diff --git a/.cryptsetup.metadata b/.cryptsetup.metadata
index 0274ab2..4ef48e6 100644
--- a/.cryptsetup.metadata
+++ b/.cryptsetup.metadata
@@ -1 +1 @@
-7aae3037a6eba63df19fd89310e325ac9b75aebd SOURCES/cryptsetup-2.4.0.tar.xz
+8f25d5d69a4724e08e75697c82ce80a292d69b30 SOURCES/cryptsetup-2.4.1.tar.xz
diff --git a/.gitignore b/.gitignore
index f4e3f7f..4c60d40 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/cryptsetup-2.4.0.tar.xz
+SOURCES/cryptsetup-2.4.1.tar.xz
diff --git a/SOURCES/cryptsetup-2.4.1-Adapt-crypto-backend-to-openssl3-lib-context.patch b/SOURCES/cryptsetup-2.4.1-Adapt-crypto-backend-to-openssl3-lib-context.patch
deleted file mode 100644
index 0178126..0000000
--- a/SOURCES/cryptsetup-2.4.1-Adapt-crypto-backend-to-openssl3-lib-context.patch
+++ /dev/null
@@ -1,386 +0,0 @@
-From 6c9d3863031d5809cee6e157a0e53e7c4ef56940 Mon Sep 17 00:00:00 2001
-From: Ondrej Kozina <okozina@redhat.com>
-Date: Thu, 2 Sep 2021 15:36:15 +0200
-Subject: [PATCH 01/11] Adapt crypto backend to openssl3 lib context.
-
-Fully leverage openssl custom library context for various
-providers (default, legacy). It can be used to properly
-free all openssl resources used by libcryptsetup when
-libcryptsetup is unloaded (and destructor is triggered).
----
- lib/crypto_backend/crypto_openssl.c | 188 +++++++++++++++++++++++-----
- 1 file changed, 155 insertions(+), 33 deletions(-)
-
-diff --git a/lib/crypto_backend/crypto_openssl.c b/lib/crypto_backend/crypto_openssl.c
-index 19960a07..a5ec4048 100644
---- a/lib/crypto_backend/crypto_openssl.c
-+++ b/lib/crypto_backend/crypto_openssl.c
-@@ -41,8 +41,10 @@
- #include "crypto_backend_internal.h"
- #if OPENSSL_VERSION_MAJOR >= 3
- #include <openssl/provider.h>
-+#include <openssl/kdf.h>
- static OSSL_PROVIDER *ossl_legacy = NULL;
- static OSSL_PROVIDER *ossl_default = NULL;
-+static OSSL_LIB_CTX  *ossl_ctx = NULL;
- #endif
- 
- #define CONST_CAST(x) (x)(uintptr_t)
-@@ -68,6 +70,7 @@ struct crypt_cipher {
- 	struct {
- 		EVP_CIPHER_CTX *hd_enc;
- 		EVP_CIPHER_CTX *hd_dec;
-+		const EVP_CIPHER *cipher_type;
- 		size_t iv_length;
- 	} lib;
- 	} u;
-@@ -130,31 +133,41 @@ static void HMAC_CTX_free(HMAC_CTX *md)
- 	free(md);
- }
- #else
--static void openssl_backend_init(void)
-+static int openssl_backend_init(void)
- {
- /*
-  * OpenSSL >= 3.0.0 provides some algorithms in legacy provider
-  */
- #if OPENSSL_VERSION_MAJOR >= 3
--	OPENSSL_init_crypto(OPENSSL_INIT_NO_ATEXIT, NULL);
--	ossl_legacy  = OSSL_PROVIDER_try_load(NULL, "legacy", 0);
--	ossl_default = OSSL_PROVIDER_try_load(NULL, "default", 0);
-+	ossl_ctx = OSSL_LIB_CTX_new();
-+	if (!ossl_ctx)
-+		return -EINVAL;
-+
-+	ossl_default = OSSL_PROVIDER_try_load(ossl_ctx, "default", 0);
-+	if (!ossl_default) {
-+		OSSL_LIB_CTX_free(ossl_ctx);
-+		return -EINVAL;
-+	}
-+
-+	/* Optional */
-+	ossl_legacy = OSSL_PROVIDER_try_load(ossl_ctx, "legacy", 0);
- #endif
-+	return 0;
- }
- 
- static void openssl_backend_exit(void)
- {
- #if OPENSSL_VERSION_MAJOR >= 3
--	/*
--	 * If Destructor was already called, we must not call it again
--	 */
--	if (OPENSSL_init_crypto(0, NULL) != 0) {
-+	if (ossl_legacy)
- 		OSSL_PROVIDER_unload(ossl_legacy);
-+	if (ossl_default)
- 		OSSL_PROVIDER_unload(ossl_default);
--		OPENSSL_cleanup();
--	}
-+	if (ossl_ctx)
-+		OSSL_LIB_CTX_free(ossl_ctx);
-+
- 	ossl_legacy = NULL;
- 	ossl_default = NULL;
-+	ossl_ctx = NULL;
- #endif
- }
- 
-@@ -169,7 +182,8 @@ int crypt_backend_init(void)
- 	if (crypto_backend_initialised)
- 		return 0;
- 
--	openssl_backend_init();
-+	if (openssl_backend_init())
-+		return -EINVAL;
- 
- 	crypto_backend_initialised = 1;
- 	return 0;
-@@ -177,7 +191,14 @@ int crypt_backend_init(void)
- 
- void crypt_backend_destroy(void)
- {
-+	/*
-+	 * If Destructor was already called, we must not call it again
-+	 */
-+	if (!crypto_backend_initialised)
-+		return;
-+
- 	crypto_backend_initialised = 0;
-+
- 	openssl_backend_exit();
- }
- 
-@@ -215,16 +236,51 @@ static const char *crypt_hash_compat_name(const char *name)
- 	return hash_name;
- }
- 
-+static const EVP_MD *hash_id_get(const char *name)
-+{
-+#if OPENSSL_VERSION_MAJOR >= 3
-+	return EVP_MD_fetch(ossl_ctx, crypt_hash_compat_name(name), NULL);
-+#else
-+	return EVP_get_digestbyname(crypt_hash_compat_name(name));
-+#endif
-+}
-+
-+static void hash_id_free(const EVP_MD *hash_id)
-+{
-+#if OPENSSL_VERSION_MAJOR >= 3
-+	EVP_MD_free(CONST_CAST(EVP_MD*)hash_id);
-+#endif
-+}
-+
-+static const EVP_CIPHER *cipher_type_get(const char *name)
-+{
-+#if OPENSSL_VERSION_MAJOR >= 3
-+	return EVP_CIPHER_fetch(ossl_ctx, name, NULL);
-+#else
-+	return EVP_get_cipherbyname(name);
-+#endif
-+}
-+
-+static void cipher_type_free(const EVP_CIPHER *cipher_type)
-+{
-+#if OPENSSL_VERSION_MAJOR >= 3
-+	EVP_CIPHER_free(CONST_CAST(EVP_CIPHER*)cipher_type);
-+#endif
-+}
-+
- /* HASH */
- int crypt_hash_size(const char *name)
- {
-+	int size;
- 	const EVP_MD *hash_id;
- 
--	hash_id = EVP_get_digestbyname(crypt_hash_compat_name(name));
-+	hash_id = hash_id_get(name);
- 	if (!hash_id)
- 		return -EINVAL;
- 
--	return EVP_MD_size(hash_id);
-+	size = EVP_MD_size(hash_id);
-+	hash_id_free(hash_id);
-+	return size;
- }
- 
- int crypt_hash_init(struct crypt_hash **ctx, const char *name)
-@@ -241,7 +297,7 @@ int crypt_hash_init(struct crypt_hash **ctx, const char *name)
- 		return -ENOMEM;
- 	}
- 
--	h->hash_id = EVP_get_digestbyname(crypt_hash_compat_name(name));
-+	h->hash_id = hash_id_get(name);
- 	if (!h->hash_id) {
- 		EVP_MD_CTX_free(h->md);
- 		free(h);
-@@ -249,6 +305,7 @@ int crypt_hash_init(struct crypt_hash **ctx, const char *name)
- 	}
- 
- 	if (EVP_DigestInit_ex(h->md, h->hash_id, NULL) != 1) {
-+		hash_id_free(h->hash_id);
- 		EVP_MD_CTX_free(h->md);
- 		free(h);
- 		return -EINVAL;
-@@ -300,6 +357,7 @@ int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length)
- 
- void crypt_hash_destroy(struct crypt_hash *ctx)
- {
-+	hash_id_free(ctx->hash_id);
- 	EVP_MD_CTX_free(ctx->md);
- 	memset(ctx, 0, sizeof(*ctx));
- 	free(ctx);
-@@ -326,7 +384,7 @@ int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
- 		return -ENOMEM;
- 	}
- 
--	h->hash_id = EVP_get_digestbyname(crypt_hash_compat_name(name));
-+	h->hash_id = hash_id_get(name);
- 	if (!h->hash_id) {
- 		HMAC_CTX_free(h->md);
- 		free(h);
-@@ -374,6 +432,7 @@ int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length)
- 
- void crypt_hmac_destroy(struct crypt_hmac *ctx)
- {
-+	hash_id_free(ctx->hash_id);
- 	HMAC_CTX_free(ctx->md);
- 	memset(ctx, 0, sizeof(*ctx));
- 	free(ctx);
-@@ -389,6 +448,67 @@ int crypt_backend_rng(char *buffer, size_t length,
- 	return 0;
- }
- 
-+static int pbkdf2(const char *password, size_t password_length,
-+		const char *salt, size_t salt_length,
-+		uint32_t iterations, const char *hash, size_t key_length,
-+		unsigned char *key)
-+{
-+#if OPENSSL_VERSION_MAJOR >= 3
-+	EVP_KDF_CTX *ctx;
-+	EVP_KDF *pbkdf2;
-+	int r;
-+	OSSL_PARAM params[] = {
-+		{ .key = "pass",
-+		  .data_type = OSSL_PARAM_OCTET_STRING,
-+		  .data = CONST_CAST(void*)password,
-+		  .data_size = password_length
-+		},
-+		{ .key = "salt",
-+		  .data_type = OSSL_PARAM_OCTET_STRING,
-+		  .data = CONST_CAST(void*)salt,
-+		  .data_size = salt_length
-+		},
-+		{ .key = "iter",
-+		  .data_type = OSSL_PARAM_UNSIGNED_INTEGER,
-+		  .data = &iterations,
-+		  .data_size = sizeof(iterations)
-+		},
-+		{ .key = "digest",
-+		  .data_type = OSSL_PARAM_UTF8_STRING,
-+		  .data = CONST_CAST(void*)hash,
-+		  .data_size = strlen(hash)
-+		},
-+		{ NULL, 0, NULL, 0, 0 }
-+	};
-+
-+	pbkdf2 = EVP_KDF_fetch(ossl_ctx, "pbkdf2", NULL);
-+	if (!pbkdf2)
-+		return 0;
-+
-+	ctx = EVP_KDF_CTX_new(pbkdf2);
-+	if (!ctx) {
-+		EVP_KDF_free(pbkdf2);
-+		return 0;
-+	}
-+
-+	r = EVP_KDF_derive(ctx, key, key_length, params);
-+
-+	EVP_KDF_CTX_free(ctx);
-+	EVP_KDF_free(pbkdf2);
-+
-+	/* _derive() returns 0 or negative value on error, 1 on success */
-+	return r <= 0 ? 0 : 1;
-+#else
-+	const EVP_MD *hash_id = EVP_get_digestbyname(crypt_hash_compat_name(hash));
-+	if (!hash_id)
-+		return 0;
-+
-+	return PKCS5_PBKDF2_HMAC(password, (int)password_length, (const unsigned char *)salt,
-+				 (int)salt_length, iterations, hash_id,
-+				 (int)key_length, key);
-+#endif
-+}
-+
- /* PBKDF */
- int crypt_pbkdf(const char *kdf, const char *hash,
- 		const char *password, size_t password_length,
-@@ -397,19 +517,12 @@ int crypt_pbkdf(const char *kdf, const char *hash,
- 		uint32_t iterations, uint32_t memory, uint32_t parallel)
- 
- {
--	const EVP_MD *hash_id;
--
- 	if (!kdf)
- 		return -EINVAL;
- 
- 	if (!strcmp(kdf, "pbkdf2")) {
--		hash_id = EVP_get_digestbyname(crypt_hash_compat_name(hash));
--		if (!hash_id)
--			return -EINVAL;
--
--		if (!PKCS5_PBKDF2_HMAC(password, (int)password_length,
--		    (const unsigned char *)salt, (int)salt_length,
--	            (int)iterations, hash_id, (int)key_length, (unsigned char *)key))
-+		if (!pbkdf2(password, password_length,
-+		    salt, salt_length, iterations, hash, key_length, (unsigned char *)key))
- 			return -EINVAL;
- 		return 0;
- 	} else if (!strncmp(kdf, "argon2", 6)) {
-@@ -421,16 +534,19 @@ int crypt_pbkdf(const char *kdf, const char *hash,
- }
- 
- /* Block ciphers */
--static void _cipher_destroy(EVP_CIPHER_CTX **hd_enc, EVP_CIPHER_CTX **hd_dec)
-+static void _cipher_destroy(EVP_CIPHER_CTX **hd_enc, EVP_CIPHER_CTX **hd_dec, const EVP_CIPHER **cipher_type)
- {
- 	EVP_CIPHER_CTX_free(*hd_enc);
- 	*hd_enc = NULL;
- 
- 	EVP_CIPHER_CTX_free(*hd_dec);
- 	*hd_dec = NULL;
-+
-+	cipher_type_free(*cipher_type);
-+	*cipher_type = NULL;
- }
- 
--static int _cipher_init(EVP_CIPHER_CTX **hd_enc, EVP_CIPHER_CTX **hd_dec, const char *name,
-+static int _cipher_init(EVP_CIPHER_CTX **hd_enc, EVP_CIPHER_CTX **hd_dec, const EVP_CIPHER **cipher_type, const char *name,
- 			const char *mode, const void *key, size_t key_length, size_t *iv_length)
- {
- 	char cipher_name[256];
-@@ -445,32 +561,38 @@ static int _cipher_init(EVP_CIPHER_CTX **hd_enc, EVP_CIPHER_CTX **hd_dec, const
- 	if (r < 0 || (size_t)r >= sizeof(cipher_name))
- 		return -EINVAL;
- 
--	type = EVP_get_cipherbyname(cipher_name);
-+	type = cipher_type_get(cipher_name);
- 	if (!type)
- 		return -ENOENT;
- 
--	if (EVP_CIPHER_key_length(type) != (int)key_length)
-+	if (EVP_CIPHER_key_length(type) != (int)key_length) {
-+		cipher_type_free(type);
- 		return -EINVAL;
-+	}
- 
- 	*hd_enc = EVP_CIPHER_CTX_new();
- 	*hd_dec = EVP_CIPHER_CTX_new();
- 	*iv_length = EVP_CIPHER_iv_length(type);
- 
--	if (!*hd_enc || !*hd_dec)
-+	if (!*hd_enc || !*hd_dec) {
-+		cipher_type_free(type);
- 		return -EINVAL;
-+	}
- 
- 	if (EVP_EncryptInit_ex(*hd_enc, type, NULL, key, NULL) != 1 ||
- 	    EVP_DecryptInit_ex(*hd_dec, type, NULL, key, NULL) != 1) {
--		_cipher_destroy(hd_enc, hd_dec);
-+		_cipher_destroy(hd_enc, hd_dec, &type);
- 		return -EINVAL;
- 	}
- 
- 	if (EVP_CIPHER_CTX_set_padding(*hd_enc, 0) != 1 ||
- 	    EVP_CIPHER_CTX_set_padding(*hd_dec, 0) != 1) {
--		_cipher_destroy(hd_enc, hd_dec);
-+		_cipher_destroy(hd_enc, hd_dec, &type);
- 		return -EINVAL;
- 	}
- 
-+	*cipher_type = type;
-+
- 	return 0;
- }
- 
-@@ -484,7 +606,7 @@ int crypt_cipher_init(struct crypt_cipher **ctx, const char *name,
- 	if (!h)
- 		return -ENOMEM;
- 
--	if (!_cipher_init(&h->u.lib.hd_enc, &h->u.lib.hd_dec, name, mode, key,
-+	if (!_cipher_init(&h->u.lib.hd_enc, &h->u.lib.hd_dec, &h->u.lib.cipher_type, name, mode, key,
- 			  key_length, &h->u.lib.iv_length)) {
- 		h->use_kernel = false;
- 		*ctx = h;
-@@ -507,7 +629,7 @@ void crypt_cipher_destroy(struct crypt_cipher *ctx)
- 	if (ctx->use_kernel)
- 		crypt_cipher_destroy_kernel(&ctx->u.kernel);
- 	else
--		_cipher_destroy(&ctx->u.lib.hd_enc, &ctx->u.lib.hd_dec);
-+		_cipher_destroy(&ctx->u.lib.hd_enc, &ctx->u.lib.hd_dec, &ctx->u.lib.cipher_type);
- 	free(ctx);
- }
- 
--- 
-2.27.0
-
diff --git a/SOURCES/cryptsetup-2.4.1-Cache-FIPS-mode-check.patch b/SOURCES/cryptsetup-2.4.1-Cache-FIPS-mode-check.patch
deleted file mode 100644
index d64cbee..0000000
--- a/SOURCES/cryptsetup-2.4.1-Cache-FIPS-mode-check.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 75e45462f097a9a75747b3f44d7672f2547e63e9 Mon Sep 17 00:00:00 2001
-From: Milan Broz <gmazyland@gmail.com>
-Date: Tue, 14 Sep 2021 09:56:05 +0200
-Subject: [PATCH 04/11] Cache FIPS mode check.
-
-We do not support switch while the crypto backend is already initialized,
-so it does not make sense to check repeatedly for the FIPS mode status.
----
- lib/utils_fips.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/lib/utils_fips.c b/lib/utils_fips.c
-index 0c2b6434..640ff0e3 100644
---- a/lib/utils_fips.c
-+++ b/lib/utils_fips.c
-@@ -26,6 +26,9 @@
- #if !ENABLE_FIPS
- bool crypt_fips_mode(void) { return false; }
- #else
-+static bool fips_checked = false;
-+static bool fips_mode = false;
-+
- static bool kernel_fips_mode(void)
- {
- 	int fd;
-@@ -41,6 +44,12 @@ static bool kernel_fips_mode(void)
- 
- bool crypt_fips_mode(void)
- {
--	return kernel_fips_mode() && !access("/etc/system-fips", F_OK);
-+	if (fips_checked)
-+		return fips_mode;
-+
-+	fips_mode = kernel_fips_mode() && !access("/etc/system-fips", F_OK);
-+	fips_checked = true;
-+
-+	return fips_mode;
- }
- #endif /* ENABLE_FIPS */
--- 
-2.27.0
-
diff --git a/SOURCES/cryptsetup-2.4.1-Do-not-load-own-OpenSSL-backend-context-in-FIPS-mode.patch b/SOURCES/cryptsetup-2.4.1-Do-not-load-own-OpenSSL-backend-context-in-FIPS-mode.patch
deleted file mode 100644
index 928e65e..0000000
--- a/SOURCES/cryptsetup-2.4.1-Do-not-load-own-OpenSSL-backend-context-in-FIPS-mode.patch
+++ /dev/null
@@ -1,236 +0,0 @@
-From f8eb7b225affe8b6b9f02ab6a90fd2e73181a526 Mon Sep 17 00:00:00 2001
-From: Milan Broz <gmazyland@gmail.com>
-Date: Mon, 13 Sep 2021 19:45:05 +0200
-Subject: [PATCH 03/11] Do not load own OpenSSL backend context in FIPS mode.
-
-In the FIPS mode keep configuration up to the system wide config.
----
- lib/crypto_backend/crypto_backend.h |  2 +-
- lib/crypto_backend/crypto_gcrypt.c  |  2 +-
- lib/crypto_backend/crypto_kernel.c  |  2 +-
- lib/crypto_backend/crypto_nettle.c  |  2 +-
- lib/crypto_backend/crypto_nss.c     |  2 +-
- lib/crypto_backend/crypto_openssl.c | 39 +++++++++++++++++------------
- lib/setup.c                         |  2 +-
- lib/utils_fips.c                    |  8 +++---
- lib/utils_fips.h                    |  4 ++-
- tests/crypto-vectors.c              |  2 +-
- 10 files changed, 37 insertions(+), 28 deletions(-)
-
-diff --git a/lib/crypto_backend/crypto_backend.h b/lib/crypto_backend/crypto_backend.h
-index 5278c345..88cc2d59 100644
---- a/lib/crypto_backend/crypto_backend.h
-+++ b/lib/crypto_backend/crypto_backend.h
-@@ -31,7 +31,7 @@ struct crypt_hmac;
- struct crypt_cipher;
- struct crypt_storage;
- 
--int crypt_backend_init(void);
-+int crypt_backend_init(bool fips);
- void crypt_backend_destroy(void);
- 
- #define CRYPT_BACKEND_KERNEL (1 << 0)	/* Crypto uses kernel part, for benchmark */
-diff --git a/lib/crypto_backend/crypto_gcrypt.c b/lib/crypto_backend/crypto_gcrypt.c
-index 2845382e..67f26067 100644
---- a/lib/crypto_backend/crypto_gcrypt.c
-+++ b/lib/crypto_backend/crypto_gcrypt.c
-@@ -94,7 +94,7 @@ static void crypt_hash_test_whirlpool_bug(void)
- 		crypto_backend_whirlpool_bug = 1;
- }
- 
--int crypt_backend_init(void)
-+int crypt_backend_init(bool fips __attribute__((unused)))
- {
- 	int r;
- 
-diff --git a/lib/crypto_backend/crypto_kernel.c b/lib/crypto_backend/crypto_kernel.c
-index 2e3d65b2..ce84cfac 100644
---- a/lib/crypto_backend/crypto_kernel.c
-+++ b/lib/crypto_backend/crypto_kernel.c
-@@ -117,7 +117,7 @@ static int crypt_kernel_socket_init(struct sockaddr_alg *sa, int *tfmfd, int *op
- 	return 0;
- }
- 
--int crypt_backend_init(void)
-+int crypt_backend_init(bool fips __attribute__((unused)))
- {
- 	struct utsname uts;
- 	struct sockaddr_alg sa = {
-diff --git a/lib/crypto_backend/crypto_nettle.c b/lib/crypto_backend/crypto_nettle.c
-index 0860a52d..c9b9f5f8 100644
---- a/lib/crypto_backend/crypto_nettle.c
-+++ b/lib/crypto_backend/crypto_nettle.c
-@@ -213,7 +213,7 @@ static struct hash_alg *_get_alg(const char *name)
- 	return NULL;
- }
- 
--int crypt_backend_init(void)
-+int crypt_backend_init(bool fips __attribute__((unused)))
- {
- 	return 0;
- }
-diff --git a/lib/crypto_backend/crypto_nss.c b/lib/crypto_backend/crypto_nss.c
-index ebe9de0e..a84d3d65 100644
---- a/lib/crypto_backend/crypto_nss.c
-+++ b/lib/crypto_backend/crypto_nss.c
-@@ -75,7 +75,7 @@ static struct hash_alg *_get_alg(const char *name)
- 	return NULL;
- }
- 
--int crypt_backend_init(void)
-+int crypt_backend_init(bool fips __attribute__((unused)))
- {
- 	int r;
- 
-diff --git a/lib/crypto_backend/crypto_openssl.c b/lib/crypto_backend/crypto_openssl.c
-index 92eeb33c..2a490ce5 100644
---- a/lib/crypto_backend/crypto_openssl.c
-+++ b/lib/crypto_backend/crypto_openssl.c
-@@ -88,7 +88,7 @@ struct hash_alg {
- #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-     (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
- 
--static void openssl_backend_init(void)
-+static void openssl_backend_init(bool fips __attribute__((unused)))
- {
- 	OpenSSL_add_all_algorithms();
- }
-@@ -150,7 +150,7 @@ static void openssl_backend_exit(void)
- #endif
- }
- 
--static int openssl_backend_init(void)
-+static int openssl_backend_init(bool fips)
- {
- /*
-  * OpenSSL >= 3.0.0 provides some algorithms in legacy provider
-@@ -158,23 +158,30 @@ static int openssl_backend_init(void)
- #if OPENSSL_VERSION_MAJOR >= 3
- 	int r;
- 
--	ossl_ctx = OSSL_LIB_CTX_new();
--	if (!ossl_ctx)
--		return -EINVAL;
-+	/*
-+	 * In FIPS mode we keep default OpenSSL context & global config
-+	 */
-+	if (!fips) {
-+		ossl_ctx = OSSL_LIB_CTX_new();
-+		if (!ossl_ctx)
-+			return -EINVAL;
- 
--	ossl_default = OSSL_PROVIDER_try_load(ossl_ctx, "default", 0);
--	if (!ossl_default) {
--		OSSL_LIB_CTX_free(ossl_ctx);
--		return -EINVAL;
--	}
-+		ossl_default = OSSL_PROVIDER_try_load(ossl_ctx, "default", 0);
-+		if (!ossl_default) {
-+			OSSL_LIB_CTX_free(ossl_ctx);
-+			return -EINVAL;
-+		}
- 
--	/* Optional */
--	ossl_legacy = OSSL_PROVIDER_try_load(ossl_ctx, "legacy", 0);
-+		/* Optional */
-+		ossl_legacy = OSSL_PROVIDER_try_load(ossl_ctx, "legacy", 0);
-+	}
- 
--	r = snprintf(backend_version, sizeof(backend_version), "%s %s%s",
-+	r = snprintf(backend_version, sizeof(backend_version), "%s %s%s%s",
- 		OpenSSL_version(OPENSSL_VERSION),
- 		ossl_default ? "[default]" : "",
--		ossl_legacy  ? "[legacy]" : "");
-+		ossl_legacy  ? "[legacy]" : "",
-+		fips  ? "[fips]" : "");
-+
- 	if (r < 0 || (size_t)r >= sizeof(backend_version)) {
- 		openssl_backend_exit();
- 		return -EINVAL;
-@@ -193,12 +200,12 @@ static const char *openssl_backend_version(void)
- }
- #endif
- 
--int crypt_backend_init(void)
-+int crypt_backend_init(bool fips)
- {
- 	if (crypto_backend_initialised)
- 		return 0;
- 
--	if (openssl_backend_init())
-+	if (openssl_backend_init(fips))
- 		return -EINVAL;
- 
- 	crypto_backend_initialised = 1;
-diff --git a/lib/setup.c b/lib/setup.c
-index dc5459f5..a5dfd843 100644
---- a/lib/setup.c
-+++ b/lib/setup.c
-@@ -227,7 +227,7 @@ int init_crypto(struct crypt_device *ctx)
- 		return r;
- 	}
- 
--	r = crypt_backend_init();
-+	r = crypt_backend_init(crypt_fips_mode());
- 	if (r < 0)
- 		log_err(ctx, _("Cannot initialize crypto backend."));
- 
-diff --git a/lib/utils_fips.c b/lib/utils_fips.c
-index 4fa22fb9..0c2b6434 100644
---- a/lib/utils_fips.c
-+++ b/lib/utils_fips.c
-@@ -24,9 +24,9 @@
- #include "utils_fips.h"
- 
- #if !ENABLE_FIPS
--int crypt_fips_mode(void) { return 0; }
-+bool crypt_fips_mode(void) { return false; }
- #else
--static int kernel_fips_mode(void)
-+static bool kernel_fips_mode(void)
- {
- 	int fd;
- 	char buf[1] = "";
-@@ -36,10 +36,10 @@ static int kernel_fips_mode(void)
- 		close(fd);
- 	}
- 
--	return (buf[0] == '1') ? 1 : 0;
-+	return (buf[0] == '1');
- }
- 
--int crypt_fips_mode(void)
-+bool crypt_fips_mode(void)
- {
- 	return kernel_fips_mode() && !access("/etc/system-fips", F_OK);
- }
-diff --git a/lib/utils_fips.h b/lib/utils_fips.h
-index 51b110b5..13cfc9fb 100644
---- a/lib/utils_fips.h
-+++ b/lib/utils_fips.h
-@@ -21,6 +21,8 @@
- #ifndef _UTILS_FIPS_H
- #define _UTILS_FIPS_H
- 
--int crypt_fips_mode(void);
-+#include <stdbool.h>
-+
-+bool crypt_fips_mode(void);
- 
- #endif /* _UTILS_FIPS_H */
-diff --git a/tests/crypto-vectors.c b/tests/crypto-vectors.c
-index 025585de..6484e97a 100644
---- a/tests/crypto-vectors.c
-+++ b/tests/crypto-vectors.c
-@@ -1301,7 +1301,7 @@ int main(__attribute__ ((unused)) int argc, __attribute__ ((unused))char *argv[]
- 		exit(77);
- 	}
- 
--	if (crypt_backend_init())
-+	if (crypt_backend_init(fips_mode()))
- 		exit_test("Crypto backend init error.", EXIT_FAILURE);
- 
- 	printf("Test vectors using %s crypto backend.\n", crypt_backend_version());
--- 
-2.27.0
-
diff --git a/SOURCES/cryptsetup-2.4.1-OpenSSL-backend-make-legacy-for-OpenSSL3-optional-an.patch b/SOURCES/cryptsetup-2.4.1-OpenSSL-backend-make-legacy-for-OpenSSL3-optional-an.patch
deleted file mode 100644
index 060b1ef..0000000
--- a/SOURCES/cryptsetup-2.4.1-OpenSSL-backend-make-legacy-for-OpenSSL3-optional-an.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 29ea07ef66be59c8ab62058b2ce3e92765e2be10 Mon Sep 17 00:00:00 2001
-From: Milan Broz <gmazyland@gmail.com>
-Date: Mon, 13 Sep 2021 14:48:15 +0200
-Subject: [PATCH 02/11] OpenSSL backend: make legacy for OpenSSL3 optional and
- report loaded providers
-
----
- lib/crypto_backend/crypto_openssl.c | 48 +++++++++++++++++++----------
- 1 file changed, 32 insertions(+), 16 deletions(-)
-
-diff --git a/lib/crypto_backend/crypto_openssl.c b/lib/crypto_backend/crypto_openssl.c
-index a5ec4048..92eeb33c 100644
---- a/lib/crypto_backend/crypto_openssl.c
-+++ b/lib/crypto_backend/crypto_openssl.c
-@@ -45,6 +45,7 @@
- static OSSL_PROVIDER *ossl_legacy = NULL;
- static OSSL_PROVIDER *ossl_default = NULL;
- static OSSL_LIB_CTX  *ossl_ctx = NULL;
-+static char backend_version[256] = "OpenSSL";
- #endif
- 
- #define CONST_CAST(x) (x)(uintptr_t)
-@@ -133,12 +134,30 @@ static void HMAC_CTX_free(HMAC_CTX *md)
- 	free(md);
- }
- #else
-+static void openssl_backend_exit(void)
-+{
-+#if OPENSSL_VERSION_MAJOR >= 3
-+	if (ossl_legacy)
-+		OSSL_PROVIDER_unload(ossl_legacy);
-+	if (ossl_default)
-+		OSSL_PROVIDER_unload(ossl_default);
-+	if (ossl_ctx)
-+		OSSL_LIB_CTX_free(ossl_ctx);
-+
-+	ossl_legacy = NULL;
-+	ossl_default = NULL;
-+	ossl_ctx = NULL;
-+#endif
-+}
-+
- static int openssl_backend_init(void)
- {
- /*
-  * OpenSSL >= 3.0.0 provides some algorithms in legacy provider
-  */
- #if OPENSSL_VERSION_MAJOR >= 3
-+	int r;
-+
- 	ossl_ctx = OSSL_LIB_CTX_new();
- 	if (!ossl_ctx)
- 		return -EINVAL;
-@@ -151,30 +170,27 @@ static int openssl_backend_init(void)
- 
- 	/* Optional */
- 	ossl_legacy = OSSL_PROVIDER_try_load(ossl_ctx, "legacy", 0);
-+
-+	r = snprintf(backend_version, sizeof(backend_version), "%s %s%s",
-+		OpenSSL_version(OPENSSL_VERSION),
-+		ossl_default ? "[default]" : "",
-+		ossl_legacy  ? "[legacy]" : "");
-+	if (r < 0 || (size_t)r >= sizeof(backend_version)) {
-+		openssl_backend_exit();
-+		return -EINVAL;
-+	}
- #endif
- 	return 0;
- }
- 
--static void openssl_backend_exit(void)
-+static const char *openssl_backend_version(void)
- {
- #if OPENSSL_VERSION_MAJOR >= 3
--	if (ossl_legacy)
--		OSSL_PROVIDER_unload(ossl_legacy);
--	if (ossl_default)
--		OSSL_PROVIDER_unload(ossl_default);
--	if (ossl_ctx)
--		OSSL_LIB_CTX_free(ossl_ctx);
--
--	ossl_legacy = NULL;
--	ossl_default = NULL;
--	ossl_ctx = NULL;
-+	return backend_version;
-+#else
-+	return OpenSSL_version(OPENSSL_VERSION);
- #endif
- }
--
--static const char *openssl_backend_version(void)
--{
--    return OpenSSL_version(OPENSSL_VERSION);
--}
- #endif
- 
- int crypt_backend_init(void)
--- 
-2.27.0
-
diff --git a/SOURCES/cryptsetup-2.4.2-Check-if-DM-create-device-failed-in-an-early-phase.patch b/SOURCES/cryptsetup-2.4.2-Check-if-DM-create-device-failed-in-an-early-phase.patch
new file mode 100644
index 0000000..67ae8df
--- /dev/null
+++ b/SOURCES/cryptsetup-2.4.2-Check-if-DM-create-device-failed-in-an-early-phase.patch
@@ -0,0 +1,48 @@
+From 10b1d6493e3be04953ac9f65d2b2d992ab87bdde Mon Sep 17 00:00:00 2001
+From: Milan Broz <gmazyland@gmail.com>
+Date: Tue, 21 Sep 2021 15:54:07 +0200
+Subject: [PATCH 2/7] Check if DM create device failed in an early phase.
+
+This happens when concurrent creation of DM devices meets
+in the very early state (no device node exists but creation fails).
+
+Return -ENODEV here instead of -EINVAL.
+
+(Should "fix" random verity concurrent test failure.)
+---
+ lib/libdevmapper.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
+index 09fd9588..1594f877 100644
+--- a/lib/libdevmapper.c
++++ b/lib/libdevmapper.c
+@@ -1346,12 +1346,6 @@ err:
+ 	return r;
+ }
+ 
+-static bool dm_device_exists(struct crypt_device *cd, const char *name)
+-{
+-	int r = dm_status_device(cd, name);
+-	return (r >= 0 || r == -EEXIST);
+-}
+-
+ static int _dm_create_device(struct crypt_device *cd, const char *name, const char *type,
+ 			     struct crypt_dm_active_device *dmd)
+ {
+@@ -1402,8 +1396,11 @@ static int _dm_create_device(struct crypt_device *cd, const char *name, const ch
+ 		goto out;
+ 
+ 	if (!dm_task_run(dmt)) {
+-		if (dm_device_exists(cd, name))
++		r = dm_status_device(cd, name);;
++		if (r >= 0)
+ 			r = -EEXIST;
++		if (r != -EEXIST && r != -ENODEV)
++			r = -EINVAL;
+ 		goto out;
+ 	}
+ 
+-- 
+2.27.0
+
diff --git a/SOURCES/cryptsetup-2.4.2-Do-not-try-to-set-compiler-optimization-flag-if-wipe.patch b/SOURCES/cryptsetup-2.4.2-Do-not-try-to-set-compiler-optimization-flag-if-wipe.patch
new file mode 100644
index 0000000..7ec2b84
--- /dev/null
+++ b/SOURCES/cryptsetup-2.4.2-Do-not-try-to-set-compiler-optimization-flag-if-wipe.patch
@@ -0,0 +1,53 @@
+From a76310b53fbb117e620f2c37350b68dd267f1088 Mon Sep 17 00:00:00 2001
+From: Milan Broz <gmazyland@gmail.com>
+Date: Mon, 20 Sep 2021 17:42:20 +0200
+Subject: [PATCH 1/7] Do not try to set compiler optimization flag if wipe is
+ implemented in libc.
+
+If zeroing memory is implemented through libc call (like memset_bzero),
+compiler should never remove such call. It is not needed to set O0
+optimization flag explicitly.
+
+Various checkers like annocheck causes problems with these flags,
+just remove it where it makes no sense.
+
+(Moreover, we use the same pattern without compiler magic
+in crypt_backend_memzero() already.)
+---
+ lib/crypto_backend/argon2/core.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/lib/crypto_backend/argon2/core.c b/lib/crypto_backend/argon2/core.c
+index b204ba98..db9a7741 100644
+--- a/lib/crypto_backend/argon2/core.c
++++ b/lib/crypto_backend/argon2/core.c
+@@ -120,18 +120,24 @@ void free_memory(const argon2_context *context, uint8_t *memory,
+     }
+ }
+ 
+-void NOT_OPTIMIZED secure_wipe_memory(void *v, size_t n) {
+ #if defined(_MSC_VER) && VC_GE_2005(_MSC_VER)
++void secure_wipe_memory(void *v, size_t n) {
+     SecureZeroMemory(v, n);
++}
+ #elif defined memset_s
++void secure_wipe_memory(void *v, size_t n) {
+     memset_s(v, n, 0, n);
++}
+ #elif defined(HAVE_EXPLICIT_BZERO)
++void secure_wipe_memory(void *v, size_t n) {
+     explicit_bzero(v, n);
++}
+ #else
++void NOT_OPTIMIZED secure_wipe_memory(void *v, size_t n) {
+     static void *(*const volatile memset_sec)(void *, int, size_t) = &memset;
+     memset_sec(v, 0, n);
+-#endif
+ }
++#endif
+ 
+ /* Memory clear flag defaults to true. */
+ int FLAG_clear_internal_memory = 1;
+-- 
+2.27.0
+
diff --git a/SPECS/cryptsetup.spec b/SPECS/cryptsetup.spec
index 3d879b5..ba1d65b 100644
--- a/SPECS/cryptsetup.spec
+++ b/SPECS/cryptsetup.spec
@@ -1,7 +1,7 @@
 Summary: Utility for setting up encrypted disks
 Name: cryptsetup
-Version: 2.4.0
-Release: 2%{?dist}
+Version: 2.4.1
+Release: 1%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://gitlab.com/cryptsetup/cryptsetup
 BuildRequires: openssl-devel, popt-devel, device-mapper-devel
@@ -14,10 +14,8 @@ Requires: libpwquality >= 1.2.0
 %global upstream_version %{version}
 Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-%{upstream_version}.tar.xz
 # Following patch has to applied last
-Patch0000: %{name}-2.4.1-Adapt-crypto-backend-to-openssl3-lib-context.patch
-Patch0001: %{name}-2.4.1-OpenSSL-backend-make-legacy-for-OpenSSL3-optional-an.patch
-Patch0002: %{name}-2.4.1-Do-not-load-own-OpenSSL-backend-context-in-FIPS-mode.patch
-Patch0003: %{name}-2.4.1-Cache-FIPS-mode-check.patch
+Patch0000: %{name}-2.4.2-Do-not-try-to-set-compiler-optimization-flag-if-wipe.patch
+Patch0001: %{name}-2.4.2-Check-if-DM-create-device-failed-in-an-early-phase.patch
 Patch9999: %{name}-add-system-library-paths.patch
 
 %description
@@ -115,9 +113,9 @@ rm -rf %{buildroot}%{_libdir}/*.la
 %ghost %attr(700, -, -) %dir /run/cryptsetup
 
 %changelog
-* Thu Sep 09 2021 Ondrej Kozina <okozina@redhat.com> - 2.4.0-2
-- Fix openssl crypto backend teardown in library destructor
-  Resolves: #1998921
+* Wed Sep 29 2021 Ondrej Kozina <okozina@redhat.com> - 2.4.1-1
+- Update to cryptsetup 2.4.1.
+  Resolves: #2005035 #2005877
 
 * Thu Aug 19 2021 Ondrej Kozina <okozina@redhat.com> - 2.4.0-1
 - Update to cryptsetup 2.4.0.