length, &length))
++ /* flags array is optional and must contain strings */
++ if (json_object_object_get_ex(val, "flags", NULL)) {
++ if (!(jobj_flags = json_contains(val, key, "Segment", "flags", json_type_array)))
+ return 1;
+-
+- if (length % sector_size) {
+- log_dbg("Length field has to be aligned to sector size: %" PRIu32, sector_size);
+- return 1;
+- }
++ for (i = 0; i < (int) json_object_array_length(jobj_flags); i++)
++ if (!json_object_is_type(json_object_array_get_idx(jobj_flags, i), json_type_string))
++ return 1;
+ }
+
+- json_object_object_get_ex(val, "type", &jobj_type);
++ /* crypt */
+ if (!strcmp(json_object_get_string(jobj_type), "crypt") &&
+- !segment_has_digest(key, jobj_digests))
++ hdr_validate_crypt_segment(val, key, jobj_digests, offset, size))
+ return 1;
+ }
+
+@@ -610,6 +632,7 @@ static int hdr_validate_areas(json_objec
+ if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots))
+ return 1;
+
++ /* segments are already validated */
+ if (!json_object_object_get_ex(hdr_jobj, "segments", &jobj_segments))
+ return 1;
+
+@@ -674,11 +697,11 @@ static int hdr_validate_digests(json_obj
+ return 1;
+ }
+
+- /* keyslots should already be validated */
++ /* keyslots are not yet validated, but we need to know digest doesn't reference missing keyslot */
+ if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots))
+ return 1;
+
+- /* segments are not validated atm, but we need to know digest doesn't reference missing segment */
++ /* segments are not yet validated, but we need to know digest doesn't reference missing segment */
+ if (!json_object_object_get_ex(hdr_jobj, "segments", &jobj_segments))
+ return 1;
+
+@@ -813,10 +836,10 @@ int LUKS2_hdr_validate(json_object *hdr_
+ struct {
+ int (*validate)(json_object *);
+ } checks[] = {
+- { hdr_validate_keyslots },
+ { hdr_validate_tokens },
+ { hdr_validate_digests },
+ { hdr_validate_segments },
++ { hdr_validate_keyslots },
+ { hdr_validate_areas },
+ { hdr_validate_config },
+ { NULL }
diff --git a/SOURCES/cryptsetup-2.0.6-check-json-size-matches-value-from-binary-LUKS2-head.patch b/SOURCES/cryptsetup-2.0.6-check-json-size-matches-value-from-binary-LUKS2-head.patch
new file mode 100644
index 0000000..6862f4e
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.6-check-json-size-matches-value-from-binary-LUKS2-head.patch
@@ -0,0 +1,139 @@
+diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_disk_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_disk_metadata.c
+--- cryptsetup-2.0.3.old/lib/luks2/luks2_disk_metadata.c 2019-03-27 21:06:52.048172644 +0100
++++ cryptsetup-2.0.3/lib/luks2/luks2_disk_metadata.c 2019-03-27 21:07:12.068978543 +0100
+@@ -204,6 +204,12 @@ static int hdr_disk_sanity_check_pre(str
+ return -EINVAL;
+ }
+
++ if (secondary && (offset != be64_to_cpu(hdr->hdr_size))) {
++ log_dbg("LUKS2 offset 0x%04x in secondary header doesn't match size 0x%04x.",
++ (unsigned)offset, (unsigned)be64_to_cpu(hdr->hdr_size));
++ return -EINVAL;
++ }
++
+ /* FIXME: sanity check checksum alg. */
+
+ log_dbg("LUKS2 header version %u of size %u bytes, checksum %s.",
+@@ -476,7 +482,7 @@ static int validate_json_area(const char
+ return 0;
+ }
+
+-static int validate_luks2_json_object(json_object *jobj_hdr)
++static int validate_luks2_json_object(json_object *jobj_hdr, uint64_t length)
+ {
+ int r;
+
+@@ -487,14 +493,14 @@ static int validate_luks2_json_object(js
+ return r;
+ }
+
+- r = LUKS2_hdr_validate(jobj_hdr);
++ r = LUKS2_hdr_validate(jobj_hdr, length);
+ if (r) {
+ log_dbg("Repairing JSON metadata.");
+ /* try to correct known glitches */
+ LUKS2_hdr_repair(jobj_hdr);
+
+ /* run validation again */
+- r = LUKS2_hdr_validate(jobj_hdr);
++ r = LUKS2_hdr_validate(jobj_hdr, length);
+ }
+
+ if (r)
+@@ -516,7 +522,7 @@ static json_object *parse_and_validate_j
+
+ r = validate_json_area(json_area, offset, length);
+ if (!r)
+- r = validate_luks2_json_object(jobj);
++ r = validate_luks2_json_object(jobj, length);
+
+ if (r) {
+ json_object_put(jobj);
+diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_internal.h cryptsetup-2.0.3/lib/luks2/luks2_internal.h
+--- cryptsetup-2.0.3.old/lib/luks2/luks2_internal.h 2019-03-27 21:06:52.048172644 +0100
++++ cryptsetup-2.0.3/lib/luks2/luks2_internal.h 2019-03-27 21:07:12.070978524 +0100
+@@ -73,7 +73,7 @@ void JSON_DBG(json_object *jobj, const c
+ json_object *json_contains(json_object *jobj, const char *name, const char *section,
+ const char *key, json_type type);
+
+-int LUKS2_hdr_validate(json_object *hdr_jobj);
++int LUKS2_hdr_validate(json_object *hdr_jobj, uint64_t length);
+ int LUKS2_keyslot_validate(json_object *hdr_jobj, json_object *hdr_keyslot, const char *key);
+ int LUKS2_check_json_size(const struct luks2_hdr *hdr);
+ int LUKS2_token_validate(json_object *hdr_jobj, json_object *jobj_token, const char *key);
+diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c
+--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c 2019-03-27 21:06:52.049172634 +0100
++++ cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c 2019-03-27 21:07:44.937659885 +0100
+@@ -446,7 +446,7 @@ int LUKS2_token_validate(json_object *hd
+ return 0;
+ }
+
+-static int hdr_validate_json_size(json_object *hdr_jobj)
++static int hdr_validate_json_size(json_object *hdr_jobj, uint64_t hdr_json_size)
+ {
+ json_object *jobj, *jobj1;
+ const char *json;
+@@ -460,12 +460,22 @@ static int hdr_validate_json_size(json_o
+ json_area_size = json_object_get_uint64(jobj1);
+ json_size = (uint64_t)strlen(json);
+
+- return json_size > json_area_size ? 1 : 0;
++ if (hdr_json_size != json_area_size) {
++ log_dbg("JSON area size doesn't match value in binary header.");
++ return 1;
++ }
++
++ if (json_size > json_area_size) {
++ log_dbg("JSON doesn't fit in the designated area.");
++ return 1;
++ }
++
++ return 0;
+ }
+
+ int LUKS2_check_json_size(const struct luks2_hdr *hdr)
+ {
+- return hdr_validate_json_size(hdr->jobj);
++ return hdr_validate_json_size(hdr->jobj, hdr->hdr_size - LUKS2_HDR_BIN_LEN);
+ }
+
+ static int hdr_validate_keyslots(json_object *hdr_jobj)
+@@ -830,7 +840,7 @@ static int hdr_validate_config(json_obje
+ return 0;
+ }
+
+-int LUKS2_hdr_validate(json_object *hdr_jobj)
++int LUKS2_hdr_validate(json_object *hdr_jobj, uint64_t json_size)
+ {
+ struct {
+ int (*validate)(json_object *);
+@@ -852,10 +862,8 @@ int LUKS2_hdr_validate(json_object *hdr_
+ if (checks[i].validate && checks[i].validate(hdr_jobj))
+ return 1;
+
+- if (hdr_validate_json_size(hdr_jobj)) {
+- log_dbg("Json header is too large.");
++ if (hdr_validate_json_size(hdr_jobj, json_size))
+ return 1;
+- }
+
+ /* validate keyslot implementations */
+ if (LUKS2_keyslots_validate(hdr_jobj))
+@@ -903,7 +911,7 @@ int LUKS2_hdr_write(struct crypt_device
+ /* erase unused digests (no assigned keyslot or segment) */
+ LUKS2_digests_erase_unused(cd, hdr);
+
+- if (LUKS2_hdr_validate(hdr->jobj))
++ if (LUKS2_hdr_validate(hdr->jobj, hdr->hdr_size - LUKS2_HDR_BIN_LEN))
+ return -EINVAL;
+
+ return LUKS2_disk_hdr_write(cd, hdr, crypt_metadata_device(cd));
+@@ -1650,7 +1658,7 @@ const char *LUKS2_get_cipher(struct luks
+ return NULL;
+
+ if (!json_object_object_get_ex(jobj2, "encryption", &jobj3))
+- return NULL;
++ return "null";
+
+ return json_object_get_string(jobj3);
+ }
diff --git a/SOURCES/cryptsetup-2.0.6-do-not-validate-keyslot-areas-so-frantically.patch b/SOURCES/cryptsetup-2.0.6-do-not-validate-keyslot-areas-so-frantically.patch
new file mode 100644
index 0000000..3730909
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.6-do-not-validate-keyslot-areas-so-frantically.patch
@@ -0,0 +1,21 @@
+diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c
+--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c 2019-03-27 15:10:10.869610792 +0100
++++ cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c 2019-03-27 15:32:38.202382332 +0100
+@@ -402,7 +402,6 @@ static json_bool validate_intervals(int
+ return TRUE;
+ }
+
+-static int hdr_validate_areas(json_object *hdr_jobj);
+ int LUKS2_keyslot_validate(json_object *hdr_jobj, json_object *hdr_keyslot, const char *key)
+ {
+ json_object *jobj_key_size;
+@@ -419,9 +418,6 @@ int LUKS2_keyslot_validate(json_object *
+ return 1;
+ }
+
+- if (hdr_validate_areas(hdr_jobj))
+- return 1;
+-
+ return 0;
+ }
+
diff --git a/SOURCES/cryptsetup-2.0.6-enable-all-supported-metadata-sizes-in-LUKS2-validat.patch b/SOURCES/cryptsetup-2.0.6-enable-all-supported-metadata-sizes-in-LUKS2-validat.patch
new file mode 100644
index 0000000..5a5b065
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.6-enable-all-supported-metadata-sizes-in-LUKS2-validat.patch
@@ -0,0 +1,142 @@
+diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_disk_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_disk_metadata.c
+--- cryptsetup-2.0.3.old/lib/luks2/luks2_disk_metadata.c 2019-03-27 15:48:28.316632526 +0100
++++ cryptsetup-2.0.3/lib/luks2/luks2_disk_metadata.c 2019-03-27 15:48:48.093594565 +0100
+@@ -387,11 +387,6 @@ int LUKS2_disk_hdr_write(struct crypt_de
+ return -EINVAL;
+ }
+
+- if (hdr->hdr_size != LUKS2_HDR_16K_LEN) {
+- log_dbg("Unsupported LUKS2 header size (%zu).", hdr->hdr_size);
+- return -EINVAL;
+- }
+-
+ r = LUKS2_check_device_size(cd, crypt_metadata_device(cd), LUKS2_hdr_and_areas_size(hdr->jobj), 1);
+ if (r)
+ return r;
+diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2.h cryptsetup-2.0.3/lib/luks2/luks2.h
+--- cryptsetup-2.0.3.old/lib/luks2/luks2.h 2019-03-27 15:48:28.316632526 +0100
++++ cryptsetup-2.0.3/lib/luks2/luks2.h 2019-03-27 15:49:37.033500625 +0100
+@@ -326,6 +326,9 @@ int LUKS2_generate_hdr(
+ unsigned int alignOffset,
+ int detached_metadata_device);
+
++int LUKS2_check_metadata_area_size(uint64_t metadata_size);
++int LUKS2_check_keyslots_area_size(uint64_t keyslots_size);
++
+ uint64_t LUKS2_get_data_offset(struct luks2_hdr *hdr);
+ int LUKS2_get_sector_size(struct luks2_hdr *hdr);
+ const char *LUKS2_get_cipher(struct luks2_hdr *hdr, int segment);
+diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_format.c cryptsetup-2.0.3/lib/luks2/luks2_json_format.c
+--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_format.c 2019-03-27 15:48:28.317632524 +0100
++++ cryptsetup-2.0.3/lib/luks2/luks2_json_format.c 2019-03-27 15:48:48.094594563 +0100
+@@ -114,6 +114,22 @@ int LUKS2_find_area_gap(struct crypt_dev
+ return 0;
+ }
+
++int LUKS2_check_metadata_area_size(uint64_t metadata_size)
++{
++ /* see LUKS2_HDR2_OFFSETS */
++ return (metadata_size != 0x004000 &&
++ metadata_size != 0x008000 && metadata_size != 0x010000 &&
++ metadata_size != 0x020000 && metadata_size != 0x040000 &&
++ metadata_size != 0x080000 && metadata_size != 0x100000 &&
++ metadata_size != 0x200000 && metadata_size != 0x400000);
++}
++
++int LUKS2_check_keyslots_area_size(uint64_t keyslots_size)
++{
++ return (!keyslots_size || (keyslots_size % 4096) ||
++ keyslots_size > LUKS2_MAX_KEYSLOTS_SIZE);
++}
++
+ int LUKS2_generate_hdr(
+ struct crypt_device *cd,
+ struct luks2_hdr *hdr,
+diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c
+--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c 2019-03-27 15:48:28.317632524 +0100
++++ cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c 2019-03-27 15:57:44.322526763 +0100
+@@ -701,30 +701,18 @@ static int hdr_validate_digests(json_obj
+ }
+
+ /* requires keyslots and segments sections being already validated */
+-static int validate_keyslots_size(json_object *hdr_jobj, json_object *jobj_keyslots_size)
++static int validate_keyslots_size(json_object *hdr_jobj, uint64_t metadata_size, uint64_t keyslots_size)
+ {
+ json_object *jobj_keyslots, *jobj, *jobj1;
+- uint64_t keyslots_size, segment_offset, keyslots_area_sum = 0;
+-
+- if (!json_str_to_uint64(jobj_keyslots_size, &keyslots_size))
+- return 1;
+-
+- if (keyslots_size % 4096) {
+- log_dbg("keyslots_size is not 4 KiB aligned");
+- return 1;
+- }
+-
+- if (keyslots_size > LUKS2_MAX_KEYSLOTS_SIZE) {
+- log_dbg("keyslots_size is too large. The cap is %" PRIu64 " bytes", (uint64_t) LUKS2_MAX_KEYSLOTS_SIZE);
+- return 1;
+- }
++ uint64_t segment_offset, keyslots_area_sum = 0;
+
+ json_object_object_get_ex(hdr_jobj, "segments", &jobj);
+ segment_offset = get_first_data_offset(jobj, "crypt");
+ if (segment_offset &&
+ (segment_offset < keyslots_size ||
+- (segment_offset - keyslots_size) < (2 * LUKS2_HDR_16K_LEN))) {
+- log_dbg("keyslots_size is too large %" PRIu64 " (bytes). Data offset: %" PRIu64 ", keyslots offset: %d", keyslots_size, segment_offset, 2 * LUKS2_HDR_16K_LEN);
++ (segment_offset - keyslots_size) < (2 * metadata_size))) {
++ log_dbg("keyslots_size is too large %" PRIu64 " (bytes). Data offset: %" PRIu64
++ ", keyslots offset: %" PRIu64, keyslots_size, segment_offset, 2 * metadata_size);
+ return 1;
+ }
+
+@@ -738,7 +726,8 @@ static int validate_keyslots_size(json_o
+ }
+
+ if (keyslots_area_sum > keyslots_size) {
+- log_dbg("Sum of all keyslot area sizes (%" PRIu64 ") is greater than value in config section %" PRIu64, keyslots_area_sum, keyslots_size);
++ log_dbg("Sum of all keyslot area sizes (%" PRIu64 ") is greater than value in config section %"
++ PRIu64, keyslots_area_sum, keyslots_size);
+ return 1;
+ }
+
+@@ -749,7 +738,7 @@ static int hdr_validate_config(json_obje
+ {
+ json_object *jobj_config, *jobj, *jobj1;
+ int i;
+- uint64_t json_size;
++ uint64_t json_size, keyslots_size;
+
+ if (!json_object_object_get_ex(hdr_jobj, "config", &jobj_config)) {
+ log_dbg("Missing config section.");
+@@ -760,21 +749,21 @@ static int hdr_validate_config(json_obje
+ !json_str_to_uint64(jobj, &json_size))
+ return 1;
+
+- /* currently it's hardcoded */
+- if (json_size != (LUKS2_HDR_16K_LEN - LUKS2_HDR_BIN_LEN)) {
+- log_dbg("Invalid json_size %" PRIu64, json_size);
++ if (!(jobj = json_contains(jobj_config, "section", "Config", "keyslots_size", json_type_string)) ||
++ !json_str_to_uint64(jobj, &keyslots_size))
+ return 1;
+- }
+
+- if (json_size % 4096) {
+- log_dbg("Json area is not properly aligned to 4 KiB.");
++ if (LUKS2_check_metadata_area_size(json_size + LUKS2_HDR_BIN_LEN)) {
++ log_dbg("Unsupported LUKS2 header size (%" PRIu64 ").", json_size + LUKS2_HDR_BIN_LEN);
+ return 1;
+ }
+
+- if (!(jobj = json_contains(jobj_config, "section", "Config", "keyslots_size", json_type_string)))
++ if (LUKS2_check_keyslots_area_size(keyslots_size)) {
++ log_dbg("Unsupported LUKS2 keyslots size (%" PRIu64 ").", keyslots_size);
+ return 1;
++ }
+
+- if (validate_keyslots_size(hdr_jobj, jobj))
++ if (validate_keyslots_size(hdr_jobj, json_size + LUKS2_HDR_BIN_LEN, keyslots_size))
+ return 1;
+
+ /* Flags array is optional */
diff --git a/SOURCES/cryptsetup-2.0.6-fix-keyslot-areas-validation.patch b/SOURCES/cryptsetup-2.0.6-fix-keyslot-areas-validation.patch
new file mode 100644
index 0000000..03f6519
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.6-fix-keyslot-areas-validation.patch
@@ -0,0 +1,94 @@
+diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c
+--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c 2019-03-27 16:14:49.790420791 +0100
++++ cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c 2019-03-27 16:23:50.499187212 +0100
+@@ -363,12 +363,13 @@ static json_bool segment_has_digest(cons
+ return FALSE;
+ }
+
+-static json_bool validate_intervals(int length, const struct interval *ix, uint64_t *data_offset)
++static json_bool validate_intervals(int length, const struct interval *ix,
++ uint64_t metadata_size, uint64_t keyslots_area_end)
+ {
+ int j, i = 0;
+
+ while (i < length) {
+- if (ix[i].offset < 2 * LUKS2_HDR_16K_LEN) {
++ if (ix[i].offset < 2 * metadata_size) {
+ log_dbg("Illegal area offset: %" PRIu64 ".", ix[i].offset);
+ return FALSE;
+ }
+@@ -378,10 +379,9 @@ static json_bool validate_intervals(int
+ return FALSE;
+ }
+
+- /* first segment at offset 0 means we have detached header. Do not check then. */
+- if (*data_offset && (ix[i].offset + ix[i].length) > *data_offset) {
+- log_dbg("Area [%" PRIu64 ", %" PRIu64 "] intersects with segment starting at offset: %" PRIu64,
+- ix[i].offset, ix[i].offset + ix[i].length, *data_offset);
++ if ((ix[i].offset + ix[i].length) > keyslots_area_end) {
++ log_dbg("Area [%" PRIu64 ", %" PRIu64 "] overflows binary keyslots area (ends at offset: %" PRIu64 ").",
++ ix[i].offset, ix[i].offset + ix[i].length, keyslots_area_end);
+ return FALSE;
+ }
+
+@@ -596,12 +596,24 @@ static int hdr_validate_segments(json_ob
+ return 0;
+ }
+
++static uint64_t LUKS2_metadata_size(json_object *jobj)
++{
++ json_object *jobj1, *jobj2;
++ uint64_t json_size;
++
++ json_object_object_get_ex(jobj, "config", &jobj1);
++ json_object_object_get_ex(jobj1, "json_size", &jobj2);
++ json_str_to_uint64(jobj2, &json_size);
++
++ return json_size + LUKS2_HDR_BIN_LEN;
++}
++
+ static int hdr_validate_areas(json_object *hdr_jobj)
+ {
+ struct interval *intervals;
+ json_object *jobj_keyslots, *jobj_offset, *jobj_length, *jobj_segments, *jobj_area;
+ int length, ret, i = 0;
+- uint64_t first_offset, keyslots_size, keyslots_area_sum = 0;
++ uint64_t keyslots_size, metadata_size, keyslots_area_sum = 0;
+
+ if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots))
+ return 1;
+@@ -611,6 +623,7 @@ static int hdr_validate_areas(json_objec
+
+ /* config is already validated */
+ keyslots_size = LUKS2_keyslots_size(hdr_jobj);
++ metadata_size = LUKS2_metadata_size(hdr_jobj);
+
+ length = json_object_object_length(jobj_keyslots);
+
+@@ -663,9 +676,7 @@ static int hdr_validate_areas(json_objec
+ return 1;
+ }
+
+- first_offset = get_first_data_offset(jobj_segments, NULL);
+-
+- ret = validate_intervals(length, intervals, &first_offset) ? 0 : 1;
++ ret = validate_intervals(length, intervals, metadata_size, LUKS2_hdr_and_areas_size(hdr_jobj)) ? 0 : 1;
+
+ free(intervals);
+
+@@ -918,14 +929,7 @@ uint64_t LUKS2_keyslots_size(json_object
+
+ uint64_t LUKS2_hdr_and_areas_size(json_object *jobj)
+ {
+- json_object *jobj1, *jobj2;
+- uint64_t json_size;
+-
+- json_object_object_get_ex(jobj, "config", &jobj1);
+- json_object_object_get_ex(jobj1, "json_size", &jobj2);
+- json_str_to_uint64(jobj2, &json_size);
+-
+- return 2 * (json_size + LUKS2_HDR_BIN_LEN) + LUKS2_keyslots_size(jobj);
++ return 2 * LUKS2_metadata_size(jobj) + LUKS2_keyslots_size(jobj);
+ }
+
+ int LUKS2_hdr_backup(struct crypt_device *cd, struct luks2_hdr *hdr,
diff --git a/SOURCES/cryptsetup-2.0.6-reshuffle-config-and-keyslots-areas-validation-code.patch b/SOURCES/cryptsetup-2.0.6-reshuffle-config-and-keyslots-areas-validation-code.patch
new file mode 100644
index 0000000..775b59a
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.6-reshuffle-config-and-keyslots-areas-validation-code.patch
@@ -0,0 +1,147 @@
+diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c
+--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c 2019-03-28 11:32:18.850058719 +0100
++++ cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c 2019-03-28 11:33:07.610800041 +0100
+@@ -643,7 +643,7 @@ static int hdr_validate_areas(json_objec
+ struct interval *intervals;
+ json_object *jobj_keyslots, *jobj_offset, *jobj_length, *jobj_segments, *jobj_area;
+ int length, ret, i = 0;
+- uint64_t first_offset;
++ uint64_t first_offset, keyslots_size, keyslots_area_sum = 0;
+
+ if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots))
+ return 1;
+@@ -652,6 +652,9 @@ static int hdr_validate_areas(json_objec
+ if (!json_object_object_get_ex(hdr_jobj, "segments", &jobj_segments))
+ return 1;
+
++ /* config is already validated */
++ keyslots_size = LUKS2_keyslots_size(hdr_jobj);
++
+ length = json_object_object_length(jobj_keyslots);
+
+ /* Empty section */
+@@ -687,6 +690,8 @@ static int hdr_validate_areas(json_objec
+ return 1;
+ }
+
++ keyslots_area_sum += intervals[i].length;
++
+ i++;
+ }
+
+@@ -694,6 +699,13 @@ static int hdr_validate_areas(json_objec
+ free(intervals);
+ return 1;
+ }
++
++ if (keyslots_area_sum > keyslots_size) {
++ log_dbg("Sum of all keyslot area sizes (%" PRIu64 ") is greater than value in config section %"
++ PRIu64, keyslots_area_sum, keyslots_size);
++ free(intervals);
++ return 1;
++ }
+
+ first_offset = get_first_data_offset(jobj_segments, NULL);
+
+@@ -739,45 +751,11 @@ static int hdr_validate_digests(json_obj
+ return 0;
+ }
+
+-/* requires keyslots and segments sections being already validated */
+-static int validate_keyslots_size(json_object *hdr_jobj, uint64_t metadata_size, uint64_t keyslots_size)
+-{
+- json_object *jobj_keyslots, *jobj, *jobj1;
+- uint64_t segment_offset, keyslots_area_sum = 0;
+-
+- json_object_object_get_ex(hdr_jobj, "segments", &jobj);
+- segment_offset = get_first_data_offset(jobj, "crypt");
+- if (segment_offset &&
+- (segment_offset < keyslots_size ||
+- (segment_offset - keyslots_size) < (2 * metadata_size))) {
+- log_dbg("keyslots_size is too large %" PRIu64 " (bytes). Data offset: %" PRIu64
+- ", keyslots offset: %" PRIu64, keyslots_size, segment_offset, 2 * metadata_size);
+- return 1;
+- }
+-
+- json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots);
+-
+- json_object_object_foreach(jobj_keyslots, key, val) {
+- UNUSED(key);
+- json_object_object_get_ex(val, "area", &jobj);
+- json_object_object_get_ex(jobj, "size", &jobj1);
+- keyslots_area_sum += json_object_get_uint64(jobj1);
+- }
+-
+- if (keyslots_area_sum > keyslots_size) {
+- log_dbg("Sum of all keyslot area sizes (%" PRIu64 ") is greater than value in config section %"
+- PRIu64, keyslots_area_sum, keyslots_size);
+- return 1;
+- }
+-
+- return 0;
+-}
+-
+ static int hdr_validate_config(json_object *hdr_jobj)
+ {
+ json_object *jobj_config, *jobj, *jobj1;
+ int i;
+- uint64_t json_size, keyslots_size;
++ uint64_t keyslots_size, metadata_size, segment_offset;
+
+ if (!json_object_object_get_ex(hdr_jobj, "config", &jobj_config)) {
+ log_dbg("Missing config section.");
+@@ -785,15 +763,19 @@ static int hdr_validate_config(json_obje
+ }
+
+ if (!(jobj = json_contains(jobj_config, "section", "Config", "json_size", json_type_string)) ||
+- !json_str_to_uint64(jobj, &json_size))
++ !json_str_to_uint64(jobj, &metadata_size))
+ return 1;
+
++ /* single metadata instance is assembled from json area size plus
++ * binary header size */
++ metadata_size += LUKS2_HDR_BIN_LEN;
++
+ if (!(jobj = json_contains(jobj_config, "section", "Config", "keyslots_size", json_type_string)) ||
+ !json_str_to_uint64(jobj, &keyslots_size))
+ return 1;
+
+- if (LUKS2_check_metadata_area_size(json_size + LUKS2_HDR_BIN_LEN)) {
+- log_dbg("Unsupported LUKS2 header size (%" PRIu64 ").", json_size + LUKS2_HDR_BIN_LEN);
++ if (LUKS2_check_metadata_area_size(metadata_size)) {
++ log_dbg("Unsupported LUKS2 header size (%" PRIu64 ").", metadata_size);
+ return 1;
+ }
+
+@@ -802,8 +784,19 @@ static int hdr_validate_config(json_obje
+ return 1;
+ }
+
+- if (validate_keyslots_size(hdr_jobj, json_size + LUKS2_HDR_BIN_LEN, keyslots_size))
+- return 1;
++ /*
++ * validate keyslots_size fits in between (2 * metadata_size) and first
++ * segment_offset (except detached header)
++ */
++ json_object_object_get_ex(hdr_jobj, "segments", &jobj);
++ segment_offset = get_first_data_offset(jobj, "crypt");
++ if (segment_offset &&
++ (segment_offset < keyslots_size ||
++ (segment_offset - keyslots_size) < (2 * metadata_size))) {
++ log_dbg("keyslots_size is too large %" PRIu64 " (bytes). Data offset: %" PRIu64
++ ", keyslots offset: %" PRIu64, keyslots_size, segment_offset, 2 * metadata_size);
++ return 1;
++ }
+
+ /* Flags array is optional */
+ if (json_object_object_get_ex(jobj_config, "flags", &jobj)) {
+@@ -845,8 +838,8 @@ int LUKS2_hdr_validate(json_object *hdr_
+ { hdr_validate_digests },
+ { hdr_validate_segments },
+ { hdr_validate_keyslots },
+- { hdr_validate_areas },
+ { hdr_validate_config },
++ { hdr_validate_areas },
+ { NULL }
+ };
+ int i;
diff --git a/SOURCES/cryptsetup-2.0.6-test-cryptsetup-can-handle-all-LUKS2-metadata-varian.patch b/SOURCES/cryptsetup-2.0.6-test-cryptsetup-can-handle-all-LUKS2-metadata-varian.patch
new file mode 100644
index 0000000..d612bb5
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.6-test-cryptsetup-can-handle-all-LUKS2-metadata-varian.patch
@@ -0,0 +1,39 @@
+diff -rupN cryptsetup-2.0.3.old/tests/compat-test2 cryptsetup-2.0.3/tests/compat-test2
+--- cryptsetup-2.0.3.old/tests/compat-test2 2019-03-27 17:03:58.788037100 +0100
++++ cryptsetup-2.0.3/tests/compat-test2 2019-03-27 17:14:19.432280547 +0100
+@@ -22,6 +22,7 @@ PWD0="compatkey"
+ PWD1="93R4P4pIqAH8"
+ PWD2="mymJeD8ivEhE"
+ PWD3="ocMakf3fAcQO"
++PWD4="Qx3qn46vq0v"
+ PWDW="rUkL4RUryBom"
+ TEST_KEYRING_NAME="compattest2_keyring"
+ TEST_TOKEN0="compattest2_desc0"
+@@ -46,7 +47,7 @@ function remove_mapping()
+ [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove $DEV_NAME2
+ [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove $DEV_NAME
+ losetup -d $LOOPDEV >/dev/null 2>&1
+- rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE >/dev/null 2>&1
++ rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE copy_test_image* >/dev/null 2>&1
+
+ # unlink whole test keyring
+ [ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null
+@@ -817,5 +818,18 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q
+ $CRYPTSETUP luksKillSlot -q $LOOPDEV 3
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2 (unbound)" && fail
+
++prepare "[39] LUKS2 metadata variants" wipe
++for mda in 16 32 64 128 256 512 1024 2048 4096 ; do
++ cp test_image_$mda copy_test_image_$mda || fail
++ echo -n "[$mda KiB]"
++ echo $PWD4 | $CRYPTSETUP open copy_test_image_$mda $DEV_NAME || fail
++ $CRYPTSETUP close $DEV_NAME || fail
++ echo -e "$PWD4\n$PWD3" | $CRYPTSETUP luksAddKey -S9 $FAST_PBKDF_OPT copy_test_image_$mda || fail
++ echo $PWD4 | $CRYPTSETUP open --test-passphrase copy_test_image_$mda || fail
++ echo $PWD3 | $CRYPTSETUP open -S9 --test-passphrase copy_test_image_$mda || fail
++ echo -n "[OK]"
++done
++echo
++
+ remove_mapping
+ exit 0
diff --git a/SOURCES/cryptsetup-2.1.0-sync-LUKS2-validation-tests.patch b/SOURCES/cryptsetup-2.1.0-sync-LUKS2-validation-tests.patch
new file mode 100644
index 0000000..746d7a7
--- /dev/null
+++ b/SOURCES/cryptsetup-2.1.0-sync-LUKS2-validation-tests.patch
@@ -0,0 +1,3818 @@
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-invalid-json-size-c2.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-invalid-json-size-c2.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-invalid-json-size-c2.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-invalid-json-size-c2.img.sh 2019-03-27 20:59:49.443269763 +0100
+@@ -0,0 +1,85 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with config json size mismatching
++# value in binary header
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ JS=$(((LUKS2_HDR_SIZE-LUKS2_BIN_HDR_SIZE)*512))
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_32K
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++
++ json_str=$(jq -c '.' $TMPDIR/json0)
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0
++ local str_res1=$(head -c 4 $TMPDIR/hdr_res0)
++ test "$str_res1" = "LUKS" || exit 2
++
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE
++ local str_res1=$(head -c 4 $TMPDIR/hdr_res1)
++ test "$str_res1" = "SKUL" || exit 2
++
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
++ jq -c --arg js $JS 'if .config.json_size != ( $js | tostring )
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-1m.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-1m.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-1m.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-1m.img.sh 2019-03-27 20:59:49.444269753 +0100
+@@ -0,0 +1,94 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary with predefined json_size. There's only limited
++# set of values allowed as json size in config section of LUKS2
++# metadata
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # 1 MiB metadata
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M
++
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++ JSON_SIZE=$((TEST_JSN_SIZE*512))
++ DATA_OFFSET=16777216
++
++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++ .config.json_size = $jsize |
++ .segments."0".offset = $off' $TMPDIR/json0)
++ test -n "$json_str" || exit 2
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ kill_bin_hdr $TMPDIR/area1
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE
++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++ (.config.json_size != $jsize)
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-1m-secondary.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-1m-secondary.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-1m-secondary.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-1m-secondary.img.sh 2019-03-27 20:59:49.444269753 +0100
+@@ -0,0 +1,97 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate secondary header with one of allowed json area
++# size values. Test whether auto-recovery code is able
++# to validate secondary header with non-default json area
++# size.
++#
++# primary header is corrupted on purpose.
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # 1 MiB metadata
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M
++
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++ JSON_SIZE=$((TEST_JSN_SIZE*512))
++ DATA_OFFSET=16777216
++
++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++ .config.json_size = $jsize |
++ .segments."0".offset = $off' $TMPDIR/json0)
++ test -n "$json_str" || exit 2
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ kill_bin_hdr $TMPDIR/area0
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE
++ local str_res0=$(head -c 6 $TMPDIR/hdr_res0)
++ test "$str_res0" = "VACUUM" || exit 2
++ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE
++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++ (.config.json_size != $jsize)
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-128k.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-128k.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-128k.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-128k.img.sh 2019-03-27 20:59:49.445269743 +0100
+@@ -0,0 +1,94 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary with predefined json_size. There's only limited
++# set of values allowed as json size in config section of LUKS2
++# metadata
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # 128KiB metadata
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_128K
++
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++ JSON_SIZE=$((TEST_JSN_SIZE*512))
++ DATA_OFFSET=16777216
++
++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++ .config.json_size = $jsize |
++ .segments."0".offset = $off' $TMPDIR/json0)
++ test -n "$json_str" || exit 2
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ kill_bin_hdr $TMPDIR/area1
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE
++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++ (.config.json_size != $jsize)
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-128k-secondary.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-128k-secondary.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-128k-secondary.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-128k-secondary.img.sh 2019-03-27 20:59:49.445269743 +0100
+@@ -0,0 +1,97 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate secondary header with one of allowed json area
++# size values. Test whether auto-recovery code is able
++# to validate secondary header with non-default json area
++# size.
++#
++# primary header is corrupted on purpose.
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # 128 KiB metadata
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_128K
++
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++ JSON_SIZE=$((TEST_JSN_SIZE*512))
++ DATA_OFFSET=16777216
++
++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++ .config.json_size = $jsize |
++ .segments."0".offset = $off' $TMPDIR/json0)
++ test -n "$json_str" || exit 2
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ kill_bin_hdr $TMPDIR/area0
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE
++ local str_res0=$(head -c 6 $TMPDIR/hdr_res0)
++ test "$str_res0" = "VACUUM" || exit 2
++ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE
++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++ (.config.json_size != $jsize)
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-16k-secondary.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-16k-secondary.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-16k-secondary.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-16k-secondary.img.sh 2019-03-27 20:59:49.446269734 +0100
+@@ -0,0 +1,97 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate secondary header with one of allowed json area
++# size values. Test whether auto-recovery code is able
++# to validate secondary header with non-default json area
++# size.
++#
++# primary header is corrupted on purpose.
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # 16 KiB metadata
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE
++
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++ JSON_SIZE=$((TEST_JSN_SIZE*512))
++ DATA_OFFSET=16777216
++
++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++ .config.json_size = $jsize |
++ .segments."0".offset = $off' $TMPDIR/json0)
++ test -n "$json_str" || exit 2
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ kill_bin_hdr $TMPDIR/area0
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE
++ local str_res0=$(head -c 6 $TMPDIR/hdr_res0)
++ test "$str_res0" = "VACUUM" || exit 2
++ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE
++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++ (.config.json_size != $jsize)
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-2m.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-2m.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-2m.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-2m.img.sh 2019-03-27 20:59:49.446269734 +0100
+@@ -0,0 +1,94 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary with predefined json_size. There's only limited
++# set of values allowed as json size in config section of LUKS2
++# metadata
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # 2 MiB metadata
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_2M
++
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++ JSON_SIZE=$((TEST_JSN_SIZE*512))
++ DATA_OFFSET=16777216
++
++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++ .config.json_size = $jsize |
++ .segments."0".offset = $off' $TMPDIR/json0)
++ test -n "$json_str" || exit 2
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ kill_bin_hdr $TMPDIR/area1
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE
++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++ (.config.json_size != $jsize)
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-2m-secondary.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-2m-secondary.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-2m-secondary.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-2m-secondary.img.sh 2019-03-27 20:59:49.447269724 +0100
+@@ -0,0 +1,96 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary with predefined json_size. There's only limited
++# set of values allowed as json size in config section of LUKS2
++# metadata
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # 2 MiB metadata
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_2M
++
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++ JSON_SIZE=$((TEST_JSN_SIZE*512))
++ DATA_OFFSET=16777216
++
++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++ .config.json_size = $jsize |
++ .segments."0".offset = $off' $TMPDIR/json0)
++ test -n "$json_str" || exit 2
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ kill_bin_hdr $TMPDIR/area0
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE
++ local str_res0=$(head -c 6 $TMPDIR/hdr_res0)
++ test "$str_res0" = "VACUUM" || exit 2
++ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE
++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++ (.config.json_size != $jsize)
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-256k.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-256k.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-256k.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-256k.img.sh 2019-03-27 20:59:49.447269724 +0100
+@@ -0,0 +1,94 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary with predefined json_size. There's only limited
++# set of values allowed as json size in config section of LUKS2
++# metadata
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # 256KiB metadata
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_256K
++
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++ JSON_SIZE=$((TEST_JSN_SIZE*512))
++ DATA_OFFSET=16777216
++
++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++ .config.json_size = $jsize |
++ .segments."0".offset = $off' $TMPDIR/json0)
++ test -n "$json_str" || exit 2
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ kill_bin_hdr $TMPDIR/area1
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE
++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++ (.config.json_size != $jsize)
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-256k-secondary.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-256k-secondary.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-256k-secondary.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-256k-secondary.img.sh 2019-03-27 20:59:49.448269714 +0100
+@@ -0,0 +1,97 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate secondary header with one of allowed json area
++# size values. Test whether auto-recovery code is able
++# to validate secondary header with non-default json area
++# size.
++#
++# primary header is corrupted on purpose.
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # 256 KiB metadata
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_256K
++
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++ JSON_SIZE=$((TEST_JSN_SIZE*512))
++ DATA_OFFSET=16777216
++
++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++ .config.json_size = $jsize |
++ .segments."0".offset = $off' $TMPDIR/json0)
++ test -n "$json_str" || exit 2
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ kill_bin_hdr $TMPDIR/area0
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE
++ local str_res0=$(head -c 6 $TMPDIR/hdr_res0)
++ test "$str_res0" = "VACUUM" || exit 2
++ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE
++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++ (.config.json_size != $jsize)
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-32k.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-32k.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-32k.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-32k.img.sh 2019-03-27 20:59:49.448269714 +0100
+@@ -0,0 +1,94 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with non-default metadata json_size.
++# There's only limited set of values allowed as json size in
++# config section of LUKS2 metadata
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # 32KiB metadata
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_32K
++
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++ JSON_SIZE=$((TEST_JSN_SIZE*512))
++ DATA_OFFSET=16777216
++
++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++ .config.json_size = $jsize |
++ .segments."0".offset = $off' $TMPDIR/json0)
++ test -n "$json_str" || exit 2
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ kill_bin_hdr $TMPDIR/area1
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE
++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++ (.config.json_size != $jsize)
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-32k-secondary.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-32k-secondary.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-32k-secondary.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-32k-secondary.img.sh 2019-03-27 20:59:49.449269705 +0100
+@@ -0,0 +1,97 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate secondary header with one of allowed json area
++# size values. Test whether auto-recovery code is able
++# to validate secondary header with non-default json area
++# size.
++#
++# primary header is corrupted on purpose.
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # 32 KiB metadata
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_32K
++
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++ JSON_SIZE=$((TEST_JSN_SIZE*512))
++ DATA_OFFSET=16777216
++
++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++ .config.json_size = $jsize |
++ .segments."0".offset = $off' $TMPDIR/json0)
++ test -n "$json_str" || exit 2
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ kill_bin_hdr $TMPDIR/area0
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE
++ local str_res0=$(head -c 6 $TMPDIR/hdr_res0)
++ test "$str_res0" = "VACUUM" || exit 2
++ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE
++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++ (.config.json_size != $jsize)
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-4m.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-4m.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-4m.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-4m.img.sh 2019-03-27 20:59:49.449269705 +0100
+@@ -0,0 +1,94 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary with predefined json_size. There's only limited
++# set of values allowed as json size in config section of LUKS2
++# metadata
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # 4 MiB metadata
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_4M
++
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++ JSON_SIZE=$((TEST_JSN_SIZE*512))
++ DATA_OFFSET=16777216
++
++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++ .config.json_size = $jsize |
++ .segments."0".offset = $off' $TMPDIR/json0)
++ test -n "$json_str" || exit 2
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ kill_bin_hdr $TMPDIR/area1
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE
++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++ (.config.json_size != $jsize)
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-4m-secondary.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-4m-secondary.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-4m-secondary.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-4m-secondary.img.sh 2019-03-27 20:59:49.450269695 +0100
+@@ -0,0 +1,96 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary with predefined json_size. There's only limited
++# set of values allowed as json size in config section of LUKS2
++# metadata
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # 4 MiB metadata
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_4M
++
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++ JSON_SIZE=$((TEST_JSN_SIZE*512))
++ DATA_OFFSET=16777216
++
++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++ .config.json_size = $jsize |
++ .segments."0".offset = $off' $TMPDIR/json0)
++ test -n "$json_str" || exit 2
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ kill_bin_hdr $TMPDIR/area0
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE
++ local str_res0=$(head -c 6 $TMPDIR/hdr_res0)
++ test "$str_res0" = "VACUUM" || exit 2
++ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE
++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++ (.config.json_size != $jsize)
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-512k.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-512k.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-512k.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-512k.img.sh 2019-03-27 20:59:49.450269695 +0100
+@@ -0,0 +1,94 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary with predefined json_size. There's only limited
++# set of values allowed as json size in config section of LUKS2
++# metadata
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # 512KiB metadata
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_512K
++
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++ JSON_SIZE=$((TEST_JSN_SIZE*512))
++ DATA_OFFSET=16777216
++
++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++ .config.json_size = $jsize |
++ .segments."0".offset = $off' $TMPDIR/json0)
++ test -n "$json_str" || exit 2
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ kill_bin_hdr $TMPDIR/area1
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE
++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++ (.config.json_size != $jsize)
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-512k-secondary.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-512k-secondary.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-512k-secondary.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-512k-secondary.img.sh 2019-03-27 20:59:49.451269685 +0100
+@@ -0,0 +1,97 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate secondary header with one of allowed json area
++# size values. Test whether auto-recovery code is able
++# to validate secondary header with non-default json area
++# size.
++#
++# primary header is corrupted on purpose.
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # 512 KiB metadata
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_512K
++
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++ JSON_SIZE=$((TEST_JSN_SIZE*512))
++ DATA_OFFSET=16777216
++
++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++ .config.json_size = $jsize |
++ .segments."0".offset = $off' $TMPDIR/json0)
++ test -n "$json_str" || exit 2
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ kill_bin_hdr $TMPDIR/area0
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE
++ local str_res0=$(head -c 6 $TMPDIR/hdr_res0)
++ test "$str_res0" = "VACUUM" || exit 2
++ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE
++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++ (.config.json_size != $jsize)
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-64k.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-64k.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-64k.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-64k.img.sh 2019-03-27 20:59:49.451269685 +0100
+@@ -0,0 +1,94 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary with predefined json_size. There's only limited
++# set of values allowed as json size in config section of LUKS2
++# metadata
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # 64KiB metadata
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_64K
++
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++ JSON_SIZE=$((TEST_JSN_SIZE*512))
++ DATA_OFFSET=16777216
++
++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++ .config.json_size = $jsize |
++ .segments."0".offset = $off' $TMPDIR/json0)
++ test -n "$json_str" || exit 2
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ kill_bin_hdr $TMPDIR/area1
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE
++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++ (.config.json_size != $jsize)
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-64k-inv-area-c0.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-64k-inv-area-c0.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-64k-inv-area-c0.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-64k-inv-area-c0.img.sh 2019-03-27 20:59:49.452269675 +0100
+@@ -0,0 +1,94 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with non-default metadata json_size
++# and keyslots area trespassing in json area.
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # 64KiB metadata
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_64K
++
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024-1))
++ # overlap in json area by exactly one byte
++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024-1))
++ JSON_SIZE=$((TEST_JSN_SIZE*512))
++ DATA_OFFSET=16777216
++
++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++ .config.json_size = $jsize |
++ .segments."0".offset = $off' $TMPDIR/json0)
++ test -n "$json_str" || exit 2
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ kill_bin_hdr $TMPDIR/area1
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE
++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++ (.config.json_size != $jsize)
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-64k-inv-area-c1.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-64k-inv-area-c1.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-64k-inv-area-c1.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-64k-inv-area-c1.img.sh 2019-03-27 20:59:49.452269675 +0100
+@@ -0,0 +1,96 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with non-default metadata json_size
++# and keyslot area overflowing out of keyslots area.
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # 64KiB metadata
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_64K
++
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++ JSON_SIZE=$((TEST_JSN_SIZE*512))
++ DATA_OFFSET=16777216
++
++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++ --arg mda $((2*TEST_MDA_SIZE_BYTES)) \
++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++ .keyslots."7".area.offset = ( ((.config.keyslots_size | tonumber) + ($mda | tonumber) - (.keyslots."7".area.size | tonumber) + 1) | tostring ) |
++ .config.json_size = $jsize |
++ .segments."0".offset = $off' $TMPDIR/json0)
++ test -n "$json_str" || exit 2
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ kill_bin_hdr $TMPDIR/area1
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE
++# .keyslots.7.area.offset = ( ((.config.keyslots_size | tonumber) + ($mda | tonumber) - (.keyslots.7.area.size | tonumber) + 1) | tostring ) |
++ jq -c --arg mda $((2*TEST_MDA_SIZE_BYTES)) --arg jsize $JSON_SIZE \
++ 'if (.keyslots."7".area.offset != ( ((.config.keyslots_size | tonumber) + ($mda | tonumber) - (.keyslots."7".area.size | tonumber) + 1) | tostring )) or
++ (.config.json_size != $jsize)
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-64k-inv-keyslots-size-c0.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-64k-inv-keyslots-size-c0.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-64k-inv-keyslots-size-c0.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-64k-inv-keyslots-size-c0.img.sh 2019-03-27 20:59:49.453269666 +0100
+@@ -0,0 +1,96 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary with predefined json_size where keyslots size
++# overflows in data area (segment offset)
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # 64KiB metadata
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_64K
++
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++ JSON_SIZE=$((TEST_JSN_SIZE*512))
++ DATA_OFFSET=16777216
++
++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++ --arg mda $((2*TEST_MDA_SIZE_BYTES)) \
++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++ .config.json_size = $jsize |
++ .config.keyslots_size = (((($off | tonumber) - ($mda | tonumber) + 4096)) | tostring ) |
++ .segments."0".offset = $off' $TMPDIR/json0)
++ test -n "$json_str" || exit 2
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ kill_bin_hdr $TMPDIR/area1
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE
++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE --arg off $DATA_OFFSET --arg mda $((2*TEST_MDA_SIZE_BYTES)) \
++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++ (.config.json_size != $jsize) or
++ (.config.keyslots_size != (((($off | tonumber) - ($mda | tonumber) + 4096)) | tostring ))
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-64k-secondary.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-64k-secondary.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-64k-secondary.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-64k-secondary.img.sh 2019-03-27 20:59:49.453269666 +0100
+@@ -0,0 +1,97 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate secondary header with one of allowed json area
++# size values. Test whether auto-recovery code is able
++# to validate secondary header with non-default json area
++# size.
++#
++# primary header is corrupted on purpose.
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # 64 KiB metadata
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_64K
++
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++ JSON_SIZE=$((TEST_JSN_SIZE*512))
++ DATA_OFFSET=16777216
++
++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++ .config.json_size = $jsize |
++ .segments."0".offset = $off' $TMPDIR/json0)
++ test -n "$json_str" || exit 2
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ kill_bin_hdr $TMPDIR/area0
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE
++ local str_res0=$(head -c 6 $TMPDIR/hdr_res0)
++ test "$str_res0" = "VACUUM" || exit 2
++ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE
++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++ (.config.json_size != $jsize)
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-missing-encryption.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-missing-encryption.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-missing-encryption.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-missing-encryption.img.sh 2019-03-27 20:59:49.454269656 +0100
+@@ -0,0 +1,67 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with segment encryption field missing
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # remove mandatory encryption field
++ json_str=$(jq -c 'del(.segments."0".encryption)' $TMPDIR/json0)
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
++ kill_bin_hdr $TMPDIR/hdr1
++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
++ jq -c 'if .segments."0".encryption
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-missing-ivoffset.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-missing-ivoffset.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-missing-ivoffset.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-missing-ivoffset.img.sh 2019-03-27 20:59:49.454269656 +0100
+@@ -0,0 +1,67 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with segment iv_tweak field missing
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # remove mandatory encryption field
++ json_str=$(jq -c 'del(.segments."0".iv_tweak)' $TMPDIR/json0)
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
++ kill_bin_hdr $TMPDIR/hdr1
++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
++ jq -c 'if .segments."0".iv_tweak
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-missing-sectorsize.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-missing-sectorsize.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-missing-sectorsize.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-missing-sectorsize.img.sh 2019-03-27 20:59:49.455269646 +0100
+@@ -0,0 +1,67 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with segment sector_size field missing
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # remove mandatory encryption field
++ json_str=$(jq -c 'del(.segments."0".sector_size)' $TMPDIR/json0)
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
++ kill_bin_hdr $TMPDIR/hdr1
++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
++ jq -c 'if .segments."0".sector_size
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-wrong-encryption.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-wrong-encryption.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-wrong-encryption.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-wrong-encryption.img.sh 2019-03-27 20:59:49.455269646 +0100
+@@ -0,0 +1,67 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with segment wrong encryption field
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # remove mandatory encryption field
++ json_str=$(jq -c '.segments."0".encryption = {}' $TMPDIR/json0)
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
++ kill_bin_hdr $TMPDIR/hdr1
++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
++ jq -c 'if .segments."0".encryption | type != "object"
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-wrong-ivoffset.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-wrong-ivoffset.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-wrong-ivoffset.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-wrong-ivoffset.img.sh 2019-03-27 20:59:49.456269637 +0100
+@@ -0,0 +1,67 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with segment iv_tweak field missing
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # remove mandatory encryption field
++ json_str=$(jq -c '.segments."0".iv_tweak = "dynamic"' $TMPDIR/json0)
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
++ kill_bin_hdr $TMPDIR/hdr1
++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
++ jq -c 'if .segments."0".iv_tweak != "dynamic"
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-0.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-0.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-0.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-0.img.sh 2019-03-27 20:59:49.456269637 +0100
+@@ -0,0 +1,67 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with wrong segment sector_size field
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # remove mandatory encryption field
++ json_str=$(jq -c '.segments."0".sector_size = 1023' $TMPDIR/json0)
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
++ kill_bin_hdr $TMPDIR/hdr1
++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
++ jq -c 'if .segments."0".sector_size != 1023
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-1.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-1.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-1.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-1.img.sh 2019-03-27 20:59:49.457269627 +0100
+@@ -0,0 +1,67 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with wrong segment sector_size field
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # remove mandatory encryption field
++ json_str=$(jq -c '.segments."0".sector_size = "4096"' $TMPDIR/json0)
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
++ kill_bin_hdr $TMPDIR/hdr1
++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
++ jq -c 'if .segments."0".sector_size != "4096"
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-2.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-2.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-2.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-2.img.sh 2019-03-27 20:59:49.457269627 +0100
+@@ -0,0 +1,67 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with wrong segment sector_size field
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # remove mandatory encryption field
++ json_str=$(jq -c '.segments."0".sector_size = -1024' $TMPDIR/json0)
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
++ kill_bin_hdr $TMPDIR/hdr1
++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
++ jq -c 'if .segments."0".sector_size != -1024
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-missing-offset.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-missing-offset.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-missing-offset.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-missing-offset.img.sh 2019-03-27 20:59:49.458269617 +0100
+@@ -0,0 +1,67 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with segment offset field missing
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # remove mandatory encryption field
++ json_str=$(jq -c 'del(.segments."0".offset)' $TMPDIR/json0)
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
++ kill_bin_hdr $TMPDIR/hdr1
++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
++ jq -c 'if .segments."0".offset
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-missing-size.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-missing-size.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-missing-size.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-missing-size.img.sh 2019-03-27 20:59:49.458269617 +0100
+@@ -0,0 +1,67 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with segment size field missing
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # remove mandatory encryption field
++ json_str=$(jq -c 'del(.segments."0".size)' $TMPDIR/json0)
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
++ kill_bin_hdr $TMPDIR/hdr1
++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
++ jq -c 'if .segments."0".size
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-missing-type.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-missing-type.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-missing-type.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-missing-type.img.sh 2019-03-27 20:59:49.459269608 +0100
+@@ -0,0 +1,67 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with segment type field missing
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # remove mandatory encryption field
++ json_str=$(jq -c 'del(.segments."0".type)' $TMPDIR/json0)
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
++ kill_bin_hdr $TMPDIR/hdr1
++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
++ jq -c 'if .segments."0".type
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-two.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-two.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-two.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-two.img.sh 2019-03-27 20:59:49.459269608 +0100
+@@ -0,0 +1,67 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with two segments
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # remove mandatory encryption field
++ json_str=$(jq -c '.segments."0".size = "512" | .segments."1" = {type:"some", offset: (.segments."0".offset | tonumber + 512 | tostring), size: "dynamic"}' $TMPDIR/json0)
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
++ kill_bin_hdr $TMPDIR/hdr1
++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
++ jq -c 'if .segments."1" | type != "object"
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-unknown-type.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-unknown-type.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-unknown-type.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-unknown-type.img.sh 2019-03-27 20:59:49.459269608 +0100
+@@ -0,0 +1,68 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with generic (unknown) segment type.
++# It should pass the validation.
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # remove mandatory encryption field
++ json_str=$(jq -c '.segments."0" = {type:"some_type", offset: .segments."0".offset, size: .segments."0".size, a_field:0}' $TMPDIR/json0)
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
++ kill_bin_hdr $TMPDIR/hdr1
++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
++ jq -c 'if .segments."0".type != "some_type"
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-flags-element.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-flags-element.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-flags-element.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-flags-element.img.sh 2019-03-27 20:59:49.460269598 +0100
+@@ -0,0 +1,67 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with segment flags containing invalid type
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # remove mandatory encryption field
++ json_str=$(jq -c '.segments."0".flags = [ "hello", 1 ]' $TMPDIR/json0)
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
++ kill_bin_hdr $TMPDIR/hdr1
++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
++ jq -c 'if .segments."0".flags != [ "hello", 1 ]
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-flags.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-flags.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-flags.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-flags.img.sh 2019-03-27 20:59:49.461269588 +0100
+@@ -0,0 +1,67 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with segment flags field of invalid type
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # remove mandatory encryption field
++ json_str=$(jq -c '.segments."0".flags = "hello"' $TMPDIR/json0)
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
++ kill_bin_hdr $TMPDIR/hdr1
++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
++ jq -c 'if .segments."0".flags != "hello"
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-offset.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-offset.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-offset.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-offset.img.sh 2019-03-27 20:59:49.461269588 +0100
+@@ -0,0 +1,67 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with wrong segment offset field
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # remove mandatory encryption field
++ json_str=$(jq -c '.segments."0".offset = "-42"' $TMPDIR/json0)
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
++ kill_bin_hdr $TMPDIR/hdr1
++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
++ jq -c 'if .segments."0".offset != "-42"
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-size-0.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-size-0.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-size-0.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-size-0.img.sh 2019-03-27 20:59:49.462269579 +0100
+@@ -0,0 +1,67 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with wrong segment size field
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # remove mandatory encryption field
++ json_str=$(jq -c '.segments."0".size = 4096' $TMPDIR/json0)
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
++ kill_bin_hdr $TMPDIR/hdr1
++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
++ jq -c 'if .segments."0".size != 4096
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-size-1.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-size-1.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-size-1.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-size-1.img.sh 2019-03-27 20:59:49.462269579 +0100
+@@ -0,0 +1,67 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with wrong segment size field
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # remove mandatory encryption field
++ json_str=$(jq -c '.segments."0".size = "automatic"' $TMPDIR/json0)
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
++ kill_bin_hdr $TMPDIR/hdr1
++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
++ jq -c 'if .segments."0".size != "automatic"
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-size-2.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-size-2.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-size-2.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-size-2.img.sh 2019-03-27 20:59:49.463269569 +0100
+@@ -0,0 +1,67 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with wrong segment size field
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # remove mandatory encryption field
++ json_str=$(jq -c '.segments."0".size = "511"' $TMPDIR/json0)
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
++ kill_bin_hdr $TMPDIR/hdr1
++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
++ jq -c 'if .segments."0".size != "511"
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-type.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-type.img.sh
+--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-type.img.sh 1970-01-01 01:00:00.000000000 +0100
++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-type.img.sh 2019-03-27 20:59:49.463269569 +0100
+@@ -0,0 +1,67 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary header with wrong segment type field
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ # remove mandatory encryption field
++ json_str=$(jq -c '.segments."0".type = 42' $TMPDIR/json0)
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG
++ kill_bin_hdr $TMPDIR/hdr1
++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
++}
++
++function check()
++{
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
++ jq -c 'if .segments."0".type != 42
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff -rupN cryptsetup-2.0.3.old/tests/generators/lib.sh cryptsetup-2.0.3/tests/generators/lib.sh
+--- cryptsetup-2.0.3.old/tests/generators/lib.sh 2019-03-27 20:59:31.664442127 +0100
++++ cryptsetup-2.0.3/tests/generators/lib.sh 2019-03-27 20:59:49.464269559 +0100
+@@ -1,9 +1,17 @@
+ #!/bin/bash
+
+-# all in 512 bytes blocks
+-# LUKS2 with 16KiB header
+-LUKS2_HDR_SIZE=32 # 16 KiB
+-LUKS2_BIN_HDR_SIZE=8 # 4096 B
++# all in 512 bytes blocks (including binary hdr (4KiB))
++LUKS2_HDR_SIZE=32 # 16 KiB
++LUKS2_HDR_SIZE_32K=64 # 32 KiB
++LUKS2_HDR_SIZE_64K=128 # 64 KiB
++LUKS2_HDR_SIZE_128K=256 # 128 KiB
++LUKS2_HDR_SIZE_256K=512 # 256 KiB
++LUKS2_HDR_SIZE_512K=1024 # 512 KiB
++LUKS2_HDR_SIZE_1M=2048 # 1 MiB
++LUKS2_HDR_SIZE_2M=4096 # 2 MiB
++LUKS2_HDR_SIZE_4M=8192 # 4 MiB
++
++LUKS2_BIN_HDR_SIZE=8 # 4 KiB
+ LUKS2_JSON_SIZE=$((LUKS2_HDR_SIZE-LUKS2_BIN_HDR_SIZE))
+
+ LUKS2_BIN_HDR_CHKS_OFFSET=0x1C0
+@@ -30,57 +38,88 @@ function test_img_name()
+ echo $str
+ }
+
++# read primary bin hdr
++# 1:from 2:to
+ function read_luks2_bin_hdr0()
+ {
+ _dd if=$1 of=$2 bs=512 count=$LUKS2_BIN_HDR_SIZE
+ }
+
++# read primary json area
++# 1:from 2:to 3:[json only size (defaults to 12KiB)]
+ function read_luks2_json0()
+ {
+- _dd if=$1 of=$2 bs=512 skip=$LUKS2_BIN_HDR_SIZE count=$LUKS2_JSON_SIZE
++ local _js=${4:-$LUKS2_JSON_SIZE}
++ local _js=$((_js*512/4096))
++ _dd if=$1 of=$2 bs=4096 skip=1 count=$_js
+ }
+
++# read secondary bin hdr
++# 1:from 2:to 3:[metadata size (defaults to 16KiB)]
+ function read_luks2_bin_hdr1()
+ {
+- _dd if=$1 of=$2 skip=$LUKS2_HDR_SIZE bs=512 count=$LUKS2_BIN_HDR_SIZE
++ _dd if=$1 of=$2 skip=${3:-$LUKS2_HDR_SIZE} bs=512 count=$LUKS2_BIN_HDR_SIZE
+ }
+
++# read secondary json area
++# 1:from 2:to 3:[json only size (defaults to 12KiB)]
+ function read_luks2_json1()
+ {
+- _dd if=$1 of=$2 bs=512 skip=$((LUKS2_BIN_HDR_SIZE+LUKS2_HDR_SIZE)) count=$LUKS2_JSON_SIZE
++ local _js=${3:-$LUKS2_JSON_SIZE}
++ _dd if=$1 of=$2 bs=512 skip=$((2*LUKS2_BIN_HDR_SIZE+_js)) count=$_js
+ }
+
++# read primary metadata area (bin + json)
++# 1:from 2:to 3:[metadata size (defaults to 16KiB)]
+ function read_luks2_hdr_area0()
+ {
+- _dd if=$1 of=$2 bs=512 count=$LUKS2_HDR_SIZE
++ local _as=${3:-$LUKS2_HDR_SIZE}
++ local _as=$((_as*512))
++ _dd if=$1 of=$2 bs=$_as count=1
+ }
+
++# read secondary metadata area (bin + json)
++# 1:from 2:to 3:[metadata size (defaults to 16KiB)]
+ function read_luks2_hdr_area1()
+ {
+- _dd if=$1 of=$2 bs=512 skip=$LUKS2_HDR_SIZE count=$LUKS2_HDR_SIZE
++ local _as=${3:-$LUKS2_HDR_SIZE}
++ local _as=$((_as*512))
++ _dd if=$1 of=$2 bs=$_as skip=1 count=1
+ }
+
++# write secondary bin hdr
++# 1:from 2:to 3:[metadata size (defaults to 16KiB)]
+ function write_luks2_bin_hdr1()
+ {
+- _dd if=$1 of=$2 bs=512 seek=$LUKS2_HDR_SIZE count=$LUKS2_BIN_HDR_SIZE conv=notrunc
++ _dd if=$1 of=$2 bs=512 seek=${3:-$LUKS2_HDR_SIZE} count=$LUKS2_BIN_HDR_SIZE conv=notrunc
+ }
+
++# write primary metadata area (bin + json)
++# 1:from 2:to 3:[metadata size (defaults to 16KiB)]
+ function write_luks2_hdr0()
+ {
+- _dd if=$1 of=$2 bs=512 count=$LUKS2_HDR_SIZE conv=notrunc
++ local _as=${3:-$LUKS2_HDR_SIZE}
++ local _as=$((_as*512))
++ _dd if=$1 of=$2 bs=$_as count=1 conv=notrunc
+ }
+
++# write secondary metadata area (bin + json)
++# 1:from 2:to 3:[metadata size (defaults to 16KiB)]
+ function write_luks2_hdr1()
+ {
+- _dd if=$1 of=$2 bs=512 seek=$LUKS2_HDR_SIZE count=$LUKS2_HDR_SIZE conv=notrunc
++ local _as=${3:-$LUKS2_HDR_SIZE}
++ local _as=$((_as*512))
++ _dd if=$1 of=$2 bs=$_as seek=1 count=1 conv=notrunc
+ }
+
+-# 1 - json str
++# write json (includes padding)
++# 1:json_string 2:to 3:[json size (defaults to 12KiB)]
+ function write_luks2_json()
+ {
++ local _js=${3:-$LUKS2_JSON_SIZE}
+ local len=${#1}
+- printf '%s' "$1" | _dd of=$2 bs=1 count=$len conv=notrunc
+- _dd if=/dev/zero of=$2 bs=1 seek=$len count=$((LUKS2_JSON_SIZE*512-len))
++ echo -n -E "$1" > $2
++ truncate -s $((_js*512)) $2
+ }
+
+ function kill_bin_hdr()
+@@ -117,17 +156,25 @@ function calc_sha256_checksum_stdin()
+ sha256sum - | cut -d ' ' -f 1
+ }
+
+-# 1 - bin
+-# 2 - json
+-# 3 - luks2_hdr_area
++# merge bin hdr with json to form metadata area
++# 1:bin_hdr 2:json 3:to 4:[json size (defaults to 12KiB)]
+ function merge_bin_hdr_with_json()
+ {
+- _dd if=$1 of=$3 bs=512 count=$LUKS2_BIN_HDR_SIZE
+- _dd if=$2 of=$3 bs=512 seek=$LUKS2_BIN_HDR_SIZE count=$LUKS2_JSON_SIZE
++ local _js=${4:-$LUKS2_JSON_SIZE}
++ local _js=$((_js*512/4096))
++ _dd if=$1 of=$3 bs=4096 count=1
++ _dd if=$2 of=$3 bs=4096 seek=1 count=$_js
+ }
+
+ function _dd()
+ {
+- dd $@ 2>/dev/null
+- #dd $@
++ dd $@ status=none
++}
++
++function write_bin_hdr_size() {
++ printf '%016x' $2 | xxd -r -p -l 16 | _dd of=$1 bs=8 count=1 seek=1 conv=notrunc
++}
++
++function write_bin_hdr_offset() {
++ printf '%016x' $2 | xxd -r -p -l 16 | _dd of=$1 bs=8 count=1 seek=32 conv=notrunc
+ }
+diff -rupN cryptsetup-2.0.3.old/tests/luks2-validation-test cryptsetup-2.0.3/tests/luks2-validation-test
+--- cryptsetup-2.0.3.old/tests/luks2-validation-test 2019-03-27 20:59:31.654442224 +0100
++++ cryptsetup-2.0.3/tests/luks2-validation-test 2019-03-27 20:59:49.465269549 +0100
+@@ -3,14 +3,12 @@
+ #turn on debug mode by following env. variable _DEBUG=1
+
+ PS4='$LINENO:'
+-CRYPTSETUP=../cryptsetup
++[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
++CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
+
+ CRYPTSETUP_VALGRIND=../.libs/cryptsetup
+ CRYPTSETUP_LIB_VALGRIND=../.libs
+
+-DM_CRYPT_SECTOR=512
+-LUKS2_HDR_SIZE=2112 # 16 KiB version, stored twice, including luks2 areas with keyslots
+-
+ START_DIR=$(pwd)
+
+ IMG=luks2-backend.img
+@@ -19,6 +17,8 @@ TST_IMGS=$START_DIR/luks2-images
+
+ GEN_DIR=generators
+
++FAILS=0
++
+ [ -z "$srcdir" ] && srcdir="."
+
+ function remove_mapping()
+@@ -29,12 +29,18 @@ function remove_mapping()
+ function fail()
+ {
+ [ -n "$1" ] && echo "$1"
+- echo "FAILED"
++ echo "FAILED at line $(caller)"
+ cd $START_DIR
+ remove_mapping
+ exit 2
+ }
+
++fail_count()
++{
++ echo "$1"
++ FAILS=$((FAILS+1))
++}
++
+ function skip()
+ {
+ [ -n "$1" ] && echo "$1"
+@@ -61,23 +67,24 @@ function test_load()
+ case "$1" in
+ R)
+ if [ -n "$_debug" ]; then
+- $CRYPTSETUP luksDump $_debug $IMG || fail "$2"
++ $CRYPTSETUP luksDump $_debug $IMG
+ else
+- $CRYPTSETUP luksDump $_debug $IMG > /dev/null || fail "$2"
++ $CRYPTSETUP luksDump $_debug $IMG > /dev/null 2>&1
+ fi
++ test $? -eq 0 || return 1
+ ;;
+ F)
+ if [ -n "$_debug" ]; then
+- $CRYPTSETUP luksDump $_debug $IMG && fail "$2"
++ $CRYPTSETUP luksDump $_debug $IMG
+ else
+- $CRYPTSETUP luksDump $_debug $IMG > /dev/null 2>&1 && fail "$2"
++ $CRYPTSETUP luksDump $_debug $IMG > /dev/null 2>&1
+ fi
++ test $? -ne 0 || return 1
+ ;;
+ *)
+ fail "Internal test error"
+ ;;
+ esac
+-
+ }
+
+ function RUN()
+@@ -85,7 +92,11 @@ function RUN()
+ echo -n "Test image: $1..."
+ cp $TST_IMGS/$1 $IMG || fail "Missing test image"
+ test_load $2 "$3"
+- echo "OK"
++ if [ $? -ne 0 ]; then
++ fail_count "$3"
++ else
++ echo "OK"
++ fi
+ }
+
+ function valgrind_setup()
+@@ -158,11 +169,6 @@ RUN luks2-area-in-json-hdr-space-json0.i
+ RUN luks2-missing-keyslot-referenced-in-digest.img "F" "Failed to detect missing keyslot referenced in digest"
+ RUN luks2-missing-segment-referenced-in-digest.img "F" "Failed to detect missing segment referenced in digest"
+ RUN luks2-missing-keyslot-referenced-in-token.img "F" "Failed to detect missing keyslots referenced in token"
+-RUN luks2-invalid-keyslots-size-c0.img "F" "Failed to detect too large keyslots_size in config section"
+-RUN luks2-invalid-keyslots-size-c1.img "F" "Failed to detect unaligned keyslots_size in config section"
+-RUN luks2-invalid-keyslots-size-c2.img "F" "Failed to detect too small keyslots_size config section"
+-RUN luks2-invalid-json-size-c0.img "F" "Failed to detect invalid json_size config section"
+-RUN luks2-invalid-json-size-c1.img "F" "Failed to detect invalid json_size config section"
+ RUN luks2-keyslot-missing-digest.img "F" "Failed to detect missing keyslot digest."
+ RUN luks2-keyslot-too-many-digests.img "F" "Failed to detect keyslot has too many digests."
+
+@@ -171,4 +177,56 @@ RUN luks2-uint64-max-segment-size.img
+ RUN luks2-uint64-overflow-segment-size.img "F" "Failed to detect uint64_t overflow"
+ RUN luks2-uint64-signed-segment-size.img "F" "Failed to detect negative value"
+
++echo "[5] Test segments validation"
++RUN luks2-segment-missing-type.img "F" "Failed to detect missing type field"
++RUN luks2-segment-wrong-type.img "F" "Failed to detect invalid type field"
++RUN luks2-segment-missing-offset.img "F" "Failed to detect missing offset field"
++RUN luks2-segment-wrong-offset.img "F" "Failed to detect invalid offset field"
++RUN luks2-segment-missing-size.img "F" "Failed to detect missing size field"
++RUN luks2-segment-wrong-size-0.img "F" "Failed to detect invalid size field"
++RUN luks2-segment-wrong-size-1.img "F" "Failed to detect invalid size field"
++RUN luks2-segment-wrong-size-2.img "F" "Failed to detect invalid size field"
++RUN luks2-segment-crypt-missing-encryption.img "F" "Failed to detect missing encryption field"
++RUN luks2-segment-crypt-wrong-encryption.img "F" "Failed to detect invalid encryption field"
++RUN luks2-segment-crypt-missing-ivoffset.img "F" "Failed to detect missing iv_tweak field"
++RUN luks2-segment-crypt-wrong-ivoffset.img "F" "Failed to detect invalid iv_tweak field"
++RUN luks2-segment-crypt-missing-sectorsize.img "F" "Failed to detect missing sector_size field"
++RUN luks2-segment-crypt-wrong-sectorsize-0.img "F" "Failed to detect invalid sector_size field"
++RUN luks2-segment-crypt-wrong-sectorsize-1.img "F" "Failed to detect invalid sector_size field"
++RUN luks2-segment-crypt-wrong-sectorsize-2.img "F" "Failed to detect invalid sector_size field"
++RUN luks2-segment-unknown-type.img "R" "Validation rejected segment with all mandatory fields correct"
++RUN luks2-segment-two.img "R" "Validation rejected two valid segments"
++RUN luks2-segment-wrong-flags.img "F" "Failed to detect invalid flags field"
++RUN luks2-segment-wrong-flags-element.img "F" "Failed to detect invalid flags content"
++
++echo "[6] Test metadata size and keyslots size (config section)"
++RUN luks2-invalid-keyslots-size-c0.img "F" "Failed to detect too large keyslots_size in config section"
++RUN luks2-invalid-keyslots-size-c1.img "F" "Failed to detect unaligned keyslots_size in config section"
++RUN luks2-invalid-keyslots-size-c2.img "F" "Failed to detect too small keyslots_size config section"
++RUN luks2-invalid-json-size-c0.img "F" "Failed to detect invalid json_size config section"
++RUN luks2-invalid-json-size-c1.img "F" "Failed to detect invalid json_size config section"
++RUN luks2-invalid-json-size-c2.img "F" "Failed to detect mismatching json size in config and binary hdr"
++RUN luks2-metadata-size-32k.img "R" "Valid 32KiB metadata size failed to validate"
++RUN luks2-metadata-size-64k.img "R" "Valid 64KiB metadata size failed to validate"
++RUN luks2-metadata-size-64k-inv-area-c0.img "F" "Failed to detect keyslot area trespassing in json area"
++RUN luks2-metadata-size-64k-inv-area-c1.img "F" "Failed to detect keyslot area overflowing keyslots area"
++RUN luks2-metadata-size-64k-inv-keyslots-size-c0.img "F" "Failed to detect keyslots size overflowing in data area"
++RUN luks2-metadata-size-128k.img "R" "Valid 128KiB metadata size failed to validate"
++RUN luks2-metadata-size-256k.img "R" "Valid 256KiB metadata size failed to validate"
++RUN luks2-metadata-size-512k.img "R" "Valid 512KiB metadata size failed to validate"
++RUN luks2-metadata-size-1m.img "R" "Valid 1MiB metadata size failed to validate"
++RUN luks2-metadata-size-2m.img "R" "Valid 2MiB metadata size failed to validate"
++RUN luks2-metadata-size-4m.img "R" "Valid 4MiB metadata size failed to validate"
++RUN luks2-metadata-size-16k-secondary.img "R" "Valid 16KiB metadata size in secondary hdr failed to validate"
++RUN luks2-metadata-size-32k-secondary.img "R" "Valid 32KiB metadata size in secondary hdr failed to validate"
++RUN luks2-metadata-size-64k-secondary.img "R" "Valid 64KiB metadata size in secondary hdr failed to validate"
++RUN luks2-metadata-size-128k-secondary.img "R" "Valid 128KiB metadata size in secondary hdr failed to validate"
++RUN luks2-metadata-size-256k-secondary.img "R" "Valid 256KiB metadata size in secondary hdr failed to validate"
++RUN luks2-metadata-size-512k-secondary.img "R" "Valid 512KiB metadata size in secondary hdr failed to validate"
++RUN luks2-metadata-size-1m-secondary.img "R" "Valid 1MiB metadata size in secondary hdr failed to validate"
++RUN luks2-metadata-size-2m-secondary.img "R" "Valid 2MiB metadata size in secondary hdr failed to validate"
++RUN luks2-metadata-size-4m-secondary.img "R" "Valid 4MiB metadata size in secondary hdr failed to validate"
++
+ remove_mapping
++
++test $FAILS -eq 0 || fail "($FAILS wrong result(s) in total)"
diff --git a/SOURCES/cryptsetup-2.2.1-reinstate-missing-backing-file-hint-for-loop-device.patch b/SOURCES/cryptsetup-2.2.1-reinstate-missing-backing-file-hint-for-loop-device.patch
new file mode 100644
index 0000000..7aa6b76
--- /dev/null
+++ b/SOURCES/cryptsetup-2.2.1-reinstate-missing-backing-file-hint-for-loop-device.patch
@@ -0,0 +1,149 @@
+diff -rupN cryptsetup-2.0.3.old/src/Makemodule.am cryptsetup-2.0.3.new/src/Makemodule.am
+--- cryptsetup-2.0.3.old/src/Makemodule.am 2019-08-27 17:37:25.043999695 +0200
++++ cryptsetup-2.0.3.new/src/Makemodule.am 2019-08-27 17:39:40.303336254 +0200
+@@ -6,6 +6,7 @@ cryptsetup_SOURCES = \
+ lib/utils_loop.c \
+ lib/utils_io.c \
+ src/utils_tools.c \
++ lib/utils_loop.c \
+ src/utils_password.c \
+ src/cryptsetup.c \
+ src/cryptsetup.h
+diff -rupN cryptsetup-2.0.3.old/src/utils_password.c cryptsetup-2.0.3.new/src/utils_password.c
+--- cryptsetup-2.0.3.old/src/utils_password.c 2019-08-27 17:37:25.043999695 +0200
++++ cryptsetup-2.0.3.new/src/utils_password.c 2019-08-27 17:38:35.354214280 +0200
+@@ -256,7 +256,7 @@ int tools_get_key(const char *prompt,
+ int timeout, int verify, int pwquality,
+ struct crypt_device *cd)
+ {
+- char tmp[1024];
++ char tmp[1024], *backing_file;
+ int r = -EINVAL, block;
+
+ block = tools_signals_blocked();
+@@ -270,9 +270,11 @@ int tools_get_key(const char *prompt,
+ } else {
+ if (!prompt && !crypt_get_device_name(cd))
+ snprintf(tmp, sizeof(tmp), _("Enter passphrase: "));
+- else if (!prompt)
+- snprintf(tmp, sizeof(tmp), _("Enter passphrase for %s: "),
+- crypt_get_device_name(cd));
++ else if (!prompt) {
++ backing_file = crypt_loop_backing_file(crypt_get_device_name(cd));
++ snprintf(tmp, sizeof(tmp), _("Enter passphrase for %s: "), backing_file ?: crypt_get_device_name(cd));
++ free(backing_file);
++ }
+ r = crypt_get_key_tty(prompt ?: tmp, key, key_size, timeout, verify, cd);
+ }
+ } else {
+diff -rupN cryptsetup-2.0.3.old/tests/compat-test cryptsetup-2.0.3.new/tests/compat-test
+--- cryptsetup-2.0.3.old/tests/compat-test 2019-08-27 17:37:24.942997950 +0200
++++ cryptsetup-2.0.3.new/tests/compat-test 2019-08-27 17:41:15.868988979 +0200
+@@ -735,15 +735,20 @@ fi
+ which expect >/dev/null 2>&1 || skip "WARNING: expect tool missing, interactive test will be skipped." 0
+
+ prepare "[32] Interactive password retry from terminal." new
++if [ "$(pwd)" = "/" ]; then
++ EXPECT_DEV=/$IMG
++else
++ EXPECT_DEV=$(pwd)/$IMG
++fi
+ expect - >/dev/null <<EOF
+ proc abort {} { send_error "Timeout. "; exit 2 }
+ set timeout 10
+ eval spawn $CRYPTSETUP luksOpen -v -T 2 $LOOPDEV $DEV_NAME
+-expect timeout abort "Enter passphrase for $LOOPDEV:"
++expect timeout abort "Enter passphrase for $EXPECT_DEV:"
+ sleep 0.1
+ send "$PWD0 x\n"
+ expect timeout abort "No key available with this passphrase."
+-expect timeout abort "Enter passphrase for $LOOPDEV:"
++expect timeout abort "Enter passphrase for $EXPECT_DEV:"
+ sleep 0.1
+ send "$PWD0\n"
+ expect timeout abort "Key slot 0 unlocked."
+@@ -760,11 +765,11 @@ expect - >/dev/null <<EOF
+ proc abort {} { send_error "Timeout. "; exit 2 }
+ set timeout 10
+ eval spawn $CRYPTSETUP luksOpen -v -T 2 $LOOPDEV $DEV_NAME
+-expect timeout abort "Enter passphrase for $LOOPDEV:"
++expect timeout abort "Enter passphrase for $EXPECT_DEV:"
+ sleep 0.1
+ send "$PWD0 x\n"
+ expect timeout abort "No key available with this passphrase."
+-expect timeout abort "Enter passphrase for $LOOPDEV:"
++expect timeout abort "Enter passphrase for $EXPECT_DEV:"
+ sleep 0.1
+ send "$PWD0 y\n"
+ expect timeout abort "No key available with this passphrase."
+@@ -799,7 +804,7 @@ set timeout 10
+ eval spawn $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF_OPT -v $LOOPDEV
+ expect timeout abort "Are you sure? (Type uppercase yes):"
+ send "YES\n"
+-expect timeout abort "Enter passphrase for $LOOPDEV:"
++expect timeout abort "Enter passphrase for $EXPECT_DEV:"
+ sleep 0.1
+ send "$PWD0\n"
+ expect timeout abort "Verify passphrase:"
+@@ -808,7 +813,7 @@ send "$PWD0\n"
+ expect timeout abort "Command successful."
+ expect timeout abort eof
+ eval spawn $CRYPTSETUP luksOpen -v $LOOPDEV --test-passphrase
+-expect timeout abort "Enter passphrase for $LOOPDEV:"
++expect timeout abort "Enter passphrase for $EXPECT_DEV:"
+ sleep 0.1
+ send "$PWD0\n"
+ expect timeout abort "Command successful."
+@@ -829,7 +834,7 @@ expect timeout abort eof
+ eval spawn $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF_OPT -v $LOOPDEV
+ expect timeout abort "Are you sure? (Type uppercase yes):"
+ send "YES\n"
+-expect timeout abort "Enter passphrase for $LOOPDEV:"
++expect timeout abort "Enter passphrase for $EXPECT_DEV:"
+ sleep 0.1
+ send "$PWD0\n"
+ expect timeout abort "Verify passphrase:"
+@@ -838,7 +843,7 @@ send "$PWD0 x\n"
+ expect timeout abort "Passphrases do not match."
+ expect timeout abort eof
+ eval spawn $CRYPTSETUP luksOpen -v $LOOPDEV -T 1 --test-passphrase
+-expect timeout abort "Enter passphrase for $LOOPDEV:"
++expect timeout abort "Enter passphrase for $EXPECT_DEV:"
+ sleep 0.1
+ send "$PWD0\n"
+ expect timeout abort "No key available with this passphrase."
+@@ -890,7 +895,7 @@ send "$PWD1\n"
+ expect timeout abort "Command successful."
+ expect timeout abort eof
+ eval spawn $CRYPTSETUP luksOpen -v $LOOPDEV --test-passphrase
+-expect timeout abort "Enter passphrase for $LOOPDEV:"
++expect timeout abort "Enter passphrase for $EXPECT_DEV:"
+ sleep 0.1
+ send "$PWD1\n"
+ expect timeout abort "Command successful."
+@@ -908,21 +913,21 @@ eval spawn $CRYPTSETUP luksSuspend -v $D
+ expect timeout abort "Command successful."
+ expect timeout abort eof
+ eval spawn $CRYPTSETUP luksResume -v -T 3 $DEV_NAME
+-expect timeout abort "Enter passphrase for $LOOPDEV:"
++expect timeout abort "Enter passphrase for $EXPECT_DEV:"
+ sleep 0.1
+ send "$PWD0 x\n"
+ expect timeout abort "No key available with this passphrase."
+-expect timeout abort "Enter passphrase for $LOOPDEV:"
++expect timeout abort "Enter passphrase for $EXPECT_DEV:"
+ sleep 0.1
+ send "$PWD1\n"
+ expect timeout abort "No key available with this passphrase."
+-expect timeout abort "Enter passphrase for $LOOPDEV:"
++expect timeout abort "Enter passphrase for $EXPECT_DEV:"
+ sleep 0.1
+ send "$PWD0 y\n"
+ expect timeout abort "No key available with this passphrase."
+ expect timeout abort eof
+ eval spawn $CRYPTSETUP luksResume -v $DEV_NAME
+-expect timeout abort "Enter passphrase for $LOOPDEV:"
++expect timeout abort "Enter passphrase for $EXPECT_DEV:"
+ sleep 0.1
+ send "$PWD0\n"
+ expect timeout abort "Command successful."
diff --git a/SOURCES/cryptsetup-argon2-fips.patch b/SOURCES/cryptsetup-argon2-fips.patch
new file mode 100644
index 0000000..5261c8d
--- /dev/null
+++ b/SOURCES/cryptsetup-argon2-fips.patch
@@ -0,0 +1,33 @@
+diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c
+index 3716c26..540915b 100644
+--- a/lib/luks2/luks2_keyslot_luks2.c
++++ b/lib/luks2/luks2_keyslot_luks2.c
+@@ -350,6 +350,13 @@ static int luks2_keyslot_get_key(struct crypt_device *cd,
+ crypt_free_volume_key(derived_key);
+ return -ENOMEM;
+ }
++
++ if (crypt_fips_mode() &&
++ (!strcmp(pbkdf.type, CRYPT_KDF_ARGON2I) ||
++ !strcmp(pbkdf.type, CRYPT_KDF_ARGON2ID)))
++ log_verbose(cd, _("%s key derivation function is not currently FIPS-compliant."),
++ pbkdf.type);
++
+ /*
+ * Calculate derived key, decrypt keyslot content and merge it.
+ */
+@@ -406,6 +413,14 @@ static int luks2_keyslot_update_json(struct crypt_device *cd,
+ if (!pbkdf)
+ return -EINVAL;
+
++ if (crypt_fips_mode() &&
++ (!strcmp(pbkdf->type, CRYPT_KDF_ARGON2I) ||
++ !strcmp(pbkdf->type, CRYPT_KDF_ARGON2ID))) {
++ log_err(cd, _("%s key derivation function is not allowed in FIPS mode."),
++ pbkdf->type);
++ return -EINVAL;
++ }
++
+ r = crypt_benchmark_pbkdf_internal(cd, CONST_CAST(struct crypt_pbkdf_type *)pbkdf, keyslot_key_len);
+ if (r < 0)
+ return r;
diff --git a/SOURCES/cryptsetup-avoid-rh-kernel-bug.patch b/SOURCES/cryptsetup-avoid-rh-kernel-bug.patch
new file mode 100644
index 0000000..c0ca3b2
--- /dev/null
+++ b/SOURCES/cryptsetup-avoid-rh-kernel-bug.patch
@@ -0,0 +1,56 @@
+--- a/lib/crypto_backend/crypto_cipher_kernel.c
++++ b/lib/crypto_backend/crypto_cipher_kernel.c
+@@ -31,6 +31,7 @@
+ #ifdef ENABLE_AF_ALG
+
+ #include <linux/if_alg.h>
++#include <sys/utsname.h>
+
+ #ifndef AF_ALG
+ #define AF_ALG 38
+@@ -88,6 +89,35 @@ int crypt_cipher_blocksize(const char *n
+ return ca ? ca->blocksize : -EINVAL;
+ }
+
++static size_t pagesize(size_t defsize)
++{
++ long r = sysconf(_SC_PAGESIZE);
++ return r < 0 ? defsize : (size_t)r;
++}
++
++static int check_rh_kernel_version(void)
++{
++ unsigned maj, mid, min, rel;
++ static struct utsname uts = {{ 0 }};
++ size_t ps = pagesize(32768);
++
++ if (ps < 32768)
++ return 0;
++
++ if (!*uts.release && uname(&uts) < 0)
++ return -ENOTSUP;
++ /*
++ * RH kernels 3.10.0-185 and lower are affected by a crypto API kernel
++ * socket bug. The bug only manifests on archs with page size >= 32 KiB.
++ *
++ * For reference, see rhbz#1136075
++ */
++ if (sscanf(uts.release, "%u.%u.%u-%u", &maj, &mid, &min, &rel) == 4)
++ return (maj == 3 && mid == 10 && min == 0 && rel < 186) ? -ENOTSUP : 0;
++
++ return -ENOTSUP;
++}
++
+ /*
+ * ciphers
+ *
+@@ -104,6 +134,9 @@ int crypt_cipher_init(struct crypt_ciphe
+ .salg_type = "skcipher",
+ };
+
++ if (check_rh_kernel_version())
++ return -ENOTSUP;
++
+ h = malloc(sizeof(*h));
+ if (!h)
+ return -ENOMEM;
diff --git a/SOURCES/cryptsetup-configure.patch b/SOURCES/cryptsetup-configure.patch
new file mode 100644
index 0000000..044988e
--- /dev/null
+++ b/SOURCES/cryptsetup-configure.patch
@@ -0,0 +1,417 @@
+diff -rupN cryptsetup-2.0.3.old/config.h.in cryptsetup-2.0.3.new/config.h.in
+--- cryptsetup-2.0.3.old/config.h.in 2019-08-27 18:30:14.342521239 +0200
++++ cryptsetup-2.0.3.new/config.h.in 2019-08-27 18:30:48.212105267 +0200
+@@ -106,6 +106,12 @@
+ /* Define to 1 if you have the <argon2.h> header file. */
+ #undef HAVE_ARGON2_H
+
++/* Define to 1 to use blkid for detection of disk signatures. */
++#undef HAVE_BLKID
++
++/* Define to 1 if you have the <blkid/blkid.h> header file. */
++#undef HAVE_BLKID_BLKID_H
++
+ /* Define to 1 if you have the <byteswap.h> header file. */
+ #undef HAVE_BYTESWAP_H
+
+@@ -127,6 +133,30 @@
+ */
+ #undef HAVE_DCGETTEXT
+
++/* Define to 1 if you have the declaration of `blkid_do_probe', and to 0 if
++ you don't. */
++#undef HAVE_DECL_BLKID_DO_PROBE
++
++/* Define to 1 if you have the declaration of `blkid_do_safeprobe', and to 0
++ if you don't. */
++#undef HAVE_DECL_BLKID_DO_SAFEPROBE
++
++/* Define to 1 if you have the declaration of
++ `blkid_probe_filter_superblocks_type', and to 0 if you don't. */
++#undef HAVE_DECL_BLKID_PROBE_FILTER_SUPERBLOCKS_TYPE
++
++/* Define to 1 if you have the declaration of `blkid_probe_lookup_value ', and
++ to 0 if you don't. */
++#undef HAVE_DECL_BLKID_PROBE_LOOKUP_VALUE__________
++
++/* Define to 1 if you have the declaration of `blkid_probe_set_device', and to
++ 0 if you don't. */
++#undef HAVE_DECL_BLKID_PROBE_SET_DEVICE
++
++/* Define to 1 if you have the declaration of `blkid_reset_probe', and to 0 if
++ you don't. */
++#undef HAVE_DECL_BLKID_RESET_PROBE
++
+ /* Define to 1 if you have the declaration of `dm_device_has_holders', and to
+ 0 if you don't. */
+ #undef HAVE_DECL_DM_DEVICE_HAS_HOLDERS
+diff -rupN cryptsetup-2.0.3.old/configure cryptsetup-2.0.3.new/configure
+--- cryptsetup-2.0.3.old/configure 2019-08-27 18:30:14.342521239 +0200
++++ cryptsetup-2.0.3.new/configure 2019-08-27 18:30:48.212105267 +0200
+@@ -664,6 +664,10 @@ PWQUALITY_STATIC_LIBS
+ systemd_tmpfilesdir
+ DEVMAPPER_STATIC_LIBS
+ DEVMAPPER_STATIC_CFLAGS
++HAVE_BLKID_FALSE
++HAVE_BLKID_TRUE
++BLKID_LIBS
++BLKID_CFLAGS
+ CRYPTO_INTERNAL_ARGON2_FALSE
+ CRYPTO_INTERNAL_ARGON2_TRUE
+ LIBARGON2_LIBS
+@@ -878,6 +882,7 @@ enable_gcrypt_pbkdf2
+ with_libgcrypt_prefix
+ enable_internal_argon2
+ enable_libargon2
++enable_blkid
+ enable_dev_random
+ enable_python
+ with_python_version
+@@ -935,6 +940,8 @@ NSS_CFLAGS
+ NSS_LIBS
+ LIBARGON2_CFLAGS
+ LIBARGON2_LIBS
++BLKID_CFLAGS
++BLKID_LIBS
+ DEVMAPPER_STATIC_CFLAGS
+ DEVMAPPER_STATIC_LIBS
+ systemd_tmpfilesdir
+@@ -1607,6 +1614,8 @@ Optional Features:
+ disable internal implementation of Argon2 PBKDF
+ --enable-libargon2 enable external libargon2 (PHC) library (disables
+ internal bundled version)
++ --disable-blkid disable use of blkid for device signature detection
++ and wiping.
+ --enable-dev-random use blocking /dev/random by default for key
+ generator (otherwise use /dev/urandom)
+ --enable-python enable Python bindings
+@@ -1719,6 +1728,9 @@ Some influential environment variables:
+ C compiler flags for LIBARGON2, overriding pkg-config
+ LIBARGON2_LIBS
+ linker flags for LIBARGON2, overriding pkg-config
++ BLKID_CFLAGS
++ C compiler flags for BLKID, overriding pkg-config
++ BLKID_LIBS linker flags for BLKID, overriding pkg-config
+ DEVMAPPER_STATIC_CFLAGS
+ C compiler flags for DEVMAPPER_STATIC, overriding pkg-config
+ DEVMAPPER_STATIC_LIBS
+@@ -18580,6 +18592,211 @@ else
+ fi
+
+
++# Check whether --enable-blkid was given.
++if test "${enable_blkid+set}" = set; then :
++ enableval=$enable_blkid;
++else
++ enable_blkid=yes
++fi
++
++
++if test x$enable_blkid = xyes ; then
++
++pkg_failed=no
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for BLKID" >&5
++$as_echo_n "checking for BLKID... " >&6; }
++
++if test -n "$BLKID_CFLAGS"; then
++ pkg_cv_BLKID_CFLAGS="$BLKID_CFLAGS"
++ elif test -n "$PKG_CONFIG"; then
++ if test -n "$PKG_CONFIG" && \
++ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"blkid\""; } >&5
++ ($PKG_CONFIG --exists --print-errors "blkid") 2>&5
++ ac_status=$?
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; }; then
++ pkg_cv_BLKID_CFLAGS=`$PKG_CONFIG --cflags "blkid" 2>/dev/null`
++ test "x$?" != "x0" && pkg_failed=yes
++else
++ pkg_failed=yes
++fi
++ else
++ pkg_failed=untried
++fi
++if test -n "$BLKID_LIBS"; then
++ pkg_cv_BLKID_LIBS="$BLKID_LIBS"
++ elif test -n "$PKG_CONFIG"; then
++ if test -n "$PKG_CONFIG" && \
++ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"blkid\""; } >&5
++ ($PKG_CONFIG --exists --print-errors "blkid") 2>&5
++ ac_status=$?
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; }; then
++ pkg_cv_BLKID_LIBS=`$PKG_CONFIG --libs "blkid" 2>/dev/null`
++ test "x$?" != "x0" && pkg_failed=yes
++else
++ pkg_failed=yes
++fi
++ else
++ pkg_failed=untried
++fi
++
++
++
++if test $pkg_failed = yes; then
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
++
++if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
++ _pkg_short_errors_supported=yes
++else
++ _pkg_short_errors_supported=no
++fi
++ if test $_pkg_short_errors_supported = yes; then
++ BLKID_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "blkid" 2>&1`
++ else
++ BLKID_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "blkid" 2>&1`
++ fi
++ # Put the nasty error message in config.log where it belongs
++ echo "$BLKID_PKG_ERRORS" >&5
++
++ LIBBLKID_LIBS="-lblkid"
++elif test $pkg_failed = untried; then
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
++ LIBBLKID_LIBS="-lblkid"
++else
++ BLKID_CFLAGS=$pkg_cv_BLKID_CFLAGS
++ BLKID_LIBS=$pkg_cv_BLKID_LIBS
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
++$as_echo "yes" >&6; }
++
++$as_echo "#define HAVE_BLKID 1" >>confdefs.h
++
++fi
++
++ for ac_header in blkid/blkid.h
++do :
++ ac_fn_c_check_header_mongrel "$LINENO" "blkid/blkid.h" "ac_cv_header_blkid_blkid_h" "$ac_includes_default"
++if test "x$ac_cv_header_blkid_blkid_h" = xyes; then :
++ cat >>confdefs.h <<_ACEOF
++#define HAVE_BLKID_BLKID_H 1
++_ACEOF
++
++else
++ as_fn_error $? "You need blkid development library installed." "$LINENO" 5
++fi
++
++done
++
++ ac_fn_c_check_decl "$LINENO" "blkid_reset_probe" "ac_cv_have_decl_blkid_reset_probe" "#include <blkid/blkid.h>
++"
++if test "x$ac_cv_have_decl_blkid_reset_probe" = xyes; then :
++ ac_have_decl=1
++else
++ ac_have_decl=0
++fi
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_DECL_BLKID_RESET_PROBE $ac_have_decl
++_ACEOF
++if test $ac_have_decl = 1; then :
++
++else
++ as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5
++fi
++ac_fn_c_check_decl "$LINENO" "blkid_probe_set_device" "ac_cv_have_decl_blkid_probe_set_device" "#include <blkid/blkid.h>
++"
++if test "x$ac_cv_have_decl_blkid_probe_set_device" = xyes; then :
++ ac_have_decl=1
++else
++ ac_have_decl=0
++fi
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_DECL_BLKID_PROBE_SET_DEVICE $ac_have_decl
++_ACEOF
++if test $ac_have_decl = 1; then :
++
++else
++ as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5
++fi
++ac_fn_c_check_decl "$LINENO" "blkid_probe_filter_superblocks_type" "ac_cv_have_decl_blkid_probe_filter_superblocks_type" "#include <blkid/blkid.h>
++"
++if test "x$ac_cv_have_decl_blkid_probe_filter_superblocks_type" = xyes; then :
++ ac_have_decl=1
++else
++ ac_have_decl=0
++fi
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_DECL_BLKID_PROBE_FILTER_SUPERBLOCKS_TYPE $ac_have_decl
++_ACEOF
++if test $ac_have_decl = 1; then :
++
++else
++ as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5
++fi
++ac_fn_c_check_decl "$LINENO" "blkid_do_safeprobe" "ac_cv_have_decl_blkid_do_safeprobe" "#include <blkid/blkid.h>
++"
++if test "x$ac_cv_have_decl_blkid_do_safeprobe" = xyes; then :
++ ac_have_decl=1
++else
++ ac_have_decl=0
++fi
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_DECL_BLKID_DO_SAFEPROBE $ac_have_decl
++_ACEOF
++if test $ac_have_decl = 1; then :
++
++else
++ as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5
++fi
++ac_fn_c_check_decl "$LINENO" "blkid_do_probe" "ac_cv_have_decl_blkid_do_probe" "#include <blkid/blkid.h>
++"
++if test "x$ac_cv_have_decl_blkid_do_probe" = xyes; then :
++ ac_have_decl=1
++else
++ ac_have_decl=0
++fi
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_DECL_BLKID_DO_PROBE $ac_have_decl
++_ACEOF
++if test $ac_have_decl = 1; then :
++
++else
++ as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5
++fi
++ac_fn_c_check_decl "$LINENO" "blkid_probe_lookup_value
++ " "ac_cv_have_decl_blkid_probe_lookup_value__________" "#include <blkid/blkid.h>
++"
++if test "x$ac_cv_have_decl_blkid_probe_lookup_value__________" = xyes; then :
++ ac_have_decl=1
++else
++ ac_have_decl=0
++fi
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_DECL_BLKID_PROBE_LOOKUP_VALUE__________ $ac_have_decl
++_ACEOF
++if test $ac_have_decl = 1; then :
++
++else
++ as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5
++fi
++
++fi
++ if test x$enable_blkid = xyes; then
++ HAVE_BLKID_TRUE=
++ HAVE_BLKID_FALSE='#'
++else
++ HAVE_BLKID_TRUE='#'
++ HAVE_BLKID_FALSE=
++fi
++
++
+ if test x$enable_static_cryptsetup = xyes; then
+ saved_PKG_CONFIG=$PKG_CONFIG
+ PKG_CONFIG="$PKG_CONFIG --static"
+@@ -19043,6 +19260,7 @@ $as_echo "$systemd_tmpfilesdir" >&6; }
+
+
+
++
+ # Check whether --enable-dev-random was given.
+ if test "${enable_dev_random+set}" = set; then :
+ enableval=$enable_dev_random; default_rng=/dev/random
+@@ -20146,6 +20364,10 @@ if test -z "${CRYPTO_INTERNAL_ARGON2_TRU
+ as_fn_error $? "conditional \"CRYPTO_INTERNAL_ARGON2\" was never defined.
+ Usually this means the macro was only invoked conditionally." "$LINENO" 5
+ fi
++if test -z "${HAVE_BLKID_TRUE}" && test -z "${HAVE_BLKID_FALSE}"; then
++ as_fn_error $? "conditional \"HAVE_BLKID\" was never defined.
++Usually this means the macro was only invoked conditionally." "$LINENO" 5
++fi
+ if test -z "${PYTHON_CRYPTSETUP_TRUE}" && test -z "${PYTHON_CRYPTSETUP_FALSE}"; then
+ as_fn_error $? "conditional \"PYTHON_CRYPTSETUP\" was never defined.
+ Usually this means the macro was only invoked conditionally." "$LINENO" 5
+diff -rupN cryptsetup-2.0.3.old/Makefile.in cryptsetup-2.0.3.new/Makefile.in
+--- cryptsetup-2.0.3.old/Makefile.in 2019-08-27 18:30:14.223519187 +0200
++++ cryptsetup-2.0.3.new/Makefile.in 2019-08-27 18:34:03.679475168 +0200
+@@ -270,7 +270,8 @@ am_libcryptsetup_la_OBJECTS = lib/libcry
+ lib/luks2/libcryptsetup_la-luks2_keyslot.lo \
+ lib/luks2/libcryptsetup_la-luks2_keyslot_luks2.lo \
+ lib/luks2/libcryptsetup_la-luks2_token_keyring.lo \
+- lib/luks2/libcryptsetup_la-luks2_token.lo
++ lib/luks2/libcryptsetup_la-luks2_token.lo \
++ lib/libcryptsetup_la-utils_blkid.lo
+ libcryptsetup_la_OBJECTS = $(am_libcryptsetup_la_OBJECTS)
+ libcryptsetup_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+@@ -308,12 +309,14 @@ am__cryptsetup_SOURCES_DIST = lib/utils_
+ cryptsetup_OBJECTS = $(am_cryptsetup_OBJECTS)
+ @CRYPTSETUP_TRUE@cryptsetup_DEPENDENCIES = libcryptsetup.la
+ am__cryptsetup_reencrypt_SOURCES_DIST = lib/utils_crypt.c \
+- lib/utils_io.c src/utils_tools.c src/utils_password.c \
+- src/cryptsetup_reencrypt.c src/cryptsetup.h
++ lib/utils_io.c src/utils_tools.c lib/utils_loop.c \
++ src/utils_password.c src/cryptsetup_reencrypt.c \
++ src/cryptsetup.h
+ @REENCRYPT_TRUE@am_cryptsetup_reencrypt_OBJECTS = \
+ @REENCRYPT_TRUE@ lib/utils_crypt.$(OBJEXT) \
+ @REENCRYPT_TRUE@ lib/utils_io.$(OBJEXT) \
+ @REENCRYPT_TRUE@ src/utils_tools.$(OBJEXT) \
++@REENCRYPT_TRUE@ lib/utils_loop.$(OBJEXT) \
+ @REENCRYPT_TRUE@ src/utils_password.$(OBJEXT) \
+ @REENCRYPT_TRUE@ src/cryptsetup_reencrypt.$(OBJEXT)
+ cryptsetup_reencrypt_OBJECTS = $(am_cryptsetup_reencrypt_OBJECTS)
+@@ -591,6 +594,8 @@ AUTOCONF = @AUTOCONF@
+ AUTOHEADER = @AUTOHEADER@
+ AUTOMAKE = @AUTOMAKE@
+ AWK = @AWK@
++BLKID_CFLAGS = @BLKID_CFLAGS@
++BLKID_LIBS = @BLKID_LIBS@
+ CC = @CC@
+ CCDEPMODE = @CCDEPMODE@
+ CFLAGS = @CFLAGS@
+@@ -846,6 +851,7 @@ libcryptsetup_la_LIBADD = \
+ @CRYPTO_LIBS@ \
+ @LIBARGON2_LIBS@ \
+ @JSON_C_LIBS@ \
++ @BLKID_LIBS@ \
+ libcrypto_backend.la
+
+ libcryptsetup_la_SOURCES = \
+@@ -908,7 +914,9 @@ libcryptsetup_la_SOURCES = \
+ lib/luks2/luks2_token_keyring.c \
+ lib/luks2/luks2_token.c \
+ lib/luks2/luks2_internal.h \
+- lib/luks2/luks2.h
++ lib/luks2/luks2.h \
++ lib/utils_blkid.c \
++ lib/utils_blkid.h
+
+
+ # cryptsetup
+@@ -1351,6 +1359,8 @@ lib/luks2/libcryptsetup_la-luks2_token_k
+ lib/luks2/$(am__dirstamp) lib/luks2/$(DEPDIR)/$(am__dirstamp)
+ lib/luks2/libcryptsetup_la-luks2_token.lo: lib/luks2/$(am__dirstamp) \
+ lib/luks2/$(DEPDIR)/$(am__dirstamp)
++lib/libcryptsetup_la-utils_blkid.lo: lib/$(am__dirstamp) \
++ lib/$(DEPDIR)/$(am__dirstamp)
+
+ libcryptsetup.la: $(libcryptsetup_la_OBJECTS) $(libcryptsetup_la_DEPENDENCIES) $(EXTRA_libcryptsetup_la_DEPENDENCIES)
+ $(AM_V_CCLD)$(libcryptsetup_la_LINK) -rpath $(libdir) $(libcryptsetup_la_OBJECTS) $(libcryptsetup_la_LIBADD) $(LIBS)
+@@ -1507,6 +1517,7 @@ distclean-compile:
+ @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-setup.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_benchmark.Plo@am__quote@
++@AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_blkid.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_crypt.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo@am__quote@
+@@ -1991,6 +2002,13 @@ lib/luks2/libcryptsetup_la-luks2_token.l
+ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -c -o lib/luks2/libcryptsetup_la-luks2_token.lo `test -f 'lib/luks2/luks2_token.c' || echo '$(srcdir)/'`lib/luks2/luks2_token.c
+
++lib/libcryptsetup_la-utils_blkid.lo: lib/utils_blkid.c
++@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -MT lib/libcryptsetup_la-utils_blkid.lo -MD -MP -MF lib/$(DEPDIR)/libcryptsetup_la-utils_blkid.Tpo -c -o lib/libcryptsetup_la-utils_blkid.lo `test -f 'lib/utils_blkid.c' || echo '$(srcdir)/'`lib/utils_blkid.c
++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) lib/$(DEPDIR)/libcryptsetup_la-utils_blkid.Tpo lib/$(DEPDIR)/libcryptsetup_la-utils_blkid.Plo
++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='lib/utils_blkid.c' object='lib/libcryptsetup_la-utils_blkid.lo' libtool=yes @AMDEPBACKSLASH@
++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -c -o lib/libcryptsetup_la-utils_blkid.lo `test -f 'lib/utils_blkid.c' || echo '$(srcdir)/'`lib/utils_blkid.c
++
+ python/pycryptsetup_la-pycryptsetup.lo: python/pycryptsetup.c
+ @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(pycryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT python/pycryptsetup_la-pycryptsetup.lo -MD -MP -MF python/$(DEPDIR)/pycryptsetup_la-pycryptsetup.Tpo -c -o python/pycryptsetup_la-pycryptsetup.lo `test -f 'python/pycryptsetup.c' || echo '$(srcdir)/'`python/pycryptsetup.c
+ @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) python/$(DEPDIR)/pycryptsetup_la-pycryptsetup.Tpo python/$(DEPDIR)/pycryptsetup_la-pycryptsetup.Plo
diff --git a/SOURCES/cryptsetup-new-avoid-rh-kernel-bug.patch b/SOURCES/cryptsetup-new-avoid-rh-kernel-bug.patch
new file mode 100644
index 0000000..2e9a27f
--- /dev/null
+++ b/SOURCES/cryptsetup-new-avoid-rh-kernel-bug.patch
@@ -0,0 +1,59 @@
+diff -rupN cryptsetup-2.0.3.old/lib/crypto_backend/crypto_cipher_kernel.c cryptsetup-2.0.3/lib/crypto_backend/crypto_cipher_kernel.c
+--- cryptsetup-2.0.3.old/lib/crypto_backend/crypto_cipher_kernel.c 2018-04-17 09:20:35.000000000 +0200
++++ cryptsetup-2.0.3/lib/crypto_backend/crypto_cipher_kernel.c 2018-05-07 14:13:45.176124062 +0200
+@@ -31,6 +31,7 @@
+ #ifdef ENABLE_AF_ALG
+
+ #include <linux/if_alg.h>
++#include <sys/utsname.h>
+
+ #ifndef AF_ALG
+ #define AF_ALG 38
+@@ -44,6 +45,36 @@ struct crypt_cipher {
+ int opfd;
+ };
+
++
++static size_t pagesize(size_t defsize)
++{
++ long r = sysconf(_SC_PAGESIZE);
++ return r < 0 ? defsize : (size_t)r;
++}
++
++static int check_rh_kernel_version(void)
++{
++ unsigned maj, mid, min, rel;
++ static struct utsname uts = {{ 0 }};
++ size_t ps = pagesize(32768);
++
++ if (ps < 32768)
++ return 0;
++
++ if (!*uts.release && uname(&uts) < 0)
++ return -ENOTSUP;
++ /*
++ * RH kernels 3.10.0-185 and lower are affected by a crypto API kernel
++ * socket bug. The bug only manifests on archs with page size >= 32 KiB.
++ *
++ * For reference, see rhbz#1136075
++ */
++ if (sscanf(uts.release, "%u.%u.%u-%u", &maj, &mid, &min, &rel) == 4)
++ return (maj == 3 && mid == 10 && min == 0 && rel < 186) ? -ENOTSUP : 0;
++
++ return -ENOTSUP;
++}
++
+ /*
+ * ciphers
+ *
+@@ -60,6 +91,9 @@ int crypt_cipher_init(struct crypt_ciphe
+ .salg_type = "skcipher",
+ };
+
++ if (check_rh_kernel_version())
++ return -ENOTSUP;
++
+ h = malloc(sizeof(*h));
+ if (!h)
+ return -ENOMEM;
+Binary files cryptsetup-2.0.3.old/lib/crypto_backend/.crypto_cipher_kernel.c.rej.swp and cryptsetup-2.0.3/lib/crypto_backend/.crypto_cipher_kernel.c.rej.swp differ
diff --git a/SOURCES/cryptsetup-sector-size-detection.patch b/SOURCES/cryptsetup-sector-size-detection.patch
new file mode 100644
index 0000000..a10bff0
--- /dev/null
+++ b/SOURCES/cryptsetup-sector-size-detection.patch
@@ -0,0 +1,13 @@
+--- cryptsetup-2.0.3.old/lib/libdevmapper.c 2018-05-03 18:30:59.000000000 +0200
++++ cryptsetup-2.0.3/lib/libdevmapper.c 2018-06-19 20:01:10.263369754 +0200
+@@ -164,6 +164,10 @@ static void _dm_set_crypt_compat(unsigne
+ _dm_flags |= DM_CAPI_STRING_SUPPORTED;
+ }
+
++ if (!_dm_satisfies_version(1, 15, 0, crypt_maj, crypt_min, crypt_patch) &&
++ _dm_satisfies_version(1, 14, 5, crypt_maj, crypt_min, crypt_patch))
++ _dm_flags |= DM_SECTOR_SIZE_SUPPORTED;
++
+ _dm_crypt_checked = true;
+ }
+
diff --git a/SOURCES/cryptsetup-tests-device-test.patch b/SOURCES/cryptsetup-tests-device-test.patch
new file mode 100644
index 0000000..ebc7186
--- /dev/null
+++ b/SOURCES/cryptsetup-tests-device-test.patch
@@ -0,0 +1,17 @@
+diff -rupN cryptsetup-2.0.3.old/tests/device-test cryptsetup-2.0.3/tests/device-test
+--- cryptsetup-2.0.3.old/tests/device-test 2018-06-06 11:00:28.716305843 -0400
++++ cryptsetup-2.0.3/tests/device-test 2018-06-06 11:00:37.036343168 -0400
+@@ -39,11 +39,12 @@ function dm_crypt_features()
+
+ VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
+ VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
++ VER_PAT=$(echo $VER_STR | cut -f 3 -d.)
+
+ [ $VER_MAJ -lt 1 ] && return
+ [ $VER_MAJ -eq 1 -a $VER_MIN -lt 14 ] && return
+ DM_PERF_CPU=1
+- [ $VER_MAJ -eq 1 -a $VER_MIN -lt 17 ] && return
++ [ $VER_MAJ -eq 1 -a $VER_MIN -lt 15 -a $VER_PAT -lt 5 ] && return
+ DM_SECTOR_SIZE=1
+ }
+
diff --git a/SPECS/cryptsetup.spec b/SPECS/cryptsetup.spec
new file mode 100644
index 0000000..db7bfdf
--- /dev/null
+++ b/SPECS/cryptsetup.spec
@@ -0,0 +1,757 @@
+%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
+
+%if 0%{?fedora}
+%if 0%{?fedora} >= 29
+Obsoletes: python2-cryptsetup
+Obsoletes: cryptsetup-python3
+%global python2_enable 0
+%global python3_enable 0
+%else
+%global python2_enable 1
+%global python3_enable 1
+%endif
+%else
+Obsoletes: cryptsetup-python3
+%global python3_enable 0
+%if 0%{?rhel} == 7
+%global python2_enable 1
+# Change to 1 when argon2 lands
+%global libargon2_enable 0
+# Change to 1 when dm-integrity gets backported
+%global integritysetup_enable 0
+%else
+Obsoletes: cryptsetup-python
+Obsoletes: python2-cryptsetup
+%global python2_enable 0
+%endif
+%endif
+
+
+Summary: A utility for setting up encrypted disks
+Name: cryptsetup
+Version: 2.0.3
+Release: 6%{?dist}
+License: GPLv2+ and LGPLv2+
+Group: Applications/System
+URL: https://gitlab.com/cryptsetup/cryptsetup
+BuildRequires: libgcrypt-devel, popt-devel, device-mapper-devel
+BuildRequires: libgpg-error-devel, libuuid-devel, libsepol-devel
+BuildRequires: libselinux-devel, gcc, libblkid-devel
+%if %{python2_enable}
+BuildRequires: python-devel
+%endif
+%if %{python3_enable}
+BuildRequires: python3-devel
+%endif
+BuildRequires: libpwquality-devel, json-c-devel
+%if 0%{?libargon2_enable}
+BuildRequires: libargon2-devel
+%endif
+Provides: cryptsetup-luks = %{version}-%{release}
+Obsoletes: cryptsetup-luks < 1.4.0
+Requires: cryptsetup-libs%{?_isa} = %{version}-%{release}
+Requires: libpwquality >= 1.2.0
+
+%define dracutmodulesdir %{_prefix}/lib/dracut/modules.d
+%define upstream_version %{version}
+%define upstream_version_old 1.7.4
+Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{upstream_version}.tar.xz
+Source1: https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-%{upstream_version_old}.tar.xz
+# contains test images only, original commit id 5a7535c
+Source2: luks2_mda_images.tar.xz
+# contains test images only, original commit id 177cb8b
+Source3: luks2_valid_hdr.tar.xz
+# version 1.7.4 only (all of it, up to next comment)
+Patch0: %{name}-avoid-rh-kernel-bug.patch
+Patch1: %{name}-1.7.5-fix-unaligned-access-to-hidden-truecrypt.patch
+Patch2: %{name}-1.7.5-fix-luksformat-in-fips-mode.patch
+Patch3: %{name}-1.7.6-fix-blockwise-access-functions-for-64k-page-size.patch
+Patch4: %{name}-1.7.6-crypt_deactivate-fail-earlier-when-holders-detected.patch
+# 2.0.x only
+Patch5: %{name}-2.0.4-dracut-reencrypt.patch
+Patch6: %{name}-new-avoid-rh-kernel-bug.patch
+Patch7: %{name}-sector-size-detection.patch
+Patch8: %{name}-tests-device-test.patch
+Patch9: %{name}-argon2-fips.patch
+Patch10: %{name}-2.0.4-zero-length-lseek-blockwise-i-o-should-return-zero.patch
+Patch11: %{name}-2.0.4-fix-write_lseek_blockwise-for-in-the-middle-of-secto.patch
+Patch12: %{name}-2.0.4-fix-write_blockwise-on-short-files.patch
+Patch13: %{name}-2.0.4-add-blkid-utilities-for-fast-detection-of-device-sig.patch
+Patch14: %{name}-2.0.4-make-LUKS2-auto-recovery-aware-of-device-signatures.patch
+Patch15: %{name}-2.0.4-allow-LUKS2-repair-to-override-blkid-checks.patch
+Patch16: %{name}-2.0.4-allow-explicit-LUKS2-repair.patch
+Patch17: %{name}-2.0.4-update-crypt_repair-API-documentation-for-LUKS2.patch
+Patch18: %{name}-2.0.4-allow-LUKS2-repair-with-disabled-locks.patch
+# the configure patch must be applied last
+Patch19: %{name}-configure.patch
+Patch20: %{name}-2.0.4-update-cryptsetup-man-page-for-type-option-usage.patch
+Patch21: %{name}-2.0.4-rephrase-error-message-for-invalid-type-param-in-con.patch
+Patch22: %{name}-2.0.4-fix-LUKS2-api-test.patch
+Patch23: %{name}-2.0.5-fix-miscalculation-of-device-alignment-offset.patch
+Patch24: %{name}-2.0.5-remove-useless-division-followed-by-multiplication-b.patch
+Patch25: %{name}-2.0.6-LUKS2-metadata-variation-fixes.patch
+Patch26: %{name}-2.0.6-enable-all-supported-metadata-sizes-in-LUKS2-validat.patch
+Patch27: %{name}-2.0.6-check-json-size-matches-value-from-binary-LUKS2-head.patch
+Patch28: %{name}-2.0.6-test-cryptsetup-can-handle-all-LUKS2-metadata-varian.patch
+Patch29: %{name}-2.0.6-do-not-validate-keyslot-areas-so-frantically.patch
+Patch30: %{name}-2.0.6-reshuffle-config-and-keyslots-areas-validation-code.patch
+Patch31: %{name}-2.0.6-fix-keyslot-areas-validation.patch
+# keep validation tests up to date
+Patch32: %{name}-2.1.0-sync-LUKS2-validation-tests.patch
+Patch33: %{name}-2.2.1-reinstate-missing-backing-file-hint-for-loop-device.patch
+
+%if 0%{?fedora} >= 19 || 0%{?rhel} >= 7
+%define configure_cipher --enable-gcrypt-pbkdf2
+%else
+%define configure_cipher --with-luks1-cipher=aes --with-luks1-mode=cbc-essiv:sha256 --with-luks1-keybits=256
+%endif
+
+%if 0%{?libargon2_enable}
+%define configure_libargon2 --enable-libargon2
+%endif
+%if 0%{?integritysetup_enable}
+%define configure_integritysetup --enable-integritysetup
+%else
+%define configure_integritysetup --disable-integritysetup
+%endif
+
+%description
+The cryptsetup package contains a utility for setting up
+disk encryption using dm-crypt kernel module.
+
+%package devel
+Group: Development/Libraries
+Requires: %{name} = %{version}-%{release}
+Requires: libgcrypt-devel > 1.1.42, device-mapper-devel, libuuid-devel
+Requires: pkgconfig
+Summary: Headers and libraries for using encrypted file systems
+Provides: cryptsetup-luks-devel = %{version}-%{release}
+Obsoletes: cryptsetup-luks-devel < 1.4.0
+
+%description devel
+The cryptsetup-devel package contains libraries and header files
+used for writing code that makes use of disk encryption.
+
+%package libs
+Group: System Environment/Libraries
+Summary: Cryptsetup shared library
+Provides: cryptsetup-luks-libs = %{version}-%{release}
+Obsoletes: cryptsetup-luks-libs < 1.4.0
+Obsoletes: cryptsetup-reencrypt-libs < 1.6.5
+# Need support for empty password in gcrypt PBKDF2
+%if 0%{?fedora} >= 19 || 0%{?rhel} >= 7
+Requires: libgcrypt >= 1.5.3-3
+%endif
+
+%description libs
+This package contains the cryptsetup shared library, libcryptsetup.
+
+%package -n veritysetup
+Group: Applications/System
+Summary: A utility for setting up dm-verity volumes
+Requires: cryptsetup-libs = %{version}-%{release}
+
+%description -n veritysetup
+The veritysetup package contains a utility for setting up
+disk verification using dm-verity kernel module.
+
+%package reencrypt
+Group: Applications/System
+Summary: A utility for offline reencryption of LUKS encrypted disks.
+Provides: cryptsetup-reencrypt = %{version}-%{release}
+Obsoletes: cryptsetup-reencrypt < 1.6.5
+Requires: cryptsetup-libs = %{version}-%{release}
+
+%description reencrypt
+This package contains cryptsetup-reencrypt utility which
+can be used for offline reencryption of disk in situ.
+Also includes dracut module required to perform reencryption
+of device containing a root filesystem.
+
+%package python
+Group: System Environment/Libraries
+Summary: Python bindings for libcryptsetup
+Requires: %{name}-libs = %{version}-%{release}
+Provides: python-cryptsetup = %{version}-%{release}
+Obsoletes: python-cryptsetup < 1.4.0
+
+%description python
+This package provides Python bindings for libcryptsetup, a library
+for setting up disk encryption using dm-crypt kernel module.
+
+%if %{python3_enable}
+%package python3
+Group: System Environment/Libraries
+Summary: Python3 bindings for libcryptsetup
+Requires: %{name}-libs = %{version}-%{release}
+Provides: python3-cryptsetup = %{version}-%{release}
+
+%description python3
+This package provides Python bindings for libcryptsetup, a library
+for setting up disk encryption using dm-crypt kernel module.
+%endif
+
+%prep
+%setup -q -n cryptsetup-%{upstream_version}
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
+%patch26 -p1
+%patch27 -p1
+%patch28 -p1
+%patch29 -p1
+%patch30 -p1
+%patch31 -p1
+%patch32 -p1
+%patch33 -p1
+# the configure patch (always last)
+%patch19 -p1
+chmod -x python/pycryptsetup-test.py
+chmod -x misc/dracut_90reencrypt/*
+chmod +x tests/generators/generate-*.sh
+%setup -T -a 2 -D -n cryptsetup-%{upstream_version}/tests
+%setup -T -a 3 -D -n cryptsetup-%{upstream_version}/tests
+
+%if %{python3_enable}
+# copy the whole directory for the python3 build
+cp -a . %{py3dir}
+%endif
+
+%setup -T -a 1 -D -n cryptsetup-%{upstream_version}
+pushd cryptsetup-1.7.4
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+
+%build
+%configure --enable-fips --enable-pwquality --with-default-luks-format=LUKS1 %{?configure_cipher} %{?configure_libargon2} %{?configure_integritysetup}
+pushd cryptsetup-1.7.4
+%configure --enable-python --enable-fips --enable-pwquality --disable-cryptsetup-reencrypt --disable-veritysetup %{?configure_cipher}
+# remove rpath
+sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
+sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
+make %{?_smp_mflags}
+popd
+# remove rpath
+sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
+sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
+make %{?_smp_mflags}
+
+%if %{python3_enable}
+pushd %{py3dir}
+%configure --enable-python --with-python_version=3
+make %{?_smp_mflags}
+popd
+%endif
+
+%install
+pushd cryptsetup-1.7.4
+make install DESTDIR=%{buildroot}
+popd
+make install DESTDIR=%{buildroot}
+rm -rf %{buildroot}/%{_libdir}/*.la
+
+%if %{python3_enable}
+pushd %{py3dir}
+make install DESTDIR=%{buildroot}
+rm -rf %{buildroot}/%{_libdir}/*.la
+popd
+%endif
+
+%find_lang cryptsetup
+
+install -d -m755 %{buildroot}/%{dracutmodulesdir}/90reencrypt
+install -m755 misc/dracut_90reencrypt/module-setup.sh %{buildroot}/%{dracutmodulesdir}/90reencrypt
+install -m755 misc/dracut_90reencrypt/parse-reencrypt.sh %{buildroot}/%{dracutmodulesdir}/90reencrypt
+install -m755 misc/dracut_90reencrypt/reencrypt.sh %{buildroot}/%{dracutmodulesdir}/90reencrypt
+install -m755 misc/dracut_90reencrypt/reencrypt-verbose.sh %{buildroot}/%{dracutmodulesdir}/90reencrypt
+
+%post -n cryptsetup-libs -p /sbin/ldconfig
+
+%postun -n cryptsetup-libs -p /sbin/ldconfig
+
+%files
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%doc AUTHORS FAQ docs/*ReleaseNotes
+%{_mandir}/man8/cryptsetup.8.gz
+%{_sbindir}/cryptsetup
+
+%files -n veritysetup
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%{_mandir}/man8/veritysetup.8.gz
+%{_sbindir}/veritysetup
+
+%if %{integritysetup_enable}
+%files -n integritysetup
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%{_mandir}/man8/integritysetup.8.gz
+%{_sbindir}/integritysetup
+%endif
+
+%files reencrypt
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%doc misc/dracut_90reencrypt/README
+%{_mandir}/man8/cryptsetup-reencrypt.8.gz
+%{_sbindir}/cryptsetup-reencrypt
+%{dracutmodulesdir}/90reencrypt
+%{dracutmodulesdir}/90reencrypt/*
+
+%files devel
+%doc docs/examples/*
+%{_includedir}/libcryptsetup.h
+%{_libdir}/libcryptsetup.so
+%{_libdir}/pkgconfig/libcryptsetup.pc
+
+%files libs -f cryptsetup.lang
+%{!?_licensedir:%global license %%doc}
+%license COPYING COPYING.LGPL
+%{_libdir}/libcryptsetup.so.*
+%{_tmpfilesdir}/cryptsetup.conf
+%ghost %attr(700, -, -) %dir /run/cryptsetup
+
+%files python
+%{!?_licensedir:%global license %%doc}
+%license COPYING.LGPL
+%doc python/pycryptsetup-test.py
+%exclude %{python_sitearch}/pycryptsetup.la
+%{python_sitearch}/pycryptsetup.so
+
+%if %{python3_enable}
+%files python3
+%{!?_licensedir:%global license %%doc}
+%license COPYING.LGPL
+%doc python/pycryptsetup-test.py
+%exclude %{python3_sitearch}/pycryptsetup.la
+%{python3_sitearch}/pycryptsetup.so
+%endif
+
+%clean
+
+%changelog
+* Tue Aug 27 2019 Ondrej Kozina <okozina@redhat.com> - 2.0.3-6
+- patch: Reinstate missing backing file hint for loop device
+ during unlock.
+- Resolves: #1726287
+
+* Wed Apr 03 2019 Ondrej Kozina <okozina@redhat.com> - 2.0.3-5
+- patch: calculate alignment offset correctly for LUKS2 devices.
+- patch: fix memory leak in LUKS2 validation.
+- Resolves: #1613953 #1693592
+
+* Wed Mar 27 2019 Ondrej Kozina <okozina@redhat.com> - 2.0.3-4
+- patch: Fix broken LUKS2 api test.
+- patch: Allow cryptsetup to process all LUKS2 metadata variants
+ according to LUKS2 specifiation.
+- Resolves: #1653388
+
+* Tue Jul 31 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.3-3
+- Add expected permissions explicitly for locking directory.
+- Reinstate sed script removing library rpath from libtool
+ script due to bug in upstream sources distribution.
+- Resolves: #1609847 #1610379
+
+* Mon Jul 16 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.3-2
+- patch: stop LUKS2 auto-recovery if device is no longer LUKS
+ type
+- patch: update cryptsetup man page for --type option
+- patch: rephrase error message for invalid --type option in
+ convert action
+- Resolves: #1599281 #1601477 #1601481
+
+* Wed Jun 20 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.3-1
+- Update to cryptsetup 2.0.3.
+- Resolves: #1475904 #1380347 #1416174 #1536105 #1574239
+
+* Thu Oct 19 2017 Ondrej Kozina <okozina@redhat.com> - 1.7.4-4
+- patch: fix regression in blockwise functions
+- patch: avoid repeating error messages when device holders
+ detected.
+- patch: add option to cryptsetup-reencrypt to print progress
+ log sequentaly
+- patch: use --progress-frequency in reencryption dracut module
+- Resolves: #1480006 #1447632 #1479857
+
+* Tue Apr 25 2017 Ondrej Kozina <okozina@redhat.com> - 1.7.4-3
+- patch: fix luksFormat failure while running in FIPS mode.
+- Resolves: #1444137
+
+* Tue Apr 04 2017 Ondrej Kozina <okozina@redhat.com> - 1.7.4-2
+- patch: fix access to unaligned hidden TrueCrypt header.
+- Resolves: #1435543
+
+* Wed Mar 15 2017 Ondrej Kozina <okozina@redhat.com> - 1.7.4-1
+- Update to cryptsetup 1.7.4.
+- Resolves: #1381273
+
+* Tue Jun 7 2016 Ondrej Kozina <okozina@redhat.com> - 1.7.2-1
+- Update to cryptsetup 1.7.2.
+- Resolves: #1302022 #1070825
+
+* Thu Jun 18 2015 Ondrej Kozina <okozina@redhat.com> - 1.6.7-1
+- Update to cryptsetup 1.6.7.
+- patch: avoid use of kernel crypto API socket which is known
+ to be broken in RHEL7.0 kernel (7.1+ is fine).
+- Resolves: #1206170
+
+* Thu Dec 18 2014 Ondrej Kozina <okozina@redhat.com> - 1.6.6-3
+- drop FIPS power on self test and library checksum
+- Resolves: #1158897
+
+* Mon Sep 29 2014 Ondrej Kozina <okozina@redhat.com> - 1.6.6-2
+- patch: fix failures related to reencrypt log files
+- Resolves: #1140199
+
+* Mon Sep 8 2014 Ondrej Kozina <okozina@redhat.com> - 1.6.6-1
+- Update to cryptsetup 1.6.6.
+- Resolves: #1117372 #1038097
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 1.6.3-2
+- Mass rebuild 2014-01-24
+
+* Mon Jan 6 2014 Ondrej Kozina <okozina@redhat.com> - 1.6.3-1
+- Update to cryptsetup 1.6.3.
+- various fixes related to block devices with 4KiB sectors
+- enable reencryption using specific keyslot (dracut module)
+- fix failure in reading last keyslot from external LUKS header
+- update FIPS POST to be complaint with actual requirements
+- fix hash limiting if parameter is not numeric
+- Resolves: #1028362 #1029032 #1029406 #1030288 #1034388 #1038097
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 1.6.2-3
+- Mass rebuild 2013-12-27
+
+* Tue Nov 5 2013 Ondrej Kozina <okozina@redhat.com> - 1.6.2-2
+- 90reencrypt: Move conflict with 90crypt to install() section.
+- 90reencrypt: Drop to emergency_shell after successful reencryption.
+- Resolves: #1021593
+
+* Mon Oct 14 2013 Ondrej Kozina <okozina@redhat.com> - 1.6.2-1
+- Update to cryptsetup 1.6.2.
+- Add dracut module for cryptsetup-reencrypt (90reencrypt).
+- 90reencrypt: Rename dracut parameteres to be compliant with actual naming guidance.
+- 90reencrypt: Install and load loop kernel module.
+- 90reencrypt: Fix lock file name.
+- 90reencrypt: Add conflict with 90crypt dracut module (more info in #1010287)
+- Resolves: #1010278 #1010287
+
+* Sun Mar 31 2013 Milan Broz <gmazyland@gmail.com> - 1.6.1-1
+- Update to cryptsetup 1.6.1.
+- Install ReleaseNotes files instead of empty Changelog file.
+
+* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Mon Jan 14 2013 Milan Broz <mbroz@redhat.com> - 1.6.0-1
+- Update to cryptsetup 1.6.0.
+- Change default LUKS encryption mode to aes-xts-plain64 (AES128).
+- Force use of gcrypt PBKDF2 instead of internal implementation.
+
+* Sat Dec 29 2012 Milan Broz <mbroz@redhat.com> - 1.6.0-0.1
+- Update to cryptsetup 1.6.0-rc1.
+- Relax license to GPLv2+ according to new release.
+- Compile cryptsetup with libpwquality support.
+
+* Tue Oct 16 2012 Milan Broz <mbroz@redhat.com> - 1.5.1-1
+- Update to cryptsetup 1.5.1.
+
+* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Tue Jul 10 2012 Milan Broz <mbroz@redhat.com> - 1.5.0-1
+- Update to cryptsetup 1.5.0.
+
+* Wed Jun 20 2012 Milan Broz <mbroz@redhat.com> - 1.5.0-0.2
+- Update to cryptsetup 1.5.0-rc2.
+- Add cryptsetup-reencrypt subpackage.
+
+* Mon Jun 11 2012 Milan Broz <mbroz@redhat.com> - 1.5.0-0.1
+- Update to cryptsetup 1.5.0-rc1.
+- Add veritysetup subpackage.
+- Move localization files to libs subpackage.
+
+* Thu May 31 2012 Milan Broz <mbroz@redhat.com> - 1.4.3-2
+- Build with fipscheck (verification in fips mode).
+- Clean up spec file, use install to /usr.
+
+* Thu May 31 2012 Milan Broz <mbroz@redhat.com> - 1.4.3-1
+- Update to cryptsetup 1.4.3.
+
+* Thu Apr 12 2012 Milan Broz <mbroz@redhat.com> - 1.4.2-1
+- Update to cryptsetup 1.4.2.
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Wed Nov 09 2011 Milan Broz <mbroz@redhat.com> - 1.4.1-1
+- Update to cryptsetup 1.4.1.
+- Add Python cryptsetup bindings.
+- Obsolete separate python-cryptsetup package.
+
+* Wed Oct 26 2011 Milan Broz <mbroz@redhat.com> - 1.4.0-1
+- Update to cryptsetup 1.4.0.
+
+* Mon Oct 10 2011 Milan Broz <mbroz@redhat.com> - 1.4.0-0.1
+- Update to cryptsetup 1.4.0-rc1.
+- Rename package back from cryptsetup-luks to cryptsetup.
+
+* Wed Jun 22 2011 Milan Broz <mbroz@redhat.com> - 1.3.1-2
+- Fix return code for status command when device doesn't exist.
+
+* Tue May 24 2011 Milan Broz <mbroz@redhat.com> - 1.3.1-1
+- Update to cryptsetup 1.3.1.
+
+* Tue Apr 05 2011 Milan Broz <mbroz@redhat.com> - 1.3.0-1
+- Update to cryptsetup 1.3.0.
+
+* Tue Mar 22 2011 Milan Broz <mbroz@redhat.com> - 1.3.0-0.2
+- Update to cryptsetup 1.3.0-rc2
+
+* Mon Mar 14 2011 Milan Broz <mbroz@redhat.com> - 1.3.0-0.1
+- Update to cryptsetup 1.3.0-rc1
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Mon Dec 20 2010 Milan Broz <mbroz@redhat.com> - 1.2.0-1
+- Update to cryptsetup 1.2.0
+
+* Thu Nov 25 2010 Milan Broz <mbroz@redhat.com> - 1.2.0-0.2
+- Fix crypt_activate_by_keyfile() to work with PLAIN devices.
+
+* Tue Nov 16 2010 Milan Broz <mbroz@redhat.com> - 1.2.0-0.1
+- Add FAQ to documentation.
+- Update to cryptsetup 1.2.0-rc1
+
+* Sat Jul 03 2010 Milan Broz <mbroz@redhat.com> - 1.1.3-1
+- Update to cryptsetup 1.1.3
+
+* Mon Jun 07 2010 Milan Broz <mbroz@redhat.com> - 1.1.2-2
+- Fix alignment ioctl use.
+- Fix API activation calls to handle NULL device name.
+
+* Sun May 30 2010 Milan Broz <mbroz@redhat.com> - 1.1.2-1
+- Update to cryptsetup 1.1.2
+- Fix luksOpen handling of new line char on stdin.
+
+* Sun May 23 2010 Milan Broz <mbroz@redhat.com> - 1.1.1-1
+- Update to cryptsetup 1.1.1
+- Fix luksClose for stacked LUKS/LVM devices.
+
+* Mon May 03 2010 Milan Broz <mbroz@redhat.com> - 1.1.1-0.2
+- Update to cryptsetup 1.1.1-rc2.
+
+* Sat May 01 2010 Milan Broz <mbroz@redhat.com> - 1.1.1-0.1
+- Update to cryptsetup 1.1.1-rc1.
+
+* Sun Jan 17 2010 Milan Broz <mbroz@redhat.com> - 1.1.0-1
+- Update to cryptsetup 1.1.0.
+
+* Fri Jan 15 2010 Milan Broz <mbroz@redhat.com> - 1.1.0-0.6
+- Fix gcrypt initialisation.
+- Fix backward compatibility for hash algorithm (uppercase).
+
+* Wed Dec 30 2009 Milan Broz <mbroz@redhat.com> - 1.1.0-0.5
+- Update to cryptsetup 1.1.0-rc4
+
+* Mon Nov 16 2009 Milan Broz <mbroz@redhat.com> - 1.1.0-0.4
+- Update to cryptsetup 1.1.0-rc3
+
+* Thu Oct 01 2009 Milan Broz <mbroz@redhat.com> - 1.1.0-0.3
+- Update to cryptsetup 1.1.0-rc2
+- Fix libcryptsetup to properly export only versioned symbols.
+
+* Tue Sep 29 2009 Milan Broz <mbroz@redhat.com> - 1.1.0-0.2
+- Update to cryptsetup 1.1.0-rc1
+- Add luksHeaderBackup and luksHeaderRestore commands.
+
+* Fri Sep 11 2009 Milan Broz <mbroz@redhat.com> - 1.1.0-0.1
+- Update to new upstream testing version with new API interface.
+- Add luksSuspend and luksResume commands.
+- Introduce pkgconfig.
+
+* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Jul 22 2009 Milan Broz <mbroz@redhat.com> - 1.0.7-1
+- Update to upstream final release.
+- Split libs subpackage.
+- Remove rpath setting from cryptsetup binary.
+
+* Wed Jul 15 2009 Till Maas <opensource@till.name> - 1.0.7-0.2
+- update BR because of libuuid splitout from e2fsprogs
+
+* Mon Jun 22 2009 Milan Broz <mbroz@redhat.com> - 1.0.7-0.1
+- Update to new upstream 1.0.7-rc1.
+
+- Wipe old fs headers to not confuse blkid (#468062)
+* Tue Feb 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.6-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Thu Oct 30 2008 Milan Broz <mbroz@redhat.com> - 1.0.6-6
+- Wipe old fs headers to not confuse blkid (#468062)
+
+* Tue Sep 23 2008 Milan Broz <mbroz@redhat.com> - 1.0.6-5
+- Change new project home page.
+- Print more descriptive messages for initialization errors.
+- Refresh patches to versions commited upstream.
+
+* Sat Sep 06 2008 Milan Broz <mbroz@redhat.com> - 1.0.6-4
+- Fix close of zero decriptor.
+- Fix udevsettle delays - use temporary crypt device remapping.
+
+* Wed May 28 2008 Till Maas <opensource till name> - 1.0.6-3
+- remove a duplicate sentence from the manpage (RH #448705)
+- add patch metadata about upstream status
+
+* Tue Apr 15 2008 Bill Nottinghm <notting@redhat.com> - 1.0.6-2
+- Add the device to the luksOpen prompt (#433406)
+- Use iconv, not recode (#442574)
+
+* Thu Mar 13 2008 Till Maas <opensource till name> - 1.0.6-1
+- Update to latest version
+- remove patches that have been merged upstream
+
+* Mon Mar 03 2008 Till Maas <opensource till name> - 1.0.6-0.1.pre2
+- Update to new version with several bugfixes
+- remove patches that have been merged upstream
+- add patch from cryptsetup newsgroup
+- fix typo / missing luksRemoveKey in manpage (patch)
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 1.0.5-9
+- Autorebuild for GCC 4.3
+
+* Sat Jan 19 2008 Peter Jones <pjones@redhat.com> - 1.0.5-8
+- Rebuild for broken deps.
+
+* Thu Aug 30 2007 Till Maas <opensource till name> - 1.0.5-7
+- update URL
+- update license tag
+- recode ChangeLog from latin1 to uf8
+- add smp_mflags to make
+
+* Fri Aug 24 2007 Till Maas <opensource till name> - 1.0.5-6
+- cleanup BuildRequires:
+- removed versions, packages in Fedora are new enough
+- changed popt to popt-devel
+
+* Thu Aug 23 2007 Till Maas <opensource till name> - 1.0.5-5
+- fix devel subpackage requires
+- remove empty NEWS README
+- remove uneeded INSTALL
+- remove uneeded ldconfig requires
+- add readonly detection patch
+
+* Wed Aug 08 2007 Till Maas <opensource till name> - 1.0.5-4
+- disable patch2, libsepol is now detected by configure
+- move libcryptsetup.so to %%{_libdir} instead of /%%{_lib}
+
+* Fri Jul 27 2007 Till Maas <opensource till name> - 1.0.5-3
+- Use /%%{_lib} instead of /lib to use /lib64 on 64bit archs
+
+* Thu Jul 26 2007 Till Maas <opensource till name> - 1.0.5-2
+- Use /lib as libdir (#243228)
+- sync header and library (#215349)
+- do not use %%makeinstall (recommended by PackageGuidelines)
+- select sbindir with %%configure instead with make
+- add TODO
+
+* Wed Jun 13 2007 Jeremy Katz <katzj@redhat.com> - 1.0.5-1
+- update to 1.0.5
+
+* Mon Jun 04 2007 Peter Jones <pjones@redhat.com> - 1.0.3-5
+- Don't build static any more.
+
+* Mon Feb 05 2007 Alasdair Kergon <agk@redhat.com> - 1.0.3-4
+- Add build dependency on new device-mapper-devel package.
+- Add preun and post ldconfig requirements.
+- Update BuildRoot.
+
+* Wed Nov 1 2006 Peter Jones <pjones@redhat.com> - 1.0.3-3
+- Require newer libselinux (#213414)
+
+* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1.0.3-2.1
+- rebuild
+
+* Wed Jun 7 2006 Jeremy Katz <katzj@redhat.com> - 1.0.3-2
+- put shared libs in the right subpackages
+
+* Fri Apr 7 2006 Bill Nottingham <notting@redhat.com> 1.0.3-1
+- update to final 1.0.3
+
+* Mon Feb 27 2006 Bill Nottingham <notting@redhat.com> 1.0.3-0.rc2
+- update to 1.0.3rc2, fixes bug with HAL & encrypted devices (#182658)
+
+* Wed Feb 22 2006 Bill Nottingham <notting@redhat.com> 1.0.3-0.rc1
+- update to 1.0.3rc1, reverts changes to default encryption type
+
+* Tue Feb 21 2006 Bill Nottingham <notting@redhat.com> 1.0.2-1
+- update to 1.0.2, fix incompatiblity with old cryptsetup (#176726)
+
+* Mon Feb 20 2006 Karsten Hopp <karsten@redhat.de> 1.0.1-5
+- BuildRequires: libselinux-devel
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.0.1-4.2.1
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 1.0.1-4.2
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
+- rebuilt
+
+* Mon Dec 5 2005 Bill Nottingham <notting@redhat.com> 1.0.1-4
+- rebuild against new libdevmapper
+
+* Thu Oct 13 2005 Florian La Roche <laroche@redhat.com>
+- add -lsepol to rebuild on current fc5
+
+* Mon Aug 22 2005 Karel Zak <kzak@redhat.com> 1.0.1-2
+- fix cryptsetup help for isLuks action
+
+* Fri Jul 1 2005 Bill Nottingham <notting@redhat.com> 1.0.1-1
+- update to 1.0.1 - fixes incompatiblity with previous cryptsetup for
+ piped passwords
+
+* Thu Jun 16 2005 Bill Nottingham <notting@redhat.com> 1.0-2
+- add patch for 32/64 bit compatibility (#160445, <redhat@paukstadt.de>)
+
+* Tue Mar 29 2005 Bill Nottingham <notting@redhat.com> 1.0-1
+- update to 1.0
+
+* Thu Mar 10 2005 Bill Nottingham <notting@redhat.com> 0.993-1
+- switch to cryptsetup-luks, for LUKS support
+
+* Tue Oct 12 2004 Bill Nottingham <notting@redhat.com> 0.1-4
+- oops, make that *everything* static (#129926)
+
+* Tue Aug 31 2004 Bill Nottingham <notting@redhat.com> 0.1-3
+- link some things static, move to /sbin (#129926)
+
+* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Fri Apr 16 2004 Bill Nottingham <notting@redhat.com> 0.1-1
+- initial packaging