import cryptsetup-2.6.0-2.el9

.cryptsetup.metadata

@@ -1,2 +1,2 @@
-1597b4642a9ef6b73ad191516f26bd2292055680 SOURCES/cryptsetup-2.4.3.tar.xz
+8098a06269c4268b0446b34f7b20e8fa6032e006 SOURCES/cryptsetup-2.6.0.tar.xz
-23cea5fef57d512c9e80c01c9ff76c641cb356b0 SOURCES/tests.tar.xz
+ae06fbc13edb47b59ba17eb8faff9959b5eefe93 SOURCES/tests.tar.xz

.gitignore

@@ -1,2 +1,2 @@
-SOURCES/cryptsetup-2.4.3.tar.xz
+SOURCES/cryptsetup-2.6.0.tar.xz
 SOURCES/tests.tar.xz

SOURCES/cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch

@@ -1,56 +0,0 @@
-From f671febe64d8f40cdcb1677a08436a8907ccbb7e Mon Sep 17 00:00:00 2001
-From: Ondrej Kozina <okozina@redhat.com>
-Date: Wed, 23 Feb 2022 12:27:57 +0100
-Subject: [PATCH 2/3] Add more tests for --test-passphrase parameter.
-
----
- tests/compat-test-args        |  4 ++++
- tests/luks2-reencryption-test | 18 ++++++++++++++++++
- 2 files changed, 22 insertions(+)
-
-diff --git a/tests/compat-test-args b/tests/compat-test-args
-index faeddd00..8bbe5563 100755
---- a/tests/compat-test-args
-+++ b/tests/compat-test-args
-@@ -258,6 +258,10 @@ exp_fail luksAddKey DEV --unbound --key-size 0
- exp_pass luksAddKey DEV --unbound --key-size 8
- exp_pass luksDump DEV --unbound -S5
- exp_fail luksDump DEV --unbound
-+exp_pass open DEV --unbound --test-passphrase
-+exp_pass open DEV --unbound --test-passphrase -S5
-+exp_fail open DEV --unbound NAME
-+exp_fail open DEV --unbound -S5 NAME
- 
- exp_fail resize NAME --refresh
- exp_fail open DEV NAME --test-passphrase --refresh
-diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
-index 6f156016..73818b5d 100755
---- a/tests/luks2-reencryption-test
-+++ b/tests/luks2-reencryption-test
-@@ -1606,5 +1606,23 @@ if [ -n "$DM_SECTOR_SIZE" ]; then
- 	reencrypt_recover_online 4096 journal $HASH1
- fi
- 
-+echo "[27] Verify test passphrase mode works with reencryption metadata"
-+echo $PWD1 | $CRYPTSETUP -S5 -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV || fail
-+echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $DEV || fail
-+echo $PWD1 | $CRYPTSETUP reencrypt --init-only $DEV || fail
-+echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail
-+
-+echo $PWD1 | $CRYPTSETUP -q luksFormat -S5 --header $IMG_HDR --type luks2 $FAST_PBKDF_ARGON $DEV || fail
-+echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $IMG_HDR || fail
-+echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --init-only --header $IMG_HDR $DEV || fail
-+echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail
-+
-+echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --init-only --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
-+echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail
-+
-+wipe_dev_head $DEV 1
-+echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 8M $FAST_PBKDF_ARGON $DEV || fail
-+echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail
-+
- remove_mapping
- exit 0
--- 
-2.27.0
-

SOURCES/cryptsetup-2.5.0-Do-not-use-too-small-key-in-tests.patch

@@ -1,45 +0,0 @@
-From 34f033b2549d95833270d657cf099ee4f6faff37 Mon Sep 17 00:00:00 2001
-From: Milan Broz <gmazyland@gmail.com>
-Date: Fri, 21 Jan 2022 09:55:34 +0100
-Subject: [PATCH 3/3] Do not use too small key in tests.
-
-Apparently FIPS mode enforces somewhere minimal key size.
-As 64bit key is no longer useful anyway, just remove it.
-
-Apparently cipher_null is now more safer with the longer key,
-isn't? :-)
----
- tests/align-test | 10 ----------
- 1 file changed, 10 deletions(-)
-
-diff --git a/tests/align-test b/tests/align-test
-index 9ae606ca..a00103c2 100755
---- a/tests/align-test
-+++ b/tests/align-test
-@@ -262,11 +262,6 @@ cleanup
- echo "# Offset check: 512B sector drive"
- add_device dev_size_mb=16 sector_size=512 num_tgts=1
- #           |k| expO reqO expected slot offsets
--format_null  64 2048    0 8:72:136:200:264:328:392:456
--format_null  64  520    1
--format_null  64  520    8
--format_null  64  640  128
--format_null  64 2048 2048
- format_null 128 2048    0 8:136:264:392:520:648:776:904
- format_null 128 1032    1
- format_null 128 1032    8
-@@ -286,11 +281,6 @@ cleanup
- 
- echo "# Offset check: 4096B sector drive"
- add_device dev_size_mb=16 sector_size=4096 num_tgts=1 opt_blks=64
--format_null  64 2048    0 8:72:136:200:264:328:392:456
--format_null  64  520    1
--format_null  64  520    8
--format_null  64  640  128
--format_null  64 2048 2048
- format_null 128 2048    0 8:136:264:392:520:648:776:904
- format_null 128 1032    1
- format_null 128 1032    8
--- 
-2.27.0
-

SOURCES/cryptsetup-2.5.0-Fix-PBKDF-benchmark-in-OpenSSL3-FIPS-mode.patch

@@ -1,47 +0,0 @@
-From 05a237be2a6c7a342fb5aba4433aec487a08317f Mon Sep 17 00:00:00 2001
-From: Milan Broz <gmazyland@gmail.com>
-Date: Fri, 21 Jan 2022 09:47:13 +0100
-Subject: [PATCH 1/3] Fix PBKDF benchmark in OpenSSL3 FIPS mode.
-
-OpenSSL now enforces minimal parameters for PBKDF2 according to SP 800-132
-key length (112 bits), minimal salt length (128 bits) and minimal number
-of iterations (1000).
-
-Our benchmark violates this, causeing cryptsetup misbehave for luksFormat.
-
-Just inrease tet salt to 16 bytes here, it will little bit influence benchmark,
-but there is no way back.
----
- lib/utils_benchmark.c | 2 +-
- src/cryptsetup.c      | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/lib/utils_benchmark.c b/lib/utils_benchmark.c
-index 7a9736d8..24e7bccc 100644
---- a/lib/utils_benchmark.c
-+++ b/lib/utils_benchmark.c
-@@ -184,7 +184,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd,
- 		pbkdf->parallel_threads = 0; /* N/A in PBKDF2 */
- 		pbkdf->max_memory_kb = 0; /* N/A in PBKDF2 */
- 
--		r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3, "bar", 3,
-+		r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3, "01234567890abcdef", 16,
- 					volume_key_size, &benchmark_callback, &u);
- 		pbkdf->time_ms = ms_tmp;
- 		if (r < 0) {
-diff --git a/src/cryptsetup.c b/src/cryptsetup.c
-index e529b7ac..37d35c92 100644
---- a/src/cryptsetup.c
-+++ b/src/cryptsetup.c
-@@ -860,7 +860,7 @@ static int action_benchmark_kdf(const char *kdf, const char *hash, size_t key_si
- 			.time_ms = 1000,
- 		};
- 
--		r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3, "bar", 3, key_size,
-+		r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3, "0123456789abcdef", 16, key_size,
- 					&benchmark_callback, &pbkdf);
- 		if (r < 0)
- 			log_std(_("PBKDF2-%-9s     N/A\n"), hash);
--- 
-2.27.0
-

SOURCES/cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch

@@ -1,106 +0,0 @@
-diff -rupN cryptsetup-2.4.3.old/man/cryptsetup.8 cryptsetup-2.4.3/man/cryptsetup.8
---- cryptsetup-2.4.3.old/man/cryptsetup.8	2022-02-23 16:33:42.449525744 +0100
-+++ cryptsetup-2.4.3/man/cryptsetup.8	2022-02-24 08:57:43.036396289 +0100
-@@ -321,7 +321,8 @@ the command prompts for it interactively
- \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase,
- \-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id,
- \-\-token\-only, \-\-token-type, \-\-disable\-external\-tokens, \-\-disable\-keyring,
--\-\-disable\-locks, \-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf].
-+\-\-disable\-locks, \-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf,
-+\-\-unbound].
- .PP
- \fIluksSuspend\fR <name>
- .IP
-@@ -1465,10 +1466,14 @@ aligned to page size and page-cache init
- integrity tag.
- .TP
- .B "\-\-unbound"
--
- Creates new or dumps existing LUKS2 unbound keyslot. See \fIluksAddKey\fR or
- \fIluksDump\fR actions for more details.
- 
-+When used in \fIluksOpen\fR action (allowed only together with
-+\-\-test\-passphrase parameter), it allows to test passphrase for unbound LUKS2
-+keyslot. Otherwise, unbound keyslot passphrase can be tested only when specific
-+keyslot is selected via \-\-key\-slot parameter.
-+
- .TP
- .B "\-\-tcrypt\-hidden"
- .B "\-\-tcrypt\-system"
-diff -rupN cryptsetup-2.4.3.old/src/cryptsetup_args.h cryptsetup-2.4.3/src/cryptsetup_args.h
---- cryptsetup-2.4.3.old/src/cryptsetup_args.h	2022-02-23 16:33:42.450525749 +0100
-+++ cryptsetup-2.4.3/src/cryptsetup_args.h	2022-02-24 08:57:43.036396289 +0100
-@@ -75,7 +75,7 @@
- #define OPT_TCRYPT_HIDDEN_ACTIONS		{ OPEN_ACTION, TCRYPTDUMP_ACTION }
- #define OPT_TCRYPT_SYSTEM_ACTIONS		{ OPEN_ACTION, TCRYPTDUMP_ACTION }
- #define OPT_TEST_PASSPHRASE_ACTIONS		{ OPEN_ACTION }
--#define OPT_UNBOUND_ACTIONS			{ ADDKEY_ACTION, LUKSDUMP_ACTION }
-+#define OPT_UNBOUND_ACTIONS			{ ADDKEY_ACTION, LUKSDUMP_ACTION, OPEN_ACTION }
- #define OPT_USE_RANDOM_ACTIONS			{ FORMAT_ACTION }
- #define OPT_USE_URANDOM_ACTIONS			{ FORMAT_ACTION }
- #define OPT_UUID_ACTIONS			{ FORMAT_ACTION, UUID_ACTION }
-diff -rupN cryptsetup-2.4.3.old/src/cryptsetup.c cryptsetup-2.4.3/src/cryptsetup.c
---- cryptsetup-2.4.3.old/src/cryptsetup.c	2022-02-23 16:33:42.450525749 +0100
-+++ cryptsetup-2.4.3/src/cryptsetup.c	2022-02-24 08:57:43.036396289 +0100
-@@ -140,7 +140,8 @@ static void _set_activation_flags(uint32
- 		*flags |= CRYPT_ACTIVATE_IGNORE_PERSISTENT;
- 
- 	/* Only for LUKS2 but ignored elsewhere */
--	if (ARG_SET(OPT_TEST_PASSPHRASE_ID))
-+	if (ARG_SET(OPT_TEST_PASSPHRASE_ID) &&
-+	    (ARG_SET(OPT_KEY_SLOT_ID) || ARG_SET(OPT_UNBOUND_ID)))
- 		*flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY;
- 
- 	if (ARG_SET(OPT_SERIALIZE_MEMORY_HARD_PBKDF_ID))
-@@ -3982,6 +3983,18 @@ int main(int argc, const char **argv)
- 		_("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."),
- 		poptGetInvocationName(popt_context));
- 
-+	if (ARG_SET(OPT_UNBOUND_ID) && !strcmp(aname, OPEN_ACTION) && device_type &&
-+	    strncmp(device_type, "luks", 4))
-+		usage(popt_context, EXIT_FAILURE,
-+		_("Option --unbound is allowed only for open of luks device."),
-+		poptGetInvocationName(popt_context));
-+
-+	if (ARG_SET(OPT_UNBOUND_ID) && !ARG_SET(OPT_TEST_PASSPHRASE_ID) &&
-+	    !strcmp(aname, OPEN_ACTION))
-+		usage(popt_context, EXIT_FAILURE,
-+		_("Option --unbound cannot be used without --test-passphrase."),
-+		poptGetInvocationName(popt_context));
-+
- 	if (ARG_SET(OPT_TCRYPT_HIDDEN_ID) && ARG_SET(OPT_ALLOW_DISCARDS_ID))
- 		usage(popt_context, EXIT_FAILURE,
- 		_("Option --tcrypt-hidden cannot be combined with --allow-discards."),
-diff -rupN cryptsetup-2.4.3.old/tests/compat-test2 cryptsetup-2.4.3/tests/compat-test2
---- cryptsetup-2.4.3.old/tests/compat-test2	2022-02-23 16:33:42.444525716 +0100
-+++ cryptsetup-2.4.3/tests/compat-test2	2022-02-24 09:05:38.716422307 +0100
-@@ -699,7 +699,7 @@ $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOP
- # otoh it should be allowed to test for proper passphrase
- prepare "" new
- echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
--echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
-+echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
- echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
- [ -b /dev/mapper/$DEV_NAME ] && fail
- echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
-@@ -708,7 +708,7 @@ echo $PWD0 | $CRYPTSETUP open -S1 --test
- $CRYPTSETUP luksKillSlot -q $HEADER_KEYU 0
- $CRYPTSETUP luksDump $HEADER_KEYU | grep -q "0: luks2" && fail
- echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
--echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
-+echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
- echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
- 
- prepare "[28] Detached LUKS header" wipe
-@@ -967,11 +967,9 @@ echo $PWD3 | $CRYPTSETUP -q luksAddKey -
- # do not allow to replace keyslot by unbound slot
- echo $PWD1 | $CRYPTSETUP -q luksAddKey -S5 --unbound -s 32 $LOOPDEV 2>/dev/null && fail
- echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
--echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
- echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV $DEV_NAME 2> /dev/null && fail
- echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV --test-passphrase || fail
- echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
--echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
- # check we're able to change passphrase for unbound keyslot
- echo -e "$PWD2\n$PWD3" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
- echo $PWD3 | $CRYPTSETUP open --test-passphrase $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail

SOURCES/cryptsetup-2.5.0-Fix-typo-in-repair-prompt.patch

@@ -1,12 +0,0 @@
-diff -rupN cryptsetup-2.4.3.old/src/cryptsetup.c cryptsetup-2.4.3/src/cryptsetup.c
---- cryptsetup-2.4.3.old/src/cryptsetup.c	2022-01-21 13:14:56.864817351 +0100
-+++ cryptsetup-2.4.3/src/cryptsetup.c	2022-01-21 13:15:15.579947027 +0100
-@@ -1188,7 +1188,7 @@ static int reencrypt_metadata_repair(str
- 		       _("Operation aborted.\n")))
- 		return -EINVAL;
- 
--	r = tools_get_key(_("Enter passphrase to protect and uppgrade reencryption metadata: "),
-+	r = tools_get_key(_("Enter passphrase to protect and upgrade reencryption metadata: "),
- 			  &password, &passwordLen, ARG_UINT64(OPT_KEYFILE_OFFSET_ID),
- 			  ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_TIMEOUT_ID),
- 			  _verify_passphrase(0), 0, cd);

SOURCES/cryptsetup-2.5.0-Get-rid-of-SHA1-in-tests.patch

@@ -1,441 +0,0 @@
-diff -rupN cryptsetup-2.4.3.old/tests/api-test.c cryptsetup-2.4.3/tests/api-test.c
---- cryptsetup-2.4.3.old/tests/api-test.c	2022-02-17 16:37:09.535345938 +0100
-+++ cryptsetup-2.4.3/tests/api-test.c	2022-02-17 16:37:29.156459763 +0100
-@@ -312,7 +312,7 @@ static int _setup(void)
- static void AddDevicePlain(void)
- {
- 	struct crypt_params_plain params = {
--		.hash = "sha1",
-+		.hash = "sha256",
- 		.skip = 0,
- 		.offset = 0,
- 		.size = 0
-@@ -322,7 +322,7 @@ static void AddDevicePlain(void)
- 
- 	const char *passphrase = PASSPHRASE;
- 	// hashed hex version of PASSPHRASE
--	const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
-+	const char *mk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea";
- 	size_t key_size = strlen(mk_hex) / 2;
- 	const char *cipher = "aes";
- 	const char *cipher_mode = "cbc-essiv:sha256";
-@@ -438,7 +438,7 @@ static void AddDevicePlain(void)
- 	OK_(crypt_deactivate(cd,CDEVICE_1));
- 
- 	CRYPT_FREE(cd);
--	params.hash = "sha1";
-+	params.hash = "sha256";
- 	params.offset = 0;
- 	params.size = 0;
- 	params.skip = 0;
-@@ -620,7 +620,7 @@ static void new_log(int level, const cha
- static void CallbacksTest(void)
- {
- 	struct crypt_params_plain params = {
--		.hash = "sha1",
-+		.hash = "sha256",
- 		.skip = 0,
- 		.offset = 0,
- 	};
-@@ -1116,7 +1116,7 @@ static void LuksHeaderRestore(void)
- 		.data_alignment = 2048, // 4M, data offset will be 4096
- 	};
- 	struct crypt_params_plain pl_params = {
--		.hash = "sha1",
-+		.hash = "sha256",
- 		.skip = 0,
- 		.offset = 0,
- 		.size = 0
-@@ -1203,7 +1203,7 @@ static void LuksHeaderLoad(void)
- 		.data_alignment = 2048,
- 	};
- 	struct crypt_params_plain pl_params = {
--		.hash = "sha1",
-+		.hash = "sha256",
- 		.skip = 0,
- 		.offset = 0,
- 		.size = 0
-diff -rupN cryptsetup-2.4.3.old/tests/api-test-2.c cryptsetup-2.4.3/tests/api-test-2.c
---- cryptsetup-2.4.3.old/tests/api-test-2.c	2022-02-17 16:37:09.535345938 +0100
-+++ cryptsetup-2.4.3/tests/api-test-2.c	2022-02-17 16:37:29.155459758 +0100
-@@ -1232,7 +1232,7 @@ static void Luks2HeaderRestore(void)
- 		.sector_size = 512
- 	};
- 	struct crypt_params_plain pl_params = {
--		.hash = "sha1",
-+		.hash = "sha256",
- 		.skip = 0,
- 		.offset = 0,
- 		.size = 0
-@@ -1242,7 +1242,7 @@ static void Luks2HeaderRestore(void)
- 	};
- 	uint32_t flags = 0;
- 
--	const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
-+	const char *mk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea";
- 	size_t key_size = strlen(mk_hex) / 2;
- 	const char *cipher = "aes";
- 	const char *cipher_mode = "cbc-essiv:sha256";
-@@ -1337,7 +1337,7 @@ static void Luks2HeaderLoad(void)
- 		.sector_size = 512
- 	};
- 	struct crypt_params_plain pl_params = {
--		.hash = "sha1",
-+		.hash = "sha256",
- 		.skip = 0,
- 		.offset = 0,
- 		.size = 0
-@@ -2142,7 +2142,7 @@ static void LuksConvert(void)
- 		.parallel_threads = 1
- 	}, pbkdf2 = {
- 		.type = CRYPT_KDF_PBKDF2,
--		.hash = "sha1",
-+		.hash = "sha256",
- 		.time_ms = 1
- 	};
- 
-@@ -2675,7 +2675,7 @@ static void Pbkdf(void)
- 		.hash = default_luks1_hash
- 	};
- 	struct crypt_params_plain params = {
--		.hash = "sha1",
-+		.hash = "sha256",
- 		.skip = 0,
- 		.offset = 0,
- 		.size = 0
-@@ -2874,11 +2874,11 @@ static void Pbkdf(void)
- 	pbkdf2.time_ms = 9;
- 	pbkdf2.hash = NULL;
- 	FAIL_(crypt_set_pbkdf_type(cd, &pbkdf2), "Hash is mandatory for pbkdf2");
--	pbkdf2.hash = "sha1";
-+	pbkdf2.hash = "sha256";
- 	OK_(crypt_set_pbkdf_type(cd, &pbkdf2));
- 
- 	argon2.time_ms = 9;
--	argon2.hash = "sha1"; // will be ignored
-+	argon2.hash = "sha256"; // will be ignored
- 	OK_(crypt_set_pbkdf_type(cd, &argon2));
- 	argon2.hash = NULL;
- 	OK_(crypt_set_pbkdf_type(cd, &argon2));
-@@ -3839,7 +3839,7 @@ static void Luks2Reencryption(void)
- 	struct crypt_params_reencrypt retparams = {}, rparams = {
- 		.direction = CRYPT_REENCRYPT_FORWARD,
- 		.resilience = "checksum",
--		.hash = "sha1",
-+		.hash = "sha256",
- 		.luks2 = &params2,
- 	};
- 	dev_t devno;
-@@ -3983,7 +3983,7 @@ static void Luks2Reencryption(void)
- 	rparams.hash = "hamSter";
- 	FAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 21, 9, "aes", "xts-plain64", &rparams), "Invalid resilience hash.");
- 
--	rparams.hash = "sha1";
-+	rparams.hash = "sha256";
- 	OK_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 21, 9, "aes", "xts-plain64", &rparams));
- 	OK_(crypt_reencrypt_run(cd, NULL, NULL));
- 
-diff -rupN cryptsetup-2.4.3.old/tests/compat-test cryptsetup-2.4.3/tests/compat-test
---- cryptsetup-2.4.3.old/tests/compat-test	2022-02-17 16:37:09.541345973 +0100
-+++ cryptsetup-2.4.3/tests/compat-test	2022-02-17 16:37:29.157459769 +0100
-@@ -302,8 +302,8 @@ $CRYPTSETUP -q luksUUID $IMG | grep -q $
- prepare	"[1] open - compat image - acceptance check" new
- echo $PWD0 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
- check_exists
--ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
--[ "$ORG_SHA1" = 676062b66ebf36669dab705442ea0762dfc091b0 ] || fail
-+ORG_SHA256=$(sha256sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
-+[ "$ORG_SHA256" = 7428e8f2436882a07eb32765086f5c899474c08b5576f556b573d2aabdf923e8 ] || fail
- $CRYPTSETUP -q luksClose  $DEV_NAME || fail
- 
- # Check it can be opened from header backup as well
-@@ -315,6 +315,7 @@ $CRYPTSETUP -q luksClose  $DEV_NAME || f
- $CRYPTSETUP luksHeaderRestore -q $IMG --header-backup-file $HEADER_IMG || fail
- 
- # Repeat for V1.0 header - not aligned first keyslot
-+if [ ! fips_mode ] ; then
- echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME || fail
- check_exists
- ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
-@@ -326,6 +327,7 @@ $CRYPTSETUP luksHeaderBackup $IMG10 --he
- echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME --header $HEADER_IMG || fail
- check_exists
- $CRYPTSETUP -q luksClose  $DEV_NAME || fail
-+fi
- 
- prepare "[2] open - compat image - denial check" new
- echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
-@@ -526,7 +528,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q
- 
- prepare "[19] create & status & resize" wipe
- echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash xxx 2>/dev/null && fail
--echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail
-+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail
- $CRYPTSETUP -q status  $DEV_NAME | grep "offset:" | grep -q "3 sectors" || fail
- $CRYPTSETUP -q status  $DEV_NAME | grep "skipped:" | grep -q "4 sectors" || fail
- $CRYPTSETUP -q status  $DEV_NAME | grep "mode:" | grep -q "readonly" || fail
-@@ -546,15 +548,15 @@ $CRYPTSETUP -q resize  $DEV_NAME || fail
- $CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "32765 sectors" || fail
- $CRYPTSETUP -q remove  $DEV_NAME || fail
- $CRYPTSETUP -q status  $DEV_NAME >/dev/null && fail
--echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail
-+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail
- $CRYPTSETUP -q remove  $DEV_NAME || fail
--echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 $LOOPDEV || fail
-+echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 $LOOPDEV || fail
- $CRYPTSETUP -q remove  $DEV_NAME || fail
--echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 --size 100 $LOOPDEV || fail
-+echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 --size 100 $LOOPDEV || fail
- $CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
- $CRYPTSETUP -q remove  $DEV_NAME || fail
- # 4k sector resize (if kernel supports it)
--echo $PWD1 | $CRYPTSETUP -q open --type plain $LOOPDEV $DEV_NAME --sector-size 4096 --size 8  >/dev/null 2>&1
-+echo $PWD1 | $CRYPTSETUP -q open --type plain --hash sha256 $LOOPDEV $DEV_NAME --sector-size 4096 --size 8  >/dev/null 2>&1
- if [ $? -eq 0 ] ; then
- 	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "8 sectors" || fail
- 	$CRYPTSETUP -q resize  $DEV_NAME --size 16 || fail
-@@ -567,7 +569,7 @@ if [ $? -eq 0 ] ; then
- fi
- # Resize not aligned to logical block size
- add_scsi_device dev_size_mb=32 sector_size=4096
--echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV || fail
-+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV || fail
- OLD_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/')
- $CRYPTSETUP resize $DEV_NAME -b 7 2> /dev/null && fail
- dmsetup info $DEV_NAME | grep -q SUSPENDED && fail
-@@ -575,10 +577,10 @@ NEW_SIZE=$($CRYPTSETUP status $DEV_NAME
- test $OLD_SIZE -eq $NEW_SIZE || fail
- $CRYPTSETUP close $DEV_NAME || fail
- # Add check for unaligned plain crypt activation
--echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV -b 7 2>/dev/null && fail
-+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV -b 7 2>/dev/null && fail
- $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail
- # verify is ignored on non-tty input
--echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --verify-passphrase 2>/dev/null || fail
-+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --verify-passphrase 2>/dev/null || fail
- $CRYPTSETUP -q remove  $DEV_NAME || fail
- $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size 255 2>/dev/null && fail
- $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size -1 2>/dev/null && fail
-@@ -695,15 +697,15 @@ $CRYPTSETUP luksChangeKey $LOOPDEV $FAST
- dmsetup remove --retry $DEV_NAME2
- 
- prepare "[25] Create shared segments" wipe
--echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV  --hash sha1 --offset   0 --size 256 || fail
--echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 2>/dev/null && fail
--echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 --shared || fail
-+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV  --hash sha256 --offset   0 --size 256 || fail
-+echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 2>/dev/null && fail
-+echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 --shared || fail
- $CRYPTSETUP -q remove  $DEV_NAME2 || fail
- $CRYPTSETUP -q remove  $DEV_NAME || fail
- 
- prepare "[26] Suspend/Resume" wipe
- # only LUKS is supported
--echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail
-+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail
- $CRYPTSETUP luksSuspend $DEV_NAME 2>/dev/null && fail
- $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
- $CRYPTSETUP -q remove  $DEV_NAME || fail
-diff -rupN cryptsetup-2.4.3.old/tests/compat-test2 cryptsetup-2.4.3/tests/compat-test2
---- cryptsetup-2.4.3.old/tests/compat-test2	2022-02-17 16:37:09.541345973 +0100
-+++ cryptsetup-2.4.3/tests/compat-test2	2022-02-17 16:37:29.158459775 +0100
-@@ -774,7 +774,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q
- $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
- $CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail
- # hash test
--$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha1 || fail
-+$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha512 || fail
- $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 --hash sha256 || fail
- $CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail
- $CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail
-diff -rupN cryptsetup-2.4.3.old/tests/discards-test cryptsetup-2.4.3/tests/discards-test
---- cryptsetup-2.4.3.old/tests/discards-test	2022-02-17 16:37:09.541345973 +0100
-+++ cryptsetup-2.4.3/tests/discards-test	2022-02-17 16:37:29.158459775 +0100
-@@ -80,7 +80,7 @@ dmsetup table $DEV_NAME | grep allow_dis
- $CRYPTSETUP luksClose $DEV_NAME || fail
- 
- echo "[2] Allowing discards for plain device"
--echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha1 --allow-discards || fail
-+echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha256 --allow-discards || fail
- $CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail
- $CRYPTSETUP resize $DEV_NAME --size 100 || fail
- $CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail
-diff -rupN cryptsetup-2.4.3.old/tests/integrity-compat-test cryptsetup-2.4.3/tests/integrity-compat-test
---- cryptsetup-2.4.3.old/tests/integrity-compat-test	2022-02-17 16:37:09.542345979 +0100
-+++ cryptsetup-2.4.3/tests/integrity-compat-test	2022-02-17 16:37:29.159459781 +0100
-@@ -168,7 +168,7 @@ intformat() # alg alg_out tagsize outtag
- 	echo -n "[FORMAT]"
- 	$INTSETUP format --integrity-legacy-padding -q --integrity $1 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV >/dev/null 2>&1
- 	if [ $? -ne 0 ] ; then
--		if [[ $1 =~ "sha" || $1 =~ "crc" ]] ; then
-+		if [[ $1 =~ "sha2" || $1 =~ "crc" ]] ; then
- 			fail "Cannot format device."
- 		fi
- 		echo "[N/A]"
-@@ -214,7 +214,14 @@ int_error_detection() # mode alg tagsize
- 
- 	echo -n "[INTEGRITY:$1:$2:$4:$5]"
- 	echo -n "[FORMAT]"
--	$INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null || fail "Cannot format device."
-+	$INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null 2>&1
-+	if [ $? -ne 0 ] ; then
-+		if [[ $2 =~ "sha2" || $2 =~ "crc" ]] ; then
-+			fail "Cannot format device."
-+		fi
-+		echo "[N/A]"
-+		return
-+	fi
- 	echo -n "[ACTIVATE]"
- 	$INTSETUP open $DEV $DEV_NAME --integrity $2 --integrity-no-journal $KEY_PARAMS $INT_MODE || fail "Cannot activate device."
- 
-diff -rupN cryptsetup-2.4.3.old/tests/keyring-compat-test cryptsetup-2.4.3/tests/keyring-compat-test
---- cryptsetup-2.4.3.old/tests/keyring-compat-test	2022-02-17 16:37:09.542345979 +0100
-+++ cryptsetup-2.4.3/tests/keyring-compat-test	2022-02-17 16:39:07.132028140 +0100
-@@ -119,7 +119,7 @@ add_device() {
- which dmsetup >/dev/null 2>&1 || skip "Cannot find dmsetup, test skipped"
- which keyctl >/dev/null 2>&1 || skip "Cannot find keyctl, test skipped"
- which xxd >/dev/null 2>&1 || skip "Cannot find xxd, test skipped"
--which sha1sum > /dev/null 2>&1 || skip "Cannot find sha1sum, test skipped"
-+which sha256sum >/dev/null 2>&1 || skip "Cannot find sha256sum, test skipped"
- modprobe dm-crypt >/dev/null 2>&1 || fail "dm-crypt failed to load"
- dm_crypt_keyring_support || skip "dm-crypt doesn't support kernel keyring, test skipped."
- 
-@@ -132,23 +132,23 @@ dd if=/dev/urandom of=$DEV bs=1M count=$
- #test aes cipher with xts mode, plain IV
- echo -n "Testing $CIPHER_XTS_PLAIN..."
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail
--sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
- dmsetup remove --retry $NAME || fail
- load_key "$HEXKEY_32" logon  $LOGON_KEY_32_OK "$TEST_KEYRING" || fail "Cannot load 32 byte logon key type"
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN :32:logon:$LOGON_KEY_32_OK 0 $DEV 0" || fail
--sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
- dmsetup remove --retry $NAME || fail
- diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
- # same test using message
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail
--sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
- dmsetup remove --retry $NAME || fail
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail
- dmsetup suspend $NAME || fail
- dmsetup message $NAME 0 key wipe || fail
- dmsetup message $NAME 0 "key set :32:logon:$LOGON_KEY_32_OK" || fail
- dmsetup resume $NAME || fail
--sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
- dmsetup remove --retry $NAME || fail
- diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
- echo "OK"
-@@ -156,23 +156,23 @@ echo "OK"
- #test aes cipher, xts mode, essiv IV
- echo -n "Testing $CIPHER_CBC_ESSIV..."
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail
--sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
- dmsetup remove --retry $NAME || fail
- load_key "$HEXKEY_16" logon  $LOGON_KEY_16_OK "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type"
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV :16:logon:$LOGON_KEY_16_OK 0 $DEV 0" || fail
--sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
- dmsetup remove --retry $NAME || fail
- diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
- # same test using message
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail
--sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
- dmsetup remove --retry $NAME || fail
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail
- dmsetup suspend $NAME || fail
- dmsetup message $NAME 0 key wipe || fail
- dmsetup message $NAME 0 "key set :16:logon:$LOGON_KEY_16_OK" || fail
- dmsetup resume $NAME || fail
--sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
- dmsetup remove --retry $NAME || fail
- diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
- echo "OK"
-@@ -181,23 +181,23 @@ echo "OK"
- fips_mode || {
- echo -n "Testing $CIPHER_CBC_TCW..."
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
--sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
- dmsetup remove --retry $NAME || fail
- load_key "$HEXKEY_64" logon  $LOGON_KEY_64_OK "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type"
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW :64:logon:$LOGON_KEY_64_OK 0 $DEV 0" || fail
--sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
- dmsetup remove --retry $NAME || fail
- diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksum mismatch (corruption)"
- # same test using message
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
--sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
- dmsetup remove --retry $NAME || fail
- dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
- dmsetup suspend $NAME || fail
- dmsetup message $NAME 0 key wipe || fail
- dmsetup message $NAME 0 "key set :64:logon:$LOGON_KEY_64_OK" || fail
- dmsetup resume $NAME || fail
--sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
-+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
- dmsetup remove --retry $NAME || fail
- diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
- echo "OK"
-@@ -207,10 +207,10 @@ echo -n "Test LUKS2 key refresh..."
- echo $PWD | $CRYPTSETUP luksFormat --type luks2 --luks2-metadata-size 16k --luks2-keyslots-size 4064k --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --force-password $DEV || fail
- echo $PWD | $CRYPTSETUP open $DEV $NAME || fail
- $CRYPTSETUP status $NAME | grep -q -i "location:.*keyring" || skip "LUKS2 can't use keyring. Test skipped."
--dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha1sum > $CHKS_KEYRING || fail
-+dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha256sum > $CHKS_KEYRING || fail
- echo $PWD | $CRYPTSETUP refresh $NAME --disable-keyring || fail
- $CRYPTSETUP status $NAME | grep -q -i "location:.*keyring" && fail "Key is still in keyring"
--dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha1sum > $CHKS_DMCRYPT || fail
-+dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha256sum > $CHKS_DMCRYPT || fail
- diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksum mismatch (corruption)"
- echo "OK"
- 
-diff -rupN cryptsetup-2.4.3.old/tests/password-hash-test cryptsetup-2.4.3/tests/password-hash-test
---- cryptsetup-2.4.3.old/tests/password-hash-test	2022-02-17 16:37:09.541345973 +0100
-+++ cryptsetup-2.4.3/tests/password-hash-test	2022-02-17 16:37:29.160459787 +0100
-@@ -75,7 +75,7 @@ crypt_key() # hash keysize pwd/file name
- 	esac
- 
- 	# ignore these cases, not all libs/kernel supports it
--	if [ "$1" != "sha1" -a "$1" != "sha256" ] || [ $2 -gt 256 ] ; then
-+	if [ "$1" != "sha256" ] || [ $2 -gt 256 ] ; then
- 		if [ $ret -ne 0 ] ; then
- 			echo " [N/A] ($ret, SKIPPED)"
- 			return
-diff -rupN cryptsetup-2.4.3.old/tests/reencryption-compat-test cryptsetup-2.4.3/tests/reencryption-compat-test
---- cryptsetup-2.4.3.old/tests/reencryption-compat-test	2022-02-17 16:37:09.541345973 +0100
-+++ cryptsetup-2.4.3/tests/reencryption-compat-test	2022-02-17 16:37:29.160459787 +0100
-@@ -338,7 +338,7 @@ simple_scsi_reenc "[4096/512 sector]"
- echo "[OK]"
- 
- echo "[8] Header only reencryption (hash and iteration time)"
--echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha1 $FAST_PBKDF $LOOPDEV1 || fail
-+echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha512 $FAST_PBKDF $LOOPDEV1 || fail
- wipe $PWD1
- check_hash $PWD1 $HASH1
- echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key || fail
-diff -rupN cryptsetup-2.4.3.old/tests/verity-compat-test cryptsetup-2.4.3/tests/verity-compat-test
---- cryptsetup-2.4.3.old/tests/verity-compat-test	2022-02-17 16:37:09.541345973 +0100
-+++ cryptsetup-2.4.3/tests/verity-compat-test	2022-02-17 16:37:29.161459793 +0100
-@@ -148,7 +148,13 @@ function check_root_hash() # $1 size, $2
- 	for fail in data hash; do
- 	wipe
- 	echo -n "V$4(sb=$sb root_hash_as_file=$root_hash_as_file) $5 block size $1: "
--	$VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT || fail
-+	$VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT
-+	if [ $? -ne 0 ] ; then
-+		if [[ $1 =~ "sha2" ]] ; then
-+			fail "Cannot format device."
-+		fi
-+		return
-+	fi
- 
- 	echo -n "[root hash]"
- 	compare_out "root hash" $2

SOURCES/cryptsetup-2.5.1-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch

@@ -1,364 +0,0 @@
-diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_backend.h cryptsetup-2.4.3/lib/crypto_backend/crypto_backend.h
---- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_backend.h	2022-01-13 10:14:51.000000000 +0100
-+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_backend.h	2022-08-10 17:04:13.727162964 +0200
-@@ -134,5 +134,8 @@ static inline void crypt_backend_memzero
- 	while(n--) *p++ = 0;
- #endif
- }
-+ 
-+/* crypto backend running in FIPS mode */
-+bool crypt_fips_mode(void);
- 
- #endif /* _CRYPTO_BACKEND_H */
-diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_gcrypt.c cryptsetup-2.4.3/lib/crypto_backend/crypto_gcrypt.c
---- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_gcrypt.c	2022-01-13 10:14:51.000000000 +0100
-+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_gcrypt.c	2022-08-10 17:06:28.163895662 +0200
-@@ -550,3 +550,20 @@ out:
- 	return -ENOTSUP;
- #endif
- }
-+
-+#if !ENABLE_FIPS
-+bool crypt_fips_mode(void) { return false; }
-+#else
-+bool crypt_fips_mode(void)
-+{
-+	static bool fips_mode = false, fips_checked = false;
-+
-+	if (fips_checked)
-+		return fips_mode;
-+
-+	fips_mode = gcry_fips_mode_active();
-+	fips_checked = true;
-+
-+	return fips_mode;
-+}
-+#endif /* ENABLE FIPS */
-diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_kernel.c cryptsetup-2.4.3/lib/crypto_backend/crypto_kernel.c
---- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_kernel.c	2022-01-13 10:14:51.000000000 +0100
-+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_kernel.c	2022-08-10 17:07:06.720105794 +0200
-@@ -416,3 +416,8 @@ int crypt_bitlk_decrypt_key(const void *
- 	return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
- 					      iv, iv_length, tag, tag_length);
- }
-+
-+bool crypt_fips_mode(void)
-+{
-+	return false;
-+}
-diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_nettle.c cryptsetup-2.4.3/lib/crypto_backend/crypto_nettle.c
---- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_nettle.c	2022-01-13 10:14:51.000000000 +0100
-+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_nettle.c	2022-08-10 17:07:18.127167962 +0200
-@@ -446,3 +446,8 @@ int crypt_bitlk_decrypt_key(const void *
- 	return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
- 					      iv, iv_length, tag, tag_length);
- }
-+
-+bool crypt_fips_mode(void)
-+{
-+	return false;
-+}
-diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_nss.c cryptsetup-2.4.3/lib/crypto_backend/crypto_nss.c
---- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_nss.c	2022-01-13 10:14:51.000000000 +0100
-+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_nss.c	2022-08-10 17:07:24.547202954 +0200
-@@ -395,3 +395,8 @@ int crypt_bitlk_decrypt_key(const void *
- 	return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
- 					      iv, iv_length, tag, tag_length);
- }
-+
-+bool crypt_fips_mode(void)
-+{
-+	return false;
-+}
-diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_openssl.c cryptsetup-2.4.3/lib/crypto_backend/crypto_openssl.c
---- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_openssl.c	2022-01-13 10:14:51.000000000 +0100
-+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_openssl.c	2022-08-10 17:05:51.483695770 +0200
-@@ -809,3 +809,29 @@ out:
- 	return -ENOTSUP;
- #endif
- }
-+
-+#if !ENABLE_FIPS
-+bool crypt_fips_mode(void) { return false; }
-+#else
-+static bool openssl_fips_mode(void)
-+{
-+#if OPENSSL_VERSION_MAJOR >= 3
-+	return EVP_default_properties_is_fips_enabled(NULL);
-+#else
-+	return FIPS_mode();
-+#endif
-+}
-+
-+bool crypt_fips_mode(void)
-+{
-+	static bool fips_mode = false, fips_checked = false;
-+
-+	if (fips_checked)
-+		return fips_mode;
-+
-+	fips_mode = openssl_fips_mode();
-+	fips_checked = true;
-+
-+	return fips_mode;
-+}
-+#endif /* ENABLE FIPS */
-diff -rupN cryptsetup-2.4.3.old/lib/internal.h cryptsetup-2.4.3/lib/internal.h
---- cryptsetup-2.4.3.old/lib/internal.h	2022-01-13 10:14:51.000000000 +0100
-+++ cryptsetup-2.4.3/lib/internal.h	2022-08-10 17:03:00.348765820 +0200
-@@ -38,7 +38,6 @@
- #include "utils_crypt.h"
- #include "utils_loop.h"
- #include "utils_dm.h"
--#include "utils_fips.h"
- #include "utils_keyring.h"
- #include "utils_io.h"
- #include "crypto_backend/crypto_backend.h"
-diff -rupN cryptsetup-2.4.3.old/lib/Makemodule.am cryptsetup-2.4.3/lib/Makemodule.am
---- cryptsetup-2.4.3.old/lib/Makemodule.am	2022-01-13 10:14:51.000000000 +0100
-+++ cryptsetup-2.4.3/lib/Makemodule.am	2022-08-10 17:03:00.342765787 +0200
-@@ -54,8 +54,6 @@ libcryptsetup_la_SOURCES = \
- 	lib/utils_loop.h		\
- 	lib/utils_devpath.c		\
- 	lib/utils_wipe.c		\
--	lib/utils_fips.c		\
--	lib/utils_fips.h		\
- 	lib/utils_device.c		\
- 	lib/utils_keyring.c		\
- 	lib/utils_keyring.h		\
-diff -rupN cryptsetup-2.4.3.old/lib/utils_fips.c cryptsetup-2.4.3/lib/utils_fips.c
---- cryptsetup-2.4.3.old/lib/utils_fips.c	2022-01-13 10:14:51.000000000 +0100
-+++ cryptsetup-2.4.3/lib/utils_fips.c	1970-01-01 01:00:00.000000000 +0100
-@@ -1,55 +0,0 @@
--/*
-- * FIPS mode utilities
-- *
-- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * as published by the Free Software Foundation; either version 2
-- * of the License, or (at your option) any later version.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-- * GNU General Public License for more details.
-- *
-- * You should have received a copy of the GNU General Public License
-- * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-- */
--
--#include <unistd.h>
--#include <fcntl.h>
--#include <errno.h>
--#include "utils_fips.h"
--
--#if !ENABLE_FIPS
--bool crypt_fips_mode(void) { return false; }
--#else
--static bool fips_checked = false;
--static bool fips_mode = false;
--
--static bool kernel_fips_mode(void)
--{
--	int fd;
--	char buf[1] = "";
--
--	if ((fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY)) >= 0) {
--		while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
--		close(fd);
--	}
--
--	return (buf[0] == '1');
--}
--
--bool crypt_fips_mode(void)
--{
--	if (fips_checked)
--		return fips_mode;
--
--	fips_mode = kernel_fips_mode() && !access("/etc/system-fips", F_OK);
--	fips_checked = true;
--
--	return fips_mode;
--}
--#endif /* ENABLE_FIPS */
-diff -rupN cryptsetup-2.4.3.old/lib/utils_fips.h cryptsetup-2.4.3/lib/utils_fips.h
---- cryptsetup-2.4.3.old/lib/utils_fips.h	2022-01-13 10:14:51.000000000 +0100
-+++ cryptsetup-2.4.3/lib/utils_fips.h	1970-01-01 01:00:00.000000000 +0100
-@@ -1,28 +0,0 @@
--/*
-- * FIPS mode utilities
-- *
-- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * as published by the Free Software Foundation; either version 2
-- * of the License, or (at your option) any later version.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-- * GNU General Public License for more details.
-- *
-- * You should have received a copy of the GNU General Public License
-- * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-- */
--
--#ifndef _UTILS_FIPS_H
--#define _UTILS_FIPS_H
--
--#include <stdbool.h>
--
--bool crypt_fips_mode(void);
--
--#endif /* _UTILS_FIPS_H */
-diff -rupN cryptsetup-2.4.3.old/Makefile.in cryptsetup-2.4.3/Makefile.in
---- cryptsetup-2.4.3.old/Makefile.in	2022-01-13 10:24:33.000000000 +0100
-+++ cryptsetup-2.4.3/Makefile.in	2022-08-10 17:28:09.508914077 +0200
-@@ -281,7 +281,6 @@ am_libcryptsetup_la_OBJECTS = lib/libcry
- 	lib/libcryptsetup_la-utils_loop.lo \
- 	lib/libcryptsetup_la-utils_devpath.lo \
- 	lib/libcryptsetup_la-utils_wipe.lo \
--	lib/libcryptsetup_la-utils_fips.lo \
- 	lib/libcryptsetup_la-utils_device.lo \
- 	lib/libcryptsetup_la-utils_keyring.lo \
- 	lib/libcryptsetup_la-utils_device_locking.lo \
-@@ -547,7 +546,6 @@ am__depfiles_remade = lib/$(DEPDIR)/cryp
- 	lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo \
- 	lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo \
- 	lib/$(DEPDIR)/libcryptsetup_la-utils_devpath.Plo \
--	lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo \
- 	lib/$(DEPDIR)/libcryptsetup_la-utils_keyring.Plo \
- 	lib/$(DEPDIR)/libcryptsetup_la-utils_loop.Plo \
- 	lib/$(DEPDIR)/libcryptsetup_la-utils_pbkdf.Plo \
-@@ -1036,8 +1034,6 @@ libcryptsetup_la_SOURCES = \
- 	lib/utils_loop.h		\
- 	lib/utils_devpath.c		\
- 	lib/utils_wipe.c		\
--	lib/utils_fips.c		\
--	lib/utils_fips.h		\
- 	lib/utils_device.c		\
- 	lib/utils_keyring.c		\
- 	lib/utils_keyring.h		\
-@@ -1551,8 +1547,6 @@ lib/libcryptsetup_la-utils_devpath.lo: l
- 	lib/$(DEPDIR)/$(am__dirstamp)
- lib/libcryptsetup_la-utils_wipe.lo: lib/$(am__dirstamp) \
- 	lib/$(DEPDIR)/$(am__dirstamp)
--lib/libcryptsetup_la-utils_fips.lo: lib/$(am__dirstamp) \
--	lib/$(DEPDIR)/$(am__dirstamp)
- lib/libcryptsetup_la-utils_device.lo: lib/$(am__dirstamp) \
- 	lib/$(DEPDIR)/$(am__dirstamp)
- lib/libcryptsetup_la-utils_keyring.lo: lib/$(am__dirstamp) \
-@@ -1811,7 +1805,6 @@ distclean-compile:
- @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo@am__quote@ # am--include-marker
- @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo@am__quote@ # am--include-marker
- @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_devpath.Plo@am__quote@ # am--include-marker
--@AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo@am__quote@ # am--include-marker
- @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_keyring.Plo@am__quote@ # am--include-marker
- @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_loop.Plo@am__quote@ # am--include-marker
- @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_pbkdf.Plo@am__quote@ # am--include-marker
-@@ -2105,13 +2098,6 @@ lib/libcryptsetup_la-utils_wipe.lo: lib/
- @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -c -o lib/libcryptsetup_la-utils_wipe.lo `test -f 'lib/utils_wipe.c' || echo '$(srcdir)/'`lib/utils_wipe.c
- 
--lib/libcryptsetup_la-utils_fips.lo: lib/utils_fips.c
--@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -MT lib/libcryptsetup_la-utils_fips.lo -MD -MP -MF lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Tpo -c -o lib/libcryptsetup_la-utils_fips.lo `test -f 'lib/utils_fips.c' || echo '$(srcdir)/'`lib/utils_fips.c
--@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Tpo lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo
--@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='lib/utils_fips.c' object='lib/libcryptsetup_la-utils_fips.lo' libtool=yes @AMDEPBACKSLASH@
--@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
--@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -c -o lib/libcryptsetup_la-utils_fips.lo `test -f 'lib/utils_fips.c' || echo '$(srcdir)/'`lib/utils_fips.c
--
- lib/libcryptsetup_la-utils_device.lo: lib/utils_device.c
- @am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -MT lib/libcryptsetup_la-utils_device.lo -MD -MP -MF lib/$(DEPDIR)/libcryptsetup_la-utils_device.Tpo -c -o lib/libcryptsetup_la-utils_device.lo `test -f 'lib/utils_device.c' || echo '$(srcdir)/'`lib/utils_device.c
- @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) lib/$(DEPDIR)/libcryptsetup_la-utils_device.Tpo lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo
-@@ -2987,7 +2973,6 @@ distclean: distclean-recursive
- 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo
- 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo
- 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_devpath.Plo
--	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo
- 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_keyring.Plo
- 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_loop.Plo
- 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_pbkdf.Plo
-@@ -3124,7 +3109,6 @@ maintainer-clean: maintainer-clean-recur
- 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo
- 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo
- 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_devpath.Plo
--	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo
- 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_keyring.Plo
- 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_loop.Plo
- 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_pbkdf.Plo
-diff -rupN cryptsetup-2.4.3.old/po/POTFILES.in cryptsetup-2.4.3/po/POTFILES.in
---- cryptsetup-2.4.3.old/po/POTFILES.in	2022-01-13 10:23:53.000000000 +0100
-+++ cryptsetup-2.4.3/po/POTFILES.in	2022-08-10 17:03:30.306926994 +0200
-@@ -6,7 +6,6 @@ lib/volumekey.c
- lib/crypt_plain.c
- lib/utils_crypt.c
- lib/utils_loop.c
--lib/utils_fips.c
- lib/utils_device.c
- lib/utils_devpath.c
- lib/utils_pbkdf.c
-diff -rupN cryptsetup-2.4.3.old/src/cryptsetup.h cryptsetup-2.4.3/src/cryptsetup.h
---- cryptsetup-2.4.3.old/src/cryptsetup.h	2022-01-13 10:14:51.000000000 +0100
-+++ cryptsetup-2.4.3/src/cryptsetup.h	2022-08-10 17:03:30.307926999 +0200
-@@ -44,7 +44,6 @@
- #include "lib/bitops.h"
- #include "lib/utils_crypt.h"
- #include "lib/utils_loop.h"
--#include "lib/utils_fips.h"
- #include "lib/utils_io.h"
- #include "lib/utils_blkid.h"
- #include "lib/libcryptsetup_macros.h"
-diff -rupN cryptsetup-2.4.3.old/tests/compat-test cryptsetup-2.4.3/tests/compat-test
---- cryptsetup-2.4.3.old/tests/compat-test	2022-08-10 16:36:36.593578847 +0200
-+++ cryptsetup-2.4.3/tests/compat-test	2022-08-10 17:03:30.308927004 +0200
-@@ -44,7 +44,7 @@ KEY_MATERIAL5_EXT="S331776-395264"
- TEST_UUID="12345678-1234-1234-1234-123456789abc"
- 
- LOOPDEV=$(losetup -f 2>/dev/null)
--[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
- 
- function remove_mapping()
- {
-diff -rupN cryptsetup-2.4.3.old/tests/compat-test2 cryptsetup-2.4.3/tests/compat-test2
---- cryptsetup-2.4.3.old/tests/compat-test2	2022-08-10 16:36:57.610677161 +0200
-+++ cryptsetup-2.4.3/tests/compat-test2	2022-08-10 17:03:30.308927004 +0200
-@@ -42,7 +42,7 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-f
- TEST_UUID="12345678-1234-1234-1234-123456789abc"
- 
- LOOPDEV=$(losetup -f 2>/dev/null)
--[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
- 
- function remove_mapping()
- {
-diff -rupN cryptsetup-2.4.3.old/tests/keyring-compat-test cryptsetup-2.4.3/tests/keyring-compat-test
---- cryptsetup-2.4.3.old/tests/keyring-compat-test	2022-08-10 16:36:36.594578852 +0200
-+++ cryptsetup-2.4.3/tests/keyring-compat-test	2022-08-10 17:09:55.062022004 +0200
-@@ -26,7 +26,7 @@ PWD="aaa"
- [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
- CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
- 
--[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
- 
- function remove_mapping()
- {
-diff -rupN cryptsetup-2.4.3.old/tests/luks2-reencryption-test cryptsetup-2.4.3/tests/luks2-reencryption-test
---- cryptsetup-2.4.3.old/tests/luks2-reencryption-test	2022-08-10 16:37:14.711757148 +0200
-+++ cryptsetup-2.4.3/tests/luks2-reencryption-test	2022-08-10 17:03:30.310927015 +0200
-@@ -25,7 +25,7 @@ PWD2="1cND4319812f"
- PWD3="1-9Qu5Ejfnqv"
- DEV_LINK="reenc-test-link"
- 
--[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
- 
- function dm_crypt_features()
- {

SOURCES/cryptsetup-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch

@@ -0,0 +1,161 @@
+From c18dcfaa0b91eb48006232fbfadce9e6a9b4a790 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Fri, 2 Dec 2022 15:39:36 +0100
+Subject: [PATCH 2/2] Abort encryption when header and data devices are same.
+
+If data device reduction is not requsted this led
+to data corruption since LUKS metadata was written
+over the data device.
+---
+ src/utils_reencrypt.c          | 42 ++++++++++++++++++++++++++++++----
+ tests/luks2-reencryption-test  | 16 +++++++++++++
+ tests/reencryption-compat-test | 20 +++++++++++++---
+ 3 files changed, 70 insertions(+), 8 deletions(-)
+
+diff --git a/src/utils_reencrypt.c b/src/utils_reencrypt.c
+index 87ead680..73e0bca8 100644
+--- a/src/utils_reencrypt.c
++++ b/src/utils_reencrypt.c
+@@ -467,6 +467,26 @@ static int reencrypt_check_active_device_sb_block_size(const char *active_device
+ 	return reencrypt_check_data_sb_block_size(dm_device, new_sector_size);
+ }
+ 
++static int reencrypt_is_header_detached(const char *header_device, const char *data_device)
++{
++	int r;
++	struct stat st;
++	struct crypt_device *cd;
++
++	if (!header_device)
++		return 0;
++
++	if (header_device && stat(header_device, &st) < 0 && errno == ENOENT)
++		return 1;
++
++	if ((r = crypt_init_data_device(&cd, header_device, data_device)))
++		return r;
++
++	r = crypt_header_is_detached(cd);
++	crypt_free(cd);
++	return r;
++}
++
+ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device, const char *device_name)
+ {
+ 	int keyslot, r, fd;
+@@ -490,9 +510,14 @@ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device,
+ 
+ 	_set_reencryption_flags(&params.flags);
+ 
+-	if (!data_shift && !ARG_SET(OPT_HEADER_ID)) {
+-		log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
+-		return -ENOTSUP;
++	if (!data_shift) {
++		r = reencrypt_is_header_detached(ARG_STR(OPT_HEADER_ID), data_device);
++		if (r < 0)
++			return r;
++		if (!r) {
++			log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
++			return -ENOTSUP;
++		}
+ 	}
+ 
+ 	if (!ARG_SET(OPT_HEADER_ID) && ARG_UINT64(OPT_OFFSET_ID) &&
+@@ -1358,9 +1383,16 @@ static int _encrypt(struct crypt_device *cd, const char *type, enum device_statu
+ 	if (!type)
+ 		type = crypt_get_default_type();
+ 
+-	if (dev_st == DEVICE_LUKS1_UNUSABLE || isLUKS1(type))
++	if (dev_st == DEVICE_LUKS1_UNUSABLE || isLUKS1(type)) {
++		r = reencrypt_is_header_detached(ARG_STR(OPT_HEADER_ID), action_argv[0]);
++		if (r < 0)
++			return r;
++		if (!r && !ARG_SET(OPT_REDUCE_DEVICE_SIZE_ID)) {
++			log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
++			return -ENOTSUP;
++		}
+ 		return reencrypt_luks1(action_argv[0]);
+-	else if (dev_st == DEVICE_NOT_LUKS) {
++	} else if (dev_st == DEVICE_NOT_LUKS) {
+ 		r = encrypt_luks2_init(&encrypt_cd, action_argv[0], action_argc > 1 ? action_argv[1] : NULL);
+ 		if (r < 0 || ARG_SET(OPT_INIT_ONLY_ID)) {
+ 			crypt_free(encrypt_cd);
+diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
+index bab54353..a647a8c2 100755
+--- a/tests/luks2-reencryption-test
++++ b/tests/luks2-reencryption-test
+@@ -1080,6 +1080,22 @@ $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
+ $CRYPTSETUP close $DEV_NAME
+ echo $PWD1 | $CRYPTSETUP open --header $IMG_HDR $DEV --test-passphrase || fail
+ 
++# Encrypt without size reduction must not allow header device same as data device
++wipe_dev_head $DEV 1
++echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $DEV 2>/dev/null && fail
++ln -s $DEV $DEV_LINK || fail
++echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $DEV 2>/dev/null && fail
++rm -f $DEV_LINK || fail
++
++dd if=/dev/zero of=$IMG bs=4k count=1 >/dev/null 2>&1
++echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
++ln -s $IMG $DEV_LINK || fail
++echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
++
+ echo "[4] Reencryption with detached header"
+ wipe $PWD1 $IMG_HDR
+ echo $PWD1 | $CRYPTSETUP reencrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
+diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test
+index f6a84137..453831d1 100755
+--- a/tests/reencryption-compat-test
++++ b/tests/reencryption-compat-test
+@@ -15,6 +15,7 @@ IMG=reenc-data
+ IMG_HDR=$IMG.hdr
+ HEADER_LUKS2_PV=blkid-luks2-pv.img
+ ORIG_IMG=reenc-data-orig
++DEV_LINK="reenc-test-link"
+ KEY1=key1
+ PWD1="93R4P4pIqAH8"
+ PWD2="1cND4319812f"
+@@ -40,7 +41,7 @@ function remove_mapping()
+ 	[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
+ 	[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
+ 	[ ! -z "$LOOPDEV1" ] && losetup -d $LOOPDEV1 >/dev/null 2>&1
+-	rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $HEADER_LUKS2_PV >/dev/null 2>&1
++	rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $HEADER_LUKS2_PV $DEV_LINK >/dev/null 2>&1
+ 	umount $MNT_DIR > /dev/null 2>&1
+ 	rmdir $MNT_DIR > /dev/null 2>&1
+ 	LOOPDEV1=""
+@@ -302,12 +303,25 @@ check_slot 0 || fail "Only keyslot 0 expected to be enabled"
+ $REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q || fail
+ # FIXME echo $PWD1 | $REENC ...
+ 
+-if [ ! fips_mode ]; then
+ echo "[4] Encryption of not yet encrypted device"
++# Encrypt without size reduction must not allow header device same as data device
++wipe_dev $LOOPDEV1
++echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $LOOPDEV1 -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail
++ln -s $LOOPDEV1 $DEV_LINK || fail
++echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail
++rm -f $DEV_LINK || fail
++echo $PWD1 | $REENC $IMG --type luks1 --new --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
++ln -s $IMG $DEV_LINK || fail
++echo $PWD1 | $REENC $IMG --type luks1 --new --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
++
++if [ ! fips_mode ]; then
+ # well, movin' zeroes :-)
+ OFFSET=2048
+ SIZE=$(blockdev --getsz $LOOPDEV1)
+-wipe_dev $LOOPDEV1
+ dmsetup create $DEV_NAME2 --table "0 $(($SIZE - $OFFSET)) linear $LOOPDEV1 0" || fail
+ check_hash_dev /dev/mapper/$DEV_NAME2 $HASH3
+ dmsetup remove --retry $DEV_NAME2 || fail
+-- 
+2.38.1
+

SOURCES/cryptsetup-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch

@@ -0,0 +1,662 @@
+From e7a1f18d976771efc06987107da12ccae4d0b360 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Fri, 2 Dec 2022 11:40:24 +0100
+Subject: [PATCH 2/3] Change tests to use passphrases with minimal 8 chars
+ length.
+
+Skip tests that can not satisfy minimal test passphrase length:
+
+- empty passphrase
+- LUKS1 cipher_null tests (empty passphrase is mandatory)
+- LUKS1 encryption
+---
+ tests/Makefile.am              |   3 +-
+ tests/align-test               |  10 +++
+ tests/api-test-2.c             | 117 +++++++++++++++++----------------
+ tests/api-test.c               |  14 ++--
+ tests/compat-test              |   8 ++-
+ tests/compat-test2             |  16 +++--
+ tests/keyring-compat-test      |   2 +-
+ tests/reencryption-compat-test |  10 +++
+ tests/ssh-test-plugin          |   2 +-
+ 9 files changed, 110 insertions(+), 72 deletions(-)
+
+diff --git a/tests/align-test b/tests/align-test
+index eedf8b77..5941cde2 100755
+--- a/tests/align-test
++++ b/tests/align-test
+@@ -10,9 +10,16 @@ PWD1="93R4P4pIqAH8"
+ PWD2="mymJeD8ivEhE"
+ FAST_PBKDF="--pbkdf-force-iterations 1000"
+ 
++FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
++
+ CRYPTSETUP_VALGRIND=../.libs/cryptsetup
+ CRYPTSETUP_LIB_VALGRIND=../.libs
+ 
++function fips_mode()
++{
++	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
++}
++
+ cleanup() {
+ 	udevadm settle >/dev/null 2>&1
+ 	if [ -d "$MNT_DIR" ] ; then
+@@ -276,6 +283,8 @@ format_plain_fail 2048
+ format_plain_fail 4096
+ cleanup
+ 
++# skip tests using empty passphrase (LUKS1 cipher_null)
++if [ ! fips_mode ]; then
+ echo "# Offset check: 512B sector drive"
+ add_device dev_size_mb=16 sector_size=512 num_tgts=1
+ #           |k| expO reqO expected slot offsets
+@@ -314,6 +323,7 @@ format_null 512 4040    8
+ format_null 512 4096  128
+ format_null 512 4096 2048
+ cleanup
++fi
+ 
+ echo "# Create enterprise-class 4K drive with fs and LUKS images."
+ # loop device here presents 512 block but images have 4k block
+diff --git a/tests/api-test-2.c b/tests/api-test-2.c
+index b7c762d9..2c39191b 100644
+--- a/tests/api-test-2.c
++++ b/tests/api-test-2.c
+@@ -74,8 +74,8 @@ typedef int32_t key_serial_t;
+ #define KEYFILE2 "key2.file"
+ #define KEY2 "0123456789abcdef"
+ 
+-#define PASSPHRASE "blabla"
+-#define PASSPHRASE1 "albalb"
++#define PASSPHRASE "blablabl"
++#define PASSPHRASE1 "albalbal"
+ 
+ #define DEVICE_TEST_UUID "12345678-1234-1234-1234-123456789abc"
+ 
+@@ -107,15 +107,15 @@ typedef int32_t key_serial_t;
+ #define CONV_L2_512_DET_FULL "l2_512b_det_full"
+ #define CONV_L1_256_LEGACY "l1_256b_legacy_offset"
+ #define CONV_L1_256_UNMOVABLE "l1_256b_unmovable"
+-#define PASS0 "aaa"
+-#define PASS1 "hhh"
+-#define PASS2 "ccc"
+-#define PASS3 "ddd"
+-#define PASS4 "eee"
+-#define PASS5 "fff"
+-#define PASS6 "ggg"
+-#define PASS7 "bbb"
+-#define PASS8 "iii"
++#define PASS0 "aaablabl"
++#define PASS1 "hhhblabl"
++#define PASS2 "cccblabl"
++#define PASS3 "dddblabl"
++#define PASS4 "eeeblabl"
++#define PASS5 "fffblabl"
++#define PASS6 "gggblabl"
++#define PASS7 "bbbblabl"
++#define PASS8 "iiiblabl"
+ 
+ static int _fips_mode = 0;
+ 
+@@ -429,11 +429,11 @@ static int _setup(void)
+ 
+ 	_system("dd if=/dev/zero of=" IMAGE_EMPTY_SMALL_2 " bs=512 count=2050 2>/dev/null", 1);
+ 
+-	_system(" [ ! -e " NO_REQS_LUKS2_HEADER " ] && xz -dk " NO_REQS_LUKS2_HEADER ".xz", 1);
++	_system(" [ ! -e " NO_REQS_LUKS2_HEADER " ] && tar xJf " REQS_LUKS2_HEADER ".tar.xz", 1);
+ 	fd = loop_attach(&DEVICE_4, NO_REQS_LUKS2_HEADER, 0, 0, &ro);
+ 	close(fd);
+ 
+-	_system(" [ ! -e " REQS_LUKS2_HEADER " ] && xz -dk " REQS_LUKS2_HEADER ".xz", 1);
++	_system(" [ ! -e " REQS_LUKS2_HEADER " ] && tar xJf " REQS_LUKS2_HEADER ".tar.xz", 1);
+ 	fd = loop_attach(&DEVICE_5, REQS_LUKS2_HEADER, 0, 0, &ro);
+ 	close(fd);
+ 
+@@ -709,7 +709,7 @@ static void AddDeviceLuks2(void)
+ 	};
+ 	char key[128], key2[128], key3[128];
+ 
+-	const char *tmp_buf, *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd";
++	const char *tmp_buf, *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd";
+ 	const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+ 	const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e";
+ 	size_t key_size = strlen(vk_hex) / 2;
+@@ -1056,7 +1056,6 @@ static void Luks2MetadataSize(void)
+ 	};
+ 	char key[128], tmp[128];
+ 
+-	const char *passphrase = "blabla";
+ 	const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+ 	size_t key_size = strlen(vk_hex) / 2;
+ 	const char *cipher = "aes";
+@@ -1103,7 +1102,7 @@ static void Luks2MetadataSize(void)
+ 	OK_(crypt_init(&cd, DMDIR H_DEVICE));
+ 	OK_(crypt_set_metadata_size(cd, 0x080000, 0x080000));
+ 	OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, key, key_size, &params));
+-	EQ_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, passphrase, strlen(passphrase)), 7);
++	EQ_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, PASSPHRASE, strlen(PASSPHRASE)), 7);
+ 	CRYPT_FREE(cd);
+ 	OK_(crypt_init(&cd, DMDIR H_DEVICE));
+ 	OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
+@@ -3306,8 +3305,8 @@ static void Luks2Requirements(void)
+ 		.key_description = KEY_DESC_TEST0
+ 	};
+ 
+-	OK_(prepare_keyfile(KEYFILE1, "aaa", 3));
+-	OK_(prepare_keyfile(KEYFILE2, "xxx", 3));
++	OK_(prepare_keyfile(KEYFILE1, PASSPHRASE, strlen(PASSPHRASE)));
++	OK_(prepare_keyfile(KEYFILE2, PASSPHRASE1, strlen(PASSPHRASE1)));
+ 
+ 	/* crypt_load (unrestricted) */
+ 	OK_(crypt_init(&cd, DEVICE_5));
+@@ -3361,11 +3360,11 @@ static void Luks2Requirements(void)
+ 	OK_(crypt_repair(cd, CRYPT_LUKS2, NULL));
+ 
+ 	/* crypt_keyslot_add_passphrase (restricted) */
+-	FAIL_((r = crypt_keyslot_add_by_passphrase(cd, CRYPT_ANY_SLOT, "aaa", 3, "bbb", 3)), "Unmet requirements detected");
++	FAIL_((r = crypt_keyslot_add_by_passphrase(cd, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), "bbb", 3)), "Unmet requirements detected");
+ 	EQ_(r, -ETXTBSY);
+ 
+ 	/* crypt_keyslot_change_by_passphrase (restricted) */
+-	FAIL_((r = crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 9, "aaa", 3, "bbb", 3)), "Unmet requirements detected");
++	FAIL_((r = crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 9, PASSPHRASE, strlen(PASSPHRASE), "bbb", 3)), "Unmet requirements detected");
+ 	EQ_(r, -ETXTBSY);
+ 
+ 	/* crypt_keyslot_add_by_keyfile (restricted) */
+@@ -3377,18 +3376,18 @@ static void Luks2Requirements(void)
+ 	EQ_(r, -ETXTBSY);
+ 
+ 	/* crypt_volume_key_get (unrestricted, but see below) */
+-	OK_(crypt_volume_key_get(cd, 0, key, &key_size, "aaa", 3));
++	OK_(crypt_volume_key_get(cd, 0, key, &key_size, PASSPHRASE, strlen(PASSPHRASE)));
+ 
+ 	/* crypt_keyslot_add_by_volume_key (restricted) */
+-	FAIL_((r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, key_size, "xxx", 3)), "Unmet requirements detected");
++	FAIL_((r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, key_size, PASSPHRASE1, strlen(PASSPHRASE1))), "Unmet requirements detected");
+ 	EQ_(r, -ETXTBSY);
+ 
+ 	/* crypt_keyslot_add_by_key (restricted) */
+-	FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, NULL, key_size, "xxx", 3, CRYPT_VOLUME_KEY_NO_SEGMENT)), "Unmet requirements detected");
++	FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, NULL, key_size, PASSPHRASE1, strlen(PASSPHRASE1), CRYPT_VOLUME_KEY_NO_SEGMENT)), "Unmet requirements detected");
+ 	EQ_(r, -ETXTBSY);
+ 
+ 	/* crypt_keyslot_add_by_key (restricted) */
+-	FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, key, key_size, "xxx", 3, 0)), "Unmet requirements detected");
++	FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, key, key_size, PASSPHRASE1, strlen(PASSPHRASE1), 0)), "Unmet requirements detected");
+ 	EQ_(r, -ETXTBSY);
+ 
+ 	/* crypt_persistent_flasgs_set (restricted) */
+@@ -3400,10 +3399,10 @@ static void Luks2Requirements(void)
+ 	EQ_(flags, CRYPT_REQUIREMENT_UNKNOWN);
+ 
+ 	/* crypt_activate_by_passphrase (restricted for activation only) */
+-	FAIL_((r = crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0)), "Unmet requirements detected");
++	FAIL_((r = crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0)), "Unmet requirements detected");
+ 	EQ_(r, -ETXTBSY);
+-	OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, 0));
+-	OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
++	OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), 0));
++	OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
+ 	EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
+ 
+ 	/* crypt_activate_by_keyfile (restricted for activation only) */
+@@ -3420,7 +3419,7 @@ static void Luks2Requirements(void)
+ 
+ #ifdef KERNEL_KEYRING
+ 	if (t_dm_crypt_keyring_support()) {
+-		kid = add_key("user", KEY_DESC_TEST0, "aaa", 3, KEY_SPEC_THREAD_KEYRING);
++		kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING);
+ 		NOTFAIL_(kid, "Test or kernel keyring are broken.");
+ 
+ 		/* crypt_activate_by_keyring (restricted for activation only) */
+@@ -3428,6 +3427,8 @@ static void Luks2Requirements(void)
+ 		EQ_(r, t_dm_crypt_keyring_support() ? -ETXTBSY : -EINVAL);
+ 		OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, 0));
+ 		OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, CRYPT_ACTIVATE_KEYRING_KEY));
++
++		NOTFAIL_(keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING), "Test or kernel keyring are broken.");
+ 	}
+ #endif
+ 
+@@ -3513,10 +3514,15 @@ static void Luks2Requirements(void)
+ 	/* crypt_activate_by_token (restricted for activation only) */
+ #ifdef KERNEL_KEYRING
+ 	if (t_dm_crypt_keyring_support()) {
++		kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING);
++		NOTFAIL_(kid, "Test or kernel keyring are broken.");
++
+ 		FAIL_((r = crypt_activate_by_token(cd, CDEVICE_1, 1, NULL, 0)), ""); // supposed to be silent
+ 		EQ_(r, -ETXTBSY);
+ 		OK_(crypt_activate_by_token(cd, NULL, 1, NULL, 0));
+ 		OK_(crypt_activate_by_token(cd, NULL, 1, NULL, CRYPT_ACTIVATE_KEYRING_KEY));
++
++		NOTFAIL_(keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING), "Test or kernel keyring are broken.");
+ 	}
+ #endif
+ 	OK_(get_luks2_offsets(0, 8192, 0, NULL, &r_payload_offset));
+@@ -3528,7 +3534,7 @@ static void Luks2Requirements(void)
+ 	CRYPT_FREE(cd);
+ 	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+ 	OK_(crypt_load(cd, CRYPT_LUKS, NULL));
+-	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0));
++	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0));
+ 	OK_(crypt_header_backup(cd, CRYPT_LUKS2, BACKUP_FILE));
+ 	/* replace header with no requirements */
+ 	OK_(_system("dd if=" REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
+@@ -3566,7 +3572,7 @@ static void Luks2Requirements(void)
+ 	OK_(crypt_init_by_name(&cd, CDEVICE_1));
+ 
+ 	/* crypt_resume_by_passphrase (restricted) */
+-	FAIL_((r = crypt_resume_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3)), "Unmet requirements detected");
++	FAIL_((r = crypt_resume_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE))), "Unmet requirements detected");
+ 	EQ_(r, -ETXTBSY);
+ 
+ 	/* crypt_resume_by_keyfile (restricted) */
+@@ -3580,13 +3586,13 @@ static void Luks2Requirements(void)
+ 
+ 	OK_(_system("dd if=" NO_REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
+ 	OK_(crypt_init_by_name(&cd, CDEVICE_1));
+-	OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3));
++	OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE)));
+ 	CRYPT_FREE(cd);
+ 	OK_(_system("dd if=" REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
+ 
+ 	OK_(crypt_init_by_name(&cd, CDEVICE_1));
+ 	/* load VK in keyring */
+-	OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
++	OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
+ 	/* crypt_resize (restricted) */
+ 	FAIL_((r = crypt_resize(cd, CDEVICE_1, 1)), "Unmet requirements detected");
+ 	EQ_(r, -ETXTBSY);
+@@ -3622,7 +3628,6 @@ static void Luks2Integrity(void)
+ 		.integrity = "hmac(sha256)"
+ 	};
+ 	size_t key_size = 32 + 32;
+-	const char *passphrase = "blabla";
+ 	const char *cipher = "aes";
+ 	const char *cipher_mode = "xts-random";
+ 	int ret;
+@@ -3636,8 +3641,8 @@ static void Luks2Integrity(void)
+ 		return;
+ 	}
+ 
+-	EQ_(crypt_keyslot_add_by_volume_key(cd, 7, NULL, key_size, passphrase, strlen(passphrase)), 7);
+-	EQ_(crypt_activate_by_passphrase(cd, CDEVICE_2, 7, passphrase, strlen(passphrase) ,0), 7);
++	EQ_(crypt_keyslot_add_by_volume_key(cd, 7, NULL, key_size, PASSPHRASE, strlen(PASSPHRASE)), 7);
++	EQ_(crypt_activate_by_passphrase(cd, CDEVICE_2, 7, PASSPHRASE, strlen(PASSPHRASE) ,0), 7);
+ 	GE_(crypt_status(cd, CDEVICE_2), CRYPT_ACTIVE);
+ 	CRYPT_FREE(cd);
+ 
+@@ -3689,36 +3694,36 @@ static void Luks2Refresh(void)
+ 	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+ 	OK_(set_fast_pbkdf(cd));
+ 	OK_(crypt_format(cd, CRYPT_LUKS2, cipher, mode, NULL, key, 32, NULL));
+-	OK_(crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, 32, "aaa", 3));
+-	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0));
++	OK_(crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, 32, PASSPHRASE, strlen(PASSPHRASE)));
++	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0));
+ 
+ 	/* check we can refresh significant flags */
+ 	if (t_dm_crypt_discard_support()) {
+-		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_ALLOW_DISCARDS));
++		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_ALLOW_DISCARDS));
+ 		OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ 		OK_(check_flag(cad.flags, CRYPT_ACTIVATE_ALLOW_DISCARDS));
+ 		cad.flags = 0;
+ 	}
+ 
+ 	if (t_dm_crypt_cpu_switch_support()) {
+-		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SAME_CPU_CRYPT));
++		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SAME_CPU_CRYPT));
+ 		OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ 		OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SAME_CPU_CRYPT));
+ 		cad.flags = 0;
+ 
+-		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
++		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
+ 		OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ 		OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
+ 		cad.flags = 0;
+ 
+-		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
++		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
+ 		OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ 		OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
+ 		cad.flags = 0;
+ 	}
+ 
+ 	OK_(crypt_volume_key_keyring(cd, 0));
+-	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
++	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
+ 	OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ 	FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_KEYRING_KEY), "Unexpected flag raised.");
+ 	cad.flags = 0;
+@@ -3726,7 +3731,7 @@ static void Luks2Refresh(void)
+ #ifdef KERNEL_KEYRING
+ 	if (t_dm_crypt_keyring_support()) {
+ 		OK_(crypt_volume_key_keyring(cd, 1));
+-		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
++		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
+ 		OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ 		OK_(check_flag(cad.flags, CRYPT_ACTIVATE_KEYRING_KEY));
+ 		cad.flags = 0;
+@@ -3735,26 +3740,26 @@ static void Luks2Refresh(void)
+ 
+ 	/* multiple flags at once */
+ 	if (t_dm_crypt_discard_support() && t_dm_crypt_cpu_switch_support()) {
+-		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS));
++		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS));
+ 		OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ 		OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS));
+ 		cad.flags = 0;
+ 	}
+ 
+ 	/* do not allow reactivation with read-only (and drop flag silently because activation behaves exactly same) */
+-	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_READONLY));
++	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_READONLY));
+ 	OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ 	FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_READONLY), "Reactivated with read-only flag.");
+ 	cad.flags = 0;
+ 
+ 	/* reload flag is dropped silently */
+ 	OK_(crypt_deactivate(cd, CDEVICE_1));
+-	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
++	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
+ 
+ 	/* check read-only flag is not lost after reload */
+ 	OK_(crypt_deactivate(cd, CDEVICE_1));
+-	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_READONLY));
+-	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
++	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_READONLY));
++	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
+ 	OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ 	OK_(check_flag(cad.flags, CRYPT_ACTIVATE_READONLY));
+ 	cad.flags = 0;
+@@ -3762,7 +3767,7 @@ static void Luks2Refresh(void)
+ 	/* check LUKS2 with auth. enc. reload */
+ 	OK_(crypt_init(&cd2, DMDIR L_DEVICE_WRONG));
+ 	if (!crypt_format(cd2, CRYPT_LUKS2, "aes", "gcm-random", crypt_get_uuid(cd), key, 32, &params)) {
+-		OK_(crypt_keyslot_add_by_volume_key(cd2, 0, key, 32, "aaa", 3));
++		OK_(crypt_keyslot_add_by_volume_key(cd2, 0, key, 32, PASSPHRASE, strlen(PASSPHRASE)));
+ 		OK_(crypt_activate_by_volume_key(cd2, CDEVICE_2, key, 32, 0));
+ 		OK_(crypt_activate_by_volume_key(cd2, CDEVICE_2, key, 32, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_NO_JOURNAL));
+ 		OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad));
+@@ -3772,11 +3777,11 @@ static void Luks2Refresh(void)
+ 		OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad));
+ 		OK_(check_flag(cad.flags, CRYPT_ACTIVATE_NO_JOURNAL | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
+ 		cad.flags = 0;
+-		OK_(crypt_activate_by_passphrase(cd2, CDEVICE_2, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
++		OK_(crypt_activate_by_passphrase(cd2, CDEVICE_2, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
+ 		OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad));
+ 		FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_NO_JOURNAL), "");
+ 		FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS), "");
+-		FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS2/aead context");
++		FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS2/aead context");
+ 		OK_(crypt_deactivate(cd2, CDEVICE_2));
+ 	} else {
+ 		printf("WARNING: cannot format integrity device, skipping few reload tests.\n");
+@@ -3786,8 +3791,8 @@ static void Luks2Refresh(void)
+ 	/* Use LUKS1 context on LUKS2 device */
+ 	OK_(crypt_init(&cd2, DMDIR L_DEVICE_1S));
+ 	OK_(crypt_format(cd2, CRYPT_LUKS1, cipher, mode, crypt_get_uuid(cd), key, 32, NULL));
+-	OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, NULL, 32, "aaa", 3));
+-	FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS1 context");
++	OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)));
++	FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS1 context");
+ 	CRYPT_FREE(cd2);
+ 
+ 	/* Use PLAIN context on LUKS2 device */
+@@ -3803,8 +3808,8 @@ static void Luks2Refresh(void)
+ 	OK_(crypt_init(&cd2, DMDIR L_DEVICE_WRONG));
+ 	OK_(set_fast_pbkdf(cd2));
+ 	OK_(crypt_format(cd2, CRYPT_LUKS2, cipher, mode, crypt_get_uuid(cd), key, 32, NULL));
+-	OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, key, 32, "aaa", 3));
+-	FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed dm-crypt mapped over mismatching data device");
++	OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, key, 32, PASSPHRASE, strlen(PASSPHRASE)));
++	FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed dm-crypt mapped over mismatching data device");
+ 
+ 	OK_(crypt_deactivate(cd, CDEVICE_1));
+ 
+@@ -4825,7 +4830,7 @@ static void LuksKeyslotAdd(void)
+ 	crypt_keyslot_context_free(um2);
+ 
+ 	// generate new unbound key
+-	OK_(crypt_keyslot_context_init_by_volume_key(cd, NULL, 1, &um1));
++	OK_(crypt_keyslot_context_init_by_volume_key(cd, NULL, 9, &um1));
+ 	OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &um2));
+ 	EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 10, um2, CRYPT_VOLUME_KEY_NO_SEGMENT), 10);
+ 	EQ_(crypt_keyslot_status(cd, 10), CRYPT_SLOT_UNBOUND);
+diff --git a/tests/api-test.c b/tests/api-test.c
+index 2b2f0813..9bb6d2f1 100644
+--- a/tests/api-test.c
++++ b/tests/api-test.c
+@@ -65,8 +65,8 @@
+ #define KEYFILE2 "key2.file"
+ #define KEY2 "0123456789abcdef"
+ 
+-#define PASSPHRASE "blabla"
+-#define PASSPHRASE1 "albalb"
++#define PASSPHRASE "blablabl"
++#define PASSPHRASE1 "albalbal"
+ 
+ #define DEVICE_TEST_UUID "12345678-1234-1234-1234-123456789abc"
+ 
+@@ -327,7 +327,7 @@ static void AddDevicePlain(void)
+ 	char key[128], key2[128], path[128];
+ 	struct crypt_keyslot_context *kc = NULL;
+ 
+-	const char *passphrase = PASSPHRASE;
++	const char *passphrase = "blabla";
+ 	// hashed hex version of PASSPHRASE
+ 	const char *vk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea";
+ 	size_t key_size = strlen(vk_hex) / 2;
+@@ -772,6 +772,10 @@ static void SuspendDevice(void)
+ 	OK_(crypt_deactivate(cd, CDEVICE_1));
+ 	CRYPT_FREE(cd);
+ 
++	/* skip tests using empty passphrase */
++	if(_fips_mode)
++		return;
++
+ 	OK_(get_luks_offsets(0, key_size, 1024*2, 0, NULL, &r_payload_offset));
+ 	OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1));
+ 
+@@ -806,7 +810,7 @@ static void AddDeviceLuks(void)
+ 	};
+ 	char key[128], key2[128], key3[128];
+ 
+-	const char *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd";
++	const char *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd";
+ 	const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+ 	const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e";
+ 	size_t key_size = strlen(vk_hex) / 2;
+@@ -2105,7 +2109,7 @@ static void LuksKeyslotAdd(void)
+ 	};
+ 	char key[128], key3[128];
+ 
+-	const char *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd";
++	const char *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd";
+ 	const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+ 	const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e";
+ 	size_t key_size = strlen(vk_hex) / 2;
+diff --git a/tests/compat-test b/tests/compat-test
+index 356b7283..6dc80041 100755
+--- a/tests/compat-test
++++ b/tests/compat-test
+@@ -450,10 +450,13 @@ if [ -d /dev/disk/by-uuid ] ; then
+ 	$CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
+ 	$CRYPTSETUP -q luksClose  $DEV_NAME || fail
+ fi
++# skip tests using empty passphrase
++if [ ! fips_mode ]; then
+ # empty keyfile
+ $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEYE || fail
+ $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
+ $CRYPTSETUP -q luksClose  $DEV_NAME || fail
++fi
+ # open by volume key
+ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT -s 256 --volume-key-file $KEY1 $LOOPDEV || fail
+ $CRYPTSETUP luksOpen --volume-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
+@@ -503,7 +506,7 @@ echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --
+ echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail
+ # keyfile/passphrase
+-echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail
++echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 8 || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: ENABLED" || fail
+ 
+ prepare "[18] RemoveKey passphrase and keyfile" reuse
+@@ -728,12 +731,15 @@ echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
+ [ $? -ne 2 ] && fail "luksResume should return EPERM exit code"
+ echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME  || fail
+ $CRYPTSETUP -q luksClose $DEV_NAME || fail
++# skip tests using empty passphrase
++if [ ! fips_mode ]; then
+ echo | $CRYPTSETUP -q luksFormat -c null $FAST_PBKDF_OPT --type luks1 $LOOPDEV || fail
+ echo | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
+ $CRYPTSETUP luksSuspend $DEV_NAME || fail
+ $CRYPTSETUP -q status  $DEV_NAME | grep -q "(suspended)" || fail
+ echo | $CRYPTSETUP luksResume $DEV_NAME || fail
+ $CRYPTSETUP -q luksClose $DEV_NAME || fail
++fi
+ 
+ prepare "[27] luksOpen/luksResume with specified key slot number" wipe
+ # first, let's try passphrase option
+diff --git a/tests/compat-test2 b/tests/compat-test2
+index 2f18d7b6..c54dc7ea 100755
+--- a/tests/compat-test2
++++ b/tests/compat-test2
+@@ -427,10 +427,14 @@ if [ -d /dev/disk/by-uuid ] ; then
+ 	$CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
+ 	$CRYPTSETUP -q luksClose  $DEV_NAME || fail
+ fi
++# skip tests using empty passphrases
++if [ ! fips_mode ]; then
+ # empty keyfile
+ $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEYE || fail
+ $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
+ $CRYPTSETUP -q luksClose  $DEV_NAME || fail
++fi
++
+ # open by volume key
+ echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -s 256 --volume-key-file $KEY1 --type luks2 $LOOPDEV || fail
+ $CRYPTSETUP luksOpen --volume-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
+@@ -477,7 +481,7 @@ echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --
+ echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
+ # keyfile/passphrase
+-echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail
++echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 8 || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" || fail
+ 
+ prepare "[18] RemoveKey passphrase and keyfile" reuse
+@@ -1001,14 +1005,14 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail
+ echo $PWD1 | $CRYPTSETUP -q luksConvertKey $LOOPDEV -S 1 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || can_fail_fips
+-echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 21 --unbound -s 16 $LOOPDEV || fail
++echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 21 --unbound -s 72 $LOOPDEV || fail
+ echo $PWD3 | $CRYPTSETUP luksConvertKey --pbkdf-force-iterations 1001 --pbkdf pbkdf2 -S 21 $LOOPDEV || fail
+ 
+ prepare "[38] luksAddKey unbound tests" wipe
+ $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY5 --key-slot 5 || fail
+ # unbound key may have arbitrary size
+-echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 16 $LOOPDEV || fail
+-echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 32 -S 2 $LOOPDEV || fail
++echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 72 $LOOPDEV || fail
++echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 72 -S 2 $LOOPDEV || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2 (unbound)" || fail
+ dd if=/dev/urandom of=$KEY_FILE0 bs=64 count=1 > /dev/null 2>&1 || fail
+ echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 512 -S 3 --volume-key-file $KEY_FILE0 $LOOPDEV || fail
+@@ -1100,10 +1104,10 @@ $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 --key-slot 2 -
+ [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher:"    | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
+ [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
+ # unbound keyslot
+-echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 21 --unbound -s 32 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
++echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 21 --unbound -s 72 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
+ [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher:"    | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
+ [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
+-echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 22 --unbound -s 32 $LOOPDEV || fail
++echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 22 --unbound -s 72 $LOOPDEV || fail
+ echo $PWD3 | $CRYPTSETUP luksConvertKey --key-slot 22 $LOOPDEV --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
+ [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher:"    | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
+ [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
+diff --git a/tests/keyring-compat-test b/tests/keyring-compat-test
+index 57c7fd98..ea88c210 100755
+--- a/tests/keyring-compat-test
++++ b/tests/keyring-compat-test
+@@ -21,7 +21,7 @@ NAME=testcryptdev
+ CHKS_DMCRYPT=vk_in_dmcrypt.chk
+ CHKS_KEYRING=vk_in_keyring.chk
+ 
+-PWD="aaa"
++PWD="aaablabl"
+ 
+ [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
+ CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
+diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test
+index 433f4d4c..f6a84137 100755
+--- a/tests/reencryption-compat-test
++++ b/tests/reencryption-compat-test
+@@ -22,6 +22,12 @@ PWD3="1-9Qu5Ejfnqv"
+ 
+ MNT_DIR=./mnt_luks
+ START_DIR=$(pwd)
++FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
++
++function fips_mode()
++{
++	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
++}
+ 
+ function del_scsi_device()
+ {
+@@ -296,6 +302,7 @@ check_slot 0 || fail "Only keyslot 0 expected to be enabled"
+ $REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q || fail
+ # FIXME echo $PWD1 | $REENC ...
+ 
++if [ ! fips_mode ]; then
+ echo "[4] Encryption of not yet encrypted device"
+ # well, movin' zeroes :-)
+ OFFSET=2048
+@@ -323,6 +330,7 @@ OFFSET=4096
+ echo fake | $REENC $LOOPDEV1 -d $KEY1 --new --type luks1 --reduce-device-size "$OFFSET"S -q $FAST_PBKDF || fail
+ $CRYPTSETUP open --test-passphrase $LOOPDEV1 -d $KEY1 || fail
+ wipe_dev $LOOPDEV1
++fi
+ 
+ echo "[5] Reencryption using specific keyslot"
+ echo $PWD2 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail
+@@ -396,6 +404,7 @@ add_scsi_device sector_size=512 dev_size_mb=32 physblk_exp=3
+ test_logging "[4096/512 sector]" || fail
+ test_logging_tmpfs || fail
+ 
++if [ ! fips_mode ]; then
+ echo "[10] Removal of encryption"
+ prepare 8192
+ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail
+@@ -460,6 +469,7 @@ if [ "$HAVE_BLKID" -gt 0 ]; then
+ 	echo $PWD1 | $REENC --header $IMG_HDR $HEADER_LUKS2_PV -q $FAST_PBKDF --new --type luks1 2>/dev/null && fail
+ 	test -f $IMG_HDR && fail
+ fi
++fi # if [ ! fips_mode ]
+ 
+ remove_mapping
+ exit 0
+diff --git a/tests/ssh-test-plugin b/tests/ssh-test-plugin
+index 0a440b93..5b3966e7 100755
+--- a/tests/ssh-test-plugin
++++ b/tests/ssh-test-plugin
+@@ -11,7 +11,7 @@ CRYPTSETUP_SSH=$CRYPTSETUP_PATH/cryptsetup-ssh
+ IMG="ssh_test.img"
+ MAP="sshtest"
+ USER="sshtest"
+-PASSWD="sshtest"
++PASSWD="sshtest1"
+ PASSWD2="sshtest2"
+ SSH_OPTIONS="-o StrictHostKeyChecking=no"
+ 
+-- 
+2.38.1
+

SOURCES/cryptsetup-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch

@@ -0,0 +1,55 @@
+From be088b8de8d636993767a42f195ffd3bf915e567 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Mon, 12 Dec 2022 17:33:12 +0100
+Subject: [PATCH 1/2] Enable crypt_header_is_detached for empty contexts.
+
+Also changes few tests now expecting crypt_header_is_detached
+works with empty contexts.
+---
+ lib/setup.c        | 2 +-
+ tests/api-test-2.c | 2 +-
+ tests/api-test.c   | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/setup.c b/lib/setup.c
+index f169942c..3263578b 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -3242,7 +3242,7 @@ int crypt_header_is_detached(struct crypt_device *cd)
+ {
+ 	int r;
+ 
+-	if (!cd || !isLUKS(cd->type))
++	if (!cd || (cd->type && !isLUKS(cd->type)))
+ 		return -EINVAL;
+ 
+ 	r = device_is_identical(crypt_data_device(cd), crypt_metadata_device(cd));
+diff --git a/tests/api-test-2.c b/tests/api-test-2.c
+index 2c39191b..c7e930ca 100644
+--- a/tests/api-test-2.c
++++ b/tests/api-test-2.c
+@@ -889,7 +889,7 @@ static void AddDeviceLuks2(void)
+ 	FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, key, key_size, 0), "Device is active");
+ 	EQ_(crypt_status(cd, CDEVICE_2), CRYPT_INACTIVE);
+ 	OK_(crypt_deactivate(cd, CDEVICE_1));
+-	FAIL_(crypt_header_is_detached(cd), "no header for mismatched device");
++	EQ_(crypt_header_is_detached(cd), 1);
+ 	CRYPT_FREE(cd);
+ 
+ 	params.data_device = NULL;
+diff --git a/tests/api-test.c b/tests/api-test.c
+index 9bb6d2f1..f6e33a40 100644
+--- a/tests/api-test.c
++++ b/tests/api-test.c
+@@ -960,7 +960,7 @@ static void AddDeviceLuks(void)
+ 	FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, key, key_size, 0), "Device is active");
+ 	EQ_(crypt_status(cd, CDEVICE_2), CRYPT_INACTIVE);
+ 	OK_(crypt_deactivate(cd, CDEVICE_1));
+-	FAIL_(crypt_header_is_detached(cd), "no header for mismatched device");
++	EQ_(crypt_header_is_detached(cd), 1);
+ 	CRYPT_FREE(cd);
+ 
+ 	params.data_device = NULL;
+-- 
+2.38.1
+

SOURCES/cryptsetup-2.6.1-Run-PBKDF-benchmark-with-8-bytes-long-well-known-pas.patch

@@ -0,0 +1,58 @@
+From a33f7bf5ca33587ddb05f2acac42f93068022458 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Fri, 2 Dec 2022 11:39:59 +0100
+Subject: [PATCH 1/3] Run PBKDF benchmark with 8 bytes long well-known
+ passphrase.
+
+---
+ lib/utils_benchmark.c | 4 ++--
+ src/cryptsetup.c      | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/utils_benchmark.c b/lib/utils_benchmark.c
+index 0a0c438e..d8976fb2 100644
+--- a/lib/utils_benchmark.c
++++ b/lib/utils_benchmark.c
+@@ -187,7 +187,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd,
+ 		pbkdf->parallel_threads = 0; /* N/A in PBKDF2 */
+ 		pbkdf->max_memory_kb = 0; /* N/A in PBKDF2 */
+ 
+-		r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3, "01234567890abcdef", 16,
++		r = crypt_benchmark_pbkdf(cd, pbkdf, "foobarfo", 8, "01234567890abcdef", 16,
+ 					volume_key_size, &benchmark_callback, &u);
+ 		pbkdf->time_ms = ms_tmp;
+ 		if (r < 0) {
+@@ -207,7 +207,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd,
+ 			return 0;
+ 		}
+ 
+-		r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3,
++		r = crypt_benchmark_pbkdf(cd, pbkdf, "foobarfo", 8,
+ 			"0123456789abcdef0123456789abcdef", 32,
+ 			volume_key_size, &benchmark_callback, &u);
+ 		if (r < 0)
+diff --git a/src/cryptsetup.c b/src/cryptsetup.c
+index c2e23c6e..dfaf7682 100644
+--- a/src/cryptsetup.c
++++ b/src/cryptsetup.c
+@@ -997,7 +997,7 @@ static int action_benchmark_kdf(const char *kdf, const char *hash, size_t key_si
+ 			.time_ms = 1000,
+ 		};
+ 
+-		r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3, "0123456789abcdef", 16, key_size,
++		r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foobarfo", 8, "0123456789abcdef", 16, key_size,
+ 					&benchmark_callback, &pbkdf);
+ 		if (r < 0)
+ 			log_std(_("PBKDF2-%-9s     N/A\n"), hash);
+@@ -1012,7 +1012,7 @@ static int action_benchmark_kdf(const char *kdf, const char *hash, size_t key_si
+ 			.parallel_threads = ARG_UINT32(OPT_PBKDF_PARALLEL_ID)
+ 		};
+ 
+-		r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3,
++		r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foobarfo", 8,
+ 			"0123456789abcdef0123456789abcdef", 32,
+ 			key_size, &benchmark_callback, &pbkdf);
+ 		if (r < 0)
+-- 
+2.38.1
+

SOURCES/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch

@@ -0,0 +1,47 @@
+From 293abb5435e2b4bec7f8333fb11c88d5c1f45800 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Mon, 5 Dec 2022 13:35:24 +0100
+Subject: [PATCH 3/3] Add FIPS related error message in keyslot add code.
+
+Add hints on what went wrong when creating new LUKS
+keyslots. The hint is printed only in FIPS mode and
+when pbkdf2 failed with passphrase shorter than 8
+bytes.
+---
+ lib/luks1/keymanage.c           | 5 ++++-
+ lib/luks2/luks2_keyslot_luks2.c | 2 ++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c
+index de97b73c..225e84b8 100644
+--- a/lib/luks1/keymanage.c
++++ b/lib/luks1/keymanage.c
+@@ -924,8 +924,11 @@ int LUKS_set_key(unsigned int keyIndex,
+ 			hdr->keyblock[keyIndex].passwordSalt, LUKS_SALTSIZE,
+ 			derived_key->key, hdr->keyBytes,
+ 			hdr->keyblock[keyIndex].passwordIterations, 0, 0);
+-	if (r < 0)
++	if (r < 0) {
++		if (crypt_fips_mode() && passwordLen < 8)
++			log_err(ctx, _("Invalid passphrase for PBKDF2 in FIPS mode."));
+ 		goto out;
++	}
+ 
+ 	/*
+ 	 * AF splitting, the volume key stored in vk->key is split to AfKey
+diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c
+index 78f74242..f480bcab 100644
+--- a/lib/luks2/luks2_keyslot_luks2.c
++++ b/lib/luks2/luks2_keyslot_luks2.c
+@@ -265,6 +265,8 @@ static int luks2_keyslot_set_key(struct crypt_device *cd,
+ 	free(salt);
+ 	if (r < 0) {
+ 		crypt_free_volume_key(derived_key);
++		if (crypt_fips_mode() && passwordLen < 8 && !strcmp(pbkdf.type, "pbkdf2"))
++			log_err(cd, _("Invalid passphrase for PBKDF2 in FIPS mode."));
+ 		return r;
+ 	}
+ 
+-- 
+2.38.1
+

SPECS/cryptsetup.spec

@@ -1,29 +1,32 @@
 Summary: Utility for setting up encrypted disks
 Name: cryptsetup
-Version: 2.4.3
+Version: 2.6.0
-Release: 5%{?dist}
+Release: 2%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://gitlab.com/cryptsetup/cryptsetup
 BuildRequires: openssl-devel, popt-devel, device-mapper-devel
 BuildRequires: libuuid-devel, gcc, json-c-devel
 BuildRequires: libpwquality-devel, libblkid-devel
 BuildRequires: make
+BuildRequires: asciidoctor
 Requires: cryptsetup-libs = %{version}-%{release}
 Requires: libpwquality >= 1.2.0
+Obsoletes: %{name}-reencrypt <= %{version}
+Provides: %{name}-reencrypt = %{version}
 
 %global upstream_version %{version}
-Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-%{upstream_version}.tar.xz
+Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-%{upstream_version}.tar.xz
-# binary archive with updated compatimage.img.xz for testing (can not be patched via rpmbuild)
+
+# binary archive with updated tests/conversion_imgs.tar.xz and tests/luks2_header_requirements.tar.xz
+# for testing (can not be patched via rpmbuild)
 Source1: tests.tar.xz
 
 # Following patch has to applied last
-Patch0000: %{name}-2.5.0-Fix-typo-in-repair-prompt.patch
+Patch0000: %{name}-2.6.1-Run-PBKDF-benchmark-with-8-bytes-long-well-known-pas.patch
-Patch0001: %{name}-2.5.0-Fix-PBKDF-benchmark-in-OpenSSL3-FIPS-mode.patch
+Patch0001: %{name}-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch
-Patch0002: %{name}-2.5.0-Get-rid-of-SHA1-in-tests.patch
+Patch0002: %{name}-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch
-Patch0003: %{name}-2.5.0-Do-not-use-too-small-key-in-tests.patch
+Patch0003: %{name}-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch
-Patch0004: %{name}-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch
+Patch9998: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch
-Patch0005: %{name}-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch
-Patch0006: %{name}-2.5.1-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch
 Patch9999: %{name}-add-system-library-paths.patch
 
 %description
@@ -61,20 +64,12 @@ Requires: cryptsetup-libs = %{version}-%{release}
 The integritysetup package contains a utility for setting up
 disk integrity protection using dm-integrity kernel module.
 
-%package reencrypt
-Summary: A utility for offline reencryption of LUKS encrypted disks
-Requires: cryptsetup-libs = %{version}-%{release}
-
-%description reencrypt
-This package contains cryptsetup-reencrypt utility which
-can be used for offline reencryption of disk in situ.
-
 %prep
 %autosetup -n cryptsetup-%{upstream_version} -p 1 -a 1
-chmod -x misc/dracut_90reencrypt/*
 
 %build
-%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --disable-ssh-token
+rm -f man/*.8
+%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --disable-ssh-token --enable-asciidoc
 %make_build
 
 %install
@@ -87,8 +82,9 @@ rm -rf %{buildroot}%{_libdir}/*.la
 
 %files
 %license COPYING
-%doc AUTHORS FAQ docs/*ReleaseNotes
+%doc AUTHORS FAQ.md docs/*ReleaseNotes
 %{_mandir}/man8/cryptsetup.8.gz
+%{_mandir}/man8/cryptsetup-*.8.gz
 %{_sbindir}/cryptsetup
 
 %files -n veritysetup
@@ -101,12 +97,6 @@ rm -rf %{buildroot}%{_libdir}/*.la
 %{_mandir}/man8/integritysetup.8.gz
 %{_sbindir}/integritysetup
 
-%files reencrypt
-%license COPYING
-%doc misc/dracut_90reencrypt
-%{_mandir}/man8/cryptsetup-reencrypt.8.gz
-%{_sbindir}/cryptsetup-reencrypt
-
 %files devel
 %doc docs/examples/*
 %{_includedir}/libcryptsetup.h
@@ -121,6 +111,15 @@ rm -rf %{buildroot}%{_libdir}/*.la
 %ghost %attr(700, -, -) %dir /run/cryptsetup
 
 %changelog
+* Wed Dec 14 2022 Daniel Zatovic <dzatovic@redhat.com> - 2.6.0-2
+- Fix FIPS related bugs.
+- Abort encryption when header and data devices are same.
+- Resolves: #2150251 #2148841
+
+* Wed Nov 30 2022 Daniel Zatovic <dzatovic@redhat.com> - 2.6.0-1
+- Update to cryptsetup 2.6.0.
+- Resolves: #2003748 #2108404 #1862173
+
 * Wed Aug 10 2022 Ondrej Kozina <okozina@redhat.com> - 2.4.3-5
 - patch: Delegate FIPS mode detection to crypto backend.
 - Resolves: #2080516