Version 2.7.1.

XFS V4 can be disabled in kernel, add image V5.

Minimal 300M xfs size avoided by using QA variables magic in format:
export TEST_DIR=1 TEST_DEV=1 QA_CHECK_FS=1 ; mkfs -t xfs ...

README.md

@@ -39,11 +39,11 @@ Download
 Release notes and tarballs are available at
 [kernel.org](https://www.kernel.org/pub/linux/utils/cryptsetup/).
 
-**The latest stable cryptsetup release version is 2.7.0**
-  * [cryptsetup-2.7.0.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.0.tar.xz)
-  * Signature [cryptsetup-2.7.0.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.0.tar.sign)
+**The latest stable cryptsetup release version is 2.7.1**
+  * [cryptsetup-2.7.1.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.1.tar.xz)
+  * Signature [cryptsetup-2.7.1.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.1.tar.sign)
     _(You need to decompress file first to check signature.)_
-  * [Cryptsetup 2.7.0 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.0-ReleaseNotes).
+  * [Cryptsetup 2.7.1 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.1-ReleaseNotes).
 
 Previous versions
  * [Version 2.6.1](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.1.tar.xz) -

configure.ac

@@ -1,5 +1,5 @@
 AC_PREREQ([2.67])
-AC_INIT([cryptsetup],[2.7.0])
+AC_INIT([cryptsetup],[2.7.1])
 
 dnl library version from <major>.<minor>.<release>[-<suffix>]
 LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-)

docs/v2.7.1-ReleaseNotes

@@ -0,0 +1,30 @@
+Cryptsetup 2.7.1 Release Notes
+==============================
+Stable bug-fix release with minor extensions.
+
+All users of cryptsetup 2.7.0 should upgrade to this version.
+
+Changes since version 2.7.0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Fix interrupted LUKS1 decryption resume.
+  With the replacement of the cryptsetup-reencrypt tool by the cryptsetup
+  reencrypt command, resuming the interrupted LUKS1 decryption operation
+  could fail. LUKS2 was not affected.
+
+* Allow --link-vk-to-keyring with --test-passphrase option.
+  This option allows uploading the volume key in a user-specified kernel
+  keyring without activating the device.
+
+* Fix crash when --active-name was used in decryption initialization.
+
+* Updates and changes to man pages, including indentation, sorting options
+  alphabetically, fixing mistakes in crypt_set_keyring_to_link, and fixing
+  some typos.
+
+* Fix compilation with libargon2 when --disable-internal-argon2 was used.
+
+* Do not require installed argon2.h header and never compile internal
+  libargon2 code if the crypto library directly supports Argon2.
+
+* Fixes to regression tests to support older Linux distributions.

meson.build

@@ -2,7 +2,7 @@ project('cryptsetup',
     'c',
     default_options: [ 'prefix=/usr' ],
     meson_version: '>=0.64',
-    version: '2.7.0')
+    version: '2.7.1')
 
 libcryptsetup_version = '12.10.0'
 

misc/fedora/cryptsetup.spec

@@ -2,7 +2,7 @@
 
 Summary: Utility for setting up encrypted disks
 Name: cryptsetup
-Version: 2.7.0
+Version: 2.7.1
 Release: 1%{?dist}
 License: GPL-2.0-or-later WITH cryptsetup-OpenSSL-exception AND LGPL-2.1-or-later WITH cryptsetup-OpenSSL-exception
 URL: https://gitlab.com/cryptsetup/cryptsetup

po/cryptsetup.pot

@@ -5,9 +5,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.7.0\n"
+"Project-Id-Version: cryptsetup 2.7.1\n"
 "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
-"POT-Creation-Date: 2024-01-24 09:44+0100\n"
+"POT-Creation-Date: 2024-03-07 15:42+0100\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -191,7 +191,7 @@ msgstr ""
 #: lib/luks2/luks2_json_metadata.c:1374 src/cryptsetup.c:1878
 #: src/cryptsetup.c:2059 src/cryptsetup.c:2114 src/cryptsetup.c:2319
 #: src/cryptsetup.c:2489 src/cryptsetup.c:2770 src/cryptsetup.c:3078
-#: src/cryptsetup.c:3146 src/utils_reencrypt.c:1488
+#: src/cryptsetup.c:3146 src/utils_reencrypt.c:1498
 #: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:85
 #, c-format
 msgid "Device %s is not a valid LUKS device."
@@ -760,7 +760,7 @@ msgid "Cannot read requested amount of data."
 msgstr ""
 
 #: lib/utils_device.c:213 lib/utils_storage_wrappers.c:110
-#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1461
+#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1471
 #, c-format
 msgid "Device %s does not exist or access denied."
 msgstr ""
@@ -2111,7 +2111,7 @@ msgid "Enter token %d PIN: "
 msgstr ""
 
 #: src/cryptsetup.c:196 src/cryptsetup.c:1182 src/cryptsetup.c:1523
-#: src/utils_reencrypt.c:1137 src/utils_reencrypt_luks1.c:517
+#: src/utils_reencrypt.c:1146 src/utils_reencrypt_luks1.c:517
 #: src/utils_reencrypt_luks1.c:580
 msgid "No known cipher specification pattern detected."
 msgstr ""
@@ -2149,7 +2149,7 @@ msgid ""
 msgstr ""
 
 #: src/cryptsetup.c:266 src/cryptsetup.c:1368 src/cryptsetup.c:1566
-#: src/integritysetup.c:197 src/utils_reencrypt.c:1346
+#: src/integritysetup.c:197 src/utils_reencrypt.c:1355
 #, c-format
 msgid "Blkid scan failed for %s."
 msgstr ""
@@ -2165,7 +2165,7 @@ msgstr ""
 #: src/cryptsetup.c:1375 src/cryptsetup.c:1500 src/cryptsetup.c:1578
 #: src/cryptsetup.c:2622 src/cryptsetup.c:3049 src/integritysetup.c:187
 #: src/utils_reencrypt.c:138 src/utils_reencrypt.c:314
-#: src/utils_reencrypt.c:764
+#: src/utils_reencrypt.c:772
 msgid "Operation aborted.\n"
 msgstr ""
 
@@ -3549,37 +3549,37 @@ msgstr ""
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr ""
 
-#: src/utils_luks.c:183
+#: src/utils_luks.c:186
 #, c-format
 msgid "Failed to open file %s in read-only mode."
 msgstr ""
 
-#: src/utils_luks.c:196
+#: src/utils_luks.c:199
 msgid "Provide valid LUKS2 token JSON:\n"
 msgstr ""
 
-#: src/utils_luks.c:203
+#: src/utils_luks.c:206
 msgid "Failed to read JSON file."
 msgstr ""
 
-#: src/utils_luks.c:208
+#: src/utils_luks.c:211
 msgid ""
 "\n"
 "Read interrupted."
 msgstr ""
 
-#: src/utils_luks.c:249
+#: src/utils_luks.c:252
 #, c-format
 msgid "Failed to open file %s in write mode."
 msgstr ""
 
-#: src/utils_luks.c:258
+#: src/utils_luks.c:261
 msgid ""
 "\n"
 "Write interrupted."
 msgstr ""
 
-#: src/utils_luks.c:262
+#: src/utils_luks.c:265
 msgid "Failed to write JSON file."
 msgstr ""
 
@@ -3667,7 +3667,7 @@ msgid ""
 "(block size: %<PRIu32> bytes) detected on device %s."
 msgstr ""
 
-#: src/utils_reencrypt.c:533 src/utils_reencrypt.c:1412
+#: src/utils_reencrypt.c:533 src/utils_reencrypt.c:1421
 msgid ""
 "Encryption without detached header (--header) is not possible without data "
 "device size reduction (--reduce-device-size)."
@@ -3723,124 +3723,124 @@ msgstr ""
 msgid "Original LUKS2 header restore failed."
 msgstr ""
 
-#: src/utils_reencrypt.c:759
+#: src/utils_reencrypt.c:765
 #, c-format
 msgid ""
 "Header file %s does not exist. Do you want to initialize LUKS2 decryption of "
 "device %s and export LUKS2 header to file %s?"
 msgstr ""
 
-#: src/utils_reencrypt.c:807
+#: src/utils_reencrypt.c:815
 msgid "Failed to add read/write permissions to exported header file."
 msgstr ""
 
-#: src/utils_reencrypt.c:860
+#: src/utils_reencrypt.c:869
 #, c-format
 msgid "Reencryption initialization failed. Header backup is available in %s."
 msgstr ""
 
-#: src/utils_reencrypt.c:888
+#: src/utils_reencrypt.c:897
 msgid ""
 "LUKS2 decryption is supported with detached header device only (with data "
 "offset set to 0)."
 msgstr ""
 
-#: src/utils_reencrypt.c:1023 src/utils_reencrypt.c:1032
+#: src/utils_reencrypt.c:1032 src/utils_reencrypt.c:1041
 msgid "Not enough free keyslots for reencryption."
 msgstr ""
 
-#: src/utils_reencrypt.c:1053 src/utils_reencrypt_luks1.c:1100
+#: src/utils_reencrypt.c:1062 src/utils_reencrypt_luks1.c:1100
 msgid ""
 "Key file can be used only with --key-slot or with exactly one key slot "
 "active."
 msgstr ""
 
-#: src/utils_reencrypt.c:1062 src/utils_reencrypt_luks1.c:1147
+#: src/utils_reencrypt.c:1071 src/utils_reencrypt_luks1.c:1147
 #: src/utils_reencrypt_luks1.c:1158
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr ""
 
-#: src/utils_reencrypt.c:1074
+#: src/utils_reencrypt.c:1083
 #, c-format
 msgid "Enter passphrase for key slot %u: "
 msgstr ""
 
-#: src/utils_reencrypt.c:1126
+#: src/utils_reencrypt.c:1135
 #, c-format
 msgid "Switching data encryption cipher to %s.\n"
 msgstr ""
 
-#: src/utils_reencrypt.c:1180
+#: src/utils_reencrypt.c:1189
 msgid "No data segment parameters changed. Reencryption aborted."
 msgstr ""
 
-#: src/utils_reencrypt.c:1282
+#: src/utils_reencrypt.c:1291
 msgid ""
 "Encryption sector size increase on offline device is not supported.\n"
 "Activate the device first or use --force-offline-reencrypt option "
 "(dangerous!)."
 msgstr ""
 
-#: src/utils_reencrypt.c:1322 src/utils_reencrypt_luks1.c:726
+#: src/utils_reencrypt.c:1331 src/utils_reencrypt_luks1.c:726
 #: src/utils_reencrypt_luks1.c:798
 msgid ""
 "\n"
 "Reencryption interrupted."
 msgstr ""
 
-#: src/utils_reencrypt.c:1327
+#: src/utils_reencrypt.c:1336
 msgid "Resuming LUKS reencryption in forced offline mode.\n"
 msgstr ""
 
-#: src/utils_reencrypt.c:1350
+#: src/utils_reencrypt.c:1359
 #, c-format
 msgid "Device %s contains broken LUKS metadata. Aborting operation."
 msgstr ""
 
-#: src/utils_reencrypt.c:1366 src/utils_reencrypt.c:1388
+#: src/utils_reencrypt.c:1375 src/utils_reencrypt.c:1397
 #, c-format
 msgid "Device %s is already LUKS device. Aborting operation."
 msgstr ""
 
-#: src/utils_reencrypt.c:1394
+#: src/utils_reencrypt.c:1403
 #, c-format
 msgid "Device %s is already in LUKS reencryption. Aborting operation."
 msgstr ""
 
-#: src/utils_reencrypt.c:1476
+#: src/utils_reencrypt.c:1486
 msgid "LUKS2 decryption requires --header option."
 msgstr ""
 
-#: src/utils_reencrypt.c:1524
+#: src/utils_reencrypt.c:1534
 msgid "Command requires device as argument."
 msgstr ""
 
-#: src/utils_reencrypt.c:1537
+#: src/utils_reencrypt.c:1547
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS1."
 msgstr ""
 
-#: src/utils_reencrypt.c:1543
+#: src/utils_reencrypt.c:1553
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS1 reencryption."
 msgstr ""
 
-#: src/utils_reencrypt.c:1549
+#: src/utils_reencrypt.c:1559
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS2."
 msgstr ""
 
-#: src/utils_reencrypt.c:1555
+#: src/utils_reencrypt.c:1565
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS2 reencryption."
 msgstr ""
 
-#: src/utils_reencrypt.c:1561
+#: src/utils_reencrypt.c:1571
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr ""
 
-#: src/utils_reencrypt.c:1568
+#: src/utils_reencrypt.c:1578
 msgid "Device reencryption not in progress."
 msgstr ""
 

src/utils_reencrypt.c

@@ -1451,7 +1451,8 @@ static int _decrypt(struct crypt_device **cd, enum device_status_info dev_st, co
 
 	assert(cd);
 
-	if (dev_st == DEVICE_LUKS1 || dev_st == DEVICE_LUKS1_UNUSABLE)
+	if (dev_st == DEVICE_LUKS1 || dev_st == DEVICE_LUKS1_UNUSABLE ||
+	    (dev_st == DEVICE_NOT_LUKS && ARG_SET(OPT_UUID_ID) && !ARG_SET(OPT_HEADER_ID)))
 		return reencrypt_luks1(data_device);
 
 	/* header file does not exist, try loading device type from data device */

tests/Makefile.am

@@ -55,7 +55,7 @@ EXTRA_DIST = compatimage.img.xz compatv10image.img.xz \
 	compatimage2.img.xz \
 	conversion_imgs.tar.xz \
 	luks2_keyslot_unassigned.img.xz \
-	img_fs_ext4.img.xz img_fs_vfat.img.xz img_fs_xfs.img.xz \
+	img_fs_ext4.img.xz img_fs_vfat.img.xz img_fs_xfs.img.xz img_fs_xfs5.img.xz \
 	xfs_512_block_size.img.xz \
 	valid_header_file.xz \
 	luks2_valid_hdr.img.xz \
@@ -100,7 +100,8 @@ EXTRA_DIST = compatimage.img.xz compatv10image.img.xz \
 	run-all-symbols \
 	fake_systemd_tpm_path.c \
 	unit-wipe-test \
-	systemd-test-plugin
+	systemd-test-plugin \
+	LUKS-d238e48a-0ed3-4169-b841-f26b44693134.tar.xz
 
 CLEANFILES = cryptsetup-tst* valglog* *-fail-*.log test-symbols-list.h fake_systemd_tpm_path.so
 clean-local:

tests/align-test

@@ -292,7 +292,7 @@ format_plain_fail 4096
 cleanup
 
 # skip tests using empty passphrase (LUKS1 cipher_null)
-if [ ! fips_mode ]; then
+if ! fips_mode; then
 echo "# Offset check: 512B sector drive"
 add_device dev_size_mb=16 sector_size=512 num_tgts=1
 #           |k| expO reqO expected slot offsets
@@ -338,12 +338,19 @@ echo "# Create enterprise-class 4K drive with fs and LUKS images."
 # cryptsetup should properly use 4k block on direct-io
 add_device dev_size_mb=32 sector_size=4096 physblk_exp=0 num_tgts=1 opt_blks=64
 for file in $(ls img_fs_*.img.xz) ; do
-	echo "Format using fs image $file."
+	echo -n "Format using fs image $file "
 	xz -d -c $file | dd of=$DEV bs=1M 2>/dev/null || fail "bad image"
 	[ ! -d $MNT_DIR ] && mkdir $MNT_DIR
-	mount $DEV $MNT_DIR || skip "Mounting image is not available."
+	mount $DEV $MNT_DIR 2>/dev/null
+	if [ $? -ne 0 ] ; then
+		echo "[N/A]"
+		continue
+	fi
 	echo $PWD1 | $CRYPTSETUP luksFormat --type luks1 --key-size 256 $FAST_PBKDF $MNT_DIR/luks.img || fail
 	echo $PWD2 | $CRYPTSETUP luksFormat --type luks1 --key-size 256 $FAST_PBKDF $MNT_DIR/luks.img --header $MNT_DIR/luks_header.img || fail
-	umount $MNT_DIR
+	umount $MNT_DIR || fail
+	echo "[OK]"
 done
 cleanup
+
+exit 0

tests/align-test2

@@ -421,13 +421,18 @@ echo "# Create enterprise-class 4K drive with fs and LUKS images."
 # cryptsetup should properly use 4k block on direct-io
 add_device dev_size_mb=32 sector_size=4096 physblk_exp=0 num_tgts=1 opt_blks=64
 for file in $(ls img_fs_*.img.xz) ; do
-	echo "Format using fs image $file."
+	echo -n "Format using fs image $file. "
 	xz -d -c $file | dd of=$DEV bs=1M 2>/dev/null || fail "bad image"
 	[ ! -d $MNT_DIR ] && mkdir $MNT_DIR
-	mount $DEV $MNT_DIR || skip "Mounting image is not available."
+	mount $DEV $MNT_DIR 2>/dev/null
+	if [ $? -ne 0 ] ; then
+		echo "[N/A]"
+		continue
+	fi
 	echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF --type luks2 $MNT_DIR/luks.img --offset 8192 || fail
 	echo $PWD2 | $CRYPTSETUP luksFormat $FAST_PBKDF --type luks2 $MNT_DIR/luks.img --header $MNT_DIR/luks_header.img || fail
-	umount $MNT_DIR
+	umount $MNT_DIR || fail
+	echo "[OK]"
 done
 cleanup
 
@@ -454,3 +459,5 @@ add_device dev_size_mb=32 sector_size=4096 num_tgts=1 opt_blks=64
 auto_sector 4096 $DEV
 auto_sector 4096 $DEV $HDR
 cleanup
+
+exit 0

tests/api-test-2.c

@@ -5304,6 +5304,11 @@ static void KeyslotContextAndKeyringLink(void)
 		pbkdf.iterations = 1000;
 	}
 
+	if (!t_dm_crypt_keyring_support()) {
+		printf("WARNING: dm-crypt does not support keyring, skipping test.\n");
+		return;
+	}
+
 	OK_(get_luks2_offsets(0, 0, 0, NULL, &r_payload_offset));
 	OK_(create_dmdevice_over_loop(L_DEVICE_1S, r_payload_offset + 1));
 

tests/blockwise-compat-test

@@ -80,12 +80,12 @@ falloc() {
 
 run_all_in_fs() {
 	for file in $(ls img_fs_*.img.xz) ; do
-		echo "Run tests in $file put on top block device."
+		echo -n "Run tests in $file put on top block device. "
 		xz -d -c $file | dd of=$DEV bs=1M 2>/dev/null || fail "bad image"
 		[ ! -d $MNT_DIR ] && mkdir $MNT_DIR
-		mount $DEV $MNT_DIR
+		mount $DEV $MNT_DIR 2>/dev/null
 		if [ $? -ne 0 ]; then
-			echo "Mounting image $file failed, skipped."
+			echo "[N/A]"
 			continue;
 		fi
 		rm -rf $MNT_DIR/* 2>/dev/null
@@ -97,7 +97,8 @@ run_all_in_fs() {
 		BSIZE=$iobsize
 		run_all $tfile
 		BSIZE=$oldbsize
-		umount $MNT_DIR
+		umount $MNT_DIR || fail
+		echo "[OK]"
 	done
 }
 

tests/compat-test

@@ -331,7 +331,7 @@ $CRYPTSETUP -q luksClose  $DEV_NAME || fail
 $CRYPTSETUP luksHeaderRestore -q $IMG --header-backup-file $HEADER_IMG || fail
 
 # Repeat for V1.0 header - not aligned first keyslot
-if [ ! fips_mode ] ; then
+if ! fips_mode; then
 echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME || fail
 check_exists
 ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
@@ -459,7 +459,7 @@ if [ -d /dev/disk/by-uuid ] ; then
 	$CRYPTSETUP -q luksClose  $DEV_NAME || fail
 fi
 # skip tests using empty passphrase
-if [ ! fips_mode ]; then
+if ! fips_mode; then
 # empty keyfile
 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEYE || fail
 $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
@@ -740,7 +740,7 @@ echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
 echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME  || fail
 $CRYPTSETUP -q luksClose $DEV_NAME || fail
 # skip tests using empty passphrase
-if [ ! fips_mode ]; then
+if ! fips_mode; then
 echo | $CRYPTSETUP -q luksFormat -c null $FAST_PBKDF_OPT --type luks1 $LOOPDEV || fail
 echo | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
 $CRYPTSETUP luksSuspend $DEV_NAME || fail

tests/compat-test-opal

@@ -536,9 +536,9 @@ if [ -d /dev/disk/by-uuid ] ; then
 	$CRYPTSETUP -q luksClose  $DEV_NAME || fail
 fi
 # skip tests using empty passphrases
-if [ ! fips_mode ]; then
+if ! fips_mode; then
 # empty passphrase (OPAL admin pin cannot be empty)
-echo -e "\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV || fail
+echo -e "\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV --force-password || fail
 $CRYPTSETUP luksOpen -d $KEYE $OPAL2_DEV $DEV_NAME || fail
 $CRYPTSETUP -q luksClose  $DEV_NAME || fail
 fi
@@ -555,9 +555,9 @@ if [ -d /dev/disk/by-uuid ] ; then
 	$CRYPTSETUP -q luksClose  $DEV_NAME || fail
 fi
 # skip tests using empty passphrases
-if [ ! fips_mode ]; then
+if ! fips_mode; then
 # empty passphrase (OPAL admin pin cannot be empty)
-echo -e "\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV || fail
+echo -e "\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --force-password || fail
 $CRYPTSETUP luksOpen -d $KEYE $OPAL2_DEV $DEV_NAME || fail
 $CRYPTSETUP -q luksClose  $DEV_NAME || fail
 fi

tests/compat-test2

@@ -173,6 +173,20 @@ function valgrind_run()
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }
 
+function dm_crypt_capi_support()
+{
+	VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
+	[ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
+
+	VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
+	VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
+
+	if [ $VER_MIN -ge 16 ]; then
+		return 0
+	fi
+	return 1
+}
+
 function dm_crypt_keyring_support()
 {
 	$CRYPTSETUP --version | grep -q KEYRING || return 1
@@ -630,7 +644,7 @@ if [ -d /dev/disk/by-uuid ] ; then
 	$CRYPTSETUP -q luksClose  $DEV_NAME || fail
 fi
 # skip tests using empty passphrases
-if [ ! fips_mode ]; then
+if ! fips_mode; then
 # empty keyfile
 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEYE || fail
 $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
@@ -1454,17 +1468,19 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
 	$CRYPTSETUP open -q --test-passphrase --token-only --token-id 0 -q $IMG || fail
 fi
 
-prepare "[44] LUKS2 invalid cipher (kernel cipher driver name)" wipe
-xz -dk $HEADER_LUKS2_INV.xz
-dd if=$HEADER_LUKS2_INV of=$IMG conv=notrunc >/dev/null 2>&1
-$CRYPTSETUP -q luksDump $LOOPDEV | grep -q "capi:xts(ecb(aes-generic))-plain64" || fail
-echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail
-echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME 2>&1 | grep -q "No known cipher specification pattern" || fail
-echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV >/dev/null 2>&1 && fail
-dmsetup create $DEV_NAME --uuid CRYPT-LUKS2-3d20686f551748cb89911ad32379821b-test --table \
-  "0 8 crypt capi:xts(ecb(aes-generic))-plain64 edaa40709797973715e572bf7d86fcbb9cfe2051083c33c28d58fe4e1e7ff642 0 $LOOPDEV 32768"
-$CRYPTSETUP status $DEV_NAME | grep -q "n/a" || fail
-$CRYPTSETUP close $DEV_NAME ||fail
+if dm_crypt_capi_support; then
+	prepare "[44] LUKS2 invalid cipher (kernel cipher driver name)" wipe
+	xz -dk $HEADER_LUKS2_INV.xz
+	dd if=$HEADER_LUKS2_INV of=$IMG conv=notrunc >/dev/null 2>&1
+	$CRYPTSETUP -q luksDump $LOOPDEV | grep -q "capi:xts(ecb(aes-generic))-plain64" || fail
+	echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail
+	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME 2>&1 | grep -q "No known cipher specification pattern" || fail
+	echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV >/dev/null 2>&1 && fail
+	dmsetup create $DEV_NAME --uuid CRYPT-LUKS2-3d20686f551748cb89911ad32379821b-test --table \
+         "0 8 crypt capi:xts(ecb(aes-generic))-plain64 edaa40709797973715e572bf7d86fcbb9cfe2051083c33c28d58fe4e1e7ff642 0 $LOOPDEV 32768"
+	$CRYPTSETUP status $DEV_NAME | grep -q "n/a" || fail
+	$CRYPTSETUP close $DEV_NAME ||fail
+fi
 
 if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
 	prepare "[45] Link VK to a keyring and use custom VK type." wipe

tests/meson.build

@@ -16,6 +16,9 @@ test_files_to_copy = [
     'fvault2-images.tar.xz',
     'generators/generate-luks2-area-in-json-hdr-space-json0.img.sh',
     'img_fs_ext4.img.xz',
+    'img_fs_vfat.img.xz',
+    'img_fs_xfs.img.xz',
+    'img_fs_xfs5.img.xz',
     'luks1-images.tar.xz',
     'luks2_header_requirements.tar.xz',
     'luks2_keyslot_unassigned.img.xz',
@@ -27,6 +30,7 @@ test_files_to_copy = [
     'xfs_512_block_size.img.xz',
     'valg.sh',
     'cryptsetup-valg-supps',
+    'LUKS-d238e48a-0ed3-4169-b841-f26b44693134.tar.xz'
 ]
 
 foreach file : test_files_to_copy

tests/mode-test

@@ -52,6 +52,22 @@ skip()
 	exit 77
 }
 
+function dm_crypt_capi_support()
+{
+	VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
+	[ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
+
+	VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
+	VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
+	VER_PTC=$(echo $VER_STR | cut -f 3 -d.)
+
+	if [ $VER_MIN -ge 16 ]; then
+		return 0
+	fi
+
+	return 1
+}
+
 function valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
@@ -132,7 +148,7 @@ dmcrypt()
 		echo -n -e "PLAIN:"
 		dmcrypt_check "$DEV_NAME"_tstdev $OUT
 	else
-		echo -n "[n/a]"
+		echo -n "[N/A]"
 	fi
 
 	echo $PASSWORD | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF2 -c $1 -s 256 /dev/mapper/$DEV_NAME >/dev/null 2>&1
@@ -193,12 +209,17 @@ dmcrypt xchacha12,aes-adiantum-plain64
 dmcrypt xchacha20,aes-adiantum-plain64
 
 echo -n "CAPI format:"
-echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail
-$CRYPTSETUP close "$DEV_NAME"_tstdev || fail
-echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
-dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail
-$CRYPTSETUP status "$DEV_NAME"_tstdev 2>/dev/null | grep "type:" | grep -q "n/a" || fail
-$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null || fail
-echo [OK]
+if dm_crypt_capi_support ; then
+	echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME --debug || fail
+	$CRYPTSETUP close "$DEV_NAME"_tstdev || fail
+	echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
+	dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail
+	$CRYPTSETUP status "$DEV_NAME"_tstdev 2>/dev/null | grep "type:" | grep -q "n/a" || fail
+	$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null || fail
+	echo [OK]
+else
+	echo [N/A]
+fi
 
 cleanup
+exit 0

tests/reencryption-compat-test

@@ -25,6 +25,9 @@ PWD1="93R4P4pIqAH8"
 PWD2="1cND4319812f"
 PWD3="1-9Qu5Ejfnqv"
 
+LUKS1_DECRYPT_UUID=d238e48a-0ed3-4169-b841-f26b44693134
+LUKS1_DECRYPT="LUKS-$LUKS1_DECRYPT_UUID"
+
 MNT_DIR=./mnt_luks
 START_DIR=$(pwd)
 FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
@@ -45,7 +48,7 @@ function remove_mapping()
 	[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
 	[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
 	[ ! -z "$LOOPDEV1" ] && losetup -d $LOOPDEV1 >/dev/null 2>&1
-	rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $HEADER_LUKS2_PV $DEV_LINK >/dev/null 2>&1
+	rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $HEADER_LUKS2_PV $DEV_LINK $LUKS1_DECRYPT.{org\|new\|log} >/dev/null 2>&1
 	umount $MNT_DIR > /dev/null 2>&1
 	rmdir $MNT_DIR > /dev/null 2>&1
 	LOOPDEV1=""
@@ -211,7 +214,7 @@ function simple_scsi_reenc()
 function mount_and_test() {
 	test -d $MNT_DIR || mkdir -p $MNT_DIR
 	mount $@ $MNT_DIR 2>/dev/null || {
-		echo -n "failed to mount [SKIP]"
+		echo -n "[N/A]"
 		return 0
 	}
 	rm $MNT_DIR/* 2>/dev/null
@@ -239,7 +242,7 @@ function test_logging() {
 	echo -n "$1:"
 	for img in $(ls img_fs*img.xz) ; do
 		wipefs -a $SCSI_DEV > /dev/null
-		echo -n "[${img%.img.xz}]"
+		echo -n " [${img%.img.xz}]"
 		xz -d -c $img | dd of=$SCSI_DEV bs=4k >/dev/null 2>&1
 		mount_and_test $SCSI_DEV || return 1
 	done
@@ -325,7 +328,7 @@ ln -s $IMG $DEV_LINK || fail
 echo $PWD1 | $REENC $IMG --type luks1 --new --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
 $CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
 
-if [ ! fips_mode ]; then
+if ! fips_mode; then
 # well, movin' zeroes :-)
 OFFSET=2048
 SIZE=$(blockdev --getsz $LOOPDEV1)
@@ -425,7 +428,7 @@ add_scsi_device sector_size=512 dev_size_mb=32 physblk_exp=3
 test_logging "[4096/512 sector]" || fail
 test_logging_tmpfs || fail
 
-if [ ! fips_mode ]; then
+if ! fips_mode; then
 echo "[10] Removal of encryption"
 prepare 8192
 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail
@@ -490,7 +493,16 @@ if [ "$HAVE_BLKID" -gt 0 ]; then
 	echo $PWD1 | $REENC --header $IMG_HDR $HEADER_LUKS2_PV -q $FAST_PBKDF --new --type luks1 2>/dev/null && fail
 	test -f $IMG_HDR && fail
 fi
-fi # if [ ! fips_mode ]
+
+# Only test if the LUKS1 decryption can be resumed with provided --uuid
+echo "[14] Resume LUKS1 decryption"
+prepare 8192
+tar xJf $LUKS1_DECRYPT.tar.xz || fail
+echo $PWD1 | $REENC $LOOPDEV1 -q --decrypt --uuid $LUKS1_DECRYPT_UUID >/dev/null || fail
+test -f $LUKS1_DECRYPT.org && fail
+test -f $LUKS1_DECRYPT.new && fail
+test -f $LUKS1_DECRYPT.log && fail
+fi # if ! fips_mode
 
 remove_mapping
 exit 0