diff --git a/.cryptsetup.metadata b/.cryptsetup.metadata
index 899196b..74cec14 100644
--- a/.cryptsetup.metadata
+++ b/.cryptsetup.metadata
@@ -1 +1,2 @@
 3ce643e82d52b0c0282c2754c4bfa8c15c1f567e SOURCES/cryptsetup-2.3.7.tar.xz
+ec3ce9960bd536f7500e0d767a973672037c13e6 SOURCES/tests.tar.xz
diff --git a/.gitignore b/.gitignore
index 48e6826..3374721 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 SOURCES/cryptsetup-2.3.7.tar.xz
+SOURCES/tests.tar.xz
diff --git a/SOURCES/cryptsetup-2.6.0-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch b/SOURCES/cryptsetup-2.6.0-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch
new file mode 100644
index 0000000..350a863
--- /dev/null
+++ b/SOURCES/cryptsetup-2.6.0-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch
@@ -0,0 +1,316 @@
+From 5b001b7962744b1bdaeb60b7c8cb9c682f907e03 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina
+Date: Tue, 28 Jun 2022 16:23:34 +0200
+Subject: [PATCH] Delegate FIPS mode detection to configured crypto backend.
+
+System FIPS mode check is no longer dependent on /etc/system-fips
+file. The change should be compatible with older distributions since
+we now depend on crypto backend internal routine.
+
+This commit affects only FIPS enabled systems (with FIPS enabled
+builds). In case this causes any regression in current distributions
+feel free to drop the patch.
+
+For reference see https://bugzilla.redhat.com/show_bug.cgi?id=2080516
+---
+ lib/crypto_backend/crypto_backend.h | 3 ++
+ lib/crypto_backend/crypto_gcrypt.c | 17 +++++++++
+ lib/crypto_backend/crypto_kernel.c | 5 +++
+ lib/crypto_backend/crypto_nettle.c | 5 +++
+ lib/crypto_backend/crypto_nss.c | 5 +++
+ lib/crypto_backend/crypto_openssl.c | 26 ++++++++++++++
+ lib/internal.h | 1 -
+ lib/utils_fips.c | 55 -----------------------------
+ lib/utils_fips.h | 28 ---------------
+ po/POTFILES.in | 1 -
+ src/cryptsetup.h | 1 -
+ tests/compat-test | 2 +-
+ tests/compat-test2 | 2 +-
+ tests/keyring-compat-test | 2 +-
+ tests/luks2-reencryption-test | 2 +-
+ 16 files changed, 65 insertions(+), 92 deletions(-)
+ delete mode 100644 lib/utils_fips.c
+ delete mode 100644 lib/utils_fips.h
+
+Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_backend.h
+===================================================================
+--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_backend.h
++++ cryptsetup-2.3.7/lib/crypto_backend/crypto_backend.h
+@@ -135,4 +135,7 @@ static inline void crypt_backend_memzero
+ #endif
+ }
+
++/* crypto backend running in FIPS mode */
++bool crypt_fips_mode(void);
++
+ #endif /* _CRYPTO_BACKEND_H */
+Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_gcrypt.c
+===================================================================
+--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_gcrypt.c
++++ cryptsetup-2.3.7/lib/crypto_backend/crypto_gcrypt.c
+@@ -550,3 +550,20 @@ out:
+ return -ENOTSUP;
+ #endif
+ }
++
++#if !ENABLE_FIPS
++bool crypt_fips_mode(void) { return false; }
++#else
++bool crypt_fips_mode(void)
++{
++ static bool fips_mode = false, fips_checked = false;
++
++ if (fips_checked)
++ return fips_mode;
++
++ fips_mode = gcry_fips_mode_active();
++ fips_checked = true;
++
++ return fips_mode;
++}
++#endif /* ENABLE FIPS */
+Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_kernel.c
+===================================================================
+--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_kernel.c
++++ cryptsetup-2.3.7/lib/crypto_backend/crypto_kernel.c
+@@ -416,3 +416,8 @@ int crypt_bitlk_decrypt_key(const void *
+ return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
+ iv, iv_length, tag, tag_length);
+ }
++
++bool crypt_fips_mode(void)
++{
++ return false;
++}
+Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_nettle.c
+===================================================================
+--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_nettle.c
++++ cryptsetup-2.3.7/lib/crypto_backend/crypto_nettle.c
+@@ -442,3 +442,8 @@ int crypt_bitlk_decrypt_key(const void *
+ return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
+ iv, iv_length, tag, tag_length);
+ }
++
++bool crypt_fips_mode(void)
++{
++ return false;
++}
+Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_nss.c
+===================================================================
+--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_nss.c
++++ cryptsetup-2.3.7/lib/crypto_backend/crypto_nss.c
+@@ -395,3 +395,8 @@ int crypt_bitlk_decrypt_key(const void *
+ return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
+ iv, iv_length, tag, tag_length);
+ }
++
++bool crypt_fips_mode(void)
++{
++ return false;
++}
+Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_openssl.c
+===================================================================
+--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_openssl.c
++++ cryptsetup-2.3.7/lib/crypto_backend/crypto_openssl.c
+@@ -574,3 +574,29 @@ out:
+ return -ENOTSUP;
+ #endif
+ }
++
++#if !ENABLE_FIPS
++bool crypt_fips_mode(void) { return false; }
++#else
++static bool openssl_fips_mode(void)
++{
++#if OPENSSL_VERSION_MAJOR >= 3
++ return EVP_default_properties_is_fips_enabled(NULL);
++#else
++ return FIPS_mode();
++#endif
++}
++
++bool crypt_fips_mode(void)
++{
++ static bool fips_mode = false, fips_checked = false;
++
++ if (fips_checked)
++ return fips_mode;
++
++ fips_mode = openssl_fips_mode();
++ fips_checked = true;
++
++ return fips_mode;
++}
++#endif /* ENABLE FIPS */
+Index: cryptsetup-2.3.7/lib/internal.h
+===================================================================
+--- cryptsetup-2.3.7.orig/lib/internal.h
++++ cryptsetup-2.3.7/lib/internal.h
+@@ -38,7 +38,6 @@
+ #include "utils_crypt.h"
+ #include "utils_loop.h"
+ #include "utils_dm.h"
+-#include "utils_fips.h"
+ #include "utils_keyring.h"
+ #include "utils_io.h"
+ #include "crypto_backend.h"
+Index: cryptsetup-2.3.7/po/POTFILES.in
+===================================================================
+--- cryptsetup-2.3.7.orig/po/POTFILES.in
++++ cryptsetup-2.3.7/po/POTFILES.in
+@@ -6,7 +6,6 @@ lib/volumekey.c
+ lib/crypt_plain.c
+ lib/utils_crypt.c
+ lib/utils_loop.c
+-lib/utils_fips.c
+ lib/utils_device.c
+ lib/utils_devpath.c
+ lib/utils_pbkdf.c
+Index: cryptsetup-2.3.7/src/cryptsetup.h
+===================================================================
+--- cryptsetup-2.3.7.orig/src/cryptsetup.h
++++ cryptsetup-2.3.7/src/cryptsetup.h
+@@ -43,7 +43,6 @@
+ #include "lib/nls.h"
+ #include "lib/utils_crypt.h"
+ #include "lib/utils_loop.h"
+-#include "lib/utils_fips.h"
+ #include "lib/utils_io.h"
+ #include "lib/utils_blkid.h"
+
+Index: cryptsetup-2.3.7/tests/compat-test
+===================================================================
+--- cryptsetup-2.3.7.orig/tests/compat-test
++++ cryptsetup-2.3.7/tests/compat-test
+@@ -44,7 +44,7 @@ KEY_MATERIAL5_EXT="S331776-395264"
+ TEST_UUID="12345678-1234-1234-1234-123456789abc"
+
+ LOOPDEV=$(losetup -f 2>/dev/null)
+-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
++FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+
+ function remove_mapping()
+ {
+Index: cryptsetup-2.3.7/tests/compat-test2
+===================================================================
+--- cryptsetup-2.3.7.orig/tests/compat-test2
++++ cryptsetup-2.3.7/tests/compat-test2
+@@ -42,7 +42,7 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-f
+ TEST_UUID="12345678-1234-1234-1234-123456789abc"
+
+ LOOPDEV=$(losetup -f 2>/dev/null)
+-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
++FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+
+ function remove_mapping()
+ {
+Index: cryptsetup-2.3.7/tests/keyring-compat-test
+===================================================================
+--- cryptsetup-2.3.7.orig/tests/keyring-compat-test
++++ cryptsetup-2.3.7/tests/keyring-compat-test
+@@ -26,7 +26,7 @@ PWD="aaa"
+ [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
+ CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
+
+-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
++FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+
+ function remove_mapping()
+ {
+Index: cryptsetup-2.3.7/tests/luks2-reencryption-test
+===================================================================
+--- cryptsetup-2.3.7.orig/tests/luks2-reencryption-test
++++ cryptsetup-2.3.7/tests/luks2-reencryption-test
+@@ -24,7 +24,7 @@ PWD1="93R4P4pIqAH8"
+ PWD2="1cND4319812f"
+ PWD3="1-9Qu5Ejfnqv"
+
+-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
++FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+
+ function dm_crypt_features()
+ {
+Index: cryptsetup-2.3.7/lib/utils_fips.c
+===================================================================
+--- cryptsetup-2.3.7.orig/lib/utils_fips.c
++++ cryptsetup-2.3.7/lib/utils_fips.c
+@@ -1,46 +1 @@
+-/*
+- * FIPS mode utilities
+- *
+- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
+- *
+- * This program is free software; you can redistribute it and/or
+- * modify it under the terms of the GNU General Public License
+- * as published by the Free Software Foundation; either version 2
+- * of the License, or (at your option) any later version.
+- *
+- * This program is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+- * GNU General Public License for more details.
+- *
+- * You should have received a copy of the GNU General Public License
+- * along with this program; if not, write to the Free Software
+- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+- */
+-
+-#include
+-#include
+-#include
+-#include "utils_fips.h"
+-
+-#if !ENABLE_FIPS
+-int crypt_fips_mode(void) { return 0; }
+-#else
+-static int kernel_fips_mode(void)
+-{
+- int fd;
+- char buf[1] = "";
+-
+- if ((fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY)) >= 0) {
+- while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
+- close(fd);
+- }
+-
+- return (buf[0] == '1') ? 1 : 0;
+-}
+-
+-int crypt_fips_mode(void)
+-{
+- return kernel_fips_mode() && !access("/etc/system-fips", F_OK);
+-}
+-#endif /* ENABLE_FIPS */
++/* keep an empty file to avoid running autogen.sh */
+Index: cryptsetup-2.3.7/lib/utils_fips.h
+===================================================================
+--- cryptsetup-2.3.7.orig/lib/utils_fips.h
++++ cryptsetup-2.3.7/lib/utils_fips.h
+@@ -1,26 +1 @@
+-/*
+- * FIPS mode utilities
+- *
+- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
+- *
+- * This program is free software; you can redistribute it and/or
+- * modify it under the terms of the GNU General Public License
+- * as published by the Free Software Foundation; either version 2
+- * of the License, or (at your option) any later version.
+- *
+- * This program is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+- * GNU General Public License for more details.
+- *
+- * You should have received a copy of the GNU General Public License
+- * along with this program; if not, write to the Free Software
+- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+- */
+-
+-#ifndef _UTILS_FIPS_H
+-#define _UTILS_FIPS_H
+-
+-int crypt_fips_mode(void);
+-
+-#endif /* _UTILS_FIPS_H */
++/* keep an empty file to avoid running autogen.sh */
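Review bot: The `crypt_fips_mode()` stubs added to crypto_kernel.c, crypto_nettle.c and crypto_nss.c return `false` unconditionally, with no `ENABLE_FIPS` guard, whereas the removed lib/utils_fips.c read /proc/sys/crypto/fips_enabled whichever backend was configured. On a FIPS-enabled build that uses one of these backends, any caller that gates behaviour on this function would now always take the non-FIPS path. If that is intended, say so at each stub, e.g. `/* backend has no FIPS mode detection; always reports non-FIPS, even with ENABLE_FIPS */`, or reject the combination at configure time. The four test scripts still derive `FIPS_MODE` from the kernel flag alone, so their expectation can differ from what the backend reports.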
diff --git a/SOURCES/cryptsetup-2.7.0-Also-disallow-active-devices-with-internal-kernel-na.patch b/SOURCES/cryptsetup-2.7.0-Also-disallow-active-devices-with-internal-kernel-na.patch
new file mode 100644
index 0000000..31dc60c
--- /dev/null
+++ b/SOURCES/cryptsetup-2.7.0-Also-disallow-active-devices-with-internal-kernel-na.patch
@@ -0,0 +1,79 @@
+From dff9ee8c8cb68432e96261b87aabb7aaa51215e7 Mon Sep 17 00:00:00 2001
+From: Milan Broz
+Date: Tue, 2 May 2023 15:42:21 +0200
+Subject: [PATCH] Also disallow active devices with internal kernel names.
+
+The same problem fixed in commit 438cf1d1b3ef6d7405cfbcbe5f631d3d7467a605
+is present in libdevmapper wrapper when parsing active device table.
+
+The whole point of conversion was that non-authenticated modes
+can be always represented in the old cipher-mode-iv format.
+As the internal names contains dash, these are unsupported.
+
+That said, the libdevmapper backend now correctly returns
+full cipher specification including capi prefix for this case.
+
+Init_by_name call now fails with incomplatible cipher definition error.
+---
+ lib/setup.c | 2 +-
+ lib/utils_crypt.c | 9 +++++++++
+ tests/mode-test | 5 +++++
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+Index: cryptsetup-2.3.7/lib/setup.c
+===================================================================
+--- cryptsetup-2.3.7.orig/lib/setup.c
++++ cryptsetup-2.3.7/lib/setup.c
+@@ -1188,7 +1188,7 @@ static int _init_by_name_crypt(struct cr
+ r = crypt_parse_name_and_mode(tgt->type == DM_LINEAR ? "null" : tgt->u.crypt.cipher, cipher,
+ &key_nums, cipher_mode);
+ if (r < 0) {
+- log_dbg(cd, "Cannot parse cipher and mode from active device.");
++ log_err(cd, _("No known cipher specification pattern detected for active device %s."), name);
+ goto out;
+ }
+
+Index: cryptsetup-2.3.7/lib/utils_crypt.c
+===================================================================
+--- cryptsetup-2.3.7.orig/lib/utils_crypt.c
++++ cryptsetup-2.3.7/lib/utils_crypt.c
+@@ -224,6 +224,15 @@ int crypt_capi_to_cipher(char **org_c, c
+ if (i != 2)
+ return -EINVAL;
+
++ /* non-cryptsetup compatible mode (generic driver with dash?) */
++ if (strrchr(iv, ')')) {
++ if (i_dm)
++ return -EINVAL;
++ if (!(*org_c = strdup(c_dm)))
++ return -ENOMEM;
++ return 0;
++ }
++
+ len = strlen(tmp);
+ if (len < 2)
+ return -EINVAL;
+Index: cryptsetup-2.3.7/tests/mode-test
+===================================================================
+--- cryptsetup-2.3.7.orig/tests/mode-test
++++ cryptsetup-2.3.7/tests/mode-test
+@@ -8,6 +8,8 @@ DEV_NAME=dmc_test
+ HEADER_IMG=mode-test.img
+ PASSWORD=3xrododenron
+ PASSWORD1=$PASSWORD
++KEY="7c0dc5dfd0c9191381d92e6ebb3b29e7f0dba53b0de132ae23f5726727173540"
++FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+
+ # cipher-chainmode-ivopts:ivmode
+ CIPHERS="aes twofish serpent"
+@@ -172,6 +174,10 @@ echo -n "CAPI format:"
+ echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail
+ $CRYPTSETUP close "$DEV_NAME"_tstdev || fail
+ echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
++dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail
++$CRYPTSETUP status "$DEV_NAME"_tstdev >/dev/null 2>&1 && fail
++$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null && fail
++dmsetup remove "$DEV_NAME"_tstdev || fail
+ echo [OK]
+
+ cleanup
diff --git a/SOURCES/cryptsetup-2.7.0-Disallow-use-of-internal-kenrel-crypto-driver-names-.patch b/SOURCES/cryptsetup-2.7.0-Disallow-use-of-internal-kenrel-crypto-driver-names-.patch
new file mode 100644
index 0000000..d689213
--- /dev/null
+++ b/SOURCES/cryptsetup-2.7.0-Disallow-use-of-internal-kenrel-crypto-driver-names-.patch
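Review bot: The new early return in `crypt_capi_to_cipher()` (lib/utils_crypt.c) reports success after filling only `*org_c`; if the function also has an integrity output parameter (the signature is cut off in the hunk header, so this is an assumption, with `org_i` as the presumed name), that output is left unassigned on this path. A caller that frees or inspects it after a 0 return would then read an indeterminate pointer, so setting it explicitly, `*org_i = NULL;` before `return 0;`, would make the success contract uniform. The comment could also state that this branch hands back the unparsed dm-crypt string, `capi:` prefix included as the commit message describes, and that the caller owns the `strdup()` result. The function body starts and ends outside the hunk.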
@@ -0,0 +1,68 @@
+From 438cf1d1b3ef6d7405cfbcbe5f631d3d7467a605 Mon Sep 17 00:00:00 2001
+From: Milan Broz
+Date: Mon, 24 Apr 2023 21:19:03 +0200
+Subject: [PATCH] Disallow use of internal kenrel crypto driver names in "capi"
+ specification.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The common way to specify cipher mode in cryptsetup
+is to use cipher-mode-iv notation (like aes-xts-plain64).
+With introduction of authenticated ciphers we also allow "capi:"
+notation that is directly used by dm-crypt (e.g. capi:xts(aes)-plain64).
+
+CAPI specification was never intended to be used with internal
+kernel crypto api names (with dash in algorithm name), actually the
+whole parsing routine wrongly parses mode here now.
+
+The code not checks if parsing wrongly separated the full cipher
+string and effectively allowing only proper cipher names
+(example of no longer supported string is capi:xts(ecb(aes-generic))-plain64).
+
+Thanks to Jan Wichelmann, Luca Wilke and Thomas Eisenbarth from
+University of Lübeck for noticing the problems with this code.
+
+Fixes: #809
+---
+ lib/utils_crypt.c | 8 +++++++-
+ tests/mode-test | 6 ++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c
+index 0b7dc378..c1bde000 100644
+--- a/lib/utils_crypt.c
++++ b/lib/utils_crypt.c
+@@ -43,7 +43,13 @@ int crypt_parse_name_and_mode(const char *s, char *cipher, int *key_nums,
+ cipher, cipher_mode) == 2) {
+ if (!strcmp(cipher_mode, "plain"))
+ strcpy(cipher_mode, "cbc-plain");
+- if (key_nums) {
++ if (!strncmp(cipher, "capi:", 5)) {
++ /* CAPI must not use internal cipher driver names with dash */
++ if (strchr(cipher_mode, ')'))
++ return -EINVAL;
++ if (key_nums)
++ *key_nums = 1;
++ } else if (key_nums) {
+ char *tmp = strchr(cipher, ':');
+ *key_nums = tmp ? atoi(++tmp) : 1;
+ if (!*key_nums)
+diff --git a/tests/mode-test b/tests/mode-test
+index 82171fbd..fe61880a 100755
+--- a/tests/mode-test
++++ b/tests/mode-test
+@@ -184,4 +184,10 @@ done
+ dmcrypt xchacha12,aes-adiantum-plain64
+ dmcrypt xchacha20,aes-adiantum-plain64
+
++echo -n "CAPI format:"
++echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail
++$CRYPTSETUP close "$DEV_NAME"_tstdev || fail
++echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
++echo [OK]
++
+ cleanup
+--
+2.40.1
+
diff --git a/SOURCES/cryptsetup-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch b/SOURCES/cryptsetup-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch
new file mode 100644
index 0000000..97c83d7
--- /dev/null
+++ b/SOURCES/cryptsetup-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch
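Review bot: The rejection added to `crypt_parse_name_and_mode()` keys on a `)` being left in `cipher_mode`, which is only an indirect sign that the cipher/mode split landed inside the algorithm name, and the one-line comment does not say so. I would expand it to something like `/* a ')' in the mode means the split fell inside the capi algorithm name, i.e. an internal driver name with a dash */`, and state that the check recognises the mis-split by that one character only. The literal `5` has to be kept in step with `"capi:"` by hand; `sizeof("capi:") - 1` or a named constant avoids that. The new branch also forces `*key_nums = 1` for every capi spec while the else branch derives it from the string, which deserves a word in the comment; the function continues outside the hunk.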
@@ -0,0 +1,103 @@
+From b8711faf92868dc82b1a64e7673740444199b2ca Mon Sep 17 00:00:00 2001
+From: Milan Broz
+Date: Sun, 25 Jun 2023 23:32:13 +0200
+Subject: [PATCH 2/2] Fix activation of LUKS2 with capi format cipher and
+ kernel crypt name.
+
+While activation of internal cipher algorithms (like aes-generic)
+is disallowed, some old LUKS2 images can still use it.
+
+Check the cipher in activate call, but allow to load LUKS2 metadata.
+This can allow to add repair code easily and also allow luksDump.
+
+Also fix segfault in reencrypt code for such a header.
+
+Fixes: #820
+---
+ lib/luks2/luks2_json_metadata.c | 5 +++++
+ tests/Makefile.am | 4 +++-
+ tests/compat-test2 | 17 ++++++++++++++++-
+ tests/luks2_invalid_cipher.img.xz | Bin 0 -> 135372 bytes
+ tests/meson.build | 1 +
+ 5 files changed, 25 insertions(+), 2 deletions(-)
+ create mode 100644 tests/luks2_invalid_cipher.img.xz
+
+Index: cryptsetup-2.3.7/lib/luks2/luks2_json_metadata.c
+===================================================================
+--- cryptsetup-2.3.7.orig/lib/luks2/luks2_json_metadata.c
++++ cryptsetup-2.3.7/lib/luks2/luks2_json_metadata.c
+@@ -2324,6 +2324,11 @@ int LUKS2_activate(struct crypt_device *
+ if ((r = LUKS2_unmet_requirements(cd, hdr, 0, 0)))
+ return r;
+
++ /* Check that cipher is in compatible format */
++ if (!crypt_get_cipher(cd)) {
++ log_err(cd, _("No known cipher specification pattern detected in LUKS2 header."));
++ return -EINVAL;
++ }
+ r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd),
+ vk, crypt_get_cipher_spec(cd), crypt_get_iv_offset(cd),
+ crypt_get_data_offset(cd), crypt_get_integrity(cd) ?: "none",
+Index: cryptsetup-2.3.7/tests/compat-test2
+===================================================================
+--- cryptsetup-2.3.7.orig/tests/compat-test2
++++ cryptsetup-2.3.7/tests/compat-test2
+@@ -3,6 +3,7 @@
+ PS4='$LINENO:'
+ [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
+ CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
++CRYPTSETUP_REENCRYPT=$CRYPTSETUP_PATH/cryptsetup-reencrypt
+
+ CRYPTSETUP_VALGRIND=../.libs/cryptsetup
+ CRYPTSETUP_LIB_VALGRIND=../.libs
+@@ -16,6 +17,7 @@ IMG10=luks-test-v10
+ HEADER_IMG=luks-header
+ HEADER_KEYU=luks2_keyslot_unassigned.img
+ HEADER_LUKS2_PV=blkid-luks2-pv.img
++HEADER_LUKS2_INV=luks2_invalid_cipher.img
+ KEY1=key1
+ KEY2=key2
+ KEY5=key5
+@@ -50,7 +52,9 @@ function remove_mapping()
+ [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
+ [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
+ losetup -d $LOOPDEV >/dev/null 2>&1
+- rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE $HEADER_LUKS2_PV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* $KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1
++ rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE \
++ $HEADER_LUKS2_PV $HEADER_LUKS2_INV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* \
++ $KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1
+
+ # unlink whole test keyring
+ [ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null
+@@ -1049,5 +1053,19 @@ for cipher in $CIPHERS ; do
+ done
+ echo
+
++prepare "[44] LUKS2 invalid cipher (kernel cipher driver name)" wipe
++xz -dk $HEADER_LUKS2_INV.xz
++dd if=$HEADER_LUKS2_INV of=$IMG conv=notrunc >/dev/null 2>&1
++$CRYPTSETUP -q luksDump $LOOPDEV | grep -q "capi:xts(ecb(aes-generic))-plain64" || fail
++echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail
++echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME 2>&1 | grep -q "No known cipher specification pattern" || fail
++echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV >/dev/null 2>&1 && fail
++echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV 2>&1 | grep -q "No known cipher specification pattern" || fail
++echo $PWD1 | $CRYPTSETUP_REENCRYPT $LOOPDEV 2>&1 | grep -q "No known cipher specification pattern" || fail
++dmsetup create $DEV_NAME --uuid CRYPT-LUKS2-3d20686f551748cb89911ad32379821b-test --table \
++ "0 8 crypt capi:xts(ecb(aes-generic))-plain64 edaa40709797973715e572bf7d86fcbb9cfe2051083c33c28d58fe4e1e7ff642 0 $LOOPDEV 32768"
++$CRYPTSETUP status $DEV_NAME | grep -q "n/a" || fail
++$CRYPTSETUP close $DEV_NAME ||fail
++
+ remove_mapping
+ exit 0
+Index: cryptsetup-2.3.7/src/cryptsetup.h
+===================================================================
+--- cryptsetup-2.3.7.orig/src/cryptsetup.h
++++ cryptsetup-2.3.7/src/cryptsetup.h
+@@ -103,6 +103,7 @@ void tools_clear_line(void);
+ int tools_wipe_progress(uint64_t size, uint64_t offset, void *usrptr);
+ int tools_reencrypt_progress(uint64_t size, uint64_t offset, void *usrptr);
+ int reencrypt_is_header_detached(const char *header_device, const char *data_device);
++bool luks2_reencrypt_eligible(struct crypt_device *cd);
+
+ int tools_read_mk(const char *file, char **key, int keysize);
+ int tools_write_mk(const char *file, const char *key, int keysize);
diff --git a/SOURCES/cryptsetup-2.7.0-Fix-init_by_name-to-allow-unknown-cipher-format-in-d.patch b/SOURCES/cryptsetup-2.7.0-Fix-init_by_name-to-allow-unknown-cipher-format-in-d.patch
new file mode 100644
index 0000000..fdbc060
--- /dev/null
+++ b/SOURCES/cryptsetup-2.7.0-Fix-init_by_name-to-allow-unknown-cipher-format-in-d.patch
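Review bot: The src/cryptsetup.h section declares `bool luks2_reencrypt_eligible(struct crypt_device *cd);`, but nothing in this patch defines or calls it, and the diffstat in the commit message does not list src/cryptsetup.h at all. If the definition comes from another patch in the series, a comment naming that patch would help; otherwise the prototype should be dropped from the backport so the header does not advertise a function that may not link. In `LUKS2_activate()` the added `crypt_get_cipher(cd)` check is the only guard shown before `crypt_get_cipher_spec(cd)` is handed to `dm_crypt_target_set()`, so its comment could say that a NULL result is how an unparseable cipher spec in the header shows up (as the commit message implies). In tests/compat-test2 the `dmsetup create` line has no `|| fail`, so a failed table load only surfaces through the later `status` check.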
@@ -0,0 +1,52 @@
+From 53aa5f6c4f7439db1b25846597fb5603870ba55e Mon Sep 17 00:00:00 2001
+From: Milan Broz
+Date: Mon, 5 Jun 2023 16:02:06 +0200
+Subject: [PATCH] Fix init_by_name to allow unknown cipher format in dm-crypt
+ as null context.
+
+Deactivation code should deactivate dm-crypt device even if it is unknown
+for libcryptsetup. Previous fix for cipher specification was too strict.
+
+Let's allow initialization as null context, that allow status and
+deactivate to be usable again.
+---
+ lib/setup.c | 6 ++++++
+ tests/mode-test | 5 ++---
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/lib/setup.c b/lib/setup.c
+index fd17be8c..786aa900 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -1276,6 +1276,12 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name)
+ r = crypt_parse_name_and_mode(tgt->type == DM_LINEAR ? "null" : tgt->u.crypt.cipher, cipher,
+ &key_nums, cipher_mode);
+ if (r < 0) {
++ /* Allow crypt null context with unknown cipher string */
++ if (tgt->type == DM_CRYPT && !tgt->u.crypt.integrity) {
++ crypt_set_null_type(cd);
++ r = 0;
++ goto out;
++ }
+ log_err(cd, _("No known cipher specification pattern detected for active device %s."), name);
+ goto out;
+ }
+diff --git a/tests/mode-test b/tests/mode-test
+index 4775751e..7f7f20a1 100755
+--- a/tests/mode-test
++++ b/tests/mode-test
+@@ -190,9 +190,8 @@ echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256
+ $CRYPTSETUP close "$DEV_NAME"_tstdev || fail
+ echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
+ dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail
+-$CRYPTSETUP status "$DEV_NAME"_tstdev >/dev/null 2>&1 && fail
+-$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null && fail
+-dmsetup remove "$DEV_NAME"_tstdev || fail
++$CRYPTSETUP status "$DEV_NAME"_tstdev 2>/dev/null | grep "type:" | grep -q "n/a" || fail
++$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null || fail
+ echo [OK]
+
+ cleanup
+--
+2.40.1
+
diff --git a/SOURCES/cryptsetup-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch b/SOURCES/cryptsetup-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch
new file mode 100644
index 0000000..19752ac
--- /dev/null
+++ b/SOURCES/cryptsetup-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch
@@ -0,0 +1,81 @@
+From 1f01eea60e38ac92aa05e4b95372d54b7b9095df Mon Sep 17 00:00:00 2001
+From: Milan Broz
+Date: Mon, 26 Jun 2023 13:25:59 +0200
+Subject: [PATCH 1/2] Fix reencryption to fail properly for unknown cipher.
+
+crypt_get_cipher and crypt_get_cipher mode can return NULL,
+check it in advance.
+---
+ src/utils_reencrypt.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: cryptsetup-2.3.7/src/cryptsetup.c
+===================================================================
+--- cryptsetup-2.3.7.orig/src/cryptsetup.c
++++ cryptsetup-2.3.7/src/cryptsetup.c
+@@ -2999,6 +2999,12 @@ static int action_encrypt_luks2(struct c
+ if (r < 0)
+ goto err;
+
++ if (!crypt_get_cipher(*cd)) {
++ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
++ r = -EINVAL;
++ goto err;
++ }
++
+ if (opt_data_shift) {
+ params.data_shift = imaxabs(opt_data_shift) / SECTOR_SIZE,
+ params.resilience = "datashift";
+@@ -3068,6 +3074,11 @@ static int action_decrypt_luks2(struct c
+ };
+ size_t passwordLen;
+
++ if (!crypt_get_cipher(cd)) {
++ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
++ return -EINVAL;
++ }
++
+ if (!crypt_get_metadata_device_name(cd) || !crypt_get_device_name(cd) ||
+ !strcmp(crypt_get_metadata_device_name(cd), crypt_get_device_name(cd))) {
+ log_err(_("LUKS2 decryption is supported with detached header device only."));
+@@ -3289,6 +3300,11 @@ static int action_reencrypt_luks2(struct
+ .luks2 = &luks2_params,
+ };
+
++ if (!crypt_get_cipher(cd)) {
++ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
++ return -EINVAL;
++ }
++
+ _set_reencryption_flags(¶ms.flags);
+
+ if (!opt_cipher && crypt_is_cipher_null(crypt_get_cipher(cd))) {
+Index: cryptsetup-2.3.7/src/cryptsetup_reencrypt.c
+===================================================================
+--- cryptsetup-2.3.7.orig/src/cryptsetup_reencrypt.c
++++ cryptsetup-2.3.7/src/cryptsetup_reencrypt.c
+@@ -185,6 +185,11 @@
static int set_reencrypt_requirement(con + crypt_persistent_flags_get(cd, CRYPT_FLAGS_REQUIREMENTS, &reqs)) + goto out; + ++ if (!crypt_get_cipher(cd)) { ++ log_err(_("No known cipher specification pattern detected in LUKS2 header.")); ++ goto out; ++ } ++ + /* reencrypt already in-progress */ + if (reqs & CRYPT_REQUIREMENT_OFFLINE_REENCRYPT) { + log_err(_("Reencryption already in-progress.")); +@@ -709,6 +714,12 @@ static int backup_luks_headers(struct re + (r = crypt_load(cd, CRYPT_LUKS, NULL))) + goto out; + ++ if (!crypt_get_cipher(cd)) { ++ log_err(_("No known cipher specification pattern detected in LUKS2 header.")); ++ r = -EINVAL; ++ goto out; ++ } ++ + if ((r = crypt_header_backup(cd, CRYPT_LUKS, rc->header_file_org))) + goto out; + if (isLUKS2(rc->type)) { diff --git a/SPECS/cryptsetup.spec b/SPECS/cryptsetup.spec index 1f790e7..9baa81b 100644 --- a/SPECS/cryptsetup.spec +++ b/SPECS/cryptsetup.spec @@ -5,7 +5,7 @@ Obsoletes: cryptsetup-python3 Summary: A utility for setting up encrypted disks Name: cryptsetup Version: 2.3.7 -Release: 5%{?dist} +Release: 7%{?dist} License: GPLv2+ and LGPLv2+ Group: Applications/System URL: https://gitlab.com/cryptsetup/cryptsetup @@ -19,6 +19,9 @@ Requires: libpwquality >= 1.2.0 %global upstream_version %{version} Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{upstream_version}.tar.xz +# binary archive with updated tests/conversion_imgs.tar.xz and tests/luks2_header_requirements.tar.xz +# for testing (can not be patched via rpmbuild) +Source1: tests.tar.xz # Following patch has to applied last Patch0: %{name}-add-system-library-paths.patch # Remove the patch when (if ever) osci infrastructure gets stable enough 
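Review bot: In the `set_reencrypt_requirement()` section (src/cryptsetup_reencrypt.c) the new `crypt_get_cipher(cd)` check does `goto out` without assigning `r`, while the same check in `backup_luks_headers()` and `action_encrypt_luks2()` sets `r = -EINVAL` first. Whether the function then reports an error depends on the value `r` holds at that point, which is declared outside the hunk; adding `r = -EINVAL;` before the `goto` would make the failure explicit. The identical check and message now appear five times in this patch, so a small shared helper would keep the sites from drifting apart. The commit message still names src/utils_reencrypt.c although the backport touches src/cryptsetup.c and src/cryptsetup_reencrypt.c.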
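Review bot: `Source1: tests.tar.xz` has no upstream URL and, as its comment says, is a binary archive; the `%setup ... -a 1` change further down unpacks it into the source tree, and the only integrity anchor visible in this commit is the 40-hex-digit digest added to .cryptsetup.metadata. The comment should record where the images came from and how the tarball was assembled, so the archive can be regenerated and compared instead of being trusted as-is, for example `# built from upstream cryptsetup <UPSTREAM-TAG-OR-COMMIT>; contents: <LIST-OF-TEST-IMAGES>` with the placeholders filled in by the packager.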
@@ -34,7 +37,13 @@ Patch9: %{name}-2.6.0-Move-cipher_dm2c-to-crypto-utilities.patch Patch10: %{name}-2.6.0-Code-cleanup.patch Patch11: %{name}-2.6.0-Copy-also-integrity-string-in-legacy-mode.patch Patch12: %{name}-2.6.0-Fix-internal-crypt-segment-compare-routine.patch -Patch13: %{name}-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch +Patch13: %{name}-2.6.0-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch +Patch14: %{name}-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch +Patch15: %{name}-2.7.0-Disallow-use-of-internal-kenrel-crypto-driver-names-.patch +Patch16: %{name}-2.7.0-Also-disallow-active-devices-with-internal-kernel-na.patch +Patch17: %{name}-2.7.0-Fix-init_by_name-to-allow-unknown-cipher-format-in-d.patch +Patch18: %{name}-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch +Patch19: %{name}-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch %description The cryptsetup package contains a utility for setting up @@ -89,7 +98,7 @@ This package contains cryptsetup-reencrypt utility which can be used for offline reencryption of disk in situ. %prep -%setup -q -n cryptsetup-%{upstream_version} +%setup -q -n cryptsetup-%{upstream_version} -a 1 %patch1 -p1 %patch2 -p1 %patch3 -p1 @@ -103,6 +112,12 @@ can be used for offline reencryption of disk in situ. %patch11 -p1 %patch12 -p1 %patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 %patch0 -p1 chmod -x misc/dracut_90reencrypt/* 
@@ -162,6 +177,19 @@ rm -rf %{buildroot}/%{_libdir}/*.la %clean %changelog +* Tue Jul 11 2023 Ondrej Kozina - 2.3.7-7 +- Rebuild due to missing CI environment +- Resolves: #2212772 #2193342 + +* Thu Jun 28 2023 Daniel Zatovic - 2.3.7-6 +- patch: Delegate FIPS mode detection to configured crypto backend +- patch: Disallow use of internal kenrel crypto driver names in "capi" +- patch: Also disallow active devices with internal kernel names +- patch: Fix init_by_name to allow unknown cipher format in dm-crypt +- patch: Fix reencryption to fail properly for unknown cipher +- patch: Fix activation of LUKS2 with capi format cipher and kernel +- Resolves: #2212772 #2193342 + * Tue Jan 10 2023 Daniel Zatovic - 2.3.7-5 - change cryptsetup-devel dependency from cryptsetup to cryptsetup-libs - Resolves: #2150254