Version 2.7.5.

Update cryptsetup.pot
Add 2.7.5 release notes.
2025-12-06 16:30:04 +01:00 · 2024-09-02 23:08:40 +02:00 · 2024-09-02 23:08:27 +02:00 · 2024-09-02 22:52:19 +02:00 · 2024-09-02 14:54:59 +02:00 · 2024-09-02 14:54:51 +02:00
455 changed files with 76739 additions and 32437 deletions
--- a/.codeql-config.yml
+++ b/.codeql-config.yml
@@ -0,0 +1,31 @@
 name: "Cryptsetup CodeQL config"
 query-filters:
 - exclude:
     id: cpp/fixme-comment
 - exclude:
     id: cpp/empty-block
 - exclude:
     id: cpp/poorly-documented-function
 - exclude:
     id: cpp/loop-variable-changed
 - exclude:
     id: cpp/empty-if
 - exclude:
     id: cpp/long-switch
 - exclude:
     id: cpp/complex-condition
 - exclude:
     id: cpp/commented-out-code
 # These produce many false positives
 - exclude:
     id: cpp/uninitialized-local
 - exclude:
     id: cpp/path-injection
 - exclude:
     id: cpp/missing-check-scanf
 # CodeQL should understand coverity [toctou] comments
 - exclude:
     id: cpp/toctou-race-condition
--- a/.github/workflows/cibuild-setup-ubuntu.sh
+++ b/.github/workflows/cibuild-setup-ubuntu.sh
@@ -0,0 +1,29 @@
 #!/bin/bash
 set -ex
 PACKAGES=(
 	git make autoconf automake autopoint pkg-config libtool libtool-bin
 	gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev
 	libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev libpwquality-dev
 	sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass
 	asciidoctor meson ninja-build
 )
 COMPILER="${COMPILER:?}"
 COMPILER_VERSION="${COMPILER_VERSION:?}"
 RELEASE="$(lsb_release -cs)"
 bash -c "echo 'deb-src http://archive.ubuntu.com/ubuntu/ $RELEASE main restricted universe multiverse' >>/etc/apt/sources.list"
 # Latest gcc stack deb packages provided by
 # https://launchpad.net/~ubuntu-toolchain-r/+archive/ubuntu/test
 add-apt-repository -y ppa:ubuntu-toolchain-r/test
 PACKAGES+=(gcc-$COMPILER_VERSION)
 # scsi_debug, gost crypto
 PACKAGES+=(dkms linux-headers-$(uname -r) linux-modules-extra-$(uname -r) gost-crypto-dkms)
 apt-get -y update --fix-missing
 apt-get -y install "${PACKAGES[@]}"
 apt-get -y build-dep cryptsetup
--- a/.github/workflows/cibuild.sh
+++ b/.github/workflows/cibuild.sh
@@ -0,0 +1,38 @@
 #!/bin/bash
 PHASES=(${@:-CONFIGURE MAKE CHECK})
 COMPILER="${COMPILER:?}"
 COMPILER_VERSION="${COMPILER_VERSION}"
 CFLAGS=(-O1 -g)
 CXXFLAGS=(-O1 -g)
 CC="gcc${COMPILER_VERSION:+-$COMPILER_VERSION}"
 CXX="g++${COMPILER_VERSION:+-$COMPILER_VERSION}"
 set -ex
 for phase in "${PHASES[@]}"; do
 	case $phase in
 	CONFIGURE)
 		opts=(
 			--enable-libargon2
 		)
 		sudo -E git clean -xdf
 		./autogen.sh
 		CC="$CC" CXX="$CXX" CFLAGS="${CFLAGS[@]}" CXXFLAGS="${CXXFLAGS[@]}" ./configure "${opts[@]}"
 		;;
 	MAKE)
 		make -j
 		make -j -C tests check-programs
 		;;
 	CHECK)
 		make check
 		;;
 	*)
 		echo >&2 "Unknown phase '$phase'"
 		exit 1
 	esac
 done
--- a/.github/workflows/cibuild.yml
+++ b/.github/workflows/cibuild.yml
@@ -0,0 +1,29 @@
 name: Build test
 on:
  push:
    branches:
      - 'main'
      - 'wip-luks2'
      - 'v2.*.x'
    paths-ignore:
      - 'docs/**'
 jobs:
  build:
    runs-on: ubuntu-latest
    if: github.repository == 'mbroz/cryptsetup'
    strategy:
      fail-fast: false
      matrix:
        env:
          - { COMPILER: "gcc", COMPILER_VERSION: "13",  RUN_SSH_PLUGIN_TEST: "1" }
    env: ${{ matrix.env }}
    steps:
      - name: Repository checkout
        uses: actions/checkout@v1
      - name: Ubuntu setup
        run: sudo -E .github/workflows/cibuild-setup-ubuntu.sh
      - name: Configure & Make
        run: .github/workflows/cibuild.sh CONFIGURE MAKE
      - name: Check
        run: sudo -E .github/workflows/cibuild.sh CHECK
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,49 @@
 name: "CodeQL"
 on:
  push:
    branches:
      - 'main'
      - 'wip-luks2'
      - 'v2.*.x'
 permissions:
  contents: read
 jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    if: github.repository == 'mbroz/cryptsetup'
    concurrency:
      group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
      cancel-in-progress: true
    permissions:
      actions: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: [ 'cpp' ]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          queries: +security-extended,security-and-quality
          config-file: .codeql-config.yml
      - name: Install dependencies
        run: sudo -E .github/workflows/cibuild-setup-ubuntu.sh
        env: { COMPILER: "gcc", COMPILER_VERSION: "13",  RUN_SSH_PLUGIN_TEST: "1" }
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -0,0 +1,48 @@
 name: Coverity test
 on:
  push:
    branches:
      - 'coverity_scan'
    paths-ignore:
      - 'docs/**'
 jobs:
  latest:
    runs-on: ubuntu-latest
    if: github.repository == 'mbroz/cryptsetup'
    steps:
      - name: Repository checkout
        uses: actions/checkout@v1
      - name: Ubuntu setup
        run: sudo -E .github/workflows/cibuild-setup-ubuntu.sh
        env:
          COMPILER: "gcc"
          COMPILER_VERSION: "13"
      - name: Install Coverity
        run: |
          wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=mbroz/cryptsetup" -O cov-analysis-linux64.tar.gz
          mkdir cov-analysis-linux64
          tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
        env:
          TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
      - name: Run autoconf & configure
        run: |
          ./autogen.sh
          ./configure
      - name: Run cov-build
        run: |
          export PATH=`pwd`/cov-analysis-linux64/bin:$PATH
          cov-build --dir cov-int make
      - name: Submit to Coverity Scan
        run: |
          tar czvf cryptsetup.tgz cov-int
          curl \
            --form project=mbroz/cryptsetup \
            --form token=$TOKEN \
            --form email=gmazyland@gmail.com \
            --form file=@cryptsetup.tgz \
            --form version=trunk \
            --form description="`./cryptsetup --version`" \
            https://scan.coverity.com/builds?project=mbroz/cryptsetup
        env:
          TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,8 @@ Makefile.in.in
 *.lo
 *.la
 *.o
 *.so
 *.8
 **/*.dirstamp
 .deps/
 .libs/
@@ -54,3 +56,6 @@ tests/luks1-images
 tests/tcrypt-images
 tests/unit-utils-io
 tests/vectors-test
 tests/test-symbols-list.h
 tests/all-symbols-test
 tests/fuzz/LUKS2.pb*
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -0,0 +1,24 @@
 stages:
  - test
  - test-opal
 .fail_if_coredump_generated:
  after_script:
    - '[ "$(ls -A /var/coredumps)" ] && exit 1 || true'
 include:
  - local: .gitlab/ci/debian.yml
  - local: .gitlab/ci/fedora.yml
  - local: .gitlab/ci/fedora-opal.yml
  - local: .gitlab/ci/rhel.yml
  - local: .gitlab/ci/centos.yml
  - local: .gitlab/ci/annocheck.yml
  - local: .gitlab/ci/csmock.yml
  - local: .gitlab/ci/gitlab-shared-docker.yml
  - local: .gitlab/ci/compilation-various-disables.yml
  - local: .gitlab/ci/compilation-gcc.gitlab-ci.yml
  - local: .gitlab/ci/compilation-clang.gitlab-ci.yml
  - local: .gitlab/ci/alpinelinux.yml
  - local: .gitlab/ci/debian-i686.yml
  - local: .gitlab/ci/cifuzz.yml
  - local: .gitlab/ci/ubuntu.yml
--- a/.gitlab/ci/alpinelinux.yml
+++ b/.gitlab/ci/alpinelinux.yml
@@ -0,0 +1,55 @@
 .alpinelinux-dependencies:
  variables:
    DISTRO: cryptsetup-alpine-edge
  extends:
    - .fail_if_coredump_generated
  before_script:
    - >
      sudo apk add
      lvm2-dev openssl-dev popt-dev util-linux-dev json-c-dev
      argon2-dev device-mapper which sharutils gettext gettext-dev automake
      autoconf libtool build-base keyutils tar jq expect git asciidoctor
    - ./autogen.sh
    - ./configure --prefix=/usr --libdir=/lib --sbindir=/sbin --disable-static --enable-libargon2 --with-crypto_backend=openssl --disable-external-tokens --disable-ssh-token --enable-asciidoc
 test-main-commit-job-alpinelinux:
  extends:
    - .alpinelinux-dependencies
  tags:
    - libvirt
    - cryptsetup-alpine-edge
  stage: test
  interruptible: true
  variables:
    RUN_SSH_PLUGIN_TEST: "0"
  rules:
    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
      when: never
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
  script:
    - make -j
    - make -j -C tests check-programs
    - sudo -E make check
 test-mergerq-job-alpinelinux:
  extends:
    - .alpinelinux-dependencies
  tags:
    - libvirt
    - cryptsetup-alpine-edge
  stage: test
  interruptible: true
  variables:
    RUN_SSH_PLUGIN_TEST: "0"
  rules:
    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
      when: never
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    - make -j
    - make -j -C tests check-programs
    - sudo -E make check
--- a/.gitlab/ci/annocheck.yml
+++ b/.gitlab/ci/annocheck.yml
@@ -0,0 +1,18 @@
 test-main-commit-job-annocheck:
  extends:
    - .fail_if_coredump_generated
  tags:
    - libvirt
    - cryptsetup-rhel-9
  stage: test
  interruptible: true
  allow_failure: true
  variables:
    DISTRO: cryptsetup-rhel-9
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
  script:
    - sudo /opt/run-annocheck.sh
--- a/.gitlab/ci/centos.yml
+++ b/.gitlab/ci/centos.yml
@@ -0,0 +1,61 @@
 .centos-openssl-backend:
  variables:
    DISTRO: cryptsetup-centos-stream-9
  extends:
    - .fail_if_coredump_generated
  before_script:
    - >
      sudo dnf -y -q  install
      autoconf automake device-mapper-devel gcc gettext-devel json-c-devel
      libblkid-devel libpwquality-devel libselinux-devel libssh-devel libtool
      libuuid-devel make popt-devel libsepol-devel nc openssh-clients passwd
      pkgconfig sharutils sshpass tar uuid-devel vim-common device-mapper
      expect gettext git jq keyutils openssl-devel openssl gem
    - sudo gem install asciidoctor
    - sudo -E git clean -xdf
    - ./autogen.sh
    - ./configure --enable-fips --enable-pwquality --with-crypto_backend=openssl --enable-asciidoc
 # non-FIPS jobs
 test-main-commit-centos-stream9:
  extends:
    - .centos-openssl-backend
  tags:
    - libvirt
    - cryptsetup-centos-stream-9
  stage: test
  interruptible: true
  variables:
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
      when: never
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
  script:
    - make -j
    - make -j -C tests check-programs
    - sudo -E make check
 test-mergerq-centos-stream9:
  extends:
    - .centos-openssl-backend
  tags:
    - libvirt
    - cryptsetup-centos-stream-9
  stage: test
  interruptible: true
  variables:
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
      when: never
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    - make -j
    - make -j -C tests check-programs
    - sudo -E make check
--- a/.gitlab/ci/cibuild-setup-ubuntu.sh
+++ b/.gitlab/ci/cibuild-setup-ubuntu.sh
@@ -0,0 +1,53 @@
 #!/bin/bash
 set -ex
 PACKAGES=(
 	git make autoconf automake autopoint pkg-config libtool libtool-bin
 	gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev
 	libjson-c-dev libssh-dev libblkid-dev tar libargon2-dev libpwquality-dev
 	sharutils dmsetup jq xxd expect keyutils netcat-openbsd passwd openssh-client
 	sshpass asciidoctor
 )
 COMPILER="${COMPILER:?}"
 COMPILER_VERSION="${COMPILER_VERSION:?}"
 sed -i 's/^Types: deb$/Types: deb deb-src/' /etc/apt/sources.list.d/ubuntu.sources
 # use this on older Ubuntu
 # grep -E '^deb' /etc/apt/sources.list > /etc/apt/sources.list~
 # sed -Ei 's/^deb /deb-src /' /etc/apt/sources.list~
 # cat /etc/apt/sources.list~ >> /etc/apt/sources.list
 apt-get -y update --fix-missing
 DEBIAN_FRONTEND=noninteractive apt-get -yq install software-properties-common wget lsb-release
 RELEASE="$(lsb_release -cs)"
 if [[ $COMPILER == "gcc" ]]; then
 	# Latest gcc stack deb packages provided by
 	# https://launchpad.net/~ubuntu-toolchain-r/+archive/ubuntu/test
 	add-apt-repository -y ppa:ubuntu-toolchain-r/test
 	PACKAGES+=(gcc-$COMPILER_VERSION)
 elif [[ $COMPILER == "clang" ]]; then
 	wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -
 	add-apt-repository "deb http://apt.llvm.org/${RELEASE}/   llvm-toolchain-${RELEASE}-${COMPILER_VERSION} main"
 	# scan-build
 	PACKAGES+=(clang-tools-$COMPILER_VERSION clang-$COMPILER_VERSION lldb-$COMPILER_VERSION lld-$COMPILER_VERSION clangd-$COMPILER_VERSION)
 	PACKAGES+=(perl)
 else
 	exit 1
 fi
 apt-get -y update --fix-missing
 DEBIAN_FRONTEND=noninteractive apt-get -yq install "${PACKAGES[@]}"
 apt-get -y build-dep cryptsetup
 echo "====================== VERSIONS ==================="
 if [[ $COMPILER == "clang" ]]; then
 	echo "Using scan-build${COMPILER_VERSION:+-$COMPILER_VERSION}"
 fi
 ${COMPILER}-$COMPILER_VERSION -v
 echo "====================== END VERSIONS ==================="
--- a/.gitlab/ci/cifuzz.yml
+++ b/.gitlab/ci/cifuzz.yml
@@ -0,0 +1,46 @@
 cifuzz:
  variables:
    OSS_FUZZ_PROJECT_NAME: cryptsetup
    CFL_PLATFORM: gitlab
    CIFUZZ_DEBUG: "True"
    FUZZ_SECONDS: 300 # 5 minutes per fuzzer
    ARCHITECTURE: "x86_64"
    DRY_RUN: "False"
    LOW_DISK_SPACE: "True"
    BAD_BUILD_CHECK: "True"
    LANGUAGE: "c"
    DOCKER_HOST: "tcp://docker:2375"
    DOCKER_IN_DOCKER: "true"
    DOCKER_DRIVER: overlay2
    DOCKER_TLS_CERTDIR: ""
  image:
    name: gcr.io/oss-fuzz-base/cifuzz-base
    entrypoint: [""]
  services:
    - docker:dind
  stage: test
  parallel:
    matrix:
      - SANITIZER: [address, undefined, memory]
  rules:
    # Default code change.
    # - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    #   variables:
    #     MODE: "code-change"
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $BUILD_AND_RUN_FUZZERS != null
  before_script:
    # Get gitlab's container id.
    - export CFL_CONTAINER_ID=`cut -c9- < /proc/1/cpuset`
  script:
    # Will build and run the fuzzers.
    # We use a hack to override CI_JOB_ID, because otherwise a bad path is used
    # in GitLab CI environment
    - CI_JOB_ID="$CI_PROJECT_NAMESPACE/$CI_PROJECT_TITLE" python3 "/opt/oss-fuzz/infra/cifuzz/cifuzz_combined_entrypoint.py"
  artifacts:
    # Upload artifacts when a crash makes the job fail.
    when: always
    paths:
      - artifacts/
--- a/.gitlab/ci/clang-Wall
+++ b/.gitlab/ci/clang-Wall
@@ -0,0 +1,48 @@
 #!/bin/bash
 # clang -Wall plus other important warnings not included in -Wall
 for arg in "$@"
 do
 	case $arg in
 	-O*) Wuninitialized=-Wuninitialized;;  # only makes sense with `-O'
 	esac
 done
 CLANG="clang${COMPILER_VERSION:+-$COMPILER_VERSION}"
 #PEDANTIC="-std=gnu99"
 #PEDANTIC="-pedantic -std=gnu99"
 #PEDANTIC="-pedantic -std=gnu99 -Wno-variadic-macros"
 #CONVERSION="-Wconversion"
 EXTRA="\
 -Wextra \
 -Wsign-compare \
 -Wcast-align
 -Werror-implicit-function-declaration \
 -Wpointer-arith \
 -Wwrite-strings \
 -Wswitch \
 -Wmissing-format-attribute \
 -Winit-self \
 -Wold-style-definition \
 -Wno-missing-field-initializers \
 -Wunused-parameter \
 -Wno-long-long"
 exec $CLANG $PEDANTIC $CONVERSION \
 	-Wall $Wuninitialized \
 	-Wno-switch \
 	-Wdisabled-optimization \
 	-Wwrite-strings \
 	-Wpointer-arith \
 	-Wbad-function-cast \
 	-Wmissing-prototypes \
 	-Wmissing-declarations \
 	-Wstrict-prototypes \
 	-Wnested-externs \
 	-Wcomment \
 	-Winline \
 	-Wcast-qual \
 	-Wredundant-decls $EXTRA \
 	"$@"
--- a/.gitlab/ci/compilation-clang.gitlab-ci.yml
+++ b/.gitlab/ci/compilation-clang.gitlab-ci.yml
@@ -0,0 +1,57 @@
 test-clang-compilation:
  extends:
    - .gitlab-shared-clang
  script:
    - export CFLAGS="-Wall -Werror"
    - ./autogen.sh
    - ./configure
    - make -j
    - make -j check-programs
 test-clang-Wall-script:
  extends:
    - .gitlab-shared-clang
  script:
    - export CFLAGS="-g -O0"
    - export CC="$CI_PROJECT_DIR/.gitlab/ci/clang-Wall"
    - ./autogen.sh
    - ./configure
    - make -j CFLAGS="-g -O0 -Werror"
    - make -j CFLAGS="-g -O0 -Werror" check-programs
 test-scan-build:
  extends:
    - .gitlab-shared-clang
  script:
    - ./autogen.sh
    - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} -V ./configure CFLAGS="-g -O0"
    - make clean
    - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j
    - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j check-programs
 test-scan-build-backends:
  extends:
    - .gitlab-shared-clang
  parallel:
    matrix:
      - BACKENDS: [
          "openssl",
          "gcrypt",
          "nss",
          "kernel",
          "nettle"
      ]
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event" || $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
      changes:
        - lib/crypto_backend/*
  script:
    - DEBIAN_FRONTEND=noninteractive apt-get -yq install libgcrypt20-dev libnss3-dev nettle-dev
    - ./autogen.sh
    - echo "Configuring with crypto backend $BACKENDS"
    - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} -V ./configure CFLAGS="-g -O0" --with-crypto_backend=$BACKENDS
    - make clean
    - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j
    - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j check-programs
--- a/.gitlab/ci/compilation-gcc.gitlab-ci.yml
+++ b/.gitlab/ci/compilation-gcc.gitlab-ci.yml
@@ -0,0 +1,55 @@
 test-gcc-compilation:
  extends:
    - .gitlab-shared-gcc
  script:
    - export CFLAGS="-Wall -Werror"
    - ./autogen.sh
    - ./configure
    - make -j
    - make -j check-programs
 test-gcc-Wall-script:
  extends:
    - .gitlab-shared-gcc
  script:
    - export CFLAGS="-g -O0"
    - export CC="$CI_PROJECT_DIR/.gitlab/ci/gcc-Wall"
    - ./autogen.sh
    - ./configure
    - make -j CFLAGS="-g -O0 -Werror"
    - make -j CFLAGS="-g -O0 -Werror" check-programs
 test-gcc-fanalyzer:
  extends:
    - .gitlab-shared-gcc
  script:
    - ./autogen.sh
    - ./configure CFLAGS="-Wall -Werror -g -O0 -fanalyzer -fdiagnostics-path-format=separate-events" --host=x86_64
    - make -j
    - make -j check-programs
 test-gcc-fanalyzer-backends:
  extends:
    - .gitlab-shared-gcc
  parallel:
    matrix:
      - BACKENDS: [
          "openssl",
          "gcrypt",
          "nss",
          "kernel",
          "nettle"
      ]
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event" || $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
      changes:
        - lib/crypto_backend/*
  script:
    - DEBIAN_FRONTEND=noninteractive apt-get -yq install libgcrypt20-dev libnss3-dev nettle-dev
    - ./autogen.sh
    - echo "Configuring with crypto backend $BACKENDS"
    - ./configure CFLAGS="-Wall -Werror -g -O0 -fanalyzer -fdiagnostics-path-format=separate-events" --host=x86_64 --with-crypto_backend=$BACKENDS
    - make -j
    - make -j check-programs
--- a/.gitlab/ci/compilation-various-disables.yml
+++ b/.gitlab/ci/compilation-various-disables.yml
@@ -0,0 +1,33 @@
 test-gcc-disable-compiles:
  extends:
    - .gitlab-shared-gcc
  parallel:
    matrix:
      - DISABLE_FLAGS: [
          "keyring",
          "external-tokens ssh-token",
          "luks2-reencryption",
          "cryptsetup veritysetup integritysetup",
          "kernel_crypto",
          "udev",
          "internal-argon2",
          "blkid",
          "hw-opal"
      ]
  artifacts:
    name: "meson-build-logs-$CI_COMMIT_REF_NAME"
    paths:
      - meson_builddir/meson-logs
  script:
    - DEBIAN_FRONTEND=noninteractive apt-get -yq install meson ninja-build
    - export CFLAGS="-Wall -Werror"
    - ./autogen.sh
    - echo "Configuring with --disable-$DISABLE_FLAGS"
    - ./configure $(for i in $DISABLE_FLAGS; do echo "--disable-$i"; done)
    - make -j
    - make -j check-programs
    - git checkout -f && git clean -xdf
    - meson -v
    - echo "Configuring with -D$DISABLE_FLAGS=false"
    - meson setup meson_builddir $(for i in $DISABLE_FLAGS; do [ "$i" == "internal-argon2" ] && echo "-Dargon-implementation=internal" || echo "-D$i=false"; done)
    - ninja -C meson_builddir
--- a/.gitlab/ci/csmock.yml
+++ b/.gitlab/ci/csmock.yml
@@ -0,0 +1,25 @@
 test-commit-job-csmock:
  extends:
    - .fail_if_coredump_generated
  tags:
    - libvirt
    - cryptsetup-rhel-9
  stage: test
  interruptible: true
  allow_failure: true
  variables:
    DISTRO: cryptsetup-rhel-9
    RUN_SSH_PLUGIN_TEST: "1"
    DISK_SIZE: 20
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/ || $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    - sudo /opt/run-csmock.sh
  artifacts:
    # Upload artifacts when a crash makes the job fail.
    when: always
    paths:
      - cryptsetup-csmock-results.tar.xz
      - cryptsetup-csmock-results
--- a/.gitlab/ci/debian-i686.yml
+++ b/.gitlab/ci/debian-i686.yml
@@ -0,0 +1,43 @@
 test-mergerq-job-debian-i686:
  extends:
    - .debian-prep
  tags:
    - libvirt
    - cryptsetup-debian-12i686
  stage: test
  interruptible: true
  variables:
    DISTRO: cryptsetup-debian-12i686
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
      when: never
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    - make -j
    - make -j -C tests check-programs
    - sudo -E make check
 test-main-commit-job-debian-i686:
  extends:
    - .debian-prep
  tags:
    - libvirt
    - cryptsetup-debian-12i686
  stage: test
  interruptible: true
  variables:
    DISTRO: cryptsetup-debian-12i686
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
      when: never
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
  script:
    - make -j
    - make -j -C tests check-programs
    - sudo -E make check
--- a/.gitlab/ci/debian.yml
+++ b/.gitlab/ci/debian.yml
@@ -0,0 +1,102 @@
 .debian-prep:
  extends:
    - .fail_if_coredump_generated
  before_script:
    - sudo apt-get -y update
    - >
      [ -z "$RUN_SYSTEMD_PLUGIN_TEST" ] ||
      sudo apt-get -y install -y -qq swtpm meson ninja-build python3-jinja2
      gperf libcap-dev libtss2-dev libmount-dev swtpm-tools
    - >
      sudo apt-get -y install -y -qq git gcc make autoconf automake autopoint
      pkgconf libtool libtool-bin gettext libssl-dev libdevmapper-dev
      libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev
      tar libargon2-dev libpwquality-dev sharutils dmsetup jq xxd expect
      keyutils netcat-openbsd passwd openssh-client sshpass asciidoctor
    - sudo apt-get -y build-dep cryptsetup
    - sudo -E git clean -xdf
    - ./autogen.sh
    - ./configure --enable-libargon2 --enable-asciidoc
 test-mergerq-job-debian:
  extends:
    - .debian-prep
  tags:
    - libvirt
    - cryptsetup-debian-12
  stage: test
  interruptible: true
  variables:
    DISTRO: cryptsetup-debian-12
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    - make -j
    - make -j -C tests check-programs
    - sudo -E make check
 test-main-commit-job-debian:
  extends:
    - .debian-prep
  tags:
    - libvirt
    - cryptsetup-debian-12
  stage: test
  interruptible: true
  variables:
    DISTRO: cryptsetup-debian-12
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
  script:
    - make -j
    - make -j -C tests check-programs
    - sudo -E make check
 # meson tests
 test-mergerq-job-debian-meson:
  extends:
    - .debian-prep
  tags:
    - libvirt
    - cryptsetup-debian-12
  stage: test
  interruptible: true
  variables:
    DISTRO: cryptsetup-debian-12
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    - sudo apt-get -y install -y -qq meson ninja-build
    - meson setup build
    - ninja -C build
    - cd build && sudo -E meson test --verbose --print-errorlogs
 test-main-commit-job-debian-meson:
  extends:
    - .debian-prep
  tags:
    - libvirt
    - cryptsetup-debian-12
  stage: test
  interruptible: true
  variables:
    DISTRO: cryptsetup-debian-12
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
  script:
    - sudo apt-get -y install -y -qq meson ninja-build
    - meson setup build
    - ninja -C build
    - cd build && sudo -E meson test --verbose --print-errorlogs
--- a/.gitlab/ci/fedora-opal.yml
+++ b/.gitlab/ci/fedora-opal.yml
@@ -0,0 +1,144 @@
 .opal-template-fedora:
  extends:
    - .dnf-openssl-backend
  tags:
    - libvirt
    - cryptsetup-fedora-rawhide
  stage: test-opal
  interruptible: false
  variables:
    OPAL2_DEV: "/dev/nvme0n1"
    OPAL2_PSID_FILE: "/home/gitlab-runner/psid.txt"
    VOLATILE: 1
  script:
    - sudo dnf install -y -q nvme-cli
    - sudo nvme list
    - make -j
    - make -j -C tests check-programs
    - sudo -E make check TESTS="00modules-test compat-test-opal"
 # Samsung SSD 980 500GB (on tiber machine)
 test-commit-rawhide-samsung980:
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
  extends:
    - .opal-template-fedora
  tags:
    - tiber
  resource_group: samsung980-on-tiber
  interruptible: false
  variables:
    PCI_PASSTHROUGH_VENDOR_ID: "144d"
    PCI_PASSTHROUGH_DEVICE_ID: "a809"
 test-mergerq-rawhide-samsung980:
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  extends:
    - .opal-template-fedora
  tags:
    - tiber
  resource_group: samsung980-on-tiber
  interruptible: false
  variables:
    PCI_PASSTHROUGH_VENDOR_ID: "144d"
    PCI_PASSTHROUGH_DEVICE_ID: "a809"
 # WD PC SN740 SDDQNQD-512G-1014 (on tiber machine)
 test-commit-rawhide-sn740:
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
  extends:
    - .opal-template-fedora
  tags:
    - tiber
  resource_group: sn740-on-tiber
  interruptible: false
  variables:
    PCI_PASSTHROUGH_VENDOR_ID: "15b7"
    PCI_PASSTHROUGH_DEVICE_ID: "5017"
 test-mergerq-rawhide-sn740:
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  extends:
    - .opal-template-fedora
  tags:
    - tiber
  resource_group: sn740-on-tiber
  interruptible: false
  variables:
    PCI_PASSTHROUGH_VENDOR_ID: "15b7"
    PCI_PASSTHROUGH_DEVICE_ID: "5017"
 # Samsung SSD 980 PRO 1TB (on trantor machine)
 test-commit-rawhide-samsung980pro:
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
  extends:
    - .opal-template-fedora
  tags:
    - trantor
  resource_group: samsung980pro-on-trantor
  interruptible: false
  variables:
    PCI_PASSTHROUGH_VENDOR_ID: "144d"
    PCI_PASSTHROUGH_DEVICE_ID: "a80a"
 test-mergerq-rawhide-samsung980pro:
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  extends:
    - .opal-template-fedora
  tags:
    - trantor
  resource_group: samsung980pro-on-trantor
  interruptible: false
  variables:
    PCI_PASSTHROUGH_VENDOR_ID: "144d"
    PCI_PASSTHROUGH_DEVICE_ID: "a80a"
 # # UMIS RPETJ256MGE2MDQ (on tiber machine)
 # test-commit-rawhide-umis:
 #   rules:
 #     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
 #       when: never
 #     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
 #   extends:
 #     - .opal-template-fedora
 #   tags:
 #     - tiber
 #   resource_group: umis-on-tiber
 #   stage: test
 #   interruptible: false
 #   variables:
 #     PCI_PASSTHROUGH_VENDOR_ID: "1cc4"
 #     PCI_PASSTHROUGH_DEVICE_ID: "6302"
 #
 # test-mergerq-rawhide-umis:
 #   rules:
 #     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
 #       when: never
 #     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
 #   extends:
 #     - .opal-template-fedora
 #   tags:
 #     - tiber
 #   resource_group: umis-on-tiber
 #   stage: test
 #   interruptible: false
 #   variables:
 #     PCI_PASSTHROUGH_VENDOR_ID: "1cc4"
 #     PCI_PASSTHROUGH_DEVICE_ID: "6302"
--- a/.gitlab/ci/fedora.yml
+++ b/.gitlab/ci/fedora.yml
@@ -0,0 +1,62 @@
 .dnf-openssl-backend:
  variables:
    DISTRO: cryptsetup-fedora-rawhide
  extends:
    - .fail_if_coredump_generated
  before_script:
    - >
      [ -z "$RUN_SYSTEMD_PLUGIN_TEST" ] ||
      sudo dnf -y -q install
      swtpm meson ninja-build python3-jinja2 gperf libcap-devel tpm2-tss-devel
      libmount-devel swtpm-tools
    - >
      sudo dnf -y -q install
      autoconf automake device-mapper-devel gcc gettext-devel json-c-devel
      libargon2-devel libblkid-devel libpwquality-devel libselinux-devel
      libssh-devel libtool libuuid-devel make popt-devel
      libsepol-devel.x86_64 netcat openssh-clients passwd pkgconfig sharutils
      sshpass tar uuid-devel vim-common device-mapper expect gettext git jq
      keyutils openssl-devel openssl asciidoctor
    - sudo -E git clean -xdf
    - ./autogen.sh
    - ./configure --enable-fips --enable-pwquality --enable-libargon2 --with-crypto_backend=openssl --enable-asciidoc
 test-main-commit-job-rawhide:
  extends:
    - .dnf-openssl-backend
  tags:
    - libvirt
    - cryptsetup-fedora-rawhide
  stage: test
  interruptible: true
  allow_failure: true
  variables:
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
  script:
    - make -j
    - make -j -C tests check-programs
    - sudo -E make check
 test-mergerq-job-rawhide:
  extends:
    - .dnf-openssl-backend
  tags:
    - libvirt
    - cryptsetup-fedora-rawhide
  stage: test
  interruptible: true
  allow_failure: true
  variables:
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    - make -j
    - make -j -C tests check-programs
    - sudo -E make check
--- a/.gitlab/ci/gcc-Wall
+++ b/.gitlab/ci/gcc-Wall
@@ -0,0 +1,57 @@
 #!/bin/bash
 # gcc -Wall plus other important warnings not included in -Wall
 for arg in "$@"
 do
 	case $arg in
 	-O*) Wuninitialized=-Wuninitialized;;  # only makes sense with `-O'
 	esac
 done
 GCC="gcc${COMPILER_VERSION:+-$COMPILER_VERSION}"
 #PEDANTIC="-std=gnu99"
 #PEDANTIC="-pedantic -std=gnu99"
 #PEDANTIC="-pedantic -std=gnu99 -Wno-variadic-macros"
 #CONVERSION="-Wconversion"
 # -Wpacked \
 # This does more than expected for gcc (mixed code with declarations)
 # -Wdeclaration-after-statement \
 EXTRA="-Wextra \
 -Wsign-compare \
 -Werror-implicit-function-declaration \
 -Wpointer-arith \
 -Wwrite-strings \
 -Wswitch \
 -Wmissing-format-attribute \
 -Wstrict-aliasing=3 \
 -Winit-self \
 -Wunsafe-loop-optimizations \
 -Wold-style-definition \
 -Wno-missing-field-initializers \
 -Wunused-parameter \
 -Wno-long-long \
 -Wmaybe-uninitialized \
 -Wvla \
 -Wformat-overflow \
 -Wformat-truncation"
 exec $GCC $PEDANTIC $CONVERSION \
 	-Wall $Wuninitialized \
 	-Wno-switch \
 	-Wdisabled-optimization \
 	-Wwrite-strings \
 	-Wpointer-arith \
 	-Wbad-function-cast \
 	-Wmissing-prototypes \
 	-Wmissing-declarations \
 	-Wstrict-prototypes \
 	-Wnested-externs \
 	-Wcomment \
 	-Winline \
 	-Wcast-align=strict \
 	-Wcast-qual \
 	-Wredundant-decls $EXTRA \
 	"$@"
--- a/.gitlab/ci/gitlab-shared-docker.yml
+++ b/.gitlab/ci/gitlab-shared-docker.yml
@@ -0,0 +1,32 @@
 .gitlab-shared-docker:
  image: ubuntu:noble
  tags:
    - gitlab-org-docker
  stage: test
  interruptible: true
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event" || $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
  before_script:
    - .gitlab/ci/cibuild-setup-ubuntu.sh
    - export CC="${COMPILER}${COMPILER_VERSION:+-$COMPILER_VERSION}"
    - export CXX="${COMPILER}++${COMPILER_VERSION:+-$COMPILER_VERSION}"
 .gitlab-shared-gcc:
  extends:
    - .gitlab-shared-docker
  variables:
    COMPILER: "gcc"
    COMPILER_VERSION: "13"
    CC: "gcc-13"
    RUN_SSH_PLUGIN_TEST: "1"
 .gitlab-shared-clang:
  extends:
    - .gitlab-shared-docker
  variables:
    COMPILER: "clang"
    COMPILER_VERSION: "18"
    CC: "clang-18"
    RUN_SSH_PLUGIN_TEST: "1"
--- a/.gitlab/ci/rhel.yml
+++ b/.gitlab/ci/rhel.yml
@@ -0,0 +1,110 @@
 .rhel-openssl-backend:
  extends:
    - .fail_if_coredump_generated
  before_script:
    - >
      sudo yum -y -q  install
      autoconf automake device-mapper-devel gcc gettext-devel json-c-devel
      libblkid-devel libpwquality-devel libselinux-devel libssh-devel libtool
      libuuid-devel make popt-devel libsepol-devel nc openssh-clients passwd
      pkgconfig sharutils sshpass tar uuid-devel vim-common device-mapper
      expect gettext git jq keyutils openssl-devel openssl gem > /dev/null 2>&1
    - sudo gem install asciidoctor
    - sudo -E git clean -xdf
    - ./autogen.sh
    - ./configure --enable-fips --enable-pwquality --with-crypto_backend=openssl --enable-asciidoc
 # non-FIPS jobs
 test-main-commit-rhel8:
  extends:
    - .rhel-openssl-backend
  tags:
    - libvirt
    - cryptsetup-rhel-8
  stage: test
  interruptible: true
  variables:
    DISTRO: cryptsetup-rhel-8
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
      when: never
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
  script:
    - make -j
    - make -j -C tests check-programs
    - sudo -E make check
 test-main-commit-rhel9:
  extends:
    - .rhel-openssl-backend
  tags:
    - libvirt
    - cryptsetup-rhel-9
  stage: test
  interruptible: true
  variables:
    DISTRO: cryptsetup-rhel-9
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
      when: never
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
  script:
    - make -j
    - make -j -C tests check-programs
    - sudo -E make check
 # FIPS jobs
 test-main-commit-rhel8-fips:
  extends:
    - .rhel-openssl-backend
  tags:
    - libvirt
    - cryptsetup-rhel-8-fips
  stage: test
  interruptible: true
  variables:
    DISTRO: cryptsetup-rhel-8-fips
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
      when: never
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
  script:
    - sudo fips-mode-setup --check || exit 1
    - make -j
    - make -j -C tests check-programs
    - sudo -E make check
 test-main-commit-rhel9-fips:
  extends:
    - .rhel-openssl-backend
  tags:
    - libvirt
    - cryptsetup-rhel-9-fips
  stage: test
  interruptible: true
  allow_failure: true
  variables:
    DISTRO: cryptsetup-rhel-9-fips
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
      when: never
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
  script:
    - sudo fips-mode-setup --check || exit 1
    - make -j
    - make -j -C tests check-programs
    - sudo -E make check
--- a/.gitlab/ci/ubuntu.yml
+++ b/.gitlab/ci/ubuntu.yml
@@ -0,0 +1,102 @@
 .ubuntu-prep:
  extends:
    - .fail_if_coredump_generated
  before_script:
    - sudo apt-get -y update
    - >
      [ -z "$RUN_SYSTEMD_PLUGIN_TEST" ] ||
      sudo apt-get -y install -y -qq swtpm meson ninja-build python3-jinja2
      gperf libcap-dev libtss2-dev libmount-dev swtpm-tools
    - >
      sudo apt-get -y install -y -qq git gcc make autoconf automake autopoint
      pkgconf libtool libtool-bin gettext libssl-dev libdevmapper-dev
      libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev
      tar libargon2-dev libpwquality-dev sharutils dmsetup jq xxd expect
      keyutils netcat-openbsd passwd openssh-client sshpass asciidoctor
    - sudo apt-get -y build-dep cryptsetup
    - sudo -E git clean -xdf
    - ./autogen.sh
    - ./configure --enable-libargon2 --enable-asciidoc
 test-mergerq-job-ubuntu:
  extends:
    - .ubuntu-prep
  tags:
    - libvirt
    - cryptsetup-ubuntu-2404
  stage: test
  interruptible: true
  variables:
    DISTRO: cryptsetup-ubuntu-2404
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    - make -j
    - make -j -C tests check-programs
    - sudo -E make check
 test-main-commit-job-ubuntu:
  extends:
    - .ubuntu-prep
  tags:
    - libvirt
    - cryptsetup-ubuntu-2404
  stage: test
  interruptible: true
  variables:
    DISTRO: cryptsetup-ubuntu-2404
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
  script:
    - make -j
    - make -j -C tests check-programs
    - sudo -E make check
 # meson tests
 test-mergerq-job-ubuntu-meson:
  extends:
    - .ubuntu-prep
  tags:
    - libvirt
    - cryptsetup-ubuntu-2404
  stage: test
  interruptible: true
  variables:
    DISTRO: cryptsetup-ubuntu-2404
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    - sudo apt-get -y install -y -qq meson ninja-build
    - meson setup build
    - ninja -C build
    - cd build && sudo -E meson test --verbose --print-errorlogs
 test-main-commit-job-ubuntu-meson:
  extends:
    - .ubuntu-prep
  tags:
    - libvirt
    - cryptsetup-ubuntu-2404
  stage: test
  interruptible: true
  variables:
    DISTRO: cryptsetup-ubuntu-2404
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
  script:
    - sudo apt-get -y install -y -qq meson ninja-build
    - meson setup build
    - ninja -C build
    - cd build && sudo -E meson test --verbose --print-errorlogs
--- a/.gitlab/issue_templates/Bug.md
+++ b/.gitlab/issue_templates/Bug.md
@@ -9,7 +9,10 @@
 ### Debug log
 <!-- Paste a debug log of the failing command (add --debug option) between the markers below (to keep raw debug format).-->
 <!-- We need a lot of information from the debug log; without it, we cannot process your report. -->
 <!-- Debug log does not contain any private information. Do not paste private data; we'll ask you for more information if needed. -->
 ```
 Output with --debug option:
 ```
 <!-- NOTE: WITHOUT DEBUG LOG, THE BUG REPORT WILL BE CLOSED. ALSO, PLEASE DO NOT TRY TO REMOVE PARTS OF THE DEBUG LOG! -->
--- a/.travis-functions.sh
+++ b/.travis-functions.sh
@@ -1,174 +0,0 @@
 #!/bin/bash
 #
 # .travis-functions.sh:
 #   - helper functions to be sourced from .travis.yml
 #   - designed to respect travis' environment but testing locally is possible
 #   - modified copy from util-linux project
 #
 if [ ! -f "configure.ac" ]; then
 	echo ".travis-functions.sh must be sourced from source dir" >&2
 	return 1 || exit 1
 fi
 ## some config settings
 # travis docs say we get 1.5 CPUs
 MAKE="make -j2"
 DUMP_CONFIG_LOG="short"
 export TS_OPT_parsable="yes"
 export RUN_SSH_PLUGIN_TEST=1
 function configure_travis
 {
 	./configure "$@"
 	err=$?
 	if [ "$DUMP_CONFIG_LOG" = "short" ]; then
 		grep -B1 -A10000 "^## Output variables" config.log | grep -v "_FALSE="
 	elif [ "$DUMP_CONFIG_LOG" = "full" ]; then
 		cat config.log
 	fi
 	return $err
 }
 function check_nonroot
 {
 	local cfg_opts="$1"
 	[ -z "$cfg_opts" ] && return
 	configure_travis \
 		--enable-cryptsetup-reencrypt \
 		--enable-internal-sse-argon2 \
 		--enable-external-tokens \
 		--enable-ssh-token \
 		"$cfg_opts" \
 		|| return
 	$MAKE || return
 	make check
 }
 function check_root
 {
 	local cfg_opts="$1"
 	[ -z "$cfg_opts" ] && return
 	configure_travis \
 		--enable-cryptsetup-reencrypt \
 		--enable-internal-sse-argon2 \
 		--enable-external-tokens \
 		--enable-ssh-token \
 		"$cfg_opts" \
 		|| return
 	$MAKE || return
 	# FIXME: we should use -E option here
 	sudo make check
 }
 function check_nonroot_compile_only
 {
 	local cfg_opts="$1"
 	[ -z "$cfg_opts" ] && return
 	configure_travis \
 		--enable-cryptsetup-reencrypt \
 		--enable-internal-sse-argon2 \
 		"$cfg_opts" \
 		|| return
 	$MAKE
 }
 function travis_install_script
 {
 	# install some packages from Ubuntu's default sources
 	sudo apt-get -qq update
 	sudo apt-get install -qq >/dev/null \
 		sharutils \
 		libgcrypt20-dev \
 		libssl-dev \
 		libdevmapper-dev \
 		libpopt-dev \
 		uuid-dev \
 		libsepol1-dev \
 		libtool \
 		dmsetup \
 		autoconf \
 		automake \
 		pkg-config \
 		autopoint \
 		gettext \
 		expect \
 		keyutils \
 		libjson-c-dev \
 		libblkid-dev \
 		dkms \
 		linux-headers-$(uname -r) \
 		linux-modules-extra-$(uname -r) \
 		libssh-dev \
 		sshpass \
 		|| return
 	# For VeraCrypt test
 	sudo apt-get install gost-crypto-dkms
 }
 function travis_before_script
 {
 	set -o xtrace
 	./autogen.sh
 	ret=$?
 	set +o xtrace
 	return $ret
 }
 function travis_script
 {
 	local ret
 	set -o xtrace
 	case "$MAKE_CHECK" in
 	gcrypt)
 		check_nonroot "--with-crypto_backend=gcrypt" && \
 		check_root "--with-crypto_backend=gcrypt"
 		;;
 	gcrypt_compile)
 		check_nonroot_compile_only "--with-crypto_backend=gcrypt"
 		;;
 	openssl)
 		check_nonroot "--with-crypto_backend=openssl" && \
 		check_root "--with-crypto_backend=openssl"
 		;;
 	openssl_compile)
 		check_nonroot_compile_only "--with-crypto_backend=openssl"
 		;;
 	kernel)
 		check_nonroot "--with-crypto_backend=kernel" && \
 		check_root "--with-crypto_backend=kernel"
 		;;
 	kernel_compile)
 		check_nonroot_compile_only "--with-crypto_backend=kernel"
 		;;
 	*)
 		echo "error, check environment (travis.yml)" >&2
 		false
 		;;
 	esac
 	ret=$?
 	set +o xtrace
 	return $ret
 }
 function travis_after_script
 {
 	return 0
 }
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,42 +0,0 @@
 language: c
 sudo: required
 os: linux
 dist: focal
 group: edge
 compiler:
  - gcc
 env:
  # MAKE_CHECK="gcrypt"
  - MAKE_CHECK="openssl"
  # MAKE_CHECK="kernel"
 branches:
  only:
    - master
    - wip-luks2
    - v2.3.x
 before_install:
  - uname -a
  - $CC --version
  - which $CC
  # workaround clang not system wide, fail on sudo make install
  - export CC=`which $CC`
  # workaround travis-ci issue #5301
  - unset PYTHON_CFLAGS
 install:
  - source ./.travis-functions.sh
  - travis_install_script
 before_script:
  - travis_before_script
 script:
  - travis_script
 after_script:
  - travis_after_script
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,157 @@
 Contributing to cryptsetup
 ==========================
 For basic information about the cryptsetup project, please read [README](README.md).
 The Cryptsetup project uses free, open-source licenses; details are described in [licensing](README.licensing).
 For contribution code or documentation to the cryptsetup project, you must have the necessary rights to the content, and your contribution must be provided under the required license.
 We welcome contributions from everyone.
 Cryptsetup is an independent project with much volunteer effort, and our resources are limited.
 Following the guidelines specified in this file makes it easier for us to process your issue.
 Project maintainers can remove or reject abusive or otherwise unacceptable comments or code.
 Git repository
 --------------
 The primary repository is located at [gitlab.com/cryptsetup/cryptsetup](https://gitlab.com/cryptsetup/cryptsetup).
 The development branch is ``main``; minor stable releases can use their branches with cherry-picked or backported patches.
 There are backup mirrors located at [github.com/mbroz/cryptsetup](https://github.com/mbroz/cryptsetup) and [git.kernel.org/pub/scm/utils/cryptsetup/cryptsetup.git](https://git.kernel.org/pub/scm/utils/cryptsetup/cryptsetup.git).
 How to make a bug report
 ------------------------
 To report an issue or feature request, please use GitLab [cryptsetup issue tracker](https://gitlab.com/cryptsetup/cryptsetup/-/issues).
 Before reporting an issue, please try to search documentation and existing issues. Always try to reproduce the problem on the latest supported release.
 Please *always* collect and attach ``--debug`` log and other information as instructed in the issue template.
 Even if you think the problem is obvious, we need logged information about the environment (like versions of kernel modules, etc.).
 Please do not report distribution-specific issues if they are not present in the latest upstream release.
 For such reports, please use downstream distribution-specific trackers.
 If the issue is related to upstream, downstream maintainers will redirect you here, or upstream maintainers will join the discussion.
 If you think that you found some security bug, please follow the instructions in the [SECURITY](SECURITY.md) file.
 How to contribute changes to cryptsetup
 ---------------------------------------
 The following notes are a very short introduction to cryptsetup internal processes and an overview of generic rules that should be followed for all changes.
 Changes from developers and external contributors should go through the GitLab repository [merge reguests](https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests).
 Alternatively (for trivial changes), you can send a patch to [cryptsetup mailing list](mailto:cryptsetup@lists.linux.dev).
 Please do not write personal emails with questions or patches to maintainers and developers.
 ### Project structure
 Cryptsetup projects include a libcryptsetup library, tools, token plugins, documentation, and a test suite.
 Cryptsetup library (libcryptsetup) exports [versioned symbols](lib/libcryptsetup.sym).
 Tools (cryptsetup, veritysetup, integritysetup) use libcryptsetup shared library.
 Some isolated parts in the lib directory can be reused for tools (the source is recompiled).
 The basic directory structure in the repository is
 ```
 ├── docs - Documentation and release notes.
 ├── lib  - libcryptsetup implementation
 │   ├── bitlk           - Bitlocker format
 │   ├── crypto_backend  - Cryptography backend
 │   ├── fvault2         - FileVault2 format
 │   ├── integrity       - Linux dm-integrity interface
 │   ├── loopaes         - Linux LoopAES format
 │   ├── luks1           - LUKS1 format
 │   ├── luks2           - LUKS2 format including OPAL2 SED
 │   ├── tcrypt          - TrueCrypt / VeraCrypt format
 │   └── verity          - Linux dm-verity interface
 ├── man - Manual pages (in AsciiDoc format)
 ├── misc - Miscellaneous additions
 ├── po - Translation files
 ├── scripts - Scripts for system configuration
 ├── src - Tools implementation
 ├── tests - Testsuite (test units, regression tests, fuzzing)
 └── tokens - Token plugins
 ```
 ### Coordination with other projects
 The cryptsetup tools and library use low-level functions that depend on many other subsystems.
 Currently, the project is supported only for Linux (it will not work on Android or other systems).
 Cryptsetup project requires some parts of the Linux kernel, notably the *Device Mapper* (dm-crypt, dm-integrity, dm-verity, dm-zero modules) and kernel *userspace cryptographic interface*.
 Missing kernel interface can significantly limit (or even disallow) cryptsetup functionality.
 Integration in operating systems also depends on several other projects, most notably *systemd* (that implements its own tooling using libcryptsetup) and *util-Linux* (*blkid* parsing of supported format metadata). Some changes must be synchronized in all needed places (kernel, blkid, libcryptsetup).
 Several other projects implement their own token metadata (either through binary token plugins or through generic libcryptsetup JSON token access functions).
 ### Used cryptography algorithms
 Cryptsetup avoids implementing cryptographic primitives but uses cryptographic libraries.
 Exceptions were PBKDF internal implementations - PBKDF2 and Argon2 until these were integrated into major cryptographic libraries.
 Cryptsetup can be compiled with several cryptographic libraries backend (OpenSSL, libgcrypt, Nettle, NSS, and Linux kernel userspace API).
 OpenSSL is the default and strongly recommended configuration.
 If the cryptographic library does not implement some cryptographic primitive (for example, if running in a FIPS-140 environment or just
 because it does not include it at all), functionality could be limited.
 ### Configuration and versioning
 Cryptsetup can be configured using *Autoconf* or *Meson*. Autoconf support is being deprecated in the long term.
 Currently, all new configuration options must be implemented in both systems.
 Cryptsetup intentionally does not use a system configuration file (located in /etc).
 All functionality must be determined dynamically.
 All related /etc configuration files (crypttab, fstab and others) are maintained by systemd (in some legacy distributions by cryptsetup downstream).
 Cryptsetup uses [semantic versioning](https://semver.org/).
 Major and minor releases are always based on the main git branch; the minor stable (patch) versions can have some specific branch with backported or cherry-picked patches (from the main branch).
 Usually, minor releases happen twice per year and stable patch updates according to reported bugs (in 1-3 month intervals).
 ### Compilation and debugging
 The library and tools are written in C language; we require C99 and support gcc and Clang compilers.
 Manual pages are generated from AsciiDoc sources and libcryptsetup API documentation by Doxygen (from libcryptsetup.h comments).
 Testsuite is a combination of local C utilities, fuzzing implementation in C++, bash scripts, and uses many other system utilities.
 All tools contain compiled-in debug messages that are available through --debug options.
 With Autoconf and libtool, you can run the cryptsetup tool in the debugger without installation using this one-line script:
 ```
 libtool --mode=execute gdb --args ./cryptsetup --debug $@
 ```
 This will ensure that a properly compiled libcryptsetup file is used.
 ### Coding style
 Cryptsetup uses [Linux kernel coding style](https://www.kernel.org/doc/html/latest/process/coding-style.html) for libcryptsetup and tools (where applicable) with some additional notes:
 - Use tabulators for indentation; the line should not exceed 100 characters with an 8-character tabulator. Otherwise, use a tab of any length. :-).
 - The minimal C standard required is C99.
 - The ``goto`` use is allowed only for error path (``goto out`` for common code path, ``goto err`` for specific error code path).
 - Split patches per change; do not submit huge patches combining several changes.
 - Use an elaborative description in the patch header.
 - No need to use sign-off-by lines.
 - Use name prefixes (``crypt_``, ``LUKS2_`` and similar).
 - Avoid extensive preprocessor use (specifically ``#ifdef`` sections).
 - Use output only through ``log_err, log_std, log_verbose, log_dbg`` macros.
  The ``log_dbg`` is always in English; the others should be wrapped in the ``_()`` macro for translation.
 - Use ``assert()`` but only for simple invariants and variables (avoid calling functions).
  Do not use assert for user-defined input (this should be a normal error path).
 - The code style is quite relaxed in testing scripts (code there is not intended for production use).
 ### General rules and testing
 - Cryptsetup should work on all architectures supported by the Linux kernel.
 Only very few functionalities require specific hardware (notably Opal SED support).
 If you want to introduce some specific hardware support, please discuss it with the maintainers first.
 - All code changes should go through merge requests and reviews.
 Code can be merged after review approval (done by someone with the commit right to the development repository), but reviews from external people are very welcome, too.
 - All new functionality must come with at least rudimentary coverage in the test suite.
 Always run the test suite before opening the merge request (``make check`` with root privilege).
 - We have continuous integration (CI) that runs many tests automatically, but the output is not directly visible for external merge request authors (for security reasons).
 All CI scripts are available in .gitlab and .github folders in the project repository.
  Maintainers will provide you log files if anything fails. Your code must produce no warnings before it is merged.
 - We run compilation with many extended [gcc](.gitlab/ci/gcc-Wall) and [Clang](.gitlab/ci/clang-Wall) warnings and include some analyzers, notably
  - [Coverity](https://scan.coverity.com), GitHub CodeQL, Clang scan-build, and gcc static analyzer, and
  - fuzzing integrated in [OSS-fuzz project](https://github.com/google/oss-fuzz/tree/master/projects/cryptsetup).
 - Testsuite can also partially run under Valgrind dynamic analyzer with ``make valgrind-check``.
--- a/FAQ.md
+++ b/FAQ.md
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,5 +1,18 @@
-EXTRA_DIST = README.md COPYING.LGPL FAQ docs misc
+EXTRA_DIST = README.md SECURITY.md COPYING.LGPL CONTRIBUTING.md FAQ.md docs misc autogen.sh
-SUBDIRS = po tests
+EXTRA_DIST += meson_options.txt \
 	meson.build \
 	lib/crypto_backend/argon2/meson.build \
 	lib/crypto_backend/meson.build \
 	lib/meson.build \
 	man/meson.build \
 	po/meson.build \
 	scripts/meson.build \
 	src/meson.build \
 	tests/meson.build \
 	tokens/meson.build \
 	tokens/ssh/meson.build
 SUBDIRS = po tests tests/fuzz
 CLEANFILES =
 DISTCLEAN_TARGETS =
@@ -14,9 +27,15 @@ AM_CPPFLAGS = \
        -DVERSION=\""$(VERSION)"\"              \
        -DEXTERNAL_LUKS2_TOKENS_PATH=\"${EXTERNAL_LUKS2_TOKENS_PATH}\"
 AM_CFLAGS = -Wall
 AM_CXXFLAGS = -Wall
 AM_LDFLAGS =
-LDADD = $(LTLIBINTL) -lm
+if ENABLE_FUZZ_TARGETS
 AM_CFLAGS += -fsanitize=fuzzer-no-link
 AM_CXXFLAGS += -fsanitize=fuzzer-no-link
 endif
 LDADD = $(LTLIBINTL)
 tmpfilesddir = @DEFAULT_TMPFILESDIR@
@@ -27,6 +46,7 @@ sbin_PROGRAMS =
 man8_MANS =
 tmpfilesd_DATA =
 pkgconfig_DATA =
 dist_noinst_DATA =
 include man/Makemodule.am
@@ -46,7 +66,7 @@ ACLOCAL_AMFLAGS = -I m4
 DISTCHECK_CONFIGURE_FLAGS = 	\
 	--with-tmpfilesdir=$$dc_install_base/usr/lib/tmpfiles.d \
 	--enable-internal-argon2 --enable-internal-sse-argon2 \
-	--enable-external-tokens --enable-ssh-token
+	--enable-external-tokens --enable-ssh-token --enable-asciidoc
 distclean-local:
 	-find . -name \*~ -o -name \*.orig -o -name \*.rej | xargs rm -f
@@ -54,3 +74,17 @@ distclean-local:
 clean-local:
 	-rm -rf docs/doxygen_api_docs libargon2.la
 install-data-local:
 	$(MKDIR_P) -m 0755 $(DESTDIR)/${EXTERNAL_LUKS2_TOKENS_PATH}
 uninstall-local:
 	rmdir $(DESTDIR)/${EXTERNAL_LUKS2_TOKENS_PATH} 2>/dev/null || :
 check-programs: libcryptsetup.la
 	$(MAKE) -C tests $@
 if ENABLE_FUZZ_TARGETS
 fuzz-targets: libcryptsetup.la libcrypto_backend.la
 	$(MAKE) -C tests/fuzz $@
 endif
--- a/README.md
+++ b/README.md
@@ -2,97 +2,144 @@
 What the ...?
 =============
-**Cryptsetup** is a utility used to conveniently set up disk encryption based
+**Cryptsetup** is an open-source utility used to conveniently set up disk encryption based
-on the [DMCrypt](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt) kernel module.
+on the [dm-crypt](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt) kernel module.
-These include **plain** **dm-crypt** volumes, **LUKS** volumes, **loop-AES**,
+These formats are supported:
-**TrueCrypt** (including **VeraCrypt** extension) and **BitLocker** formats.
+  * **plain** volumes,
  * **LUKS** volumes,
  * **loop-AES**,
  * **TrueCrypt** (including **VeraCrypt** extension),
  * **BitLocker**, and
  * **FileVault2**.
 The project also includes a **veritysetup** utility used to conveniently setup
-[DMVerity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity) block integrity checking kernel module
+[dm-verity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity)
-and **integritysetup** to setup
+block integrity checking kernel module and **integritysetup** to setup
-[DMIntegrity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMIntegrity) block integrity kernel module.
+[dm-integrity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMIntegrity)
-
+block integrity kernel module.
 LUKS Design
 -----------
-**LUKS** is the standard for Linux hard disk encryption. By providing a standard on-disk-format, it does not  
+**LUKS** is the standard for Linux disk encryption. By providing a standardized on-disk format,
-only facilitate compatibility among distributions, but also provides secure management of multiple user passwords.  
+it not only facilitate compatibility among distributions, but also enables secure management
-LUKS stores all necessary setup information in the partition header, enabling to transport or migrate data seamlessly.
+of multiple user passwords. LUKS stores all necessary setup information in the partition header,
 which enables users to transport or migrate data seamlessly.
-Last version of the LUKS2 format specification is
+### Specification and documentation
-[available here](https://gitlab.com/cryptsetup/LUKS2-docs).
+  * The latest version of the
-
+  [LUKS2 format specification](https://gitlab.com/cryptsetup/LUKS2-docs).
-Last version of the LUKS1 format specification is
+  * The latest version of the
-[available here](https://www.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf).
+  [LUKS1 format specification](https://www.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf).
-
+  * [Project home page](https://gitlab.com/cryptsetup/cryptsetup/).
-Why LUKS?
+  * [Frequently asked questions (FAQ)](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions)
 ---------
 * compatibility via standardization,
 * secure against low entropy attacks,
 * support for multiple keys,
 * effective passphrase revocation,
 * free.
 [Project home page](https://gitlab.com/cryptsetup/cryptsetup/).
 -----------------
 [Frequently asked questions (FAQ)](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions)
 --------------------------------
 Download
 --------
-All release tarballs and release notes are hosted on [kernel.org](https://www.kernel.org/pub/linux/utils/cryptsetup/).
+Release notes and tarballs are available at
 [kernel.org](https://www.kernel.org/pub/linux/utils/cryptsetup/).
-**The latest release candidate cryptsetup version is 2.4.0-rc1**
+**The latest stable cryptsetup release version is 2.7.5**
-  * [cryptsetup-2.4.0-rc1.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-2.4.0-rc1.tar.xz)
+  * [cryptsetup-2.7.5.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.5.tar.xz)
-  * Signature [cryptsetup-2.4.0-rc1.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-2.4.0-rc1.tar.sign)
+  * Signature [cryptsetup-2.7.5.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.5.tar.sign)
    _(You need to decompress file first to check signature.)_
-  * [Cryptsetup 2.4.0-rc1 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/v2.4.0-rc1-ReleaseNotes).
+  * [Cryptsetup 2.7.5 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.5-ReleaseNotes).
 **The latest stable cryptsetup version is 2.3.6**
  * [cryptsetup-2.3.6.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-2.3.6.tar.xz)
  * Signature [cryptsetup-2.3.6.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-2.3.6.tar.sign)
    _(You need to decompress file first to check signature.)_
  * [Cryptsetup 2.3.6 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/v2.3.6-ReleaseNotes).
 Previous versions
- * [Version 2.0.6](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-2.0.6.tar.xz) -
+ * [Version 2.6.1](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.1.tar.xz) -
-   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-2.0.6.tar.sign) -
+   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.1.tar.sign) -
-   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.6-ReleaseNotes).
+   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/v2.5.0-ReleaseNotes).
 * [Version 1.7.5](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.xz) -
   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.sign) -
   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.5-ReleaseNotes).
-Source and API docs
+Source and API documentation
-------------------
+----------------------------
-For development version code, please refer to [source](https://gitlab.com/cryptsetup/cryptsetup/tree/master) page,
+For development version code, please refer to the
-mirror on [kernel.org](https://git.kernel.org/cgit/utils/cryptsetup/cryptsetup.git/) or [GitHub](https://github.com/mbroz/cryptsetup).
+[source](https://gitlab.com/cryptsetup/cryptsetup/tree/master) page, with mirrors
 at [kernel.org](https://git.kernel.org/cgit/utils/cryptsetup/cryptsetup.git/) and
 [GitHub](https://github.com/mbroz/cryptsetup).
-For libcryptsetup documentation see [libcryptsetup API](https://mbroz.fedorapeople.org/libcryptsetup_API/) page.
+For libcryptsetup documentation see
 [libcryptsetup API](https://mbroz.fedorapeople.org/libcryptsetup_API/) page.
-The libcryptsetup API/ABI changes are tracked in [compatibility report](https://abi-laboratory.pro/tracker/timeline/cryptsetup/).
+NLS PO files are maintained by
-
+[TranslationProject](https://translationproject.org/domain/cryptsetup.html).
 NLS PO files are maintained by [TranslationProject](https://translationproject.org/domain/cryptsetup.html).
 Required packages
 -----------------
-All distributions provide cryptsetup as distro package. If you need to compile cryptsetup youfself, some packages are required for compilation. Please always prefer distro specific build tools to manually configuring cryptsetup.
+All major Linux distributions provide cryptsetup as a bundled package. If you need
-Fo available compile options, check ``configure --help`` for more info. If you are using a git snapshot, you need to generate configure script with ``autogen.sh`` script.
+to compile cryptsetup yourself, various additional packages are required.
 Any distribution-specific build tools are preferred when manually configuring cryptsetup.
-Here is the list of packages needed for the compilation of project for particular distributions:
+Below are the packages needed to build for certain Linux distributions:
 * For Fedora: `git gcc make autoconf automake gettext-devel pkgconfig openssl-devel popt-devel device-mapper-devel libuuid-devel json-c-devel libblkid-devel findutils libtool libssh-devel tar`. Optionally `libargon2-devel libpwquality-devel`. To run internal testsuite you also need `sharutils device-mapper jq vim-common expect keyutils netcat shadow-utils openssh-clients openssh sshpass`.
- * For Debian and Ubuntu: `git gcc make autoconf automake autopoint pkg-config libtool gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol1-dev libjson-c-dev libssh-dev libblkid-dev tar`. Optionally `libargon2-0-dev libpwquality-dev`. To run internal testsuite you also need `sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass`
+**For Fedora**:
 ```
 git gcc make autoconf automake gettext-devel pkgconfig openssl-devel popt-devel device-mapper-devel
 libuuid-devel json-c-devel libblkid-devel findutils libtool libssh-devel tar
-Note that the list could change as distributions evolve.
+Optionally: libargon2-devel libpwquality-devel
 ```
 To run the internal testsuite (make check) you also need to install
 ```
 sharutils device-mapper jq vim-common expect keyutils netcat shadow-utils openssh-clients openssh sshpass
 ```
 **For Debian and Ubuntu**:
 ```
 git gcc make autoconf automake autopoint pkg-config libtool gettext libssl-dev libdevmapper-dev
 libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev tar
 Optionally: libargon2-0-dev libpwquality-dev
 ```
 To run the internal testsuite (make check) you also need to install
 ```
 sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass
 ```
 Note that the list may change as Linux distributions evolve.
 Compilation
 -----------
 The cryptsetup project uses **automake** and **autoconf** system to generate all files needed to build.
 When building from a git snapshot,, use **./autogen.sh && ./configure && make**
 to compile the project. When building from a release **tar.xz** tarball, the configure script
 is pre-generated (no need to run **autoconf.sh**).
 See **./configure --help** and use the **--disable-[feature]** and **--enable-[feature]** options.
 To run the test suite that come with the project, type **make check**.
 Note that most tests will need root user privileges and will run dangerous storage failure simulations.
 Do **not** run tests with root privilege on production systems! Some tests will need the **scsi_debug**
 kernel module to be installed.
 For more details, please refer to the
 [automake](https://www.gnu.org/software/automake/manual/automake.html) and
 [autoconf](https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf.html) documentation.
 Help!
 -----
-Please always read [FAQ](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions) first.
+### Documentation
-For cryptsetup and LUKS related questions, please use the dm-crypt mailing list, [dm-crypt@saout.de](mailto:dm-crypt@saout.de).
+Please read the following before posting questions to the mailing list so that
 you can ask better questions and better understand answers.
-If you want to subscribe just send an empty mail to [dm-crypt-subscribe@saout.de](mailto:dm-crypt-subscribe@saout.de).
+* [Frequently asked questions (FAQ)](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions),
 * [LUKS Specifications](#specification-and-documentation), and
 * manuals (aka man page, man pages, man-page) 
-You can also browse [list archive](https://www.saout.de/pipermail/dm-crypt/) or read and search it through
+The FAQ is available online and in the source code for the project. The specifications are
-[web interface on lore.kernel.org](https://lore.kernel.org/dm-crypt/) or alternatively on [marc.info](https://marc.info/?l=dm-crypt).
+referenced above in this document. The man pages live within the source tree and should be
 available after installation using standard man commands, e.g. **man cryptsetup**.
 ### Mailing List
 For cryptsetup and LUKS related questions, please use the cryptsetup mailing list
 [cryptsetup@lists.linux.dev](mailto:cryptsetup@lists.linux.dev),
 hosted at [kernel.org subspace](https://subspace.kernel.org/lists.linux.dev.html).
 To subscribe send an empty email message to
 [cryptsetup+subscribe@lists.linux.dev](mailto:cryptsetup+subscribe@lists.linux.dev).
 You can also browse and/or search the mailing [list archive](https://lore.kernel.org/cryptsetup/).
 USEnet News (NNTP), Atom feed and git access to the public inbox is available through
 [lore.kernel.org](https://lore.kernel.org) service.
 The former **dm-crypt** [list archive](https://lore.kernel.org/dm-crypt/) is also available.
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,10 @@
 # Reporting a Security Bug in cryptsetup project
 If you think you have discovered a security issue, please report it through
 the project issue tracker [New issue](https://gitlab.com/cryptsetup/cryptsetup/issues)
 as a confidential issue (select confidential checkbox).
 An alternative is to send PGP encrypted mail to the cryptsetup maintainer.
 Current maintainer is [Milan Broz](mailto:gmazyland@gmail.com), use PGP key
 with fingerprint 2A29 1824 3FDE 4664 8D06 86F9 D9B0 577B D93E 98FC.
--- a/autogen.sh
+++ b/autogen.sh
@@ -29,10 +29,10 @@ DIE=0
  DIE=1
 }
-(grep "^AM_PROG_LIBTOOL" $srcdir/configure.ac >/dev/null) && {
+(grep "^LT_INIT" $srcdir/configure.ac >/dev/null) && {
-  (libtool --version) < /dev/null > /dev/null 2>&1 || {
+  (libtoolize --version) < /dev/null > /dev/null 2>&1 || {
    echo
-    echo "**Error**: You must have libtool installed."
+    echo "**Error**: You must have libtoolize installed."
    echo "Download the appropriate package for your distribution."
    DIE=1
  }
@@ -74,7 +74,7 @@ autopoint --force $AP_OPTS
 libtoolize --force --copy
 aclocal -I m4 $AL_OPTS
 autoheader $AH_OPTS
-automake --add-missing --copy --gnu $AM_OPTS
+automake --force-missing --add-missing --copy --gnu $AM_OPTS
 autoconf $AC_OPTS
 echo
--- a/configure.ac
+++ b/configure.ac
@@ -1,9 +1,9 @@
 AC_PREREQ([2.67])
-AC_INIT([cryptsetup],[2.4.0-rc1])
+AC_INIT([cryptsetup],[2.7.5])
 dnl library version from <major>.<minor>.<release>[-<suffix>]
 LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-)
-LIBCRYPTSETUP_VERSION_INFO=19:0:7
+LIBCRYPTSETUP_VERSION_INFO=22:0:10
 AM_SILENT_RULES([yes])
 AC_CONFIG_SRCDIR(src/cryptsetup.c)
@@ -28,12 +28,13 @@ AC_USE_SYSTEM_EXTENSIONS
 AC_PROG_CC
 AM_PROG_CC_C_O
 AC_PROG_CPP
 AC_PROG_CXX
 AC_PROG_INSTALL
 AC_PROG_MAKE_SET
 AC_PROG_MKDIR_P
 AC_ENABLE_STATIC(no)
 LT_INIT
 PKG_PROG_PKG_CONFIG
 AM_ICONV
 dnl ==========================================================================
 dnl define PKG_CHECK_VAR for old pkg-config <= 0.28
@@ -52,13 +53,33 @@ AS_VAR_COPY([$1], [pkg_cv_][$1])
 AS_VAR_IF([$1], [""], [$5], [$4])
 ])
 ])
 dnl ==========================================================================
 dnl AsciiDoc manual pages
 AC_ARG_ENABLE([asciidoc],
 	AS_HELP_STRING([--disable-asciidoc], [do not generate man pages from asciidoc]),
 	[], [enable_asciidoc=yes]
 )
 AC_PATH_PROG([ASCIIDOCTOR], [asciidoctor])
 if test "x$enable_asciidoc" = xyes -a "x$ASCIIDOCTOR" = x; then
 	AC_MSG_ERROR([Building man pages requires asciidoctor installed.])
 fi
 AM_CONDITIONAL([ENABLE_ASCIIDOC], [test "x$enable_asciidoc" = xyes])
 have_manpages=no
 AS_IF([test -f "$srcdir/man/cryptsetup-open.8"], [
 	AC_MSG_NOTICE([re-use already generated man-pages.])
 	have_manpages=yes]
 )
 AM_CONDITIONAL([HAVE_MANPAGES], [test "x$have_manpages" = xyes])
 dnl ==========================================================================
 AC_C_RESTRICT
 AC_HEADER_DIRENT
-AC_HEADER_STDC
+AC_CHECK_HEADERS(fcntl.h malloc.h inttypes.h uchar.h sys/ioctl.h sys/mman.h \
 AC_CHECK_HEADERS(fcntl.h malloc.h inttypes.h sys/ioctl.h sys/mman.h \
 	sys/sysmacros.h sys/statvfs.h ctype.h unistd.h locale.h byteswap.h endian.h stdint.h)
 AC_CHECK_DECLS([O_CLOEXEC],,[AC_DEFINE([O_CLOEXEC],[0], [Defined to 0 if not provided])],
 [[
@@ -107,12 +128,10 @@ if test "x$enable_largefile" = "xno"; then
  AC_MSG_ERROR([Building with --disable-largefile is not supported, it can cause data corruption.])
 fi
 AC_C_CONST
 AC_C_BIGENDIAN
 AC_TYPE_OFF_T
 AC_SYS_LARGEFILE
 AC_FUNC_FSEEKO
 AC_PROG_GCC_TRADITIONAL
 AC_FUNC_STRERROR_R
 dnl ==========================================================================
@@ -123,7 +142,14 @@ AC_ARG_ENABLE([external-tokens],
 	[], [enable_external_tokens=yes])
 if test "x$enable_external_tokens" = "xyes"; then
 	AC_DEFINE(USE_EXTERNAL_TOKENS, 1, [Use external tokens])
 	dnl we need dynamic library loading here
 	saved_LIBS=$LIBS
 	AC_SEARCH_LIBS([dlsym],[dl])
 	AC_CHECK_FUNCS([dlvsym])
 	AC_SUBST(DL_LIBS, $LIBS)
 	LIBS=$saved_LIBS
 fi
 AM_CONDITIONAL(EXTERNAL_TOKENS, test "x$enable_external_tokens" = "xyes")
 AC_ARG_ENABLE([ssh-token],
 	AS_HELP_STRING([--disable-ssh-token], [disable LUKS2 ssh-token]),
@@ -134,6 +160,14 @@ if test "x$enable_ssh_token" = "xyes" -a "x$enable_external_tokens" = "xno"; the
 	AC_MSG_ERROR([Requested LUKS2 ssh-token build, but external tokens are disabled.])
 fi
 dnl LUKS2 online reencryption
 AC_ARG_ENABLE([luks2-reencryption],
 	AS_HELP_STRING([--disable-luks2-reencryption], [disable LUKS2 online reencryption extension]),
 	[], [enable_luks2_reencryption=yes])
 if test "x$enable_luks2_reencryption" = "xyes"; then
 	AC_DEFINE(USE_LUKS2_REENCRYPTION, 1, [Use LUKS2 online reencryption extension])
 fi
 dnl ==========================================================================
 AM_GNU_GETTEXT([external],[need-ngettext])
@@ -179,6 +213,17 @@ if test "x$enable_pwquality" = "xyes"; then
 	PWQUALITY_STATIC_LIBS="$PWQUALITY_LIBS -lcrack -lz"
 fi
 dnl ==========================================================================
 dnl fuzzers, it requires own static library compilation later
 AC_ARG_ENABLE([fuzz-targets],
 	AS_HELP_STRING([--enable-fuzz-targets], [enable building fuzz targets]))
 AM_CONDITIONAL(ENABLE_FUZZ_TARGETS, test "x$enable_fuzz_targets" = "xyes")
 if test "x$enable_fuzz_targets" = "xyes"; then
 	AX_CHECK_COMPILE_FLAG([-fsanitize=fuzzer-no-link],,
 		AC_MSG_ERROR([Required compiler options not supported; use clang.]), [-Werror])
 fi
 dnl ==========================================================================
 dnl passwdqc library (cryptsetup CLI only)
 AC_ARG_ENABLE([passwdqc],
@@ -220,6 +265,9 @@ AC_DEFUN([CONFIGURE_GCRYPT], [
 		GCRYPT_REQ_VERSION=1.1.42
 	fi
 	use_internal_pbkdf2=0
 	use_internal_argon2=1
 	dnl libgcrypt rejects to use pkgconfig, use AM_PATH_LIBGCRYPT from gcrypt-devel here.
 	dnl Do not require gcrypt-devel if other crypto backend is used.
 	m4_ifdef([AM_PATH_LIBGCRYPT],[
@@ -243,7 +291,24 @@ AC_DEFUN([CONFIGURE_GCRYPT], [
 		NO_FIPS([])
 	fi
 	m4_ifdef([AM_PATH_LIBGCRYPT],[
 	AC_ARG_ENABLE([gcrypt-argon2],
 		dnl Check if we can use gcrypt Argon2 (1.11.0 supports empty password)
 		AS_HELP_STRING([--disable-gcrypt-argon2], [force disable internal gcrypt Argon2]),
 		[],
 		[AM_PATH_LIBGCRYPT([1.11.0], [use_internal_argon2=0], [use_internal_argon2=1])])
 	AM_PATH_LIBGCRYPT($GCRYPT_REQ_VERSION,,[AC_MSG_ERROR([You need the gcrypt library.])])],
 	AC_MSG_ERROR([Missing support for gcrypt: install gcrypt and regenerate configure.]))
 	AC_MSG_CHECKING([if internal cryptsetup Argon2 is compiled-in])
 	if test $use_internal_argon2 = 0; then
 		AC_MSG_RESULT([no])
 	else
 		AC_MSG_RESULT([yes])
 	fi
 	AC_CHECK_DECLS([GCRY_CIPHER_MODE_XTS], [], [], [#include <gcrypt.h>])
 	AC_CHECK_DECLS([GCRY_KDF_ARGON2], [], [], [#include <gcrypt.h>])
 	if test "x$enable_static_cryptsetup" = "xyes"; then
 		saved_LIBS=$LIBS
@@ -263,19 +328,25 @@ AC_DEFUN([CONFIGURE_GCRYPT], [
 ])
 AC_DEFUN([CONFIGURE_OPENSSL], [
-	PKG_CHECK_MODULES([OPENSSL], [openssl >= 0.9.8],,
+	PKG_CHECK_MODULES([LIBCRYPTO], [libcrypto >= 0.9.8],,
 		AC_MSG_ERROR([You need openssl library.]))
-	CRYPTO_CFLAGS=$OPENSSL_CFLAGS
+	CRYPTO_CFLAGS=$LIBCRYPTO_CFLAGS
-	CRYPTO_LIBS=$OPENSSL_LIBS
+	CRYPTO_LIBS=$LIBCRYPTO_LIBS
 	use_internal_pbkdf2=0
 	use_internal_argon2=1
 	if test "x$enable_static_cryptsetup" = "xyes"; then
 		saved_PKG_CONFIG=$PKG_CONFIG
 		PKG_CONFIG="$PKG_CONFIG --static"
-		PKG_CHECK_MODULES([OPENSSL_STATIC], [openssl])
+		PKG_CHECK_MODULES([LIBCRYPTO_STATIC], [libcrypto])
-		CRYPTO_STATIC_LIBS=$OPENSSL_STATIC_LIBS
+		CRYPTO_STATIC_LIBS=$LIBCRYPTO_STATIC_LIBS
 		PKG_CONFIG=$saved_PKG_CONFIG
 	fi
 	saved_LIBS=$LIBS
 	AC_CHECK_DECLS([OSSL_get_max_threads], [], [], [#include <openssl/thread.h>])
 	AC_CHECK_DECLS([OSSL_KDF_PARAM_ARGON2_VERSION], [use_internal_argon2=0], [], [#include <openssl/core_names.h>])
 	LIBS=$saved_LIBS
 ])
 AC_DEFUN([CONFIGURE_NSS], [
@@ -296,6 +367,7 @@ AC_DEFUN([CONFIGURE_NSS], [
 	CRYPTO_CFLAGS=$NSS_CFLAGS
 	CRYPTO_LIBS=$NSS_LIBS
 	use_internal_pbkdf2=1
 	use_internal_argon2=1
 	NO_FIPS([])
 ])
@@ -306,6 +378,7 @@ AC_DEFUN([CONFIGURE_KERNEL], [
 #		[AC_MSG_ERROR([You need Linux kernel with userspace crypto interface.])],
 #		[#include <sys/socket.h>])
 	use_internal_pbkdf2=1
 	use_internal_argon2=1
 	NO_FIPS([])
 ])
@@ -322,6 +395,7 @@ AC_DEFUN([CONFIGURE_NETTLE], [
 	CRYPTO_STATIC_LIBS=$CRYPTO_LIBS
 	use_internal_pbkdf2=0
 	use_internal_argon2=1
 	NO_FIPS([])
 ])
@@ -348,11 +422,6 @@ AC_ARG_ENABLE([veritysetup],
 	[], [enable_veritysetup=yes])
 AM_CONDITIONAL(VERITYSETUP, test "x$enable_veritysetup" = "xyes")
 AC_ARG_ENABLE([cryptsetup-reencrypt],
 	AS_HELP_STRING([--disable-cryptsetup-reencrypt], [disable cryptsetup-reencrypt tool]),
 	[], [enable_cryptsetup_reencrypt=yes])
 AM_CONDITIONAL(REENCRYPT, test "x$enable_cryptsetup_reencrypt" = "xyes")
 AC_ARG_ENABLE([integritysetup],
 	AS_HELP_STRING([--disable-integritysetup], [disable integritysetup support]),
 	[], [enable_integritysetup=yes])
@@ -399,10 +468,15 @@ PKG_CHECK_MODULES([JSON_C], [json-c])
 AC_CHECK_DECLS([json_object_object_add_ex], [], [], [#include <json-c/json.h>])
 AC_CHECK_DECLS([json_object_deep_copy], [], [], [#include <json-c/json.h>])
-dnl Check for libssh for SSH plugin
+dnl Check for libssh and argp for SSH plugin
 if test "x$enable_ssh_token" = "xyes"; then
 	PKG_CHECK_MODULES([LIBSSH], [libssh])
 	AC_CHECK_DECLS([ssh_session_is_known_server], [], [], [#include <libssh/libssh.h>])
 	AC_CHECK_HEADER([argp.h], [], AC_MSG_ERROR([You need argp library.]))
 	saved_LIBS=$LIBS
 	AC_SEARCH_LIBS([argp_parse],[argp])
 	AC_SUBST(ARGP_LIBS, $LIBS)
 	LIBS=$saved_LIBS
 fi
 dnl Crypto backend configuration.
@@ -446,12 +520,21 @@ AC_ARG_ENABLE([internal-argon2],
 AC_ARG_ENABLE([libargon2],
 	AS_HELP_STRING([--enable-libargon2], [enable external libargon2 (PHC) library (disables internal bundled version)]))
-if test "x$enable_libargon2" = "xyes" ; then
+if test $use_internal_argon2 = 0 || ( test "x$enable_internal_argon2" = "xno" && test "x$enable_libargon2" != "xyes" ); then
 	if test "x$enable_internal_argon2" = "xyes" || test "x$enable_libargon2" = "xyes"; then
 		AC_MSG_NOTICE([Argon2 in $with_crypto_backend lib is used; internal Argon2 options are ignored.])
 	fi
 	enable_internal_argon2=no
 	enable_internal_sse_argon2=no
 	enable_libargon2=no
 	use_internal_argon2=0
 elif test "x$enable_libargon2" = "xyes" ; then
 	AC_CHECK_HEADERS(argon2.h,,
 		[AC_MSG_ERROR([You need libargon2 development library installed.])])
 	AC_CHECK_DECL(Argon2_id,,[AC_MSG_ERROR([You need more recent Argon2 library with support for Argon2id.])], [#include <argon2.h>])
 	PKG_CHECK_MODULES([LIBARGON2], [libargon2],,[LIBARGON2_LIBS="-largon2"])
 	enable_internal_argon2=no
 	use_internal_argon2=0
 else
 	AC_MSG_WARN([Argon2 bundled (slow) reference implementation will be used, please consider to use system library with --enable-libargon2.])
@@ -470,11 +553,10 @@ else
 	fi
 fi
 if test "x$enable_internal_argon2" = "xyes"; then
 	AC_DEFINE(USE_INTERNAL_ARGON2, 1, [Use internal Argon2])
 fi
 AM_CONDITIONAL(CRYPTO_INTERNAL_ARGON2, test "x$enable_internal_argon2" = "xyes")
 AM_CONDITIONAL(CRYPTO_INTERNAL_SSE_ARGON2, test "x$enable_internal_sse_argon2" = "xyes")
 dnl If libargon is in use, we have defined HAVE_ARGON2_H
 AC_DEFINE_UNQUOTED(USE_INTERNAL_ARGON2, [$use_internal_argon2], [Use internal Argon2])
 dnl Link with blkid to check for other device types
 AC_ARG_ENABLE([blkid],
@@ -509,6 +591,27 @@ AM_CONDITIONAL(HAVE_BLKID, test "x$enable_blkid" = "xyes")
 AM_CONDITIONAL(HAVE_BLKID_WIPE, test "x$enable_blkid_wipe" = "xyes")
 AM_CONDITIONAL(HAVE_BLKID_STEP_BACK, test "x$enable_blkid_step_back" = "xyes")
 AC_ARG_ENABLE([hw-opal],
 	AS_HELP_STRING([--disable-hw-opal], [disable use of hardware-backed OPAL for device encryption]),
 	[],
 	[enable_hw_opal=yes])
 if test "x$enable_hw_opal" = "xyes"; then
 	have_opal=yes
 	AC_CHECK_DECLS([ OPAL_FL_SUM_SUPPORTED,
 			 IOC_OPAL_GET_LR_STATUS,
 			 IOC_OPAL_GET_GEOMETRY
 		       ],
 		       [],
 		       [have_opal=no],
 		       [#include <linux/sed-opal.h>])
 	if test "x$have_opal" = "xyes"; then
 		AC_DEFINE([HAVE_HW_OPAL], 1, [Define to 1 to enable OPAL support.])
 	else
 		AC_MSG_WARN([Can not compile with OPAL support, kernel headers are too old, requires v6.4.])
 	fi
 fi
 dnl Magic for cryptsetup.static build.
 if test "x$enable_static_cryptsetup" = "xyes"; then
 	saved_PKG_CONFIG=$PKG_CONFIG
@@ -541,6 +644,23 @@ if test "x$enable_static_cryptsetup" = "xyes"; then
 	PKG_CONFIG=$saved_PKG_CONFIG
 fi
 dnl Check compiler support for symver function attribute
 AC_MSG_CHECKING([for symver attribute support])
 saved_CFLAGS=$CFLAGS
 CFLAGS="-O0 -Werror"
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 	void _test_sym(void);
 	__attribute__((__symver__("sym@VERSION_4.2"))) void _test_sym(void) {}
 ]],
 [[ _test_sym() ]]
 )],[
 	AC_DEFINE([HAVE_ATTRIBUTE_SYMVER], 1, [Define to 1 to use __attribute__((symver))])
 	AC_MSG_RESULT([yes])
 ], [
 	AC_MSG_RESULT([no])
 ])
 CFLAGS=$saved_CFLAGS
 AC_MSG_CHECKING([for systemd tmpfiles config directory])
 PKG_CHECK_VAR([systemd_tmpfilesdir], [systemd], [tmpfilesdir], [], [systemd_tmpfilesdir=no])
 AC_MSG_RESULT([$systemd_tmpfilesdir])
@@ -566,6 +686,22 @@ AC_SUBST([LIBSSH_LIBS])
 AC_SUBST([LIBCRYPTSETUP_VERSION])
 AC_SUBST([LIBCRYPTSETUP_VERSION_INFO])
 dnl Set Requires.private for libcryptsetup.pc
 dnl pwquality is used only by tools
 PKGMODULES="uuid devmapper json-c"
 case $with_crypto_backend in
 	gcrypt)  PKGMODULES="$PKGMODULES libgcrypt" ;;
 	openssl) PKGMODULES="$PKGMODULES openssl" ;;
 	nss)     PKGMODULES="$PKGMODULES nss" ;;
 	nettle)  PKGMODULES="$PKGMODULES nettle" ;;
 esac
 if test "x$enable_libargon2" = "xyes"; then
 	PKGMODULES="$PKGMODULES libargon2"
 fi
 if test "x$enable_blkid" = "xyes"; then
 	PKGMODULES="$PKGMODULES blkid"
 fi
 AC_SUBST([PKGMODULES])
 dnl ==========================================================================
 AC_ARG_ENABLE([dev-random],
 	AS_HELP_STRING([--enable-dev-random], [use /dev/random by default for key generation (otherwise use /dev/urandom)]))
@@ -601,9 +737,9 @@ AC_DEFUN([CS_ABSPATH], [
 ])
 dnl ==========================================================================
-CS_STR_WITH([plain-hash],   [password hashing function for plain mode], [ripemd160])
+CS_STR_WITH([plain-hash],   [password hashing function for plain mode], [sha256])
 CS_STR_WITH([plain-cipher], [cipher for plain mode], [aes])
-CS_STR_WITH([plain-mode],   [cipher mode for plain mode], [cbc-essiv:sha256])
+CS_STR_WITH([plain-mode],   [cipher mode for plain mode], [xts-plain64])
 CS_NUM_WITH([plain-keybits],[key length in bits for plain mode], [256])
 CS_STR_WITH([luks1-hash],   [hash function for LUKS1 header], [sha256])
@@ -688,5 +824,6 @@ lib/libcryptsetup.pc
 po/Makefile.in
 scripts/cryptsetup.conf
 tests/Makefile
 tests/fuzz/Makefile
 ])
 AC_OUTPUT
--- a/docs/ChangeLog.old
+++ b/docs/ChangeLog.old
@@ -74,7 +74,7 @@
 2012-03-16  Milan Broz  <gmazyland@gmail.com>
 	* Add --keyfile-offset and --new-keyfile-offset parameters to API and CLI.
 	* Add repair command and crypt_repair() for known LUKS metadata problems repair.
-	* Allow to specify --align-payload only for luksFormat.
+	* Allow one to specify --align-payload only for luksFormat.
 2012-03-16  Milan Broz  <mbroz@redhat.com>
 	* Unify password verification option.
@@ -228,7 +228,7 @@
 	* Fix password callback call.
 	* Fix default plain password entry from terminal in activate_by_passphrase.
 	* Add --dump-master-key option for luksDump to allow volume key dump.
-	* Allow to activate by internally cached volume key
+	* Allow one to activate by internally cached volume key
 	  (format/activate without keyslots active - used for temporary devices).
 	* Initialize volume key from active device in crypt_init_by_name()
 	* Fix cryptsetup binary exitcodes.
--- a/docs/Keyring.txt
+++ b/docs/Keyring.txt
@@ -12,30 +12,53 @@ no longer stored directly in dm-crypt target. Starting with cryptsetup 2.0 we
 load VK in kernel keyring by default for LUKSv2 devices (when dm-crypt with the
 feature is available).
-Currently cryptsetup loads VK in 'logon' type kernel key so that VK is passed in
+Currently, cryptsetup loads VK in 'logon' type kernel key so that VK is passed in
-the kernel and can't be read from userspace afterward. Also cryptsetup loads VK in
+the kernel and can't be read from userspace afterwards. Also, cryptsetup loads VK in
-thread keyring (before passing the reference to dm-crypt target) so that the key
+the thread keyring (before passing the reference to dm-crypt target) so that the key
 lifetime is directly bound to the process that performs the dm-crypt setup. When
-cryptsetup process exits (for whatever reason) the key gets unlinked in kernel
+cryptsetup process exits (for whatever reason) the key gets unlinked in the kernel
 automatically. In summary, the key description visible in dm-crypt table line is
 a reference to VK that usually no longer exists in kernel keyring service if you
-used cryptsetup to for device activation.
+used cryptsetup for device activation.
 Using this feature dm-crypt no longer maintains a direct key copy (but there's
-always at least one copy in kernel crypto layer).
+always at least one copy in the kernel crypto layer).
 Additionally, libcryptsetup supports the linking of volume keys to
 user-specified kernel keyring with crypt_set_keyring_to_link(). The user may
 specify keyring name, key type ('user' or 'logon') and key description where
 libcryptsetup should link the verified volume key upon subsequent device
 activation (or key verification alone).
 The volume key(s) (provided the key type is 'user') linked in the user keyring
 can be later used to activate the device via crypt_activate_by_keyslot_context()
 with CRYPT_KC_TYPE_VK_KEYRING type keyslot context
 (acquired by crypt_keyslot_context_init_by_vk_in_keyring()).
 Example of how to use volume key linked in custom user keyring from cryptsetup
 utility:
 1) Open the device and store the volume key to the session keyring:
 # cryptsetup open <device> --link-vk-to-keyring "@s::%user:testkey" tst
 2) Add a keyslot using the stored volume key in a keyring:
 # cryptsetup luksAddKey <device> --volume-key-keyring "%user:testkey"
 3) Activate the device using the volume key cached in a keyring ('user' type key)
 # cryptsetup open <device> <active_name> --volume-key-keyring "testkey"
 II) Keyslot passphrase
 The second use case for kernel keyring is to allow cryptsetup reading the keyslot
-passphrase stored in kernel keyring instead. The user may load passphrase in kernel
+passphrase stored in kernel keyring instead. The user may load the passphrase in the kernel
 keyring and notify cryptsetup to read it from there later. Currently, cryptsetup
 cli supports kernel keyring for passphrase only via LUKS2 internal token
-(luks2-keyring). Library also provides a general method for device activation by
+(luks2-keyring). The library also provides a general method for device activation by
-reading passphrase from keyring: crypt_activate_by_keyring(). The key type
+reading the passphrase from the keyring: crypt_activate_by_keyring(). The key type
 for use case II) must always be 'user' since we need to read the actual key
-data from userspace unlike with VK in I). Ability to read keyslot passphrase
+data from userspace unlike with VK in I). The ability to read keyslot passphrases
-from kernel keyring also allows easily auto-activate LUKS2 devices.
+from kernel keyring also allows easy auto-activate LUKS2 devices.
-Simple example how to use kernel keyring for keyslot passphrase:
+Simple example of how to use kernel keyring for keyslot passphrase:
 1) create LUKS2 keyring token for keyslot 0 (in LUKS2 device/image)
 cryptsetup token add --key-description my:key -S 0 /dev/device
@@ -43,7 +66,7 @@ cryptsetup token add --key-description my:key -S 0 /dev/device
 2) Load keyslot passphrase in user keyring
 read -s -p "Keyslot passphrase: "; echo -n $REPLY | keyctl padd user my:key @u
-3) Activate device using passphrase stored in kernel keyring
+3) Activate the device using the passphrase stored in the kernel keyring
 cryptsetup open /dev/device my_unlocked_device
 4a) unlink the key when no longer needed by
@@ -52,5 +75,5 @@ keyctl unlink %user:my:key @u
 4b) or revoke it immediately by
 keyctl revoke %user:my:key
-If cryptsetup asks for passphrase in step 3) something went wrong with keyring
+If cryptsetup asks for a passphrase in step 3) something went wrong with keyring
 activation. See --debug output then.
--- a/docs/LUKS2-locking.txt
+++ b/docs/LUKS2-locking.txt
@@ -5,7 +5,7 @@ Why
 ~~~
 LUKS2 format keeps two identical copies of metadata stored consecutively
-at the head of metadata device (file or bdev). The metadata
+at the head of the metadata device (file or bdev). The metadata
 area (both copies) must be updated in a single atomic operation to avoid
 header corruption during concurrent write.
@@ -15,17 +15,17 @@ locking with legacy format was not so obvious as it is with the LUKSv2 format.
 With LUKS2 the boundary between read-only and read-write is blurry and what
 used to be the exclusively read-only operation (i.e., cryptsetup open command) may
-easily become read-update operation silently without user's knowledge.
+easily become read-update operation silently without the user's knowledge.
-Major feature of LUKS2 format is resilience against accidental
+A major feature of the LUKS2 format is resilience against accidental
 corruption of metadata (i.e., partial header overwrite by parted or cfdisk
-while creating partition on mistaken block device).
+while creating a partition on a mistaken block device).
-Such header corruption is detected early on header read and auto-recovery
+Such header corruption is detected early on the header read and the auto-recovery
 procedure takes place (the corrupted header with checksum mismatch is being
 replaced by the secondary one if that one is intact).
-On current Linux systems header load operation may be triggered without user
+On current Linux systems header load operation may be triggered without the user
-direct intervention for example by udev rule or from systemd service.
+direct intervention for example by an udev rule or from a systemd service.
-Such clash of header read and auto-recovery procedure could have severe
+Such a clash of header read and auto-recovery procedure could have severe
-consequences with the worst case of having LUKS2 device unaccessible or being
+consequences with the worst case of having a LUKS2 device inaccessible or being
 broken beyond repair.
 The whole locking of LUKSv2 device headers split into two categories depending
@@ -36,17 +36,17 @@ I) block device
 We perform flock() on file descriptors of files stored in a private
 directory (by default /run/lock/cryptsetup). The file name is derived
-from major:minor couple of affected block device. Note we recommend
+from major:minor couple of the affected block device. Note we recommend
-that access to private locking directory is supposed to be limited
+that access to the private locking directory is supposed to be limited
-to superuser only. For this method to work the distribution needs
+to the superuser only. For this method to work the distribution needs
 to install the locking directory with appropriate access rights.
 II) regular files
 ~~~~~~~~~~~~~~~~~
-First notable difference between headers stored in a file
+A first notable difference between headers stored in a file
 vs. headers stored in a block device is that headers in a file may be
-manipulated by the regular user unlike headers on block devices. Therefore
+manipulated by the regular user, unlike headers on block devices. Therefore
 we perform flock() protection on file with the luks2 header directly.
 Limitations
@@ -58,4 +58,40 @@ while locking is enabled.
 We do not suppress any other negative effect that two or more concurrent
 writers of the same header may cause.
-b) The locking is not cluster aware in any way.
+b) The locking is not cluster-aware in any way.
 Additional LUKS2 locks
 ======================
 LUKS2 reencryption device lock
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Device in LUKS2 reencryption is protected by an exclusive lock placed in the default
 locking directory. The lock's purpose is to exclude multiple processes from
 performing reencryption on the same device (identified by LUKS uuid). The lock
 is taken no matter the LUKS2 reencryption mode (online or offline).
 LUKS2 memory hard global lock
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 An optional global lock that makes libcryptsetup serialize memory hard
 pbkdf function when deriving a key encryption key from passphrase on unlocking
 LUKS2 keyslot. The lock has to be enabled via the CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF
 flag. The lock is placed in the default locking directory.
 LUKS2 OPAL lock
 ~~~~~~~~~~~~~~~
 Exclusive per device lock taken when manipulating LUKS2 device configured for use with
 SED OPAL2 locking range.
 Lock ordering
 =============
 To avoid a deadlock following rules must apply:
 - LUKS2 reencrytpion lock must be taken before LUKS2 OPAL lock.
 - LUKS2 OPAL lock must be taken before LUKS2 metadata lock.
 - LUKS2 memory hard global lock can not be used with other locks.
--- a/docs/doxyfile
+++ b/docs/doxyfile
@@ -1,4 +1,4 @@
-# Doxyfile 1.8.8
+# Doxyfile 1.9.8
 #---------------------------------------------------------------------------
 # Project related configuration options
@@ -10,6 +10,7 @@ PROJECT_BRIEF          = "Public cryptsetup API"
 PROJECT_LOGO           =
 OUTPUT_DIRECTORY       = doxygen_api_docs
 CREATE_SUBDIRS         = NO
 CREATE_SUBDIRS_LEVEL   = 8
 ALLOW_UNICODE_NAMES    = NO
 OUTPUT_LANGUAGE        = English
 BRIEF_MEMBER_DESC      = YES
@@ -22,40 +23,49 @@ STRIP_FROM_PATH        =
 STRIP_FROM_INC_PATH    =
 SHORT_NAMES            = NO
 JAVADOC_AUTOBRIEF      = NO
 JAVADOC_BANNER         = NO
 QT_AUTOBRIEF           = NO
 MULTILINE_CPP_IS_BRIEF = NO
 PYTHON_DOCSTRING       = YES
 INHERIT_DOCS           = YES
 SEPARATE_MEMBER_PAGES  = NO
 TAB_SIZE               = 8
 ALIASES                =
 TCL_SUBST              =
 OPTIMIZE_OUTPUT_FOR_C  = YES
 OPTIMIZE_OUTPUT_JAVA   = NO
 OPTIMIZE_FOR_FORTRAN   = NO
 OPTIMIZE_OUTPUT_VHDL   = NO
 OPTIMIZE_OUTPUT_SLICE  = NO
 EXTENSION_MAPPING      =
 MARKDOWN_SUPPORT       = YES
 TOC_INCLUDE_HEADINGS   = 5
 MARKDOWN_ID_STYLE      = DOXYGEN
 AUTOLINK_SUPPORT       = YES
 BUILTIN_STL_SUPPORT    = NO
 CPP_CLI_SUPPORT        = NO
 SIP_SUPPORT            = NO
 IDL_PROPERTY_SUPPORT   = YES
 DISTRIBUTE_GROUP_DOC   = NO
 GROUP_NESTED_COMPOUNDS = NO
 SUBGROUPING            = YES
 INLINE_GROUPED_CLASSES = NO
 INLINE_SIMPLE_STRUCTS  = NO
 TYPEDEF_HIDES_STRUCT   = YES
 LOOKUP_CACHE_SIZE      = 0
 NUM_PROC_THREADS       = 1
 TIMESTAMP              = NO
 #---------------------------------------------------------------------------
 # Build related configuration options
 #---------------------------------------------------------------------------
 EXTRACT_ALL            = NO
 EXTRACT_PRIVATE        = NO
 EXTRACT_PRIV_VIRTUAL   = NO
 EXTRACT_PACKAGE        = NO
 EXTRACT_STATIC         = NO
 EXTRACT_LOCAL_CLASSES  = YES
 EXTRACT_LOCAL_METHODS  = NO
 EXTRACT_ANON_NSPACES   = NO
 RESOLVE_UNNAMED_PARAMS = YES
 HIDE_UNDOC_MEMBERS     = NO
 HIDE_UNDOC_CLASSES     = NO
 HIDE_FRIEND_COMPOUNDS  = NO
@@ -63,6 +73,8 @@ HIDE_IN_BODY_DOCS      = NO
 INTERNAL_DOCS          = NO
 CASE_SENSE_NAMES       = YES
 HIDE_SCOPE_NAMES       = NO
 HIDE_COMPOUND_REFERENCE= NO
 SHOW_HEADERFILE        = YES
 SHOW_INCLUDE_FILES     = YES
 SHOW_GROUPED_MEMB_INC  = NO
 FORCE_LOCAL_INCLUDES   = NO
@@ -92,22 +104,27 @@ QUIET                  = NO
 WARNINGS               = YES
 WARN_IF_UNDOCUMENTED   = YES
 WARN_IF_DOC_ERROR      = YES
 WARN_IF_INCOMPLETE_DOC = YES
 WARN_NO_PARAMDOC       = NO
 WARN_IF_UNDOC_ENUM_VAL = NO
 WARN_AS_ERROR          = NO
 WARN_FORMAT            = "$file:$line: $text"
 WARN_LINE_FORMAT       = "at line $line of file $file"
 WARN_LOGFILE           =
 #---------------------------------------------------------------------------
 # Configuration options related to the input files
 #---------------------------------------------------------------------------
-INPUT                  = "doxygen_index.h" \
+INPUT                  = doxygen_index.h \
-                         "../lib/libcryptsetup.h"
+                         ../lib/libcryptsetup.h
 INPUT_ENCODING         = UTF-8
 INPUT_FILE_ENCODING    =
 FILE_PATTERNS          =
 RECURSIVE              = NO
 EXCLUDE                =
 EXCLUDE_SYMLINKS       = NO
 EXCLUDE_PATTERNS       =
 EXCLUDE_SYMBOLS        =
-EXAMPLE_PATH           = "examples"
+EXAMPLE_PATH           = examples
 EXAMPLE_PATTERNS       =
 EXAMPLE_RECURSIVE      = NO
 IMAGE_PATH             =
@@ -116,6 +133,7 @@ FILTER_PATTERNS        =
 FILTER_SOURCE_FILES    = NO
 FILTER_SOURCE_PATTERNS =
 USE_MDFILE_AS_MAINPAGE =
 FORTRAN_COMMENT_AFTER  = 72
 #---------------------------------------------------------------------------
 # Configuration options related to source browsing
 #---------------------------------------------------------------------------
@@ -129,12 +147,13 @@ SOURCE_TOOLTIPS        = YES
 USE_HTAGS              = NO
 VERBATIM_HEADERS       = YES
 CLANG_ASSISTED_PARSING = NO
 CLANG_ADD_INC_PATHS    = YES
 CLANG_OPTIONS          =
 CLANG_DATABASE_PATH    =
 #---------------------------------------------------------------------------
 # Configuration options related to the alphabetical class index
 #---------------------------------------------------------------------------
 ALPHABETICAL_INDEX     = YES
 COLS_IN_ALPHA_INDEX    = 5
 IGNORE_PREFIX          =
 #---------------------------------------------------------------------------
 # Configuration options related to the HTML output
@@ -147,14 +166,17 @@ HTML_FOOTER            =
 HTML_STYLESHEET        =
 HTML_EXTRA_STYLESHEET  =
 HTML_EXTRA_FILES       =
 HTML_COLORSTYLE        = AUTO_LIGHT
 HTML_COLORSTYLE_HUE    = 220
 HTML_COLORSTYLE_SAT    = 100
 HTML_COLORSTYLE_GAMMA  = 80
-HTML_TIMESTAMP         = YES
+HTML_DYNAMIC_MENUS     = YES
 HTML_DYNAMIC_SECTIONS  = NO
 HTML_CODE_FOLDING      = YES
 HTML_INDEX_NUM_ENTRIES = 100
 GENERATE_DOCSET        = NO
 DOCSET_FEEDNAME        = "Doxygen generated docs"
 DOCSET_FEEDURL         =
 DOCSET_BUNDLE_ID       = org.doxygen.Project
 DOCSET_PUBLISHER_ID    = org.doxygen.Publisher
 DOCSET_PUBLISHER_NAME  = Publisher
@@ -165,6 +187,7 @@ GENERATE_CHI           = NO
 CHM_INDEX_ENCODING     =
 BINARY_TOC             = NO
 TOC_EXPAND             = NO
 SITEMAP_URL            =
 GENERATE_QHP           = NO
 QCH_FILE               =
 QHP_NAMESPACE          = org.doxygen.Project
@@ -177,12 +200,16 @@ GENERATE_ECLIPSEHELP   = NO
 ECLIPSE_DOC_ID         = org.doxygen.Project
 DISABLE_INDEX          = NO
 GENERATE_TREEVIEW      = NO
 FULL_SIDEBAR           = NO
 ENUM_VALUES_PER_LINE   = 4
 TREEVIEW_WIDTH         = 250
 EXT_LINKS_IN_WINDOW    = NO
 OBFUSCATE_EMAILS       = YES
 HTML_FORMULA_FORMAT    = png
 FORMULA_FONTSIZE       = 10
-FORMULA_TRANSPARENT    = YES
+FORMULA_MACROFILE      =
 USE_MATHJAX            = NO
 MATHJAX_VERSION        = MathJax_2
 MATHJAX_FORMAT         = HTML-CSS
 MATHJAX_RELPATH        = http://www.mathjax.org/mathjax
 MATHJAX_EXTENSIONS     =
@@ -201,18 +228,20 @@ GENERATE_LATEX         = YES
 LATEX_OUTPUT           = latex
 LATEX_CMD_NAME         = latex
 MAKEINDEX_CMD_NAME     = makeindex
 LATEX_MAKEINDEX_CMD    = makeindex
 COMPACT_LATEX          = NO
 PAPER_TYPE             = a4
 EXTRA_PACKAGES         =
 LATEX_HEADER           =
 LATEX_FOOTER           =
 LATEX_EXTRA_STYLESHEET =
 LATEX_EXTRA_FILES      =
 PDF_HYPERLINKS         = YES
 USE_PDFLATEX           = YES
 LATEX_BATCHMODE        = NO
 LATEX_HIDE_INDICES     = NO
 LATEX_SOURCE_CODE      = NO
 LATEX_BIB_STYLE        = plain
 LATEX_EMOJI_DIRECTORY  =
 #---------------------------------------------------------------------------
 # Configuration options related to the RTF output
 #---------------------------------------------------------------------------
@@ -236,17 +265,23 @@ MAN_LINKS              = NO
 GENERATE_XML           = NO
 XML_OUTPUT             = xml
 XML_PROGRAMLISTING     = YES
 XML_NS_MEMB_FILE_SCOPE = NO
 #---------------------------------------------------------------------------
 # Configuration options related to the DOCBOOK output
 #---------------------------------------------------------------------------
 GENERATE_DOCBOOK       = NO
 DOCBOOK_OUTPUT         = docbook
 DOCBOOK_PROGRAMLISTING = NO
 #---------------------------------------------------------------------------
 # Configuration options for the AutoGen Definitions output
 #---------------------------------------------------------------------------
 GENERATE_AUTOGEN_DEF   = NO
 #---------------------------------------------------------------------------
 # Configuration options related to Sqlite3 output
 #---------------------------------------------------------------------------
 GENERATE_SQLITE3       = NO
 SQLITE3_OUTPUT         = sqlite3
 SQLITE3_RECREATE_DB    = YES
 #---------------------------------------------------------------------------
 # Configuration options related to the Perl module output
 #---------------------------------------------------------------------------
 GENERATE_PERLMOD       = NO
@@ -273,24 +308,23 @@ GENERATE_TAGFILE       =
 ALLEXTERNALS           = NO
 EXTERNAL_GROUPS        = YES
 EXTERNAL_PAGES         = YES
 PERL_PATH              =
 #---------------------------------------------------------------------------
-# Configuration options related to the dot tool
+# Configuration options related to diagram generator tools
 #---------------------------------------------------------------------------
 CLASS_DIAGRAMS         = YES
 MSCGEN_PATH            =
 DIA_PATH               =
 HIDE_UNDOC_RELATIONS   = YES
 HAVE_DOT               = NO
 DOT_NUM_THREADS        = 0
-DOT_FONTNAME           = Helvetica
+DOT_COMMON_ATTR        = "fontname=Helvetica,fontsize=10"
-DOT_FONTSIZE           = 10
+DOT_EDGE_ATTR          = "labelfontname=Helvetica,labelfontsize=10"
 DOT_NODE_ATTR          = "shape=box,height=0.2,width=0.4"
 DOT_FONTPATH           =
 CLASS_GRAPH            = YES
 COLLABORATION_GRAPH    = YES
 GROUP_GRAPHS           = YES
 UML_LOOK               = NO
 UML_LIMIT_NUM_FIELDS   = 10
 DOT_UML_DETAILS        = NO
 DOT_WRAP_THRESHOLD     = 17
 TEMPLATE_RELATIONS     = NO
 INCLUDE_GRAPH          = YES
 INCLUDED_BY_GRAPH      = YES
@@ -298,16 +332,20 @@ CALL_GRAPH             = NO
 CALLER_GRAPH           = NO
 GRAPHICAL_HIERARCHY    = YES
 DIRECTORY_GRAPH        = YES
 DIR_GRAPH_MAX_DEPTH    = 1
 DOT_IMAGE_FORMAT       = png
 INTERACTIVE_SVG        = NO
 DOT_PATH               =
 DOTFILE_DIRS           =
-MSCFILE_DIRS           =
+DIA_PATH               =
 DIAFILE_DIRS           =
 PLANTUML_JAR_PATH      =
 PLANTUML_CFG_FILE      =
 PLANTUML_INCLUDE_PATH  =
 DOT_GRAPH_MAX_NODES    = 50
 MAX_DOT_GRAPH_DEPTH    = 0
 DOT_TRANSPARENT        = NO
 DOT_MULTI_TARGETS      = NO
 GENERATE_LEGEND        = YES
 DOT_CLEANUP            = YES
 MSCGEN_TOOL            =
 MSCFILE_DIRS           =
--- a/docs/examples/crypt_log_usage.c
+++ b/docs/examples/crypt_log_usage.c
@@ -1,21 +1,8 @@
 // SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * libcryptsetup API log example
 *
- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
 *
 * This file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This file is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this file; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include <stdio.h>
--- a/docs/examples/crypt_luks_usage.c
+++ b/docs/examples/crypt_luks_usage.c
@@ -1,21 +1,8 @@
 // SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 *  libcryptsetup API - using LUKS device example
 *
- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
 *
 * This file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This file is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this file; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include <stdio.h>
--- a/docs/on-disk-format-luks2.pdf
+++ b/docs/on-disk-format-luks2.pdf
--- a/docs/v1.2.0-ReleaseNotes
+++ b/docs/v1.2.0-ReleaseNotes
@@ -85,7 +85,7 @@ Libcryptsetup API additions:
 * Fix optional password callback handling.
- * Allow to activate by internally cached volume key immediately after
+ * Allow one to activate by internally cached volume key immediately after
 crypt_format() without active slot (for temporary devices with
 on-disk metadata)
--- a/docs/v1.4.2-ReleaseNotes
+++ b/docs/v1.4.2-ReleaseNotes
@@ -24,7 +24,7 @@ Changes since version 1.4.1
 * Fix header check to support old (cryptsetup 1.0.0) header alignment.
  (Regression in 1.4.0)
-* Allow to specify --align-payload only for luksFormat.
+* Allow one to specify --align-payload only for luksFormat.
 * Add --master-key-file option to luksOpen (open using volume key).
--- a/docs/v1.4.3-ReleaseNotes
+++ b/docs/v1.4.3-ReleaseNotes
@@ -32,7 +32,7 @@ Changes since version 1.4.2
  Device-mapper now retry removal if device is busy.
 * Allow "private" activation (skip some udev global rules) flag.
-  Cryptsetup library API now allows to specify CRYPT_ACTIVATE_PRIVATE,
+  Cryptsetup library API now allows one to specify CRYPT_ACTIVATE_PRIVATE,
  which means that some udev rules are not processed.
  (Used for temporary devices, like internal keyslot mappings where
  it is not desirable to run any device scans.)
--- a/docs/v1.6.0-ReleaseNotes
+++ b/docs/v1.6.0-ReleaseNotes
@@ -4,7 +4,7 @@ Cryptsetup 1.6.0 Release Notes
 Changes since version 1.6.0-rc1
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- * Change LUKS default cipher to to use XTS encryption mode,
+ * Change LUKS default cipher to use XTS encryption mode,
   aes-xts-plain64 (i.e. using AES128-XTS).
   XTS mode becomes standard in hard disk encryption.
@@ -209,7 +209,7 @@ Important changes
     WARNING: these tests do not use dmcrypt, only crypto API.
     You have to benchmark the whole device stack and you can get completely
-     different results. But is is usable for basic comparison.
+     different results. But it is usable for basic comparison.
     (Note for example AES-NI decryption optimization effect in example above.)
 Features
--- a/docs/v1.6.2-ReleaseNotes
+++ b/docs/v1.6.2-ReleaseNotes
@@ -8,7 +8,7 @@ Changes since version 1.6.1
 * Fix cipher specification string parsing (found by gcc -fsanitize=address option).
 * Try to map TCRYPT system encryption through partition
-  (allows to activate mapping when other partition on the same device is mounted).
+  (allows one to activate mapping when other partition on the same device is mounted).
 * Print a warning if system encryption is used and device is a partition.
  (TCRYPT system encryption uses whole device argument.)
--- a/docs/v1.6.4-ReleaseNotes
+++ b/docs/v1.6.4-ReleaseNotes
@@ -25,7 +25,7 @@ Changes since version 1.6.3
  Please refer to cryptsetup FAQ for detail how to fix this situation.
-* Allow to use --disable-gcrypt-pbkdf2 during configuration
+* Allow one to use --disable-gcrypt-pbkdf2 during configuration
  to force use internal PBKDF2 code.
 * Require gcrypt 1.6.1 for imported implementation of PBKDF2
--- a/docs/v1.6.5-ReleaseNotes
+++ b/docs/v1.6.5-ReleaseNotes
@@ -38,7 +38,7 @@ Changes since version 1.6.4
  The command "cryptsetup status" will print basic info, even if you
  do not provide detached header argument.
-* Allow to specify ECB mode in cryptsetup benchmark.
+* Allow one to specify ECB mode in cryptsetup benchmark.
 * Add some LUKS images for regression testing.
  Note that if image with Whirlpool fails, the most probable cause is that
--- a/docs/v1.6.7-ReleaseNotes
+++ b/docs/v1.6.7-ReleaseNotes
@@ -35,14 +35,14 @@ Changes since version 1.6.6
 * Support permanent device decryption for cryptsetup-reencrypt.
  To remove LUKS encryption from a device, you can now use --decrypt option.
-* Allow to use --header option in all LUKS commands.
+* Allow one to use --header option in all LUKS commands.
  The --header always takes precedence over positional device argument.
 * Allow luksSuspend without need to specify a detached header.
 * Detect if O_DIRECT is usable on a device allocation.
  There are some strange storage stack configurations which wrongly allows
-  to open devices with direct-io but fails on all IO operations later.
+  one to open devices with direct-io but fails on all IO operations later.
  Cryptsetup now tries to read the device first sector to ensure it can use
  direct-io.
--- a/docs/v1.6.8-ReleaseNotes
+++ b/docs/v1.6.8-ReleaseNotes
@@ -30,7 +30,7 @@ Changes since version 1.6.7
  cryptsetup resize will try to resize underlying loop device as well.
  (It can be used to grow up file-backed device in one step.)
-* Cryptsetup now allows to use empty password through stdin pipe.
+* Cryptsetup now allows one to use empty password through stdin pipe.
  (Intended only for testing in scripts.)
 Cryptsetup API NOTE:
--- a/docs/v1.7.4-ReleaseNotes
+++ b/docs/v1.7.4-ReleaseNotes
@@ -3,7 +3,7 @@ Cryptsetup 1.7.4 Release Notes
 Changes since version 1.7.3
-* Allow to specify LUKS1 hash algorithm in Python luksFormat wrapper.
+* Allow one to specify LUKS1 hash algorithm in Python luksFormat wrapper.
 * Use LUKS1 compiled-in defaults also in Python wrapper.
--- a/docs/v2.0.0-ReleaseNotes
+++ b/docs/v2.0.0-ReleaseNotes
@@ -89,7 +89,7 @@ Important features
  Integritysetup is intended to be used for settings that require
  non-cryptographic data integrity protection with no data encryption.
-  Fo setting integrity protected encrypted devices, see disk authenticated
+  For setting integrity protected encrypted devices, see disk authenticated
  encryption below.
  Note that after formatting the checksums need to be initialized;
@@ -583,7 +583,7 @@ Unfinished things & TODO for next releases
  in kernel (more on this later).
  NOTE: Currently available authenticated modes (GCM, Chacha20-poly1305)
  in kernel have too small 96-bit nonces that are problematic with
-  randomly generated IVs (the collison probability is not negligible).
+  randomly generated IVs (the collision probability is not negligible).
  For the GCM, nonce collision is a fatal problem.
 * Authenticated encryption do not set encryption for dm-integrity journal.
--- a/docs/v2.0.2-ReleaseNotes
+++ b/docs/v2.0.2-ReleaseNotes
@@ -30,7 +30,7 @@ Changes since version 2.0.1
 * Add LUKS2 specific options for cryptsetup-reencrypt.
  Tokens and persistent flags are now transferred during reencryption;
-  change of PBKDF keyslot parameters is now supported and allows
+  change of PBKDF keyslot parameters is now supported and allows one
  to set precalculated values (no benchmarks).
 * Do not allow LUKS2 --persistent and --test-passphrase cryptsetup flags
--- a/docs/v2.0.3-ReleaseNotes
+++ b/docs/v2.0.3-ReleaseNotes
@@ -28,7 +28,7 @@ Changes since version 2.0.2
 * New API extensions for unbound keyslots (LUKS2 only)
  crypt_keyslot_get_key_size() and crypt_volume_key_get()
-  These functions allow to get key and key size for unbound keyslots.
+  These functions allow one to get key and key size for unbound keyslots.
 * New enum value CRYPT_SLOT_UNBOUND for keyslot status (LUKS2 only).
--- a/docs/v2.1.0-ReleaseNotes
+++ b/docs/v2.1.0-ReleaseNotes
@@ -170,21 +170,21 @@ These new calls are now exported, for details see libcryptsetup.h:
 * crypt_get_metadata_size
 * crypt_set_metadata_size
-     allows to set/get area sizes in LUKS header
+     allows one to set/get area sizes in LUKS header
     (according to specification).
 * crypt_get_default_type
     get default compiled-in LUKS type (version).
 * crypt_get_pbkdf_type_params
-     allows to get compiled-in PBKDF parameters.
+     allows one to get compiled-in PBKDF parameters.
 * crypt_keyslot_set_encryption
 * crypt_keyslot_get_encryption
-     allows to set/get per-keyslot encryption algorithm for LUKS2.
+     allows one to set/get per-keyslot encryption algorithm for LUKS2.
 * crypt_keyslot_get_pbkdf
-     allows to get PBKDF parameters per-keyslot.
+     allows one to get PBKDF parameters per-keyslot.
 and these new defines:
 * CRYPT_LOG_DEBUG_JSON (message type for JSON debug)
--- a/docs/v2.3.0-ReleaseNotes
+++ b/docs/v2.3.0-ReleaseNotes
@@ -9,7 +9,7 @@ native read-write access to BitLocker Full Disk Encryption devices.
 The BITLK implementation is based on publicly available information
 and it is an independent and opensource implementation that allows
-to access this proprietary disk encryption.
+one to access this proprietary disk encryption.
 Changes since version 2.2.2
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- a/docs/v2.3.2-ReleaseNotes
+++ b/docs/v2.3.2-ReleaseNotes
@@ -18,7 +18,7 @@ Changes since version 2.3.1
  The slot number --key-slot (-S) option is mandatory here.
  An unbound keyslot store a key is that is not assigned to data
-  area on disk (LUKS2 allows to store arbitrary keys).
+  area on disk (LUKS2 allows one to store arbitrary keys).
 * Rephrase some error messages and remove redundant end-of-lines.
--- a/docs/v2.3.4-ReleaseNotes
+++ b/docs/v2.3.4-ReleaseNotes
@@ -75,7 +75,7 @@ Changes since version 2.3.3
  If users want to use blake2b/blake2s, the kernel algorithm name includes
  a dash (like "blake2s-256").
-  Theses algorithms can now be used for integritysetup devices.
+  These algorithms can now be used for integritysetup devices.
 * Fix crypto backend to properly handle ECB mode.
--- a/docs/v2.4.0-rc1-ReleaseNotes
+++ b/docs/v2.4.0-rc1-ReleaseNotes
@@ -1,31 +1,10 @@
-Cryptsetup 2.4.0-rc1 Release Notes
+Cryptsetup 2.4.0 Release Notes
-==================================
+==============================
-Stable release candidate with new features and bug fixes.
+Stable release with new features and bug fixes.
 This version introduces support for external libraries
 (plugins) for handling LUKS2 token objects.
 Changes since version 2.4.0-rc0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 * Add cryptsetup --token-type parameter.
  It restricts token type to the parameter value in case no specific
  token-id is selected.
 * Do not retry token operations if PIN entry failed.
 * Respect keyslot priority with token-based activation.
 * veritysetup: add --root-hash-file option
  Allow passing the root hash via a file, rather than verbatim on
  the command line, for the open, verify, and format actions.
 * Add crypt_reencrypt_run superseding now deprecated crypt_reencrypt
  API call (fixes API break in rc0 release).
 * Respect keyslot priority with token-based activation.
 Changes since version 2.3.6
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -39,7 +18,13 @@ Changes since version 2.3.6
  in external libraries (possibly provided by other projects).
  A token library allows cryptsetup to understand metadata and provide
-  basic operations (activate, resize, dump metadata, handle keyslots).
+  basic operations. Currently external tokens may be used to unlock
  keyslots for following CLI actions: open (luksOpen),
  refresh (open --refresh), resize and dump (prints token specific
  content).
  LUKS2 devices cannot be resumed (luksResume action) via tokens yet.
  Support for resume and other actions will be added later.
  The library now provides an interface that automatically tries to load
  an external library for a token object in LUKS2 metadata.
@@ -61,8 +46,14 @@ Changes since version 2.3.6
  External projects can use this interface to handle specific hardware
  without introducing additional dependencies to libcryptsetup core.
-  Examples of such tokens are already available for the systemd project
+  As of cryptsetup 2.4.0 release systemd project already merged upstream
-  for TPM2 and FIDO2 interfaces.
+  native cryptsetup token handler for its systemd-tpm2 LUKS2 token
  released originally in systemd-v248. The token can be created using
  systemd-cryptenroll utility and devices may be manipulated either by
  systemd-cryptsetup cli or by cryptsetup for actions listed above.
  Other tokens like systemd-fido2 and systemd-pkcs11 are currently
  in-review.
 * Experimental SSH token
@@ -119,6 +110,19 @@ Example (how to activate LUKS2 through remote keyfile):
  Please note SSH token is just demonstration of plugin interface API,
  it is an EXPERIMENTAL feature.
 * Add cryptsetup --token-type parameter.
  It restricts token type to the parameter value in case no specific
  token-id is selected.
 * Support for token based activation with PIN.
  If specific token requires PIN to unlock keyslot passphrase and
  --token-only parameter was used cryptsetup asks for additional
  token PIN.
 * Respect keyslot priority with token-based activation.
 * Default LUKS2 PBKDF is now Argon2id
  Cryptsetup LUKS2 was using Argon2 while there were two versions,
@@ -266,6 +270,10 @@ Example (how to activate LUKS2 through remote keyfile):
  Note that it cannot detect unknown algorithm names and similar where
  we need call API functions.
 * veritysetup: add --root-hash-file option
  Allow passing the root hash via a file, rather than verbatim on
  the command line, for the open, verify, and format actions.
 * libcryptsetup C API extensions (see libcryptsetup.h for details)
  - crypt_logf - a printf like log function
@@ -275,7 +283,7 @@ Example (how to activate LUKS2 through remote keyfile):
  - crypt_token_external_path - get path for plugins (or NULL)
  - crypt_token_external_disable - disable runtime support for plugins
  - crypt_activate_by_token_pin - activate by token with additional PIN
-  - crypt_reencrypt - fixed prototype
+  - crypt_reencrypt_run - fixed API for deprecated crypt_reencrypt
  The token plugin library interface cosists from these versioned
  exported symbols (for details see header file and SSH token example):
--- a/docs/v2.4.1-ReleaseNotes
+++ b/docs/v2.4.1-ReleaseNotes
@@ -0,0 +1,47 @@
 Cryptsetup 2.4.1 Release Notes
 ==============================
 Stable bug-fix release with minor extensions.
 All users of cryptsetup 2.4.0 should upgrade to this version.
 Changes since version 2.4.0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 * Fix compilation for libc implementations without dlvsym().
  Some alternative libc implementations (like musl) do not provide
  versioned symbols dlvsym function. Code now fallbacks to dlsym
  operation for dynamic LUKS2 token load.
  It is up to maintainers to ensure that LUKS2 token plugins are
  compiled for the supported version.
 * Fix compilation and tests on systems with non-standard libraries
  (standalone argp library, external gettext library, BusyBox
  implementations of standard tools).
 * Try to workaround some issues on systems without udev support.
  NOTE: non-udev systems cannot provide all functionality for kernel
  device-mapper, and some operations can fail.
 * Fixes for OpenSSL3 crypto backend (including FIPS mode).
  Because cryptsetup still requires some hash functions implemented
  in OpenSSL3 legacy provider, crypto backend now uses its library
  context and tries to load both default and legacy OpenSSL3 providers.
  If FIPS mode is detected, no library context is used, and it is up
  to the OpenSSL system-wide policy to load proper providers.
  NOTE: We still use some deprecated API in the OpenSSL3 backend,
  and there are some known problems in OpenSSL 3.0.0.
 * Print error message when assigning a token to an inactive keyslot.
 * Fix offset bug in LUKS2 encryption code if --offset option was used.
 * Do not allow LUKS2 decryption for devices with data offset.
  Such devices cannot be used after decryption.
 * Fix LUKS1 cryptsetup repair command for some specific problems.
  Repair code can now fix wrongly used initialization vector
  specification in ECB mode (that is insecure anyway!) and repair
  the upper-case hash specification in the LUKS1 header.
--- a/docs/v2.4.2-ReleaseNotes
+++ b/docs/v2.4.2-ReleaseNotes
@@ -0,0 +1,37 @@
 Cryptsetup 2.4.2 Release Notes
 ==============================
 Stable bug-fix release.
 All users of cryptsetup 2.4.1 should upgrade to this version.
 Changes since version 2.4.1
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 * Fix possible large memory allocation if LUKS2 header size is invalid.
  LUKS2 code read the full header to buffer to verify the checksum.
  The maximal supported header size now limits the memory allocation.
 * Fix memory corruption in debug message printing LUKS2 checksum.
 * veritysetup: remove link to the UUID library for the static build.
 * Remove link to pwquality library for integritysetup and veritysetup.
  These tools do not read passphrases.
 * OpenSSL3 backend: avoid remaining deprecated calls in API.
  Crypto backend no longer use API deprecated in OpenSSL 3.0
 * Check if kernel device-mapper create device failed in an early phase.
  This happens when a concurrent creation of device-mapper devices
  meets in the very early state.
 * Do not set compiler optimization flag for Argon2 KDF if the memory
  wipe is implemented in libc.
 * Do not attempt to unload LUKS2 tokens if external tokens are disabled.
  This allows building a static binary with  --disable-external-tokens.
 * LUKS convert: also check sysfs for device activity.
  If udev symlink is missing, code fallbacks to sysfs scan to prevent
  data corruption for the active device.
--- a/docs/v2.4.3-ReleaseNotes
+++ b/docs/v2.4.3-ReleaseNotes
@@ -0,0 +1,101 @@
 Cryptsetup 2.4.3 Release Notes
 ==============================
 Stable security bug-fix release that fixes CVE-2021-4122.
 All users of cryptsetup 2.4.x must upgrade to this version.
 Changes since version 2.4.2
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 * Fix possible attacks against data confidentiality through LUKS2 online
  reencryption extension crash recovery (CVE-2021-4122).
  An attacker can modify on-disk metadata to simulate decryption in
  progress with crashed (unfinished) reencryption step and persistently
  decrypt part of the LUKS device.
  This attack requires repeated physical access to the LUKS device but
  no knowledge of user passphrases.
  The decryption step is performed after a valid user activates
  the device with a correct passphrase and modified metadata.
  There are no visible warnings for the user that such recovery happened
  (except using the luksDump command). The attack can also be reversed
  afterward (simulating crashed encryption from a plaintext) with
  possible modification of revealed plaintext.
  The size of possible decrypted data depends on configured LUKS2 header
  size (metadata size is configurable for LUKS2).
  With the default parameters (16 MiB LUKS2 header) and only one
  allocated keyslot (512 bit key for AES-XTS), simulated decryption with
  checksum resilience SHA1 (20 bytes checksum for 4096-byte blocks),
  the maximal decrypted size can be over 3GiB.
  The attack is not applicable to LUKS1 format, but the attacker can
  update metadata in place to LUKS2 format as an additional step.
  For such a converted LUKS2 header, the keyslot area is limited to
  decrypted size (with SHA1 checksums) over 300 MiB.
  The issue is present in all cryptsetup releases since 2.2.0.
  Versions 1.x, 2.0.x, and 2.1.x are not affected, as these do not
  contain LUKS2 reencryption extension.
  The problem was caused by reusing a mechanism designed for actual
  reencryption operation without reassessing the security impact for new
  encryption and decryption operations. While the reencryption requires
  calculating and verifying both key digests, no digest was needed to
  initiate decryption recovery if the destination is plaintext (no
  encryption key). Also, some metadata (like encryption cipher) is not
  protected, and an attacker could change it. Note that LUKS2 protects
  visible metadata only when a random change occurs. It does not protect
  against intentional modification but such modification must not cause
  a violation of data confidentiality.
  The fix introduces additional digest protection of reencryption
  metadata. The digest is calculated from known keys and critical
  reencryption metadata. Now an attacker cannot create correct metadata
  digest without knowledge of a passphrase for used keyslots.
  For more details, see LUKS2 On-Disk Format Specification version 1.1.0.
  The former reencryption operation (without the additional digest) is no
  longer supported (reencryption with the digest is not backward
  compatible). You need to finish in-progress reencryption before
  updating to new packages. The alternative approach is to perform
  a repair command from the updated package to recalculate reencryption
  digest and fix metadata.
  The reencryption repair operation always require a user passphrase.
  WARNING: Devices with older reencryption in progress can be no longer
  activated without performing the action mentioned above.
  Encryption in progress can be detected by running the luksDump command
  (output includes reencrypt keyslot with reencryption parameters). Also,
  during the active reencryption, no keyslot operations are available
  (change of passphrases, etc.).
  The issue was found by Milan Broz as cryptsetup maintainer.
 Other changes
 ~~~~~~~~~~~~~
 * Add configure option --disable-luks2-reencryption to completely disable
  LUKS2 reencryption code.
  When used, the libcryptsetup library can read metadata with
  reencryption code, but all reencryption API calls and cryptsetup
  reencrypt commands are disabled.
  Devices with online reencryption in progress cannot be activated.
  This option can cause some incompatibilities. Please use with care.
 * Improve internal metadata validation code for reencryption metadata.
 * Add updated documentation for LUKS2 On-Disk Format Specification
  version 1.1.0 (with reencryption extension description and updated
  metadata description). See docs/on-disk-format-luks2.pdf or online
  version in https://gitlab.com/cryptsetup/LUKS2-docs repository.
 * Fix support for bitlk (BitLocker compatible) startup key with new
  metadata entry introduced in Windows 11.
 * Fix space restriction for LUKS2 reencryption with data shift.
  The code required more space than was needed.
--- a/docs/v2.5.0-ReleaseNotes
+++ b/docs/v2.5.0-ReleaseNotes
@@ -0,0 +1,291 @@
 Cryptsetup 2.5.0 Release Notes
 ==============================
 Stable release with new features and bug fixes.
 Changes since version 2.4.3
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 * Split manual pages into per-action pages and use AsciiDoc format.
  Manual pages are now generated from AsciiDoc format, allowing easy
  conditional modifications for per-action options.
  Generation of man pages requires the asciidoctor tool installed.
  Pre-generated man pages are also included in the distribution tarball.
  You can use --disable-asciidoc configure option to skip man page
  generation completely. In this case, pre-generated man pages will be
  used for installation.
  For cryptsetup, there is main man page (cryptsetup.8) that references
  separate man pages for each command (for example, cryptsetup-open.8).
  You can open such a man page by simply running "man cryptsetup open".
  Also, man pages for action aliases are available (cryptsetup-luksOpen.8
  is an alias for cryptsetup-open.8, etc.)
 LUKS volume reencryption changes
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 * Remove cryptsetup-reencrypt tool from the project and move reencryption
  to already existing "cryptsetup reencrypt" command.
  Cryptsetup reencrypt now handles both LUKS1 and LUKS2 reencryption,
  encryption, and decryption.
  If you need to emulate the old cryptsetup-reencrypt binary, use simple
  wrappers script running "exec cryptsetup reencrypt $@".
  All command line options should be compatible. An exception is the
  reencryption of LUKS2 volumes with old LUKS1 reencryption code that was
  replaced by native and more resilient LUKS2 reencryption.
 * LUKS2: implement --decryption option that allows LUKS removal. The
  operation can run online or offline and supports the data shift option.
  During the initialization, the LUKS2 header is exported to a file.
  The first data segment is moved to the head of the data device in place
  of the original header.
  The feature internally introduces several new resilience modes
  (combination of existing modes datashift and "checksum" or "journal").
  Datashift resilience mode is applied for data moved towards the first
  segment, and the first segment is then decrypted in place.
  This decryption mode is not backward compatible with prior LUKS2
  reencryption. Interrupted operations in progress cannot be resumed
  using older cryptsetup releases.
 * Reencryption metadata options that are not compatible with recent code
  (features implemented in more recent releases) are now only read, but
  code will not activate or modify such metadata.
  Reencryption metadata contains a version that is validated when
  reencryption is resumed.
  For more info, see the updated LUKS2 on-disk format specification.
  Safe operation of reencryption is to always finish the operation with
  only one version of the tools.
 * Fix decryption operation with --active-name option and restrict
  it to be used only with LUKS2.
 * Do not refresh reencryption digest when not needed.
  This should speed up the reencryption resume process.
 * Store proper resilience data in LUKS2 reencrypt initialization.
  Resuming reencryption now does not require specification of resilience
  type parameters if these are the same as during initialization.
 * Properly wipe the unused area after reencryption with datashift in
  the forward direction.
 * Check datashift value against larger sector size.
  For example, it could cause an issue if misaligned 4K sector appears
  during decryption.
 * Do not allow sector size increase reencryption in offline mode.
  The eventual logical block size increase on the dm-crypt device above
  may lead to an unusable filesystem. Do not allow offline reencryption
  when sector size increase is requested.
  You can use --force-offline-reencrypt option to override this check
  (and potentially destroy the data).
 * Do not allow dangerous sector size change during reencryption.
  By changing the encryption sector size during reencryption, a user
  may increase the effective logical block size for the dm-crypt active
  device.
  Do not allow encryption sector size to be increased over the value
  provided by fs superblock in BLOCK_SIZE property.
 * Ask the user for confirmation before resuming reencryption.
  The prompt is not shown in batch mode or when the user explicitly asks
  for a reencryption resume via --resume-only.
 * Do not resume reencryption with conflicting parameters.
  For example, if the operation was initialized as --encrypt, do not
  allow resume with opposing parameter --decrypt and vice versa.
  Also, the code now checks for conflicting resilience parameters
  (datashift cannot be changed after initialization).
 * Add --force-offline-reencrypt option.
  It can be used to enforce offline reencryption in batch mode when
  the device is a regular file; therefore, cryptsetup cannot detect
  properly active devices using it.
  Also, it may be useful to override the active device auto-detection
  for specific storage configurations (dangerous!).
 * Do not allow nested encryption in LUKS reencrypt.
  Avoid accidental nested encryption via cryptsetup reencrypt --encrypt.
 * Fix --test-passphrase when the device is in reencryption.
 * Do not upload keys in keyring during offline reencryption.
  Reencryption runs in userspace, so the kernel does not need the key.
 * Support all options allowed with luksFormat with encrypt action.
 * Add prompt if LUKS2 decryption is run with a detached header.
 * Add warning for reencryption of file image and mention
  the possible use of --force-offline-reencrypt option.
 Other changes
 ~~~~~~~~~~~~~
 * Add resize action to integritysetup.
  This allows resizing of standalone integrity devices.
 * Support --device-size option (that allows unit specification) for plain
  devices (existing --size option requires 512-byte sectors units).
 * Fix detection of encryption sector size if a detached header is used.
 * Remove obsolete dracut plugin reencryption example.
 * Fix possible keyslot area size overflow during conversion to LUKS2.
  If keyslots are not sorted according to binary area offset, the area
  size calculation was wrong and could overflow.
 * Hardening and fixes to LUKS2 validation functions:
  * Log a visible error if convert fails due to validation check.
  * Check for interval (keyslot and segment area) overflow.
  * Check cipher availability before LUKS conversion to LUKS2.
    Some historic incompatibilities are ignored for LUKS1 but do not
    work for LUKS2.
  * Add empty string check to LUKS2 metadata JSON validation.
    Most of the LUKS2 fields cannot be empty.
  * Fix JSON objects validation to check JSON object type properly.
 * TCRYPT: Properly apply retry count and continue if some PBKDF variant
  is unavailable.
 * BITLK: Add a warning when activating a device with the wrong size
  stored in metadata.
 * BITLK: Add BitLocker volume size to dump command.
 * BITLK: Fix possible UTF16 buffer overflow in volume key dump.
 * BITLK: Skip question if the batch mode is set for volume key dump.
 * BITLK: Check dm-zero availability in the kernel.
  Bitlocker compatible mode uses dm-zero to mask metadata area.
  The device cannot be activated if dm-zero is not available.
 * Fix error message for LUKS2-only cryptsetup commands to explicitly
  state LUKS2 version is required.
 * Fix error message for incompatible dm-integrity metadata.
  If the integritysetup tool is too old, kernel dm-integrity may use
  a more recent version of dm-integrity metadata.
 * Properly deactivate the integrity device even if the LUKS2 header
  is no longer available.
  If LUKS2 is used with integrity protection, there is always
  a dm-integrity device underneath that must be deactivated.
 * Allow use of --header option for cryptsetup close.
  This can be used to check that the activated device has the same UUID.
 * Fix activation of LUKS2 device with integrity and detached header.
  The kernel-parsed dm-integrity superblock is always located on the
  data device, the incorrectly used detached header device here.
 * Add ZEROOUT IOCTL support for crypt_wipe API call.
  For block devices, we can use optimized in-kernel BLKZEROOUT ioctl.
 * VERITY: set loopback sector size according to dm-verity block sizes.
  Verity block size has the same limits, so we can optimize the loop
  device to increase performance.
 * Other Documentation and man page improvements:
  * Update LUKS2 on-disk format description.
  * Add per-keyslot LUKS2 options to the man page.
    Some options were missing for LUKS2 luksAddKey and luksChangeKey.
  * Fix cryptsetup manpage to use PBKDF consistently.
  * Add compile info to README. This information was lost when we removed
    the default automake INSTALL file.
  * Use volume key consistently in FAQ and man pages.
  * Use markdown version of FAQ directly for installation.
  * Clarify graceful reencryption interruption.
    Currently, it can be interrupted by both SIGINT and SIGTERM signals.
  * Add new mailing list info.
  * Mention non-cryptographic xxhash64 hash for integrity protection.
 * veritysetup: dump device sizes.
  Calculating device sizes for verity devices is a little bit tricky.
  Data, hash, and FEC can share devices or be separate devices.
  Now dump command prints used device sizes, but it requires that
  the user specifies all values that are not stored in superblock
  (like FEC device and FEC roots).
 * Fix check for argp_usage in configure if argp-standalone lib is used.
 * Add constant time memcmp and hexa print implementation and use it for
  cryptographic keys handling.
 * Display progress when wiping the end of the resized device.
 * LUKS2 token: prefer token PIN query before passphrase in some cases.
  When a user provides --token-type or specific --token-id, a token PIN
  query is preferred to a passphrase query.
 * LUKS2 token: allow tokens to be replaced with --token-replace option
  for cryptsetup token command.
 * LUKS2 token: do not continue operation when interrupted in PIN prompt.
 * Add --progress-json parameter to utilities.
  Progress data can now be printed out in JSON format suitable for
  machine processing.
 * Embedded Argon2 PBKDF: optimize and simplify thread exit.
 * Avoid using SHA1 in tests and fix new enforcements introduced in FIPS
  provider for OpenSSL3 (like minimal parameters for PBKDF2).
 * Use custom UTF conversion and avoid linking to iconv as a dependency.
 * Reimplement BASE64 with simplified code instead of coreutils version.
 * Fix regression when warning messages were not displayed
  if some kernel feature is not supported (2.4.2).
 * Add support for --key-slot option in luksResume action.
 Libcryptsetup API extensions and changes
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 * Properly define uint32_t constants in API.
  This is not a real change, but it avoids strict compiler warnings.
 * crypt_resume_by_token_pin() - Resume crypt device using LUKS2 token.
 * crypt_get_label() - Get the label of the LUKS2 device.
 * crypt_get_subsystem() - Get the subsystem label of the LUKS2 device.
 * Make CRYPT_WIPE_ENCRYPTED_ZERO crypt_wipe() option obsolete.
  It was never implemented (the idea was to speed up wipe), but with
  the recent RNG performance changes, it makes no longer sense.
 * Add struct crypt_params_reencrypt changes related to decryption.
 * Improve crypt_reencrypt_status() return values.
  Empty or any non-LUKS types now returns CRYPT_REENCRYPT_INVALID status.
  For LUKS1 devices, it returns CRYPT_REENCRYPT_NONE.
--- a/docs/v2.6.0-ReleaseNotes
+++ b/docs/v2.6.0-ReleaseNotes
@@ -0,0 +1,236 @@
 Cryptsetup 2.6.0 Release Notes
 ==============================
 Stable release with new features and bug fixes.
 Changes since version 2.5.0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 * Introduce support for handling macOS FileVault2 devices (FVAULT2).
  Cryptsetup now supports the mapping of FileVault2 full-disk encryption
  by Apple for the macOS operating system using a native Linux kernel.
  You can open an existing USB FileVault portable device and (with
  the hfsplus filesystem driver) access the native data read/write.
  Cryptsetup supports only (legacy) FileVault2 based on Core Storage
  and HFS+ filesystem (introduced in MacOS X 10.7 Lion).
  It does NOT support the new version of FileVault based on the APFS
  filesystem used in recent macOS versions.
  Header formatting and changes are not supported; cryptsetup never
  changes the metadata on the device.
  FVAULT2 extension requires kernel userspace crypto API and kernel
  driver for HFS+ (hfsplus) filesystem (available on most systems today).
  Example of using FileVault2 formatted USB device:
  A typical encrypted device contains three partitions; the FileVault
  encrypted partition is here sda2:
  $ lsblk -o NAME,FSTYPE,LABEL /dev/sda
    NAME   FSTYPE  LABEL
    sda
    |-sda1 vfat    EFI
    |-sda2
    `-sda3 hfsplus Boot OS X
  Note: blkid does not recognize FileVault2 format yet.
  To dump metadata information about the device, you can use
  the fvault2Dump command:
  $ cryptsetup fvault2Dump /dev/sda2
    Header information for FVAULT2 device /dev/sda2.
    Physical volume UUID:   6f353c05-daae-4e76-a0ee-6a9569a22d81
    Family UUID:            f82cceb0-a788-4815-945a-53d57fcd55a8
    Logical volume offset:  67108864 [bytes]
    Logical volume size:    3288334336 [bytes]
    Cipher:                 aes
    Cipher mode:            xts-plain64
    PBKDF2 iterations:      97962
    PBKDF2 salt:            173a4ec7447662ec79ca7a47df6c2a01
 To activate the device, use open --type fvault2 option:
 $ cryptsetup open --type fvault2 /dev/sda2 test
   Enter passphrase for /dev/sda2: ...
 And check the status of the active device:
 $ cryptsetup status test
   /dev/mapper/test is active.
   type:    FVAULT2
   cipher:  aes-xts-plain64
   keysize: 256 bits
   key location: dm-crypt
   device:  /dev/sda2
   sector size:  512
   offset:  131072 sectors
   size:    6422528 sectors
   mode:    read/write
 Now, if the kernel contains hfsplus filesystem driver, you can mount
 decrypted content:
 $ mount /dev/mapper/test /mnt/test
 For more info about implementation, please refer to the master thesis
 by Pavel Tobias, which was the source for this extension.
 https://is.muni.cz/th/p0aok/?lang=en
 * libcryptsetup: no longer use global memory locking through mlockall()
  For many years, libcryptsetup locked all memory (including dependent
  library address space) to prevent swapping sensitive content outside
  of RAM.
  This strategy no longer works as the locking of basic libraries exceeds
  the memory locking limit if running as a non-root user.
  Libcryptsetup now locks only memory ranges containing sensitive
  material (keys) through crypt_safe_alloc() calls.
  This change solves many reported mysterious problems of unexpected
  failures. If the initial lock was still under the limit and succeeded,
  some following memory allocation could fail later as it exceeded
  the locking limit. If the initial locking fails,  memory locking
  was quietly ignored completely.
  The whole crypt_memory_lock() API call is deprecated; it no longer
  calls memlockall().
 * libcryptsetup: process priority is increased only for key derivation
  (PBKDF) calls.
  Increasing priority was tight to memory locking and works only if
  running under superuser.
  Only PBKDF calls and benchmarking now increase the process priority.
 * Add new LUKS keyslot context handling functions and API.
  In practice, the luksAddKey action does two operations.
  It unlocks the existing device volume key and stores the unlocked
  volume key in a new keyslot.
  Previously the options were limited to key files and passphrases.
  Newly available methods (keyslot contexts) are passphrase, keyfile,
  key (binary representation), and LUKS2 token.
  To unlock a keyslot user may:
    - provide existing passphrase via interactive prompt (default method)
    - use --key-file option to provide a file with a valid passphrase
    - provide volume key directly via --volume-key-file
    - unlock keyslot via all available LUKS2 tokens by --token-only
    - unlock keyslot via specific token with --token-id
    - unlock keyslot via specific token type by --token-type
  To provide the passphrase for a new keyslot, a user may:
    - provide existing passphrase via interactive prompt (default method)
    - use --new-keyfile to read the passphrase from the file
    - use --new-token-id to select LUKS2 token to get passphrase
      for new keyslot. The new keyslot is assigned to the selected token
      id if the operation is successful.
 * The volume key may now be extracted using a passphrase, keyfile, or
  token. For LUKS devices, it also returns the volume key after
  a successful crypt_format call.
 * Fix --disable-luks2-reencryption configuration option.
 * cryptsetup: Print a better error message and warning if the format
  produces an image without space available for data.
  Activation now fails early with a more descriptive message.
 * Print error if anti-forensic LUKS2 hash setting is not available.
  If the specified hash was not available, activation quietly failed.
 * Fix internal crypt segment compare routine if the user
  specified cipher in kernel format (capi: prefix).
 * cryptsetup: Add token unassign action.
  This action allows removing token binding on specific keyslot.
 * veritysetup: add support for --use-tasklets option.
  This option sets try_verify_in_tasklet kernel dm-verity option
  (available since Linux kernel 6.0) to allow some performance
  improvement on specific systems.
 * Provide pkgconfig Require.private settings.
  While we do not completely provide static build on udev systems,
  it helps produce statically linked binaries in certain situations.
 * Always update automake library files if autogen.sh is run.
  For several releases, we distributed older automake scripts by mistake.
 * reencryption: Fix user defined moved segment size in LUKS2 decryption.
  The --hotzone-size argument was ignored in cases where the actual data
  size was less than the original LUKS2 data offset.
 * Delegate FIPS mode detection to configured crypto backend.
  System FIPS mode check no longer depends on /etc/system-fips file.
 * tests: externally provided systemd plugin is now optionally compiled
  from systemd git and tested with cryptsetup
 * tests: initial integration to OSS-fuzz project with basic crypt_load()
  test for LUKS2 and JSON mutated fuzzing.
  For more info, see README in tests/fuzz directory.
 * Update documentation, including FAQ and man pages.
 Libcryptsetup API extensions
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 The libcryptsetup API is backward compatible with existing symbols.
 New symbols:
  crypt_keyslot_context_init_by_passphrase
  crypt_keyslot_context_init_by_keyfile
  crypt_keyslot_context_init_by_token
  crypt_keyslot_context_init_by_volume_key
  crypt_keyslot_context_get_error
  crypt_keyslot_context_set_pin
  crypt_keyslot_context_get_type
  crypt_keyslot_context_free
  crypt_keyslot_add_by_keyslot_context
  crypt_volume_key_get_by_keyslot_context
 New defines:
  CRYPT_FVAULT2 "FVAULT2" (FileVault2 compatible mode)
 Keyslot context types:
  CRYPT_KC_TYPE_PASSPHRASE
  CRYPT_KC_TYPE_KEYFILE
  CRYPT_KC_TYPE_TOKEN
  CRYPT_KC_TYPE_KEY
  CRYPT_ACTIVATE_TASKLETS (dm-verity: use tasklets activation flag)
 WARNING!
 ~~~~~~~~
 The next version of cryptsetup will change the encryption mode and key
 derivation option for the PLAIN format.
 This change will cause backward incompatibility.
 For this reason, the user will have to specify the exact parameters
 for cipher, key size, and key derivation parameters for plain format.
 The default encryption mode will be AES-XTS with 512bit key (AES-256).
 The CBC mode is no longer considered the best default, as it allows easy
 bit-flipped ciphertext modification attacks and performance problems.
 For the passphrase hashing in plain mode, the encryption key is directly
 derived through iterative hashing from a user-provided passphrase
 (except a keyfile that is not hashed).
 The default hash is RIPEMD160, which is no longer the best default
 option. The exact change will be yet discussed but should include
 the possibility of using a password-based key derivation function
 instead of iterative hashing.
--- a/docs/v2.6.1-ReleaseNotes
+++ b/docs/v2.6.1-ReleaseNotes
@@ -0,0 +1,50 @@
 Cryptsetup 2.6.1 Release Notes
 ==============================
 Stable bug-fix release with minor extensions.
 All users of cryptsetup 2.6.0 should upgrade to this version.
 Changes since version 2.6.0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 * bitlk: Fixes for BitLocker-compatible on-disk metadata parser
  (found by new cryptsetup OSS-Fuzz fuzzers).
  - Fix a possible memory leak if the metadata contains more than
    one description field.
  - Harden parsing of metadata entries for key and description entries.
  - Fix broken metadata parsing that can cause a crash or out of memory.
 * Fix possible iteration overflow in OpenSSL2 PBKDF2 crypto backend.
  OpenSSL2 uses a signed integer for PBKDF2 iteration count.
  As cryptsetup uses an unsigned value, this can lead to overflow and
  a decrease in the actual iteration count.
  This situation can happen only if the user specifies
  --pbkdf-force-iterations option.
  OpenSSL3 (and other supported crypto backends) are not affected.
 * Fix compilation for new ISO C standards (gcc with -std=c11 and higher).
 * fvault2: Fix compilation with very old uuid.h.
 * verity: Fix possible hash offset setting overflow.
 * bitlk: Fix use of startup BEK key on big-endian platforms.
 * Fix compilation with latest musl library.
  Recent musl no longer implements lseek64() in some configurations.
  Use lseek() as 64-bit offset is mandatory for cryptsetup.
 * Do not initiate encryption (reencryption command) when the header and
  data devices are the same.
  If data device reduction is not requsted, this leads to data corruption
  since LUKS metadata was written over the data device.
 * Fix possible memory leak if crypt_load() fails.
 * Always use passphrases with a minimal 8 chars length for benchmarking.
  Some enterprise distributions decided to set an unconditional check
  for PBKDF2 password length when running in FIPS mode.
  This questionable change led to unexpected failures during LUKS format
  and keyslot operations, where short passwords were used for
  benchmarking PBKDF2 speed.
  PBKDF2 benchmark calculations should not be affected by this change.
--- a/docs/v2.7.0-ReleaseNotes
+++ b/docs/v2.7.0-ReleaseNotes
@@ -0,0 +1,437 @@
 Cryptsetup 2.7.0 Release Notes
 ==============================
 Stable release with new features and bug fixes.
 Changes since version 2.6.1
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 * Introduce support for hardware OPAL disk encryption.
  Some SATA and NVMe devices support hardware encryption through OPAL2
  TCG interface (SEDs - self-encrypting drives). Using hardware disk
  encryption is controversial as you must trust proprietary hardware.
  On the other side, using both software and hardware encryption
  layers increases the security margin by adding an additional layer
  of protection. There is usually no performance drop if OPAL encryption
  is used (the drive always operates with full throughput), and it does
  not add any utilization to the main CPU.
  LUKS2 now supports hardware encryption through the Linux kernel
  SED OPAL interface (CONFIG_BLK_SED_OPAL Linux kernel option must be
  enabled). Cryptsetup OPAL is never enabled by default; you have to use
  luksFormat parameters to use it. OPAL support can be disabled during
  the build phase with --disable-hw-opal configure option.
  LUKS2 OPAL encryption is configured the same way as software encryption
  - it stores metadata in the LUKS2 header and activates encryption for
  the data area on the disk (configured OPAL locking range).
  LUKS2 header metadata must always be visible (thus not encrypted).
  The key stored in LUKS2 keyslots contains two parts - volume key
  for software (dm-crypt) encryption and unlocking key for OPAL.
  OPAL unlocking key is independent of the dm-crypt volume key and is
  always 256 bits long. Cryptsetup does not support full drive OPAL
  encryption; only a specific locking range is always used.
  If the OPAL device is in its initial factory state (after factory
  reset), cryptsetup needs to configure the OPAL admin user and password.
  If the OPAL admin user is already set, the OPAL password must be
  provided during luksFormat.
  The provided password is needed only to configure or reset the OPAL
  locking range; LUKS device activation requires LUKS passphrase only.
  LUKS passphrase should be different from OPAL password (OPAL admin user
  is configured inside OPAL hardware while LUKS unlocking passphrase
  unlocks LUKS keyslot).
  OPAL encryption can be used in combination with software (dm-crypt)
  encryption (--hw-opal option) or without the software layer
  (--hw-opal-only option).
  You can see the configured segment parameters in the luksDump command.
  LUKS2 devices with OPAL segments set a new requirement flag in
  the LUKS2 header to prevent older cryptsetup metadata manipulation.
  Do not use hardware-only encryption if you do not fully trust your
  hardware vendor.
  Compatibility notes:
    - Linux kernel SED interface does NOT work through USB external
    adapters due to the missing compatibility layer in Linux USB storage
    drivers (even if USB hardware itself can support OPAL commands).
    - other TCG security subsystems like Ruby or Pyrite are not
    supported. Note that many drives support only Pyrite subsystem that
    does NOT encrypt data (it provides only authentication).
    - compatibility among OPAL-enabled drives is often very problematic,
    specifically for older drives. Many drives have bugs in the firmware
    that make the Linux kernel interface unusable.
    - if you forget the OPAL admin password, the only way to recover is
    the full drive factory reset through the PSID key (usually printed
    on the drive itself) that wipes all data on the drive (not only the
    LUKS area).
    - cryptsetup reencryption is not supported for LUKS2 OPAL-enabled
    devices
    - most OPAL drives use AES-XTS cipher mode (older drives can use
    AES-CBC). This information is not available through kernel SED API.
    - locked OPAL locking ranges return IO errors while reading; this
    can produce a lot of scary messages in the log if some tools (like
    blkid) try to read the locked area.
  Examples:
  * Formatting the drive
  Use --hw-opal with luksFormat (or --hw-opal-only for hardware only
  encryption):
  # cryptsetup luksFormat --hw-opal <device>
  Enter passphrase for <device>: ***
  Enter OPAL Admin password: ***
  * Check configuration with luksDump.
  Note "hw-opal-crypt" segment that uses both dm-crypt and OPAL
  encryption - keyslot stores 768 bits key (512 sw + 256 bits OPAL key).
  # cryptsetup luksDump <device>
    LUKS header information
    Version:        2
    ...
    Data segments:
       0: hw-opal-crypt
         offset: 16777216 [bytes]
         length: ... [bytes]
         cipher: aes-xts-plain64
         sector: 512 [bytes]
         HW OPAL encryption:
                OPAL segment number: 1
                OPAL key: 256 bits
                OPAL segment length: ... [bytes]
     Keyslots:
       0: luks2
         Key:        768 bits
      ...
  For devices with OPAL encryption ONLY (only 256 bits OPAL unlocking
  key is stored):
     LUKS header information
     Version:        2
     ...
     Data segments:
        0: hw-opal
          offset: 16777216 [bytes]
          length: ... [bytes]
          cipher: (no SW encryption)
          HW OPAL encryption:
                OPAL segment number: 1
                OPAL key: 256 bits
                OPAL segment length: ... [bytes]
     Keyslots:
       0: luks2
         Key:        256 bits
         ...
  * Activation and deactivation (open, close, luksSuspend, luksResume)
  with OPAL works the same as for the LUKS2 device.
  * Erase LUKS metadata (keyslots) and remove OPAL locking range:
  # cryptsetup luksErase <device>
    Enter OPAL Admin password: ***
  The LUKS header is destroyed (unlike in normal LUKS luksErase) as
  data are no longer accessible even with previous volume key knowledge.
  * Factory reset OPAL drive (if you do not know the Admin password).
    You need the PSID (physical presence security ID), which is usually
    printed on the device label. Note this will reset the device to
    factory state, erasing all data on it (not only LUKS).
  # cryptsetup luksErase --hw-opal-factory-reset <device>
    Enter OPAL PSID: ***
 * plain mode: Set default cipher to aes-xts-plain64 and password hashing
  to sha256.
  NOTE: this is a backward incompatible change for plain mode (if you
  rely on defaults). It is not relevant for LUKS devices.
  The default plain encryption mode was CBC for a long time, with many
  performance problems. Using XTS mode aligns it with LUKS defaults.
  The hash algorithm for plain mode was ripemd160, which is considered
  deprecated, so the new default is sha256.
  The default key size remains 256 bits (it means using AES-128 as XTS
  requires two keys).
  Always specify cipher, hash, and key size for plain mode (or even
  better, use LUKS as it stores all options in its metadata on disk).
  As we need to upgrade algorithms from time to time because of security
  reasons, cryptsetup now warns users to specify these options explicitly
  in the open cryptsetup command if plain mode is used.
  Cryptsetup does not block using any legacy encryption type; just it
  must be specified explicitly on the cryptsetup command line.
  You can configure these defaults during build time if you need to
  enforce backward compatibility.
  To get the backward-compatible setting, use:
    --with-plain-hash=ripemd160 --with-plain-cipher=aes
    --with-plain-mode=cbc-essiv:sha256
  Compiled-in defaults are visible in cryptsetup --help output.
 * Allow activation (open), luksResume, and luksAddKey to use the volume
  key stored in a keyring.
 * Allow to store volume key to a user-specified keyring in open and
  luksResume commands.
  These options are intended to be used for integration with other
  systems for automation.
  Users can now use the volume key (not passphrase) stored in arbitrary
  kernel keyring and directly use it in particular cryptsetup commands
  with --volume-key-keyring option. The keyring can use various policies
  (set outside of the cryptsetup scope, for example, by keyctl).
  The --volume-key-keyring option takes a key description in
  keyctl-compatible syntax and can either be a numeric key ID or
  a string name in the format [%<key type>:]<key name>.
  The default key type is "user".
  To store the volume key in a keyring, you can use cryptsetup with
  --link-vk-to-keyring option that is available for open and luksResume
  cryptsetup command. The option argument has a more complex format:
  <keyring_description>::<key_description>.
  The <keyring_description> contains the existing kernel keyring
  description (numeric id or keyctl format). The <keyring_description>
  may be optionally prefixed with "%:" or "%keyring:". The string "::" is
  a delimiter that separates keyring and key descriptions.
  The <key_description> has the same syntax as used in the
  --volume-key-keyring option.
  Example:
  Open the device and store the volume key to the keyring:
  # cryptsetup open <device> --link-vk-to-keyring "@s::%user:testkey" tst
  Add keyslot using the stored key in a keyring:
  # cryptsetup luksAddKey <device> --volume-key-keyring "%user:testkey"
 * Do not flush IO operations if resize grows the device.
  This can help performance in specific cases where the encrypted device
  is extended automatically while running many IO operations.
 * Use only half of detected free memory for Argon2 PBKDF on systems
  without swap (for LUKS2 new keyslot or format operations).
  This should avoid out-of-memory crashes on low-memory systems without
  swap. The benchmark for memory-hard KDF during format is tricky, and
  it seems that relying on the maximum half of physical memory is not
  enough; relying on free memory should bring the needed security margin
  while still using Argon2.
  There is no change for systems with active swap.
  Note, for very-low memory-constrained systems, a user should avoid
  memory-hard PBKDF completely (manually select legacy PBKDF2 instead
  of Argon2); cryptsetup does not change PBKDF automatically.
 * Add the possibility to specify a directory for external LUKS2 token
  handlers (plugins).
  Use --external-tokens-path parameter in cryptsetup or
  crypt_token_set_external_path API call. The parameter is required to be
  an absolute path, and it is set per process context. This parameter is
  intended mainly for testing and developing new tokens.
 * Do not allow reencryption/decryption on LUKS2 devices with
  authenticated encryption or hardware (OPAL) encryption.
  The operation fails later anyway; cryptsetup now detects incompatible
  parameters early.
 * Do not fail LUKS format if the operation was interrupted on subsequent
  device wipe.
  Device wipe (used with authenticated encryption) is an optional
  operation and can be interrupted; not yet wiped part of the device will
  only report integrity errors (until overwritten with new data).
 * Fix the LUKS2 keyslot option to be used while activating the device
  by a token.
  It can also be used to check if a specific token (--token-id) can
  unlock a specific keyslot (--key-slot option) when --test-passphrase
  option is specified.
 * Properly report if the dm-verity device cannot be activated due to
  the inability to verify the signed root hash (ENOKEY).
 * Fix to check passphrase for selected keyslot only when adding
  new keyslot.
  If the user specifies the exact keyslot to unlock, cryptsetup no longer
  checks other keyslots.
 * Fix to not wipe the keyslot area before in-place overwrite.
  If the LUKS2 keyslot area has to be overwritten (due to lack of free
  space for keyslot swap), cryptsetup does not wipe the affected area as
  the first step (it will be overwritten later anyway).
  Previously, there was an unnecessary risk of losing the keyslot data
  if the code crashed before adding the new keyslot.
  If there is enough space in the keyslot area, cryptsetup never
  overwrites the older keyslot before the new one is written correctly
  (even if the keyslot number remains the same).
 * bitlk: Fix segfaults when attempting to verify the volume key.
  Also, clarify that verifying the volume key is impossible without
  providing a passphrase or recovery key.
 * Add --disable-blkid command line option to avoid blkid device check.
 * Add support for the meson build system.
  All basic operations are supported (compile, test, and dist) with some
  minor exceptions; please see the meson manual for more info.
  The Meson build system will completely replace autotools in some future
  major release. Both autotools and meson build systems are supported,
  and the release archive is built with autotools.
 * Fix wipe operation that overwrites the whole device if used for LUKS2
  header with no keyslot area.
  Formatting a LUKS2 device with no defined keyslots area is a very
  specific operation, and the code now properly recognizes such
  configuration.
 * Fix luksErase to work with detached LUKS header.
 * Disallow the use of internal kernel crypto driver names in "capi"
  specification.
  The common way to specify cipher mode in cryptsetup is to use
  cipher-mode-iv notation (like aes-xts-plain64).
  With the introduction of authenticated ciphers, we also allow
  "capi:<spec>" notation that is directly used by dm-crypt
  (e.g., capi:xts(aes)-plain64).
  CAPI specification was never intended to be used directly in the LUKS
  header; unfortunately, the code allowed it until now.
  Devices with CAPI specification in metadata can no longer be activated;
  header repair is required.
  CAPI specification could allow attackers to change the cipher
  specification to enforce loading some specific kernel crypto driver
  (for example, load driver with known side-channel issues).
  This can be problematic, specifically in a cloud environment
  (modifying LUKS2 metadata in container image).
  Thanks to Jan Wichelmann, Luca Wilke, and Thomas Eisenbarth from
  University of Luebeck for noticing the problems with this code.
 * Fix reencryption to fail early for unknown cipher.
 * tcrypt: Support new Blake2 hash for VeraCrypt.
  VeraCrypt introduces support for Blake2 PRF for PBKDF2; also support it
  in cryptsetup compatible tcrypt format.
 * tcrypt: use hash values as substring for limiting KDF check.
  This allows the user to specify --hash sha or --hash blake2 to limit
  the KDF scan without the need to specify the full algorithm name
  (similar to cipher where we already use substring match).
 * Add Aria cipher support and block size info.
  Aria cipher is similar to AES and is supported in Linux kernel crypto
  API in recent releases.
  It can be now used also for LUKS keyslot encryption.
 * Do not decrease PBKDF parameters if the user forces them.
  If a user explicitly specifies PBKDF parameters (like iterations,
  used memory, or threads), do not limit them, even if it can cause
  resource exhaustion.
  The force options were mostly used for decreasing parameters, but it
  should work even opposite - despite the fact it can mean an
  out-of-memory crash.
  The only limits are hard limits per the PBKDF algorithm.
 * Support OpenSSL 3.2 Argon2 implementation.
  Argon2 is now available directly in OpenSSL, so the code no longer
  needs to use libargon implementation.
  Configure script should detect this automatically.
 * Add support for Argon2 from libgcrypt
  (requires yet unreleased gcrypt 1.11).
  Argon2 has been available since version 1.10, but we need version 1.11,
  which will allow empty passwords.
 * Used Argon2 PBKDF implementation is now reported in debug mode
  in the cryptographic backend version. For native support in
  OpenSSL 3.2 or libgcrypt 1.11, "argon2" is displayed.
  If libargon2 is used, "cryptsetup libargon2" (for embedded
  library) or "external libargon2" is displayed.
 * Link only libcrypto from OpenSSL.
  This reduces dependencies as other OpenSSL libraries are not needed.
 * Disable reencryption for Direct-Access (DAX) devices.
  Linux kernel device-mapper cannot stack DAX/non-DAX devices in
  the mapping table, so online reencryption cannot work. Detect DAX
  devices and warn users during LUKS format. Also, DAX or persistent
  memory devices do not provide atomic sector updates; any single
  modification can corrupt the whole encryption block.
 * Print a warning message if the device is not aligned to sector size.
  If a partition is resized after format, activation could fail when
  the device is not multiple of a sector size. Print at least a warning
  here, as the activation error message is visible only in kernel syslog.
 * Fix sector size and integrity fields display for non-LUKS2 crypt
  devices for the status command.
 * Fix suspend for LUKS2 with authenticated encryption (also suspend
  dm-integrity device underneath).
  This should stop the dm-integrity device from issuing journal updates
  and possibly corrupt data if the user also tries to modify the
  underlying device.
 * Update keyring and locking documentation and LUKS2 specification
  for OPAL2 support.
 Libcryptsetup API extensions
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 The libcryptsetup API is backward compatible for all existing symbols.
 New symbols:
  crypt_activate_by_keyslot_context
  crypt_format_luks2_opal
  crypt_get_hw_encryption_type
  crypt_get_hw_encryption_key_size
  crypt_keyslot_context_init_by_keyring
  crypt_keyslot_context_init_by_vk_in_keyring
  crypt_keyslot_context_init_by_signed_key
  crypt_resume_by_keyslot_context
  crypt_token_set_external_path
  crypt_set_keyring_to_link
  crypt_wipe_hw_opal
 New defines (hw encryption status):
  CRYPT_SW_ONLY
  CRYPT_OPAL_HW_ONLY
  CRYPT_SW_AND_OPAL_HW
 New keyslot context types:
  CRYPT_KC_TYPE_KEYRING
  CRYPT_KC_TYPE_VK_KEYRING
  CRYPT_KC_TYPE_SIGNED_KEY
 New requirement flag:
  CRYPT_REQUIREMENT_OPAL
--- a/docs/v2.7.1-ReleaseNotes
+++ b/docs/v2.7.1-ReleaseNotes
@@ -0,0 +1,30 @@
 Cryptsetup 2.7.1 Release Notes
 ==============================
 Stable bug-fix release with minor extensions.
 All users of cryptsetup 2.7.0 should upgrade to this version.
 Changes since version 2.7.0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 * Fix interrupted LUKS1 decryption resume.
  With the replacement of the cryptsetup-reencrypt tool by the cryptsetup
  reencrypt command, resuming the interrupted LUKS1 decryption operation
  could fail. LUKS2 was not affected.
 * Allow --link-vk-to-keyring with --test-passphrase option.
  This option allows uploading the volume key in a user-specified kernel
  keyring without activating the device.
 * Fix crash when --active-name was used in decryption initialization.
 * Updates and changes to man pages, including indentation, sorting options
  alphabetically, fixing mistakes in crypt_set_keyring_to_link, and fixing
  some typos.
 * Fix compilation with libargon2 when --disable-internal-argon2 was used.
 * Do not require installed argon2.h header and never compile internal
  libargon2 code if the crypto library directly supports Argon2.
 * Fixes to regression tests to support older Linux distributions.
--- a/docs/v2.7.2-ReleaseNotes
+++ b/docs/v2.7.2-ReleaseNotes
@@ -0,0 +1,31 @@
 Cryptsetup 2.7.2 Release Notes
 ==============================
 Stable bug-fix release.
 All users of cryptsetup 2.7 should upgrade to this version.
 Changes since version 2.7.1
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 * Fix activation of OPAL-only encrypted LUKS device with tokens.
  The issue was caused by an invalid volume key check (assert)
  that is impossible without software encryption.
 * Fix formatting of OPAL devices with 4096-byte sector size.
 * Fix incorrect OPAL locking range alignment calculation if used
  over an unaligned device partition.
 * Add --hw-opal-factory-reset option description to the manual page.
 * Do not check the passphrase quality for OPAL Admin PIN,
  as this passphrase already exists.
 * Update license for FAQ document to CC BY-SA 4.0.
 NOTE: Please note that with OPAL-only (--hw-opal-only) encryption,
 the configured OPAL administrator PIN (passphrase) allows unlocking
 all configured locking ranges without LUKS keyslot decryption
 (without knowledge of LUKS passphrase).
 Because of many observed problems with compatibility, cryptsetup
 currently DOES NOT use OPAL single-user mode, which would allow such
 decoupling of OPAL admin PIN access.
--- a/docs/v2.7.3-ReleaseNotes
+++ b/docs/v2.7.3-ReleaseNotes
@@ -0,0 +1,114 @@
 Cryptsetup 2.7.3 Release Notes
 ==============================
 Stable bug-fix release with security fixes.
 All users of cryptsetup 2.7 must upgrade to this version.
 Changes since version 2.7.2
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 * Do not allow formatting LUKS2 with Opal SED (hardware encryption)
  if the reported logical sector size for the block device and Opal
  encryption logical block differs.
  Such a configuration can lead to a partially encrypted Opal locking
  range or data destruction following the expected locking range.
  Some NVMe drives support multiple LBAF profiles (typically supporting
  512-byte and 4096-byte sector size). Some broken Opal NVMe firmware can
  report bogus encryption size that disagrees with real used sector size.
  This usually happens after low-level NVMe reformatting (LBAF profile
  change with nvme utility) to different sector size.
  Moreover, some firmware versions do not properly reset this even after
  explicit PSID revert.
  Cryptsetup calculates the Opal locking range using the reported block
  size in Opal geometry ioctl.  Unfortunately, the broken firmware drive
  internally uses the logical block size of the block device, which can
  differ. This can lead to two possible situations:
  - Opal reports a smaller block size (512-byte) while the drive uses
  a 4096-byte sector. The configured locking range is then much larger,
  destroying data following the expected locking range setting.
  - Opal reports a larger block size (4096-byte) while the drive uses
  a 512-byte sector. The configured locking range is then much smaller,
  leaving the remaining space in the locking range unencrypted (violating
  the confidentiality of data).
  Cryptsetup now detects this discrepancy and disallows LUKS2 format with
  Opal hardware encryption in such a case.
  For already formatted devices, you will see this warning:
    "Bogus OPAL logical block size differs from device block size."
  If you also used software encryption (dm-crypt over Opal), data will
  still be fully encrypted with software dm-crypt.
  With hw-only encryption,  your configuration is probably already broken
  (insecure or accessing data beyond the assigned area).
  Note that this is caused by bad firmware (seen with multiple vendors),
  and the problem was reported, at least for drives we have access to.
 * Fixes to wiping LUKS2 headers after Opal locking area erase.
  As the hardware locking range is destroyed (cryptsetup erase command),
  the LUKS2 header is no longer usable and was partially wiped.
  Now the code fully wipes also the secondary header, as the previous
  code wiped only the primary LUKS area.
  Note that this is an exception, as the normal erase command wipes only
  the keyslots, keeping the LUKS2 header in place.  With Opal encryption,
  the data segment is no longer valid, so the whole LUKS2 header is no
  longer usable.
 * Mention the need for possible PSID revert before Opal format for some
  drives (man page).
 * Fix Bitlocker-compatible code to ignore newly seen metadata entries.
  Recent Windows OS versions started to include new (undocumented)
  metadata entries in Bitlocker. These entries are now quietly ignored,
  allowing Bitlocker images to open with cryptsetup again.
 * Fix interactive query retry if LUKS2 unbound keyslot is present.
  If an unbound keyslot is present, the password query retry count is
  now properly applied.
 * Detect unsupported zoned devices for LUKS header devices.
  Zoned devices cannot be written with direct-io and used for LUKS header
  logic in general. Code now rejects placing the LUKS header on a zoned
  device, while you can still create a detached header and use a zoned
  device for encrypted data.
 * Allow "capi" cipher format for benchmark command and fix parsing
  of plain IV in "capi" format.
  Some ciphers can be specified only in Linux kernel crypto notation
  (in short, "capi"). Code now allows this format also for benchmark,
  for example, "benchmark -c capi:xts\(aes\)-plain64"
  (that is equivalent to -c aes-xts-plain64).
 * Add support for HCTR2 encryption mode.
  The HCTR2 encryption mode was added to the Linux kernel for fscrypt,
  but as it is a length-preserving mode (with sector tweak), it can be
  easily used for disk encryption, too.
  The mode has the same property as wide modes (any change is propagated
  to the whole sector instead of only one block as in XTS mode).
  As it needs a larger initialization vector (32 bytes), we need to add
  an exception in the userspace format code.
  You can now use --cipher aes-hctr2-plain64 for the format operation.
 * Source code now uses SPDX license identifiers instead of full
  license preambles.
 * Fix missing includes for cryptographic backend that could cause
  compilation errors for some systems.
 * Fix tests to work correctly in FIPS mode with recent OpenSSL 3.2.
 * Fix various (mostly false positive) issues detected by Coverity.
--- a/docs/v2.7.4-ReleaseNotes
+++ b/docs/v2.7.4-ReleaseNotes
@@ -0,0 +1,62 @@
 Cryptsetup 2.7.4 Release Notes
 ==============================
 Stable bug-fix release.
 All users of cryptsetup 2.7 should upgrade to this version.
 Changes since version 2.7.3
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 * Detect device busy failure for device-mapper table-referenced devices.
  Some device-mapper ioctl failures can disappear in libdevmapper,
  causing the libcryptsetup wrapper to return an invalid error (EINVAL)
  instead of EEXIST or EBUSY. One such case is when there is a device
  creation race, and the device-mapper device name is created, but
  the following mapping table load fails. This can happen because some
  block devices used in table mapping have already been claimed by
  another process (the kernel needs exclusive access).
  The kernel ioctl properly returns EBUSY; this errno is lost in
  libdevmapper (dm_task_get_errno returns 0). It should be fixed by
  libdevmapper in the future.
  Such behavior was seen in the systemd way of handling dm-verity
  devices. With these changes, the code should react for EEXIST and
  EBUSY, as another process has already activated the device.
  Code calling libcryptsetup also must not check the underlying device
  with an exclusive open flag (O_EXCL). Otherwise, it could cause a race
  in the kernel device-mapper, resulting in no process succeeding device
  activation (see also CRYPT_ACTIVATE_SHARED flag below).
 * Fix shared activation for dm-verity devices.
  The CRYPT_ACTIVATE_SHARED flag was silently ignored when activating
  dm-verity devices. Dm-verity shared activation is generally safe
  since all verity devices are read-only.
  The shared flag is a way to skip the exclusive access check for the
  device, allowing it to create multiple mappings with the same device or
  properly handle a racy concurrent activation of devices with the same
  name from different processes.
 * Add --shared option for veritysetup open action.
  The option allows the data device to be used in multiple device-mapper
  table mappings (skip exclusive access check) or to allow concurrent
  dm-verity device activation of the same device (only one process
  succeeds in this case; the other will return EEXIST or EBUSY).
 * Do not use exclusive flag for the allocated backing loop files.
  Using this flag is an undefined operation for opening an existing file.
  The flag should be used only for allocated loop (block) devices.
 * Fixes for problems found by static analyzers and Valgrind.
  These include fixes for non-default libgcrypt, NSS, and Nettle
  cryptographic backends, buffer operations to avoid partial read/write,
  and several other workarounds for mostly false positive warnings.
 * Fixes to tests and CI scripts.
--- a/docs/v2.7.5-ReleaseNotes
+++ b/docs/v2.7.5-ReleaseNotes
@@ -0,0 +1,23 @@
 Cryptsetup 2.7.5 Release Notes
 ==============================
 Stable bug-fix release.
 All users of cryptsetup 2.7 must upgrade to this version.
 Changes since version 2.7.4
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 * Fix possible online reencryption data corruption (only in 2.7.x).
  In some situations (initializing a suspended device-mapper device),
  cryptsetup disabled direct-io device access. This caused unsafe
  online reencryption operations that could lead to data corruption.
  The code now adds strict checks (and aborts the operation) and
  changes direct-io detection code to prevent data corruption.
 * Fix a clang compilation error in SSH token plugin.
  As clang linker treats missing symbols as errors, the linker phase
  for the SSH token failed as the optional cryptsetup_token_buffer_free
  was not defined.
 * Fix crypto backend initialization in crypt_format_luks2_opal API call.
--- a/lib/Makemodule.am
+++ b/lib/Makemodule.am
@@ -32,7 +32,8 @@ libcryptsetup_la_LIBADD = \
 	@LIBARGON2_LIBS@	\
 	@JSON_C_LIBS@		\
 	@BLKID_LIBS@		\
-	$(LTLIBICONV)		\
+	@DL_LIBS@		\
 	$(LTLIBINTL)		\
 	libcrypto_backend.la	\
 	libutils_io.la
@@ -52,8 +53,6 @@ libcryptsetup_la_SOURCES = \
 	lib/utils_loop.h		\
 	lib/utils_devpath.c		\
 	lib/utils_wipe.c		\
 	lib/utils_fips.c		\
 	lib/utils_fips.h		\
 	lib/utils_device.c		\
 	lib/utils_keyring.c		\
 	lib/utils_keyring.h		\
@@ -68,14 +67,14 @@ libcryptsetup_la_SOURCES = \
 	lib/volumekey.c			\
 	lib/random.c			\
 	lib/crypt_plain.c		\
 	lib/base64.h			\
 	lib/base64.c			\
 	lib/integrity/integrity.h	\
 	lib/integrity/integrity.c	\
 	lib/loopaes/loopaes.h		\
 	lib/loopaes/loopaes.c		\
 	lib/tcrypt/tcrypt.h		\
 	lib/tcrypt/tcrypt.c		\
 	lib/keyslot_context.h		\
 	lib/keyslot_context.c		\
 	lib/luks1/af.h			\
 	lib/luks1/af.c			\
 	lib/luks1/keyencryption.c	\
@@ -98,12 +97,17 @@ libcryptsetup_la_SOURCES = \
 	lib/luks2/luks2_keyslot_luks2.c	\
 	lib/luks2/luks2_keyslot_reenc.c	\
 	lib/luks2/luks2_reencrypt.c	\
 	lib/luks2/luks2_reencrypt_digest.c	\
 	lib/luks2/luks2_segment.c	\
 	lib/luks2/luks2_token_keyring.c	\
 	lib/luks2/luks2_token.c		\
 	lib/luks2/luks2_internal.h	\
 	lib/luks2/luks2.h		\
 	lib/luks2/hw_opal/hw_opal.c	\
 	lib/luks2/hw_opal/hw_opal.h	\
 	lib/utils_blkid.c		\
 	lib/utils_blkid.h		\
 	lib/bitlk/bitlk.h		\
-	lib/bitlk/bitlk.c
+	lib/bitlk/bitlk.c		\
 	lib/fvault2/fvault2.h		\
 	lib/fvault2/fvault2.c
--- a/lib/base64.c
+++ b/lib/base64.c
@@ -1,605 +0,0 @@
 /* base64.c -- Encode binary data using printable characters.
   Copyright (C) 1999-2001, 2004-2006, 2009-2019 Free Software Foundation, Inc.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2, or (at your option)
   any later version.
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
   You should have received a copy of the GNU General Public License
   along with this program; if not, see <https://www.gnu.org/licenses/>.  */
 /* Written by Simon Josefsson.  Partially adapted from GNU MailUtils
 * (mailbox/filter_trans.c, as of 2004-11-28).  Improved by review
 * from Paul Eggert, Bruno Haible, and Stepan Kasal.
 *
 * See also RFC 4648 <https://www.ietf.org/rfc/rfc4648.txt>.
 *
 * Be careful with error checking.  Here is how you would typically
 * use these functions:
 *
 * bool ok = base64_decode_alloc (in, inlen, &out, &outlen);
 * if (!ok)
 *   FAIL: input was not valid base64
 * if (out == NULL)
 *   FAIL: memory allocation error
 * OK: data in OUT/OUTLEN
 *
 * size_t outlen = base64_encode_alloc (in, inlen, &out);
 * if (out == NULL && outlen == 0 && inlen != 0)
 *   FAIL: input too long
 * if (out == NULL)
 *   FAIL: memory allocation error
 * OK: data in OUT/OUTLEN.
 *
 */
 #include <config.h>
 /* Get prototype. */
 #include "base64.h"
 /* Get malloc. */
 #include <stdlib.h>
 /* Get UCHAR_MAX. */
 #include <limits.h>
 #include <string.h>
 /* C89 compliant way to cast 'char' to 'unsigned char'. */
 static unsigned char
 to_uchar (char ch)
 {
  return ch;
 }
 static const char b64c[64] =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
 /* Base64 encode IN array of size INLEN into OUT array. OUT needs
   to be of length >= BASE64_LENGTH(INLEN), and INLEN needs to be
   a multiple of 3.  */
 static void
 base64_encode_fast (const char *restrict in, size_t inlen, char *restrict out)
 {
  while (inlen)
    {
      *out++ = b64c[(to_uchar (in[0]) >> 2) & 0x3f];
      *out++ = b64c[((to_uchar (in[0]) << 4) + (to_uchar (in[1]) >> 4)) & 0x3f];
      *out++ = b64c[((to_uchar (in[1]) << 2) + (to_uchar (in[2]) >> 6)) & 0x3f];
      *out++ = b64c[to_uchar (in[2]) & 0x3f];
      inlen -= 3;
      in += 3;
    }
 }
 /* Base64 encode IN array of size INLEN into OUT array of size OUTLEN.
   If OUTLEN is less than BASE64_LENGTH(INLEN), write as many bytes as
   possible.  If OUTLEN is larger than BASE64_LENGTH(INLEN), also zero
   terminate the output buffer. */
 void
 base64_encode (const char *restrict in, size_t inlen,
               char *restrict out, size_t outlen)
 {
  /* Note this outlen constraint can be enforced at compile time.
     I.E. that the output buffer is exactly large enough to hold
     the encoded inlen bytes.  The inlen constraints (of corresponding
     to outlen, and being a multiple of 3) can change at runtime
     at the end of input.  However the common case when reading
     large inputs is to have both constraints satisfied, so we depend
     on both in base_encode_fast().  */
  if (outlen % 4 == 0 && inlen == outlen / 4 * 3)
    {
      base64_encode_fast (in, inlen, out);
      return;
    }
  while (inlen && outlen)
    {
      *out++ = b64c[(to_uchar (in[0]) >> 2) & 0x3f];
      if (!--outlen)
        break;
      *out++ = b64c[((to_uchar (in[0]) << 4)
                       + (--inlen ? to_uchar (in[1]) >> 4 : 0))
                      & 0x3f];
      if (!--outlen)
        break;
      *out++ =
        (inlen
         ? b64c[((to_uchar (in[1]) << 2)
                   + (--inlen ? to_uchar (in[2]) >> 6 : 0))
                  & 0x3f]
         : '=');
      if (!--outlen)
        break;
      *out++ = inlen ? b64c[to_uchar (in[2]) & 0x3f] : '=';
      if (!--outlen)
        break;
      if (inlen)
        inlen--;
      if (inlen)
        in += 3;
    }
  if (outlen)
    *out = '\0';
 }
 /* Allocate a buffer and store zero terminated base64 encoded data
   from array IN of size INLEN, returning BASE64_LENGTH(INLEN), i.e.,
   the length of the encoded data, excluding the terminating zero.  On
   return, the OUT variable will hold a pointer to newly allocated
   memory that must be deallocated by the caller.  If output string
   length would overflow, 0 is returned and OUT is set to NULL.  If
   memory allocation failed, OUT is set to NULL, and the return value
   indicates length of the requested memory block, i.e.,
   BASE64_LENGTH(inlen) + 1. */
 size_t
 base64_encode_alloc (const char *in, size_t inlen, char **out)
 {
  size_t outlen = 1 + BASE64_LENGTH (inlen);
  /* Check for overflow in outlen computation.
   *
   * If there is no overflow, outlen >= inlen.
   *
   * If the operation (inlen + 2) overflows then it yields at most +1, so
   * outlen is 0.
   *
   * If the multiplication overflows, we lose at least half of the
   * correct value, so the result is < ((inlen + 2) / 3) * 2, which is
   * less than (inlen + 2) * 0.66667, which is less than inlen as soon as
   * (inlen > 4).
   */
  if (inlen > outlen)
    {
      *out = NULL;
      return 0;
    }
  *out = malloc (outlen);
  if (!*out)
    return outlen;
  base64_encode (in, inlen, *out, outlen);
  return outlen - 1;
 }
 /* With this approach this file works independent of the charset used
   (think EBCDIC).  However, it does assume that the characters in the
   Base64 alphabet (A-Za-z0-9+/) are encoded in 0..255.  POSIX
   1003.1-2001 require that char and unsigned char are 8-bit
   quantities, though, taking care of that problem.  But this may be a
   potential problem on non-POSIX C99 platforms.
   IBM C V6 for AIX mishandles "#define B64(x) ...'x'...", so use "_"
   as the formal parameter rather than "x".  */
 #define B64(_)                                  \
  ((_) == 'A' ? 0                               \
   : (_) == 'B' ? 1                             \
   : (_) == 'C' ? 2                             \
   : (_) == 'D' ? 3                             \
   : (_) == 'E' ? 4                             \
   : (_) == 'F' ? 5                             \
   : (_) == 'G' ? 6                             \
   : (_) == 'H' ? 7                             \
   : (_) == 'I' ? 8                             \
   : (_) == 'J' ? 9                             \
   : (_) == 'K' ? 10                            \
   : (_) == 'L' ? 11                            \
   : (_) == 'M' ? 12                            \
   : (_) == 'N' ? 13                            \
   : (_) == 'O' ? 14                            \
   : (_) == 'P' ? 15                            \
   : (_) == 'Q' ? 16                            \
   : (_) == 'R' ? 17                            \
   : (_) == 'S' ? 18                            \
   : (_) == 'T' ? 19                            \
   : (_) == 'U' ? 20                            \
   : (_) == 'V' ? 21                            \
   : (_) == 'W' ? 22                            \
   : (_) == 'X' ? 23                            \
   : (_) == 'Y' ? 24                            \
   : (_) == 'Z' ? 25                            \
   : (_) == 'a' ? 26                            \
   : (_) == 'b' ? 27                            \
   : (_) == 'c' ? 28                            \
   : (_) == 'd' ? 29                            \
   : (_) == 'e' ? 30                            \
   : (_) == 'f' ? 31                            \
   : (_) == 'g' ? 32                            \
   : (_) == 'h' ? 33                            \
   : (_) == 'i' ? 34                            \
   : (_) == 'j' ? 35                            \
   : (_) == 'k' ? 36                            \
   : (_) == 'l' ? 37                            \
   : (_) == 'm' ? 38                            \
   : (_) == 'n' ? 39                            \
   : (_) == 'o' ? 40                            \
   : (_) == 'p' ? 41                            \
   : (_) == 'q' ? 42                            \
   : (_) == 'r' ? 43                            \
   : (_) == 's' ? 44                            \
   : (_) == 't' ? 45                            \
   : (_) == 'u' ? 46                            \
   : (_) == 'v' ? 47                            \
   : (_) == 'w' ? 48                            \
   : (_) == 'x' ? 49                            \
   : (_) == 'y' ? 50                            \
   : (_) == 'z' ? 51                            \
   : (_) == '0' ? 52                            \
   : (_) == '1' ? 53                            \
   : (_) == '2' ? 54                            \
   : (_) == '3' ? 55                            \
   : (_) == '4' ? 56                            \
   : (_) == '5' ? 57                            \
   : (_) == '6' ? 58                            \
   : (_) == '7' ? 59                            \
   : (_) == '8' ? 60                            \
   : (_) == '9' ? 61                            \
   : (_) == '+' ? 62                            \
   : (_) == '/' ? 63                            \
   : -1)
 static const signed char b64[0x100] = {
  B64 (0), B64 (1), B64 (2), B64 (3),
  B64 (4), B64 (5), B64 (6), B64 (7),
  B64 (8), B64 (9), B64 (10), B64 (11),
  B64 (12), B64 (13), B64 (14), B64 (15),
  B64 (16), B64 (17), B64 (18), B64 (19),
  B64 (20), B64 (21), B64 (22), B64 (23),
  B64 (24), B64 (25), B64 (26), B64 (27),
  B64 (28), B64 (29), B64 (30), B64 (31),
  B64 (32), B64 (33), B64 (34), B64 (35),
  B64 (36), B64 (37), B64 (38), B64 (39),
  B64 (40), B64 (41), B64 (42), B64 (43),
  B64 (44), B64 (45), B64 (46), B64 (47),
  B64 (48), B64 (49), B64 (50), B64 (51),
  B64 (52), B64 (53), B64 (54), B64 (55),
  B64 (56), B64 (57), B64 (58), B64 (59),
  B64 (60), B64 (61), B64 (62), B64 (63),
  B64 (64), B64 (65), B64 (66), B64 (67),
  B64 (68), B64 (69), B64 (70), B64 (71),
  B64 (72), B64 (73), B64 (74), B64 (75),
  B64 (76), B64 (77), B64 (78), B64 (79),
  B64 (80), B64 (81), B64 (82), B64 (83),
  B64 (84), B64 (85), B64 (86), B64 (87),
  B64 (88), B64 (89), B64 (90), B64 (91),
  B64 (92), B64 (93), B64 (94), B64 (95),
  B64 (96), B64 (97), B64 (98), B64 (99),
  B64 (100), B64 (101), B64 (102), B64 (103),
  B64 (104), B64 (105), B64 (106), B64 (107),
  B64 (108), B64 (109), B64 (110), B64 (111),
  B64 (112), B64 (113), B64 (114), B64 (115),
  B64 (116), B64 (117), B64 (118), B64 (119),
  B64 (120), B64 (121), B64 (122), B64 (123),
  B64 (124), B64 (125), B64 (126), B64 (127),
  B64 (128), B64 (129), B64 (130), B64 (131),
  B64 (132), B64 (133), B64 (134), B64 (135),
  B64 (136), B64 (137), B64 (138), B64 (139),
  B64 (140), B64 (141), B64 (142), B64 (143),
  B64 (144), B64 (145), B64 (146), B64 (147),
  B64 (148), B64 (149), B64 (150), B64 (151),
  B64 (152), B64 (153), B64 (154), B64 (155),
  B64 (156), B64 (157), B64 (158), B64 (159),
  B64 (160), B64 (161), B64 (162), B64 (163),
  B64 (164), B64 (165), B64 (166), B64 (167),
  B64 (168), B64 (169), B64 (170), B64 (171),
  B64 (172), B64 (173), B64 (174), B64 (175),
  B64 (176), B64 (177), B64 (178), B64 (179),
  B64 (180), B64 (181), B64 (182), B64 (183),
  B64 (184), B64 (185), B64 (186), B64 (187),
  B64 (188), B64 (189), B64 (190), B64 (191),
  B64 (192), B64 (193), B64 (194), B64 (195),
  B64 (196), B64 (197), B64 (198), B64 (199),
  B64 (200), B64 (201), B64 (202), B64 (203),
  B64 (204), B64 (205), B64 (206), B64 (207),
  B64 (208), B64 (209), B64 (210), B64 (211),
  B64 (212), B64 (213), B64 (214), B64 (215),
  B64 (216), B64 (217), B64 (218), B64 (219),
  B64 (220), B64 (221), B64 (222), B64 (223),
  B64 (224), B64 (225), B64 (226), B64 (227),
  B64 (228), B64 (229), B64 (230), B64 (231),
  B64 (232), B64 (233), B64 (234), B64 (235),
  B64 (236), B64 (237), B64 (238), B64 (239),
  B64 (240), B64 (241), B64 (242), B64 (243),
  B64 (244), B64 (245), B64 (246), B64 (247),
  B64 (248), B64 (249), B64 (250), B64 (251),
  B64 (252), B64 (253), B64 (254), B64 (255)
 };
 #if UCHAR_MAX == 255
 # define uchar_in_range(c) true
 #else
 # define uchar_in_range(c) ((c) <= 255)
 #endif
 /* Return true if CH is a character from the Base64 alphabet, and
   false otherwise.  Note that '=' is padding and not considered to be
   part of the alphabet.  */
 bool
 isbase64 (char ch)
 {
  return uchar_in_range (to_uchar (ch)) && 0 <= b64[to_uchar (ch)];
 }
 /* Initialize decode-context buffer, CTX.  */
 void
 base64_decode_ctx_init (struct base64_decode_context *ctx)
 {
  ctx->i = 0;
 }
 /* If CTX->i is 0 or 4, there are four or more bytes in [*IN..IN_END), and
   none of those four is a newline, then return *IN.  Otherwise, copy up to
   4 - CTX->i non-newline bytes from that range into CTX->buf, starting at
   index CTX->i and setting CTX->i to reflect the number of bytes copied,
   and return CTX->buf.  In either case, advance *IN to point to the byte
   after the last one processed, and set *N_NON_NEWLINE to the number of
   verified non-newline bytes accessible through the returned pointer.  */
 static const char *
 get_4 (struct base64_decode_context *ctx,
       char const *restrict *in, char const *restrict in_end,
       size_t *n_non_newline)
 {
  if (ctx->i == 4)
    ctx->i = 0;
  if (ctx->i == 0)
    {
      char const *t = *in;
      if (4 <= in_end - *in && memchr (t, '\n', 4) == NULL)
        {
          /* This is the common case: no newline.  */
          *in += 4;
          *n_non_newline = 4;
          return (const char *) t;
        }
    }
  {
    /* Copy non-newline bytes into BUF.  */
    char const *p = *in;
    while (p < in_end)
      {
        char c = *p++;
        if (c != '\n')
          {
            ctx->buf[ctx->i++] = c;
            if (ctx->i == 4)
              break;
          }
      }
    *in = p;
    *n_non_newline = ctx->i;
    return ctx->buf;
  }
 }
 #define return_false                            \
  do                                            \
    {                                           \
      *outp = out;                              \
      return false;                             \
    }                                           \
  while (false)
 /* Decode up to four bytes of base64-encoded data, IN, of length INLEN
   into the output buffer, *OUT, of size *OUTLEN bytes.  Return true if
   decoding is successful, false otherwise.  If *OUTLEN is too small,
   as many bytes as possible are written to *OUT.  On return, advance
   *OUT to point to the byte after the last one written, and decrement
   *OUTLEN to reflect the number of bytes remaining in *OUT.  */
 static bool
 decode_4 (char const *restrict in, size_t inlen,
          char *restrict *outp, size_t *outleft)
 {
  char *out = *outp;
  if (inlen < 2)
    return false;
  if (!isbase64 (in[0]) || !isbase64 (in[1]))
    return false;
  if (*outleft)
    {
      *out++ = ((b64[to_uchar (in[0])] << 2)
                | (b64[to_uchar (in[1])] >> 4));
      --*outleft;
    }
  if (inlen == 2)
    return_false;
  if (in[2] == '=')
    {
      if (inlen != 4)
        return_false;
      if (in[3] != '=')
        return_false;
    }
  else
    {
      if (!isbase64 (in[2]))
        return_false;
      if (*outleft)
        {
          *out++ = (((b64[to_uchar (in[1])] << 4) & 0xf0)
                    | (b64[to_uchar (in[2])] >> 2));
          --*outleft;
        }
      if (inlen == 3)
        return_false;
      if (in[3] == '=')
        {
          if (inlen != 4)
            return_false;
        }
      else
        {
          if (!isbase64 (in[3]))
            return_false;
          if (*outleft)
            {
              *out++ = (((b64[to_uchar (in[2])] << 6) & 0xc0)
                        | b64[to_uchar (in[3])]);
              --*outleft;
            }
        }
    }
  *outp = out;
  return true;
 }
 /* Decode base64-encoded input array IN of length INLEN to output array
   OUT that can hold *OUTLEN bytes.  The input data may be interspersed
   with newlines.  Return true if decoding was successful, i.e. if the
   input was valid base64 data, false otherwise.  If *OUTLEN is too
   small, as many bytes as possible will be written to OUT.  On return,
   *OUTLEN holds the length of decoded bytes in OUT.  Note that as soon
   as any non-alphabet, non-newline character is encountered, decoding
   is stopped and false is returned.  If INLEN is zero, then process
   only whatever data is stored in CTX.
   Initially, CTX must have been initialized via base64_decode_ctx_init.
   Subsequent calls to this function must reuse whatever state is recorded
   in that buffer.  It is necessary for when a quadruple of base64 input
   bytes spans two input buffers.
   If CTX is NULL then newlines are treated as garbage and the input
   buffer is processed as a unit.  */
 bool
 base64_decode_ctx (struct base64_decode_context *ctx,
                   const char *restrict in, size_t inlen,
                   char *restrict out, size_t *outlen)
 {
  size_t outleft = *outlen;
  bool ignore_newlines = ctx != NULL;
  bool flush_ctx = false;
  unsigned int ctx_i = 0;
  if (ignore_newlines)
    {
      ctx_i = ctx->i;
      flush_ctx = inlen == 0;
    }
  while (true)
    {
      size_t outleft_save = outleft;
      if (ctx_i == 0 && !flush_ctx)
        {
          while (true)
            {
              /* Save a copy of outleft, in case we need to re-parse this
                 block of four bytes.  */
              outleft_save = outleft;
              if (!decode_4 (in, inlen, &out, &outleft))
                break;
              in += 4;
              inlen -= 4;
            }
        }
      if (inlen == 0 && !flush_ctx)
        break;
      /* Handle the common case of 72-byte wrapped lines.
         This also handles any other multiple-of-4-byte wrapping.  */
      if (inlen && *in == '\n' && ignore_newlines)
        {
          ++in;
          --inlen;
          continue;
        }
      /* Restore OUT and OUTLEFT.  */
      out -= outleft_save - outleft;
      outleft = outleft_save;
      {
        char const *in_end = in + inlen;
        char const *non_nl;
        if (ignore_newlines)
          non_nl = get_4 (ctx, &in, in_end, &inlen);
        else
          non_nl = in;  /* Might have nl in this case. */
        /* If the input is empty or consists solely of newlines (0 non-newlines),
           then we're done.  Likewise if there are fewer than 4 bytes when not
           flushing context and not treating newlines as garbage.  */
        if (inlen == 0 || (inlen < 4 && !flush_ctx && ignore_newlines))
          {
            inlen = 0;
            break;
          }
        if (!decode_4 (non_nl, inlen, &out, &outleft))
          break;
        inlen = in_end - in;
      }
    }
  *outlen -= outleft;
  return inlen == 0;
 }
 /* Allocate an output buffer in *OUT, and decode the base64 encoded
   data stored in IN of size INLEN to the *OUT buffer.  On return, the
   size of the decoded data is stored in *OUTLEN.  OUTLEN may be NULL,
   if the caller is not interested in the decoded length.  *OUT may be
   NULL to indicate an out of memory error, in which case *OUTLEN
   contains the size of the memory block needed.  The function returns
   true on successful decoding and memory allocation errors.  (Use the
   *OUT and *OUTLEN parameters to differentiate between successful
   decoding and memory error.)  The function returns false if the
   input was invalid, in which case *OUT is NULL and *OUTLEN is
   undefined. */
 bool
 base64_decode_alloc_ctx (struct base64_decode_context *ctx,
                         const char *in, size_t inlen, char **out,
                         size_t *outlen)
 {
  /* This may allocate a few bytes too many, depending on input,
     but it's not worth the extra CPU time to compute the exact size.
     The exact size is 3 * (inlen + (ctx ? ctx->i : 0)) / 4, minus 1 if the
     input ends with "=" and minus another 1 if the input ends with "==".
     Dividing before multiplying avoids the possibility of overflow.  */
  size_t needlen = 3 * (inlen / 4) + 3;
  *out = malloc (needlen);
  if (!*out)
    return true;
  if (!base64_decode_ctx (ctx, in, inlen, *out, &needlen))
    {
      free (*out);
      *out = NULL;
      return false;
    }
  if (outlen)
    *outlen = needlen;
  return true;
 }
--- a/lib/base64.h
+++ b/lib/base64.h
@@ -1,68 +0,0 @@
 /* base64.h -- Encode binary data using printable characters.
   Copyright (C) 2004-2006, 2009-2019 Free Software Foundation, Inc.
   Written by Simon Josefsson.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2, or (at your option)
   any later version.
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
   You should have received a copy of the GNU General Public License
   along with this program; if not, see <https://www.gnu.org/licenses/>.  */
 #ifndef BASE64_H
 # define BASE64_H
 /* Get size_t. */
 # include <stddef.h>
 /* Get bool. */
 # include <stdbool.h>
 # ifdef __cplusplus
 extern "C" {
 # endif
 /* This uses that the expression (n+(k-1))/k means the smallest
   integer >= n/k, i.e., the ceiling of n/k.  */
 # define BASE64_LENGTH(inlen) ((((inlen) + 2) / 3) * 4)
 struct base64_decode_context
 {
  unsigned int i;
  char buf[4];
 };
 extern bool isbase64 (char ch) __attribute__ ((__const__));
 extern void base64_encode (const char *restrict in, size_t inlen,
                           char *restrict out, size_t outlen);
 extern size_t base64_encode_alloc (const char *in, size_t inlen, char **out);
 extern void base64_decode_ctx_init (struct base64_decode_context *ctx);
 extern bool base64_decode_ctx (struct base64_decode_context *ctx,
                               const char *restrict in, size_t inlen,
                               char *restrict out, size_t *outlen);
 extern bool base64_decode_alloc_ctx (struct base64_decode_context *ctx,
                                     const char *in, size_t inlen,
                                     char **out, size_t *outlen);
 #define base64_decode(in, inlen, out, outlen) \
        base64_decode_ctx (NULL, in, inlen, out, outlen)
 #define base64_decode_alloc(in, inlen, out, outlen) \
        base64_decode_alloc_ctx (NULL, in, inlen, out, outlen)
 # ifdef __cplusplus
 }
 # endif
 #endif /* BASE64_H */
--- a/lib/bitlk/bitlk.c
+++ b/lib/bitlk/bitlk.c
@@ -1,30 +1,16 @@
 // SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * BITLK (BitLocker-compatible) volume handling
 *
- * Copyright (C) 2019-2021 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2019-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2019-2021 Milan Broz
+ * Copyright (C) 2019-2024 Milan Broz
- * Copyright (C) 2019-2021 Vojtech Trefny
+ * Copyright (C) 2019-2024 Vojtech Trefny
 *
 * This file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This file is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this file; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include <errno.h>
 #include <string.h>
 #include <uuid/uuid.h>
 #include <time.h>
 #include <iconv.h>
 #include <limits.h>
 #include "bitlk.h"
@@ -234,86 +220,11 @@ static const char* get_bitlk_type_string(BITLKEncryptionType type)
 	}
 }
 /* TODO -- move to some utils file */
 static void hexprint(struct crypt_device *cd, const char *d, int n, const char *sep)
 {
 	int i;
 	for(i = 0; i < n; i++)
 		log_std(cd, "%02hhx%s", (const char)d[i], sep);
 }
 static uint64_t filetime_to_unixtime(uint64_t time)
 {
 	return (time - EPOCH_AS_FILETIME) / HUNDREDS_OF_NANOSECONDS;
 }
 static int convert_to_utf8(struct crypt_device *cd, uint8_t *input, size_t inlen, char **out)
 {
 	char *outbuf = NULL;
 	iconv_t ic;
 	size_t ic_inlen = inlen;
 	size_t ic_outlen = inlen;
 	char *ic_outbuf = NULL;
 	size_t r = 0;
 	outbuf = malloc(inlen);
 	if (outbuf == NULL)
 		return -ENOMEM;
 	memset(outbuf, 0, inlen);
 	ic_outbuf = outbuf;
 	ic = iconv_open("UTF-8", "UTF-16LE");
 	r = iconv(ic, (char **) &input, &ic_inlen, &ic_outbuf, &ic_outlen);
 	iconv_close(ic);
 	if (r == 0)
 		*out = strdup(outbuf);
 	else {
 		*out = NULL;
 		log_dbg(cd, "Failed to convert volume description: %s", strerror(errno));
 		r = 0;
 	}
 	free(outbuf);
 	return r;
 }
 static int passphrase_to_utf16(struct crypt_device *cd, char *input, size_t inlen, char **out)
 {
 	char *outbuf = NULL;
 	iconv_t ic;
 	size_t ic_inlen = inlen;
 	size_t ic_outlen = inlen * 2;
 	char *ic_outbuf = NULL;
 	size_t r = 0;
 	if (inlen == 0)
 		return r;
 	outbuf = crypt_safe_alloc(inlen * 2);
 	if (outbuf == NULL)
 		return -ENOMEM;
 	memset(outbuf, 0, inlen * 2);
 	ic_outbuf = outbuf;
 	ic = iconv_open("UTF-16LE", "UTF-8");
 	r = iconv(ic, &input, &ic_inlen, &ic_outbuf, &ic_outlen);
 	iconv_close(ic);
 	if (r == 0) {
 		*out = outbuf;
 	} else {
 		*out = NULL;
 		crypt_safe_free(outbuf);
 		log_dbg(cd, "Failed to convert passphrase: %s", strerror(errno));
 		r = -errno;
 	}
 	return r;
 }
 static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, int end, struct bitlk_vmk **vmk)
 {
 	uint16_t key_entry_size = 0;
@@ -324,19 +235,23 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
 	const char *key = NULL;
 	struct volume_key *vk = NULL;
 	bool supported = false;
 	int r = 0;
 	/* only passphrase or recovery passphrase vmks are supported (can be used to activate) */
 	supported = (*vmk)->protection == BITLK_PROTECTION_PASSPHRASE ||
 		    (*vmk)->protection == BITLK_PROTECTION_RECOVERY_PASSPHRASE ||
 		    (*vmk)->protection == BITLK_PROTECTION_STARTUP_KEY;
-	while (end - start > 2) {
+	while ((end - start) >= (ssize_t)(sizeof(key_entry_size) + sizeof(key_entry_type) + sizeof(key_entry_value))) {
 		/* size of this entry */
 		memcpy(&key_entry_size, data + start, sizeof(key_entry_size));
 		key_entry_size = le16_to_cpu(key_entry_size);
 		if (key_entry_size == 0)
 			break;
 		if (key_entry_size > (end - start))
 			return -EINVAL;
 		/* type and value of this entry */
 		memcpy(&key_entry_type, data + start + sizeof(key_entry_size), sizeof(key_entry_type));
 		memcpy(&key_entry_value,
@@ -355,20 +270,24 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
 		}
 		/* stretch key with salt, skip 4 B (encryption method of the stretch key) */
-		if (key_entry_value == BITLK_ENTRY_VALUE_STRETCH_KEY)
+		if (key_entry_value == BITLK_ENTRY_VALUE_STRETCH_KEY) {
 			if ((end - start) < (BITLK_ENTRY_HEADER_LEN + BITLK_SALT_SIZE + 4))
 				return -EINVAL;
 			memcpy((*vmk)->salt,
 			       data + start + BITLK_ENTRY_HEADER_LEN + 4,
-			       sizeof((*vmk)->salt));
+			       BITLK_SALT_SIZE);
 		/* AES-CCM encrypted key */
-		else if (key_entry_value == BITLK_ENTRY_VALUE_ENCRYPTED_KEY) {
+		} else if (key_entry_value == BITLK_ENTRY_VALUE_ENCRYPTED_KEY) {
 			if (key_entry_size < (BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE))
 				return -EINVAL;
 			/* nonce */
 			memcpy((*vmk)->nonce,
 			       data + start + BITLK_ENTRY_HEADER_LEN,
-			       sizeof((*vmk)->nonce));
+			       BITLK_NONCE_SIZE);
 			/* MAC tag */
 			memcpy((*vmk)->mac_tag,
 			       data + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE,
-			       sizeof((*vmk)->mac_tag));
+			       BITLK_VMK_MAC_TAG_SIZE);
 			/* AES-CCM encrypted key */
 			key_size = key_entry_size - (BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE);
 			key = (const char *) data + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE;
@@ -392,10 +311,20 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
 		/* unknown timestamps in recovery protected VMK */
 		} else if (key_entry_value == BITLK_ENTRY_VALUE_RECOVERY_TIME) {
 			;
 		/* optional hint (?) string (masked email?), we can safely ignore it */
 		} else if (key_entry_value == BITLK_ENTRY_VALUE_HINT) {
 			;
 		} else if (key_entry_value == BITLK_ENTRY_VALUE_STRING) {
-			if (convert_to_utf8(cd, data + start + BITLK_ENTRY_HEADER_LEN, key_entry_size - BITLK_ENTRY_HEADER_LEN, &string) < 0) {
+			if (key_entry_size < BITLK_ENTRY_HEADER_LEN)
-				log_err(cd, _("Invalid string found when parsing Volume Master Key."));
+				return -EINVAL;
 			string = malloc((key_entry_size - BITLK_ENTRY_HEADER_LEN) * 2 + 1);
 			if (!string)
 				return -ENOMEM;
 			r = crypt_utf16_to_utf8(&string, CONST_CAST(char16_t *)(data + start + BITLK_ENTRY_HEADER_LEN),
 						     key_entry_size - BITLK_ENTRY_HEADER_LEN);
 			if (r < 0 || !string) {
 				free(string);
 				log_err(cd, _("Invalid string found when parsing Volume Master Key."));
 				return -EINVAL;
 			} else if ((*vmk)->name != NULL) {
 				if (supported) {
@@ -414,6 +343,9 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
 		/* no idea what this is, lets hope it's not important */
 		} else if (key_entry_value == BITLK_ENTRY_VALUE_USE_KEY && (*vmk)->protection == BITLK_PROTECTION_STARTUP_KEY) {
 			;
 		/* quietly ignore unsupported TPM key */
 		} else if (key_entry_value == BITLK_ENTRY_VALUE_TPM_KEY && (*vmk)->protection == BITLK_PROTECTION_TPM) {
 			;
 		} else {
 			if (supported) {
 				log_err(cd, _("Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."), key_entry_value);
@@ -475,6 +407,7 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 	struct bitlk_fve_metadata fve = {};
 	struct bitlk_entry_vmk entry_vmk = {};
 	uint8_t *fve_entries = NULL;
 	size_t fve_entries_size = 0;
 	uint32_t fve_metadata_size = 0;
 	int fve_offset = 0;
 	char guid_buf[UUID_STR_LEN] = {0};
@@ -483,9 +416,9 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 	int i = 0;
 	int r = 0;
 	int start = 0;
 	int end = 0;
 	size_t key_size = 0;
 	const char *key = NULL;
 	char *description = NULL;
 	struct bitlk_vmk *vmk = NULL;
 	struct bitlk_vmk *vmk_p = params->vmks;
@@ -499,8 +432,8 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 	/* read and check the signature */
 	if (read_lseek_blockwise(devfd, device_block_size(cd, device),
 		device_alignment(device), &sig, sizeof(sig), 0) != sizeof(sig)) {
-		log_err(cd, _("Failed to read BITLK signature from %s."), device_path(device));
+		log_dbg(cd, "Failed to read BITLK signature from %s.", device_path(device));
-		r = -EINVAL;
+		r = -EIO;
 		goto out;
 	}
@@ -511,7 +444,7 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 		params->togo = true;
 		fve_offset = BITLK_HEADER_METADATA_OFFSET_TOGO;
 	} else {
-		log_err(cd, _("Invalid or unknown signature for BITLK device."));
+		log_dbg(cd, "Invalid or unknown signature for BITLK device.");
 		r = -EINVAL;
 		goto out;
 	}
@@ -581,8 +514,8 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 			le16_to_cpu(fve.curr_state), le16_to_cpu(fve.next_state));
 	}
 	params->volume_size = le64_to_cpu(fve.volume_size);
 	params->metadata_version = le16_to_cpu(fve.fve_version);
 	fve_metadata_size = le32_to_cpu(fve.metadata_size);
 	switch (le16_to_cpu(fve.encryption)) {
 	/* AES-CBC with Elephant difuser */
@@ -637,40 +570,56 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 	params->creation_time = filetime_to_unixtime(le64_to_cpu(fve.creation_time));
 	fve_metadata_size = le32_to_cpu(fve.metadata_size);
 	if (fve_metadata_size < (BITLK_FVE_METADATA_HEADER_LEN + sizeof(entry_size) + sizeof(entry_type)) ||
 	    fve_metadata_size > BITLK_FVE_METADATA_SIZE) {
 		r = -EINVAL;
 		goto out;
 	}
 	fve_entries_size = fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN;
 	/* read and parse all FVE metadata entries */
-	fve_entries = malloc(fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN);
+	fve_entries = malloc(fve_entries_size);
 	if (!fve_entries) {
 		r = -ENOMEM;
 		goto out;
 	}
-	memset(fve_entries, 0, (fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN));
+	memset(fve_entries, 0, fve_entries_size);
-	log_dbg(cd, "Reading BITLK FVE metadata entries of size %" PRIu32 " on device %s, offset %" PRIu64 ".",
+	log_dbg(cd, "Reading BITLK FVE metadata entries of size %zu on device %s, offset %" PRIu64 ".",
-		fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN, device_path(device),
+		fve_entries_size, device_path(device), params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN);
 		params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN);
 	if (read_lseek_blockwise(devfd, device_block_size(cd, device),
-		device_alignment(device), fve_entries, fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN,
+		device_alignment(device), fve_entries, fve_entries_size,
-		params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN) != (ssize_t)(fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN)) {
+		params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN) != (ssize_t)fve_entries_size) {
 		log_err(cd, _("Failed to read BITLK metadata entries from %s."), device_path(device));
 		r = -EINVAL;
 		goto out;
 	}
-	end = fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN;
+	while ((fve_entries_size - start) >= (sizeof(entry_size) + sizeof(entry_type))) {
-	while (end - start > 2) {
+
 		/* size of this entry */
 		memcpy(&entry_size, fve_entries + start, sizeof(entry_size));
 		entry_size = le16_to_cpu(entry_size);
 		if (entry_size == 0)
 			break;
 		if (entry_size > (fve_entries_size - start)) {
 			r = -EINVAL;
 			goto out;
 		}
 		/* type of this entry */
 		memcpy(&entry_type, fve_entries + start + sizeof(entry_size), sizeof(entry_type));
 		entry_type = le16_to_cpu(entry_type);
 		/* VMK */
 		if (entry_type == BITLK_ENTRY_TYPE_VMK) {
 			if (entry_size < (BITLK_ENTRY_HEADER_LEN + sizeof(entry_vmk))) {
 				r = -EINVAL;
 				goto out;
 			}
 			/* skip first four variables in the entry (entry size, type, value and version) */
 			memcpy(&entry_vmk,
 			       fve_entries + start + BITLK_ENTRY_HEADER_LEN,
@@ -707,7 +656,11 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 			vmk_p = vmk;
 			vmk = vmk->next;
 		/* FVEK */
-		} else if (entry_type == BITLK_ENTRY_TYPE_FVEK) {
+		} else if (entry_type == BITLK_ENTRY_TYPE_FVEK && !params->fvek) {
 			if (entry_size < (BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE)) {
 				r = -EINVAL;
 				goto out;
 			}
 			params->fvek = malloc(sizeof(struct bitlk_fvek));
 			if (!params->fvek) {
 				r = -ENOMEM;
@@ -715,11 +668,11 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 			}
 			memcpy(params->fvek->nonce,
 			       fve_entries + start + BITLK_ENTRY_HEADER_LEN,
-			       sizeof(params->fvek->nonce));
+			       BITLK_NONCE_SIZE);
 			/* MAC tag */
 			memcpy(params->fvek->mac_tag,
 			       fve_entries + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE,
-			       sizeof(params->fvek->mac_tag));
+			       BITLK_VMK_MAC_TAG_SIZE);
 			/* AES-CCM encrypted key */
 			key_size = entry_size - (BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE);
 			key = (const char *) fve_entries + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE;
@@ -731,20 +684,35 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 		/* volume header info (location and size) */
 		} else if (entry_type == BITLK_ENTRY_TYPE_VOLUME_HEADER) {
 			struct bitlk_entry_header_block entry_header;
 			if ((fve_entries_size - start) < (BITLK_ENTRY_HEADER_LEN + sizeof(entry_header))) {
 				r = -EINVAL;
 				goto out;
 			}
 			memcpy(&entry_header,
 			       fve_entries + start + BITLK_ENTRY_HEADER_LEN,
 			       sizeof(entry_header));
 			params->volume_header_offset = le64_to_cpu(entry_header.offset);
 			params->volume_header_size = le64_to_cpu(entry_header.size);
 		/* volume description (utf-16 string) */
-		} else if (entry_type == BITLK_ENTRY_TYPE_DESCRIPTION) {
+		} else if (entry_type == BITLK_ENTRY_TYPE_DESCRIPTION && !params->description) {
-			r = convert_to_utf8(cd, fve_entries + start + BITLK_ENTRY_HEADER_LEN,
+			if (entry_size < BITLK_ENTRY_HEADER_LEN) {
-					    entry_size - BITLK_ENTRY_HEADER_LEN,
+				r = -EINVAL;
 					    &(params->description));
 			if (r < 0) {
 				BITLK_bitlk_vmk_free(vmk);
 				goto out;
 			}
 			description = malloc((entry_size - BITLK_ENTRY_HEADER_LEN) * 2 + 1);
 			if (!description) {
 				r = -ENOMEM;
 				goto out;
 			}
 			r = crypt_utf16_to_utf8(&description, CONST_CAST(char16_t *)(fve_entries + start + BITLK_ENTRY_HEADER_LEN),
 					                  entry_size - BITLK_ENTRY_HEADER_LEN);
 			if (r < 0) {
 				free(description);
 				BITLK_bitlk_vmk_free(vmk);
 				log_err(cd, _("Failed to convert BITLK volume description"));
 				goto out;
 			}
 			params->description = description;
 		}
 		start += entry_size;
@@ -760,6 +728,7 @@ int BITLK_dump(struct crypt_device *cd, struct device *device, struct bitlk_meta
 {
 	struct volume_key *vk_p;
 	struct bitlk_vmk *vmk_p;
 	char time[32];
 	int next_id = 0;
 	int i = 0;
@@ -767,7 +736,9 @@ int BITLK_dump(struct crypt_device *cd, struct device *device, struct bitlk_meta
 	log_std(cd, "Version:      \t%u\n", params->metadata_version);
 	log_std(cd, "GUID:         \t%s\n", params->guid);
 	log_std(cd, "Sector size:  \t%u [bytes]\n", params->sector_size);
-	log_std(cd, "Created:      \t%s", ctime((time_t *)&(params->creation_time)));
+	log_std(cd, "Volume size:  \t%" PRIu64 " [bytes]\n", params->volume_size);
 	if (ctime_r((time_t *)&params->creation_time, time))
 		log_std(cd, "Created:      \t%s", time);
 	log_std(cd, "Description:  \t%s\n", params->description);
 	log_std(cd, "Cipher name:  \t%s\n", params->cipher);
 	log_std(cd, "Cipher mode:  \t%s\n", params->cipher_mode);
@@ -785,7 +756,7 @@ int BITLK_dump(struct crypt_device *cd, struct device *device, struct bitlk_meta
 		log_std(cd, "\tGUID:       \t%s\n", vmk_p->guid);
 		log_std(cd, "\tProtection: \t%s\n", get_vmk_protection_string (vmk_p->protection));
 		log_std(cd, "\tSalt:       \t");
-		hexprint(cd, (const char *) vmk_p->salt, 16, "");
+		crypt_log_hex(cd, (const char *) vmk_p->salt, 16, "", 0, NULL);
 		log_std(cd, "\n");
 		vk_p = vmk_p->vk;
@@ -869,21 +840,31 @@ static int get_recovery_key(struct crypt_device *cd,
 	return 0;
 }
-static int parse_external_key_entry(struct crypt_device *cd, const char *data, int start, int end, struct volume_key **vk)
+static int parse_external_key_entry(struct crypt_device *cd,
 				    const char *data,
 				    int start,
 				    int end,
 				    struct volume_key **vk,
 				    const struct bitlk_metadata *params)
 {
 	uint16_t key_entry_size = 0;
 	uint16_t key_entry_type = 0;
 	uint16_t key_entry_value = 0;
 	size_t key_size = 0;
 	const char *key = NULL;
 	struct bitlk_guid guid;
 	char guid_buf[UUID_STR_LEN] = {0};
-	while (end - start > 2) {
+	while ((end - start) >= (ssize_t)(sizeof(key_entry_size) + sizeof(key_entry_type) + sizeof(key_entry_value))) {
 		/* size of this entry */
 		memcpy(&key_entry_size, data + start, sizeof(key_entry_size));
 		key_entry_size = le16_to_cpu(key_entry_size);
 		if (key_entry_size == 0)
 			break;
 		if (key_entry_size > (end - start))
 			return -EINVAL;
 		/* type and value of this entry */
 		memcpy(&key_entry_type, data + start + sizeof(key_entry_size), sizeof(key_entry_type));
 		memcpy(&key_entry_value,
@@ -892,13 +873,14 @@ static int parse_external_key_entry(struct crypt_device *cd, const char *data, i
 		key_entry_type = le16_to_cpu(key_entry_type);
 		key_entry_value = le16_to_cpu(key_entry_value);
-		/* only properties should be in this entry */
+		if (key_entry_type != BITLK_ENTRY_TYPE_PROPERTY && key_entry_type != BITLK_ENTRY_TYPE_VOLUME_GUID) {
 		if (key_entry_type != BITLK_ENTRY_TYPE_PROPERTY) {
 			log_err(cd, _("Unexpected metadata entry type '%u' found when parsing external key."), key_entry_type);
 			return -EINVAL;
 		}
 		if (key_entry_value == BITLK_ENTRY_VALUE_KEY) {
 			if (key_entry_size < (BITLK_ENTRY_HEADER_LEN + 4))
 				return -EINVAL;
 			key_size = key_entry_size - (BITLK_ENTRY_HEADER_LEN + 4);
 			key = (const char *) data + start + BITLK_ENTRY_HEADER_LEN + 4;
 			*vk = crypt_alloc_volume_key(key_size, key);
@@ -908,7 +890,17 @@ static int parse_external_key_entry(struct crypt_device *cd, const char *data, i
 		/* optional "ExternalKey" string, we can safely ignore it */
 		} else if (key_entry_value == BITLK_ENTRY_VALUE_STRING)
 			;
-		else {
+		/* GUID of the BitLocker device we are trying to open with this key */
 		else if (key_entry_value == BITLK_ENTRY_VALUE_GUID) {
 			if ((end - start) < (ssize_t)(BITLK_ENTRY_HEADER_LEN + sizeof(struct bitlk_guid)))
 				return -EINVAL;
 			memcpy(&guid, data + start + BITLK_ENTRY_HEADER_LEN, sizeof(struct bitlk_guid));
 			guid_to_string(&guid, guid_buf);
 			if (strcmp(guid_buf, params->guid) != 0) {
 				log_err(cd, _("BEK file GUID '%s' does not match GUID of the volume."), guid_buf);
 				return -EINVAL;
 			}
 		} else {
 			log_err(cd, _("Unexpected metadata entry value '%u' found when parsing external key."), key_entry_value);
 			return -EINVAL;
 		}
@@ -925,7 +917,8 @@ static int get_startup_key(struct crypt_device *cd,
 			   const char *password,
 			   size_t passwordLen,
 			   const struct bitlk_vmk *vmk,
-			   struct volume_key **su_key)
+			   struct volume_key **su_key,
 			   const struct bitlk_metadata *params)
 {
 	struct bitlk_bek_header bek_header = {0};
 	char guid_buf[UUID_STR_LEN] = {0};
@@ -934,7 +927,7 @@ static int get_startup_key(struct crypt_device *cd,
 	uint16_t key_entry_type = 0;
 	uint16_t key_entry_value = 0;
-	if (passwordLen < BITLK_BEK_FILE_HEADER_LEN)
+	if (passwordLen < (BITLK_BEK_FILE_HEADER_LEN + sizeof(key_entry_size) + sizeof(key_entry_type) + sizeof(key_entry_value)))
 		return -EPERM;
 	memcpy(&bek_header, password, BITLK_BEK_FILE_HEADER_LEN);
@@ -946,13 +939,14 @@ static int get_startup_key(struct crypt_device *cd,
 	else
 		return -EPERM;
-	if (bek_header.metadata_version != 1) {
+	if (le32_to_cpu(bek_header.metadata_version) != 1) {
-		log_err(cd, "Unsupported BEK metadata version %" PRIu32 "", bek_header.metadata_version);
+		log_err(cd, _("Unsupported BEK metadata version %" PRIu32), le32_to_cpu(bek_header.metadata_version));
 		return -ENOTSUP;
 	}
-	if (bek_header.metadata_size != passwordLen) {
+	if (le32_to_cpu(bek_header.metadata_size) != passwordLen) {
-		log_err(cd, "Unexpected BEK metadata size  %" PRIu32 " does not match BEK file length", bek_header.metadata_size);
+		log_err(cd, _("Unexpected BEK metadata size %" PRIu32 " does not match BEK file length"),
 			le32_to_cpu(bek_header.metadata_size));
 		return -EINVAL;
 	}
@@ -975,7 +969,7 @@ static int get_startup_key(struct crypt_device *cd,
 	if (key_entry_type == BITLK_ENTRY_TYPE_STARTUP_KEY && key_entry_value == BITLK_ENTRY_VALUE_EXTERNAL_KEY) {
 		return parse_external_key_entry(cd, password,
 						BITLK_BEK_FILE_HEADER_LEN + BITLK_ENTRY_HEADER_LEN + BITLK_STARTUP_KEY_HEADER_LEN,
-						passwordLen, su_key);
+						passwordLen, su_key, params);
 	} else {
 		log_err(cd, _("Unexpected metadata entry found when parsing startup key."));
 		log_dbg(cd, "Entry type: %u, entry value: %u", key_entry_type, key_entry_value);
@@ -983,8 +977,7 @@ static int get_startup_key(struct crypt_device *cd,
 	}
 }
-static int bitlk_kdf(struct crypt_device *cd,
+static int bitlk_kdf(const char *password,
 		     const char *password,
 		     size_t passwordLen,
 		     bool recovery,
 		     const uint8_t *salt,
@@ -993,7 +986,7 @@ static int bitlk_kdf(struct crypt_device *cd,
 	struct bitlk_kdf_data kdf = {};
 	struct crypt_hash *hd = NULL;
 	int len = 0;
-	char *utf16Password = NULL;
+	char16_t *utf16Password = NULL;
 	int i = 0;
 	int r = 0;
@@ -1010,11 +1003,16 @@ static int bitlk_kdf(struct crypt_device *cd,
 	if (!recovery) {
 		/* passphrase: convert to UTF-16 first, then sha256(sha256(pw)) */
-		r = passphrase_to_utf16(cd, CONST_CAST(char*)password, passwordLen, &utf16Password);
+		utf16Password = crypt_safe_alloc(sizeof(char16_t) * (passwordLen + 1));
 		if (!utf16Password) {
 			r = -ENOMEM;
 			goto out;
 		}
 		r = crypt_utf8_to_utf16(&utf16Password, CONST_CAST(char*)password, passwordLen);
 		if (r < 0)
 			goto out;
-		crypt_hash_write(hd, utf16Password, passwordLen * 2);
+		crypt_hash_write(hd, (char*)utf16Password, passwordLen * 2);
 		r = crypt_hash_final(hd, kdf.initial_sha256, len);
 		if (r < 0)
 			goto out;
@@ -1116,7 +1114,7 @@ int BITLK_get_volume_key(struct crypt_device *cd,
 	next_vmk = params->vmks;
 	while (next_vmk) {
 		if (next_vmk->protection == BITLK_PROTECTION_PASSPHRASE) {
-			r = bitlk_kdf(cd, password, passwordLen, false, next_vmk->salt, &vmk_dec_key);
+			r = bitlk_kdf(password, passwordLen, false, next_vmk->salt, &vmk_dec_key);
 			if (r) {
 				/* something wrong happened, but we still want to check other key slots */
 				next_vmk = next_vmk->next;
@@ -1136,13 +1134,13 @@ int BITLK_get_volume_key(struct crypt_device *cd,
 				continue;
 			}
 			log_dbg(cd, "Trying to use given password as a recovery key.");
-			r = bitlk_kdf(cd, recovery_key->key, recovery_key->keylength,
+			r = bitlk_kdf(recovery_key->key, recovery_key->keylength,
 				      true, next_vmk->salt, &vmk_dec_key);
 			crypt_free_volume_key(recovery_key);
 			if (r)
 				return r;
 		} else if (next_vmk->protection == BITLK_PROTECTION_STARTUP_KEY) {
-			r = get_startup_key(cd, password, passwordLen, next_vmk, &vmk_dec_key);
+			r = get_startup_key(cd, password, passwordLen, next_vmk, &vmk_dec_key, params);
 			if (r) {
 				next_vmk = next_vmk->next;
 				continue;
@@ -1243,7 +1241,7 @@ static int _activate(struct crypt_device *cd,
 	uint64_t next_start = 0;
 	uint64_t next_end = 0;
 	uint64_t last_segment = 0;
-	uint32_t dmt_flags;
+	uint32_t dmt_flags = 0;
 	r = _activate_check(cd, params);
 	if (r)
@@ -1254,6 +1252,11 @@ static int _activate(struct crypt_device *cd,
 	if (r)
 		return r;
 	if (dmd.size * SECTOR_SIZE != params->volume_size)
 		log_std(cd, _("WARNING: BitLocker volume size %" PRIu64 " does not match the underlying device size %" PRIu64 ""),
 			params->volume_size,
 			dmd.size * SECTOR_SIZE);
 	/* there will be always 4 dm-zero segments: 3x metadata, 1x FS header */
 	for (i = 0; i < 3; i++) {
 		segments[num_segments].offset = params->metadata_offset[i] / SECTOR_SIZE;
@@ -1384,6 +1387,14 @@ static int _activate(struct crypt_device *cd,
 			log_err(cd, _("Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."));
 			r = -ENOTSUP;
 		}
 		if ((dmd.flags & CRYPT_ACTIVATE_IV_LARGE_SECTORS) && !(dmt_flags & DM_SECTOR_SIZE_SUPPORTED)) {
 			log_err(cd, _("Cannot activate device, kernel dm-crypt is missing support for large sector size."));
 			r = -ENOTSUP;
 		}
 		if (dm_flags(cd, DM_ZERO, &dmt_flags) < 0) {
 			log_err(cd, _("Cannot activate device, kernel dm-zero module is missing."));
 			r = -ENOTSUP;
 		}
 	}
 out:
 	dm_targets_free(cd, &dmd);
--- a/lib/bitlk/bitlk.h
+++ b/lib/bitlk/bitlk.h
@@ -1,23 +1,10 @@
 // SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * BITLK (BitLocker-compatible) header definition
 *
- * Copyright (C) 2019-2021 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2019-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2019-2021 Milan Broz
+ * Copyright (C) 2019-2024 Milan Broz
- * Copyright (C) 2019-2021 Vojtech Trefny
+ * Copyright (C) 2019-2024 Vojtech Trefny
 *
 * This file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This file is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this file; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #ifndef _CRYPTSETUP_BITLK_H
@@ -61,6 +48,7 @@ typedef enum {
 	BITLK_ENTRY_TYPE_STARTUP_KEY = 0x0006,
 	BITLK_ENTRY_TYPE_DESCRIPTION = 0x0007,
 	BITLK_ENTRY_TYPE_VOLUME_HEADER = 0x000f,
 	BITLK_ENTRY_TYPE_VOLUME_GUID = 0x0019,
 } BITLKFVEEntryType;
 typedef enum {
@@ -76,6 +64,8 @@ typedef enum {
 	BITLK_ENTRY_VALUE_EXTERNAL_KEY = 0x0009,
 	BITLK_ENTRY_VALUE_OFFSET_SIZE = 0x000f,
 	BITLK_ENTRY_VALUE_RECOVERY_TIME = 0x015,
 	BITLK_ENTRY_VALUE_GUID = 0x0017,
 	BITLK_ENTRY_VALUE_HINT = 0x0018,
 } BITLKFVEEntryValue;
 struct bitlk_vmk {
@@ -97,6 +87,7 @@ struct bitlk_fvek {
 struct bitlk_metadata {
 	uint16_t sector_size;
 	uint64_t volume_size;
 	bool togo;
 	bool state;
 	BITLKEncryptionType type;
--- a/lib/crypt_plain.c
+++ b/lib/crypt_plain.c
@@ -1,23 +1,10 @@
 // SPDX-License-Identifier: GPL-2.0-or-later
 /*
 * cryptsetup plain device helper functions
 *
 * Copyright (C) 2004 Jana Saout <jana@saout.de>
- * Copyright (C) 2010-2021 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2021 Milan Broz
+ * Copyright (C) 2010-2024 Milan Broz
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include <string.h>
--- a/lib/crypto_backend/Makemodule.am
+++ b/lib/crypto_backend/Makemodule.am
@@ -9,6 +9,8 @@ libcrypto_backend_la_SOURCES = \
 	lib/crypto_backend/crypto_storage.c \
 	lib/crypto_backend/pbkdf_check.c \
 	lib/crypto_backend/crc32.c \
 	lib/crypto_backend/base64.c \
 	lib/crypto_backend/utf8.c \
 	lib/crypto_backend/argon2_generic.c \
 	lib/crypto_backend/cipher_generic.c \
 	lib/crypto_backend/cipher_check.c
--- a/lib/crypto_backend/argon2/core.c
+++ b/lib/crypto_backend/argon2/core.c
@@ -120,18 +120,24 @@ void free_memory(const argon2_context *context, uint8_t *memory,
    }
 }
 void NOT_OPTIMIZED secure_wipe_memory(void *v, size_t n) {
 #if defined(_MSC_VER) && VC_GE_2005(_MSC_VER)
 void secure_wipe_memory(void *v, size_t n) {
    SecureZeroMemory(v, n);
 }
 #elif defined memset_s
 void secure_wipe_memory(void *v, size_t n) {
    memset_s(v, n, 0, n);
 }
 #elif defined(HAVE_EXPLICIT_BZERO)
 void secure_wipe_memory(void *v, size_t n) {
    explicit_bzero(v, n);
 }
 #else
 void NOT_OPTIMIZED secure_wipe_memory(void *v, size_t n) {
    static void *(*const volatile memset_sec)(void *, int, size_t) = &memset;
    memset_sec(v, 0, n);
 #endif
 }
 #endif
 /* Memory clear flag defaults to true. */
 int FLAG_clear_internal_memory = 1;
@@ -273,7 +279,6 @@ static void *fill_segment_thr(void *thread_data)
 {
    argon2_thread_data *my_data = thread_data;
    fill_segment(my_data->instance_ptr, my_data->pos);
    argon2_thread_exit();
    return 0;
 }
--- a/lib/crypto_backend/argon2/meson.build
+++ b/lib/crypto_backend/argon2/meson.build
@@ -0,0 +1,28 @@
 libargon2_sources = files(
    'blake2/blake2b.c',
    'argon2.c',
    'core.c',
    'encoding.c',
    'thread.c',
 )
 if use_internal_sse_argon2
    libargon2_sources += files(
        'opt.c',
    )
 else
    libargon2_sources += files(
        'ref.c',
    )
 endif
 libargon2 = static_library('argon2',
    libargon2_sources,
    override_options : ['c_std=c89', 'optimization=3'],
    build_by_default : false,
    include_directories: include_directories(
        'blake2',
    ),
    dependencies : [
        threads,
    ])
--- a/lib/crypto_backend/argon2/thread.c
+++ b/lib/crypto_backend/argon2/thread.c
@@ -46,12 +46,4 @@ int argon2_thread_join(argon2_thread_handle_t handle) {
 #endif
 }
 void argon2_thread_exit(void) {
 #if defined(_WIN32)
    _endthreadex(0);
 #else
    pthread_exit(NULL);
 #endif
 }
 #endif /* ARGON2_NO_THREADS */
--- a/lib/crypto_backend/argon2/thread.h
+++ b/lib/crypto_backend/argon2/thread.h
@@ -58,10 +58,5 @@ int argon2_thread_create(argon2_thread_handle_t *handle,
 */
 int argon2_thread_join(argon2_thread_handle_t handle);
 /* Terminate the current thread. Must be run inside a thread created by
 * argon2_thread_create.
 */
 void argon2_thread_exit(void);
 #endif /* ARGON2_NO_THREADS */
 #endif
--- a/lib/crypto_backend/argon2_generic.c
+++ b/lib/crypto_backend/argon2_generic.c
@@ -1,42 +1,30 @@
 // SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * Argon2 PBKDF2 library wrapper
 *
- * Copyright (C) 2016-2021 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2016-2021 Milan Broz
+ * Copyright (C) 2016-2024 Milan Broz
 *
 * This file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This file is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this file; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include <errno.h>
 #include "crypto_backend_internal.h"
 /* Check for HAVE_ARGON2_H is run only if libargon2 code is used */
 #if USE_INTERNAL_ARGON2 || HAVE_ARGON2_H
 #define CONST_CAST(x) (x)(uintptr_t)
 #if HAVE_ARGON2_H
 #include <argon2.h>
 #else
 #include "argon2/argon2.h"
 #endif
 #define CONST_CAST(x) (x)(uintptr_t)
 int argon2(const char *type, const char *password, size_t password_length,
 	   const char *salt, size_t salt_length,
 	   char *key, size_t key_length,
 	   uint32_t iterations, uint32_t memory, uint32_t parallel)
 {
 #if !USE_INTERNAL_ARGON2 && !HAVE_ARGON2_H
 	return -EINVAL;
 #else
 	argon2_type atype;
 	argon2_context context = {
 		.flags = ARGON2_DEFAULT_FLAGS,
@@ -54,6 +42,9 @@ int argon2(const char *type, const char *password, size_t password_length,
 	};
 	int r;
 	/* This code must not be run if crypt backend library natively supports Argon2 */
 	assert(!(crypt_backend_flags() & CRYPT_BACKEND_ARGON2));
 	if (!strcmp(type, "argon2i"))
 		atype = Argon2_i;
 	else if(!strcmp(type, "argon2id"))
@@ -75,5 +66,33 @@ int argon2(const char *type, const char *password, size_t password_length,
 	}
 	return r;
-#endif
+}
 #else /* USE_INTERNAL_ARGON2 || HAVE_ARGON2_H */
 #pragma GCC diagnostic ignored "-Wunused-parameter"
 int argon2(const char *type, const char *password, size_t password_length,
 	   const char *salt, size_t salt_length,
 	   char *key, size_t key_length,
 	   uint32_t iterations, uint32_t memory, uint32_t parallel)
 {
 	return -EINVAL;
 }
 #endif
 /* Additional string for crypt backend version */
 const char *crypt_argon2_version(void)
 {
 	const char *version = "";
 	if (crypt_backend_flags() & CRYPT_BACKEND_ARGON2)
 		return version;
 #if HAVE_ARGON2_H /* this has priority over internal argon2 */
 	version = " [external libargon2]";
 #elif USE_INTERNAL_ARGON2
 	version = " [cryptsetup libargon2]";
 #endif
 	return version;
 }
--- a/lib/crypto_backend/base64.c
+++ b/lib/crypto_backend/base64.c
@@ -0,0 +1,263 @@
 // SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * Base64 "Not encryption" helpers, copied and adapted from systemd project.
 *
 * Copyright (C) 2010 Lennart Poettering
 *
 * cryptsetup related changes
 * Copyright (C) 2021-2024 Milan Broz
 */
 #include <errno.h>
 #include <stdlib.h>
 #include <limits.h>
 #include "crypto_backend.h"
 #define WHITESPACE " \t\n\r"
 /* https://tools.ietf.org/html/rfc4648#section-4 */
 static char base64char(int x)
 {
 	static const char table[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
 				      "abcdefghijklmnopqrstuvwxyz"
 				      "0123456789+/";
 	return table[x & 63];
 }
 static int unbase64char(char c)
 {
 	unsigned offset;
 	if (c >= 'A' && c <= 'Z')
 		return c - 'A';
 	offset = 'Z' - 'A' + 1;
 	if (c >= 'a' && c <= 'z')
 		return c - 'a' + offset;
 	offset += 'z' - 'a' + 1;
 	if (c >= '0' && c <= '9')
 		return c - '0' + offset;
 	offset += '9' - '0' + 1;
 	if (c == '+')
 		return offset;
 	offset++;
 	if (c == '/')
 		return offset;
 	return -EINVAL;
 }
 int crypt_base64_encode(char **out, size_t *out_length, const char *in, size_t in_length)
 {
 	char *r, *z;
 	const uint8_t *x;
 	assert(in || in_length == 0);
 	assert(out);
 	/* three input bytes makes four output bytes, padding is added so we must round up */
 	z = r = malloc(4 * (in_length + 2) / 3 + 1);
 	if (!r)
 		return -ENOMEM;
 	for (x = (const uint8_t *)in; x < (const uint8_t*)in + (in_length / 3) * 3; x += 3) {
 		/* x[0] == XXXXXXXX; x[1] == YYYYYYYY; x[2] == ZZZZZZZZ */
 		*(z++) = base64char(x[0] >> 2);                    /* 00XXXXXX */
 		*(z++) = base64char((x[0] & 3) << 4 | x[1] >> 4);  /* 00XXYYYY */
 		*(z++) = base64char((x[1] & 15) << 2 | x[2] >> 6); /* 00YYYYZZ */
 		*(z++) = base64char(x[2] & 63);                    /* 00ZZZZZZ */
 	}
 	switch (in_length % 3) {
 	case 2:
 		*(z++) = base64char(x[0] >> 2);                   /* 00XXXXXX */
 		*(z++) = base64char((x[0] & 3) << 4 | x[1] >> 4); /* 00XXYYYY */
 		*(z++) = base64char((x[1] & 15) << 2);            /* 00YYYY00 */
 		*(z++) = '=';
 		break;
 	case 1:
 		*(z++) = base64char(x[0] >> 2);        /* 00XXXXXX */
 		*(z++) = base64char((x[0] & 3) << 4);  /* 00XX0000 */
 		*(z++) = '=';
 		*(z++) = '=';
 		break;
 	}
 	*z = 0;
 	*out = r;
 	if (out_length)
 		*out_length = z - r;
 	return 0;
 }
 static int unbase64_next(const char **p, size_t *l)
 {
 	int ret;
 	assert(p);
 	assert(l);
 	/* Find the next non-whitespace character, and decode it. If we find padding, we return it as INT_MAX. We
 	 * greedily skip all preceding and all following whitespace. */
 	for (;;) {
 		if (*l == 0)
 			return -EPIPE;
 		if (!strchr(WHITESPACE, **p))
 			break;
 		/* Skip leading whitespace */
 		(*p)++, (*l)--;
 	}
 	if (**p == '=')
 		ret = INT_MAX; /* return padding as INT_MAX */
 	else {
 		ret = unbase64char(**p);
 		if (ret < 0)
 			return ret;
 	}
 	for (;;) {
 		(*p)++, (*l)--;
 		if (*l == 0)
 			break;
 		if (!strchr(WHITESPACE, **p))
 			break;
 		/* Skip following whitespace */
 	}
 	return ret;
 }
 int crypt_base64_decode(char **out, size_t *out_length, const char *in, size_t in_length)
 {
 	uint8_t *buf = NULL;
 	const char *x;
 	uint8_t *z;
 	size_t len;
 	int r;
 	assert(in || in_length == 0);
 	assert(out);
 	assert(out_length);
 	if (in_length == (size_t) -1)
 		in_length = strlen(in);
 	/* A group of four input bytes needs three output bytes, in case of padding we need to add two or three extra
 	 * bytes. Note that this calculation is an upper boundary, as we ignore whitespace while decoding */
 	len = (in_length / 4) * 3 + (in_length % 4 != 0 ? (in_length % 4) - 1 : 0);
 	buf = malloc(len + 1);
 	if (!buf)
 		return -ENOMEM;
 	for (x = in, z = buf;;) {
 		int a, b, c, d; /* a == 00XXXXXX; b == 00YYYYYY; c == 00ZZZZZZ; d == 00WWWWWW */
 		a = unbase64_next(&x, &in_length);
 		if (a == -EPIPE) /* End of string */
 			break;
 		if (a < 0) {
 			r = a;
 			goto err;
 		}
 		if (a == INT_MAX) { /* Padding is not allowed at the beginning of a 4ch block */
 			r = -EINVAL;
 			goto err;
 		}
 		b = unbase64_next(&x, &in_length);
 		if (b < 0) {
 			r = b;
 			goto err;
 		}
 		if (b == INT_MAX) { /* Padding is not allowed at the second character of a 4ch block either */
 			r = -EINVAL;
 			goto err;
 		}
 		c = unbase64_next(&x, &in_length);
 		if (c < 0) {
 			r = c;
 			goto err;
 		}
 		d = unbase64_next(&x, &in_length);
 		if (d < 0) {
 			r = d;
 			goto err;
 		}
 		if (c == INT_MAX) { /* Padding at the third character */
 			if (d != INT_MAX) { /* If the third character is padding, the fourth must be too */
 				r = -EINVAL;
 				goto err;
 			}
 			/* b == 00YY0000 */
 			if (b & 15) {
 				r = -EINVAL;
 				goto err;
 			}
 			if (in_length > 0) { /* Trailing rubbish? */
 				r = -ENAMETOOLONG;
 				goto err;
 			}
 			*(z++) = (uint8_t) a << 2 | (uint8_t) (b >> 4); /* XXXXXXYY */
 			break;
 		}
 		if (d == INT_MAX) {
 			/* c == 00ZZZZ00 */
 			if (c & 3) {
 				r = -EINVAL;
 				goto err;
 			}
 			if (in_length > 0) { /* Trailing rubbish? */
 				r = -ENAMETOOLONG;
 				goto err;
 			}
 			*(z++) = (uint8_t) a << 2 | (uint8_t) b >> 4; /* XXXXXXYY */
 			*(z++) = (uint8_t) b << 4 | (uint8_t) c >> 2; /* YYYYZZZZ */
 			break;
 		}
 		*(z++) = (uint8_t) a << 2 | (uint8_t) b >> 4; /* XXXXXXYY */
 		*(z++) = (uint8_t) b << 4 | (uint8_t) c >> 2; /* YYYYZZZZ */
 		*(z++) = (uint8_t) c << 6 | (uint8_t) d;      /* ZZWWWWWW */
 	}
 	*z = 0;
 	*out_length = (size_t) (z - buf);
 	*out = (char *)buf;
 	return 0;
 err:
 	free(buf);
 	/* Ignore other errors in crypt_backend */
 	if (r != -ENOMEM)
 		r = -EINVAL;
 	return r;
 }
--- a/lib/crypto_backend/cipher_check.c
+++ b/lib/crypto_backend/cipher_check.c
@@ -1,22 +1,9 @@
 // SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * Cipher performance check
 *
- * Copyright (C) 2018-2021 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2018-2021 Milan Broz
+ * Copyright (C) 2018-2024 Milan Broz
 *
 * This file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This file is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this file; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include <errno.h>
--- a/lib/crypto_backend/cipher_generic.c
+++ b/lib/crypto_backend/cipher_generic.c
@@ -1,27 +1,13 @@
 // SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * Linux kernel cipher generic utilities
 *
- * Copyright (C) 2018-2021 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2018-2021 Milan Broz
+ * Copyright (C) 2018-2024 Milan Broz
 *
 * This file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This file is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this file; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include <string.h>
 #include <stdbool.h>
 #include <errno.h>
 #include <strings.h>
 #include "crypto_backend.h"
 struct cipher_alg {
@@ -51,6 +37,7 @@ static const struct cipher_alg cipher_algs[] = {
 	{ "xchacha12,aes", "adiantum", 32, false },
 	{ "xchacha20,aes", "adiantum", 32, false },
 	{ "sm4",         NULL, 16, false },
 	{ "aria",        NULL, 16, false },
 	{ NULL,          NULL,  0, false }
 };
@@ -75,6 +62,9 @@ int crypt_cipher_ivsize(const char *name, const char *mode)
 	if (!ca)
 		return -EINVAL;
 	if (mode && !strcasecmp(mode, "hctr2"))
 		return 32;
 	if (mode && !strcasecmp(mode, "ecb"))
 		return 0;
--- a/lib/crypto_backend/crc32.c
+++ b/lib/crypto_backend/crc32.c
@@ -38,8 +38,6 @@
 *
 */
 #include <stdio.h>
 #include "crypto_backend.h"
 static const uint32_t crc32_tab[] = {
@@ -97,18 +95,87 @@ static const uint32_t crc32_tab[] = {
 	0x2d02ef8dL
 };
 static const uint32_t crc32c_tab[] = {
 	0x00000000L, 0xF26B8303L, 0xE13B70F7L, 0x1350F3F4L, 0xC79A971FL,
 	0x35F1141CL, 0x26A1E7E8L, 0xD4CA64EBL, 0x8AD958CFL, 0x78B2DBCCL,
 	0x6BE22838L, 0x9989AB3BL, 0x4D43CFD0L, 0xBF284CD3L, 0xAC78BF27L,
 	0x5E133C24L, 0x105EC76FL, 0xE235446CL, 0xF165B798L, 0x030E349BL,
 	0xD7C45070L, 0x25AFD373L, 0x36FF2087L, 0xC494A384L, 0x9A879FA0L,
 	0x68EC1CA3L, 0x7BBCEF57L, 0x89D76C54L, 0x5D1D08BFL, 0xAF768BBCL,
 	0xBC267848L, 0x4E4DFB4BL, 0x20BD8EDEL, 0xD2D60DDDL, 0xC186FE29L,
 	0x33ED7D2AL, 0xE72719C1L, 0x154C9AC2L, 0x061C6936L, 0xF477EA35L,
 	0xAA64D611L, 0x580F5512L, 0x4B5FA6E6L, 0xB93425E5L, 0x6DFE410EL,
 	0x9F95C20DL, 0x8CC531F9L, 0x7EAEB2FAL, 0x30E349B1L, 0xC288CAB2L,
 	0xD1D83946L, 0x23B3BA45L, 0xF779DEAEL, 0x05125DADL, 0x1642AE59L,
 	0xE4292D5AL, 0xBA3A117EL, 0x4851927DL, 0x5B016189L, 0xA96AE28AL,
 	0x7DA08661L, 0x8FCB0562L, 0x9C9BF696L, 0x6EF07595L, 0x417B1DBCL,
 	0xB3109EBFL, 0xA0406D4BL, 0x522BEE48L, 0x86E18AA3L, 0x748A09A0L,
 	0x67DAFA54L, 0x95B17957L, 0xCBA24573L, 0x39C9C670L, 0x2A993584L,
 	0xD8F2B687L, 0x0C38D26CL, 0xFE53516FL, 0xED03A29BL, 0x1F682198L,
 	0x5125DAD3L, 0xA34E59D0L, 0xB01EAA24L, 0x42752927L, 0x96BF4DCCL,
 	0x64D4CECFL, 0x77843D3BL, 0x85EFBE38L, 0xDBFC821CL, 0x2997011FL,
 	0x3AC7F2EBL, 0xC8AC71E8L, 0x1C661503L, 0xEE0D9600L, 0xFD5D65F4L,
 	0x0F36E6F7L, 0x61C69362L, 0x93AD1061L, 0x80FDE395L, 0x72966096L,
 	0xA65C047DL, 0x5437877EL, 0x4767748AL, 0xB50CF789L, 0xEB1FCBADL,
 	0x197448AEL, 0x0A24BB5AL, 0xF84F3859L, 0x2C855CB2L, 0xDEEEDFB1L,
 	0xCDBE2C45L, 0x3FD5AF46L, 0x7198540DL, 0x83F3D70EL, 0x90A324FAL,
 	0x62C8A7F9L, 0xB602C312L, 0x44694011L, 0x5739B3E5L, 0xA55230E6L,
 	0xFB410CC2L, 0x092A8FC1L, 0x1A7A7C35L, 0xE811FF36L, 0x3CDB9BDDL,
 	0xCEB018DEL, 0xDDE0EB2AL, 0x2F8B6829L, 0x82F63B78L, 0x709DB87BL,
 	0x63CD4B8FL, 0x91A6C88CL, 0x456CAC67L, 0xB7072F64L, 0xA457DC90L,
 	0x563C5F93L, 0x082F63B7L, 0xFA44E0B4L, 0xE9141340L, 0x1B7F9043L,
 	0xCFB5F4A8L, 0x3DDE77ABL, 0x2E8E845FL, 0xDCE5075CL, 0x92A8FC17L,
 	0x60C37F14L, 0x73938CE0L, 0x81F80FE3L, 0x55326B08L, 0xA759E80BL,
 	0xB4091BFFL, 0x466298FCL, 0x1871A4D8L, 0xEA1A27DBL, 0xF94AD42FL,
 	0x0B21572CL, 0xDFEB33C7L, 0x2D80B0C4L, 0x3ED04330L, 0xCCBBC033L,
 	0xA24BB5A6L, 0x502036A5L, 0x4370C551L, 0xB11B4652L, 0x65D122B9L,
 	0x97BAA1BAL, 0x84EA524EL, 0x7681D14DL, 0x2892ED69L, 0xDAF96E6AL,
 	0xC9A99D9EL, 0x3BC21E9DL, 0xEF087A76L, 0x1D63F975L, 0x0E330A81L,
 	0xFC588982L, 0xB21572C9L, 0x407EF1CAL, 0x532E023EL, 0xA145813DL,
 	0x758FE5D6L, 0x87E466D5L, 0x94B49521L, 0x66DF1622L, 0x38CC2A06L,
 	0xCAA7A905L, 0xD9F75AF1L, 0x2B9CD9F2L, 0xFF56BD19L, 0x0D3D3E1AL,
 	0x1E6DCDEEL, 0xEC064EEDL, 0xC38D26C4L, 0x31E6A5C7L, 0x22B65633L,
 	0xD0DDD530L, 0x0417B1DBL, 0xF67C32D8L, 0xE52CC12CL, 0x1747422FL,
 	0x49547E0BL, 0xBB3FFD08L, 0xA86F0EFCL, 0x5A048DFFL, 0x8ECEE914L,
 	0x7CA56A17L, 0x6FF599E3L, 0x9D9E1AE0L, 0xD3D3E1ABL, 0x21B862A8L,
 	0x32E8915CL, 0xC083125FL, 0x144976B4L, 0xE622F5B7L, 0xF5720643L,
 	0x07198540L, 0x590AB964L, 0xAB613A67L, 0xB831C993L, 0x4A5A4A90L,
 	0x9E902E7BL, 0x6CFBAD78L, 0x7FAB5E8CL, 0x8DC0DD8FL, 0xE330A81AL,
 	0x115B2B19L, 0x020BD8EDL, 0xF0605BEEL, 0x24AA3F05L, 0xD6C1BC06L,
 	0xC5914FF2L, 0x37FACCF1L, 0x69E9F0D5L, 0x9B8273D6L, 0x88D28022L,
 	0x7AB90321L, 0xAE7367CAL, 0x5C18E4C9L, 0x4F48173DL, 0xBD23943EL,
 	0xF36E6F75L, 0x0105EC76L, 0x12551F82L, 0xE03E9C81L, 0x34F4F86AL,
 	0xC69F7B69L, 0xD5CF889DL, 0x27A40B9EL, 0x79B737BAL, 0x8BDCB4B9L,
 	0x988C474DL, 0x6AE7C44EL, 0xBE2DA0A5L, 0x4C4623A6L, 0x5F16D052L,
 	0xAD7D5351L
 };
 /*
 * This a generic crc32() function, it takes seed as an argument,
 * and does __not__ xor at the end. Then individual users can do
 * whatever they need.
 */
-uint32_t crypt_crc32(uint32_t seed, const unsigned char *buf, size_t len)
+static uint32_t compute_crc32(
 	const uint32_t *crc32_table,
 	uint32_t seed,
 	const unsigned char *buf,
 	size_t len)
 {
 	uint32_t crc = seed;
 	const unsigned char *p = buf;
 	while(len-- > 0)
-		crc = crc32_tab[(crc ^ *p++) & 0xff] ^ (crc >> 8);
+		crc = crc32_table[(crc ^ *p++) & 0xff] ^ (crc >> 8);
 	return crc;
 }
 uint32_t crypt_crc32(uint32_t seed, const unsigned char *buf, size_t len)
 {
 	return compute_crc32(crc32_tab, seed, buf, len);
 }
 uint32_t crypt_crc32c(uint32_t seed, const unsigned char *buf, size_t len)
 {
 	return compute_crc32(crc32c_tab, seed, buf, len);
 }
--- a/lib/crypto_backend/crypto_backend.h
+++ b/lib/crypto_backend/crypto_backend.h
@@ -1,43 +1,41 @@
 // SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * crypto backend implementation
 *
- * Copyright (C) 2010-2021 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2021 Milan Broz
+ * Copyright (C) 2010-2024 Milan Broz
 *
 * This file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This file is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this file; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #ifndef _CRYPTO_BACKEND_H
 #define _CRYPTO_BACKEND_H
 #include <assert.h>
 #include <stdint.h>
 #include <stdbool.h>
 #include <stddef.h>
 #include <string.h>
 #ifdef HAVE_UCHAR_H
 #include <uchar.h>
 #else
 #define char32_t uint32_t
 #define char16_t uint16_t
 #endif
 struct crypt_hash;
 struct crypt_hmac;
 struct crypt_cipher;
 struct crypt_storage;
-int crypt_backend_init(void);
+int crypt_backend_init(bool fips);
 void crypt_backend_destroy(void);
 #define CRYPT_BACKEND_KERNEL     (1 << 0) /* Crypto uses kernel part, for benchmark */
 #define CRYPT_BACKEND_PBKDF2_INT (1 << 1) /* Iteration in PBKDF2 is signed int and can overflow */
 #define CRYPT_BACKEND_ARGON2     (1 << 2) /* Backend provides native Argon2 implementation */
 uint32_t crypt_backend_flags(void);
 const char *crypt_backend_version(void);
 const char *crypt_argon2_version(void);
 /* HASH */
 int crypt_hash_size(const char *name);
@@ -82,6 +80,15 @@ int crypt_pbkdf_perf(const char *kdf, const char *hash,
 /* CRC32 */
 uint32_t crypt_crc32(uint32_t seed, const unsigned char *buf, size_t len);
 uint32_t crypt_crc32c(uint32_t seed, const unsigned char *buf, size_t len);
 /* Base64 */
 int crypt_base64_encode(char **out, size_t *out_length, const char *in, size_t in_length);
 int crypt_base64_decode(char **out, size_t *out_length, const char *in, size_t in_length);
 /* UTF8/16 */
 int crypt_utf16_to_utf8(char **out, const char16_t *s, size_t length /* bytes! */);
 int crypt_utf8_to_utf16(char16_t **out, const char *s, size_t length);
 /* Block ciphers */
 int crypt_cipher_ivsize(const char *name, const char *mode);
@@ -135,4 +142,10 @@ static inline void crypt_backend_memzero(void *s, size_t n)
 #endif
 }
 /* Memcmp helper (memcmp in constant time) */
 int crypt_backend_memeq(const void *m1, const void *m2, size_t n);
 /* crypto backend running in FIPS mode */
 bool crypt_fips_mode(void);
 #endif /* _CRYPTO_BACKEND_H */
--- a/lib/crypto_backend/crypto_backend_internal.h
+++ b/lib/crypto_backend/crypto_backend_internal.h
@@ -1,29 +1,17 @@
 // SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * crypto backend implementation
 *
- * Copyright (C) 2010-2021 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2021 Milan Broz
+ * Copyright (C) 2010-2024 Milan Broz
 *
 * This file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This file is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this file; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #ifndef _CRYPTO_BACKEND_INTERNAL_H
 #define _CRYPTO_BACKEND_INTERNAL_H
 #include "crypto_backend.h"
-/* internal PBKDF2 implementation */
+/* Internal PBKDF2 implementation */
 int pkcs5_pbkdf2(const char *hash,
 		 const char *P, size_t Plen,
 		 const char *S, size_t Slen,
@@ -58,4 +46,18 @@ int crypt_bitlk_decrypt_key_kernel(const void *key, size_t key_length,
 				   const char *iv, size_t iv_length,
 				   const char *tag, size_t tag_length);
 /* Internal implementation for constant time memory comparison */
 static inline int crypt_internal_memeq(const void *m1, const void *m2, size_t n)
 {
 	const unsigned char *_m1 = (const unsigned char *) m1;
 	const unsigned char *_m2 = (const unsigned char *) m2;
 	unsigned char result = 0;
 	size_t i;
 	for (i = 0; i < n; i++)
 		result |= _m1[i] ^ _m2[i];
 	return result;
 }
 #endif /* _CRYPTO_BACKEND_INTERNAL_H */
--- a/lib/crypto_backend/crypto_cipher_kernel.c
+++ b/lib/crypto_backend/crypto_cipher_kernel.c
@@ -1,28 +1,13 @@
 // SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * Linux kernel userspace API crypto backend implementation (skcipher)
 *
- * Copyright (C) 2012-2021 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2021 Milan Broz
+ * Copyright (C) 2012-2024 Milan Broz
 *
 * This file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This file is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this file; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include <string.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <stdbool.h>
 #include <errno.h>
 #include <unistd.h>
 #include <sys/socket.h>
@@ -101,14 +86,19 @@ int crypt_cipher_init_kernel(struct crypt_cipher_kernel *ctx, const char *name,
 	if (!strcmp(name, "cipher_null"))
 		key_length = 0;
 	if (!strncmp(name, "capi:", 5))
 		strncpy((char *)sa.salg_name, &name[5], sizeof(sa.salg_name) - 1);
 	else {
 		r = snprintf((char *)sa.salg_name, sizeof(sa.salg_name), "%s(%s)", mode, name);
 		if (r < 0 || (size_t)r >= sizeof(sa.salg_name))
 			return -EINVAL;
 	}
 	return _crypt_cipher_init(ctx, key, key_length, 0, &sa);
 }
 /* The in/out should be aligned to page boundary */
 /* coverity[ -taint_source : arg-3 ] */
 static int _crypt_cipher_crypt(struct crypt_cipher_kernel *ctx,
 			       const char *in, size_t in_length,
 			       char *out, size_t out_length,
@@ -312,6 +302,8 @@ int crypt_bitlk_decrypt_key_kernel(const void *key, size_t key_length,
 }
 #else /* ENABLE_AF_ALG */
 #pragma GCC diagnostic ignored "-Wunused-parameter"
 int crypt_cipher_init_kernel(struct crypt_cipher_kernel *ctx, const char *name,
 			     const char *mode, const void *key, size_t key_length)
 {
--- a/lib/crypto_backend/crypto_gcrypt.c
+++ b/lib/crypto_backend/crypto_gcrypt.c
@@ -1,29 +1,16 @@
 // SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * GCRYPT crypto backend implementation
 *
- * Copyright (C) 2010-2021 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2021 Milan Broz
+ * Copyright (C) 2010-2024 Milan Broz
 *
 * This file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This file is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this file; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include <string.h>
 #include <stdio.h>
 #include <errno.h>
-#include <assert.h>
+#include <strings.h>
 #include <gcrypt.h>
 #include <pthread.h>
 #include "crypto_backend_internal.h"
 static int crypto_backend_initialised = 0;
@@ -64,7 +51,6 @@ static void crypt_hash_test_whirlpool_bug(void)
 {
 	struct crypt_hash *h;
 	char buf[2] = "\0\0", hash_out1[64], hash_out2[64];
 	int r;
 	if (crypto_backend_whirlpool_bug >= 0)
 		return;
@@ -74,16 +60,16 @@ static void crypt_hash_test_whirlpool_bug(void)
 		return;
 	/* One shot */
-	if ((r = crypt_hash_write(h, &buf[0], 2)) ||
+	if (crypt_hash_write(h, &buf[0], 2) ||
-	    (r = crypt_hash_final(h, hash_out1, 64))) {
+	    crypt_hash_final(h, hash_out1, 64)) {
 		crypt_hash_destroy(h);
 		return;
 	}
 	/* Split buf (crypt_hash_final resets hash state) */
-	if ((r = crypt_hash_write(h, &buf[0], 1)) ||
+	if (crypt_hash_write(h, &buf[0], 1) ||
-	    (r = crypt_hash_write(h, &buf[1], 1)) ||
+	    crypt_hash_write(h, &buf[1], 1) ||
-	    (r = crypt_hash_final(h, hash_out2, 64))) {
+	    crypt_hash_final(h, hash_out2, 64)) {
 		crypt_hash_destroy(h);
 		return;
 	}
@@ -94,7 +80,7 @@ static void crypt_hash_test_whirlpool_bug(void)
 		crypto_backend_whirlpool_bug = 1;
 }
-int crypt_backend_init(void)
+int crypt_backend_init(bool fips __attribute__((unused)))
 {
 	int r;
@@ -127,10 +113,11 @@ int crypt_backend_init(void)
 	crypto_backend_initialised = 1;
 	crypt_hash_test_whirlpool_bug();
-	r = snprintf(version, sizeof(version), "gcrypt %s%s%s",
+	r = snprintf(version, sizeof(version), "gcrypt %s%s%s%s",
 		 gcry_check_version(NULL),
 		 crypto_backend_secmem ? "" : ", secmem disabled",
-		 crypto_backend_whirlpool_bug > 0 ? ", flawed whirlpool" : "");
+		 crypto_backend_whirlpool_bug > 0 ? ", flawed whirlpool" : "",
 		 crypt_backend_flags() & CRYPT_BACKEND_ARGON2 ? ", argon2" : "");
 	if (r < 0 || (size_t)r >= sizeof(version))
 		return -EINVAL;
@@ -152,7 +139,11 @@ const char *crypt_backend_version(void)
 uint32_t crypt_backend_flags(void)
 {
-	return 0;
+	uint32_t flags = 0;
 #if HAVE_DECL_GCRY_KDF_ARGON2 && !USE_INTERNAL_ARGON2
 	flags |= CRYPT_BACKEND_ARGON2;
 #endif
 	return flags;
 }
 static const char *crypt_hash_compat_name(const char *name, unsigned int *flags)
@@ -267,7 +258,6 @@ int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length)
 void crypt_hash_destroy(struct crypt_hash *ctx)
 {
 	gcry_md_close(ctx->hd);
 	memset(ctx, 0, sizeof(*ctx));
 	free(ctx);
 }
@@ -342,7 +332,6 @@ int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length)
 void crypt_hmac_destroy(struct crypt_hmac *ctx)
 {
 	gcry_md_close(ctx->hd);
 	memset(ctx, 0, sizeof(*ctx));
 	free(ctx);
 }
@@ -387,6 +376,130 @@ static int pbkdf2(const char *hash,
 #endif /* USE_INTERNAL_PBKDF2 */
 }
 #if HAVE_DECL_GCRY_KDF_ARGON2 && !USE_INTERNAL_ARGON2
 struct gcrypt_thread_job
 {
 	pthread_t thread;
 	struct job_thread_param {
 		gcry_kdf_job_fn_t job;
 		void *p;
 	} work;
 };
 struct gcrypt_threads
 {
 	pthread_attr_t attr;
 	unsigned int num_threads;
 	unsigned int max_threads;
 	struct gcrypt_thread_job *jobs_ctx;
 };
 static void *gcrypt_job_thread(void *p)
 {
 	struct job_thread_param *param = p;
 	param->job(param->p);
 	pthread_exit(NULL);
 }
 static int gcrypt_wait_all_jobs(void *ctx)
 {
 	unsigned int i;
 	struct gcrypt_threads *threads = ctx;
 	for (i = 0; i < threads->num_threads; i++) {
 		pthread_join(threads->jobs_ctx[i].thread, NULL);
 		threads->jobs_ctx[i].thread = 0;
 	}
 	threads->num_threads = 0;
 	return 0;
 }
 static int gcrypt_dispatch_job(void *ctx, gcry_kdf_job_fn_t job, void *p)
 {
 	struct gcrypt_threads *threads = ctx;
 	if (threads->num_threads >= threads->max_threads)
 		return -1;
 	threads->jobs_ctx[threads->num_threads].work.job = job;
 	threads->jobs_ctx[threads->num_threads].work.p = p;
 	if (pthread_create(&threads->jobs_ctx[threads->num_threads].thread, &threads->attr,
 			   gcrypt_job_thread, &threads->jobs_ctx[threads->num_threads].work))
 		return -1;
 	threads->num_threads++;
 	return 0;
 }
 static int gcrypt_argon2(const char *type,
 	const char *password, size_t password_length,
 	const char *salt, size_t salt_length,
 	char *key, size_t key_length,
 	uint32_t iterations, uint32_t memory, uint32_t parallel)
 {
 	gcry_kdf_hd_t hd;
 	int atype, r = -EINVAL;
 	unsigned long param[4];
 	struct gcrypt_threads threads = {
 		.max_threads = parallel,
 		.num_threads = 0
 	};
 	const gcry_kdf_thread_ops_t ops = {
 		.jobs_context = &threads,
 		.dispatch_job = gcrypt_dispatch_job,
 		.wait_all_jobs = gcrypt_wait_all_jobs
 	};
 	if (!strcmp(type, "argon2i"))
 		atype = GCRY_KDF_ARGON2I;
 	else if (!strcmp(type, "argon2id"))
 		atype = GCRY_KDF_ARGON2ID;
 	else
 		return -EINVAL;
 	param[0] = key_length;
 	param[1] = iterations;
 	param[2] = memory;
 	param[3] = parallel;
 	if (gcry_kdf_open(&hd, GCRY_KDF_ARGON2, atype, param, 4,
 			password, password_length, salt, salt_length,
 			NULL, 0, NULL, 0)) {
 		free(threads.jobs_ctx);
 		return -EINVAL;
 	}
 	if (parallel == 1) {
 		/* Do not use threads here */
 		if (gcry_kdf_compute(hd, NULL))
 			goto out;
 	} else {
 		threads.jobs_ctx = calloc(threads.max_threads,
 				      sizeof(struct gcrypt_thread_job));
 		if (!threads.jobs_ctx)
 			goto out;
 		if (pthread_attr_init(&threads.attr))
 			goto out;
 		if (gcry_kdf_compute(hd, &ops))
 			goto out;
 	}
 	if (gcry_kdf_final(hd, key_length, key))
 		goto out;
 	r = 0;
 out:
 	gcry_kdf_close(hd);
 	pthread_attr_destroy(&threads.attr);
 	free(threads.jobs_ctx);
 	return r;
 }
 #endif
 /* PBKDF */
 int crypt_pbkdf(const char *kdf, const char *hash,
 		const char *password, size_t password_length,
@@ -401,8 +514,13 @@ int crypt_pbkdf(const char *kdf, const char *hash,
 		return pbkdf2(hash, password, password_length, salt, salt_length,
 			      key, key_length, iterations);
 	else if (!strncmp(kdf, "argon2", 6))
 #if HAVE_DECL_GCRY_KDF_ARGON2 && !USE_INTERNAL_ARGON2
 		return gcrypt_argon2(kdf, password, password_length, salt, salt_length,
 				     key, key_length, iterations, memory, parallel);
 #else
 		return argon2(kdf, password, password_length, salt, salt_length,
 			      key, key_length, iterations, memory, parallel);
 #endif
 	return -EINVAL;
 }
@@ -550,3 +668,28 @@ out:
 	return -ENOTSUP;
 #endif
 }
 int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
 {
 	return crypt_internal_memeq(m1, m2, n);
 }
 #if !ENABLE_FIPS
 bool crypt_fips_mode(void) { return false; }
 #else
 bool crypt_fips_mode(void)
 {
 	static bool fips_mode = false, fips_checked = false;
 	if (fips_checked)
 		return fips_mode;
 	if (crypt_backend_init(false /* ignored */))
 		return false;
 	fips_mode = gcry_fips_mode_active();
 	fips_checked = true;
 	return fips_mode;
 }
 #endif /* ENABLE FIPS */
--- a/lib/crypto_backend/crypto_kernel.c
+++ b/lib/crypto_backend/crypto_kernel.c
@@ -1,25 +1,11 @@
 // SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * Linux kernel userspace API crypto backend implementation
 *
- * Copyright (C) 2010-2021 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2021 Milan Broz
+ * Copyright (C) 2010-2024 Milan Broz
 *
 * This file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This file is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this file; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include <string.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <errno.h>
@@ -117,7 +103,7 @@ static int crypt_kernel_socket_init(struct sockaddr_alg *sa, int *tfmfd, int *op
 	return 0;
 }
-int crypt_backend_init(void)
+int crypt_backend_init(bool fips __attribute__((unused)))
 {
 	struct utsname uts;
 	struct sockaddr_alg sa = {
@@ -245,7 +231,6 @@ void crypt_hash_destroy(struct crypt_hash *ctx)
 		close(ctx->tfmfd);
 	if (ctx->opfd >= 0)
 		close(ctx->opfd);
 	memset(ctx, 0, sizeof(*ctx));
 	free(ctx);
 }
@@ -324,7 +309,6 @@ void crypt_hmac_destroy(struct crypt_hmac *ctx)
 		close(ctx->tfmfd);
 	if (ctx->opfd >= 0)
 		close(ctx->opfd);
 	memset(ctx, 0, sizeof(*ctx));
 	free(ctx);
 }
@@ -416,3 +400,13 @@ int crypt_bitlk_decrypt_key(const void *key, size_t key_length,
 	return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
 					      iv, iv_length, tag, tag_length);
 }
 int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
 {
 	return crypt_internal_memeq(m1, m2, n);
 }
 bool crypt_fips_mode(void)
 {
 	return false;
 }
--- a/lib/crypto_backend/crypto_nettle.c
+++ b/lib/crypto_backend/crypto_nettle.c
@@ -1,31 +1,18 @@
 // SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * Nettle crypto backend implementation
 *
- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2011-2021 Milan Broz
+ * Copyright (C) 2011-2024 Milan Broz
 *
 * This file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This file is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this file; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
 #include <nettle/sha.h>
 #include <nettle/sha3.h>
 #include <nettle/hmac.h>
 #include <nettle/pbkdf2.h>
 #include <nettle/memops.h>
 #include "crypto_backend_internal.h"
 #if HAVE_NETTLE_VERSION_H
@@ -213,7 +200,7 @@ static struct hash_alg *_get_alg(const char *name)
 	return NULL;
 }
-int crypt_backend_init(void)
+int crypt_backend_init(bool fips __attribute__((unused)))
 {
 	return 0;
 }
@@ -297,8 +284,7 @@ int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
 	h = malloc(sizeof(*h));
 	if (!h)
 		return -ENOMEM;
-	memset(ctx, 0, sizeof(*ctx));
+	memset(h, 0, sizeof(*h));
 	h->hash = _get_alg(name);
 	if (!h->hash) {
@@ -446,3 +432,14 @@ int crypt_bitlk_decrypt_key(const void *key, size_t key_length,
 	return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
 					      iv, iv_length, tag, tag_length);
 }
 int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
 {
 	/* The logic is inverse to memcmp... */
 	return !memeql_sec(m1, m2, n);
 }
 bool crypt_fips_mode(void)
 {
 	return false;
 }
--- a/lib/crypto_backend/crypto_nss.c
+++ b/lib/crypto_backend/crypto_nss.c
@@ -1,25 +1,12 @@
 // SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * NSS crypto backend implementation
 *
- * Copyright (C) 2010-2021 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2021 Milan Broz
+ * Copyright (C) 2010-2024 Milan Broz
 *
 * This file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This file is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this file; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include <string.h>
+#include <stdio.h>
 #include <errno.h>
 #include <nss.h>
 #include <pk11pub.h>
@@ -75,7 +62,7 @@ static struct hash_alg *_get_alg(const char *name)
 	return NULL;
 }
-int crypt_backend_init(void)
+int crypt_backend_init(bool fips __attribute__((unused)))
 {
 	int r;
@@ -220,8 +207,7 @@ int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
 	h = malloc(sizeof(*h));
 	if (!h)
 		return -ENOMEM;
-	memset(ctx, 0, sizeof(*ctx));
+	memset(h, 0, sizeof(*h));
 	h->hash = _get_alg(name);
 	if (!h->hash)
@@ -395,3 +381,13 @@ int crypt_bitlk_decrypt_key(const void *key, size_t key_length,
 	return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
 					      iv, iv_length, tag, tag_length);
 }
 int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
 {
 	return NSS_SecureMemcmp(m1, m2, n);
 }
 bool crypt_fips_mode(void)
 {
 	return false;
 }
--- a/lib/crypto_backend/crypto_openssl.c
+++ b/lib/crypto_backend/crypto_openssl.c
@@ -1,51 +1,42 @@
 // SPDX-License-Identifier: LGPL-2.1-or-later WITH cryptsetup-OpenSSL-exception
 /*
 * OPENSSL crypto backend implementation
 *
- * Copyright (C) 2010-2021 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2021 Milan Broz
+ * Copyright (C) 2010-2024 Milan Broz
 *
 * This file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This file is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this file; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * In addition, as a special exception, the copyright holders give
 * permission to link the code of portions of this program with the
 * OpenSSL library under certain conditions as described in each
 * individual source file, and distribute linked combinations
 * including the two.
 *
 * You must obey the GNU Lesser General Public License in all respects
 * for all of the code used other than OpenSSL.
 */
-/*
+#include <stdio.h>
 * HMAC will be later rewritten to a new API from OpenSSL 3
 */
 #define OPENSSL_SUPPRESS_DEPRECATED
 #include <string.h>
 #include <errno.h>
 #include <limits.h>
 #include <strings.h>
 #include <openssl/crypto.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/rand.h>
 #include "crypto_backend_internal.h"
 #if OPENSSL_VERSION_MAJOR >= 3
 #include <openssl/provider.h>
 #include <openssl/kdf.h>
 #include <openssl/core_names.h>
 static OSSL_PROVIDER *ossl_legacy = NULL;
 static OSSL_PROVIDER *ossl_default = NULL;
 static OSSL_LIB_CTX  *ossl_ctx = NULL;
 static char backend_version[256] = "OpenSSL";
 #define MAX_THREADS 8
 #if !HAVE_DECL_OSSL_GET_MAX_THREADS
 static int OSSL_set_max_threads(OSSL_LIB_CTX *ctx __attribute__((unused)),
 				uint64_t max_threads __attribute__((unused))) { return 0; }
 static uint64_t OSSL_get_max_threads(OSSL_LIB_CTX *ctx __attribute__((unused))) { return 0; }
 #else
 #include <openssl/thread.h>
 #endif
 #endif
 #define CONST_CAST(x) (x)(uintptr_t)
 #define UNUSED(x) (void)(x)
 static int crypto_backend_initialised = 0;
@@ -56,8 +47,14 @@ struct crypt_hash {
 };
 struct crypt_hmac {
 #if OPENSSL_VERSION_MAJOR >= 3
 	EVP_MAC *mac;
 	EVP_MAC_CTX *md;
 	EVP_MAC_CTX *md_org;
 #else
 	HMAC_CTX *md;
 	const EVP_MD *hash_id;
 #endif
 	int hash_len;
 };
@@ -68,6 +65,7 @@ struct crypt_cipher {
 	struct {
 		EVP_CIPHER_CTX *hd_enc;
 		EVP_CIPHER_CTX *hd_dec;
 		const EVP_CIPHER *cipher_type;
 		size_t iv_length;
 	} lib;
 	} u;
@@ -84,9 +82,10 @@ struct hash_alg {
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
-static void openssl_backend_init(void)
+static int openssl_backend_init(bool fips __attribute__((unused)))
 {
 	OpenSSL_add_all_algorithms();
 	return 0;
 }
 static void openssl_backend_exit(void)
@@ -130,46 +129,88 @@ static void HMAC_CTX_free(HMAC_CTX *md)
 	free(md);
 }
 #else
-static void openssl_backend_init(void)
+static void openssl_backend_exit(void)
 {
 #if OPENSSL_VERSION_MAJOR >= 3
 	if (ossl_legacy)
 		OSSL_PROVIDER_unload(ossl_legacy);
 	if (ossl_default)
 		OSSL_PROVIDER_unload(ossl_default);
 	if (ossl_ctx)
 		OSSL_LIB_CTX_free(ossl_ctx);
 	ossl_legacy = NULL;
 	ossl_default = NULL;
 	ossl_ctx = NULL;
 #endif
 }
 static int openssl_backend_init(bool fips)
 {
 /*
 * OpenSSL >= 3.0.0 provides some algorithms in legacy provider
 */
 #if OPENSSL_VERSION_MAJOR >= 3
-	OPENSSL_init_crypto(OPENSSL_INIT_NO_ATEXIT, NULL);
+	int r;
-	ossl_legacy  = OSSL_PROVIDER_try_load(NULL, "legacy", 0);
+	bool ossl_threads = false;
 	ossl_default = OSSL_PROVIDER_try_load(NULL, "default", 0);
 #endif
 }
 static void openssl_backend_exit(void)
 {
 #if OPENSSL_VERSION_MAJOR >= 3
 	/*
-	 * If Destructor was already called, we must not call it again
+	 * In FIPS mode we keep default OpenSSL context & global config
 	 */
-	if (OPENSSL_init_crypto(0, NULL) != 0) {
+	if (!fips) {
-		OSSL_PROVIDER_unload(ossl_legacy);
+		ossl_ctx = OSSL_LIB_CTX_new();
-		OSSL_PROVIDER_unload(ossl_default);
+		if (!ossl_ctx)
-		OPENSSL_cleanup();
+			return -EINVAL;
 		ossl_default = OSSL_PROVIDER_try_load(ossl_ctx, "default", 0);
 		if (!ossl_default) {
 			OSSL_LIB_CTX_free(ossl_ctx);
 			return -EINVAL;
 		}
-	ossl_legacy = NULL;
+
-	ossl_default = NULL;
+		/* Optional */
 		ossl_legacy = OSSL_PROVIDER_try_load(ossl_ctx, "legacy", 0);
 	}
 	if (OSSL_set_max_threads(ossl_ctx, MAX_THREADS) == 1 &&
 	    OSSL_get_max_threads(ossl_ctx) == MAX_THREADS)
 		ossl_threads = true;
 	r = snprintf(backend_version, sizeof(backend_version), "%s %s%s%s%s%s",
 		OpenSSL_version(OPENSSL_VERSION),
 		ossl_default ? "[default]" : "",
 		ossl_legacy  ? "[legacy]" : "",
 		fips  ? "[fips]" : "",
 		ossl_threads ? "[threads]" : "",
 		crypt_backend_flags() & CRYPT_BACKEND_ARGON2 ? "[argon2]" : "");
 	if (r < 0 || (size_t)r >= sizeof(backend_version)) {
 		openssl_backend_exit();
 		return -EINVAL;
 	}
 #else
 	UNUSED(fips);
 #endif
 	return 0;
 }
 static const char *openssl_backend_version(void)
 {
 #if OPENSSL_VERSION_MAJOR >= 3
 	return backend_version;
 #else
 	return OpenSSL_version(OPENSSL_VERSION);
 #endif
 }
 #endif
-int crypt_backend_init(void)
+int crypt_backend_init(bool fips)
 {
 	if (crypto_backend_initialised)
 		return 0;
-	openssl_backend_init();
+	if (openssl_backend_init(fips))
 		return -EINVAL;
 	crypto_backend_initialised = 1;
 	return 0;
@@ -177,13 +218,27 @@ int crypt_backend_init(void)
 void crypt_backend_destroy(void)
 {
 	/*
 	 * If Destructor was already called, we must not call it again
 	 */
 	if (!crypto_backend_initialised)
 		return;
 	crypto_backend_initialised = 0;
 	openssl_backend_exit();
 }
 uint32_t crypt_backend_flags(void)
 {
-	return 0;
+	uint32_t flags = 0;
 #if OPENSSL_VERSION_MAJOR < 3
 	flags |= CRYPT_BACKEND_PBKDF2_INT;
 #endif
 #if HAVE_DECL_OSSL_KDF_PARAM_ARGON2_VERSION
 	flags |= CRYPT_BACKEND_ARGON2;
 #endif
 	return flags;
 }
 const char *crypt_backend_version(void)
@@ -215,16 +270,55 @@ static const char *crypt_hash_compat_name(const char *name)
 	return hash_name;
 }
 static const EVP_MD *hash_id_get(const char *name)
 {
 #if OPENSSL_VERSION_MAJOR >= 3
 	return EVP_MD_fetch(ossl_ctx, crypt_hash_compat_name(name), NULL);
 #else
 	return EVP_get_digestbyname(crypt_hash_compat_name(name));
 #endif
 }
 static void hash_id_free(const EVP_MD *hash_id)
 {
 #if OPENSSL_VERSION_MAJOR >= 3
 	EVP_MD_free(CONST_CAST(EVP_MD*)hash_id);
 #else
 	UNUSED(hash_id);
 #endif
 }
 static const EVP_CIPHER *cipher_type_get(const char *name)
 {
 #if OPENSSL_VERSION_MAJOR >= 3
 	return EVP_CIPHER_fetch(ossl_ctx, name, NULL);
 #else
 	return EVP_get_cipherbyname(name);
 #endif
 }
 static void cipher_type_free(const EVP_CIPHER *cipher_type)
 {
 #if OPENSSL_VERSION_MAJOR >= 3
 	EVP_CIPHER_free(CONST_CAST(EVP_CIPHER*)cipher_type);
 #else
 	UNUSED(cipher_type);
 #endif
 }
 /* HASH */
 int crypt_hash_size(const char *name)
 {
 	int size;
 	const EVP_MD *hash_id;
-	hash_id = EVP_get_digestbyname(crypt_hash_compat_name(name));
+	hash_id = hash_id_get(name);
 	if (!hash_id)
 		return -EINVAL;
-	return EVP_MD_size(hash_id);
+	size = EVP_MD_size(hash_id);
 	hash_id_free(hash_id);
 	return size;
 }
 int crypt_hash_init(struct crypt_hash **ctx, const char *name)
@@ -241,7 +335,7 @@ int crypt_hash_init(struct crypt_hash **ctx, const char *name)
 		return -ENOMEM;
 	}
-	h->hash_id = EVP_get_digestbyname(crypt_hash_compat_name(name));
+	h->hash_id = hash_id_get(name);
 	if (!h->hash_id) {
 		EVP_MD_CTX_free(h->md);
 		free(h);
@@ -249,6 +343,7 @@ int crypt_hash_init(struct crypt_hash **ctx, const char *name)
 	}
 	if (EVP_DigestInit_ex(h->md, h->hash_id, NULL) != 1) {
 		hash_id_free(h->hash_id);
 		EVP_MD_CTX_free(h->md);
 		free(h);
 		return -EINVAL;
@@ -300,8 +395,8 @@ int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length)
 void crypt_hash_destroy(struct crypt_hash *ctx)
 {
 	hash_id_free(ctx->hash_id);
 	EVP_MD_CTX_free(ctx->md);
 	memset(ctx, 0, sizeof(*ctx));
 	free(ctx);
 }
@@ -315,7 +410,39 @@ int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
 		    const void *key, size_t key_length)
 {
 	struct crypt_hmac *h;
 #if OPENSSL_VERSION_MAJOR >= 3
 	OSSL_PARAM params[] = {
 		OSSL_PARAM_utf8_string(OSSL_MAC_PARAM_DIGEST, CONST_CAST(void*)name, 0),
 		OSSL_PARAM_END
 	};
 	h = malloc(sizeof(*h));
 	if (!h)
 		return -ENOMEM;
 	h->mac = EVP_MAC_fetch(ossl_ctx, OSSL_MAC_NAME_HMAC, NULL);
 	if (!h->mac) {
 		free(h);
 		return -EINVAL;
 	}
 	h->md = EVP_MAC_CTX_new(h->mac);
 	if (!h->md) {
 		EVP_MAC_free(h->mac);
 		free(h);
 		return -ENOMEM;
 	}
 	if (EVP_MAC_init(h->md, key, key_length, params) != 1) {
 		EVP_MAC_CTX_free(h->md);
 		EVP_MAC_free(h->mac);
 		free(h);
 		return -EINVAL;
 	}
 	h->hash_len = EVP_MAC_CTX_get_mac_size(h->md);
 	h->md_org = EVP_MAC_CTX_dup(h->md);
 #else
 	h = malloc(sizeof(*h));
 	if (!h)
 		return -ENOMEM;
@@ -326,7 +453,7 @@ int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
 		return -ENOMEM;
 	}
-	h->hash_id = EVP_get_digestbyname(crypt_hash_compat_name(name));
+	h->hash_id = hash_id_get(name);
 	if (!h->hash_id) {
 		HMAC_CTX_free(h->md);
 		free(h);
@@ -336,46 +463,75 @@ int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
 	HMAC_Init_ex(h->md, key, key_length, h->hash_id, NULL);
 	h->hash_len = EVP_MD_size(h->hash_id);
 #endif
 	*ctx = h;
 	return 0;
 }
-static void crypt_hmac_restart(struct crypt_hmac *ctx)
+static int crypt_hmac_restart(struct crypt_hmac *ctx)
 {
 #if OPENSSL_VERSION_MAJOR >= 3
 	EVP_MAC_CTX_free(ctx->md);
 	ctx->md = EVP_MAC_CTX_dup(ctx->md_org);
 	if (!ctx->md)
 		return -EINVAL;
 #else
 	HMAC_Init_ex(ctx->md, NULL, 0, ctx->hash_id, NULL);
 #endif
 	return 0;
 }
 int crypt_hmac_write(struct crypt_hmac *ctx, const char *buffer, size_t length)
 {
 #if OPENSSL_VERSION_MAJOR >= 3
 	return EVP_MAC_update(ctx->md, (const unsigned char *)buffer, length) == 1 ? 0 : -EINVAL;
 #else
 	HMAC_Update(ctx->md, (const unsigned char *)buffer, length);
 	return 0;
 #endif
 }
 int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length)
 {
 	unsigned char tmp[EVP_MAX_MD_SIZE];
 #if OPENSSL_VERSION_MAJOR >= 3
 	size_t tmp_len = 0;
 	if (length > (size_t)ctx->hash_len)
 		return -EINVAL;
 	if (EVP_MAC_final(ctx->md, tmp,  &tmp_len, sizeof(tmp)) != 1)
 		return -EINVAL;
 #else
 	unsigned int tmp_len = 0;
 	if (length > (size_t)ctx->hash_len)
 		return -EINVAL;
 	HMAC_Final(ctx->md, tmp, &tmp_len);
-
+#endif
 	memcpy(buffer, tmp, length);
 	crypt_backend_memzero(tmp, sizeof(tmp));
 	if (tmp_len < length)
 		return -EINVAL;
-	crypt_hmac_restart(ctx);
+	if (crypt_hmac_restart(ctx))
 		return -EINVAL;
 	return 0;
 }
 void crypt_hmac_destroy(struct crypt_hmac *ctx)
 {
 #if OPENSSL_VERSION_MAJOR >= 3
 	EVP_MAC_CTX_free(ctx->md);
 	EVP_MAC_CTX_free(ctx->md_org);
 	EVP_MAC_free(ctx->mac);
 #else
 	hash_id_free(ctx->hash_id);
 	HMAC_CTX_free(ctx->md);
-	memset(ctx, 0, sizeof(*ctx));
+#endif
 	free(ctx);
 }
@@ -389,48 +545,140 @@ int crypt_backend_rng(char *buffer, size_t length,
 	return 0;
 }
 static int openssl_pbkdf2(const char *password, size_t password_length,
 	const char *salt, size_t salt_length, uint32_t iterations,
 	const char *hash, char *key, size_t key_length)
 {
 	int r;
 #if OPENSSL_VERSION_MAJOR >= 3
 	EVP_KDF_CTX *ctx;
 	EVP_KDF *pbkdf2;
 	OSSL_PARAM params[] = {
 		OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD,
 			CONST_CAST(void*)password, password_length),
 		OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT,
 			CONST_CAST(void*)salt, salt_length),
 		OSSL_PARAM_uint32(OSSL_KDF_PARAM_ITER, &iterations),
 		OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST,
 			CONST_CAST(void*)hash, 0),
 		OSSL_PARAM_END
 	};
 	pbkdf2 = EVP_KDF_fetch(ossl_ctx, "pbkdf2", NULL);
 	if (!pbkdf2)
 		return -EINVAL;
 	ctx = EVP_KDF_CTX_new(pbkdf2);
 	if (!ctx) {
 		EVP_KDF_free(pbkdf2);
 		return -EINVAL;
 	}
 	r = EVP_KDF_derive(ctx, (unsigned char*)key, key_length, params);
 	EVP_KDF_CTX_free(ctx);
 	EVP_KDF_free(pbkdf2);
 #else
 	const EVP_MD *hash_id = EVP_get_digestbyname(crypt_hash_compat_name(hash));
 	if (!hash_id)
 		return -EINVAL;
 	/* OpenSSL2 has iteration as signed int, avoid overflow */
 	if (iterations > INT_MAX)
 		return -EINVAL;
 	r = PKCS5_PBKDF2_HMAC(password, (int)password_length, (const unsigned char *)salt,
 		(int)salt_length, iterations, hash_id, (int)key_length, (unsigned char*) key);
 #endif
 	return r == 1 ? 0 : -EINVAL;
 }
 static int openssl_argon2(const char *type, const char *password, size_t password_length,
 	const char *salt, size_t salt_length, char *key, size_t key_length,
 	uint32_t iterations, uint32_t memory, uint32_t parallel)
 {
 #if HAVE_DECL_OSSL_KDF_PARAM_ARGON2_VERSION
 	EVP_KDF_CTX *ctx;
 	EVP_KDF *argon2;
 	unsigned int threads = parallel;
 	int r;
 	OSSL_PARAM params[] = {
 		OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD,
 			CONST_CAST(void*)password, password_length),
 		OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT,
 			CONST_CAST(void*)salt, salt_length),
 		OSSL_PARAM_uint32(OSSL_KDF_PARAM_ITER, &iterations),
 		OSSL_PARAM_uint(OSSL_KDF_PARAM_THREADS, &threads),
 		OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_LANES, &parallel),
 		OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_MEMCOST, &memory),
 		OSSL_PARAM_END
 	};
 	if (OSSL_get_max_threads(ossl_ctx) == 0)
 		threads = 1;
 	argon2 = EVP_KDF_fetch(ossl_ctx, type, NULL);
 	if (!argon2)
 		return -EINVAL;
 	ctx = EVP_KDF_CTX_new(argon2);
 	if (!ctx) {
 		EVP_KDF_free(argon2);
 		return -EINVAL;
 	}
 	if (EVP_KDF_CTX_set_params(ctx, params) != 1) {
 		EVP_KDF_CTX_free(ctx);
 		EVP_KDF_free(argon2);
 		return -EINVAL;
 	}
 	r = EVP_KDF_derive(ctx, (unsigned char*)key, key_length, NULL /*params*/);
 	EVP_KDF_CTX_free(ctx);
 	EVP_KDF_free(argon2);
 	/* _derive() returns 0 or negative value on error, 1 on success */
 	return r == 1 ? 0 : -EINVAL;
 #else
 	return argon2(type, password, password_length, salt, salt_length,
 		      key, key_length, iterations, memory, parallel);
 #endif
 }
 /* PBKDF */
 int crypt_pbkdf(const char *kdf, const char *hash,
 		const char *password, size_t password_length,
 		const char *salt, size_t salt_length,
 		char *key, size_t key_length,
 		uint32_t iterations, uint32_t memory, uint32_t parallel)
 {
 	const EVP_MD *hash_id;
 	if (!kdf)
 		return -EINVAL;
-	if (!strcmp(kdf, "pbkdf2")) {
+	if (!strcmp(kdf, "pbkdf2"))
-		hash_id = EVP_get_digestbyname(crypt_hash_compat_name(hash));
+		return openssl_pbkdf2(password, password_length, salt, salt_length,
-		if (!hash_id)
+				      iterations, hash, key, key_length);
-			return -EINVAL;
+	if (!strncmp(kdf, "argon2", 6))
-
+		return openssl_argon2(kdf, password, password_length, salt, salt_length,
 		if (!PKCS5_PBKDF2_HMAC(password, (int)password_length,
 		    (const unsigned char *)salt, (int)salt_length,
 	            (int)iterations, hash_id, (int)key_length, (unsigned char *)key))
 			return -EINVAL;
 		return 0;
 	} else if (!strncmp(kdf, "argon2", 6)) {
 		return argon2(kdf, password, password_length, salt, salt_length,
 				      key, key_length, iterations, memory, parallel);
 	}
 	return -EINVAL;
 }
 /* Block ciphers */
-static void _cipher_destroy(EVP_CIPHER_CTX **hd_enc, EVP_CIPHER_CTX **hd_dec)
+static void _cipher_destroy(EVP_CIPHER_CTX **hd_enc, EVP_CIPHER_CTX **hd_dec, const EVP_CIPHER **cipher_type)
 {
 	EVP_CIPHER_CTX_free(*hd_enc);
 	*hd_enc = NULL;
 	EVP_CIPHER_CTX_free(*hd_dec);
 	*hd_dec = NULL;
 	cipher_type_free(*cipher_type);
 	*cipher_type = NULL;
 }
-static int _cipher_init(EVP_CIPHER_CTX **hd_enc, EVP_CIPHER_CTX **hd_dec, const char *name,
+static int _cipher_init(EVP_CIPHER_CTX **hd_enc, EVP_CIPHER_CTX **hd_dec, const EVP_CIPHER **cipher_type, const char *name,
 			const char *mode, const void *key, size_t key_length, size_t *iv_length)
 {
 	char cipher_name[256];
@@ -445,32 +693,38 @@ static int _cipher_init(EVP_CIPHER_CTX **hd_enc, EVP_CIPHER_CTX **hd_dec, const
 	if (r < 0 || (size_t)r >= sizeof(cipher_name))
 		return -EINVAL;
-	type = EVP_get_cipherbyname(cipher_name);
+	type = cipher_type_get(cipher_name);
 	if (!type)
 		return -ENOENT;
-	if (EVP_CIPHER_key_length(type) != (int)key_length)
+	if (EVP_CIPHER_key_length(type) != (int)key_length) {
 		cipher_type_free(type);
 		return -EINVAL;
 	}
 	*hd_enc = EVP_CIPHER_CTX_new();
 	*hd_dec = EVP_CIPHER_CTX_new();
 	*iv_length = EVP_CIPHER_iv_length(type);
-	if (!*hd_enc || !*hd_dec)
+	if (!*hd_enc || !*hd_dec) {
 		cipher_type_free(type);
 		return -EINVAL;
 	}
 	if (EVP_EncryptInit_ex(*hd_enc, type, NULL, key, NULL) != 1 ||
 	    EVP_DecryptInit_ex(*hd_dec, type, NULL, key, NULL) != 1) {
-		_cipher_destroy(hd_enc, hd_dec);
+		_cipher_destroy(hd_enc, hd_dec, &type);
 		return -EINVAL;
 	}
 	if (EVP_CIPHER_CTX_set_padding(*hd_enc, 0) != 1 ||
 	    EVP_CIPHER_CTX_set_padding(*hd_dec, 0) != 1) {
-		_cipher_destroy(hd_enc, hd_dec);
+		_cipher_destroy(hd_enc, hd_dec, &type);
 		return -EINVAL;
 	}
 	*cipher_type = type;
 	return 0;
 }
@@ -484,7 +738,7 @@ int crypt_cipher_init(struct crypt_cipher **ctx, const char *name,
 	if (!h)
 		return -ENOMEM;
-	if (!_cipher_init(&h->u.lib.hd_enc, &h->u.lib.hd_dec, name, mode, key,
+	if (!_cipher_init(&h->u.lib.hd_enc, &h->u.lib.hd_dec, &h->u.lib.cipher_type, name, mode, key,
 			  key_length, &h->u.lib.iv_length)) {
 		h->use_kernel = false;
 		*ctx = h;
@@ -507,7 +761,7 @@ void crypt_cipher_destroy(struct crypt_cipher *ctx)
 	if (ctx->use_kernel)
 		crypt_cipher_destroy_kernel(&ctx->u.kernel);
 	else
-		_cipher_destroy(&ctx->u.lib.hd_enc, &ctx->u.lib.hd_dec);
+		_cipher_destroy(&ctx->u.lib.hd_enc, &ctx->u.lib.hd_dec, &ctx->u.lib.cipher_type);
 	free(ctx);
 }
@@ -594,9 +848,6 @@ int crypt_bitlk_decrypt_key(const void *key, size_t key_length __attribute__((un
 	if (EVP_DecryptInit_ex(ctx, EVP_aes_256_ccm(), NULL, NULL, NULL) != 1)
 		goto out;
 	//EVP_CIPHER_CTX_key_length(ctx)
 	//EVP_CIPHER_CTX_iv_length(ctx)
 	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, iv_length, NULL) != 1)
 		goto out;
 	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, tag_length, CONST_CAST(void*)tag) != 1)
@@ -614,3 +865,34 @@ out:
 	return -ENOTSUP;
 #endif
 }
 int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
 {
 	return CRYPTO_memcmp(m1, m2, n);
 }
 #if !ENABLE_FIPS
 bool crypt_fips_mode(void) { return false; }
 #else
 static bool openssl_fips_mode(void)
 {
 #if OPENSSL_VERSION_MAJOR >= 3
 	return EVP_default_properties_is_fips_enabled(NULL);
 #else
 	return FIPS_mode();
 #endif
 }
 bool crypt_fips_mode(void)
 {
 	static bool fips_mode = false, fips_checked = false;
 	if (fips_checked)
 		return fips_mode;
 	fips_mode = openssl_fips_mode();
 	fips_checked = true;
 	return fips_mode;
 }
 #endif /* ENABLE FIPS */
--- a/lib/crypto_backend/crypto_storage.c
+++ b/lib/crypto_backend/crypto_storage.c
@@ -1,22 +1,9 @@
 // SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * Generic wrapper for storage encryption modes and Initial Vectors
 * (reimplementation of some functions from Linux dm-crypt kernel)
 *
- * Copyright (C) 2014-2021 Milan Broz
+ * Copyright (C) 2014-2024 Milan Broz
 *
 * This file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This file is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this file; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include <stdlib.h>
@@ -151,7 +138,8 @@ static int crypt_sector_iv_init(struct crypt_sector_iv *ctx,
 static int crypt_sector_iv_generate(struct crypt_sector_iv *ctx, uint64_t sector)
 {
-	uint64_t val;
+	uint64_t val, *u64_iv;
 	uint32_t *u32_iv;
 	switch (ctx->type) {
 	case IV_NONE:
@@ -161,19 +149,24 @@ static int crypt_sector_iv_generate(struct crypt_sector_iv *ctx, uint64_t sector
 		break;
 	case IV_PLAIN:
 		memset(ctx->iv, 0, ctx->iv_size);
-		*(uint32_t *)ctx->iv = cpu_to_le32(sector & 0xffffffff);
+		u32_iv = (void *)ctx->iv;
 		*u32_iv = cpu_to_le32(sector & 0xffffffff);
 		break;
 	case IV_PLAIN64:
 		memset(ctx->iv, 0, ctx->iv_size);
-		*(uint64_t *)ctx->iv = cpu_to_le64(sector);
+		u64_iv = (void *)ctx->iv;
 		*u64_iv = cpu_to_le64(sector);
 		break;
 	case IV_PLAIN64BE:
 		memset(ctx->iv, 0, ctx->iv_size);
-		*(uint64_t *)&ctx->iv[ctx->iv_size - sizeof(uint64_t)] = cpu_to_be64(sector);
+		/* iv_size is at least of size u64; usually it is 16 bytes */
 		u64_iv = (void *)&ctx->iv[ctx->iv_size - sizeof(uint64_t)];
 		*u64_iv = cpu_to_be64(sector);
 		break;
 	case IV_ESSIV:
 		memset(ctx->iv, 0, ctx->iv_size);
-		*(uint64_t *)ctx->iv = cpu_to_le64(sector);
+		u64_iv = (void *)ctx->iv;
 		*u64_iv = cpu_to_le64(sector);
 		return crypt_cipher_encrypt(ctx->cipher,
 			ctx->iv, ctx->iv, ctx->iv_size, NULL, 0);
 		break;
@@ -184,7 +177,8 @@ static int crypt_sector_iv_generate(struct crypt_sector_iv *ctx, uint64_t sector
 		break;
 	case IV_EBOIV:
 		memset(ctx->iv, 0, ctx->iv_size);
-		*(uint64_t *)ctx->iv = cpu_to_le64(sector << ctx->shift);
+		u64_iv = (void *)ctx->iv;
 		*u64_iv = cpu_to_le64(sector << ctx->shift);
 		return crypt_cipher_encrypt(ctx->cipher,
 			ctx->iv, ctx->iv, ctx->iv_size, NULL, 0);
 		break;
@@ -254,7 +248,7 @@ int crypt_storage_init(struct crypt_storage **ctx,
 	}
 	s->sector_size = sector_size;
-	s->iv_shift = large_iv ? int_log2(sector_size) - SECTOR_SHIFT : 0;
+	s->iv_shift = large_iv ? (unsigned)int_log2(sector_size) - SECTOR_SHIFT : 0;
 	*ctx = s;
 	return 0;
--- a/lib/crypto_backend/meson.build
+++ b/lib/crypto_backend/meson.build
@@ -0,0 +1,40 @@
 if use_internal_argon2
    subdir('argon2')
 endif
 libcrypto_backend_dependencies = [
    crypto_backend_library,
    clock_gettime,
 ]
 libcrypto_backend_link_with = []
 libcrypto_backend_sources = files(
    'argon2_generic.c',
    'base64.c',
    'cipher_check.c',
    'cipher_generic.c',
    'crc32.c',
    'crypto_cipher_kernel.c',
    'crypto_storage.c',
    'pbkdf_check.c',
    'utf8.c',
 )
 crypto_backend = get_option('crypto-backend')
 libcrypto_backend_sources += files('crypto_@0@.c'.format(crypto_backend))
 if use_internal_pbkdf2
    libcrypto_backend_sources += files('pbkdf2_generic.c')
 endif
 if use_internal_argon2 and get_option('argon-implementation') == 'internal'
    libcrypto_backend_link_with += libargon2
 elif get_option('argon-implementation') == 'libargon2'
    libcrypto_backend_dependencies += libargon2_external
 endif
 libcrypto_backend = static_library('crypto_backend',
    libcrypto_backend_sources,
    include_directories: includes_lib,
    dependencies: libcrypto_backend_dependencies,
    link_with: libcrypto_backend_link_with)
--- a/lib/crypto_backend/pbkdf2_generic.c
+++ b/lib/crypto_backend/pbkdf2_generic.c
@@ -1,26 +1,12 @@
 // SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * Implementation of Password-Based Cryptography as per PKCS#5
 * Copyright (C) 2002,2003 Simon Josefsson
 * Copyright (C) 2004 Free Software Foundation
 *
 * cryptsetup related changes
- * Copyright (C) 2012-2021 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2021 Milan Broz
+ * Copyright (C) 2012-2024 Milan Broz
 *
 * This file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This file is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this file; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 */
 #include <errno.h>
--- a/Show More
+++ b/Show More