Update README for version 2.7.3.

Update cryptsetup.pot.
Add CONTRIBUTING.md file.
2025-12-08 01:10:03 +01:00 · 2024-06-17 14:24:31 +02:00 · 2024-06-17 14:05:50 +02:00 · 2024-06-17 14:04:40 +02:00 · 2024-06-17 13:56:40 +02:00 · 2024-06-11 12:32:37 +02:00
326 changed files with 51966 additions and 19382 deletions
--- a/.codeql-config.yml
+++ b/.codeql-config.yml
@@ -0,0 +1,31 @@
+name: "Cryptsetup CodeQL config"
+
+query-filters:
+- exclude:
+     id: cpp/fixme-comment
+- exclude:
+     id: cpp/empty-block
+- exclude:
+     id: cpp/poorly-documented-function
+- exclude:
+     id: cpp/loop-variable-changed
+- exclude:
+     id: cpp/empty-if
+- exclude:
+     id: cpp/long-switch
+- exclude:
+     id: cpp/complex-condition
+- exclude:
+     id: cpp/commented-out-code
+
+# These produce many false positives
+- exclude:
+     id: cpp/uninitialized-local
+- exclude:
+     id: cpp/path-injection
+- exclude:
+     id: cpp/missing-check-scanf
+
+# CodeQL should understand coverity [toctou] comments
+- exclude:
+     id: cpp/toctou-race-condition
--- a/.github/workflows/cibuild-setup-ubuntu.sh
+++ b/.github/workflows/cibuild-setup-ubuntu.sh
@@ -4,10 +4,10 @@ set -ex

 PACKAGES=(
 	git make autoconf automake autopoint pkg-config libtool libtool-bin
-	gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol1-dev
+	gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev
 	libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev libpwquality-dev
 	sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass
-	asciidoctor
+	asciidoctor meson ninja-build
 )

 COMPILER="${COMPILER:?}"
--- a/.github/workflows/cibuild.yml
+++ b/.github/workflows/cibuild.yml
@@ -4,8 +4,7 @@ on:
    branches:
      - 'main'
      - 'wip-luks2'
-      - 'v2.3.x'
-      - 'v2.4.x'
+      - 'v2.*.x'
    paths-ignore:
      - 'docs/**'

@@ -17,7 +16,7 @@ jobs:
      fail-fast: false
      matrix:
        env:
-          - { COMPILER: "gcc", COMPILER_VERSION: "11",  RUN_SSH_PLUGIN_TEST: "1" }
+          - { COMPILER: "gcc", COMPILER_VERSION: "13",  RUN_SSH_PLUGIN_TEST: "1" }
    env: ${{ matrix.env }}
    steps:
      - name: Repository checkout
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,49 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches:
+      - 'main'
+      - 'wip-luks2'
+      - 'v2.*.x'
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    if: github.repository == 'mbroz/cryptsetup'
+    concurrency:
+      group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
+      cancel-in-progress: true
+    permissions:
+      actions: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp' ]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          queries: +security-extended,security-and-quality
+          config-file: .codeql-config.yml
+
+      - name: Install dependencies
+        run: sudo -E .github/workflows/cibuild-setup-ubuntu.sh
+        env: { COMPILER: "gcc", COMPILER_VERSION: "13",  RUN_SSH_PLUGIN_TEST: "1" }
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -17,7 +17,7 @@ jobs:
        run: sudo -E .github/workflows/cibuild-setup-ubuntu.sh
        env:
          COMPILER: "gcc"
-          COMPILER_VERSION: "11"
+          COMPILER_VERSION: "13"
      - name: Install Coverity
        run: |
          wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=mbroz/cryptsetup" -O cov-analysis-linux64.tar.gz
--- a/.gitignore
+++ b/.gitignore
@@ -58,3 +58,4 @@ tests/unit-utils-io
 tests/vectors-test
 tests/test-symbols-list.h
 tests/all-symbols-test
+tests/fuzz/LUKS2.pb*
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,20 +1,23 @@
 stages:
  - test
+  - test-opal

-.dump_kernel_log:
+.fail_if_coredump_generated:
  after_script:
-    - sudo dmesg > /mnt/artifacts/dmesg.log
-    - sudo journalctl > /mnt/artifacts/journalctl.log
    - '[ "$(ls -A /var/coredumps)" ] && exit 1 || true'

 include:
  - local: .gitlab/ci/debian.yml
  - local: .gitlab/ci/fedora.yml
+  - local: .gitlab/ci/fedora-opal.yml
  - local: .gitlab/ci/rhel.yml
  - local: .gitlab/ci/centos.yml
  - local: .gitlab/ci/annocheck.yml
  - local: .gitlab/ci/csmock.yml
  - local: .gitlab/ci/gitlab-shared-docker.yml
+  - local: .gitlab/ci/compilation-various-disables.yml
  - local: .gitlab/ci/compilation-gcc.gitlab-ci.yml
  - local: .gitlab/ci/compilation-clang.gitlab-ci.yml
  - local: .gitlab/ci/alpinelinux.yml
+  - local: .gitlab/ci/debian-i686.yml
+  - local: .gitlab/ci/cifuzz.yml
--- a/.gitlab/ci/alpinelinux.yml
+++ b/.gitlab/ci/alpinelinux.yml
@@ -1,12 +1,12 @@
 .alpinelinux-dependencies:
-  after_script:
-    - sudo dmesg > /mnt/artifacts/dmesg.log
-    - sudo cp /var/log/messages /mnt/artifacts/
-    - '[ "$(ls -A /var/coredumps)" ] && exit 1 || true'
+  variables:
+    DISTRO: cryptsetup-alpine-edge
+  extends:
+    - .fail_if_coredump_generated
  before_script:
    - >
      sudo apk add
-      lvm2-dev openssl1.1-compat-dev popt-dev util-linux-dev json-c-dev
+      lvm2-dev openssl-dev popt-dev util-linux-dev json-c-dev
      argon2-dev device-mapper which sharutils gettext gettext-dev automake
      autoconf libtool build-base keyutils tar jq expect git asciidoctor
    - ./autogen.sh
@@ -17,17 +17,17 @@ test-main-commit-job-alpinelinux:
    - .alpinelinux-dependencies
  tags:
    - libvirt
-    - alpinelinux
+    - cryptsetup-alpine-edge
  stage: test
  interruptible: true
  variables:
    RUN_SSH_PLUGIN_TEST: "0"
  rules:
+    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
+      when: never
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
-  rules:
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
  script:
    - make -j
    - make -j -C tests check-programs
@@ -38,12 +38,14 @@ test-mergerq-job-alpinelinux:
    - .alpinelinux-dependencies
  tags:
    - libvirt
-    - alpinelinux
+    - cryptsetup-alpine-edge
  stage: test
  interruptible: true
  variables:
    RUN_SSH_PLUGIN_TEST: "0"
  rules:
+    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
+      when: never
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
--- a/.gitlab/ci/annocheck.yml
+++ b/.gitlab/ci/annocheck.yml
@@ -1,19 +1,18 @@
 test-main-commit-job-annocheck:
  extends:
-    - .dump_kernel_log
+    - .fail_if_coredump_generated
  tags:
    - libvirt
-    - rhel9-annocheck
+    - cryptsetup-rhel-9
  stage: test
  interruptible: true
  allow_failure: true
  variables:
+    DISTRO: cryptsetup-rhel-9
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
  script:
-    - /opt/build-rpm-script.sh > /dev/null 2>&1
-    - annocheck /var/lib/mock/rhel-9.0.0-candidate-x86_64/result/*.rpm --profile=el9
-    - annocheck /var/lib/mock/rhel-9.0.0-candidate-x86_64/result/*.rpm --profile=el8
+    - sudo /opt/run-annocheck.sh
--- a/.gitlab/ci/centos.yml
+++ b/.gitlab/ci/centos.yml
@@ -1,6 +1,8 @@
 .centos-openssl-backend:
+  variables:
+    DISTRO: cryptsetup-centos-stream-9
  extends:
-    - .dump_kernel_log
+    - .fail_if_coredump_generated
  before_script:
    - >
      sudo dnf -y -q  install
@@ -21,12 +23,14 @@ test-main-commit-centos-stream9:
    - .centos-openssl-backend
  tags:
    - libvirt
-    - centos-stream9
+    - cryptsetup-centos-stream-9
  stage: test
  interruptible: true
  variables:
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
+    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
+      when: never
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
@@ -40,12 +44,14 @@ test-mergerq-centos-stream9:
    - .centos-openssl-backend
  tags:
    - libvirt
-    - centos-stream9
+    - cryptsetup-centos-stream-9
  stage: test
  interruptible: true
  variables:
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
+    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
+      when: never
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
--- a/.gitlab/ci/cibuild-setup-ubuntu.sh
+++ b/.gitlab/ci/cibuild-setup-ubuntu.sh
@@ -4,10 +4,10 @@ set -ex

 PACKAGES=(
 	git make autoconf automake autopoint pkg-config libtool libtool-bin
-	gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol1-dev
+	gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev
 	libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev libpwquality-dev
-	sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass
-	asciidoctor
+	sharutils dmsetup jq xxd expect keyutils netcat-openbsd passwd openssh-client
+	sshpass asciidoctor
 )

 COMPILER="${COMPILER:?}"
--- a/.gitlab/ci/cifuzz.yml
+++ b/.gitlab/ci/cifuzz.yml
@@ -0,0 +1,46 @@
+cifuzz:
+  variables:
+    OSS_FUZZ_PROJECT_NAME: cryptsetup
+    CFL_PLATFORM: gitlab
+    CIFUZZ_DEBUG: "True"
+    FUZZ_SECONDS: 300 # 5 minutes per fuzzer
+    ARCHITECTURE: "x86_64"
+    DRY_RUN: "False"
+    LOW_DISK_SPACE: "True"
+    BAD_BUILD_CHECK: "True"
+    LANGUAGE: "c"
+    DOCKER_HOST: "tcp://docker:2375"
+    DOCKER_IN_DOCKER: "true"
+    DOCKER_DRIVER: overlay2
+    DOCKER_TLS_CERTDIR: ""
+  image:
+    name: gcr.io/oss-fuzz-base/cifuzz-base
+    entrypoint: [""]
+  services:
+    - docker:dind
+
+  stage: test
+  parallel:
+    matrix:
+      - SANITIZER: [address, undefined, memory]
+  rules:
+    # Default code change.
+    # - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    #   variables:
+    #     MODE: "code-change"
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $BUILD_AND_RUN_FUZZERS != null
+  before_script:
+    # Get gitlab's container id.
+    - export CFL_CONTAINER_ID=`cut -c9- < /proc/1/cpuset`
+  script:
+    # Will build and run the fuzzers.
+    # We use a hack to override CI_JOB_ID, because otherwise a bad path is used
+    # in GitLab CI environment
+    - CI_JOB_ID="$CI_PROJECT_NAMESPACE/$CI_PROJECT_TITLE" python3 "/opt/oss-fuzz/infra/cifuzz/cifuzz_combined_entrypoint.py"
+  artifacts:
+    # Upload artifacts when a crash makes the job fail.
+    when: always
+    paths:
+      - artifacts/
--- a/.gitlab/ci/clang-Wall
+++ b/.gitlab/ci/clang-Wall
@@ -25,10 +25,9 @@ EXTRA="\
 -Wswitch \
 -Wmissing-format-attribute \
 -Winit-self \
- -Wdeclaration-after-statement \
 -Wold-style-definition \
 -Wno-missing-field-initializers \
- -Wno-unused-parameter \
+ -Wunused-parameter \
 -Wno-long-long"

 exec $CLANG $PEDANTIC $CONVERSION \
--- a/.gitlab/ci/compilation-clang.gitlab-ci.yml
+++ b/.gitlab/ci/compilation-clang.gitlab-ci.yml
@@ -3,6 +3,7 @@ test-clang-compilation:
    - .gitlab-shared-clang
  script:
    - export CFLAGS="-Wall -Werror"
+    - ./autogen.sh
    - ./configure
    - make -j
    - make -j check-programs
@@ -13,6 +14,7 @@ test-clang-Wall-script:
  script:
    - export CFLAGS="-g -O0"
    - export CC="$CI_PROJECT_DIR/.gitlab/ci/clang-Wall"
+    - ./autogen.sh
    - ./configure
    - make -j CFLAGS="-g -O0 -Werror"
    - make -j CFLAGS="-g -O0 -Werror" check-programs
@@ -21,6 +23,7 @@ test-scan-build:
  extends:
    - .gitlab-shared-clang
  script:
+    - ./autogen.sh
    - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} -V ./configure CFLAGS="-g -O0"
    - make clean
    - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j
--- a/.gitlab/ci/compilation-gcc.gitlab-ci.yml
+++ b/.gitlab/ci/compilation-gcc.gitlab-ci.yml
@@ -3,6 +3,7 @@ test-gcc-compilation:
    - .gitlab-shared-gcc
  script:
    - export CFLAGS="-Wall -Werror"
+    - ./autogen.sh
    - ./configure
    - make -j
    - make -j check-programs
@@ -13,6 +14,7 @@ test-gcc-Wall-script:
  script:
    - export CFLAGS="-g -O0"
    - export CC="$CI_PROJECT_DIR/.gitlab/ci/gcc-Wall"
+    - ./autogen.sh
    - ./configure
    - make -j CFLAGS="-g -O0 -Werror"
    - make -j CFLAGS="-g -O0 -Werror" check-programs
@@ -22,6 +24,7 @@ test-gcc-fanalyzer:
    - .gitlab-shared-gcc
  script:
    - export CFLAGS="-Wall -Werror -g -O0 -fanalyzer -fdiagnostics-path-format=separate-events"
+    - ./autogen.sh
    - ./configure
    - make -j
    - make -j check-programs
--- a/.gitlab/ci/compilation-various-disables.yml
+++ b/.gitlab/ci/compilation-various-disables.yml
@@ -0,0 +1,33 @@
+test-gcc-disable-compiles:
+  extends:
+    - .gitlab-shared-gcc
+  parallel:
+    matrix:
+      - DISABLE_FLAGS: [
+          "keyring",
+          "external-tokens ssh-token",
+          "luks2-reencryption",
+          "cryptsetup veritysetup integritysetup",
+          "kernel_crypto",
+          "udev",
+          "internal-argon2",
+          "blkid",
+          "hw-opal"
+      ]
+  artifacts:
+    name: "meson-build-logs-$CI_COMMIT_REF_NAME"
+    paths:
+      - meson_builddir/meson-logs
+  script:
+    - DEBIAN_FRONTEND=noninteractive apt-get -yq install meson ninja-build
+    - export CFLAGS="-Wall -Werror"
+    - ./autogen.sh
+    - echo "Configuring with --disable-$DISABLE_FLAGS"
+    - ./configure $(for i in $DISABLE_FLAGS; do echo "--disable-$i"; done)
+    - make -j
+    - make -j check-programs
+    - git checkout -f && git clean -xdf
+    - meson -v
+    - echo "Configuring with -D$DISABLE_FLAGS=false"
+    - meson setup meson_builddir $(for i in $DISABLE_FLAGS; do [ "$i" == "internal-argon2" ] && echo "-Dargon-implementation=internal" || echo "-D$i=false"; done)
+    - ninja -C meson_builddir
--- a/.gitlab/ci/csmock.yml
+++ b/.gitlab/ci/csmock.yml
@@ -1,17 +1,25 @@
 test-commit-job-csmock:
  extends:
-    - .dump_kernel_log
+    - .fail_if_coredump_generated
  tags:
    - libvirt
-    - rhel7-csmock
+    - cryptsetup-rhel-9
  stage: test
  interruptible: true
  allow_failure: true
  variables:
+    DISTRO: cryptsetup-rhel-9
    RUN_SSH_PLUGIN_TEST: "1"
+    DISK_SIZE: 20
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/ || $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
-    - /opt/csmock-run-script.sh
+    - sudo /opt/run-csmock.sh
+  artifacts:
+    # Upload artifacts when a crash makes the job fail.
+    when: always
+    paths:
+      - cryptsetup-csmock-results.tar.xz
+      - cryptsetup-csmock-results
--- a/.gitlab/ci/debian-i686.yml
+++ b/.gitlab/ci/debian-i686.yml
@@ -0,0 +1,43 @@
+test-mergerq-job-debian-i686:
+  extends:
+    - .debian-prep
+  tags:
+    - libvirt
+    - cryptsetup-debian-12i686
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-debian-12i686
+    RUN_SSH_PLUGIN_TEST: "1"
+  rules:
+    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
+      when: never
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  script:
+    - make -j
+    - make -j -C tests check-programs
+    - sudo -E make check
+
+test-main-commit-job-debian-i686:
+  extends:
+    - .debian-prep
+  tags:
+    - libvirt
+    - cryptsetup-debian-12i686
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-debian-12i686
+    RUN_SSH_PLUGIN_TEST: "1"
+  rules:
+    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
+      when: never
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  script:
+    - make -j
+    - make -j -C tests check-programs
+    - sudo -E make check
--- a/.gitlab/ci/debian.yml
+++ b/.gitlab/ci/debian.yml
@@ -1,14 +1,18 @@
 .debian-prep:
  extends:
-    - .dump_kernel_log
+    - .fail_if_coredump_generated
  before_script:
+    - sudo apt-get -y update
    - >
-      sudo apt-get -y install -y -qq  git gcc make
-      autoconf automake autopoint pkg-config libtool libtool-bin gettext
-      libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol1-dev
-      libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev
-      libpwquality-dev sharutils dmsetup jq xxd expect keyutils
-      netcat passwd openssh-client sshpass asciidoctor
+      [ -z "$RUN_SYSTEMD_PLUGIN_TEST" ] ||
+      sudo apt-get -y install -y -qq swtpm meson ninja-build python3-jinja2
+      gperf libcap-dev libtss2-dev libmount-dev swtpm-tools
+    - >
+      sudo apt-get -y install -y -qq git gcc make autoconf automake autopoint
+      pkgconf libtool libtool-bin gettext libssl-dev libdevmapper-dev
+      libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev
+      tar libargon2-dev libpwquality-dev sharutils dmsetup jq xxd expect
+      keyutils netcat-openbsd passwd openssh-client sshpass asciidoctor
    - sudo apt-get -y build-dep cryptsetup
    - sudo -E git clean -xdf
    - ./autogen.sh
@@ -19,10 +23,11 @@ test-mergerq-job-debian:
    - .debian-prep
  tags:
    - libvirt
-    - debian10
+    - cryptsetup-debian-12
  stage: test
  interruptible: true
  variables:
+    DISTRO: cryptsetup-debian-12
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
@@ -38,10 +43,11 @@ test-main-commit-job-debian:
    - .debian-prep
  tags:
    - libvirt
-    - debian10
+    - cryptsetup-debian-12
  stage: test
  interruptible: true
  variables:
+    DISTRO: cryptsetup-debian-12
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
@@ -51,3 +57,46 @@ test-main-commit-job-debian:
    - make -j
    - make -j -C tests check-programs
    - sudo -E make check
+
+# meson tests
+test-mergerq-job-debian-meson:
+  extends:
+    - .debian-prep
+  tags:
+    - libvirt
+    - cryptsetup-debian-12
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-debian-12
+    RUN_SSH_PLUGIN_TEST: "1"
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  script:
+    - sudo apt-get -y install -y -qq meson ninja-build
+    - meson setup build
+    - ninja -C build
+    - cd build && sudo -E meson test --verbose --print-errorlogs
+
+test-main-commit-job-debian-meson:
+  extends:
+    - .debian-prep
+  tags:
+    - libvirt
+    - cryptsetup-debian-12
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-debian-12
+    RUN_SSH_PLUGIN_TEST: "1"
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  script:
+    - sudo apt-get -y install -y -qq meson ninja-build
+    - meson setup build
+    - ninja -C build
+    - cd build && sudo -E meson test --verbose --print-errorlogs
--- a/.gitlab/ci/fedora-opal.yml
+++ b/.gitlab/ci/fedora-opal.yml
@@ -0,0 +1,136 @@
+.opal-template-fedora:
+  extends:
+    - .dnf-openssl-backend
+  tags:
+    - libvirt
+    - cryptsetup-fedora-rawhide
+  stage: test-opal
+  interruptible: false
+  variables:
+    OPAL2_DEV: "/dev/nvme0n1"
+    OPAL2_PSID_FILE: "/home/gitlab-runner/psid.txt"
+    VOLATILE: 1
+  script:
+    - sudo dnf install -y -q nvme-cli
+    - sudo nvme list
+    - make -j
+    - make -j -C tests check-programs
+    - sudo -E make check TESTS="00modules-test compat-test-opal"
+
+# Samsung SSD 980 500GB (on tiber machine)
+test-commit-rawhide-samsung980:
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  extends:
+    - .opal-template-fedora
+  tags:
+    - tiber
+  interruptible: false
+  variables:
+    PCI_PASSTHROUGH_VENDOR_ID: "144d"
+    PCI_PASSTHROUGH_DEVICE_ID: "a809"
+
+test-mergerq-rawhide-samsung980:
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  extends:
+    - .opal-template-fedora
+  tags:
+    - tiber
+  interruptible: false
+  variables:
+    PCI_PASSTHROUGH_VENDOR_ID: "144d"
+    PCI_PASSTHROUGH_DEVICE_ID: "a809"
+
+# WD PC SN740 SDDQNQD-512G-1014 (on tiber machine)
+test-commit-rawhide-sn740:
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  extends:
+    - .opal-template-fedora
+  tags:
+    - tiber
+  interruptible: false
+  variables:
+    PCI_PASSTHROUGH_VENDOR_ID: "15b7"
+    PCI_PASSTHROUGH_DEVICE_ID: "5017"
+
+test-mergerq-rawhide-sn740:
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  extends:
+    - .opal-template-fedora
+  tags:
+    - tiber
+  interruptible: false
+  variables:
+    PCI_PASSTHROUGH_VENDOR_ID: "15b7"
+    PCI_PASSTHROUGH_DEVICE_ID: "5017"
+
+# Samsung SSD 980 PRO 1TB (on trantor machine)
+test-commit-rawhide-samsung980pro:
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  extends:
+    - .opal-template-fedora
+  tags:
+    - trantor
+  interruptible: false
+  variables:
+    PCI_PASSTHROUGH_VENDOR_ID: "144d"
+    PCI_PASSTHROUGH_DEVICE_ID: "a80a"
+
+test-mergerq-rawhide-samsung980pro:
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  extends:
+    - .opal-template-fedora
+  tags:
+    - trantor
+  interruptible: false
+  variables:
+    PCI_PASSTHROUGH_VENDOR_ID: "144d"
+    PCI_PASSTHROUGH_DEVICE_ID: "a80a"
+
+# # UMIS RPETJ256MGE2MDQ (on tiber machine)
+# test-commit-rawhide-umis:
+#   rules:
+#     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+#       when: never
+#     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+#   extends:
+#     - .opal-template-fedora
+#   tags:
+#     - tiber
+#   stage: test
+#   interruptible: false
+#   variables:
+#     PCI_PASSTHROUGH_VENDOR_ID: "1cc4"
+#     PCI_PASSTHROUGH_DEVICE_ID: "6302"
+#
+# test-mergerq-rawhide-umis:
+#   rules:
+#     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+#       when: never
+#     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+#   extends:
+#     - .opal-template-fedora
+#   tags:
+#     - tiber
+#   stage: test
+#   interruptible: false
+#   variables:
+#     PCI_PASSTHROUGH_VENDOR_ID: "1cc4"
+#     PCI_PASSTHROUGH_DEVICE_ID: "6302"
--- a/.gitlab/ci/fedora.yml
+++ b/.gitlab/ci/fedora.yml
@@ -1,9 +1,16 @@
 .dnf-openssl-backend:
+  variables:
+    DISTRO: cryptsetup-fedora-rawhide
  extends:
-    - .dump_kernel_log
+    - .fail_if_coredump_generated
  before_script:
    - >
-      sudo dnf -y -q  install
+      [ -z "$RUN_SYSTEMD_PLUGIN_TEST" ] ||
+      sudo dnf -y -q install
+      swtpm meson ninja-build python3-jinja2 gperf libcap-devel tpm2-tss-devel
+      libmount-devel swtpm-tools
+    - >
+      sudo dnf -y -q install
      autoconf automake device-mapper-devel gcc gettext-devel json-c-devel
      libargon2-devel libblkid-devel libpwquality-devel libselinux-devel
      libssh-devel libtool libuuid-devel make popt-devel
@@ -19,7 +26,7 @@ test-main-commit-job-rawhide:
    - .dnf-openssl-backend
  tags:
    - libvirt
-    - fedora-rawhide
+    - cryptsetup-fedora-rawhide
  stage: test
  interruptible: true
  allow_failure: true
@@ -39,7 +46,7 @@ test-mergerq-job-rawhide:
    - .dnf-openssl-backend
  tags:
    - libvirt
-    - fedora-rawhide
+    - cryptsetup-fedora-rawhide
  stage: test
  interruptible: true
  allow_failure: true
--- a/.gitlab/ci/gcc-Wall
+++ b/.gitlab/ci/gcc-Wall
@@ -31,7 +31,7 @@ EXTRA="-Wextra \
 -Wunsafe-loop-optimizations \
 -Wold-style-definition \
 -Wno-missing-field-initializers \
- -Wno-unused-parameter \
+ -Wunused-parameter \
 -Wno-long-long \
 -Wmaybe-uninitialized \
 -Wvla \
--- a/.gitlab/ci/gitlab-shared-docker.yml
+++ b/.gitlab/ci/gitlab-shared-docker.yml
@@ -1,5 +1,5 @@
 .gitlab-shared-docker:
-  image: ubuntu:focal
+  image: ubuntu:lunar
  tags:
    - gitlab-org-docker
  stage: test
@@ -12,7 +12,6 @@
    - .gitlab/ci/cibuild-setup-ubuntu.sh
    - export CC="${COMPILER}${COMPILER_VERSION:+-$COMPILER_VERSION}"
    - export CXX="${COMPILER}++${COMPILER_VERSION:+-$COMPILER_VERSION}"
-    - ./autogen.sh

 .gitlab-shared-gcc:
  extends:
@@ -27,5 +26,5 @@
    - .gitlab-shared-docker
  variables:
    COMPILER: "clang"
-    COMPILER_VERSION: "13"
+    COMPILER_VERSION: "17"
    RUN_SSH_PLUGIN_TEST: "1"
--- a/.gitlab/ci/rhel.yml
+++ b/.gitlab/ci/rhel.yml
@@ -1,6 +1,6 @@
 .rhel-openssl-backend:
  extends:
-    - .dump_kernel_log
+    - .fail_if_coredump_generated
  before_script:
    - >
      sudo yum -y -q  install
@@ -21,12 +21,15 @@ test-main-commit-rhel8:
    - .rhel-openssl-backend
  tags:
    - libvirt
-    - rhel8
+    - cryptsetup-rhel-8
  stage: test
  interruptible: true
  variables:
+    DISTRO: cryptsetup-rhel-8
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
+    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
+      when: never
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
@@ -40,12 +43,15 @@ test-main-commit-rhel9:
    - .rhel-openssl-backend
  tags:
    - libvirt
-    - rhel9
+    - cryptsetup-rhel-9
  stage: test
  interruptible: true
  variables:
+    DISTRO: cryptsetup-rhel-9
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
+    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
+      when: never
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
@@ -61,16 +67,20 @@ test-main-commit-rhel8-fips:
    - .rhel-openssl-backend
  tags:
    - libvirt
-    - rhel8-fips
+    - cryptsetup-rhel-8-fips
  stage: test
  interruptible: true
  variables:
+    DISTRO: cryptsetup-rhel-8-fips
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
+    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
+      when: never
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
  script:
+    - fips-mode-setup --check || exit 1
    - make -j
    - make -j -C tests check-programs
    - sudo -E make check
@@ -80,17 +90,21 @@ test-main-commit-rhel9-fips:
    - .rhel-openssl-backend
  tags:
    - libvirt
-    - rhel9-fips
+    - cryptsetup-rhel-9-fips
  stage: test
  interruptible: true
  allow_failure: true
  variables:
+    DISTRO: cryptsetup-rhel-9-fips
    RUN_SSH_PLUGIN_TEST: "1"
  rules:
+    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
+      when: never
    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
  script:
+    - fips-mode-setup --check || exit 1
    - make -j
    - make -j -C tests check-programs
    - sudo -E make check
--- a/.gitlab/issue_templates/Bug.md
+++ b/.gitlab/issue_templates/Bug.md
@@ -9,7 +9,10 @@

 ### Debug log
 <!-- Paste a debug log of the failing command (add --debug option) between the markers below (to keep raw debug format).-->
+<!-- We need a lot of information from the debug log; without it, we cannot process your report. -->
+<!-- Debug log does not contain any private information. Do not paste private data; we'll ask you for more information if needed. -->
 ```
 Output with --debug option:

 ```
+<!-- NOTE: WITHOUT DEBUG LOG, THE BUG REPORT WILL BE CLOSED. ALSO, PLEASE DO NOT TRY TO REMOVE PARTS OF THE DEBUG LOG! -->
--- a/.lgtm.yml
+++ b/.lgtm.yml
@@ -1,11 +0,0 @@
-queries:
-  - exclude: cpp/fixme-comment
-  - exclude: cpp/empty-block
-# symver attribute detection cannot be used, disable it for lgtm
-extraction:
-  cpp:
-    configure:
-      command:
-      - "./autogen.sh"
-      - "./configure --enable-external-tokens --enable-ssh-token"
-      - "echo \"#undef HAVE_ATTRIBUTE_SYMVER\" >> config.h"
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,157 @@
+Contributing to cryptsetup
+==========================
+For basic information about the cryptsetup project, please read [README](README.md).
+
+The Cryptsetup project uses free, open-source licenses; details are described in [licensing](README.licensing).
+
+For contribution code or documentation to the cryptsetup project, you must have the necessary rights to the content, and your contribution must be provided under the required license.
+
+We welcome contributions from everyone.
+
+Cryptsetup is an independent project with much volunteer effort, and our resources are limited.
+Following the guidelines specified in this file makes it easier for us to process your issue.
+
+Project maintainers can remove or reject abusive or otherwise unacceptable comments or code.
+
+Git repository
+--------------
+The primary repository is located at [gitlab.com/cryptsetup/cryptsetup](https://gitlab.com/cryptsetup/cryptsetup).
+The development branch is ``main``; minor stable releases can use their branches with cherry-picked or backported patches.
+
+There are backup mirrors located at [github.com/mbroz/cryptsetup](https://github.com/mbroz/cryptsetup) and [git.kernel.org/pub/scm/utils/cryptsetup/cryptsetup.git](https://git.kernel.org/pub/scm/utils/cryptsetup/cryptsetup.git).
+
+How to make a bug report
+------------------------
+To report an issue or feature request, please use GitLab [cryptsetup issue tracker](https://gitlab.com/cryptsetup/cryptsetup/-/issues).
+
+Before reporting an issue, please try to search documentation and existing issues. Always try to reproduce the problem on the latest supported release.
+Please *always* collect and attach ``--debug`` log and other information as instructed in the issue template.
+Even if you think the problem is obvious, we need logged information about the environment (like versions of kernel modules, etc.).
+
+Please do not report distribution-specific issues if they are not present in the latest upstream release.
+For such reports, please use downstream distribution-specific trackers.
+If the issue is related to upstream, downstream maintainers will redirect you here, or upstream maintainers will join the discussion.
+
+If you think that you found some security bug, please follow the instructions in the [SECURITY](SECURITY.md) file.
+
+How to contribute changes to cryptsetup
+---------------------------------------
+The following notes are a very short introduction to cryptsetup internal processes and an overview of generic rules that should be followed for all changes.
+
+Changes from developers and external contributors should go through the GitLab repository [merge reguests](https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests).
+Alternatively (for trivial changes), you can send a patch to [cryptsetup mailing list](mailto:cryptsetup@lists.linux.dev).
+
+Please do not write personal emails with questions or patches to maintainers and developers.
+
+### Project structure
+Cryptsetup projects include a libcryptsetup library, tools, token plugins, documentation, and a test suite.
+
+Cryptsetup library (libcryptsetup) exports [versioned symbols](lib/libcryptsetup.sym).
+Tools (cryptsetup, veritysetup, integritysetup) use libcryptsetup shared library.
+Some isolated parts in the lib directory can be reused for tools (the source is recompiled).
+
+The basic directory structure in the repository is
+```
+├── docs - Documentation and release notes.
+├── lib  - libcryptsetup implementation
+│   ├── bitlk           - Bitlocker format
+│   ├── crypto_backend  - Cryptography backend
+│   ├── fvault2         - FileVault2 format
+│   ├── integrity       - Linux dm-integrity interface
+│   ├── loopaes         - Linux LoopAES format
+│   ├── luks1           - LUKS1 format
+│   ├── luks2           - LUKS2 format including OPAL2 SED
+│   ├── tcrypt          - TrueCrypt / VeraCrypt format
+│   └── verity          - Linux dm-verity interface
+├── man - Manual pages (in AsciiDoc format)
+├── misc - Miscellaneous additions
+├── po - Translation files
+├── scripts - Scripts for system configuration
+├── src - Tools implementation
+├── tests - Testsuite (test units, regression tests, fuzzing)
+└── tokens - Token plugins
+```
+### Coordination with other projects
+The cryptsetup tools and library use low-level functions that depend on many other subsystems.
+Currently, the project is supported only for Linux (it will not work on Android or other systems).
+
+Cryptsetup project requires some parts of the Linux kernel, notably the *Device Mapper* (dm-crypt, dm-integrity, dm-verity, dm-zero modules) and kernel *userspace cryptographic interface*.
+Missing kernel interface can significantly limit (or even disallow) cryptsetup functionality.
+
+Integration in operating systems also depends on several other projects, most notably *systemd* (that implements its own tooling using libcryptsetup) and *util-Linux* (*blkid* parsing of supported format metadata). Some changes must be synchronized in all needed places (kernel, blkid, libcryptsetup).
+
+Several other projects implement their own token metadata (either through binary token plugins or through generic libcryptsetup JSON token access functions).
+
+### Used cryptography algorithms
+Cryptsetup avoids implementing cryptographic primitives but uses cryptographic libraries.
+Exceptions were PBKDF internal implementations - PBKDF2 and Argon2 until these were integrated into major cryptographic libraries.
+
+Cryptsetup can be compiled with several cryptographic libraries backend (OpenSSL, libgcrypt, Nettle, NSS, and Linux kernel userspace API).
+OpenSSL is the default and strongly recommended configuration.
+
+If the cryptographic library does not implement some cryptographic primitive (for example, if running in a FIPS-140 environment or just
+because it does not include it at all), functionality could be limited.
+
+### Configuration and versioning
+Cryptsetup can be configured using *Autoconf* or *Meson*. Autoconf support is being deprecated in the long term.
+Currently, all new configuration options must be implemented in both systems.
+
+Cryptsetup intentionally does not use a system configuration file (located in /etc).
+All functionality must be determined dynamically.
+
+All related /etc configuration files (crypttab, fstab and others) are maintained by systemd (in some legacy distributions by cryptsetup downstream).
+
+Cryptsetup uses [semantic versioning](https://semver.org/).
+Major and minor releases are always based on the main git branch; the minor stable (patch) versions can have some specific branch with backported or cherry-picked patches (from the main branch).
+Usually, minor releases happen twice per year and stable patch updates according to reported bugs (in 1-3 month intervals).
+
+### Compilation and debugging
+The library and tools are written in C language; we require C99 and support gcc and Clang compilers.
+Manual pages are generated from AsciiDoc sources and libcryptsetup API documentation by Doxygen (from libcryptsetup.h comments).
+Testsuite is a combination of local C utilities, fuzzing implementation in C++, bash scripts, and uses many other system utilities.
+
+All tools contain compiled-in debug messages that are available through --debug options.
+
+With Autoconf and libtool, you can run the cryptsetup tool in the debugger without installation using this one-line script:
+```
+libtool --mode=execute gdb --args ./cryptsetup --debug $@
+```
+This will ensure that a properly compiled libcryptsetup file is used.
+
+### Coding style
+Cryptsetup uses [Linux kernel coding style](https://www.kernel.org/doc/html/latest/process/coding-style.html) for libcryptsetup and tools (where applicable) with some additional notes:
+- Use tabulators for indentation; the line should not exceed 100 characters with an 8-character tabulator. Otherwise, use a tab of any length. :-).
+- The minimal C standard required is C99.
+- The ``goto`` use is allowed only for error path (``goto out`` for common code path, ``goto err`` for specific error code path).
+- Split patches per change; do not submit huge patches combining several changes.
+- Use an elaborative description in the patch header.
+- No need to use sign-off-by lines.
+- Use name prefixes (``crypt_``, ``LUKS2_`` and similar).
+- Avoid extensive preprocessor use (specifically ``#ifdef`` sections).
+- Use output only through ``log_err, log_std, log_verbose, log_dbg`` macros.
+  The ``log_dbg`` is always in English; the others should be wrapped in the ``_()`` macro for translation.
+- Use ``assert()`` but only for simple invariants and variables (avoid calling functions).
+  Do not use assert for user-defined input (this should be a normal error path).
+- The code style is quite relaxed in testing scripts (code there is not intended for production use).
+
+### General rules and testing
+- Cryptsetup should work on all architectures supported by the Linux kernel.
+Only very few functionalities require specific hardware (notably Opal SED support).
+If you want to introduce some specific hardware support, please discuss it with the maintainers first.
+
+- All code changes should go through merge requests and reviews.
+Code can be merged after review approval (done by someone with the commit right to the development repository), but reviews from external people are very welcome, too.
+
+- All new functionality must come with at least rudimentary coverage in the test suite.
+Always run the test suite before opening the merge request (``make check`` with root privilege).
+
+- We have continuous integration (CI) that runs many tests automatically, but the output is not directly visible for external merge request authors (for security reasons).
+All CI scripts are available in .gitlab and .github folders in the project repository.
+
+  Maintainers will provide you log files if anything fails. Your code must produce no warnings before it is merged.
+
+- We run compilation with many extended [gcc](.gitlab/ci/gcc-Wall) and [Clang](.gitlab/ci/clang-Wall) warnings and include some analyzers, notably
+  - [Coverity](https://scan.coverity.com), GitHub CodeQL, Clang scan-build, and gcc static analyzer, and
+  - fuzzing integrated in [OSS-fuzz project](https://github.com/google/oss-fuzz/tree/master/projects/cryptsetup).
+
+- Testsuite can also partially run under Valgrind dynamic analyzer with ``make valgrind-check``.
--- a/FAQ.md
+++ b/FAQ.md
@@ -169,17 +169,12 @@
  me write the section.  Please note that by contributing to this FAQ,
  you accept the license described below.

-  This work is under the "Attribution-Share Alike 3.0 Unported" license,
-  which means distribution is unlimited, you may create derived works, but
+  This work is licensed under a Creative Commons CC-BY-SA-4.0
+  "Attribution-ShareAlike 4.0 International" license which means
+  distribution is unlimited, you may create derived works, but
  attributions to original authors and this license statement must be
-  retained and the derived work must be under the same license.  See
-  https://creativecommons.org/licenses/by-sa/3.0/ for more details of the
-  license.
-
-  Side note: I did text license research some time ago and I think this
-  license is best suited for the purpose at hand and creates the least
-  problems.
-
+  retained and the derived work must be under the same license.
+  See https://creativecommons.org/licenses/by-sa/4.0/ for more details.

  * **1.6 Where is the project website?**

@@ -1192,7 +1187,7 @@

  More references can be found at the end of this document.  Note that
  these are estimates from the defender side, so assuming something is
-  easier than it actually is is fine.  An attacker may still have
+  easier than it actually is fine.  An attacker may still have
  significantly higher cost than estimated here.

  LUKS1 used SHA1 (since version 1.7.0 it uses SHA256) for hashing per
@@ -1864,11 +1859,11 @@

  This basically means that if you already have a slot-key, and you have
  set the PBKDF2 iteration count to 1 (it is > 10'000 normally), you could
-  (maybe) derive a different passphrase that gives you the the same
-  slot-key.  But if you have the slot-key, you can already unlock the
-  key-slot and get the volume key, breaking everything.  So basically,
-  this SHA-1 vulnerability allows you to open a LUKS1 container with high
-  effort when you already have it open.
+  (maybe) derive a different passphrase that gives you the same slot-key.
+  But if you have the slot-key, you can already unlock the key-slot and
+  get the volume key, breaking everything.  So basically, this SHA-1
+  vulnerability allows you to open a LUKS1 container with high effort when
+  you already have it open.

  The real problem here is people that do not understand crypto and claim
  things are broken just because some mechanism is used that has been
@@ -2506,6 +2501,31 @@ offset  length  name                  data type  description
  individually created (and hence has its own volume key).  In this case,
  changing the default passphrase will make it secure again.

+  * **6.16 How to convert the printed volume key to a raw one?**
+  A volume key printed via something like:
+```
+      cryptsetup --dump-volume-key luksDump /dev/<device> >volume-key
+```
+(i.e. without using `--volume-key-file`), which gives something like:
+```
+LUKS header information for /dev/<device>
+Cipher name:   	aes
+Cipher mode:   	xts-plain64
+Payload offset:	32768
+UUID:          	6e914442-e8b5-4eb5-98c4-5bf0cf17ecad
+MK bits:       	512
+MK dump:	e0 3f 15 c2 0f e5 80 ab 35 b4 10 03 ae 30 b9 5d 
+		4c 0d 28 9e 1b 0f e3 b0 50 57 ef d4 4d 53 a0 12 
+		b7 4e 43 a1 20 7e c5 02 1f f1 f5 08 04 3c f5 20 
+		a6 0b 23 f6 7b 53 55 aa 22 d8 aa 02 e0 2f d5 04 
+```
+can be converted to the raw volume key for example via:
+```
+      sed -E -n '/^MK dump:\t/,/^[^\t]/{0,/^MK dump:\t/s/^MK dump://; /^([^\t].*)?$/q; s/\t+//p;};' volume-key  |  xxd -r -p
+```
+
+
+

 # 7. Interoperability with other Disk Encryption Tools

@@ -3014,9 +3034,9 @@ offset  length  name                  data type  description
  currently associated with any data/crypt segment (encrypted area) in the 
  LUKS2 'Segments' section (displayed by luksDump).

-  This is a bit of a more general idea. It basically allows to use a keyslot
-  as a container for a key to be used in other things than decrypting a 
-  data segment.
+  This is a bit of a more general idea. It basically allows one to use a
+  keyslot as a container for a key to be used in other things than decrypting
+  a data segment.

  As of April 2020, the following uses are defined:

--- a/Makefile.am
+++ b/Makefile.am
@@ -1,5 +1,18 @@
-EXTRA_DIST = README.md COPYING.LGPL FAQ.md docs misc autogen.sh
-SUBDIRS = po tests
+EXTRA_DIST = README.md SECURITY.md COPYING.LGPL CONTRIBUTING.md FAQ.md docs misc autogen.sh
+EXTRA_DIST += meson_options.txt \
+	meson.build \
+	lib/crypto_backend/argon2/meson.build \
+	lib/crypto_backend/meson.build \
+	lib/meson.build \
+	man/meson.build \
+	po/meson.build \
+	scripts/meson.build \
+	src/meson.build \
+	tests/meson.build \
+	tokens/meson.build \
+	tokens/ssh/meson.build
+
+SUBDIRS = po tests tests/fuzz
 CLEANFILES =
 DISTCLEAN_TARGETS =

@@ -14,8 +27,14 @@ AM_CPPFLAGS = \
        -DVERSION=\""$(VERSION)"\"              \
        -DEXTERNAL_LUKS2_TOKENS_PATH=\"${EXTERNAL_LUKS2_TOKENS_PATH}\"
 AM_CFLAGS = -Wall
+AM_CXXFLAGS = -Wall
 AM_LDFLAGS =

+if ENABLE_FUZZ_TARGETS
+AM_CFLAGS += -fsanitize=fuzzer-no-link
+AM_CXXFLAGS += -fsanitize=fuzzer-no-link
+endif
+
 LDADD = $(LTLIBINTL)

 tmpfilesddir = @DEFAULT_TMPFILESDIR@
@@ -64,3 +83,8 @@ uninstall-local:

 check-programs: libcryptsetup.la
 	$(MAKE) -C tests $@
+
+if ENABLE_FUZZ_TARGETS
+fuzz-targets: libcryptsetup.la libcrypto_backend.la
+	$(MAKE) -C tests/fuzz $@
+endif
--- a/README.md
+++ b/README.md
@@ -2,121 +2,144 @@

 What the ...?
 =============
-**Cryptsetup** is a utility used to conveniently set up disk encryption based
-on the [DMCrypt](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt) kernel module.
+**Cryptsetup** is an open-source utility used to conveniently set up disk encryption based
+on the [dm-crypt](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt) kernel module.

-These include **plain** **dm-crypt** volumes, **LUKS** volumes, **loop-AES**,
-**TrueCrypt** (including **VeraCrypt** extension) and **BitLocker** formats.
+These formats are supported:
+  * **plain** volumes,
+  * **LUKS** volumes,
+  * **loop-AES**,
+  * **TrueCrypt** (including **VeraCrypt** extension),
+  * **BitLocker**, and
+  * **FileVault2**.

 The project also includes a **veritysetup** utility used to conveniently setup
-[DMVerity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity) block integrity checking kernel module
-and **integritysetup** to setup
-[DMIntegrity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMIntegrity) block integrity kernel module.
+[dm-verity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity)
+block integrity checking kernel module and **integritysetup** to setup
+[dm-integrity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMIntegrity)
+block integrity kernel module.

 LUKS Design
 -----------
-**LUKS** is the standard for Linux hard disk encryption. By providing a standard on-disk-format, it does not  
-only facilitate compatibility among distributions, but also provides secure management of multiple user passwords.  
-LUKS stores all necessary setup information in the partition header, enabling to transport or migrate data seamlessly.
+**LUKS** is the standard for Linux disk encryption. By providing a standardized on-disk format,
+it not only facilitate compatibility among distributions, but also enables secure management
+of multiple user passwords. LUKS stores all necessary setup information in the partition header,
+which enables users to transport or migrate data seamlessly.

-### Specifications
-
-Last version of the LUKS2 format specification is
-[available here](https://gitlab.com/cryptsetup/LUKS2-docs).
-
-Last version of the LUKS1 format specification is
-[available here](https://www.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf).
-
-Why LUKS?
---------
- * compatibility via standardization,
- * secure against low entropy attacks,
- * support for multiple keys,
- * effective passphrase revocation,
- * free.
-
-[Project home page](https://gitlab.com/cryptsetup/cryptsetup/).
-----------------
-
-[Frequently asked questions (FAQ)](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions)
--------------------------------
+### Specification and documentation
+  * The latest version of the
+  [LUKS2 format specification](https://gitlab.com/cryptsetup/LUKS2-docs).
+  * The latest version of the
+  [LUKS1 format specification](https://www.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf).
+  * [Project home page](https://gitlab.com/cryptsetup/cryptsetup/).
+  * [Frequently asked questions (FAQ)](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions)

 Download
 --------
-All release tarballs and release notes are hosted on [kernel.org](https://www.kernel.org/pub/linux/utils/cryptsetup/).
+Release notes and tarballs are available at
+[kernel.org](https://www.kernel.org/pub/linux/utils/cryptsetup/).

-**The latest stable release candidate cryptsetup version is 2.5.0-rc1**
-  * [cryptsetup-2.5.0-rc1.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/cryptsetup-2.5.0-rc1.tar.xz)
-  * Signature [cryptsetup-2.5.0-rc1.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/cryptsetup-2.5.0-rc1.tar.sign)
+**The latest stable cryptsetup release version is 2.7.3**
+  * [cryptsetup-2.7.3.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.3.tar.xz)
+  * Signature [cryptsetup-2.7.3.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.3.tar.sign)
    _(You need to decompress file first to check signature.)_
-  * [Cryptsetup 2.5.0-rc1 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/v2.5.0-rc1-ReleaseNotes).
-
-**The latest stable cryptsetup version is 2.4.3**
-  * [cryptsetup-2.4.3.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-2.4.3.tar.xz)
-  * Signature [cryptsetup-2.4.3.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-2.4.3.tar.sign)
-    _(You need to decompress file first to check signature.)_
-  * [Cryptsetup 2.4.3 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/v2.4.3-ReleaseNotes).
+  * [Cryptsetup 2.7.3 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.3-ReleaseNotes).

 Previous versions
- * [Version 2.3.7](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-2.3.7.tar.xz) -
-   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-2.3.7.tar.sign) -
-   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/v2.3.7-ReleaseNotes).
+ * [Version 2.6.1](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.1.tar.xz) -
+   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.1.tar.sign) -
+   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/v2.5.0-ReleaseNotes).
 * [Version 1.7.5](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.xz) -
   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.sign) -
   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.5-ReleaseNotes).

-Source and API docs
-------------------
-For development version code, please refer to [source](https://gitlab.com/cryptsetup/cryptsetup/tree/master) page,
-mirror on [kernel.org](https://git.kernel.org/cgit/utils/cryptsetup/cryptsetup.git/) or [GitHub](https://github.com/mbroz/cryptsetup).
+Source and API documentation
+----------------------------
+For development version code, please refer to the
+[source](https://gitlab.com/cryptsetup/cryptsetup/tree/master) page, with mirrors
+at [kernel.org](https://git.kernel.org/cgit/utils/cryptsetup/cryptsetup.git/) and
+[GitHub](https://github.com/mbroz/cryptsetup).

-For libcryptsetup documentation see [libcryptsetup API](https://mbroz.fedorapeople.org/libcryptsetup_API/) page.
+For libcryptsetup documentation see
+[libcryptsetup API](https://mbroz.fedorapeople.org/libcryptsetup_API/) page.

-The libcryptsetup API/ABI changes are tracked in [compatibility report](https://abi-laboratory.pro/tracker/timeline/cryptsetup/).
-
-NLS PO files are maintained by [TranslationProject](https://translationproject.org/domain/cryptsetup.html).
+NLS PO files are maintained by
+[TranslationProject](https://translationproject.org/domain/cryptsetup.html).

 Required packages
 -----------------
-All distributions provide cryptsetup as distro package. If you need to compile cryptsetup yourself, some packages are required for compilation. Please always prefer distro specific build tools to manually configuring cryptsetup.
+All major Linux distributions provide cryptsetup as a bundled package. If you need
+to compile cryptsetup yourself, various additional packages are required.
+Any distribution-specific build tools are preferred when manually configuring cryptsetup.

-Here is the list of packages needed for the compilation of project for particular distributions:
- * For Fedora: `git gcc make autoconf automake gettext-devel pkgconfig openssl-devel popt-devel device-mapper-devel libuuid-devel json-c-devel libblkid-devel findutils libtool libssh-devel tar`. Optionally `libargon2-devel libpwquality-devel`. To run the internal testsuite you also need to install `sharutils device-mapper jq vim-common expect keyutils netcat shadow-utils openssh-clients openssh sshpass`.
+Below are the packages needed to build for certain Linux distributions:

- * For Debian and Ubuntu: `git gcc make autoconf automake autopoint pkg-config libtool gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol1-dev libjson-c-dev libssh-dev libblkid-dev tar`. Optionally `libargon2-0-dev libpwquality-dev`. To run the internal testsuite you also need to install `sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass`
+**For Fedora**:
+```
+git gcc make autoconf automake gettext-devel pkgconfig openssl-devel popt-devel device-mapper-devel
+libuuid-devel json-c-devel libblkid-devel findutils libtool libssh-devel tar

-Note that the list could change as the distributions evolve.
+Optionally: libargon2-devel libpwquality-devel
+```
+To run the internal testsuite (make check) you also need to install
+```
+sharutils device-mapper jq vim-common expect keyutils netcat shadow-utils openssh-clients openssh sshpass
+```
+
+**For Debian and Ubuntu**:
+```
+git gcc make autoconf automake autopoint pkg-config libtool gettext libssl-dev libdevmapper-dev
+libpopt-dev uuid-dev libsepol1-dev libjson-c-dev libssh-dev libblkid-dev tar
+
+Optionally: libargon2-0-dev libpwquality-dev
+```
+To run the internal testsuite (make check) you also need to install
+```
+sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass
+```
+
+Note that the list may change as Linux distributions evolve.

 Compilation
 -----------
-The cryptsetup project uses **automake** and **autoconf** system to generate all needed files for compilation. If you check it from the git snapshot, use ``./autogen.sh && ./configure && make`` to compile the project. If you use downloaded released ``*.tar.xz`` archive, the configure script is already pre-generated (no need to run ``autoconf.sh``).
-See ``./configure --help`` and use ``--disable-*`` and ``--enable-*`` options.
+The cryptsetup project uses **automake** and **autoconf** system to generate all files needed to build.
+When building from a git snapshot,, use **./autogen.sh && ./configure && make**
+to compile the project. When building from a release **tar.xz** tarball, the configure script
+is pre-generated (no need to run **autoconf.sh**).
+See **./configure --help** and use the **--disable-[feature]** and **--enable-[feature]** options.

-For running the test suite that come with the project, type ``make check``.
-Note that most tests will need root user privileges and run many dangerous storage fail simulations.
-Do **not** run tests with root privilege on production systems! Some tests will need scsi_debug kernel module to be available.
+To run the test suite that come with the project, type **make check**.
+Note that most tests will need root user privileges and will run dangerous storage failure simulations.
+Do **not** run tests with root privilege on production systems! Some tests will need the **scsi_debug**
+kernel module to be installed.

-For more details, please refer to [automake](https://www.gnu.org/software/automake/manual/automake.html) and [autoconf](https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf.html) manuals.
+For more details, please refer to the
+[automake](https://www.gnu.org/software/automake/manual/automake.html) and
+[autoconf](https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf.html) documentation.

 Help!
 -----
-
 ### Documentation
+Please read the following before posting questions to the mailing list so that
+you can ask better questions and better understand answers.

-Please read the following documentation before posting questions in the mailing list.   You will be able to ask better questions and better understand the answers.  
-
-* [FAQ](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions) 
-* LUKS Specifications
+* [Frequently asked questions (FAQ)](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions),
+* [LUKS Specifications](#specification-and-documentation), and
 * manuals (aka man page, man pages, man-page) 

-The FAQ is online and in the source code for the project.  The Specifications are referenced above in this document.  The man pages are in source and should be available after installation using standard man commands.  e.g.  man cryptsetup
+The FAQ is available online and in the source code for the project. The specifications are
+referenced above in this document. The man pages live within the source tree and should be
+available after installation using standard man commands, e.g. **man cryptsetup**.

 ### Mailing List
-
-For cryptsetup and LUKS related questions, please use the cryptsetup mailing list [cryptsetup@lists.linux.dev](mailto:cryptsetup@lists.linux.dev), hosted at [kernel.org subspace](https://subspace.kernel.org/lists.linux.dev.html).
-To subscribe send an empty mail to [cryptsetup+subscribe@lists.linux.dev](mailto:cryptsetup+subscribe@lists.linux.dev).
+For cryptsetup and LUKS related questions, please use the cryptsetup mailing list
+[cryptsetup@lists.linux.dev](mailto:cryptsetup@lists.linux.dev),
+hosted at [kernel.org subspace](https://subspace.kernel.org/lists.linux.dev.html).
+To subscribe send an empty email message to
+[cryptsetup+subscribe@lists.linux.dev](mailto:cryptsetup+subscribe@lists.linux.dev).

 You can also browse and/or search the mailing [list archive](https://lore.kernel.org/cryptsetup/).
-News (NNTP), Atom feed and git access to public inbox is available through [lore.kernel.org](https://lore.kernel.org) service.
+USEnet News (NNTP), Atom feed and git access to the public inbox is available through
+[lore.kernel.org](https://lore.kernel.org) service.

-The former dm-crypt [list archive](https://lore.kernel.org/dm-crypt/) is also available.
+The former **dm-crypt** [list archive](https://lore.kernel.org/dm-crypt/) is also available.
--- a/autogen.sh
+++ b/autogen.sh
@@ -74,7 +74,7 @@ autopoint --force $AP_OPTS
 libtoolize --force --copy
 aclocal -I m4 $AL_OPTS
 autoheader $AH_OPTS
-automake --add-missing --copy --gnu $AM_OPTS
+automake --force-missing --add-missing --copy --gnu $AM_OPTS
 autoconf $AC_OPTS

 echo
--- a/configure.ac
+++ b/configure.ac
@@ -1,9 +1,9 @@
 AC_PREREQ([2.67])
-AC_INIT([cryptsetup],[2.5.0-rc1])
+AC_INIT([cryptsetup],[2.7.3])

 dnl library version from <major>.<minor>.<release>[-<suffix>]
 LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-)
-LIBCRYPTSETUP_VERSION_INFO=20:0:8
+LIBCRYPTSETUP_VERSION_INFO=22:0:10

 AM_SILENT_RULES([yes])
 AC_CONFIG_SRCDIR(src/cryptsetup.c)
@@ -28,6 +28,7 @@ AC_USE_SYSTEM_EXTENSIONS
 AC_PROG_CC
 AM_PROG_CC_C_O
 AC_PROG_CPP
+AC_PROG_CXX
 AC_PROG_INSTALL
 AC_PROG_MAKE_SET
 AC_PROG_MKDIR_P
@@ -127,7 +128,6 @@ if test "x$enable_largefile" = "xno"; then
  AC_MSG_ERROR([Building with --disable-largefile is not supported, it can cause data corruption.])
 fi

-AC_C_CONST
 AC_C_BIGENDIAN
 AC_TYPE_OFF_T
 AC_SYS_LARGEFILE
@@ -150,6 +150,7 @@ if test "x$enable_external_tokens" = "xyes"; then
 	AC_SUBST(DL_LIBS, $LIBS)
 	LIBS=$saved_LIBS
 fi
+AM_CONDITIONAL(EXTERNAL_TOKENS, test "x$enable_external_tokens" = "xyes")

 AC_ARG_ENABLE([ssh-token],
 	AS_HELP_STRING([--disable-ssh-token], [disable LUKS2 ssh-token]),
@@ -213,6 +214,17 @@ if test "x$enable_pwquality" = "xyes"; then
 	PWQUALITY_STATIC_LIBS="$PWQUALITY_LIBS -lcrack -lz"
 fi

+dnl ==========================================================================
+dnl fuzzers, it requires own static library compilation later
+AC_ARG_ENABLE([fuzz-targets],
+	AS_HELP_STRING([--enable-fuzz-targets], [enable building fuzz targets]))
+AM_CONDITIONAL(ENABLE_FUZZ_TARGETS, test "x$enable_fuzz_targets" = "xyes")
+
+if test "x$enable_fuzz_targets" = "xyes"; then
+	AX_CHECK_COMPILE_FLAG([-fsanitize=fuzzer-no-link],,
+		AC_MSG_ERROR([Required compiler options not supported; use clang.]), [-Werror])
+fi
+
 dnl ==========================================================================
 dnl passwdqc library (cryptsetup CLI only)
 AC_ARG_ENABLE([passwdqc],
@@ -254,6 +266,9 @@ AC_DEFUN([CONFIGURE_GCRYPT], [
 		GCRYPT_REQ_VERSION=1.1.42
 	fi

+	use_internal_pbkdf2=0
+	use_internal_argon2=1
+
 	dnl libgcrypt rejects to use pkgconfig, use AM_PATH_LIBGCRYPT from gcrypt-devel here.
 	dnl Do not require gcrypt-devel if other crypto backend is used.
 	m4_ifdef([AM_PATH_LIBGCRYPT],[
@@ -277,7 +292,24 @@ AC_DEFUN([CONFIGURE_GCRYPT], [
 		NO_FIPS([])
 	fi

+	m4_ifdef([AM_PATH_LIBGCRYPT],[
+	AC_ARG_ENABLE([gcrypt-argon2],
+		dnl Check if we can use gcrypt Argon2 (1.11.0 supports empty password)
+		AS_HELP_STRING([--disable-gcrypt-argon2], [force disable internal gcrypt Argon2]),
+		[],
+		[AM_PATH_LIBGCRYPT([1.11.0], [use_internal_argon2=0], [use_internal_argon2=1])])
+	AM_PATH_LIBGCRYPT($GCRYPT_REQ_VERSION,,[AC_MSG_ERROR([You need the gcrypt library.])])],
+	AC_MSG_ERROR([Missing support for gcrypt: install gcrypt and regenerate configure.]))
+
+	AC_MSG_CHECKING([if internal cryptsetup Argon2 is compiled-in])
+	if test $use_internal_argon2 = 0; then
+		AC_MSG_RESULT([no])
+	else
+		AC_MSG_RESULT([yes])
+	fi
+
 	AC_CHECK_DECLS([GCRY_CIPHER_MODE_XTS], [], [], [#include <gcrypt.h>])
+	AC_CHECK_DECLS([GCRY_KDF_ARGON2], [], [], [#include <gcrypt.h>])

 	if test "x$enable_static_cryptsetup" = "xyes"; then
 		saved_LIBS=$LIBS
@@ -297,19 +329,25 @@ AC_DEFUN([CONFIGURE_GCRYPT], [
 ])

 AC_DEFUN([CONFIGURE_OPENSSL], [
-	PKG_CHECK_MODULES([OPENSSL], [openssl >= 0.9.8],,
+	PKG_CHECK_MODULES([LIBCRYPTO], [libcrypto >= 0.9.8],,
 		AC_MSG_ERROR([You need openssl library.]))
-	CRYPTO_CFLAGS=$OPENSSL_CFLAGS
-	CRYPTO_LIBS=$OPENSSL_LIBS
+	CRYPTO_CFLAGS=$LIBCRYPTO_CFLAGS
+	CRYPTO_LIBS=$LIBCRYPTO_LIBS
 	use_internal_pbkdf2=0
+	use_internal_argon2=1

 	if test "x$enable_static_cryptsetup" = "xyes"; then
 		saved_PKG_CONFIG=$PKG_CONFIG
 		PKG_CONFIG="$PKG_CONFIG --static"
-		PKG_CHECK_MODULES([OPENSSL_STATIC], [openssl])
-		CRYPTO_STATIC_LIBS=$OPENSSL_STATIC_LIBS
+		PKG_CHECK_MODULES([LIBCRYPTO_STATIC], [libcrypto])
+		CRYPTO_STATIC_LIBS=$LIBCRYPTO_STATIC_LIBS
 		PKG_CONFIG=$saved_PKG_CONFIG
 	fi
+
+	saved_LIBS=$LIBS
+	AC_CHECK_DECLS([OSSL_get_max_threads], [], [], [#include <openssl/thread.h>])
+	AC_CHECK_DECLS([OSSL_KDF_PARAM_ARGON2_VERSION], [use_internal_argon2=0], [], [#include <openssl/core_names.h>])
+	LIBS=$saved_LIBS
 ])

 AC_DEFUN([CONFIGURE_NSS], [
@@ -330,6 +368,7 @@ AC_DEFUN([CONFIGURE_NSS], [
 	CRYPTO_CFLAGS=$NSS_CFLAGS
 	CRYPTO_LIBS=$NSS_LIBS
 	use_internal_pbkdf2=1
+	use_internal_argon2=1
 	NO_FIPS([])
 ])

@@ -340,6 +379,7 @@ AC_DEFUN([CONFIGURE_KERNEL], [
 #		[AC_MSG_ERROR([You need Linux kernel with userspace crypto interface.])],
 #		[#include <sys/socket.h>])
 	use_internal_pbkdf2=1
+	use_internal_argon2=1
 	NO_FIPS([])
 ])

@@ -356,6 +396,7 @@ AC_DEFUN([CONFIGURE_NETTLE], [

 	CRYPTO_STATIC_LIBS=$CRYPTO_LIBS
 	use_internal_pbkdf2=0
+	use_internal_argon2=1
 	NO_FIPS([])
 ])

@@ -480,12 +521,21 @@ AC_ARG_ENABLE([internal-argon2],
 AC_ARG_ENABLE([libargon2],
 	AS_HELP_STRING([--enable-libargon2], [enable external libargon2 (PHC) library (disables internal bundled version)]))

-if test "x$enable_libargon2" = "xyes" ; then
+if test $use_internal_argon2 = 0 || ( test "x$enable_internal_argon2" = "xno" && test "x$enable_libargon2" != "xyes" ); then
+	if test "x$enable_internal_argon2" = "xyes" || test "x$enable_libargon2" = "xyes"; then
+		AC_MSG_NOTICE([Argon2 in $with_crypto_backend lib is used; internal Argon2 options are ignored.])
+	fi
+	enable_internal_argon2=no
+	enable_internal_sse_argon2=no
+	enable_libargon2=no
+	use_internal_argon2=0
+elif test "x$enable_libargon2" = "xyes" ; then
 	AC_CHECK_HEADERS(argon2.h,,
 		[AC_MSG_ERROR([You need libargon2 development library installed.])])
 	AC_CHECK_DECL(Argon2_id,,[AC_MSG_ERROR([You need more recent Argon2 library with support for Argon2id.])], [#include <argon2.h>])
 	PKG_CHECK_MODULES([LIBARGON2], [libargon2],,[LIBARGON2_LIBS="-largon2"])
 	enable_internal_argon2=no
+	use_internal_argon2=0
 else
 	AC_MSG_WARN([Argon2 bundled (slow) reference implementation will be used, please consider to use system library with --enable-libargon2.])

@@ -504,11 +554,10 @@ else
 	fi
 fi

-if test "x$enable_internal_argon2" = "xyes"; then
-	AC_DEFINE(USE_INTERNAL_ARGON2, 1, [Use internal Argon2])
-fi
 AM_CONDITIONAL(CRYPTO_INTERNAL_ARGON2, test "x$enable_internal_argon2" = "xyes")
 AM_CONDITIONAL(CRYPTO_INTERNAL_SSE_ARGON2, test "x$enable_internal_sse_argon2" = "xyes")
+dnl If libargon is in use, we have defined HAVE_ARGON2_H
+AC_DEFINE_UNQUOTED(USE_INTERNAL_ARGON2, [$use_internal_argon2], [Use internal Argon2])

 dnl Link with blkid to check for other device types
 AC_ARG_ENABLE([blkid],
@@ -543,6 +592,27 @@ AM_CONDITIONAL(HAVE_BLKID, test "x$enable_blkid" = "xyes")
 AM_CONDITIONAL(HAVE_BLKID_WIPE, test "x$enable_blkid_wipe" = "xyes")
 AM_CONDITIONAL(HAVE_BLKID_STEP_BACK, test "x$enable_blkid_step_back" = "xyes")

+AC_ARG_ENABLE([hw-opal],
+	AS_HELP_STRING([--disable-hw-opal], [disable use of hardware-backed OPAL for device encryption]),
+	[],
+	[enable_hw_opal=yes])
+
+if test "x$enable_hw_opal" = "xyes"; then
+	have_opal=yes
+	AC_CHECK_DECLS([ OPAL_FL_SUM_SUPPORTED,
+			 IOC_OPAL_GET_LR_STATUS,
+			 IOC_OPAL_GET_GEOMETRY
+		       ],
+		       [],
+		       [have_opal=no],
+		       [#include <linux/sed-opal.h>])
+	if test "x$have_opal" = "xyes"; then
+		AC_DEFINE([HAVE_HW_OPAL], 1, [Define to 1 to enable OPAL support.])
+	else
+		AC_MSG_WARN([Can not compile with OPAL support, kernel headers are too old, requires v6.4.])
+	fi
+fi
+
 dnl Magic for cryptsetup.static build.
 if test "x$enable_static_cryptsetup" = "xyes"; then
 	saved_PKG_CONFIG=$PKG_CONFIG
@@ -617,6 +687,22 @@ AC_SUBST([LIBSSH_LIBS])
 AC_SUBST([LIBCRYPTSETUP_VERSION])
 AC_SUBST([LIBCRYPTSETUP_VERSION_INFO])

+dnl Set Requires.private for libcryptsetup.pc
+dnl pwquality is used only by tools
+PKGMODULES="uuid devmapper json-c"
+case $with_crypto_backend in
+	gcrypt)  PKGMODULES="$PKGMODULES libgcrypt" ;;
+	openssl) PKGMODULES="$PKGMODULES openssl" ;;
+	nss)     PKGMODULES="$PKGMODULES nss" ;;
+	nettle)  PKGMODULES="$PKGMODULES nettle" ;;
+esac
+if test "x$enable_libargon2" = "xyes"; then
+	PKGMODULES="$PKGMODULES libargon2"
+fi
+if test "x$enable_blkid" = "xyes"; then
+	PKGMODULES="$PKGMODULES blkid"
+fi
+AC_SUBST([PKGMODULES])
 dnl ==========================================================================
 AC_ARG_ENABLE([dev-random],
 	AS_HELP_STRING([--enable-dev-random], [use /dev/random by default for key generation (otherwise use /dev/urandom)]))
@@ -652,9 +738,9 @@ AC_DEFUN([CS_ABSPATH], [
 ])

 dnl ==========================================================================
-CS_STR_WITH([plain-hash],   [password hashing function for plain mode], [ripemd160])
+CS_STR_WITH([plain-hash],   [password hashing function for plain mode], [sha256])
 CS_STR_WITH([plain-cipher], [cipher for plain mode], [aes])
-CS_STR_WITH([plain-mode],   [cipher mode for plain mode], [cbc-essiv:sha256])
+CS_STR_WITH([plain-mode],   [cipher mode for plain mode], [xts-plain64])
 CS_NUM_WITH([plain-keybits],[key length in bits for plain mode], [256])

 CS_STR_WITH([luks1-hash],   [hash function for LUKS1 header], [sha256])
@@ -739,5 +825,6 @@ lib/libcryptsetup.pc
 po/Makefile.in
 scripts/cryptsetup.conf
 tests/Makefile
+tests/fuzz/Makefile
 ])
 AC_OUTPUT
--- a/docs/ChangeLog.old
+++ b/docs/ChangeLog.old
@@ -74,7 +74,7 @@
 2012-03-16  Milan Broz  <gmazyland@gmail.com>
 	* Add --keyfile-offset and --new-keyfile-offset parameters to API and CLI.
 	* Add repair command and crypt_repair() for known LUKS metadata problems repair.
-	* Allow to specify --align-payload only for luksFormat.
+	* Allow one to specify --align-payload only for luksFormat.

 2012-03-16  Milan Broz  <mbroz@redhat.com>
 	* Unify password verification option.
@@ -228,7 +228,7 @@
 	* Fix password callback call.
 	* Fix default plain password entry from terminal in activate_by_passphrase.
 	* Add --dump-master-key option for luksDump to allow volume key dump.
-	* Allow to activate by internally cached volume key
+	* Allow one to activate by internally cached volume key
 	  (format/activate without keyslots active - used for temporary devices).
 	* Initialize volume key from active device in crypt_init_by_name()
 	* Fix cryptsetup binary exitcodes.
--- a/docs/Keyring.txt
+++ b/docs/Keyring.txt
@@ -12,30 +12,53 @@ no longer stored directly in dm-crypt target. Starting with cryptsetup 2.0 we
 load VK in kernel keyring by default for LUKSv2 devices (when dm-crypt with the
 feature is available).

-Currently cryptsetup loads VK in 'logon' type kernel key so that VK is passed in
-the kernel and can't be read from userspace afterward. Also cryptsetup loads VK in
-thread keyring (before passing the reference to dm-crypt target) so that the key
+Currently, cryptsetup loads VK in 'logon' type kernel key so that VK is passed in
+the kernel and can't be read from userspace afterwards. Also, cryptsetup loads VK in
+the thread keyring (before passing the reference to dm-crypt target) so that the key
 lifetime is directly bound to the process that performs the dm-crypt setup. When
-cryptsetup process exits (for whatever reason) the key gets unlinked in kernel
+cryptsetup process exits (for whatever reason) the key gets unlinked in the kernel
 automatically. In summary, the key description visible in dm-crypt table line is
 a reference to VK that usually no longer exists in kernel keyring service if you
-used cryptsetup to for device activation.
+used cryptsetup for device activation.

 Using this feature dm-crypt no longer maintains a direct key copy (but there's
-always at least one copy in kernel crypto layer).
+always at least one copy in the kernel crypto layer).
+
+Additionally, libcryptsetup supports the linking of volume keys to
+user-specified kernel keyring with crypt_set_keyring_to_link(). The user may
+specify keyring name, key type ('user' or 'logon') and key description where
+libcryptsetup should link the verified volume key upon subsequent device
+activation (or key verification alone).
+
+The volume key(s) (provided the key type is 'user') linked in the user keyring
+can be later used to activate the device via crypt_activate_by_keyslot_context()
+with CRYPT_KC_TYPE_VK_KEYRING type keyslot context
+(acquired by crypt_keyslot_context_init_by_vk_in_keyring()).
+
+Example of how to use volume key linked in custom user keyring from cryptsetup
+utility:
+
+1) Open the device and store the volume key to the session keyring:
+# cryptsetup open <device> --link-vk-to-keyring "@s::%user:testkey" tst
+
+2) Add a keyslot using the stored volume key in a keyring:
+# cryptsetup luksAddKey <device> --volume-key-keyring "%user:testkey"
+
+3) Activate the device using the volume key cached in a keyring ('user' type key)
+# cryptsetup open <device> <active_name> --volume-key-keyring "testkey"

 II) Keyslot passphrase
 The second use case for kernel keyring is to allow cryptsetup reading the keyslot
-passphrase stored in kernel keyring instead. The user may load passphrase in kernel
+passphrase stored in kernel keyring instead. The user may load the passphrase in the kernel
 keyring and notify cryptsetup to read it from there later. Currently, cryptsetup
 cli supports kernel keyring for passphrase only via LUKS2 internal token
-(luks2-keyring). Library also provides a general method for device activation by
-reading passphrase from keyring: crypt_activate_by_keyring(). The key type
+(luks2-keyring). The library also provides a general method for device activation by
+reading the passphrase from the keyring: crypt_activate_by_keyring(). The key type
 for use case II) must always be 'user' since we need to read the actual key
-data from userspace unlike with VK in I). Ability to read keyslot passphrase
-from kernel keyring also allows easily auto-activate LUKS2 devices.
+data from userspace unlike with VK in I). The ability to read keyslot passphrases
+from kernel keyring also allows easy auto-activate LUKS2 devices.

-Simple example how to use kernel keyring for keyslot passphrase:
+Simple example of how to use kernel keyring for keyslot passphrase:

 1) create LUKS2 keyring token for keyslot 0 (in LUKS2 device/image)
 cryptsetup token add --key-description my:key -S 0 /dev/device
@@ -43,7 +66,7 @@ cryptsetup token add --key-description my:key -S 0 /dev/device
 2) Load keyslot passphrase in user keyring
 read -s -p "Keyslot passphrase: "; echo -n $REPLY | keyctl padd user my:key @u

-3) Activate device using passphrase stored in kernel keyring
+3) Activate the device using the passphrase stored in the kernel keyring
 cryptsetup open /dev/device my_unlocked_device

 4a) unlink the key when no longer needed by
@@ -52,5 +75,5 @@ keyctl unlink %user:my:key @u
 4b) or revoke it immediately by
 keyctl revoke %user:my:key

-If cryptsetup asks for passphrase in step 3) something went wrong with keyring
+If cryptsetup asks for a passphrase in step 3) something went wrong with keyring
 activation. See --debug output then.
--- a/docs/LUKS2-locking.txt
+++ b/docs/LUKS2-locking.txt
@@ -5,7 +5,7 @@ Why
 ~~~

 LUKS2 format keeps two identical copies of metadata stored consecutively
-at the head of metadata device (file or bdev). The metadata
+at the head of the metadata device (file or bdev). The metadata
 area (both copies) must be updated in a single atomic operation to avoid
 header corruption during concurrent write.

@@ -15,17 +15,17 @@ locking with legacy format was not so obvious as it is with the LUKSv2 format.

 With LUKS2 the boundary between read-only and read-write is blurry and what
 used to be the exclusively read-only operation (i.e., cryptsetup open command) may
-easily become read-update operation silently without user's knowledge.
-Major feature of LUKS2 format is resilience against accidental
+easily become read-update operation silently without the user's knowledge.
+A major feature of the LUKS2 format is resilience against accidental
 corruption of metadata (i.e., partial header overwrite by parted or cfdisk
-while creating partition on mistaken block device).
-Such header corruption is detected early on header read and auto-recovery
+while creating a partition on a mistaken block device).
+Such header corruption is detected early on the header read and the auto-recovery
 procedure takes place (the corrupted header with checksum mismatch is being
 replaced by the secondary one if that one is intact).
-On current Linux systems header load operation may be triggered without user
-direct intervention for example by udev rule or from systemd service.
-Such clash of header read and auto-recovery procedure could have severe
-consequences with the worst case of having LUKS2 device unaccessible or being
+On current Linux systems header load operation may be triggered without the user
+direct intervention for example by an udev rule or from a systemd service.
+Such a clash of header read and auto-recovery procedure could have severe
+consequences with the worst case of having a LUKS2 device inaccessible or being
 broken beyond repair.

 The whole locking of LUKSv2 device headers split into two categories depending
@@ -36,17 +36,17 @@ I) block device

 We perform flock() on file descriptors of files stored in a private
 directory (by default /run/lock/cryptsetup). The file name is derived
-from major:minor couple of affected block device. Note we recommend
-that access to private locking directory is supposed to be limited
-to superuser only. For this method to work the distribution needs
+from major:minor couple of the affected block device. Note we recommend
+that access to the private locking directory is supposed to be limited
+to the superuser only. For this method to work the distribution needs
 to install the locking directory with appropriate access rights.

 II) regular files
 ~~~~~~~~~~~~~~~~~

-First notable difference between headers stored in a file
+A first notable difference between headers stored in a file
 vs. headers stored in a block device is that headers in a file may be
-manipulated by the regular user unlike headers on block devices. Therefore
+manipulated by the regular user, unlike headers on block devices. Therefore
 we perform flock() protection on file with the luks2 header directly.

 Limitations
@@ -58,4 +58,40 @@ while locking is enabled.
 We do not suppress any other negative effect that two or more concurrent
 writers of the same header may cause.

-b) The locking is not cluster aware in any way.
+b) The locking is not cluster-aware in any way.
+
+Additional LUKS2 locks
+======================
+
+LUKS2 reencryption device lock
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Device in LUKS2 reencryption is protected by an exclusive lock placed in the default
+locking directory. The lock's purpose is to exclude multiple processes from
+performing reencryption on the same device (identified by LUKS uuid). The lock
+is taken no matter the LUKS2 reencryption mode (online or offline).
+
+LUKS2 memory hard global lock
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+An optional global lock that makes libcryptsetup serialize memory hard
+pbkdf function when deriving a key encryption key from passphrase on unlocking
+LUKS2 keyslot. The lock has to be enabled via the CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF
+flag. The lock is placed in the default locking directory.
+
+LUKS2 OPAL lock
+~~~~~~~~~~~~~~~
+
+Exclusive per device lock taken when manipulating LUKS2 device configured for use with
+SED OPAL2 locking range.
+
+Lock ordering
+=============
+
+To avoid a deadlock following rules must apply:
+
+- LUKS2 reencrytpion lock must be taken before LUKS2 OPAL lock.
+
+- LUKS2 OPAL lock must be taken before LUKS2 metadata lock.
+
+- LUKS2 memory hard global lock can not be used with other locks.
--- a/docs/doxyfile
+++ b/docs/doxyfile
@@ -1,4 +1,4 @@
-# Doxyfile 1.9.1
+# Doxyfile 1.9.8

 #---------------------------------------------------------------------------
 # Project related configuration options
@@ -10,9 +10,9 @@ PROJECT_BRIEF          = "Public cryptsetup API"
 PROJECT_LOGO           =
 OUTPUT_DIRECTORY       = doxygen_api_docs
 CREATE_SUBDIRS         = NO
+CREATE_SUBDIRS_LEVEL   = 8
 ALLOW_UNICODE_NAMES    = NO
 OUTPUT_LANGUAGE        = English
-OUTPUT_TEXT_DIRECTION  = None
 BRIEF_MEMBER_DESC      = YES
 REPEAT_BRIEF           = YES
 ABBREVIATE_BRIEF       =
@@ -39,6 +39,7 @@ OPTIMIZE_OUTPUT_SLICE  = NO
 EXTENSION_MAPPING      =
 MARKDOWN_SUPPORT       = YES
 TOC_INCLUDE_HEADINGS   = 5
+MARKDOWN_ID_STYLE      = DOXYGEN
 AUTOLINK_SUPPORT       = YES
 BUILTIN_STL_SUPPORT    = NO
 CPP_CLI_SUPPORT        = NO
@@ -52,6 +53,7 @@ INLINE_SIMPLE_STRUCTS  = NO
 TYPEDEF_HIDES_STRUCT   = YES
 LOOKUP_CACHE_SIZE      = 0
 NUM_PROC_THREADS       = 1
+TIMESTAMP              = NO
 #---------------------------------------------------------------------------
 # Build related configuration options
 #---------------------------------------------------------------------------
@@ -72,6 +74,7 @@ INTERNAL_DOCS          = NO
 CASE_SENSE_NAMES       = YES
 HIDE_SCOPE_NAMES       = NO
 HIDE_COMPOUND_REFERENCE= NO
+SHOW_HEADERFILE        = YES
 SHOW_INCLUDE_FILES     = YES
 SHOW_GROUPED_MEMB_INC  = NO
 FORCE_LOCAL_INCLUDES   = NO
@@ -101,9 +104,12 @@ QUIET                  = NO
 WARNINGS               = YES
 WARN_IF_UNDOCUMENTED   = YES
 WARN_IF_DOC_ERROR      = YES
+WARN_IF_INCOMPLETE_DOC = YES
 WARN_NO_PARAMDOC       = NO
+WARN_IF_UNDOC_ENUM_VAL = NO
 WARN_AS_ERROR          = NO
 WARN_FORMAT            = "$file:$line: $text"
+WARN_LINE_FORMAT       = "at line $line of file $file"
 WARN_LOGFILE           =
 #---------------------------------------------------------------------------
 # Configuration options related to the input files
@@ -111,6 +117,7 @@ WARN_LOGFILE           =
 INPUT                  = doxygen_index.h \
                         ../lib/libcryptsetup.h
 INPUT_ENCODING         = UTF-8
+INPUT_FILE_ENCODING    =
 FILE_PATTERNS          =
 RECURSIVE              = NO
 EXCLUDE                =
@@ -126,6 +133,7 @@ FILTER_PATTERNS        =
 FILTER_SOURCE_FILES    = NO
 FILTER_SOURCE_PATTERNS =
 USE_MDFILE_AS_MAINPAGE =
+FORTRAN_COMMENT_AFTER  = 72
 #---------------------------------------------------------------------------
 # Configuration options related to source browsing
 #---------------------------------------------------------------------------
@@ -158,15 +166,17 @@ HTML_FOOTER            =
 HTML_STYLESHEET        =
 HTML_EXTRA_STYLESHEET  =
 HTML_EXTRA_FILES       =
+HTML_COLORSTYLE        = AUTO_LIGHT
 HTML_COLORSTYLE_HUE    = 220
 HTML_COLORSTYLE_SAT    = 100
 HTML_COLORSTYLE_GAMMA  = 80
-HTML_TIMESTAMP         = YES
 HTML_DYNAMIC_MENUS     = YES
 HTML_DYNAMIC_SECTIONS  = NO
+HTML_CODE_FOLDING      = YES
 HTML_INDEX_NUM_ENTRIES = 100
 GENERATE_DOCSET        = NO
 DOCSET_FEEDNAME        = "Doxygen generated docs"
+DOCSET_FEEDURL         =
 DOCSET_BUNDLE_ID       = org.doxygen.Project
 DOCSET_PUBLISHER_ID    = org.doxygen.Publisher
 DOCSET_PUBLISHER_NAME  = Publisher
@@ -177,6 +187,7 @@ GENERATE_CHI           = NO
 CHM_INDEX_ENCODING     =
 BINARY_TOC             = NO
 TOC_EXPAND             = NO
+SITEMAP_URL            =
 GENERATE_QHP           = NO
 QCH_FILE               =
 QHP_NAMESPACE          = org.doxygen.Project
@@ -189,14 +200,16 @@ GENERATE_ECLIPSEHELP   = NO
 ECLIPSE_DOC_ID         = org.doxygen.Project
 DISABLE_INDEX          = NO
 GENERATE_TREEVIEW      = NO
+FULL_SIDEBAR           = NO
 ENUM_VALUES_PER_LINE   = 4
 TREEVIEW_WIDTH         = 250
 EXT_LINKS_IN_WINDOW    = NO
+OBFUSCATE_EMAILS       = YES
 HTML_FORMULA_FORMAT    = png
 FORMULA_FONTSIZE       = 10
-FORMULA_TRANSPARENT    = YES
 FORMULA_MACROFILE      =
 USE_MATHJAX            = NO
+MATHJAX_VERSION        = MathJax_2
 MATHJAX_FORMAT         = HTML-CSS
 MATHJAX_RELPATH        = http://www.mathjax.org/mathjax
 MATHJAX_EXTENSIONS     =
@@ -227,9 +240,7 @@ PDF_HYPERLINKS         = YES
 USE_PDFLATEX           = YES
 LATEX_BATCHMODE        = NO
 LATEX_HIDE_INDICES     = NO
-LATEX_SOURCE_CODE      = NO
 LATEX_BIB_STYLE        = plain
-LATEX_TIMESTAMP        = NO
 LATEX_EMOJI_DIRECTORY  =
 #---------------------------------------------------------------------------
 # Configuration options related to the RTF output
@@ -240,7 +251,6 @@ COMPACT_RTF            = NO
 RTF_HYPERLINKS         = NO
 RTF_STYLESHEET_FILE    =
 RTF_EXTENSIONS_FILE    =
-RTF_SOURCE_CODE        = NO
 #---------------------------------------------------------------------------
 # Configuration options related to the man page output
 #---------------------------------------------------------------------------
@@ -261,12 +271,17 @@ XML_NS_MEMB_FILE_SCOPE = NO
 #---------------------------------------------------------------------------
 GENERATE_DOCBOOK       = NO
 DOCBOOK_OUTPUT         = docbook
-DOCBOOK_PROGRAMLISTING = NO
 #---------------------------------------------------------------------------
 # Configuration options for the AutoGen Definitions output
 #---------------------------------------------------------------------------
 GENERATE_AUTOGEN_DEF   = NO
 #---------------------------------------------------------------------------
+# Configuration options related to Sqlite3 output
+#---------------------------------------------------------------------------
+GENERATE_SQLITE3       = NO
+SQLITE3_OUTPUT         = sqlite3
+SQLITE3_RECREATE_DB    = YES
+#---------------------------------------------------------------------------
 # Configuration options related to the Perl module output
 #---------------------------------------------------------------------------
 GENERATE_PERLMOD       = NO
@@ -294,15 +309,14 @@ ALLEXTERNALS           = NO
 EXTERNAL_GROUPS        = YES
 EXTERNAL_PAGES         = YES
 #---------------------------------------------------------------------------
-# Configuration options related to the dot tool
+# Configuration options related to diagram generator tools
 #---------------------------------------------------------------------------
-CLASS_DIAGRAMS         = YES
-DIA_PATH               =
 HIDE_UNDOC_RELATIONS   = YES
 HAVE_DOT               = NO
 DOT_NUM_THREADS        = 0
-DOT_FONTNAME           = Helvetica
-DOT_FONTSIZE           = 10
+DOT_COMMON_ATTR        = "fontname=Helvetica,fontsize=10"
+DOT_EDGE_ATTR          = "labelfontname=Helvetica,labelfontsize=10"
+DOT_NODE_ATTR          = "shape=box,height=0.2,width=0.4"
 DOT_FONTPATH           =
 CLASS_GRAPH            = YES
 COLLABORATION_GRAPH    = YES
@@ -318,18 +332,20 @@ CALL_GRAPH             = NO
 CALLER_GRAPH           = NO
 GRAPHICAL_HIERARCHY    = YES
 DIRECTORY_GRAPH        = YES
+DIR_GRAPH_MAX_DEPTH    = 1
 DOT_IMAGE_FORMAT       = png
 INTERACTIVE_SVG        = NO
 DOT_PATH               =
 DOTFILE_DIRS           =
-MSCFILE_DIRS           =
+DIA_PATH               =
 DIAFILE_DIRS           =
 PLANTUML_JAR_PATH      =
 PLANTUML_CFG_FILE      =
 PLANTUML_INCLUDE_PATH  =
 DOT_GRAPH_MAX_NODES    = 50
 MAX_DOT_GRAPH_DEPTH    = 0
-DOT_TRANSPARENT        = NO
 DOT_MULTI_TARGETS      = NO
 GENERATE_LEGEND        = YES
 DOT_CLEANUP            = YES
+MSCGEN_TOOL            =
+MSCFILE_DIRS           =
--- a/docs/examples/crypt_log_usage.c
+++ b/docs/examples/crypt_log_usage.c
@@ -1,21 +1,8 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * libcryptsetup API log example
 *
- * Copyright (C) 2011-2022 Red Hat, Inc. All rights reserved.
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
 */

 #include <stdio.h>
--- a/docs/examples/crypt_luks_usage.c
+++ b/docs/examples/crypt_luks_usage.c
@@ -1,21 +1,8 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 *  libcryptsetup API - using LUKS device example
 *
- * Copyright (C) 2011-2022 Red Hat, Inc. All rights reserved.
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
 */

 #include <stdio.h>
--- a/docs/on-disk-format-luks2.pdf
+++ b/docs/on-disk-format-luks2.pdf
--- a/docs/v1.2.0-ReleaseNotes
+++ b/docs/v1.2.0-ReleaseNotes
@@ -85,7 +85,7 @@ Libcryptsetup API additions:

 * Fix optional password callback handling.

- * Allow to activate by internally cached volume key immediately after
+ * Allow one to activate by internally cached volume key immediately after
 crypt_format() without active slot (for temporary devices with
 on-disk metadata)

--- a/docs/v1.4.2-ReleaseNotes
+++ b/docs/v1.4.2-ReleaseNotes
@@ -24,7 +24,7 @@ Changes since version 1.4.1
 * Fix header check to support old (cryptsetup 1.0.0) header alignment.
  (Regression in 1.4.0)

-* Allow to specify --align-payload only for luksFormat.
+* Allow one to specify --align-payload only for luksFormat.

 * Add --master-key-file option to luksOpen (open using volume key).

--- a/docs/v1.4.3-ReleaseNotes
+++ b/docs/v1.4.3-ReleaseNotes
@@ -32,7 +32,7 @@ Changes since version 1.4.2
  Device-mapper now retry removal if device is busy.

 * Allow "private" activation (skip some udev global rules) flag.
-  Cryptsetup library API now allows to specify CRYPT_ACTIVATE_PRIVATE,
+  Cryptsetup library API now allows one to specify CRYPT_ACTIVATE_PRIVATE,
  which means that some udev rules are not processed.
  (Used for temporary devices, like internal keyslot mappings where
  it is not desirable to run any device scans.)
--- a/docs/v1.6.0-ReleaseNotes
+++ b/docs/v1.6.0-ReleaseNotes
@@ -4,7 +4,7 @@ Cryptsetup 1.6.0 Release Notes
 Changes since version 1.6.0-rc1
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- * Change LUKS default cipher to to use XTS encryption mode,
+ * Change LUKS default cipher to use XTS encryption mode,
   aes-xts-plain64 (i.e. using AES128-XTS).

   XTS mode becomes standard in hard disk encryption.
@@ -209,7 +209,7 @@ Important changes

     WARNING: these tests do not use dmcrypt, only crypto API.
     You have to benchmark the whole device stack and you can get completely
-     different results. But is is usable for basic comparison.
+     different results. But it is usable for basic comparison.
     (Note for example AES-NI decryption optimization effect in example above.)

 Features
--- a/docs/v1.6.2-ReleaseNotes
+++ b/docs/v1.6.2-ReleaseNotes
@@ -8,7 +8,7 @@ Changes since version 1.6.1
 * Fix cipher specification string parsing (found by gcc -fsanitize=address option).

 * Try to map TCRYPT system encryption through partition
-  (allows to activate mapping when other partition on the same device is mounted).
+  (allows one to activate mapping when other partition on the same device is mounted).

 * Print a warning if system encryption is used and device is a partition.
  (TCRYPT system encryption uses whole device argument.)
--- a/docs/v1.6.4-ReleaseNotes
+++ b/docs/v1.6.4-ReleaseNotes
@@ -25,7 +25,7 @@ Changes since version 1.6.3

  Please refer to cryptsetup FAQ for detail how to fix this situation.

-* Allow to use --disable-gcrypt-pbkdf2 during configuration
+* Allow one to use --disable-gcrypt-pbkdf2 during configuration
  to force use internal PBKDF2 code.

 * Require gcrypt 1.6.1 for imported implementation of PBKDF2
--- a/docs/v1.6.5-ReleaseNotes
+++ b/docs/v1.6.5-ReleaseNotes
@@ -38,7 +38,7 @@ Changes since version 1.6.4
  The command "cryptsetup status" will print basic info, even if you
  do not provide detached header argument.

-* Allow to specify ECB mode in cryptsetup benchmark.
+* Allow one to specify ECB mode in cryptsetup benchmark.

 * Add some LUKS images for regression testing.
  Note that if image with Whirlpool fails, the most probable cause is that
--- a/docs/v1.6.7-ReleaseNotes
+++ b/docs/v1.6.7-ReleaseNotes
@@ -35,14 +35,14 @@ Changes since version 1.6.6
 * Support permanent device decryption for cryptsetup-reencrypt.
  To remove LUKS encryption from a device, you can now use --decrypt option.

-* Allow to use --header option in all LUKS commands.
+* Allow one to use --header option in all LUKS commands.
  The --header always takes precedence over positional device argument.

 * Allow luksSuspend without need to specify a detached header.

 * Detect if O_DIRECT is usable on a device allocation.
  There are some strange storage stack configurations which wrongly allows
-  to open devices with direct-io but fails on all IO operations later.
+  one to open devices with direct-io but fails on all IO operations later.

  Cryptsetup now tries to read the device first sector to ensure it can use
  direct-io.
--- a/docs/v1.6.8-ReleaseNotes
+++ b/docs/v1.6.8-ReleaseNotes
@@ -30,7 +30,7 @@ Changes since version 1.6.7
  cryptsetup resize will try to resize underlying loop device as well.
  (It can be used to grow up file-backed device in one step.)

-* Cryptsetup now allows to use empty password through stdin pipe.
+* Cryptsetup now allows one to use empty password through stdin pipe.
  (Intended only for testing in scripts.)

 Cryptsetup API NOTE:
--- a/docs/v1.7.4-ReleaseNotes
+++ b/docs/v1.7.4-ReleaseNotes
@@ -3,7 +3,7 @@ Cryptsetup 1.7.4 Release Notes

 Changes since version 1.7.3

-* Allow to specify LUKS1 hash algorithm in Python luksFormat wrapper.
+* Allow one to specify LUKS1 hash algorithm in Python luksFormat wrapper.

 * Use LUKS1 compiled-in defaults also in Python wrapper.

--- a/docs/v2.0.2-ReleaseNotes
+++ b/docs/v2.0.2-ReleaseNotes
@@ -30,7 +30,7 @@ Changes since version 2.0.1

 * Add LUKS2 specific options for cryptsetup-reencrypt.
  Tokens and persistent flags are now transferred during reencryption;
-  change of PBKDF keyslot parameters is now supported and allows
+  change of PBKDF keyslot parameters is now supported and allows one
  to set precalculated values (no benchmarks).

 * Do not allow LUKS2 --persistent and --test-passphrase cryptsetup flags
--- a/docs/v2.0.3-ReleaseNotes
+++ b/docs/v2.0.3-ReleaseNotes
@@ -28,7 +28,7 @@ Changes since version 2.0.2

 * New API extensions for unbound keyslots (LUKS2 only)
  crypt_keyslot_get_key_size() and crypt_volume_key_get()
-  These functions allow to get key and key size for unbound keyslots.
+  These functions allow one to get key and key size for unbound keyslots.

 * New enum value CRYPT_SLOT_UNBOUND for keyslot status (LUKS2 only).

--- a/docs/v2.1.0-ReleaseNotes
+++ b/docs/v2.1.0-ReleaseNotes
@@ -170,21 +170,21 @@ These new calls are now exported, for details see libcryptsetup.h:

 * crypt_get_metadata_size
 * crypt_set_metadata_size
-     allows to set/get area sizes in LUKS header
+     allows one to set/get area sizes in LUKS header
     (according to specification).

 * crypt_get_default_type
     get default compiled-in LUKS type (version).

 * crypt_get_pbkdf_type_params
-     allows to get compiled-in PBKDF parameters.
+     allows one to get compiled-in PBKDF parameters.

 * crypt_keyslot_set_encryption
 * crypt_keyslot_get_encryption
-     allows to set/get per-keyslot encryption algorithm for LUKS2.
+     allows one to set/get per-keyslot encryption algorithm for LUKS2.

 * crypt_keyslot_get_pbkdf
-     allows to get PBKDF parameters per-keyslot.
+     allows one to get PBKDF parameters per-keyslot.

 and these new defines:
 * CRYPT_LOG_DEBUG_JSON (message type for JSON debug)
--- a/docs/v2.3.0-ReleaseNotes
+++ b/docs/v2.3.0-ReleaseNotes
@@ -9,7 +9,7 @@ native read-write access to BitLocker Full Disk Encryption devices.

 The BITLK implementation is based on publicly available information
 and it is an independent and opensource implementation that allows
-to access this proprietary disk encryption.
+one to access this proprietary disk encryption.

 Changes since version 2.2.2
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- a/docs/v2.3.2-ReleaseNotes
+++ b/docs/v2.3.2-ReleaseNotes
@@ -18,7 +18,7 @@ Changes since version 2.3.1
  The slot number --key-slot (-S) option is mandatory here.

  An unbound keyslot store a key is that is not assigned to data
-  area on disk (LUKS2 allows to store arbitrary keys).
+  area on disk (LUKS2 allows one to store arbitrary keys).

 * Rephrase some error messages and remove redundant end-of-lines.

--- a/docs/v2.5.0-rc1-ReleaseNotes
+++ b/docs/v2.5.0-rc1-ReleaseNotes
@@ -1,6 +1,6 @@
-Cryptsetup 2.5.0-rc1 Release Notes
-==================================
-Stable release candidate with new features and bug fixes.
+Cryptsetup 2.5.0 Release Notes
+==============================
+Stable release with new features and bug fixes.

 Changes since version 2.4.3
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -125,6 +125,11 @@ LUKS volume reencryption changes

 * Support all options allowed with luksFormat with encrypt action.

+* Add prompt if LUKS2 decryption is run with a detached header.
+
+* Add warning for reencryption of file image and mention
+  the possible use of --force-offline-reencrypt option.
+
 Other changes
 ~~~~~~~~~~~~~

@@ -258,6 +263,11 @@ Other changes

 * Reimplement BASE64 with simplified code instead of coreutils version.

+* Fix regression when warning messages were not displayed
+  if some kernel feature is not supported (2.4.2).
+
+* Add support for --key-slot option in luksResume action.
+
 Libcryptsetup API extensions and changes
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- a/docs/v2.6.0-ReleaseNotes
+++ b/docs/v2.6.0-ReleaseNotes
@@ -0,0 +1,236 @@
+Cryptsetup 2.6.0 Release Notes
+==============================
+Stable release with new features and bug fixes.
+
+Changes since version 2.5.0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Introduce support for handling macOS FileVault2 devices (FVAULT2).
+
+  Cryptsetup now supports the mapping of FileVault2 full-disk encryption
+  by Apple for the macOS operating system using a native Linux kernel.
+  You can open an existing USB FileVault portable device and (with
+  the hfsplus filesystem driver) access the native data read/write.
+
+  Cryptsetup supports only (legacy) FileVault2 based on Core Storage
+  and HFS+ filesystem (introduced in MacOS X 10.7 Lion).
+  It does NOT support the new version of FileVault based on the APFS
+  filesystem used in recent macOS versions.
+
+  Header formatting and changes are not supported; cryptsetup never
+  changes the metadata on the device.
+
+  FVAULT2 extension requires kernel userspace crypto API and kernel
+  driver for HFS+ (hfsplus) filesystem (available on most systems today).
+
+  Example of using FileVault2 formatted USB device:
+
+  A typical encrypted device contains three partitions; the FileVault
+  encrypted partition is here sda2:
+
+  $ lsblk -o NAME,FSTYPE,LABEL /dev/sda
+    NAME   FSTYPE  LABEL
+    sda
+    |-sda1 vfat    EFI
+    |-sda2
+    `-sda3 hfsplus Boot OS X
+
+  Note: blkid does not recognize FileVault2 format yet.
+
+  To dump metadata information about the device, you can use
+  the fvault2Dump command:
+
+  $ cryptsetup fvault2Dump /dev/sda2
+    Header information for FVAULT2 device /dev/sda2.
+    Physical volume UUID:   6f353c05-daae-4e76-a0ee-6a9569a22d81
+    Family UUID:            f82cceb0-a788-4815-945a-53d57fcd55a8
+    Logical volume offset:  67108864 [bytes]
+    Logical volume size:    3288334336 [bytes]
+    Cipher:                 aes
+    Cipher mode:            xts-plain64
+    PBKDF2 iterations:      97962
+    PBKDF2 salt:            173a4ec7447662ec79ca7a47df6c2a01
+
+ To activate the device, use open --type fvault2 option:
+
+ $ cryptsetup open --type fvault2 /dev/sda2 test
+   Enter passphrase for /dev/sda2: ...
+
+ And check the status of the active device:
+
+ $ cryptsetup status test
+   /dev/mapper/test is active.
+   type:    FVAULT2
+   cipher:  aes-xts-plain64
+   keysize: 256 bits
+   key location: dm-crypt
+   device:  /dev/sda2
+   sector size:  512
+   offset:  131072 sectors
+   size:    6422528 sectors
+   mode:    read/write
+
+ Now, if the kernel contains hfsplus filesystem driver, you can mount
+ decrypted content:
+
+ $ mount /dev/mapper/test /mnt/test
+
+ For more info about implementation, please refer to the master thesis
+ by Pavel Tobias, which was the source for this extension.
+ https://is.muni.cz/th/p0aok/?lang=en
+
+* libcryptsetup: no longer use global memory locking through mlockall()
+
+  For many years, libcryptsetup locked all memory (including dependent
+  library address space) to prevent swapping sensitive content outside
+  of RAM.
+
+  This strategy no longer works as the locking of basic libraries exceeds
+  the memory locking limit if running as a non-root user.
+
+  Libcryptsetup now locks only memory ranges containing sensitive
+  material (keys) through crypt_safe_alloc() calls.
+
+  This change solves many reported mysterious problems of unexpected
+  failures. If the initial lock was still under the limit and succeeded,
+  some following memory allocation could fail later as it exceeded
+  the locking limit. If the initial locking fails,  memory locking
+  was quietly ignored completely.
+
+  The whole crypt_memory_lock() API call is deprecated; it no longer
+  calls memlockall().
+
+* libcryptsetup: process priority is increased only for key derivation
+  (PBKDF) calls.
+
+  Increasing priority was tight to memory locking and works only if
+  running under superuser.
+  Only PBKDF calls and benchmarking now increase the process priority.
+
+* Add new LUKS keyslot context handling functions and API.
+
+  In practice, the luksAddKey action does two operations.
+  It unlocks the existing device volume key and stores the unlocked
+  volume key in a new keyslot.
+  Previously the options were limited to key files and passphrases.
+
+  Newly available methods (keyslot contexts) are passphrase, keyfile,
+  key (binary representation), and LUKS2 token.
+
+  To unlock a keyslot user may:
+    - provide existing passphrase via interactive prompt (default method)
+    - use --key-file option to provide a file with a valid passphrase
+    - provide volume key directly via --volume-key-file
+    - unlock keyslot via all available LUKS2 tokens by --token-only
+    - unlock keyslot via specific token with --token-id
+    - unlock keyslot via specific token type by --token-type
+
+  To provide the passphrase for a new keyslot, a user may:
+    - provide existing passphrase via interactive prompt (default method)
+    - use --new-keyfile to read the passphrase from the file
+    - use --new-token-id to select LUKS2 token to get passphrase
+      for new keyslot. The new keyslot is assigned to the selected token
+      id if the operation is successful.
+
+* The volume key may now be extracted using a passphrase, keyfile, or
+  token. For LUKS devices, it also returns the volume key after
+  a successful crypt_format call.
+
+* Fix --disable-luks2-reencryption configuration option.
+
+* cryptsetup: Print a better error message and warning if the format
+  produces an image without space available for data.
+
+  Activation now fails early with a more descriptive message.
+
+* Print error if anti-forensic LUKS2 hash setting is not available.
+  If the specified hash was not available, activation quietly failed.
+
+* Fix internal crypt segment compare routine if the user
+  specified cipher in kernel format (capi: prefix).
+
+* cryptsetup: Add token unassign action.
+
+  This action allows removing token binding on specific keyslot.
+
+* veritysetup: add support for --use-tasklets option.
+
+  This option sets try_verify_in_tasklet kernel dm-verity option
+  (available since Linux kernel 6.0) to allow some performance
+  improvement on specific systems.
+
+* Provide pkgconfig Require.private settings.
+
+  While we do not completely provide static build on udev systems,
+  it helps produce statically linked binaries in certain situations.
+
+* Always update automake library files if autogen.sh is run.
+
+  For several releases, we distributed older automake scripts by mistake.
+
+* reencryption: Fix user defined moved segment size in LUKS2 decryption.
+
+  The --hotzone-size argument was ignored in cases where the actual data
+  size was less than the original LUKS2 data offset.
+
+* Delegate FIPS mode detection to configured crypto backend.
+  System FIPS mode check no longer depends on /etc/system-fips file.
+
+* tests: externally provided systemd plugin is now optionally compiled
+  from systemd git and tested with cryptsetup
+
+* tests: initial integration to OSS-fuzz project with basic crypt_load()
+  test for LUKS2 and JSON mutated fuzzing.
+
+  For more info, see README in tests/fuzz directory.
+
+* Update documentation, including FAQ and man pages.
+
+Libcryptsetup API extensions
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The libcryptsetup API is backward compatible with existing symbols.
+
+New symbols:
+  crypt_keyslot_context_init_by_passphrase
+  crypt_keyslot_context_init_by_keyfile
+  crypt_keyslot_context_init_by_token
+  crypt_keyslot_context_init_by_volume_key
+  crypt_keyslot_context_get_error
+  crypt_keyslot_context_set_pin
+  crypt_keyslot_context_get_type
+  crypt_keyslot_context_free
+  crypt_keyslot_add_by_keyslot_context
+  crypt_volume_key_get_by_keyslot_context
+
+New defines:
+  CRYPT_FVAULT2 "FVAULT2" (FileVault2 compatible mode)
+
+Keyslot context types:
+  CRYPT_KC_TYPE_PASSPHRASE
+  CRYPT_KC_TYPE_KEYFILE
+  CRYPT_KC_TYPE_TOKEN
+  CRYPT_KC_TYPE_KEY
+
+  CRYPT_ACTIVATE_TASKLETS (dm-verity: use tasklets activation flag)
+
+WARNING!
+~~~~~~~~
+The next version of cryptsetup will change the encryption mode and key
+derivation option for the PLAIN format.
+
+This change will cause backward incompatibility.
+For this reason, the user will have to specify the exact parameters
+for cipher, key size, and key derivation parameters for plain format.
+
+The default encryption mode will be AES-XTS with 512bit key (AES-256).
+The CBC mode is no longer considered the best default, as it allows easy
+bit-flipped ciphertext modification attacks and performance problems.
+
+For the passphrase hashing in plain mode, the encryption key is directly
+derived through iterative hashing from a user-provided passphrase
+(except a keyfile that is not hashed).
+
+The default hash is RIPEMD160, which is no longer the best default
+option. The exact change will be yet discussed but should include
+the possibility of using a password-based key derivation function
+instead of iterative hashing.
--- a/docs/v2.6.1-ReleaseNotes
+++ b/docs/v2.6.1-ReleaseNotes
@@ -0,0 +1,50 @@
+Cryptsetup 2.6.1 Release Notes
+==============================
+Stable bug-fix release with minor extensions.
+
+All users of cryptsetup 2.6.0 should upgrade to this version.
+
+Changes since version 2.6.0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* bitlk: Fixes for BitLocker-compatible on-disk metadata parser
+  (found by new cryptsetup OSS-Fuzz fuzzers).
+  - Fix a possible memory leak if the metadata contains more than
+    one description field.
+  - Harden parsing of metadata entries for key and description entries.
+  - Fix broken metadata parsing that can cause a crash or out of memory.
+
+* Fix possible iteration overflow in OpenSSL2 PBKDF2 crypto backend.
+  OpenSSL2 uses a signed integer for PBKDF2 iteration count.
+  As cryptsetup uses an unsigned value, this can lead to overflow and
+  a decrease in the actual iteration count.
+  This situation can happen only if the user specifies
+  --pbkdf-force-iterations option.
+  OpenSSL3 (and other supported crypto backends) are not affected.
+
+* Fix compilation for new ISO C standards (gcc with -std=c11 and higher).
+
+* fvault2: Fix compilation with very old uuid.h.
+
+* verity: Fix possible hash offset setting overflow.
+
+* bitlk: Fix use of startup BEK key on big-endian platforms.
+
+* Fix compilation with latest musl library.
+  Recent musl no longer implements lseek64() in some configurations.
+  Use lseek() as 64-bit offset is mandatory for cryptsetup.
+
+* Do not initiate encryption (reencryption command) when the header and
+  data devices are the same.
+  If data device reduction is not requsted, this leads to data corruption
+  since LUKS metadata was written over the data device.
+
+* Fix possible memory leak if crypt_load() fails.
+
+* Always use passphrases with a minimal 8 chars length for benchmarking.
+  Some enterprise distributions decided to set an unconditional check
+  for PBKDF2 password length when running in FIPS mode.
+  This questionable change led to unexpected failures during LUKS format
+  and keyslot operations, where short passwords were used for
+  benchmarking PBKDF2 speed.
+  PBKDF2 benchmark calculations should not be affected by this change.
--- a/docs/v2.7.0-ReleaseNotes
+++ b/docs/v2.7.0-ReleaseNotes
@@ -0,0 +1,437 @@
+Cryptsetup 2.7.0 Release Notes
+==============================
+Stable release with new features and bug fixes.
+
+Changes since version 2.6.1
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Introduce support for hardware OPAL disk encryption.
+
+  Some SATA and NVMe devices support hardware encryption through OPAL2
+  TCG interface (SEDs - self-encrypting drives). Using hardware disk
+  encryption is controversial as you must trust proprietary hardware.
+
+  On the other side, using both software and hardware encryption
+  layers increases the security margin by adding an additional layer
+  of protection. There is usually no performance drop if OPAL encryption
+  is used (the drive always operates with full throughput), and it does
+  not add any utilization to the main CPU.
+
+  LUKS2 now supports hardware encryption through the Linux kernel
+  SED OPAL interface (CONFIG_BLK_SED_OPAL Linux kernel option must be
+  enabled). Cryptsetup OPAL is never enabled by default; you have to use
+  luksFormat parameters to use it. OPAL support can be disabled during
+  the build phase with --disable-hw-opal configure option.
+
+  LUKS2 OPAL encryption is configured the same way as software encryption
+  - it stores metadata in the LUKS2 header and activates encryption for
+  the data area on the disk (configured OPAL locking range).
+  LUKS2 header metadata must always be visible (thus not encrypted).
+  The key stored in LUKS2 keyslots contains two parts - volume key
+  for software (dm-crypt) encryption and unlocking key for OPAL.
+  OPAL unlocking key is independent of the dm-crypt volume key and is
+  always 256 bits long. Cryptsetup does not support full drive OPAL
+  encryption; only a specific locking range is always used.
+
+  If the OPAL device is in its initial factory state (after factory
+  reset), cryptsetup needs to configure the OPAL admin user and password.
+  If the OPAL admin user is already set, the OPAL password must be
+  provided during luksFormat.
+  The provided password is needed only to configure or reset the OPAL
+  locking range; LUKS device activation requires LUKS passphrase only.
+  LUKS passphrase should be different from OPAL password (OPAL admin user
+  is configured inside OPAL hardware while LUKS unlocking passphrase
+  unlocks LUKS keyslot).
+
+  OPAL encryption can be used in combination with software (dm-crypt)
+  encryption (--hw-opal option) or without the software layer
+  (--hw-opal-only option).
+  You can see the configured segment parameters in the luksDump command.
+  LUKS2 devices with OPAL segments set a new requirement flag in
+  the LUKS2 header to prevent older cryptsetup metadata manipulation.
+  Do not use hardware-only encryption if you do not fully trust your
+  hardware vendor.
+
+  Compatibility notes:
+    - Linux kernel SED interface does NOT work through USB external
+    adapters due to the missing compatibility layer in Linux USB storage
+    drivers (even if USB hardware itself can support OPAL commands).
+    - other TCG security subsystems like Ruby or Pyrite are not
+    supported. Note that many drives support only Pyrite subsystem that
+    does NOT encrypt data (it provides only authentication).
+    - compatibility among OPAL-enabled drives is often very problematic,
+    specifically for older drives. Many drives have bugs in the firmware
+    that make the Linux kernel interface unusable.
+    - if you forget the OPAL admin password, the only way to recover is
+    the full drive factory reset through the PSID key (usually printed
+    on the drive itself) that wipes all data on the drive (not only the
+    LUKS area).
+    - cryptsetup reencryption is not supported for LUKS2 OPAL-enabled
+    devices
+    - most OPAL drives use AES-XTS cipher mode (older drives can use
+    AES-CBC). This information is not available through kernel SED API.
+    - locked OPAL locking ranges return IO errors while reading; this
+    can produce a lot of scary messages in the log if some tools (like
+    blkid) try to read the locked area.
+
+  Examples:
+
+  * Formatting the drive
+  Use --hw-opal with luksFormat (or --hw-opal-only for hardware only
+  encryption):
+
+  # cryptsetup luksFormat --hw-opal <device>
+  Enter passphrase for <device>: ***
+  Enter OPAL Admin password: ***
+
+  * Check configuration with luksDump.
+  Note "hw-opal-crypt" segment that uses both dm-crypt and OPAL
+  encryption - keyslot stores 768 bits key (512 sw + 256 bits OPAL key).
+
+  # cryptsetup luksDump <device>
+    LUKS header information
+    Version:        2
+    ...
+    Data segments:
+       0: hw-opal-crypt
+         offset: 16777216 [bytes]
+         length: ... [bytes]
+         cipher: aes-xts-plain64
+         sector: 512 [bytes]
+         HW OPAL encryption:
+                OPAL segment number: 1
+                OPAL key: 256 bits
+                OPAL segment length: ... [bytes]
+     Keyslots:
+       0: luks2
+         Key:        768 bits
+      ...
+
+  For devices with OPAL encryption ONLY (only 256 bits OPAL unlocking
+  key is stored):
+     LUKS header information
+     Version:        2
+     ...
+
+     Data segments:
+        0: hw-opal
+          offset: 16777216 [bytes]
+          length: ... [bytes]
+          cipher: (no SW encryption)
+          HW OPAL encryption:
+                OPAL segment number: 1
+                OPAL key: 256 bits
+                OPAL segment length: ... [bytes]
+     Keyslots:
+       0: luks2
+         Key:        256 bits
+         ...
+
+  * Activation and deactivation (open, close, luksSuspend, luksResume)
+  with OPAL works the same as for the LUKS2 device.
+
+  * Erase LUKS metadata (keyslots) and remove OPAL locking range:
+  # cryptsetup luksErase <device>
+    Enter OPAL Admin password: ***
+
+  The LUKS header is destroyed (unlike in normal LUKS luksErase) as
+  data are no longer accessible even with previous volume key knowledge.
+
+  * Factory reset OPAL drive (if you do not know the Admin password).
+    You need the PSID (physical presence security ID), which is usually
+    printed on the device label. Note this will reset the device to
+    factory state, erasing all data on it (not only LUKS).
+
+  # cryptsetup luksErase --hw-opal-factory-reset <device>
+    Enter OPAL PSID: ***
+
+* plain mode: Set default cipher to aes-xts-plain64 and password hashing
+  to sha256.
+
+  NOTE: this is a backward incompatible change for plain mode (if you
+  rely on defaults). It is not relevant for LUKS devices.
+
+  The default plain encryption mode was CBC for a long time, with many
+  performance problems. Using XTS mode aligns it with LUKS defaults.
+
+  The hash algorithm for plain mode was ripemd160, which is considered
+  deprecated, so the new default is sha256.
+
+  The default key size remains 256 bits (it means using AES-128 as XTS
+  requires two keys).
+
+  Always specify cipher, hash, and key size for plain mode (or even
+  better, use LUKS as it stores all options in its metadata on disk).
+  As we need to upgrade algorithms from time to time because of security
+  reasons, cryptsetup now warns users to specify these options explicitly
+  in the open cryptsetup command if plain mode is used.
+  Cryptsetup does not block using any legacy encryption type; just it
+  must be specified explicitly on the cryptsetup command line.
+
+  You can configure these defaults during build time if you need to
+  enforce backward compatibility.
+  To get the backward-compatible setting, use:
+    --with-plain-hash=ripemd160 --with-plain-cipher=aes
+    --with-plain-mode=cbc-essiv:sha256
+
+  Compiled-in defaults are visible in cryptsetup --help output.
+
+* Allow activation (open), luksResume, and luksAddKey to use the volume
+  key stored in a keyring.
+* Allow to store volume key to a user-specified keyring in open and
+  luksResume commands.
+
+  These options are intended to be used for integration with other
+  systems for automation.
+
+  Users can now use the volume key (not passphrase) stored in arbitrary
+  kernel keyring and directly use it in particular cryptsetup commands
+  with --volume-key-keyring option. The keyring can use various policies
+  (set outside of the cryptsetup scope, for example, by keyctl).
+
+  The --volume-key-keyring option takes a key description in
+  keyctl-compatible syntax and can either be a numeric key ID or
+  a string name in the format [%<key type>:]<key name>.
+  The default key type is "user".
+
+  To store the volume key in a keyring, you can use cryptsetup with
+  --link-vk-to-keyring option that is available for open and luksResume
+  cryptsetup command. The option argument has a more complex format:
+  <keyring_description>::<key_description>.
+  The <keyring_description> contains the existing kernel keyring
+  description (numeric id or keyctl format). The <keyring_description>
+  may be optionally prefixed with "%:" or "%keyring:". The string "::" is
+  a delimiter that separates keyring and key descriptions.
+  The <key_description> has the same syntax as used in the
+  --volume-key-keyring option.
+
+  Example:
+
+  Open the device and store the volume key to the keyring:
+  # cryptsetup open <device> --link-vk-to-keyring "@s::%user:testkey" tst
+
+  Add keyslot using the stored key in a keyring:
+  # cryptsetup luksAddKey <device> --volume-key-keyring "%user:testkey"
+
+* Do not flush IO operations if resize grows the device.
+  This can help performance in specific cases where the encrypted device
+  is extended automatically while running many IO operations.
+
+* Use only half of detected free memory for Argon2 PBKDF on systems
+  without swap (for LUKS2 new keyslot or format operations).
+
+  This should avoid out-of-memory crashes on low-memory systems without
+  swap. The benchmark for memory-hard KDF during format is tricky, and
+  it seems that relying on the maximum half of physical memory is not
+  enough; relying on free memory should bring the needed security margin
+  while still using Argon2.
+  There is no change for systems with active swap.
+  Note, for very-low memory-constrained systems, a user should avoid
+  memory-hard PBKDF completely (manually select legacy PBKDF2 instead
+  of Argon2); cryptsetup does not change PBKDF automatically.
+
+* Add the possibility to specify a directory for external LUKS2 token
+  handlers (plugins).
+
+  Use --external-tokens-path parameter in cryptsetup or
+  crypt_token_set_external_path API call. The parameter is required to be
+  an absolute path, and it is set per process context. This parameter is
+  intended mainly for testing and developing new tokens.
+
+* Do not allow reencryption/decryption on LUKS2 devices with
+  authenticated encryption or hardware (OPAL) encryption.
+
+  The operation fails later anyway; cryptsetup now detects incompatible
+  parameters early.
+
+* Do not fail LUKS format if the operation was interrupted on subsequent
+  device wipe.
+
+  Device wipe (used with authenticated encryption) is an optional
+  operation and can be interrupted; not yet wiped part of the device will
+  only report integrity errors (until overwritten with new data).
+
+* Fix the LUKS2 keyslot option to be used while activating the device
+  by a token.
+
+  It can also be used to check if a specific token (--token-id) can
+  unlock a specific keyslot (--key-slot option) when --test-passphrase
+  option is specified.
+
+* Properly report if the dm-verity device cannot be activated due to
+  the inability to verify the signed root hash (ENOKEY).
+
+* Fix to check passphrase for selected keyslot only when adding
+  new keyslot.
+
+  If the user specifies the exact keyslot to unlock, cryptsetup no longer
+  checks other keyslots.
+
+* Fix to not wipe the keyslot area before in-place overwrite.
+
+  If the LUKS2 keyslot area has to be overwritten (due to lack of free
+  space for keyslot swap), cryptsetup does not wipe the affected area as
+  the first step (it will be overwritten later anyway).
+  Previously, there was an unnecessary risk of losing the keyslot data
+  if the code crashed before adding the new keyslot.
+
+  If there is enough space in the keyslot area, cryptsetup never
+  overwrites the older keyslot before the new one is written correctly
+  (even if the keyslot number remains the same).
+
+* bitlk: Fix segfaults when attempting to verify the volume key.
+
+  Also, clarify that verifying the volume key is impossible without
+  providing a passphrase or recovery key.
+
+* Add --disable-blkid command line option to avoid blkid device check.
+
+* Add support for the meson build system.
+
+  All basic operations are supported (compile, test, and dist) with some
+  minor exceptions; please see the meson manual for more info.
+
+  The Meson build system will completely replace autotools in some future
+  major release. Both autotools and meson build systems are supported,
+  and the release archive is built with autotools.
+
+* Fix wipe operation that overwrites the whole device if used for LUKS2
+  header with no keyslot area.
+
+  Formatting a LUKS2 device with no defined keyslots area is a very
+  specific operation, and the code now properly recognizes such
+  configuration.
+
+* Fix luksErase to work with detached LUKS header.
+
+* Disallow the use of internal kernel crypto driver names in "capi"
+  specification.
+
+  The common way to specify cipher mode in cryptsetup is to use
+  cipher-mode-iv notation (like aes-xts-plain64).
+  With the introduction of authenticated ciphers, we also allow
+  "capi:<spec>" notation that is directly used by dm-crypt
+  (e.g., capi:xts(aes)-plain64).
+
+  CAPI specification was never intended to be used directly in the LUKS
+  header; unfortunately, the code allowed it until now.
+  Devices with CAPI specification in metadata can no longer be activated;
+  header repair is required.
+
+  CAPI specification could allow attackers to change the cipher
+  specification to enforce loading some specific kernel crypto driver
+  (for example, load driver with known side-channel issues).
+  This can be problematic, specifically in a cloud environment
+  (modifying LUKS2 metadata in container image).
+
+  Thanks to Jan Wichelmann, Luca Wilke, and Thomas Eisenbarth from
+  University of Luebeck for noticing the problems with this code.
+
+* Fix reencryption to fail early for unknown cipher.
+
+* tcrypt: Support new Blake2 hash for VeraCrypt.
+
+  VeraCrypt introduces support for Blake2 PRF for PBKDF2; also support it
+  in cryptsetup compatible tcrypt format.
+
+* tcrypt: use hash values as substring for limiting KDF check.
+
+  This allows the user to specify --hash sha or --hash blake2 to limit
+  the KDF scan without the need to specify the full algorithm name
+  (similar to cipher where we already use substring match).
+
+* Add Aria cipher support and block size info.
+
+  Aria cipher is similar to AES and is supported in Linux kernel crypto
+  API in recent releases.
+  It can be now used also for LUKS keyslot encryption.
+
+* Do not decrease PBKDF parameters if the user forces them.
+
+  If a user explicitly specifies PBKDF parameters (like iterations,
+  used memory, or threads), do not limit them, even if it can cause
+  resource exhaustion.
+  The force options were mostly used for decreasing parameters, but it
+  should work even opposite - despite the fact it can mean an
+  out-of-memory crash.
+
+  The only limits are hard limits per the PBKDF algorithm.
+
+* Support OpenSSL 3.2 Argon2 implementation.
+
+  Argon2 is now available directly in OpenSSL, so the code no longer
+  needs to use libargon implementation.
+  Configure script should detect this automatically.
+
+* Add support for Argon2 from libgcrypt
+  (requires yet unreleased gcrypt 1.11).
+
+  Argon2 has been available since version 1.10, but we need version 1.11,
+  which will allow empty passwords.
+
+* Used Argon2 PBKDF implementation is now reported in debug mode
+  in the cryptographic backend version. For native support in
+  OpenSSL 3.2 or libgcrypt 1.11, "argon2" is displayed.
+  If libargon2 is used, "cryptsetup libargon2" (for embedded
+  library) or "external libargon2" is displayed.
+
+* Link only libcrypto from OpenSSL.
+
+  This reduces dependencies as other OpenSSL libraries are not needed.
+
+* Disable reencryption for Direct-Access (DAX) devices.
+
+  Linux kernel device-mapper cannot stack DAX/non-DAX devices in
+  the mapping table, so online reencryption cannot work. Detect DAX
+  devices and warn users during LUKS format. Also, DAX or persistent
+  memory devices do not provide atomic sector updates; any single
+  modification can corrupt the whole encryption block.
+
+* Print a warning message if the device is not aligned to sector size.
+
+  If a partition is resized after format, activation could fail when
+  the device is not multiple of a sector size. Print at least a warning
+  here, as the activation error message is visible only in kernel syslog.
+
+* Fix sector size and integrity fields display for non-LUKS2 crypt
+  devices for the status command.
+
+* Fix suspend for LUKS2 with authenticated encryption (also suspend
+  dm-integrity device underneath).
+
+  This should stop the dm-integrity device from issuing journal updates
+  and possibly corrupt data if the user also tries to modify the
+  underlying device.
+
+* Update keyring and locking documentation and LUKS2 specification
+  for OPAL2 support.
+
+Libcryptsetup API extensions
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The libcryptsetup API is backward compatible for all existing symbols.
+
+New symbols:
+  crypt_activate_by_keyslot_context
+  crypt_format_luks2_opal
+  crypt_get_hw_encryption_type
+  crypt_get_hw_encryption_key_size
+  crypt_keyslot_context_init_by_keyring
+  crypt_keyslot_context_init_by_vk_in_keyring
+  crypt_keyslot_context_init_by_signed_key
+  crypt_resume_by_keyslot_context
+  crypt_token_set_external_path
+  crypt_set_keyring_to_link
+  crypt_wipe_hw_opal
+
+New defines (hw encryption status):
+  CRYPT_SW_ONLY
+  CRYPT_OPAL_HW_ONLY
+  CRYPT_SW_AND_OPAL_HW
+
+New keyslot context types:
+  CRYPT_KC_TYPE_KEYRING
+  CRYPT_KC_TYPE_VK_KEYRING
+  CRYPT_KC_TYPE_SIGNED_KEY
+
+New requirement flag:
+  CRYPT_REQUIREMENT_OPAL
--- a/docs/v2.7.1-ReleaseNotes
+++ b/docs/v2.7.1-ReleaseNotes
@@ -0,0 +1,30 @@
+Cryptsetup 2.7.1 Release Notes
+==============================
+Stable bug-fix release with minor extensions.
+
+All users of cryptsetup 2.7.0 should upgrade to this version.
+
+Changes since version 2.7.0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Fix interrupted LUKS1 decryption resume.
+  With the replacement of the cryptsetup-reencrypt tool by the cryptsetup
+  reencrypt command, resuming the interrupted LUKS1 decryption operation
+  could fail. LUKS2 was not affected.
+
+* Allow --link-vk-to-keyring with --test-passphrase option.
+  This option allows uploading the volume key in a user-specified kernel
+  keyring without activating the device.
+
+* Fix crash when --active-name was used in decryption initialization.
+
+* Updates and changes to man pages, including indentation, sorting options
+  alphabetically, fixing mistakes in crypt_set_keyring_to_link, and fixing
+  some typos.
+
+* Fix compilation with libargon2 when --disable-internal-argon2 was used.
+
+* Do not require installed argon2.h header and never compile internal
+  libargon2 code if the crypto library directly supports Argon2.
+
+* Fixes to regression tests to support older Linux distributions.
--- a/docs/v2.7.2-ReleaseNotes
+++ b/docs/v2.7.2-ReleaseNotes
@@ -0,0 +1,31 @@
+Cryptsetup 2.7.2 Release Notes
+==============================
+Stable bug-fix release.
+
+All users of cryptsetup 2.7 should upgrade to this version.
+
+Changes since version 2.7.1
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+* Fix activation of OPAL-only encrypted LUKS device with tokens.
+  The issue was caused by an invalid volume key check (assert)
+  that is impossible without software encryption.
+
+* Fix formatting of OPAL devices with 4096-byte sector size.
+
+* Fix incorrect OPAL locking range alignment calculation if used
+  over an unaligned device partition.
+
+* Add --hw-opal-factory-reset option description to the manual page.
+
+* Do not check the passphrase quality for OPAL Admin PIN,
+  as this passphrase already exists.
+
+* Update license for FAQ document to CC BY-SA 4.0.
+
+NOTE: Please note that with OPAL-only (--hw-opal-only) encryption,
+the configured OPAL administrator PIN (passphrase) allows unlocking
+all configured locking ranges without LUKS keyslot decryption
+(without knowledge of LUKS passphrase).
+Because of many observed problems with compatibility, cryptsetup
+currently DOES NOT use OPAL single-user mode, which would allow such
+decoupling of OPAL admin PIN access.
--- a/docs/v2.7.3-ReleaseNotes
+++ b/docs/v2.7.3-ReleaseNotes
@@ -0,0 +1,114 @@
+Cryptsetup 2.7.3 Release Notes
+==============================
+Stable bug-fix release with security fixes.
+
+All users of cryptsetup 2.7 must upgrade to this version.
+
+Changes since version 2.7.2
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Do not allow formatting LUKS2 with Opal SED (hardware encryption)
+  if the reported logical sector size for the block device and Opal
+  encryption logical block differs.
+
+  Such a configuration can lead to a partially encrypted Opal locking
+  range or data destruction following the expected locking range.
+
+  Some NVMe drives support multiple LBAF profiles (typically supporting
+  512-byte and 4096-byte sector size). Some broken Opal NVMe firmware can
+  report bogus encryption size that disagrees with real used sector size.
+  This usually happens after low-level NVMe reformatting (LBAF profile
+  change with nvme utility) to different sector size.
+  Moreover, some firmware versions do not properly reset this even after
+  explicit PSID revert.
+
+  Cryptsetup calculates the Opal locking range using the reported block
+  size in Opal geometry ioctl.  Unfortunately, the broken firmware drive
+  internally uses the logical block size of the block device, which can
+  differ. This can lead to two possible situations:
+
+  - Opal reports a smaller block size (512-byte) while the drive uses
+  a 4096-byte sector. The configured locking range is then much larger,
+  destroying data following the expected locking range setting.
+
+  - Opal reports a larger block size (4096-byte) while the drive uses
+  a 512-byte sector. The configured locking range is then much smaller,
+  leaving the remaining space in the locking range unencrypted (violating
+  the confidentiality of data).
+
+  Cryptsetup now detects this discrepancy and disallows LUKS2 format with
+  Opal hardware encryption in such a case.
+
+  For already formatted devices, you will see this warning:
+    "Bogus OPAL logical block size differs from device block size."
+
+  If you also used software encryption (dm-crypt over Opal), data will
+  still be fully encrypted with software dm-crypt.
+  With hw-only encryption,  your configuration is probably already broken
+  (insecure or accessing data beyond the assigned area).
+
+  Note that this is caused by bad firmware (seen with multiple vendors),
+  and the problem was reported, at least for drives we have access to.
+
+* Fixes to wiping LUKS2 headers after Opal locking area erase.
+
+  As the hardware locking range is destroyed (cryptsetup erase command),
+  the LUKS2 header is no longer usable and was partially wiped.
+  Now the code fully wipes also the secondary header, as the previous
+  code wiped only the primary LUKS area.
+
+  Note that this is an exception, as the normal erase command wipes only
+  the keyslots, keeping the LUKS2 header in place.  With Opal encryption,
+  the data segment is no longer valid, so the whole LUKS2 header is no
+  longer usable.
+
+* Mention the need for possible PSID revert before Opal format for some
+  drives (man page).
+
+* Fix Bitlocker-compatible code to ignore newly seen metadata entries.
+
+  Recent Windows OS versions started to include new (undocumented)
+  metadata entries in Bitlocker. These entries are now quietly ignored,
+  allowing Bitlocker images to open with cryptsetup again.
+
+* Fix interactive query retry if LUKS2 unbound keyslot is present.
+
+  If an unbound keyslot is present, the password query retry count is
+  now properly applied.
+
+* Detect unsupported zoned devices for LUKS header devices.
+
+  Zoned devices cannot be written with direct-io and used for LUKS header
+  logic in general. Code now rejects placing the LUKS header on a zoned
+  device, while you can still create a detached header and use a zoned
+  device for encrypted data.
+
+* Allow "capi" cipher format for benchmark command and fix parsing
+  of plain IV in "capi" format.
+
+  Some ciphers can be specified only in Linux kernel crypto notation
+  (in short, "capi"). Code now allows this format also for benchmark,
+  for example, "benchmark -c capi:xts\(aes\)-plain64"
+  (that is equivalent to -c aes-xts-plain64).
+
+* Add support for HCTR2 encryption mode.
+
+  The HCTR2 encryption mode was added to the Linux kernel for fscrypt,
+  but as it is a length-preserving mode (with sector tweak), it can be
+  easily used for disk encryption, too.
+  The mode has the same property as wide modes (any change is propagated
+  to the whole sector instead of only one block as in XTS mode).
+
+  As it needs a larger initialization vector (32 bytes), we need to add
+  an exception in the userspace format code.
+  You can now use --cipher aes-hctr2-plain64 for the format operation.
+
+* Source code now uses SPDX license identifiers instead of full
+  license preambles.
+
+* Fix missing includes for cryptographic backend that could cause
+  compilation errors for some systems.
+
+* Fix tests to work correctly in FIPS mode with recent OpenSSL 3.2.
+
+* Fix various (mostly false positive) issues detected by Coverity.
--- a/lib/Makemodule.am
+++ b/lib/Makemodule.am
@@ -53,8 +53,6 @@ libcryptsetup_la_SOURCES = \
 	lib/utils_loop.h		\
 	lib/utils_devpath.c		\
 	lib/utils_wipe.c		\
-	lib/utils_fips.c		\
-	lib/utils_fips.h		\
 	lib/utils_device.c		\
 	lib/utils_keyring.c		\
 	lib/utils_keyring.h		\
@@ -75,6 +73,8 @@ libcryptsetup_la_SOURCES = \
 	lib/loopaes/loopaes.c		\
 	lib/tcrypt/tcrypt.h		\
 	lib/tcrypt/tcrypt.c		\
+	lib/keyslot_context.h		\
+	lib/keyslot_context.c		\
 	lib/luks1/af.h			\
 	lib/luks1/af.c			\
 	lib/luks1/keyencryption.c	\
@@ -103,7 +103,11 @@ libcryptsetup_la_SOURCES = \
 	lib/luks2/luks2_token.c		\
 	lib/luks2/luks2_internal.h	\
 	lib/luks2/luks2.h		\
+	lib/luks2/hw_opal/hw_opal.c	\
+	lib/luks2/hw_opal/hw_opal.h	\
 	lib/utils_blkid.c		\
 	lib/utils_blkid.h		\
 	lib/bitlk/bitlk.h		\
-	lib/bitlk/bitlk.c
+	lib/bitlk/bitlk.c		\
+	lib/fvault2/fvault2.h		\
+	lib/fvault2/fvault2.c
--- a/lib/bitlk/bitlk.c
+++ b/lib/bitlk/bitlk.c
@@ -1,23 +1,10 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * BITLK (BitLocker-compatible) volume handling
 *
- * Copyright (C) 2019-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2019-2022 Milan Broz
- * Copyright (C) 2019-2022 Vojtech Trefny
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2019-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2019-2024 Milan Broz
+ * Copyright (C) 2019-2024 Vojtech Trefny
 */

 #include <errno.h>
@@ -255,13 +242,16 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
 		    (*vmk)->protection == BITLK_PROTECTION_RECOVERY_PASSPHRASE ||
 		    (*vmk)->protection == BITLK_PROTECTION_STARTUP_KEY;

-	while (end - start > 2) {
+	while ((end - start) >= (ssize_t)(sizeof(key_entry_size) + sizeof(key_entry_type) + sizeof(key_entry_value))) {
 		/* size of this entry */
 		memcpy(&key_entry_size, data + start, sizeof(key_entry_size));
 		key_entry_size = le16_to_cpu(key_entry_size);
 		if (key_entry_size == 0)
 			break;

+		if (key_entry_size > (end - start))
+			return -EINVAL;
+
 		/* type and value of this entry */
 		memcpy(&key_entry_type, data + start + sizeof(key_entry_size), sizeof(key_entry_type));
 		memcpy(&key_entry_value,
@@ -280,20 +270,24 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
 		}

 		/* stretch key with salt, skip 4 B (encryption method of the stretch key) */
-		if (key_entry_value == BITLK_ENTRY_VALUE_STRETCH_KEY)
+		if (key_entry_value == BITLK_ENTRY_VALUE_STRETCH_KEY) {
+			if ((end - start) < (BITLK_ENTRY_HEADER_LEN + BITLK_SALT_SIZE + 4))
+				return -EINVAL;
 			memcpy((*vmk)->salt,
 			       data + start + BITLK_ENTRY_HEADER_LEN + 4,
-			       sizeof((*vmk)->salt));
+			       BITLK_SALT_SIZE);
 		/* AES-CCM encrypted key */
-		else if (key_entry_value == BITLK_ENTRY_VALUE_ENCRYPTED_KEY) {
+		} else if (key_entry_value == BITLK_ENTRY_VALUE_ENCRYPTED_KEY) {
+			if (key_entry_size < (BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE))
+				return -EINVAL;
 			/* nonce */
 			memcpy((*vmk)->nonce,
 			       data + start + BITLK_ENTRY_HEADER_LEN,
-			       sizeof((*vmk)->nonce));
+			       BITLK_NONCE_SIZE);
 			/* MAC tag */
 			memcpy((*vmk)->mac_tag,
 			       data + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE,
-			       sizeof((*vmk)->mac_tag));
+			       BITLK_VMK_MAC_TAG_SIZE);
 			/* AES-CCM encrypted key */
 			key_size = key_entry_size - (BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE);
 			key = (const char *) data + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE;
@@ -317,7 +311,12 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
 		/* unknown timestamps in recovery protected VMK */
 		} else if (key_entry_value == BITLK_ENTRY_VALUE_RECOVERY_TIME) {
 			;
+		/* optional hint (?) string (masked email?), we can safely ignore it */
+		} else if (key_entry_value == BITLK_ENTRY_VALUE_HINT) {
+			;
 		} else if (key_entry_value == BITLK_ENTRY_VALUE_STRING) {
+			if (key_entry_size < BITLK_ENTRY_HEADER_LEN)
+				return -EINVAL;
 			string = malloc((key_entry_size - BITLK_ENTRY_HEADER_LEN) * 2 + 1);
 			if (!string)
 				return -ENOMEM;
@@ -344,6 +343,9 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
 		/* no idea what this is, lets hope it's not important */
 		} else if (key_entry_value == BITLK_ENTRY_VALUE_USE_KEY && (*vmk)->protection == BITLK_PROTECTION_STARTUP_KEY) {
 			;
+		/* quietly ignore unsupported TPM key */
+		} else if (key_entry_value == BITLK_ENTRY_VALUE_TPM_KEY && (*vmk)->protection == BITLK_PROTECTION_TPM) {
+			;
 		} else {
 			if (supported) {
 				log_err(cd, _("Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."), key_entry_value);
@@ -405,6 +407,7 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 	struct bitlk_fve_metadata fve = {};
 	struct bitlk_entry_vmk entry_vmk = {};
 	uint8_t *fve_entries = NULL;
+	size_t fve_entries_size = 0;
 	uint32_t fve_metadata_size = 0;
 	int fve_offset = 0;
 	char guid_buf[UUID_STR_LEN] = {0};
@@ -413,7 +416,6 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 	int i = 0;
 	int r = 0;
 	int start = 0;
-	int end = 0;
 	size_t key_size = 0;
 	const char *key = NULL;
 	char *description = NULL;
@@ -514,7 +516,6 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)

 	params->volume_size = le64_to_cpu(fve.volume_size);
 	params->metadata_version = le16_to_cpu(fve.fve_version);
-	fve_metadata_size = le32_to_cpu(fve.metadata_size);

 	switch (le16_to_cpu(fve.encryption)) {
 	/* AES-CBC with Elephant difuser */
@@ -569,40 +570,56 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)

 	params->creation_time = filetime_to_unixtime(le64_to_cpu(fve.creation_time));

+	fve_metadata_size = le32_to_cpu(fve.metadata_size);
+	if (fve_metadata_size < (BITLK_FVE_METADATA_HEADER_LEN + sizeof(entry_size) + sizeof(entry_type)) ||
+	    fve_metadata_size > BITLK_FVE_METADATA_SIZE) {
+		r = -EINVAL;
+		goto out;
+	}
+	fve_entries_size = fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN;
+
 	/* read and parse all FVE metadata entries */
-	fve_entries = malloc(fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN);
+	fve_entries = malloc(fve_entries_size);
 	if (!fve_entries) {
 		r = -ENOMEM;
 		goto out;
 	}
-	memset(fve_entries, 0, (fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN));
+	memset(fve_entries, 0, fve_entries_size);

-	log_dbg(cd, "Reading BITLK FVE metadata entries of size %" PRIu32 " on device %s, offset %" PRIu64 ".",
-		fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN, device_path(device),
-		params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN);
+	log_dbg(cd, "Reading BITLK FVE metadata entries of size %zu on device %s, offset %" PRIu64 ".",
+		fve_entries_size, device_path(device), params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN);

 	if (read_lseek_blockwise(devfd, device_block_size(cd, device),
-		device_alignment(device), fve_entries, fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN,
-		params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN) != (ssize_t)(fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN)) {
+		device_alignment(device), fve_entries, fve_entries_size,
+		params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN) != (ssize_t)fve_entries_size) {
 		log_err(cd, _("Failed to read BITLK metadata entries from %s."), device_path(device));
 		r = -EINVAL;
 		goto out;
 	}

-	end = fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN;
-	while (end - start > 2) {
+	while ((fve_entries_size - start) >= (sizeof(entry_size) + sizeof(entry_type))) {
+
 		/* size of this entry */
 		memcpy(&entry_size, fve_entries + start, sizeof(entry_size));
 		entry_size = le16_to_cpu(entry_size);
 		if (entry_size == 0)
 			break;

+		if (entry_size > (fve_entries_size - start)) {
+			r = -EINVAL;
+			goto out;
+		}
+
 		/* type of this entry */
 		memcpy(&entry_type, fve_entries + start + sizeof(entry_size), sizeof(entry_type));
 		entry_type = le16_to_cpu(entry_type);

 		/* VMK */
 		if (entry_type == BITLK_ENTRY_TYPE_VMK) {
+			if (entry_size < (BITLK_ENTRY_HEADER_LEN + sizeof(entry_vmk))) {
+				r = -EINVAL;
+				goto out;
+			}
 			/* skip first four variables in the entry (entry size, type, value and version) */
 			memcpy(&entry_vmk,
 			       fve_entries + start + BITLK_ENTRY_HEADER_LEN,
@@ -639,7 +656,11 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 			vmk_p = vmk;
 			vmk = vmk->next;
 		/* FVEK */
-		} else if (entry_type == BITLK_ENTRY_TYPE_FVEK) {
+		} else if (entry_type == BITLK_ENTRY_TYPE_FVEK && !params->fvek) {
+			if (entry_size < (BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE)) {
+				r = -EINVAL;
+				goto out;
+			}
 			params->fvek = malloc(sizeof(struct bitlk_fvek));
 			if (!params->fvek) {
 				r = -ENOMEM;
@@ -647,11 +668,11 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 			}
 			memcpy(params->fvek->nonce,
 			       fve_entries + start + BITLK_ENTRY_HEADER_LEN,
-			       sizeof(params->fvek->nonce));
+			       BITLK_NONCE_SIZE);
 			/* MAC tag */
 			memcpy(params->fvek->mac_tag,
 			       fve_entries + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE,
-			       sizeof(params->fvek->mac_tag));
+			       BITLK_VMK_MAC_TAG_SIZE);
 			/* AES-CCM encrypted key */
 			key_size = entry_size - (BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE);
 			key = (const char *) fve_entries + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE;
@@ -663,19 +684,29 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 		/* volume header info (location and size) */
 		} else if (entry_type == BITLK_ENTRY_TYPE_VOLUME_HEADER) {
 			struct bitlk_entry_header_block entry_header;
+			if ((fve_entries_size - start) < (BITLK_ENTRY_HEADER_LEN + sizeof(entry_header))) {
+				r = -EINVAL;
+				goto out;
+			}
 			memcpy(&entry_header,
 			       fve_entries + start + BITLK_ENTRY_HEADER_LEN,
 			       sizeof(entry_header));
 			params->volume_header_offset = le64_to_cpu(entry_header.offset);
 			params->volume_header_size = le64_to_cpu(entry_header.size);
 		/* volume description (utf-16 string) */
-		} else if (entry_type == BITLK_ENTRY_TYPE_DESCRIPTION) {
-			description = malloc((entry_size - BITLK_ENTRY_HEADER_LEN - BITLK_ENTRY_HEADER_LEN) * 2 + 1);
-			if (!description)
-				return -ENOMEM;
+		} else if (entry_type == BITLK_ENTRY_TYPE_DESCRIPTION && !params->description) {
+			if (entry_size < BITLK_ENTRY_HEADER_LEN) {
+				r = -EINVAL;
+				goto out;
+			}
+			description = malloc((entry_size - BITLK_ENTRY_HEADER_LEN) * 2 + 1);
+			if (!description) {
+				r = -ENOMEM;
+				goto out;
+			}
 			r = crypt_utf16_to_utf8(&description, CONST_CAST(char16_t *)(fve_entries + start + BITLK_ENTRY_HEADER_LEN),
 					                  entry_size - BITLK_ENTRY_HEADER_LEN);
-			if (r < 0 || !description) {
+			if (r < 0) {
 				free(description);
 				BITLK_bitlk_vmk_free(vmk);
 				log_err(cd, _("Failed to convert BITLK volume description"));
@@ -697,6 +728,7 @@ int BITLK_dump(struct crypt_device *cd, struct device *device, struct bitlk_meta
 {
 	struct volume_key *vk_p;
 	struct bitlk_vmk *vmk_p;
+	char time[32];
 	int next_id = 0;
 	int i = 0;

@@ -705,7 +737,8 @@ int BITLK_dump(struct crypt_device *cd, struct device *device, struct bitlk_meta
 	log_std(cd, "GUID:         \t%s\n", params->guid);
 	log_std(cd, "Sector size:  \t%u [bytes]\n", params->sector_size);
 	log_std(cd, "Volume size:  \t%" PRIu64 " [bytes]\n", params->volume_size);
-	log_std(cd, "Created:      \t%s", ctime((time_t *)&(params->creation_time)));
+	if (ctime_r((time_t *)&params->creation_time, time))
+		log_std(cd, "Created:      \t%s", time);
 	log_std(cd, "Description:  \t%s\n", params->description);
 	log_std(cd, "Cipher name:  \t%s\n", params->cipher);
 	log_std(cd, "Cipher mode:  \t%s\n", params->cipher_mode);
@@ -773,13 +806,13 @@ static int get_recovery_key(struct crypt_device *cd,
 	    - each part is a number dividable by 11
 	*/
 	if (passwordLen != BITLK_RECOVERY_KEY_LEN) {
-                if (passwordLen == BITLK_RECOVERY_KEY_LEN + 1 && password[passwordLen - 1] == '\n') {
-                        /* looks like a recovery key with an extra newline, possibly from a key file */
-                        passwordLen--;
-                        log_dbg(cd, "Possible extra EOL stripped from the recovery key.");
-                } else
-                        return 0;
-        }
+		if (passwordLen == BITLK_RECOVERY_KEY_LEN + 1 && password[passwordLen - 1] == '\n') {
+			/* looks like a recovery key with an extra newline, possibly from a key file */
+			passwordLen--;
+			log_dbg(cd, "Possible extra EOL stripped from the recovery key.");
+		} else
+			return 0;
+	}

 	for (i = BITLK_RECOVERY_PART_LEN; i < passwordLen; i += BITLK_RECOVERY_PART_LEN + 1) {
 		if (password[i] != '-')
@@ -822,13 +855,16 @@ static int parse_external_key_entry(struct crypt_device *cd,
 	struct bitlk_guid guid;
 	char guid_buf[UUID_STR_LEN] = {0};

-	while (end - start > 2) {
+	while ((end - start) >= (ssize_t)(sizeof(key_entry_size) + sizeof(key_entry_type) + sizeof(key_entry_value))) {
 		/* size of this entry */
 		memcpy(&key_entry_size, data + start, sizeof(key_entry_size));
 		key_entry_size = le16_to_cpu(key_entry_size);
 		if (key_entry_size == 0)
 			break;

+		if (key_entry_size > (end - start))
+			return -EINVAL;
+
 		/* type and value of this entry */
 		memcpy(&key_entry_type, data + start + sizeof(key_entry_size), sizeof(key_entry_type));
 		memcpy(&key_entry_value,
@@ -843,6 +879,8 @@ static int parse_external_key_entry(struct crypt_device *cd,
 		}

 		if (key_entry_value == BITLK_ENTRY_VALUE_KEY) {
+			if (key_entry_size < (BITLK_ENTRY_HEADER_LEN + 4))
+				return -EINVAL;
 			key_size = key_entry_size - (BITLK_ENTRY_HEADER_LEN + 4);
 			key = (const char *) data + start + BITLK_ENTRY_HEADER_LEN + 4;
 			*vk = crypt_alloc_volume_key(key_size, key);
@@ -854,6 +892,8 @@ static int parse_external_key_entry(struct crypt_device *cd,
 			;
 		/* GUID of the BitLocker device we are trying to open with this key */
 		else if (key_entry_value == BITLK_ENTRY_VALUE_GUID) {
+			if ((end - start) < (ssize_t)(BITLK_ENTRY_HEADER_LEN + sizeof(struct bitlk_guid)))
+				return -EINVAL;
 			memcpy(&guid, data + start + BITLK_ENTRY_HEADER_LEN, sizeof(struct bitlk_guid));
 			guid_to_string(&guid, guid_buf);
 			if (strcmp(guid_buf, params->guid) != 0) {
@@ -887,7 +927,7 @@ static int get_startup_key(struct crypt_device *cd,
 	uint16_t key_entry_type = 0;
 	uint16_t key_entry_value = 0;

-	if (passwordLen < BITLK_BEK_FILE_HEADER_LEN)
+	if (passwordLen < (BITLK_BEK_FILE_HEADER_LEN + sizeof(key_entry_size) + sizeof(key_entry_type) + sizeof(key_entry_value)))
 		return -EPERM;

 	memcpy(&bek_header, password, BITLK_BEK_FILE_HEADER_LEN);
@@ -899,13 +939,14 @@ static int get_startup_key(struct crypt_device *cd,
 	else
 		return -EPERM;

-	if (bek_header.metadata_version != 1) {
-		log_err(cd, _("Unsupported BEK metadata version %" PRIu32), bek_header.metadata_version);
+	if (le32_to_cpu(bek_header.metadata_version) != 1) {
+		log_err(cd, _("Unsupported BEK metadata version %" PRIu32), le32_to_cpu(bek_header.metadata_version));
 		return -ENOTSUP;
 	}

-	if (bek_header.metadata_size != passwordLen) {
-		log_err(cd, _("Unexpected BEK metadata size %" PRIu32 " does not match BEK file length"), bek_header.metadata_size);
+	if (le32_to_cpu(bek_header.metadata_size) != passwordLen) {
+		log_err(cd, _("Unexpected BEK metadata size %" PRIu32 " does not match BEK file length"),
+			le32_to_cpu(bek_header.metadata_size));
 		return -EINVAL;
 	}

@@ -936,8 +977,7 @@ static int get_startup_key(struct crypt_device *cd,
 	}
 }

-static int bitlk_kdf(struct crypt_device *cd,
-		     const char *password,
+static int bitlk_kdf(const char *password,
 		     size_t passwordLen,
 		     bool recovery,
 		     const uint8_t *salt,
@@ -1074,7 +1114,7 @@ int BITLK_get_volume_key(struct crypt_device *cd,
 	next_vmk = params->vmks;
 	while (next_vmk) {
 		if (next_vmk->protection == BITLK_PROTECTION_PASSPHRASE) {
-			r = bitlk_kdf(cd, password, passwordLen, false, next_vmk->salt, &vmk_dec_key);
+			r = bitlk_kdf(password, passwordLen, false, next_vmk->salt, &vmk_dec_key);
 			if (r) {
 				/* something wrong happened, but we still want to check other key slots */
 				next_vmk = next_vmk->next;
@@ -1094,7 +1134,7 @@ int BITLK_get_volume_key(struct crypt_device *cd,
 				continue;
 			}
 			log_dbg(cd, "Trying to use given password as a recovery key.");
-			r = bitlk_kdf(cd, recovery_key->key, recovery_key->keylength,
+			r = bitlk_kdf(recovery_key->key, recovery_key->keylength,
 				      true, next_vmk->salt, &vmk_dec_key);
 			crypt_free_volume_key(recovery_key);
 			if (r)
--- a/lib/bitlk/bitlk.h
+++ b/lib/bitlk/bitlk.h
@@ -1,23 +1,10 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * BITLK (BitLocker-compatible) header definition
 *
- * Copyright (C) 2019-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2019-2022 Milan Broz
- * Copyright (C) 2019-2022 Vojtech Trefny
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2019-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2019-2024 Milan Broz
+ * Copyright (C) 2019-2024 Vojtech Trefny
 */

 #ifndef _CRYPTSETUP_BITLK_H
@@ -78,6 +65,7 @@ typedef enum {
 	BITLK_ENTRY_VALUE_OFFSET_SIZE = 0x000f,
 	BITLK_ENTRY_VALUE_RECOVERY_TIME = 0x015,
 	BITLK_ENTRY_VALUE_GUID = 0x0017,
+	BITLK_ENTRY_VALUE_HINT = 0x0018,
 } BITLKFVEEntryValue;

 struct bitlk_vmk {
--- a/lib/crypt_plain.c
+++ b/lib/crypt_plain.c
@@ -1,23 +1,10 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
 * cryptsetup plain device helper functions
 *
 * Copyright (C) 2004 Jana Saout <jana@saout.de>
- * Copyright (C) 2010-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2022 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2024 Milan Broz
 */

 #include <string.h>
--- a/lib/crypto_backend/argon2/meson.build
+++ b/lib/crypto_backend/argon2/meson.build
@@ -0,0 +1,28 @@
+libargon2_sources = files(
+    'blake2/blake2b.c',
+    'argon2.c',
+    'core.c',
+    'encoding.c',
+    'thread.c',
+)
+
+if use_internal_sse_argon2
+    libargon2_sources += files(
+        'opt.c',
+    )
+else
+    libargon2_sources += files(
+        'ref.c',
+    )
+endif
+
+libargon2 = static_library('argon2',
+    libargon2_sources,
+    override_options : ['c_std=c89', 'optimization=3'],
+    build_by_default : false,
+    include_directories: include_directories(
+        'blake2',
+    ),
+    dependencies : [
+        threads,
+    ])
--- a/lib/crypto_backend/argon2_generic.c
+++ b/lib/crypto_backend/argon2_generic.c
@@ -1,42 +1,30 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * Argon2 PBKDF2 library wrapper
 *
- * Copyright (C) 2016-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2016-2022 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2016-2024 Milan Broz
 */

 #include <errno.h>
 #include "crypto_backend_internal.h"
+
+/* Check for HAVE_ARGON2_H is run only if libargon2 code is used */
+#if USE_INTERNAL_ARGON2 || HAVE_ARGON2_H
+
+#define CONST_CAST(x) (x)(uintptr_t)
+
 #if HAVE_ARGON2_H
 #include <argon2.h>
 #else
 #include "argon2/argon2.h"
 #endif

-#define CONST_CAST(x) (x)(uintptr_t)
-
 int argon2(const char *type, const char *password, size_t password_length,
 	   const char *salt, size_t salt_length,
 	   char *key, size_t key_length,
 	   uint32_t iterations, uint32_t memory, uint32_t parallel)
 {
-#if !USE_INTERNAL_ARGON2 && !HAVE_ARGON2_H
-	return -EINVAL;
-#else
 	argon2_type atype;
 	argon2_context context = {
 		.flags = ARGON2_DEFAULT_FLAGS,
@@ -54,6 +42,9 @@ int argon2(const char *type, const char *password, size_t password_length,
 	};
 	int r;

+	/* This code must not be run if crypt backend library natively supports Argon2 */
+	assert(!(crypt_backend_flags() & CRYPT_BACKEND_ARGON2));
+
 	if (!strcmp(type, "argon2i"))
 		atype = Argon2_i;
 	else if(!strcmp(type, "argon2id"))
@@ -75,5 +66,33 @@ int argon2(const char *type, const char *password, size_t password_length,
 	}

 	return r;
-#endif
+}
+
+#else /* USE_INTERNAL_ARGON2 || HAVE_ARGON2_H */
+#pragma GCC diagnostic ignored "-Wunused-parameter"
+
+int argon2(const char *type, const char *password, size_t password_length,
+	   const char *salt, size_t salt_length,
+	   char *key, size_t key_length,
+	   uint32_t iterations, uint32_t memory, uint32_t parallel)
+{
+	return -EINVAL;
+}
+
+#endif
+
+/* Additional string for crypt backend version */
+const char *crypt_argon2_version(void)
+{
+	const char *version = "";
+
+	if (crypt_backend_flags() & CRYPT_BACKEND_ARGON2)
+		return version;
+
+#if HAVE_ARGON2_H /* this has priority over internal argon2 */
+	version = " [external libargon2]";
+#elif USE_INTERNAL_ARGON2
+	version = " [cryptsetup libargon2]";
+#endif
+	return version;
 }
--- a/lib/crypto_backend/base64.c
+++ b/lib/crypto_backend/base64.c
@@ -1,30 +1,16 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * Base64 "Not encryption" helpers, copied and adapted from systemd project.
 *
 * Copyright (C) 2010 Lennart Poettering
 *
 * cryptsetup related changes
- * Copyright (C) 2021-2022 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2021-2024 Milan Broz
 */

 #include <errno.h>
 #include <stdlib.h>
 #include <limits.h>
-#include <assert.h>

 #include "crypto_backend.h"

--- a/lib/crypto_backend/cipher_check.c
+++ b/lib/crypto_backend/cipher_check.c
@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * Cipher performance check
 *
- * Copyright (C) 2018-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2018-2022 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2024 Milan Broz
 */

 #include <errno.h>
--- a/lib/crypto_backend/cipher_generic.c
+++ b/lib/crypto_backend/cipher_generic.c
@@ -1,27 +1,13 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * Linux kernel cipher generic utilities
 *
- * Copyright (C) 2018-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2018-2022 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2024 Milan Broz
 */

-#include <string.h>
-#include <stdbool.h>
 #include <errno.h>
+#include <strings.h>
 #include "crypto_backend.h"

 struct cipher_alg {
@@ -51,6 +37,7 @@ static const struct cipher_alg cipher_algs[] = {
 	{ "xchacha12,aes", "adiantum", 32, false },
 	{ "xchacha20,aes", "adiantum", 32, false },
 	{ "sm4",         NULL, 16, false },
+	{ "aria",        NULL, 16, false },
 	{ NULL,          NULL,  0, false }
 };

@@ -75,6 +62,9 @@ int crypt_cipher_ivsize(const char *name, const char *mode)
 	if (!ca)
 		return -EINVAL;

+	if (mode && !strcasecmp(mode, "hctr2"))
+		return 32;
+
 	if (mode && !strcasecmp(mode, "ecb"))
 		return 0;

--- a/lib/crypto_backend/crc32.c
+++ b/lib/crypto_backend/crc32.c
@@ -38,8 +38,6 @@
 *
 */

-#include <stdio.h>
-
 #include "crypto_backend.h"

 static const uint32_t crc32_tab[] = {
@@ -97,18 +95,87 @@ static const uint32_t crc32_tab[] = {
 	0x2d02ef8dL
 };

+static const uint32_t crc32c_tab[] = {
+	0x00000000L, 0xF26B8303L, 0xE13B70F7L, 0x1350F3F4L, 0xC79A971FL,
+	0x35F1141CL, 0x26A1E7E8L, 0xD4CA64EBL, 0x8AD958CFL, 0x78B2DBCCL,
+	0x6BE22838L, 0x9989AB3BL, 0x4D43CFD0L, 0xBF284CD3L, 0xAC78BF27L,
+	0x5E133C24L, 0x105EC76FL, 0xE235446CL, 0xF165B798L, 0x030E349BL,
+	0xD7C45070L, 0x25AFD373L, 0x36FF2087L, 0xC494A384L, 0x9A879FA0L,
+	0x68EC1CA3L, 0x7BBCEF57L, 0x89D76C54L, 0x5D1D08BFL, 0xAF768BBCL,
+	0xBC267848L, 0x4E4DFB4BL, 0x20BD8EDEL, 0xD2D60DDDL, 0xC186FE29L,
+	0x33ED7D2AL, 0xE72719C1L, 0x154C9AC2L, 0x061C6936L, 0xF477EA35L,
+	0xAA64D611L, 0x580F5512L, 0x4B5FA6E6L, 0xB93425E5L, 0x6DFE410EL,
+	0x9F95C20DL, 0x8CC531F9L, 0x7EAEB2FAL, 0x30E349B1L, 0xC288CAB2L,
+	0xD1D83946L, 0x23B3BA45L, 0xF779DEAEL, 0x05125DADL, 0x1642AE59L,
+	0xE4292D5AL, 0xBA3A117EL, 0x4851927DL, 0x5B016189L, 0xA96AE28AL,
+	0x7DA08661L, 0x8FCB0562L, 0x9C9BF696L, 0x6EF07595L, 0x417B1DBCL,
+	0xB3109EBFL, 0xA0406D4BL, 0x522BEE48L, 0x86E18AA3L, 0x748A09A0L,
+	0x67DAFA54L, 0x95B17957L, 0xCBA24573L, 0x39C9C670L, 0x2A993584L,
+	0xD8F2B687L, 0x0C38D26CL, 0xFE53516FL, 0xED03A29BL, 0x1F682198L,
+	0x5125DAD3L, 0xA34E59D0L, 0xB01EAA24L, 0x42752927L, 0x96BF4DCCL,
+	0x64D4CECFL, 0x77843D3BL, 0x85EFBE38L, 0xDBFC821CL, 0x2997011FL,
+	0x3AC7F2EBL, 0xC8AC71E8L, 0x1C661503L, 0xEE0D9600L, 0xFD5D65F4L,
+	0x0F36E6F7L, 0x61C69362L, 0x93AD1061L, 0x80FDE395L, 0x72966096L,
+	0xA65C047DL, 0x5437877EL, 0x4767748AL, 0xB50CF789L, 0xEB1FCBADL,
+	0x197448AEL, 0x0A24BB5AL, 0xF84F3859L, 0x2C855CB2L, 0xDEEEDFB1L,
+	0xCDBE2C45L, 0x3FD5AF46L, 0x7198540DL, 0x83F3D70EL, 0x90A324FAL,
+	0x62C8A7F9L, 0xB602C312L, 0x44694011L, 0x5739B3E5L, 0xA55230E6L,
+	0xFB410CC2L, 0x092A8FC1L, 0x1A7A7C35L, 0xE811FF36L, 0x3CDB9BDDL,
+	0xCEB018DEL, 0xDDE0EB2AL, 0x2F8B6829L, 0x82F63B78L, 0x709DB87BL,
+	0x63CD4B8FL, 0x91A6C88CL, 0x456CAC67L, 0xB7072F64L, 0xA457DC90L,
+	0x563C5F93L, 0x082F63B7L, 0xFA44E0B4L, 0xE9141340L, 0x1B7F9043L,
+	0xCFB5F4A8L, 0x3DDE77ABL, 0x2E8E845FL, 0xDCE5075CL, 0x92A8FC17L,
+	0x60C37F14L, 0x73938CE0L, 0x81F80FE3L, 0x55326B08L, 0xA759E80BL,
+	0xB4091BFFL, 0x466298FCL, 0x1871A4D8L, 0xEA1A27DBL, 0xF94AD42FL,
+	0x0B21572CL, 0xDFEB33C7L, 0x2D80B0C4L, 0x3ED04330L, 0xCCBBC033L,
+	0xA24BB5A6L, 0x502036A5L, 0x4370C551L, 0xB11B4652L, 0x65D122B9L,
+	0x97BAA1BAL, 0x84EA524EL, 0x7681D14DL, 0x2892ED69L, 0xDAF96E6AL,
+	0xC9A99D9EL, 0x3BC21E9DL, 0xEF087A76L, 0x1D63F975L, 0x0E330A81L,
+	0xFC588982L, 0xB21572C9L, 0x407EF1CAL, 0x532E023EL, 0xA145813DL,
+	0x758FE5D6L, 0x87E466D5L, 0x94B49521L, 0x66DF1622L, 0x38CC2A06L,
+	0xCAA7A905L, 0xD9F75AF1L, 0x2B9CD9F2L, 0xFF56BD19L, 0x0D3D3E1AL,
+	0x1E6DCDEEL, 0xEC064EEDL, 0xC38D26C4L, 0x31E6A5C7L, 0x22B65633L,
+	0xD0DDD530L, 0x0417B1DBL, 0xF67C32D8L, 0xE52CC12CL, 0x1747422FL,
+	0x49547E0BL, 0xBB3FFD08L, 0xA86F0EFCL, 0x5A048DFFL, 0x8ECEE914L,
+	0x7CA56A17L, 0x6FF599E3L, 0x9D9E1AE0L, 0xD3D3E1ABL, 0x21B862A8L,
+	0x32E8915CL, 0xC083125FL, 0x144976B4L, 0xE622F5B7L, 0xF5720643L,
+	0x07198540L, 0x590AB964L, 0xAB613A67L, 0xB831C993L, 0x4A5A4A90L,
+	0x9E902E7BL, 0x6CFBAD78L, 0x7FAB5E8CL, 0x8DC0DD8FL, 0xE330A81AL,
+	0x115B2B19L, 0x020BD8EDL, 0xF0605BEEL, 0x24AA3F05L, 0xD6C1BC06L,
+	0xC5914FF2L, 0x37FACCF1L, 0x69E9F0D5L, 0x9B8273D6L, 0x88D28022L,
+	0x7AB90321L, 0xAE7367CAL, 0x5C18E4C9L, 0x4F48173DL, 0xBD23943EL,
+	0xF36E6F75L, 0x0105EC76L, 0x12551F82L, 0xE03E9C81L, 0x34F4F86AL,
+	0xC69F7B69L, 0xD5CF889DL, 0x27A40B9EL, 0x79B737BAL, 0x8BDCB4B9L,
+	0x988C474DL, 0x6AE7C44EL, 0xBE2DA0A5L, 0x4C4623A6L, 0x5F16D052L,
+	0xAD7D5351L
+};
+
 /*
 * This a generic crc32() function, it takes seed as an argument,
 * and does __not__ xor at the end. Then individual users can do
 * whatever they need.
 */
-uint32_t crypt_crc32(uint32_t seed, const unsigned char *buf, size_t len)
+static uint32_t compute_crc32(
+	const uint32_t *crc32_table,
+	uint32_t seed,
+	const unsigned char *buf,
+	size_t len)
 {
 	uint32_t crc = seed;
 	const unsigned char *p = buf;

 	while(len-- > 0)
-		crc = crc32_tab[(crc ^ *p++) & 0xff] ^ (crc >> 8);
+		crc = crc32_table[(crc ^ *p++) & 0xff] ^ (crc >> 8);

 	return crc;
 }
+
+uint32_t crypt_crc32(uint32_t seed, const unsigned char *buf, size_t len)
+{
+	return compute_crc32(crc32_tab, seed, buf, len);
+}
+
+uint32_t crypt_crc32c(uint32_t seed, const unsigned char *buf, size_t len)
+{
+	return compute_crc32(crc32c_tab, seed, buf, len);
+}
--- a/lib/crypto_backend/crypto_backend.h
+++ b/lib/crypto_backend/crypto_backend.h
@@ -1,26 +1,15 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * crypto backend implementation
 *
- * Copyright (C) 2010-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2022 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2024 Milan Broz
 */
+
 #ifndef _CRYPTO_BACKEND_H
 #define _CRYPTO_BACKEND_H

+#include <assert.h>
 #include <stdint.h>
 #include <stdbool.h>
 #include <stddef.h>
@@ -40,10 +29,13 @@ struct crypt_storage;
 int crypt_backend_init(bool fips);
 void crypt_backend_destroy(void);

-#define CRYPT_BACKEND_KERNEL (1 << 0)	/* Crypto uses kernel part, for benchmark */
+#define CRYPT_BACKEND_KERNEL     (1 << 0) /* Crypto uses kernel part, for benchmark */
+#define CRYPT_BACKEND_PBKDF2_INT (1 << 1) /* Iteration in PBKDF2 is signed int and can overflow */
+#define CRYPT_BACKEND_ARGON2     (1 << 2) /* Backend provides native Argon2 implementation */

 uint32_t crypt_backend_flags(void);
 const char *crypt_backend_version(void);
+const char *crypt_argon2_version(void);

 /* HASH */
 int crypt_hash_size(const char *name);
@@ -88,6 +80,7 @@ int crypt_pbkdf_perf(const char *kdf, const char *hash,

 /* CRC32 */
 uint32_t crypt_crc32(uint32_t seed, const unsigned char *buf, size_t len);
+uint32_t crypt_crc32c(uint32_t seed, const unsigned char *buf, size_t len);

 /* Base64 */
 int crypt_base64_encode(char **out, size_t *out_length, const char *in, size_t in_length);
@@ -152,4 +145,7 @@ static inline void crypt_backend_memzero(void *s, size_t n)
 /* Memcmp helper (memcmp in constant time) */
 int crypt_backend_memeq(const void *m1, const void *m2, size_t n);

+/* crypto backend running in FIPS mode */
+bool crypt_fips_mode(void);
+
 #endif /* _CRYPTO_BACKEND_H */
--- a/lib/crypto_backend/crypto_backend_internal.h
+++ b/lib/crypto_backend/crypto_backend_internal.h
@@ -1,23 +1,11 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * crypto backend implementation
 *
- * Copyright (C) 2010-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2022 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2024 Milan Broz
 */
+
 #ifndef _CRYPTO_BACKEND_INTERNAL_H
 #define _CRYPTO_BACKEND_INTERNAL_H

--- a/lib/crypto_backend/crypto_cipher_kernel.c
+++ b/lib/crypto_backend/crypto_cipher_kernel.c
@@ -1,28 +1,13 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * Linux kernel userspace API crypto backend implementation (skcipher)
 *
- * Copyright (C) 2012-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2022 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2024 Milan Broz
 */

-#include <string.h>
 #include <stdlib.h>
 #include <stdio.h>
-#include <stdbool.h>
 #include <errno.h>
 #include <unistd.h>
 #include <sys/socket.h>
@@ -101,14 +86,19 @@ int crypt_cipher_init_kernel(struct crypt_cipher_kernel *ctx, const char *name,
 	if (!strcmp(name, "cipher_null"))
 		key_length = 0;

-	r = snprintf((char *)sa.salg_name, sizeof(sa.salg_name), "%s(%s)", mode, name);
-	if (r < 0 || (size_t)r >= sizeof(sa.salg_name))
-		return -EINVAL;
+	if (!strncmp(name, "capi:", 5))
+		strncpy((char *)sa.salg_name, &name[5], sizeof(sa.salg_name) - 1);
+	else {
+		r = snprintf((char *)sa.salg_name, sizeof(sa.salg_name), "%s(%s)", mode, name);
+		if (r < 0 || (size_t)r >= sizeof(sa.salg_name))
+			return -EINVAL;
+	}

 	return _crypt_cipher_init(ctx, key, key_length, 0, &sa);
 }

 /* The in/out should be aligned to page boundary */
+/* coverity[ -taint_source : arg-3 ] */
 static int _crypt_cipher_crypt(struct crypt_cipher_kernel *ctx,
 			       const char *in, size_t in_length,
 			       char *out, size_t out_length,
@@ -312,6 +302,8 @@ int crypt_bitlk_decrypt_key_kernel(const void *key, size_t key_length,
 }

 #else /* ENABLE_AF_ALG */
+#pragma GCC diagnostic ignored "-Wunused-parameter"
+
 int crypt_cipher_init_kernel(struct crypt_cipher_kernel *ctx, const char *name,
 			     const char *mode, const void *key, size_t key_length)
 {
--- a/lib/crypto_backend/crypto_gcrypt.c
+++ b/lib/crypto_backend/crypto_gcrypt.c
@@ -1,29 +1,16 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * GCRYPT crypto backend implementation
 *
- * Copyright (C) 2010-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2022 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2024 Milan Broz
 */

-#include <string.h>
 #include <stdio.h>
 #include <errno.h>
-#include <assert.h>
+#include <strings.h>
 #include <gcrypt.h>
+#include <pthread.h>
 #include "crypto_backend_internal.h"

 static int crypto_backend_initialised = 0;
@@ -127,10 +114,11 @@ int crypt_backend_init(bool fips __attribute__((unused)))
 	crypto_backend_initialised = 1;
 	crypt_hash_test_whirlpool_bug();

-	r = snprintf(version, sizeof(version), "gcrypt %s%s%s",
+	r = snprintf(version, sizeof(version), "gcrypt %s%s%s%s",
 		 gcry_check_version(NULL),
 		 crypto_backend_secmem ? "" : ", secmem disabled",
-		 crypto_backend_whirlpool_bug > 0 ? ", flawed whirlpool" : "");
+		 crypto_backend_whirlpool_bug > 0 ? ", flawed whirlpool" : "",
+		 crypt_backend_flags() & CRYPT_BACKEND_ARGON2 ? ", argon2" : "");
 	if (r < 0 || (size_t)r >= sizeof(version))
 		return -EINVAL;

@@ -152,7 +140,11 @@ const char *crypt_backend_version(void)

 uint32_t crypt_backend_flags(void)
 {
-	return 0;
+	uint32_t flags = 0;
+#if HAVE_DECL_GCRY_KDF_ARGON2 && !USE_INTERNAL_ARGON2
+	flags |= CRYPT_BACKEND_ARGON2;
+#endif
+	return flags;
 }

 static const char *crypt_hash_compat_name(const char *name, unsigned int *flags)
@@ -267,7 +259,6 @@ int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length)
 void crypt_hash_destroy(struct crypt_hash *ctx)
 {
 	gcry_md_close(ctx->hd);
-	memset(ctx, 0, sizeof(*ctx));
 	free(ctx);
 }

@@ -342,7 +333,6 @@ int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length)
 void crypt_hmac_destroy(struct crypt_hmac *ctx)
 {
 	gcry_md_close(ctx->hd);
-	memset(ctx, 0, sizeof(*ctx));
 	free(ctx);
 }

@@ -387,6 +377,130 @@ static int pbkdf2(const char *hash,
 #endif /* USE_INTERNAL_PBKDF2 */
 }

+#if HAVE_DECL_GCRY_KDF_ARGON2 && !USE_INTERNAL_ARGON2
+struct gcrypt_thread_job
+{
+	pthread_t thread;
+	struct job_thread_param {
+		gcry_kdf_job_fn_t job;
+		void *p;
+	} work;
+};
+
+struct gcrypt_threads
+{
+	pthread_attr_t attr;
+	unsigned int num_threads;
+	unsigned int max_threads;
+	struct gcrypt_thread_job *jobs_ctx;
+};
+
+static void *gcrypt_job_thread(void *p)
+{
+	struct job_thread_param *param = p;
+	param->job(param->p);
+	pthread_exit(NULL);
+}
+
+static int gcrypt_wait_all_jobs(void *ctx)
+{
+	unsigned int i;
+	struct gcrypt_threads *threads = ctx;
+
+	for (i = 0; i < threads->num_threads; i++) {
+		pthread_join(threads->jobs_ctx[i].thread, NULL);
+		threads->jobs_ctx[i].thread = 0;
+	}
+
+	threads->num_threads = 0;
+	return 0;
+}
+
+static int gcrypt_dispatch_job(void *ctx, gcry_kdf_job_fn_t job, void *p)
+{
+	struct gcrypt_threads *threads = ctx;
+
+	if (threads->num_threads >= threads->max_threads)
+		return -1;
+
+	threads->jobs_ctx[threads->num_threads].work.job = job;
+	threads->jobs_ctx[threads->num_threads].work.p = p;
+
+	if (pthread_create(&threads->jobs_ctx[threads->num_threads].thread, &threads->attr,
+			   gcrypt_job_thread, &threads->jobs_ctx[threads->num_threads].work))
+		return -1;
+
+	threads->num_threads++;
+	return 0;
+}
+
+static int gcrypt_argon2(const char *type,
+	const char *password, size_t password_length,
+	const char *salt, size_t salt_length,
+	char *key, size_t key_length,
+	uint32_t iterations, uint32_t memory, uint32_t parallel)
+{
+	gcry_kdf_hd_t hd;
+	int atype, r = -EINVAL;
+	unsigned long param[4];
+	struct gcrypt_threads threads = {
+		.max_threads = parallel,
+		.num_threads = 0
+	};
+	const gcry_kdf_thread_ops_t ops = {
+		.jobs_context = &threads,
+		.dispatch_job = gcrypt_dispatch_job,
+		.wait_all_jobs = gcrypt_wait_all_jobs
+	};
+
+	if (!strcmp(type, "argon2i"))
+		atype = GCRY_KDF_ARGON2I;
+	else if (!strcmp(type, "argon2id"))
+		atype = GCRY_KDF_ARGON2ID;
+	else
+		return -EINVAL;
+
+	param[0] = key_length;
+	param[1] = iterations;
+	param[2] = memory;
+	param[3] = parallel;
+
+	if (gcry_kdf_open(&hd, GCRY_KDF_ARGON2, atype, param, 4,
+			password, password_length, salt, salt_length,
+			NULL, 0, NULL, 0)) {
+		free(threads.jobs_ctx);
+		return -EINVAL;
+	}
+
+	if (parallel == 1) {
+		/* Do not use threads here */
+		if (gcry_kdf_compute(hd, NULL))
+			goto out;
+	} else {
+		threads.jobs_ctx = calloc(threads.max_threads,
+				      sizeof(struct gcrypt_thread_job));
+		if (!threads.jobs_ctx)
+			goto out;
+
+		if (pthread_attr_init(&threads.attr))
+			goto out;
+
+		if (gcry_kdf_compute(hd, &ops))
+			goto out;
+	}
+
+	if (gcry_kdf_final(hd, key_length, key))
+		goto out;
+	r = 0;
+out:
+	gcry_kdf_close(hd);
+	pthread_attr_destroy(&threads.attr);
+	free(threads.jobs_ctx);
+
+	return r;
+}
+#endif
+
 /* PBKDF */
 int crypt_pbkdf(const char *kdf, const char *hash,
 		const char *password, size_t password_length,
@@ -401,8 +515,13 @@ int crypt_pbkdf(const char *kdf, const char *hash,
 		return pbkdf2(hash, password, password_length, salt, salt_length,
 			      key, key_length, iterations);
 	else if (!strncmp(kdf, "argon2", 6))
+#if HAVE_DECL_GCRY_KDF_ARGON2 && !USE_INTERNAL_ARGON2
+		return gcrypt_argon2(kdf, password, password_length, salt, salt_length,
+				     key, key_length, iterations, memory, parallel);
+#else
 		return argon2(kdf, password, password_length, salt, salt_length,
 			      key, key_length, iterations, memory, parallel);
+#endif
 	return -EINVAL;
 }

@@ -555,3 +674,23 @@ int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
 {
 	return crypt_internal_memeq(m1, m2, n);
 }
+
+#if !ENABLE_FIPS
+bool crypt_fips_mode(void) { return false; }
+#else
+bool crypt_fips_mode(void)
+{
+	static bool fips_mode = false, fips_checked = false;
+
+	if (fips_checked)
+		return fips_mode;
+
+	if (crypt_backend_init(false /* ignored */))
+		return false;
+
+	fips_mode = gcry_fips_mode_active();
+	fips_checked = true;
+
+	return fips_mode;
+}
+#endif /* ENABLE FIPS */
--- a/lib/crypto_backend/crypto_kernel.c
+++ b/lib/crypto_backend/crypto_kernel.c
@@ -1,25 +1,11 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * Linux kernel userspace API crypto backend implementation
 *
- * Copyright (C) 2010-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2022 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2024 Milan Broz
 */

-#include <string.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <errno.h>
@@ -245,7 +231,6 @@ void crypt_hash_destroy(struct crypt_hash *ctx)
 		close(ctx->tfmfd);
 	if (ctx->opfd >= 0)
 		close(ctx->opfd);
-	memset(ctx, 0, sizeof(*ctx));
 	free(ctx);
 }

@@ -324,7 +309,6 @@ void crypt_hmac_destroy(struct crypt_hmac *ctx)
 		close(ctx->tfmfd);
 	if (ctx->opfd >= 0)
 		close(ctx->opfd);
-	memset(ctx, 0, sizeof(*ctx));
 	free(ctx);
 }

@@ -421,3 +405,8 @@ int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
 {
 	return crypt_internal_memeq(m1, m2, n);
 }
+
+bool crypt_fips_mode(void)
+{
+	return false;
+}
--- a/lib/crypto_backend/crypto_nettle.c
+++ b/lib/crypto_backend/crypto_nettle.c
@@ -1,26 +1,12 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * Nettle crypto backend implementation
 *
- * Copyright (C) 2011-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2011-2022 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2024 Milan Broz
 */

 #include <stdlib.h>
-#include <string.h>
 #include <errno.h>
 #include <nettle/sha.h>
 #include <nettle/sha3.h>
@@ -453,3 +439,8 @@ int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
 	/* The logic is inverse to memcmp... */
 	return !memeql_sec(m1, m2, n);
 }
+
+bool crypt_fips_mode(void)
+{
+	return false;
+}
--- a/lib/crypto_backend/crypto_nss.c
+++ b/lib/crypto_backend/crypto_nss.c
@@ -1,25 +1,12 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * NSS crypto backend implementation
 *
- * Copyright (C) 2010-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2022 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2024 Milan Broz
 */

-#include <string.h>
+#include <stdio.h>
 #include <errno.h>
 #include <nss.h>
 #include <pk11pub.h>
@@ -400,3 +387,8 @@ int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
 {
 	return NSS_SecureMemcmp(m1, m2, n);
 }
+
+bool crypt_fips_mode(void)
+{
+	return false;
+}
--- a/lib/crypto_backend/crypto_openssl.c
+++ b/lib/crypto_backend/crypto_openssl.c
@@ -1,35 +1,15 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later WITH cryptsetup-OpenSSL-exception
 /*
 * OPENSSL crypto backend implementation
 *
- * Copyright (C) 2010-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2022 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * In addition, as a special exception, the copyright holders give
- * permission to link the code of portions of this program with the
- * OpenSSL library under certain conditions as described in each
- * individual source file, and distribute linked combinations
- * including the two.
- *
- * You must obey the GNU Lesser General Public License in all respects
- * for all of the code used other than OpenSSL.
+ * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2024 Milan Broz
 */

-#include <string.h>
+#include <stdio.h>
 #include <errno.h>
+#include <limits.h>
+#include <strings.h>
 #include <openssl/crypto.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
@@ -43,9 +23,20 @@ static OSSL_PROVIDER *ossl_legacy = NULL;
 static OSSL_PROVIDER *ossl_default = NULL;
 static OSSL_LIB_CTX  *ossl_ctx = NULL;
 static char backend_version[256] = "OpenSSL";
+
+#define MAX_THREADS 8
+#if !HAVE_DECL_OSSL_GET_MAX_THREADS
+static int OSSL_set_max_threads(OSSL_LIB_CTX *ctx __attribute__((unused)),
+				uint64_t max_threads __attribute__((unused))) { return 0; }
+static uint64_t OSSL_get_max_threads(OSSL_LIB_CTX *ctx __attribute__((unused))) { return 0; }
+#else
+#include <openssl/thread.h>
+#endif
+
 #endif

 #define CONST_CAST(x) (x)(uintptr_t)
+#define UNUSED(x) (void)(x)

 static int crypto_backend_initialised = 0;

@@ -161,6 +152,7 @@ static int openssl_backend_init(bool fips)
 */
 #if OPENSSL_VERSION_MAJOR >= 3
 	int r;
+	bool ossl_threads = false;

 	/*
 	 * In FIPS mode we keep default OpenSSL context & global config
@@ -180,16 +172,24 @@ static int openssl_backend_init(bool fips)
 		ossl_legacy = OSSL_PROVIDER_try_load(ossl_ctx, "legacy", 0);
 	}

-	r = snprintf(backend_version, sizeof(backend_version), "%s %s%s%s",
+	if (OSSL_set_max_threads(ossl_ctx, MAX_THREADS) == 1 &&
+	    OSSL_get_max_threads(ossl_ctx) == MAX_THREADS)
+		ossl_threads = true;
+
+	r = snprintf(backend_version, sizeof(backend_version), "%s %s%s%s%s%s",
 		OpenSSL_version(OPENSSL_VERSION),
 		ossl_default ? "[default]" : "",
 		ossl_legacy  ? "[legacy]" : "",
-		fips  ? "[fips]" : "");
+		fips  ? "[fips]" : "",
+		ossl_threads ? "[threads]" : "",
+		crypt_backend_flags() & CRYPT_BACKEND_ARGON2 ? "[argon2]" : "");

 	if (r < 0 || (size_t)r >= sizeof(backend_version)) {
 		openssl_backend_exit();
 		return -EINVAL;
 	}
+#else
+	UNUSED(fips);
 #endif
 	return 0;
 }
@@ -231,7 +231,14 @@ void crypt_backend_destroy(void)

 uint32_t crypt_backend_flags(void)
 {
-	return 0;
+	uint32_t flags = 0;
+#if OPENSSL_VERSION_MAJOR < 3
+	flags |= CRYPT_BACKEND_PBKDF2_INT;
+#endif
+#if HAVE_DECL_OSSL_KDF_PARAM_ARGON2_VERSION
+	flags |= CRYPT_BACKEND_ARGON2;
+#endif
+	return flags;
 }

 const char *crypt_backend_version(void)
@@ -276,6 +283,8 @@ static void hash_id_free(const EVP_MD *hash_id)
 {
 #if OPENSSL_VERSION_MAJOR >= 3
 	EVP_MD_free(CONST_CAST(EVP_MD*)hash_id);
+#else
+	UNUSED(hash_id);
 #endif
 }

@@ -292,6 +301,8 @@ static void cipher_type_free(const EVP_CIPHER *cipher_type)
 {
 #if OPENSSL_VERSION_MAJOR >= 3
 	EVP_CIPHER_free(CONST_CAST(EVP_CIPHER*)cipher_type);
+#else
+	UNUSED(cipher_type);
 #endif
 }

@@ -386,7 +397,6 @@ void crypt_hash_destroy(struct crypt_hash *ctx)
 {
 	hash_id_free(ctx->hash_id);
 	EVP_MD_CTX_free(ctx->md);
-	memset(ctx, 0, sizeof(*ctx));
 	free(ctx);
 }

@@ -522,7 +532,6 @@ void crypt_hmac_destroy(struct crypt_hmac *ctx)
 	hash_id_free(ctx->hash_id);
 	HMAC_CTX_free(ctx->md);
 #endif
-	memset(ctx, 0, sizeof(*ctx));
 	free(ctx);
 }

@@ -574,6 +583,10 @@ static int openssl_pbkdf2(const char *password, size_t password_length,
 	if (!hash_id)
 		return -EINVAL;

+	/* OpenSSL2 has iteration as signed int, avoid overflow */
+	if (iterations > INT_MAX)
+		return -EINVAL;
+
 	r = PKCS5_PBKDF2_HMAC(password, (int)password_length, (const unsigned char *)salt,
 		(int)salt_length, iterations, hash_id, (int)key_length, (unsigned char*) key);
 #endif
@@ -584,8 +597,53 @@ static int openssl_argon2(const char *type, const char *password, size_t passwor
 	const char *salt, size_t salt_length, char *key, size_t key_length,
 	uint32_t iterations, uint32_t memory, uint32_t parallel)
 {
+#if HAVE_DECL_OSSL_KDF_PARAM_ARGON2_VERSION
+	EVP_KDF_CTX *ctx;
+	EVP_KDF *argon2;
+	unsigned int threads = parallel;
+	int r;
+	OSSL_PARAM params[] = {
+		OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD,
+			CONST_CAST(void*)password, password_length),
+		OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT,
+			CONST_CAST(void*)salt, salt_length),
+		OSSL_PARAM_uint32(OSSL_KDF_PARAM_ITER, &iterations),
+		OSSL_PARAM_uint(OSSL_KDF_PARAM_THREADS, &threads),
+		OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_LANES, &parallel),
+		OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_MEMCOST, &memory),
+		OSSL_PARAM_END
+	};
+
+	if (OSSL_get_max_threads(ossl_ctx) == 0)
+		threads = 1;
+
+	argon2 = EVP_KDF_fetch(ossl_ctx, type, NULL);
+	if (!argon2)
+		return -EINVAL;
+
+	ctx = EVP_KDF_CTX_new(argon2);
+	if (!ctx) {
+		EVP_KDF_free(argon2);
+		return -EINVAL;;
+	}
+
+	if (EVP_KDF_CTX_set_params(ctx, params) != 1) {
+		EVP_KDF_CTX_free(ctx);
+		EVP_KDF_free(argon2);
+		return -EINVAL;
+	}
+
+	r = EVP_KDF_derive(ctx, (unsigned char*)key, key_length, NULL /*params*/);
+
+	EVP_KDF_CTX_free(ctx);
+	EVP_KDF_free(argon2);
+
+	/* _derive() returns 0 or negative value on error, 1 on success */
+	return r == 1 ? 0 : -EINVAL;
+#else
 	return argon2(type, password, password_length, salt, salt_length,
 		      key, key_length, iterations, memory, parallel);
+#endif
 }

 /* PBKDF */
@@ -812,3 +870,29 @@ int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
 {
 	return CRYPTO_memcmp(m1, m2, n);
 }
+
+#if !ENABLE_FIPS
+bool crypt_fips_mode(void) { return false; }
+#else
+static bool openssl_fips_mode(void)
+{
+#if OPENSSL_VERSION_MAJOR >= 3
+	return EVP_default_properties_is_fips_enabled(NULL);
+#else
+	return FIPS_mode();
+#endif
+}
+
+bool crypt_fips_mode(void)
+{
+	static bool fips_mode = false, fips_checked = false;
+
+	if (fips_checked)
+		return fips_mode;
+
+	fips_mode = openssl_fips_mode();
+	fips_checked = true;
+
+	return fips_mode;
+}
+#endif /* ENABLE FIPS */
--- a/lib/crypto_backend/crypto_storage.c
+++ b/lib/crypto_backend/crypto_storage.c
@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * Generic wrapper for storage encryption modes and Initial Vectors
 * (reimplementation of some functions from Linux dm-crypt kernel)
 *
- * Copyright (C) 2014-2022 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2014-2024 Milan Broz
 */

 #include <stdlib.h>
@@ -261,7 +248,7 @@ int crypt_storage_init(struct crypt_storage **ctx,
 	}

 	s->sector_size = sector_size;
-	s->iv_shift = large_iv ? int_log2(sector_size) - SECTOR_SHIFT : 0;
+	s->iv_shift = large_iv ? (unsigned)int_log2(sector_size) - SECTOR_SHIFT : 0;

 	*ctx = s;
 	return 0;
--- a/lib/crypto_backend/meson.build
+++ b/lib/crypto_backend/meson.build
@@ -0,0 +1,40 @@
+if use_internal_argon2
+    subdir('argon2')
+endif
+
+libcrypto_backend_dependencies = [
+    crypto_backend_library,
+    clock_gettime,
+]
+libcrypto_backend_link_with = []
+
+libcrypto_backend_sources = files(
+    'argon2_generic.c',
+    'base64.c',
+    'cipher_check.c',
+    'cipher_generic.c',
+    'crc32.c',
+    'crypto_cipher_kernel.c',
+    'crypto_storage.c',
+    'pbkdf_check.c',
+    'utf8.c',
+)
+
+crypto_backend = get_option('crypto-backend')
+libcrypto_backend_sources += files('crypto_@0@.c'.format(crypto_backend))
+
+if use_internal_pbkdf2
+    libcrypto_backend_sources += files('pbkdf2_generic.c')
+endif
+
+if use_internal_argon2 and get_option('argon-implementation') == 'internal'
+    libcrypto_backend_link_with += libargon2
+elif get_option('argon-implementation') == 'libargon2'
+    libcrypto_backend_dependencies += libargon2_external
+endif
+
+libcrypto_backend = static_library('crypto_backend',
+    libcrypto_backend_sources,
+    include_directories: includes_lib,
+    dependencies: libcrypto_backend_dependencies,
+    link_with: libcrypto_backend_link_with)
--- a/lib/crypto_backend/pbkdf2_generic.c
+++ b/lib/crypto_backend/pbkdf2_generic.c
@@ -1,26 +1,12 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * Implementation of Password-Based Cryptography as per PKCS#5
 * Copyright (C) 2002,2003 Simon Josefsson
 * Copyright (C) 2004 Free Software Foundation
 *
 * cryptsetup related changes
- * Copyright (C) 2012-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2022 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
+ * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2024 Milan Broz
 */

 #include <errno.h>
--- a/lib/crypto_backend/pbkdf_check.c
+++ b/lib/crypto_backend/pbkdf_check.c
@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * PBKDF performance check
- * Copyright (C) 2012-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2022 Milan Broz
+ * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2024 Milan Broz
 * Copyright (C) 2016-2020 Ondrej Mosnacek
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

 #include <stdlib.h>
--- a/lib/crypto_backend/utf8.c
+++ b/lib/crypto_backend/utf8.c
@@ -1,10 +1,11 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * UTF8/16 helpers, copied and adapted from systemd project.
 *
 * Copyright (C) 2010 Lennart Poettering
 *
 * cryptsetup related changes
- * Copyright (C) 2021-2022 Vojtech Trefny
+ * Copyright (C) 2021-2024 Vojtech Trefny

 * Parts of the original systemd implementation are based on the GLIB utf8
 * validation functions.
@@ -12,23 +13,8 @@
 *
 * Copyright (C) 1999 Tom Tromey
 * Copyright (C) 2000 Red Hat, Inc.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Library General Public
- * License as published by the Free Software Foundation; either
- * version 2 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Library General Public License for more details.
- *
- * You should have received a copy of the GNU Library General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 */

-#include <assert.h>
 #include <errno.h>
 #include <endian.h>

@@ -231,6 +217,7 @@ static size_t utf16_encode_unichar(char16_t *out, char32_t c)
 		return 1;

 	case 0x10000U ... 0x10ffffU:
+		/* coverity[overflow_const:FALSE] */
 		c -= 0x10000U;
 		out[0] = htole16((c >> 10) + 0xd800U);
 		out[1] = htole16((c & 0x3ffU) + 0xdc00U);
--- a/lib/fvault2/fvault2.c
+++ b/lib/fvault2/fvault2.c
--- a/lib/fvault2/fvault2.h
+++ b/lib/fvault2/fvault2.h
@@ -0,0 +1,67 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
+/*
+ * FVAULT2 (FileVault2-compatible) volume handling
+ *
+ * Copyright (C) 2021-2022 Pavel Tobias
+ */
+
+#ifndef _CRYPTSETUP_FVAULT2_H
+#define _CRYPTSETUP_FVAULT2_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define FVAULT2_WRAPPED_KEY_SIZE 24
+#define FVAULT2_PBKDF2_SALT_SIZE 16
+#define FVAULT2_UUID_LEN 37
+
+struct crypt_device;
+struct volume_key;
+
+struct fvault2_params {
+	const char *cipher;
+	const char *cipher_mode;
+	uint16_t key_size;
+	uint32_t pbkdf2_iters;
+	char pbkdf2_salt[FVAULT2_PBKDF2_SALT_SIZE];
+	char wrapped_kek[FVAULT2_WRAPPED_KEY_SIZE];
+	char wrapped_vk[FVAULT2_WRAPPED_KEY_SIZE];
+	char family_uuid[FVAULT2_UUID_LEN];
+	char ph_vol_uuid[FVAULT2_UUID_LEN];
+	uint64_t log_vol_off;
+	uint64_t log_vol_size;
+};
+
+int FVAULT2_read_metadata(
+	struct crypt_device *cd,
+	struct fvault2_params *params);
+
+int FVAULT2_get_volume_key(
+	struct crypt_device *cd,
+	const char *passphrase,
+	size_t passphrase_len,
+	const struct fvault2_params *params,
+	struct volume_key **vol_key);
+
+int FVAULT2_dump(
+	struct crypt_device *cd,
+	struct device *device,
+	const struct fvault2_params *params);
+
+int FVAULT2_activate_by_passphrase(
+	struct crypt_device *cd,
+	const char *name,
+	const char *passphrase,
+	size_t passphrase_len,
+	const struct fvault2_params *params,
+	uint32_t flags);
+
+int FVAULT2_activate_by_volume_key(
+	struct crypt_device *cd,
+	const char *name,
+	const char *key,
+	size_t key_size,
+	const struct fvault2_params *params,
+	uint32_t flags);
+
+#endif
--- a/lib/integrity/integrity.c
+++ b/lib/integrity/integrity.c
@@ -1,21 +1,8 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * Integrity volume handling
 *
- * Copyright (C) 2016-2022 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2016-2024 Milan Broz
 */

 #include <errno.h>
@@ -335,13 +322,62 @@ int INTEGRITY_activate(struct crypt_device *cd,
 	return r;
 }

+static int _create_reduced_device(struct crypt_device *cd,
+				  const char *name,
+				  uint64_t device_size_sectors,
+				  struct device **ret_device)
+{
+	int r;
+	char path[PATH_MAX];
+	struct device *dev;
+
+	struct crypt_dm_active_device dmd = {
+		.size = device_size_sectors,
+		.flags = CRYPT_ACTIVATE_PRIVATE,
+	};
+
+	assert(cd);
+	assert(name);
+	assert(device_size_sectors);
+	assert(ret_device);
+
+	r = snprintf(path, sizeof(path), "%s/%s", dm_get_dir(), name);
+	if (r < 0 || (size_t)r >= sizeof(path))
+		return -EINVAL;
+
+	r = device_block_adjust(cd, crypt_data_device(cd), DEV_OK,
+				crypt_get_data_offset(cd), &device_size_sectors, &dmd.flags);
+	if (r)
+		return r;
+
+	log_dbg(cd, "Activating reduced helper device %s.", name);
+
+	r = dm_linear_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd), crypt_get_data_offset(cd));
+	if (!r)
+		r = dm_create_device(cd, name, CRYPT_SUBDEV, &dmd);
+	dm_targets_free(cd, &dmd);
+	if (r < 0)
+		return r;
+
+	r = device_alloc(cd, &dev, path);
+	if (!r) {
+		*ret_device = dev;
+		return 0;
+	}
+
+	dm_remove_device(cd, name, CRYPT_DEACTIVATE_FORCE);
+
+	return r;
+}
+
 int INTEGRITY_format(struct crypt_device *cd,
 		     const struct crypt_params_integrity *params,
 		     struct volume_key *journal_crypt_key,
-		     struct volume_key *journal_mac_key)
+		     struct volume_key *journal_mac_key,
+		     uint64_t backing_device_sectors)
 {
 	uint32_t dmi_flags;
-	char tmp_name[64], tmp_uuid[40];
+	char reduced_device_name[70], tmp_name[64], tmp_uuid[40];
 	struct crypt_dm_active_device dmdi = {
 		.size = 8,
 		.flags = CRYPT_ACTIVATE_PRIVATE, /* We always create journal but it can be unused later */
@@ -349,6 +385,8 @@ int INTEGRITY_format(struct crypt_device *cd,
 	struct dm_target *tgt = &dmdi.segment;
 	int r;
 	uuid_t tmp_uuid_bin;
+	uint64_t data_offset_sectors;
+	struct device *p_metadata_device, *p_data_device, *reduced_device = NULL;
 	struct volume_key *vk = NULL;

 	uuid_generate(tmp_uuid_bin);
@@ -358,18 +396,42 @@ int INTEGRITY_format(struct crypt_device *cd,
 	if (r < 0 || (size_t)r >= sizeof(tmp_name))
 		return -EINVAL;

+	p_metadata_device = INTEGRITY_metadata_device(cd);
+
+	if (backing_device_sectors) {
+		r = snprintf(reduced_device_name, sizeof(reduced_device_name),
+			     "temporary-cryptsetup-reduced-%s", tmp_uuid);
+		if (r < 0 || (size_t)r >= sizeof(reduced_device_name))
+			return -EINVAL;
+
+		/*
+		 * Creates reduced dm-linear mapping over data device starting at
+		 * crypt_data_offset(cd) and backing_device_sectors in size.
+		 */
+		r = _create_reduced_device(cd, reduced_device_name,
+					   backing_device_sectors, &reduced_device);
+		if (r < 0)
+			return r;
+
+		data_offset_sectors = 0;
+		p_data_device = reduced_device;
+		if (p_metadata_device == crypt_data_device(cd))
+			p_metadata_device = reduced_device;
+	} else {
+		data_offset_sectors = crypt_get_data_offset(cd);
+		p_data_device = crypt_data_device(cd);
+	}
+
 	/* There is no data area, we can actually use fake zeroed key */
 	if (params && params->integrity_key_size)
 		vk = crypt_alloc_volume_key(params->integrity_key_size, NULL);

-	r = dm_integrity_target_set(cd, tgt, 0, dmdi.size, INTEGRITY_metadata_device(cd),
-			crypt_data_device(cd), crypt_get_integrity_tag_size(cd),
-			crypt_get_data_offset(cd), crypt_get_sector_size(cd), vk,
+	r = dm_integrity_target_set(cd, tgt, 0, dmdi.size, p_metadata_device,
+			p_data_device, crypt_get_integrity_tag_size(cd),
+			data_offset_sectors, crypt_get_sector_size(cd), vk,
 			journal_crypt_key, journal_mac_key, params);
-	if (r < 0) {
-		crypt_free_volume_key(vk);
-		return r;
-	}
+	if (r < 0)
+		goto err;

 	log_dbg(cd, "Trying to format INTEGRITY device on top of %s, tmp name %s, tag size %d.",
 		device_path(tgt->data_device), tmp_name, tgt->u.integrity.tag_size);
@@ -379,24 +441,26 @@ int INTEGRITY_format(struct crypt_device *cd,
 		log_err(cd, _("Kernel does not support dm-integrity mapping."));
 		r = -ENOTSUP;
 	}
-	if (r) {
-		dm_targets_free(cd, &dmdi);
-		return r;
-	}
+	if (r)
+		goto err;

 	if (tgt->u.integrity.meta_device) {
 		r = device_block_adjust(cd, tgt->u.integrity.meta_device, DEV_EXCL, 0, NULL, NULL);
-		if (r) {
-			dm_targets_free(cd, &dmdi);
-			return r;
-		}
+		if (r)
+			goto err;
 	}

 	r = dm_create_device(cd, tmp_name, CRYPT_INTEGRITY, &dmdi);
-	crypt_free_volume_key(vk);
-	dm_targets_free(cd, &dmdi);
 	if (r)
-		return r;
+		goto err;

-	return dm_remove_device(cd, tmp_name, CRYPT_DEACTIVATE_FORCE);
+	r = dm_remove_device(cd, tmp_name, CRYPT_DEACTIVATE_FORCE);
+err:
+	dm_targets_free(cd, &dmdi);
+	crypt_free_volume_key(vk);
+	if (reduced_device) {
+		dm_remove_device(cd, reduced_device_name, CRYPT_DEACTIVATE_FORCE);
+		device_free(cd, reduced_device);
+	}
+	return r;
 }
--- a/lib/integrity/integrity.h
+++ b/lib/integrity/integrity.h
@@ -1,21 +1,8 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * Integrity header definition
 *
- * Copyright (C) 2016-2022 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2016-2024 Milan Broz
 */

 #ifndef _CRYPTSETUP_INTEGRITY_H
@@ -75,7 +62,8 @@ int INTEGRITY_hash_tag_size(const char *integrity);
 int INTEGRITY_format(struct crypt_device *cd,
 		     const struct crypt_params_integrity *params,
 		     struct volume_key *journal_crypt_key,
-		     struct volume_key *journal_mac_key);
+		     struct volume_key *journal_mac_key,
+		     uint64_t backing_device_sectors);

 int INTEGRITY_activate(struct crypt_device *cd,
 		       const char *name,
--- a/lib/internal.h
+++ b/lib/internal.h
@@ -1,24 +1,11 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
 * libcryptsetup - cryptsetup library internal
 *
 * Copyright (C) 2004 Jana Saout <jana@saout.de>
 * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2022 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2024 Milan Broz
 */

 #ifndef INTERNAL_H
@@ -31,6 +18,7 @@
 #include <unistd.h>
 #include <inttypes.h>
 #include <fcntl.h>
+#include <assert.h>

 #include "nls.h"
 #include "bitops.h"
@@ -38,7 +26,6 @@
 #include "utils_crypt.h"
 #include "utils_loop.h"
 #include "utils_dm.h"
-#include "utils_fips.h"
 #include "utils_keyring.h"
 #include "utils_io.h"
 #include "crypto_backend/crypto_backend.h"
@@ -53,6 +40,7 @@
 #define MAX_DM_DEPS		32

 #define CRYPT_SUBDEV           "SUBDEV" /* prefix for sublayered devices underneath public crypt types */
+#define CRYPT_LUKS2_HW_OPAL    "LUKS2-OPAL" /* dm uuid prefix used for any HW OPAL enabled LUKS2 device */

 #ifndef O_CLOEXEC
 #define O_CLOEXEC 0
@@ -89,6 +77,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd,
 				   struct crypt_pbkdf_type *pbkdf,
 				   size_t volume_key_size);
 const char *crypt_get_cipher_spec(struct crypt_device *cd);
+uint32_t pbkdf_adjusted_phys_memory_kb(void);

 /* Device backend */
 struct device;
@@ -113,6 +102,8 @@ void device_release_excl(struct crypt_device *cd, struct device *device);
 void device_disable_direct_io(struct device *device);
 int device_is_identical(struct device *device1, struct device *device2);
 int device_is_rotational(struct device *device);
+int device_is_dax(struct device *device);
+int device_is_zoned(struct device *device);
 size_t device_alignment(struct device *device);
 int device_direct_io(const struct device *device);
 int device_fallocate(struct device *device, uint64_t size);
@@ -153,21 +144,32 @@ int create_or_reload_device_with_integrity(struct crypt_device *cd, const char *
 struct device *crypt_metadata_device(struct crypt_device *cd);
 struct device *crypt_data_device(struct crypt_device *cd);

+uint64_t crypt_get_metadata_size_bytes(struct crypt_device *cd);
+uint64_t crypt_get_keyslots_size_bytes(struct crypt_device *cd);
+uint64_t crypt_get_data_offset_sectors(struct crypt_device *cd);
+int crypt_opal_supported(struct crypt_device *cd, struct device *opal_device);
+
 int crypt_confirm(struct crypt_device *cd, const char *msg);

 char *crypt_lookup_dev(const char *dev_id);
 int crypt_dev_is_rotational(int major, int minor);
+int crypt_dev_is_dax(int major, int minor);
+int crypt_dev_is_zoned(int major, int minor);
 int crypt_dev_is_partition(const char *dev_path);
 char *crypt_get_partition_device(const char *dev_path, uint64_t offset, uint64_t size);
+int crypt_dev_get_partition_number(const char *dev_path);
 char *crypt_get_base_device(const char *dev_path);
 uint64_t crypt_dev_partition_offset(const char *dev_path);
 int lookup_by_disk_id(const char *dm_uuid);
 int lookup_by_sysfs_uuid_field(const char *dm_uuid);
 int crypt_uuid_cmp(const char *dm_uuid, const char *hdr_uuid);
+int crypt_uuid_type_cmp(const char *dm_uuid, const char *type);

 size_t crypt_getpagesize(void);
 unsigned crypt_cpusonline(void);
 uint64_t crypt_getphysmemory_kb(void);
+uint64_t crypt_getphysmemoryfree_kb(void);
+bool crypt_swapavailable(void);

 int init_crypto(struct crypt_device *ctx);

@@ -178,8 +180,7 @@ int init_crypto(struct crypt_device *ctx);

 int crypt_get_debug_level(void);

-int crypt_memlock_inc(struct crypt_device *ctx);
-int crypt_memlock_dec(struct crypt_device *ctx);
+void crypt_process_priority(struct crypt_device *cd, int *priority, bool raise);

 int crypt_metadata_locking_enabled(void);

@@ -203,7 +204,7 @@ void crypt_set_luks2_reencrypt(struct crypt_device *cd, struct luks2_reencrypt *
 struct luks2_reencrypt *crypt_get_luks2_reencrypt(struct crypt_device *cd);

 int onlyLUKS2(struct crypt_device *cd);
-int onlyLUKS2mask(struct crypt_device *cd, uint32_t mask);
+int onlyLUKS2reencrypt(struct crypt_device *cd);

 int crypt_wipe_device(struct crypt_device *cd,
 	struct device *device,
@@ -222,6 +223,14 @@ int crypt_get_integrity_tag_size(struct crypt_device *cd);
 int crypt_key_in_keyring(struct crypt_device *cd);
 void crypt_set_key_in_keyring(struct crypt_device *cd, unsigned key_in_keyring);
 int crypt_volume_key_load_in_keyring(struct crypt_device *cd, struct volume_key *vk);
+int crypt_keyring_get_user_key(struct crypt_device *cd,
+		const char *key_description,
+		char **key,
+		size_t *key_size);
+int crypt_keyring_get_key_by_name(struct crypt_device *cd,
+		const char *key_description,
+		char **key,
+		size_t *key_size);
 int crypt_use_keyring_for_vk(struct crypt_device *cd);
 void crypt_drop_keyring_key_by_description(struct crypt_device *cd, const char *key_description, key_type_t ktype);
 void crypt_drop_keyring_key(struct crypt_device *cd, struct volume_key *vks);
@@ -246,9 +255,15 @@ static inline void *crypt_zalloc(size_t size) { return calloc(1, size); }
 static inline bool uint64_mult_overflow(uint64_t *u, uint64_t b, size_t size)
 {
 	*u = (uint64_t)b * size;
+	if (size == 0)
+		return true;
 	if ((uint64_t)(*u / size) != b)
 		return true;
 	return false;
 }

+#define KEY_NOT_VERIFIED -2
+#define KEY_EXTERNAL_VERIFICATION -1
+#define KEY_VERIFIED 0
+
 #endif /* INTERNAL_H */
--- a/lib/keyslot_context.c
+++ b/lib/keyslot_context.c
@@ -0,0 +1,815 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * LUKS - Linux Unified Key Setup, keyslot unlock helpers
+ *
+ * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2022-2024 Ondrej Kozina
+ */
+
+#include <errno.h>
+
+#include "luks1/luks.h"
+#include "luks2/luks2.h"
+#include "keyslot_context.h"
+
+static int get_luks2_key_by_passphrase(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	int keyslot,
+	int segment,
+	struct volume_key **r_vk)
+{
+	int r;
+
+	assert(cd);
+	assert(kc && kc->type == CRYPT_KC_TYPE_PASSPHRASE);
+	assert(r_vk);
+
+	r = LUKS2_keyslot_open(cd, keyslot, segment, kc->u.p.passphrase, kc->u.p.passphrase_size, r_vk);
+	if (r < 0)
+		kc->error = r;
+
+	return r;
+}
+
+static int get_luks1_volume_key_by_passphrase(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	int keyslot,
+	struct volume_key **r_vk)
+{
+	int r;
+
+	assert(cd);
+	assert(kc && kc->type == CRYPT_KC_TYPE_PASSPHRASE);
+	assert(r_vk);
+
+	r = LUKS_open_key_with_hdr(keyslot, kc->u.p.passphrase, kc->u.p.passphrase_size,
+				   crypt_get_hdr(cd, CRYPT_LUKS1), r_vk, cd);
+	if (r < 0)
+		kc->error = r;
+
+	return r;
+}
+
+static int get_luks2_volume_key_by_passphrase(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	int keyslot,
+	struct volume_key **r_vk)
+{
+	return get_luks2_key_by_passphrase(cd, kc, keyslot, CRYPT_DEFAULT_SEGMENT, r_vk);
+}
+
+static int get_passphrase_by_passphrase(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	const char **r_passphrase,
+	size_t *r_passphrase_size)
+{
+	assert(cd);
+	assert(kc && kc->type == CRYPT_KC_TYPE_PASSPHRASE);
+	assert(r_passphrase);
+	assert(r_passphrase_size);
+
+	*r_passphrase = kc->u.p.passphrase;
+	*r_passphrase_size = kc->u.p.passphrase_size;
+
+	return 0;
+}
+
+static int get_passphrase_by_keyfile(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	const char **r_passphrase,
+	size_t *r_passphrase_size)
+{
+	int r;
+
+	assert(cd);
+	assert(kc && kc->type == CRYPT_KC_TYPE_KEYFILE);
+	assert(r_passphrase);
+	assert(r_passphrase_size);
+
+	if (!kc->i_passphrase) {
+		r = crypt_keyfile_device_read(cd, kc->u.kf.keyfile,
+				       &kc->i_passphrase, &kc->i_passphrase_size,
+				       kc->u.kf.keyfile_offset, kc->u.kf.keyfile_size, 0);
+		if (r < 0) {
+			kc->error = r;
+			return r;
+		}
+	}
+
+	*r_passphrase = kc->i_passphrase;
+	*r_passphrase_size = kc->i_passphrase_size;
+
+	return 0;
+}
+
+static int get_luks2_key_by_keyfile(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	int keyslot,
+	int segment,
+	struct volume_key **r_vk)
+{
+	int r;
+	const char *passphrase;
+	size_t passphrase_size;
+
+	assert(cd);
+	assert(kc && kc->type == CRYPT_KC_TYPE_KEYFILE);
+	assert(r_vk);
+
+	r = get_passphrase_by_keyfile(cd, kc, &passphrase, &passphrase_size);
+	if (r)
+		return r;
+
+	r = LUKS2_keyslot_open(cd, keyslot, segment, passphrase, passphrase_size, r_vk);
+	if (r < 0)
+		kc->error = r;
+
+	return r;
+}
+
+static int get_luks2_volume_key_by_keyfile(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	int keyslot,
+	struct volume_key **r_vk)
+{
+	return get_luks2_key_by_keyfile(cd, kc, keyslot, CRYPT_DEFAULT_SEGMENT, r_vk);
+}
+
+static int get_luks1_volume_key_by_keyfile(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	int keyslot,
+	struct volume_key **r_vk)
+{
+	int r;
+	const char *passphrase;
+	size_t passphrase_size;
+
+	assert(cd);
+	assert(kc && kc->type == CRYPT_KC_TYPE_KEYFILE);
+	assert(r_vk);
+
+	r = get_passphrase_by_keyfile(cd, kc, &passphrase, &passphrase_size);
+	if (r)
+		return r;
+
+	r = LUKS_open_key_with_hdr(keyslot, passphrase, passphrase_size,
+				   crypt_get_hdr(cd, CRYPT_LUKS1), r_vk, cd);
+	if (r < 0)
+		kc->error = r;
+
+	return r;
+}
+
+static int get_key_by_key(struct crypt_device *cd __attribute__((unused)),
+	struct crypt_keyslot_context *kc,
+	int keyslot __attribute__((unused)),
+	int segment __attribute__((unused)),
+	struct volume_key **r_vk)
+{
+	assert(kc && kc->type == CRYPT_KC_TYPE_KEY);
+	assert(r_vk);
+
+	if (!kc->u.k.volume_key) {
+		kc->error = -ENOENT;
+		return kc->error;
+	}
+
+	*r_vk = crypt_alloc_volume_key(kc->u.k.volume_key_size, kc->u.k.volume_key);
+	if (!*r_vk) {
+		kc->error = -ENOMEM;
+		return kc->error;
+	}
+
+	return 0;
+}
+
+static int get_volume_key_by_key(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	int keyslot __attribute__((unused)),
+	struct volume_key **r_vk)
+{
+	return get_key_by_key(cd, kc, -2 /* unused */, -2 /* unused */, r_vk);
+}
+
+static int get_generic_volume_key_by_key(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	struct volume_key **r_vk)
+{
+	return get_key_by_key(cd, kc, -2 /* unused */, -2 /* unused */, r_vk);
+}
+
+static int get_generic_signed_key_by_key(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	struct volume_key **r_vk,
+	struct volume_key **r_signature)
+{
+	struct volume_key *vk, *vk_sig;
+
+	assert(kc && ((kc->type == CRYPT_KC_TYPE_KEY) ||
+		      (kc->type == CRYPT_KC_TYPE_SIGNED_KEY)));
+	assert(r_vk);
+	assert(r_signature);
+
+	/* return key with no signature */
+	if (kc->type == CRYPT_KC_TYPE_KEY) {
+		*r_signature = NULL;
+		return get_key_by_key(cd, kc, -2 /* unused */, -2 /* unused */, r_vk);
+	}
+
+	if (!kc->u.ks.volume_key || !kc->u.ks.signature) {
+		kc->error = -EINVAL;
+		return kc->error;
+	}
+
+	vk = crypt_alloc_volume_key(kc->u.ks.volume_key_size, kc->u.ks.volume_key);
+	if (!vk) {
+		kc->error = -ENOMEM;
+		return kc->error;
+	}
+
+	vk_sig = crypt_alloc_volume_key(kc->u.ks.signature_size, kc->u.ks.signature);
+	if (!vk_sig) {
+		crypt_free_volume_key(vk);
+		kc->error = -ENOMEM;
+		return kc->error;
+	}
+
+	*r_vk = vk;
+	*r_signature = vk_sig;
+
+	return 0;
+}
+
+static int get_luks2_key_by_token(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	int keyslot,
+	int segment,
+	struct volume_key **r_vk)
+{
+	int r;
+	struct luks2_hdr *hdr;
+
+	assert(cd);
+	assert(kc && kc->type == CRYPT_KC_TYPE_TOKEN);
+	assert(r_vk);
+
+	hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
+	if (!hdr)
+		return -EINVAL;
+
+	r = LUKS2_token_unlock_key(cd, hdr, keyslot, kc->u.t.id, kc->u.t.type,
+				   kc->u.t.pin, kc->u.t.pin_size, segment, kc->u.t.usrptr, r_vk);
+	if (r < 0)
+		kc->error = r;
+
+	return r;
+}
+
+static int get_luks2_volume_key_by_token(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	int keyslot,
+	struct volume_key **r_vk)
+{
+	return get_luks2_key_by_token(cd, kc, keyslot, CRYPT_DEFAULT_SEGMENT, r_vk);
+}
+
+static int get_passphrase_by_token(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	const char **r_passphrase,
+	size_t *r_passphrase_size)
+{
+	int r;
+
+	assert(cd);
+	assert(kc && kc->type == CRYPT_KC_TYPE_TOKEN);
+	assert(r_passphrase);
+	assert(r_passphrase_size);
+
+	if (!kc->i_passphrase) {
+		r = LUKS2_token_unlock_passphrase(cd, crypt_get_hdr(cd, CRYPT_LUKS2), kc->u.t.id,
+				kc->u.t.type, kc->u.t.pin, kc->u.t.pin_size,
+				kc->u.t.usrptr, &kc->i_passphrase, &kc->i_passphrase_size);
+		if (r < 0) {
+			kc->error = r;
+			return r;
+		}
+		kc->u.t.id = r;
+	}
+
+	*r_passphrase = kc->i_passphrase;
+	*r_passphrase_size = kc->i_passphrase_size;
+
+	return kc->u.t.id;
+}
+
+static int get_passphrase_by_keyring(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	const char **r_passphrase,
+	size_t *r_passphrase_size)
+{
+	int r;
+
+	assert(cd);
+	assert(kc && kc->type == CRYPT_KC_TYPE_KEYRING);
+	assert(r_passphrase);
+	assert(r_passphrase_size);
+
+	if (!kc->i_passphrase) {
+		r = crypt_keyring_get_user_key(cd, kc->u.kr.key_description,
+					       &kc->i_passphrase, &kc->i_passphrase_size);
+		if (r < 0) {
+			log_err(cd, _("Failed to read passphrase from keyring."));
+			kc->error = -EINVAL;
+			return -EINVAL;
+		}
+	}
+
+	*r_passphrase = kc->i_passphrase;
+	*r_passphrase_size = kc->i_passphrase_size;
+
+	return 0;
+}
+
+static int get_luks2_key_by_keyring(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	int keyslot,
+	int segment,
+	struct volume_key **r_vk)
+{
+	int r;
+
+	assert(cd);
+	assert(kc && kc->type == CRYPT_KC_TYPE_KEYRING);
+	assert(r_vk);
+
+	r = get_passphrase_by_keyring(cd, kc, CONST_CAST(const char **) &kc->i_passphrase,
+		&kc->i_passphrase_size);
+	if (r < 0) {
+		log_err(cd, _("Failed to read passphrase from keyring."));
+		kc->error = -EINVAL;
+		return -EINVAL;
+	}
+
+	r = LUKS2_keyslot_open(cd, keyslot, segment, kc->i_passphrase, kc->i_passphrase_size, r_vk);
+	if (r < 0)
+		kc->error = r;
+
+	return 0;
+}
+
+static int get_luks2_volume_key_by_keyring(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	int keyslot,
+	struct volume_key **r_vk)
+{
+	return get_luks2_key_by_keyring(cd, kc, keyslot, CRYPT_DEFAULT_SEGMENT, r_vk);
+}
+
+static int get_luks1_volume_key_by_keyring(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	int keyslot,
+	struct volume_key **r_vk)
+{
+	int r;
+
+	assert(cd);
+	assert(kc && kc->type == CRYPT_KC_TYPE_PASSPHRASE);
+	assert(r_vk);
+
+	r = get_passphrase_by_keyring(cd, kc, CONST_CAST(const char **) &kc->i_passphrase,
+		&kc->i_passphrase_size);
+	if (r < 0) {
+		log_err(cd, _("Failed to read passphrase from keyring."));
+		kc->error = -EINVAL;
+		return -EINVAL;
+	}
+
+	r = LUKS_open_key_with_hdr(keyslot, kc->i_passphrase, kc->i_passphrase_size,
+				   crypt_get_hdr(cd, CRYPT_LUKS1), r_vk, cd);
+	if (r < 0)
+		kc->error = r;
+
+	return r;
+}
+
+static int get_key_by_vk_in_keyring(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	int keyslot __attribute__((unused)),
+	int segment __attribute__((unused)),
+	struct volume_key **r_vk)
+{
+	char *key;
+	size_t key_size;
+	int r;
+
+	assert(cd);
+	assert(kc && kc->type == CRYPT_KC_TYPE_VK_KEYRING);
+	assert(r_vk);
+
+	r = crypt_keyring_get_key_by_name(cd, kc->u.vk_kr.key_description,
+					  &key, &key_size);
+	if (r < 0) {
+		log_err(cd, _("Failed to read volume key candidate from keyring."));
+		kc->error = -EINVAL;
+		return -EINVAL;
+	}
+
+	*r_vk = crypt_alloc_volume_key(key_size, key);
+	crypt_safe_free(key);
+	if (!*r_vk) {
+		kc->error = -ENOMEM;
+		return kc->error;
+	}
+
+	return 0;
+}
+
+static int get_volume_key_by_vk_in_keyring(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	int keyslot __attribute__((unused)),
+	struct volume_key **r_vk)
+{
+	return get_key_by_vk_in_keyring(cd, kc, -2 /* unused */, -2 /* unused */, r_vk);
+}
+
+static void unlock_method_init_internal(struct crypt_keyslot_context *kc)
+{
+	assert(kc);
+
+	kc->error = 0;
+	kc->i_passphrase = NULL;
+	kc->i_passphrase_size = 0;
+}
+
+void crypt_keyslot_unlock_by_keyring_internal(struct crypt_keyslot_context *kc,
+	const char *key_description)
+{
+	assert(kc);
+
+	kc->type = CRYPT_KC_TYPE_KEYRING;
+	kc->u.kr.key_description = key_description;
+
+	kc->get_luks2_key = get_luks2_key_by_keyring;
+	kc->get_luks2_volume_key = get_luks2_volume_key_by_keyring;
+	kc->get_luks1_volume_key = get_luks1_volume_key_by_keyring;
+	kc->get_passphrase = get_passphrase_by_keyring;
+	kc->get_plain_volume_key = NULL;
+	kc->get_bitlk_volume_key = NULL;
+	kc->get_fvault2_volume_key = NULL;
+	kc->get_verity_volume_key = NULL;
+	kc->get_integrity_volume_key = NULL;
+	unlock_method_init_internal(kc);
+}
+
+void crypt_keyslot_unlock_by_key_init_internal(struct crypt_keyslot_context *kc,
+	const char *volume_key,
+	size_t volume_key_size)
+{
+	assert(kc);
+
+	kc->type = CRYPT_KC_TYPE_KEY;
+	kc->u.k.volume_key = volume_key;
+	kc->u.k.volume_key_size = volume_key_size;
+	kc->get_luks2_key = get_key_by_key;
+	kc->get_luks2_volume_key = get_volume_key_by_key;
+	kc->get_luks1_volume_key = get_volume_key_by_key;
+	kc->get_passphrase = NULL; /* keyslot key context does not provide passphrase */
+	kc->get_plain_volume_key = get_generic_volume_key_by_key;
+	kc->get_bitlk_volume_key = get_generic_volume_key_by_key;
+	kc->get_fvault2_volume_key = get_generic_volume_key_by_key;
+	kc->get_verity_volume_key = get_generic_signed_key_by_key;
+	kc->get_integrity_volume_key = get_generic_volume_key_by_key;
+	unlock_method_init_internal(kc);
+}
+
+void crypt_keyslot_unlock_by_signed_key_init_internal(struct crypt_keyslot_context *kc,
+	const char *volume_key,
+	size_t volume_key_size,
+	const char *signature,
+	size_t signature_size)
+{
+	assert(kc);
+
+	kc->type = CRYPT_KC_TYPE_SIGNED_KEY;
+	kc->u.ks.volume_key = volume_key;
+	kc->u.ks.volume_key_size = volume_key_size;
+	kc->u.ks.signature = signature;
+	kc->u.ks.signature_size = signature_size;
+	kc->get_luks2_key = NULL;
+	kc->get_luks2_volume_key = NULL;
+	kc->get_luks1_volume_key = NULL;
+	kc->get_passphrase = NULL;
+	kc->get_plain_volume_key = NULL;
+	kc->get_bitlk_volume_key = NULL;
+	kc->get_fvault2_volume_key = NULL;
+	kc->get_verity_volume_key = get_generic_signed_key_by_key;
+	kc->get_integrity_volume_key = NULL;
+	unlock_method_init_internal(kc);
+}
+
+void crypt_keyslot_unlock_by_passphrase_init_internal(struct crypt_keyslot_context *kc,
+	const char *passphrase,
+	size_t passphrase_size)
+{
+	assert(kc);
+
+	kc->type = CRYPT_KC_TYPE_PASSPHRASE;
+	kc->u.p.passphrase = passphrase;
+	kc->u.p.passphrase_size = passphrase_size;
+	kc->get_luks2_key = get_luks2_key_by_passphrase;
+	kc->get_luks2_volume_key = get_luks2_volume_key_by_passphrase;
+	kc->get_luks1_volume_key = get_luks1_volume_key_by_passphrase;
+	kc->get_passphrase = get_passphrase_by_passphrase;
+	kc->get_plain_volume_key = NULL;
+	kc->get_bitlk_volume_key = NULL;
+	kc->get_fvault2_volume_key = NULL;
+	kc->get_verity_volume_key = NULL;
+	kc->get_integrity_volume_key = NULL;
+	unlock_method_init_internal(kc);
+}
+
+void crypt_keyslot_unlock_by_keyfile_init_internal(struct crypt_keyslot_context *kc,
+	const char *keyfile,
+	size_t keyfile_size,
+	uint64_t keyfile_offset)
+{
+	assert(kc);
+
+	kc->type = CRYPT_KC_TYPE_KEYFILE;
+	kc->u.kf.keyfile = keyfile;
+	kc->u.kf.keyfile_size = keyfile_size;
+	kc->u.kf.keyfile_offset = keyfile_offset;
+	kc->get_luks2_key = get_luks2_key_by_keyfile;
+	kc->get_luks2_volume_key = get_luks2_volume_key_by_keyfile;
+	kc->get_luks1_volume_key = get_luks1_volume_key_by_keyfile;
+	kc->get_passphrase = get_passphrase_by_keyfile;
+	kc->get_plain_volume_key = NULL;
+	kc->get_bitlk_volume_key = NULL;
+	kc->get_fvault2_volume_key = NULL;
+	kc->get_verity_volume_key = NULL;
+	kc->get_integrity_volume_key = NULL;
+	unlock_method_init_internal(kc);
+}
+
+void crypt_keyslot_unlock_by_token_init_internal(struct crypt_keyslot_context *kc,
+	int token,
+	const char *type,
+	const char *pin,
+	size_t pin_size,
+	void *usrptr)
+{
+	assert(kc);
+
+	kc->type = CRYPT_KC_TYPE_TOKEN;
+	kc->u.t.id = token;
+	kc->u.t.type = type;
+	kc->u.t.pin = pin;
+	kc->u.t.pin_size = pin_size;
+	kc->u.t.usrptr = usrptr;
+	kc->get_luks2_key = get_luks2_key_by_token;
+	kc->get_luks2_volume_key = get_luks2_volume_key_by_token;
+	kc->get_luks1_volume_key = NULL; /* LUKS1 is not supported */
+	kc->get_passphrase = get_passphrase_by_token;
+	kc->get_plain_volume_key = NULL;
+	kc->get_bitlk_volume_key = NULL;
+	kc->get_fvault2_volume_key = NULL;
+	kc->get_verity_volume_key = NULL;
+	kc->get_integrity_volume_key = NULL;
+	unlock_method_init_internal(kc);
+}
+
+void crypt_keyslot_unlock_by_vk_in_keyring_internal(struct crypt_keyslot_context *kc,
+	const char *key_description)
+{
+	assert(kc);
+
+	kc->type = CRYPT_KC_TYPE_VK_KEYRING;
+	kc->u.vk_kr.key_description = key_description;
+
+	kc->get_luks2_key = get_key_by_vk_in_keyring;
+	kc->get_luks2_volume_key = get_volume_key_by_vk_in_keyring;
+	kc->get_luks1_volume_key = NULL;
+	kc->get_passphrase = NULL; /* keyslot key context does not provide passphrase */
+	kc->get_plain_volume_key = NULL;
+	kc->get_bitlk_volume_key = NULL;
+	kc->get_fvault2_volume_key = NULL;
+	kc->get_verity_volume_key = NULL;
+	kc->get_integrity_volume_key = NULL;
+	unlock_method_init_internal(kc);
+}
+
+
+void crypt_keyslot_context_destroy_internal(struct crypt_keyslot_context *kc)
+{
+	if (!kc)
+		return;
+
+	crypt_safe_free(kc->i_passphrase);
+	kc->i_passphrase = NULL;
+	kc->i_passphrase_size = 0;
+}
+
+void crypt_keyslot_context_free(struct crypt_keyslot_context *kc)
+{
+	crypt_keyslot_context_destroy_internal(kc);
+	free(kc);
+}
+
+int crypt_keyslot_context_init_by_passphrase(struct crypt_device *cd __attribute__((unused)),
+	const char *passphrase,
+	size_t passphrase_size,
+	struct crypt_keyslot_context **kc)
+{
+	struct crypt_keyslot_context *tmp;
+
+	if (!kc || !passphrase)
+		return -EINVAL;
+
+	tmp = malloc(sizeof(*tmp));
+	if (!tmp)
+		return -ENOMEM;
+
+	crypt_keyslot_unlock_by_passphrase_init_internal(tmp, passphrase, passphrase_size);
+
+	*kc = tmp;
+
+	return 0;
+}
+
+int crypt_keyslot_context_init_by_keyfile(struct crypt_device *cd __attribute__((unused)),
+	const char *keyfile,
+	size_t keyfile_size,
+	uint64_t keyfile_offset,
+	struct crypt_keyslot_context **kc)
+{
+	struct crypt_keyslot_context *tmp;
+
+	if (!kc || !keyfile)
+		return -EINVAL;
+
+	tmp = malloc(sizeof(*tmp));
+	if (!tmp)
+		return -ENOMEM;
+
+	crypt_keyslot_unlock_by_keyfile_init_internal(tmp, keyfile, keyfile_size, keyfile_offset);
+
+	*kc = tmp;
+
+	return 0;
+}
+
+int crypt_keyslot_context_init_by_token(struct crypt_device *cd __attribute__((unused)),
+	int token,
+	const char *type,
+	const char *pin, size_t pin_size,
+	void *usrptr,
+	struct crypt_keyslot_context **kc)
+{
+	struct crypt_keyslot_context *tmp;
+
+	if (!kc || (token < 0 && token != CRYPT_ANY_TOKEN))
+		return -EINVAL;
+
+	tmp = malloc(sizeof(*tmp));
+	if (!tmp)
+		return -ENOMEM;
+
+	crypt_keyslot_unlock_by_token_init_internal(tmp, token, type, pin, pin_size, usrptr);
+
+	*kc = tmp;
+
+	return 0;
+}
+
+int crypt_keyslot_context_init_by_volume_key(struct crypt_device *cd __attribute__((unused)),
+	const char *volume_key,
+	size_t volume_key_size,
+	struct crypt_keyslot_context **kc)
+{
+	struct crypt_keyslot_context *tmp;
+
+	if (!kc)
+		return -EINVAL;
+
+	tmp = malloc(sizeof(*tmp));
+	if (!tmp)
+		return -ENOMEM;
+
+	crypt_keyslot_unlock_by_key_init_internal(tmp, volume_key, volume_key_size);
+
+	*kc = tmp;
+
+	return 0;
+}
+
+int crypt_keyslot_context_init_by_signed_key(struct crypt_device *cd __attribute__((unused)),
+	const char *volume_key,
+	size_t volume_key_size,
+	const char *signature,
+	size_t signature_size,
+	struct crypt_keyslot_context **kc)
+{
+	struct crypt_keyslot_context *tmp;
+
+	if (!kc)
+		return -EINVAL;
+
+	tmp = malloc(sizeof(*tmp));
+	if (!tmp)
+		return -ENOMEM;
+
+	crypt_keyslot_unlock_by_signed_key_init_internal(tmp, volume_key, volume_key_size,
+		signature, signature_size);
+
+	*kc = tmp;
+
+	return 0;
+}
+
+int crypt_keyslot_context_init_by_keyring(struct crypt_device *cd __attribute__((unused)),
+	const char *key_description,
+	struct crypt_keyslot_context **kc)
+{
+	struct crypt_keyslot_context *tmp;
+
+	if (!kc)
+		return -EINVAL;
+
+	tmp = malloc(sizeof(*tmp));
+	if (!tmp)
+		return -ENOMEM;
+
+	crypt_keyslot_unlock_by_keyring_internal(tmp, key_description);
+
+	*kc = tmp;
+
+	return 0;
+}
+
+int crypt_keyslot_context_init_by_vk_in_keyring(struct crypt_device *cd __attribute__((unused)),
+	const char *key_description,
+	struct crypt_keyslot_context **kc)
+{
+	struct crypt_keyslot_context *tmp;
+
+	if (!kc)
+		return -EINVAL;
+
+	tmp = malloc(sizeof(*tmp));
+	if (!tmp)
+		return -ENOMEM;
+
+	crypt_keyslot_unlock_by_vk_in_keyring_internal(tmp, key_description);
+
+	*kc = tmp;
+
+	return 0;
+}
+
+int crypt_keyslot_context_get_error(struct crypt_keyslot_context *kc)
+{
+	return kc ? kc->error : -EINVAL;
+}
+
+int crypt_keyslot_context_set_pin(struct crypt_device *cd __attribute__((unused)),
+	const char *pin, size_t pin_size,
+	struct crypt_keyslot_context *kc)
+{
+	if (!kc || kc->type != CRYPT_KC_TYPE_TOKEN)
+		return -EINVAL;
+
+	kc->u.t.pin = pin;
+	kc->u.t.pin_size = pin_size;
+	kc->error = 0;
+
+	return 0;
+}
+
+int crypt_keyslot_context_get_type(const struct crypt_keyslot_context *kc)
+{
+	return kc ? kc->type : -EINVAL;
+}
+
+const char *keyslot_context_type_string(const struct crypt_keyslot_context *kc)
+{
+	assert(kc);
+
+	switch (kc->type) {
+	case CRYPT_KC_TYPE_PASSPHRASE:
+		return "passphrase";
+	case CRYPT_KC_TYPE_KEYFILE:
+		return "keyfile";
+	case CRYPT_KC_TYPE_TOKEN:
+		return "token";
+	case CRYPT_KC_TYPE_KEY:
+		return "key";
+	case CRYPT_KC_TYPE_KEYRING:
+		return "keyring";
+	case CRYPT_KC_TYPE_VK_KEYRING:
+		return "volume key in keyring";
+	case CRYPT_KC_TYPE_SIGNED_KEY:
+		return "signed key";
+	default:
+		return "<unknown>";
+	}
+}
--- a/lib/keyslot_context.h
+++ b/lib/keyslot_context.h
@@ -0,0 +1,138 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * LUKS - Linux Unified Key Setup, keyslot unlock helpers
+ *
+ * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2022-2024 Ondrej Kozina
+ */
+
+#ifndef KEYSLOT_CONTEXT_H
+#define KEYSLOT_CONTEXT_H
+
+#include <stdbool.h>
+#include <stdint.h>
+
+#include "internal.h"
+
+typedef int (*keyslot_context_get_key) (
+	struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	int keyslot,
+	int segment,
+	struct volume_key **r_vk);
+
+typedef int (*keyslot_context_get_volume_key) (
+	struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	int keyslot,
+	struct volume_key **r_vk);
+
+typedef int (*keyslot_context_get_generic_volume_key) (
+	struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	struct volume_key **r_vk);
+
+typedef int (*keyslot_context_get_generic_signed_key) (
+	struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	struct volume_key **r_vk,
+	struct volume_key **r_signature);
+
+typedef int (*keyslot_context_get_passphrase) (
+	struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	const char **r_passphrase,
+	size_t *r_passphrase_size);
+
+/* crypt_keyslot_context */
+struct crypt_keyslot_context {
+	int type;
+
+	union {
+	struct {
+		const char *passphrase;
+		size_t passphrase_size;
+	} p;
+	struct {
+		const char *keyfile;
+		uint64_t keyfile_offset;
+		size_t keyfile_size;
+	} kf;
+	struct {
+		int id;
+		const char *type;
+		const char *pin;
+		size_t pin_size;
+		void *usrptr;
+	} t;
+	struct {
+		const char *volume_key;
+		size_t volume_key_size;
+	} k;
+	struct {
+		const char *volume_key;
+		size_t volume_key_size;
+		const char *signature;
+		size_t signature_size;
+	} ks;
+	struct {
+		const char *key_description;
+	} kr;
+	struct {
+		const char *key_description;
+	} vk_kr;
+	} u;
+
+	int error;
+
+	char *i_passphrase;
+	size_t i_passphrase_size;
+
+	keyslot_context_get_key			get_luks2_key;
+	keyslot_context_get_volume_key		get_luks1_volume_key;
+	keyslot_context_get_volume_key		get_luks2_volume_key;
+	keyslot_context_get_generic_volume_key	get_plain_volume_key;
+	keyslot_context_get_generic_volume_key	get_bitlk_volume_key;
+	keyslot_context_get_generic_volume_key	get_fvault2_volume_key;
+	keyslot_context_get_generic_signed_key	get_verity_volume_key;
+	keyslot_context_get_generic_volume_key	get_integrity_volume_key;
+	keyslot_context_get_passphrase		get_passphrase;
+};
+
+void crypt_keyslot_context_destroy_internal(struct crypt_keyslot_context *method);
+
+void crypt_keyslot_unlock_by_key_init_internal(struct crypt_keyslot_context *kc,
+	const char *volume_key,
+	size_t volume_key_size);
+
+void crypt_keyslot_unlock_by_signed_key_init_internal(struct crypt_keyslot_context *kc,
+	const char *volume_key,
+	size_t volume_key_size,
+	const char *signature,
+	size_t signature_size);
+
+void crypt_keyslot_unlock_by_passphrase_init_internal(struct crypt_keyslot_context *kc,
+	const char *passphrase,
+	size_t passphrase_size);
+
+void crypt_keyslot_unlock_by_keyfile_init_internal(struct crypt_keyslot_context *kc,
+	const char *keyfile,
+	size_t keyfile_size,
+	uint64_t keyfile_offset);
+
+void crypt_keyslot_unlock_by_token_init_internal(struct crypt_keyslot_context *kc,
+	int token,
+	const char *type,
+	const char *pin,
+	size_t pin_size,
+	void *usrptr);
+
+void crypt_keyslot_unlock_by_keyring_internal(struct crypt_keyslot_context *kc,
+	const char *key_description);
+
+void crypt_keyslot_unlock_by_vk_in_keyring_internal(struct crypt_keyslot_context *kc,
+	const char *key_description);
+
+const char *keyslot_context_type_string(const struct crypt_keyslot_context *kc);
+
+#endif /* KEYSLOT_CONTEXT_H */
--- a/lib/libcryptsetup.h
+++ b/lib/libcryptsetup.h
@@ -1,24 +1,11 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
 /*
 * libcryptsetup - cryptsetup library
 *
 * Copyright (C) 2004 Jana Saout <jana@saout.de>
 * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2022 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2024 Milan Broz
 */

 /**
@@ -46,6 +33,7 @@ extern "C" {
 */

 struct crypt_device; /* crypt device handle */
+struct crypt_keyslot_context;

 /**
 * Initialize crypt device handle and check if the provided device exists.
@@ -272,7 +260,7 @@ struct crypt_pbkdf_type {

 /** Iteration time set by crypt_set_iteration_time(), for compatibility only. */
 #define CRYPT_PBKDF_ITER_TIME_SET   (UINT32_C(1) << 0)
-/** Never run benchmarks, use pre-set value or defaults. */
+/** Never run benchmarks or limit by system resources, use pre-set values or defaults. */
 #define CRYPT_PBKDF_NO_BENCHMARK    (UINT32_C(1) << 1)

 /** PBKDF2 according to RFC2898, LUKS1 legacy */
@@ -344,6 +332,7 @@ void crypt_set_iteration_time(struct crypt_device *cd, uint64_t iteration_time_m

 /**
 * Helper to lock/unlock memory to avoid swap sensitive data to disk.
+ * \b Deprecated, only for backward compatibility. Memory with keys are locked automatically.
 *
 * @param cd crypt device handle, can be @e NULL
 * @param lock 0 to unlock otherwise lock memory
@@ -353,7 +342,7 @@ void crypt_set_iteration_time(struct crypt_device *cd, uint64_t iteration_time_m
 * @note Only root can do this.
 * @note It locks/unlocks all process memory, not only crypt context.
 */
-int crypt_memory_lock(struct crypt_device *cd, int lock);
+int crypt_memory_lock(struct crypt_device *cd, int lock) __attribute__((deprecated));

 /**
 * Set global lock protection for on-disk metadata (file-based locking).
@@ -427,6 +416,8 @@ int crypt_get_metadata_size(struct crypt_device *cd,
 #define CRYPT_INTEGRITY "INTEGRITY"
 /** BITLK (BitLocker-compatible mode) */
 #define CRYPT_BITLK "BITLK"
+/** FVAULT2 (FileVault2-compatible mode) */
+#define CRYPT_FVAULT2 "FVAULT2"

 /** LUKS any version */
 #define CRYPT_LUKS NULL
@@ -446,6 +437,34 @@ const char *crypt_get_type(struct crypt_device *cd);
 */
 const char *crypt_get_default_type(void);

+/**
+ * @defgroup crypt-hw-encryption-types HW encryption type
+ * @addtogroup crypt-hw-encryption-types
+ * @{
+ */
+/** SW encryption, no OPAL encryption in place (default) */
+#define CRYPT_SW_ONLY        INT16_C(0)
+/** OPAL HW encryption only (no SW encryption!) */
+#define CRYPT_OPAL_HW_ONLY   INT16_C(1)
+/** SW encryption stacked over OPAL HW encryption  */
+#define CRYPT_SW_AND_OPAL_HW INT16_C(2)
+/** @} */
+
+/**
+ * Get HW encryption type
+ *
+ * @return HW encryption type (see @link crypt-hw-encryption-types @endlink)
+ *         or negative errno otherwise.
+ */
+int crypt_get_hw_encryption_type(struct crypt_device *cd);
+
+/**
+ * Get HW encryption (like OPAL) key size (in bytes)
+ *
+ * @return key size or 0 if no HW encryption is used.
+ */
+int crypt_get_hw_encryption_key_size(struct crypt_device *cd);
+
 /**
 *
 * Structure used as parameter for PLAIN device type.
@@ -605,6 +624,18 @@ struct crypt_params_luks2 {
 	const char *label;       /**< header label or @e NULL*/
 	const char *subsystem;   /**< header subsystem label or @e NULL*/
 };
+
+/**
+ * Structure used as parameter for OPAL (HW encrypted) device type.
+ *
+ * @see crypt_format_luks2_opal
+ *
+ */
+struct crypt_params_hw_opal {
+	const char *admin_key;   /**< admin key */
+	size_t admin_key_size;   /**< admin key size in bytes */
+	size_t user_key_size;    /**< user authority key size part in bytes */
+};
 /** @} */

 /**
@@ -644,6 +675,34 @@ int crypt_format(struct crypt_device *cd,
 	size_t volume_key_size,
 	void *params);

+/**
+ * Create (format) new LUKS2 crypt device over HW OPAL device but do not activate it.
+ *
+ * @pre @e cd contains initialized and not formatted device context (device type must @b not be set)
+ *
+ * @param cd crypt device handle
+ * @param cipher for SW encryption (e.g. "aes") or NULL for HW encryption only
+ * @param cipher_mode including IV specification (e.g. "xts-plain") or NULL for HW encryption only
+ * @param uuid requested UUID or @e NULL if it should be generated
+ * @param volume_keys pre-generated volume keys or @e NULL if it should be generated (only for LUKS2 SW encryption)
+ * @param volume_keys_size size of volume keys in bytes (only for SW encryption).
+ * @param params LUKS2 crypt type specific parameters (see @link crypt-type @endlink)
+ * @param opal_params OPAL specific parameters
+ *
+ * @returns @e 0 on success or negative errno value otherwise.
+ *
+ * @note Note that crypt_format_luks2_opal does not create LUKS keyslot.
+ *       To create keyslot call any crypt_keyslot_add_* function.
+ */
+int crypt_format_luks2_opal(struct crypt_device *cd,
+	const char *cipher,
+	const char *cipher_mode,
+	const char *uuid,
+	const char *volume_keys,
+	size_t volume_keys_size,
+	struct crypt_params_luks2 *params,
+	struct crypt_params_hw_opal *opal_params);
+
 /**
 * Set format compatibility flags.
 *
@@ -937,6 +996,23 @@ int crypt_resume_by_token_pin(struct crypt_device *cd,
 	const char *pin,
 	size_t pin_size,
 	void *usrptr);
+
+/**
+ * Resume crypt device using keyslot context.
+ *
+ * @param cd crypt device handle
+ * @param name name of device to resume
+ * @param keyslot requested keyslot to check or @e CRYPT_ANY_SLOT, keyslot is
+ *        ignored for unlock methods not based on passphrase
+ * @param kc keyslot context providing volume key or passphrase.
+ *
+ * @return unlocked key slot number for passphrase-based unlock, zero for other
+ *         unlock methods (e.g. volume key context) or negative errno on error.
+ */
+int crypt_resume_by_keyslot_context(struct crypt_device *cd,
+			       const char *name,
+			       int keyslot,
+			       struct crypt_keyslot_context *kc);
 /** @} */

 /**
@@ -1095,7 +1171,7 @@ int crypt_keyslot_add_by_volume_key(struct crypt_device *cd,
 * @warning CRYPT_VOLUME_KEY_SET flag force updates volume key. It is @b not @b reencryption!
 * 	    By doing so you will most probably destroy your ciphertext data device. It's supposed
 * 	    to be used only in wrapped keys scheme for key refresh process where real (inner) volume
- * 	    key stays untouched. It may be involed on active @e keyslot which makes the (previously
+ * 	    key stays untouched. It may be involved on active @e keyslot which makes the (previously
 * 	    unbound) keyslot new regular keyslot.
 */
 int crypt_keyslot_add_by_key(struct crypt_device *cd,
@@ -1106,6 +1182,250 @@ int crypt_keyslot_add_by_key(struct crypt_device *cd,
 	size_t passphrase_size,
 	uint32_t flags);

+/**
+ * @defgroup crypt-keyslot-context Crypt keyslot context
+ * @addtogroup crypt-keyslot-context
+ * @{
+ */
+
+/**
+ * Release crypt keyslot context and used memory.
+ *
+ * @param kc crypt keyslot context
+ */
+void crypt_keyslot_context_free(struct crypt_keyslot_context *kc);
+
+/**
+ * Initialize keyslot context via passphrase.
+ *
+ * @param cd crypt device handle initialized to LUKS device context
+ * @param passphrase passphrase for a keyslot
+ * @param passphrase_size size of passphrase
+ * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_PASSPHRASE
+ *
+ * @return zero on success or negative errno otherwise.
+ */
+int crypt_keyslot_context_init_by_passphrase(struct crypt_device *cd,
+	const char *passphrase,
+	size_t passphrase_size,
+	struct crypt_keyslot_context **kc);
+
+/**
+ * Initialize keyslot context via key file path.
+ *
+ * @param cd crypt device handle initialized to LUKS device context
+ *
+ * @param keyfile key file with passphrase for a keyslot
+ * @param keyfile_size number of bytes to read from keyfile, @e 0 is unlimited
+ * @param keyfile_offset number of bytes to skip at start of keyfile
+ * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_KEYFILE
+ *
+ * @return zero on success or negative errno otherwise.
+ */
+int crypt_keyslot_context_init_by_keyfile(struct crypt_device *cd,
+	const char *keyfile,
+	size_t keyfile_size,
+	uint64_t keyfile_offset,
+	struct crypt_keyslot_context **kc);
+
+/**
+ * Initialize keyslot context via LUKS2 token.
+ *
+ * @param cd crypt device handle initialized to LUKS2 device context
+ *
+ * @param token token providing passphrase for a keyslot or CRYPT_ANY_TOKEN
+ * @param type restrict type of token, if @e NULL all types are allowed
+ * @param pin passphrase (or PIN) to unlock token (may be binary data)
+ * @param pin_size size of @e pin
+ * @param usrptr provided identification in callback
+ * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_TOKEN
+ *
+ * @return zero on success or negative errno otherwise.
+ */
+int crypt_keyslot_context_init_by_token(struct crypt_device *cd,
+	int token,
+	const char *type,
+	const char *pin, size_t pin_size,
+	void *usrptr,
+	struct crypt_keyslot_context **kc);
+
+/**
+ * Initialize keyslot context via key.
+ *
+ * @param cd crypt device handle initialized to LUKS device context
+ *
+ * @param volume_key provided volume key or @e NULL if used after crypt_format
+ *        or with CRYPT_VOLUME_KEY_NO_SEGMENT flag
+ * @param volume_key_size size of volume_key
+ * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_KEY
+ *
+ * @return zero on success or negative errno otherwise.
+ */
+int crypt_keyslot_context_init_by_volume_key(struct crypt_device *cd,
+	const char *volume_key,
+	size_t volume_key_size,
+	struct crypt_keyslot_context **kc);
+
+/**
+ * Initialize keyslot context via signed key.
+ *
+ * @param cd crypt device handle initialized to device context
+ *
+ * @param volume_key provided volume key
+ * @param volume_key_size size of volume_key
+ * @param signature buffer with signature for the key
+ * @param signature_size bsize of signature buffer
+ * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_SIGNED_KEY
+ *
+ * @return zero on success or negative errno otherwise.
+ *
+ * @note currently supported only with VERITY devices.
+ */
+int crypt_keyslot_context_init_by_signed_key(struct crypt_device *cd,
+	const char *volume_key,
+	size_t volume_key_size,
+	const char *signature,
+	size_t signature_size,
+	struct crypt_keyslot_context **kc);
+
+/**
+ * Initialize keyslot context via passphrase stored in a keyring.
+ *
+ * @param cd crypt device handle initialized to LUKS device context
+ *
+ * @param key_description kernel keyring key description library should look
+ *        for passphrase in
+ * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_KEYRING
+ *
+ * @return zero on success or negative errno otherwise.
+ */
+int crypt_keyslot_context_init_by_keyring(struct crypt_device *cd,
+	const char *key_description,
+	struct crypt_keyslot_context **kc);
+
+/**
+ * Initialize keyslot context via volume key stored in a keyring.
+ *
+ * @param cd crypt device handle initialized to LUKS device context
+ *
+ * @param key_description kernel keyring key description library should look
+ *        for passphrase in. The key can be passed either as number in ASCII,
+ *        or a text representation in the form "%<key_type>:<key_name>"
+ * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_KEYRING
+ *
+ * @return zero on success or negative errno otherwise.
+ */
+int crypt_keyslot_context_init_by_vk_in_keyring(struct crypt_device *cd,
+	const char *key_description,
+	struct crypt_keyslot_context **kc);
+
+/**
+ * Get error code per keyslot context from last failed call.
+ *
+ * @note If @link crypt_keyslot_add_by_keyslot_context @endlink passed with
+ * 	 no negative return code. The return value of this function is undefined.
+ *
+ * @param kc keyslot context involved in failed @link crypt_keyslot_add_by_keyslot_context @endlink
+ *
+ * @return Negative errno if keyslot context caused a failure, zero otherwise.
+ */
+int crypt_keyslot_context_get_error(struct crypt_keyslot_context *kc);
+
+/**
+ * Set new pin to token based keyslot context.
+ *
+ * @note Use when @link crypt_keyslot_add_by_keyslot_context @endlink failed
+ *	 and token keyslot context returned -ENOANO error code via
+ *	 @link crypt_keyslot_context_get_error @endlink.
+ *
+ * @param cd crypt device handle initialized to LUKS2 device context
+ * @param pin passphrase (or PIN) to unlock token (may be binary data)
+ * @param pin_size size of @e pin
+ * @param kc LUKS2 keyslot context (only @link CRYPT_KC_TYPE_TOKEN @endlink is allowed)
+ *
+ * @return zero on success or negative errno otherwise
+ */
+int crypt_keyslot_context_set_pin(struct crypt_device *cd,
+	const char *pin, size_t pin_size,
+	struct crypt_keyslot_context *kc);
+
+/**
+ * @defgroup crypt-keyslot-context-types Crypt keyslot context types
+ * @addtogroup crypt-keyslot-context-types
+ * @{
+ */
+/** keyslot context initialized by passphrase (@link crypt_keyslot_context_init_by_passphrase @endlink) */
+#define CRYPT_KC_TYPE_PASSPHRASE INT16_C(1)
+/** keyslot context initialized by keyfile (@link crypt_keyslot_context_init_by_keyfile @endlink) */
+#define CRYPT_KC_TYPE_KEYFILE    INT16_C(2)
+/** keyslot context initialized by token (@link crypt_keyslot_context_init_by_token @endlink) */
+#define CRYPT_KC_TYPE_TOKEN      INT16_C(3)
+/** keyslot context initialized by volume key or unbound key (@link crypt_keyslot_context_init_by_volume_key @endlink) */
+#define CRYPT_KC_TYPE_KEY        INT16_C(4)
+/** keyslot context initialized by description of a keyring key
+ * (@link crypt_keyslot_context_init_by_keyring @endlink)
+ */
+#define CRYPT_KC_TYPE_KEYRING    INT16_C(5)
+/** keyslot context initialized by description of a keyring key containing the volume key
+ * (@link crypt_keyslot_context_init_by_vk_in_keyring @endlink)
+ */
+#define CRYPT_KC_TYPE_VK_KEYRING    INT16_C(6)
+/** keyslot context initialized by signed key (@link crypt_keyslot_context_init_by_signed_key @endlink) */
+#define CRYPT_KC_TYPE_SIGNED_KEY    INT16_C(7)
+/** @} */
+
+/**
+ * Get type identifier for crypt keyslot context.
+ *
+ * @param kc keyslot context
+ *
+ * @return crypt keyslot context type id (see @link crypt-keyslot-context-types @endlink) or negative errno otherwise.
+ */
+int crypt_keyslot_context_get_type(const struct crypt_keyslot_context *kc);
+/** @} */
+
+/**
+ * Add key slot by volume key provided by keyslot context (kc). New
+ * keyslot will be protected by passphrase provided by new keyslot context (new_kc).
+ * See @link crypt-keyslot-context @endlink for context initialization routines.
+ *
+ * @pre @e cd contains initialized and formatted LUKS device context.
+ *
+ * @param cd crypt device handle
+ * @param keyslot_existing existing keyslot or CRYPT_ANY_SLOT to get volume key from.
+ * @param kc keyslot context providing volume key.
+ * @param keyslot_new new keyslot or CRYPT_ANY_SLOT (first free number is used).
+ * @param new_kc keyslot context providing passphrase for new keyslot.
+ * @param flags key flags to set
+ *
+ * @return allocated key slot number or negative errno otherwise.
+ *
+ * @note new_kc can not be @e CRYPT_KC_TYPE_KEY type keyslot context.
+ *
+ * @note For kc parameter with type @e CRYPT_KC_TYPE_KEY the keyslot_existing
+ *       parameter is ignored.
+ *
+ * @note in case there is no active LUKS keyslot to get existing volume key from, one of following must apply:
+ * 	 @li @e cd must be device handle used in crypt_format() by current process (it holds reference to generated volume key)
+ * 	 @li kc must be of @e CRYPT_KC_TYPE_KEY type with valid volume key.
+ *
+ * @note With CRYPT_VOLUME_KEY_NO_SEGMENT flag raised and kc of type @e CRYPT_KC_TYPE_KEY with @e volume_key set to @e NULL
+ *     the new volume_key will be generated and stored in new keyslot. The keyslot will become unbound (unusable to
+ *     dm-crypt device activation).
+ *
+ * @warning CRYPT_VOLUME_KEY_SET flag force updates volume key. It is @b not @b reencryption!
+ * 	    By doing so you will most probably destroy your ciphertext data device. It's supposed
+ * 	    to be used only in wrapped keys scheme for key refresh process where real (inner) volume
+ * 	    key stays untouched. It may be involved on active @e keyslot which makes the (previously
+ * 	    unbound) keyslot new regular keyslot.
+ */
+int crypt_keyslot_add_by_keyslot_context(struct crypt_device *cd,
+	int keyslot_existing,
+	struct crypt_keyslot_context *kc,
+	int keyslot_new,
+	struct crypt_keyslot_context *new_kc,
+	uint32_t flags);
+
 /**
 * Destroy (and disable) key slot.
 *
@@ -1182,6 +1502,8 @@ int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot);
 #define CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE (UINT32_C(1) << 25)
 /** dm-integrity: reset automatic recalculation */
 #define CRYPT_ACTIVATE_RECALCULATE_RESET (UINT32_C(1) << 26)
+/** dm-verity: try to use tasklets */
+#define CRYPT_ACTIVATE_TASKLETS (UINT32_C(1) << 27)

 /**
 * Active device runtime attributes
@@ -1233,6 +1555,8 @@ uint64_t crypt_get_active_integrity_failures(struct crypt_device *cd,
 #define CRYPT_REQUIREMENT_OFFLINE_REENCRYPT	(UINT32_C(1) << 0)
 /** Online reencryption in-progress */
 #define CRYPT_REQUIREMENT_ONLINE_REENCRYPT	(UINT32_C(1) << 1)
+/** Device configured with OPAL support */
+#define CRYPT_REQUIREMENT_OPAL			(UINT32_C(1) << 2)
 /** unknown requirement in header (output only) */
 #define CRYPT_REQUIREMENT_UNKNOWN		(UINT32_C(1) << 31)

@@ -1286,6 +1610,39 @@ int crypt_persistent_flags_get(struct crypt_device *cd,
 * @{
 */

+/**
+ * Activate device or check using keyslot context. In some cases (device under
+ * reencryption), more than one keyslot context is required (e.g. one for the old
+ * volume key and one for the new volume key). The order of the keyslot
+ * contexts does not matter. When less keyslot contexts are supplied than
+ * required to unlock the device an -ESRCH error code is returned and you
+ * should call the function again with an additional keyslot context specified.
+ *
+ * NOTE: the API at the moment fully works for single keyslot context only,
+ * the additional keyslot context currently works only with
+ * @e CRYPT_KC_TYPE_VK_KEYRING or @e CRYPT_KC_TYPE_KEY contexts.
+ *
+ * @param cd crypt device handle
+ * @param name name of device to create, if @e NULL only check passphrase
+ * @param keyslot requested keyslot to check or @e CRYPT_ANY_SLOT, keyslot is
+ *        ignored for unlock methods not based on passphrase
+ * @param kc keyslot context providing volume key or passphrase.
+ * @param additional_keyslot requested additional keyslot to check or @e CRYPT_ANY_SLOT
+ * @param additional_kc keyslot context providing additional volume key or
+ *        passphrase (e.g. old volume key for device under reencryption).
+ * @param flags activation flags
+ *
+ * @return unlocked key slot number for passphrase-based unlock, zero for other
+ *         unlock methods (e.g. volume key context) or negative errno on error.
+ */
+int crypt_activate_by_keyslot_context(struct crypt_device *cd,
+	const char *name,
+	int keyslot,
+	struct crypt_keyslot_context *kc,
+	int additional_keyslot,
+	struct crypt_keyslot_context *additional_kc,
+	uint32_t flags);
+
 /**
 * Activate device or check passphrase.
 *
@@ -1366,6 +1723,9 @@ int crypt_activate_by_keyfile(struct crypt_device *cd,
 * 	 CRYPT_ACTIVATE_READONLY flag always.
 * @note For TCRYPT the volume key should be always NULL
 * 	 the key from decrypted header is used instead.
+ * @note For BITLK the name cannot be @e NULL checking volume key is not
+ * 	 supported for BITLK, the device will be activated even if the
+ * 	 provided key is not correct.
 */
 int crypt_activate_by_volume_key(struct crypt_device *cd,
 	const char *name,
@@ -1471,6 +1831,9 @@ int crypt_deactivate(struct crypt_device *cd, const char *name);
 * @note For TCRYPT cipher chain is the volume key concatenated
 * 	 for all ciphers in chain.
 * @note For VERITY the volume key means root hash used for activation.
+ * @note For LUKS devices, if passphrase is @e NULL and volume key is cached in
+ * 	 device context it returns the volume key generated in preceding
+ * 	 @link crypt_format @endlink call.
 */
 int crypt_volume_key_get(struct crypt_device *cd,
 	int keyslot,
@@ -1479,6 +1842,41 @@ int crypt_volume_key_get(struct crypt_device *cd,
 	const char *passphrase,
 	size_t passphrase_size);

+/**
+ * Get volume key from crypt device by keyslot context.
+ *
+ * @param cd crypt device handle
+ * @param keyslot use this keyslot or @e CRYPT_ANY_SLOT
+ * @param volume_key buffer for volume key
+ * @param volume_key_size on input, size of buffer @e volume_key,
+ *        on output size of @e volume_key
+ * @param kc keyslot context used to unlock volume key
+ *
+ * @return unlocked key slot number or negative errno otherwise.
+ *
+ * @note See @link crypt-keyslot-context-types @endlink for info on keyslot
+ * 	 context initialization.
+ * @note For TCRYPT cipher chain is the volume key concatenated
+ * 	 for all ciphers in chain (kc may be NULL).
+ * @note For VERITY the volume key means root hash used for activation
+ * 	 (kc may be NULL).
+ * @note For LUKS devices, if kc is @e NULL and volume key is cached in
+ * 	 device context it returns the volume key generated in preceding
+ * 	 @link crypt_format @endlink call.
+ * @note @link CRYPT_KC_TYPE_TOKEN @endlink keyslot context is usable only with LUKS2 devices.
+ * @note @link CRYPT_KC_TYPE_KEY @endlink keyslot context can not be used.
+ * @note To get LUKS2 unbound key, keyslot parameter must not be @e CRYPT_ANY_SLOT.
+ * @note EPERM errno means provided keyslot context could not unlock any (or selected)
+ * 	 keyslot.
+ * @note ENOENT errno means no LUKS keyslot is available to retrieve volume key from
+ * 	 and there's no cached volume key in device handle.
+ */
+int crypt_volume_key_get_by_keyslot_context(struct crypt_device *cd,
+	int keyslot,
+	char *volume_key,
+	size_t *volume_key_size,
+	struct crypt_keyslot_context *kc);
+
 /**
 * Verify that provided volume key is valid for crypt device.
 *
@@ -2034,6 +2432,36 @@ int crypt_wipe(struct crypt_device *cd,

 /** Use direct-io */
 #define CRYPT_WIPE_NO_DIRECT_IO (UINT32_C(1) << 0)
+
+enum {
+	CRYPT_LUKS2_SEGMENT = -2,
+	CRYPT_NO_SEGMENT = -1,
+};
+
+/**
+ * Safe erase of a partition or an entire OPAL device. WARNING: ALL DATA ON
+ * PARTITION/DISK WILL BE LOST. If the CRYPT_NO_SEGMENT is passed as the segment
+ * parameter, the entire device will be wiped, not just what is included in the
+ * LUKS2 device/partition.
+ *
+ * @param cd crypt device handle
+ * @param segment the segment number to wipe (0..8), or CRYPT_LUKS2_SEGMENT
+ *        to wipe the segment configured in the LUKS2 header, or CRYPT_NO_SEGMENT
+ *        to wipe the entire device via a factory reset.
+ * @param password admin password/PSID (for factory reset) to wipe the
+ *        partition/device
+ * @param password_size length of password/PSID
+ * @param flags (currently unused)
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ */
+int crypt_wipe_hw_opal(struct crypt_device *cd,
+	int segment, /* 0..8, CRYPT_LUKS2_SEGMENT -2, CRYPT_NO_SEGMENT -1 */
+	const char *password, /* Admin1 PIN or PSID */
+	size_t password_size,
+	uint32_t flags /* currently unused */
+);
+
 /** @} */

 /**
@@ -2341,6 +2769,17 @@ int crypt_token_register(const crypt_token_handler *handler);
 */
 const char *crypt_token_external_path(void);

+/**
+ * Override configured external token handlers path for the library.
+ *
+ * @param path Absolute path (starts with '/') to new external token handlers directory or @e NULL.
+ *
+ * @note if @e path is @e NULL the external token path is reset to default path.
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ */
+int crypt_token_set_external_path(const char *path);
+
 /**
 * Disable external token handlers (plugins) support
 * If disabled, it cannot be enabled again.
@@ -2650,6 +3089,55 @@ void crypt_safe_memzero(void *data, size_t size);

 /** @} */

+/**
+ * @defgroup crypt-keyring Kernel keyring manipulation
+ * @addtogroup crypt-keyring
+ * @{
+ */
+
+/**
+ * Link the volume key to the specified kernel keyring.
+ *
+ * The volume can have one or two keys. Normally, the device has one key.
+ * However if reencryption was started and not finished yet, the volume will
+ * have two volume keys (the new VK for the already reencrypted segment and old
+ * VK for the not yet reencrypted segment).
+ *
+ * The @e old_key_description argument is required only for
+ * devices that are in re-encryption and have two volume keys at the same time
+ * (old and new). You can set the @e old_key_description to NULL,
+ * but if you supply number of keys less than required, the function will
+ * return -ESRCH.  In that case you need to call the function again and set
+ * the missing key description. When supplying just one key description, make
+ * sure to supply it in the @e key_description.
+ *
+ * @param cd crypt device handle
+ * @param key_description the key description of the volume key linked in desired keyring.
+ * @param old_key_description the key description of the old volume key linked in desired keyring
+ *	  (for devices in re-encryption).
+ * @param key_type_desc the key type used for the volume key. Currently only "user" and "logon" types are
+ *	  supported. if @e NULL is specified the default "user" type is applied.
+ * @param keyring_to_link_vk the keyring description of the keyring in which volume key should
+ *	  be linked, if @e NULL is specified, linking will be disabled.
+ *
+ * @note keyring_to_link_vk may be passed in various string formats:
+ * 	 It can be kernel key numeric id of existing keyring written as a string,
+ * 	 keyring name prefixed by either "%:" or "%keyring:" substrings or keyctl
+ * 	 special values for keyrings "@t", "@p", "@s" and so on. See keyctl(1) man page,
+ * 	 section KEY IDENTIFIERS for more information. All other prefixes starting "%<type>:"
+ * 	 are ignored.
+ *
+ * @note key_description "%<type>:" prefixes are ignored. Type is applied based on key_type parameter
+ * 	 value.
+ */
+int crypt_set_keyring_to_link(struct crypt_device* cd,
+	const char* key_description,
+	const char* old_key_description,
+	const char* key_type_desc,
+	const char* keyring_to_link_vk);
+
+/** @} */
+
 #ifdef __cplusplus
 }
 #endif
--- a/lib/libcryptsetup.pc.in
+++ b/lib/libcryptsetup.pc.in
@@ -8,3 +8,4 @@ Description: cryptsetup library
 Version: @LIBCRYPTSETUP_VERSION@
 Cflags: -I${includedir}
 Libs: -L${libdir} -lcryptsetup
+Requires.private: @PKGMODULES@
--- a/lib/libcryptsetup.sym
+++ b/lib/libcryptsetup.sym
@@ -151,3 +151,32 @@ CRYPTSETUP_2.5 {
 		crypt_get_subsystem;
 		crypt_resume_by_token_pin;
 } CRYPTSETUP_2.4;
+
+CRYPTSETUP_2.6 {
+	global:
+		crypt_keyslot_context_free;
+		crypt_keyslot_context_init_by_passphrase;
+		crypt_keyslot_context_init_by_keyfile;
+		crypt_keyslot_context_init_by_token;
+		crypt_keyslot_context_init_by_volume_key;
+		crypt_keyslot_context_get_error;
+		crypt_keyslot_context_set_pin;
+		crypt_keyslot_context_get_type;
+		crypt_keyslot_add_by_keyslot_context;
+		crypt_volume_key_get_by_keyslot_context;
+} CRYPTSETUP_2.5;
+
+CRYPTSETUP_2.7 {
+	global:
+		crypt_activate_by_keyslot_context;
+		crypt_format_luks2_opal;
+		crypt_get_hw_encryption_type;
+		crypt_get_hw_encryption_key_size;
+		crypt_keyslot_context_init_by_keyring;
+		crypt_keyslot_context_init_by_vk_in_keyring;
+		crypt_keyslot_context_init_by_signed_key;
+		crypt_resume_by_keyslot_context;
+		crypt_token_set_external_path;
+		crypt_set_keyring_to_link;
+		crypt_wipe_hw_opal;
+} CRYPTSETUP_2.6;
--- a/lib/libcryptsetup_macros.h
+++ b/lib/libcryptsetup_macros.h
@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
 * Definitions of common constant and generic macros of libcryptsetup
 *
- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2022 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2024 Milan Broz
 */

 #ifndef _LIBCRYPTSETUP_MACROS_H
--- a/lib/libcryptsetup_symver.h
+++ b/lib/libcryptsetup_symver.h
@@ -1,21 +1,8 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
 * Helpers for defining versioned symbols
 *
- * Copyright (C) 2021-2022 Red Hat, Inc. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2021-2024 Red Hat, Inc. All rights reserved.
 */

 #ifndef _LIBCRYPTSETUP_SYMVER_H
@@ -72,9 +59,9 @@
     __attribute__((__symver__(#_public_sym _ver_str #_maj "." #_min)))
 #endif

-#if !defined(_CRYPT_SYMVER) && defined(__GNUC__)
+#if !defined(_CRYPT_SYMVER) && (defined(__GNUC__) || defined(__clang__))
 #  define _CRYPT_SYMVER(_local_sym, _public_sym, _ver_str, _maj, _min)         \
-     asm(".symver " #_local_sym "," #_public_sym _ver_str #_maj "." #_min);
+     __asm__(".symver " #_local_sym "," #_public_sym _ver_str #_maj "." #_min);
 #endif

 #define _CRYPT_FUNC(_public_sym, _prefix_str, _maj, _min, _ret, ...)                                    \
--- a/lib/libdevmapper.c
+++ b/lib/libdevmapper.c
@@ -1,24 +1,11 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
 * libdevmapper - device-mapper backend for cryptsetup
 *
 * Copyright (C) 2004 Jana Saout <jana@saout.de>
 * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2022 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2024 Milan Broz
 */

 #include <stdio.h>
@@ -31,7 +18,6 @@
 #ifdef HAVE_SYS_SYSMACROS_H
 # include <sys/sysmacros.h>     /* for major, minor */
 #endif
-#include <assert.h>
 #include "internal.h"

 #define DM_CRYPT_TARGET		"crypt"
@@ -205,6 +191,9 @@ static void _dm_set_verity_compat(struct crypt_device *cd,
 	if (_dm_satisfies_version(1, 7, 0, verity_maj, verity_min, verity_patch))
 		_dm_flags |= DM_VERITY_PANIC_CORRUPTION_SUPPORTED;

+	if (_dm_satisfies_version(1, 9, 0, verity_maj, verity_min, verity_patch))
+		_dm_flags |= DM_VERITY_TASKLETS_SUPPORTED;
+
 	_dm_verity_checked = true;
 }

@@ -473,27 +462,22 @@ static size_t int_log10(uint64_t x)
 	return r;
 }

-#define CLEN    64   /* 2*MAX_CIPHER_LEN */
-#define CLENS  "63"  /* for sscanf length + '\0' */
-#define CAPIL  144   /* should be enough to fit whole capi string */
-#define CAPIS "143"  /* for sscanf of crypto API string + 16  + \0 */
-
-static int cipher_c2dm(const char *org_c, const char *org_i, unsigned tag_size,
+static int cipher_dm2c(const char *org_c, const char *org_i, unsigned tag_size,
 		       char *c_dm, int c_dm_size,
 		       char *i_dm, int i_dm_size)
 {
 	int c_size = 0, i_size = 0, i;
-	char cipher[CLEN], mode[CLEN], iv[CLEN+1], tmp[CLEN];
-	char capi[CAPIL];
+	char cipher[MAX_CAPI_ONE_LEN], mode[MAX_CAPI_ONE_LEN], iv[MAX_CAPI_ONE_LEN+1],
+	     tmp[MAX_CAPI_ONE_LEN], capi[MAX_CAPI_LEN];

 	if (!c_dm || !c_dm_size || !i_dm || !i_dm_size)
 		return -EINVAL;

-	i = sscanf(org_c, "%" CLENS "[^-]-%" CLENS "s", cipher, tmp);
+	i = sscanf(org_c, "%" MAX_CAPI_ONE_LEN_STR "[^-]-%" MAX_CAPI_ONE_LEN_STR "s", cipher, tmp);
 	if (i != 2)
 		return -EINVAL;

-	i = sscanf(tmp, "%" CLENS "[^-]-%" CLENS "s", mode, iv);
+	i = sscanf(tmp, "%" MAX_CAPI_ONE_LEN_STR "[^-]-%" MAX_CAPI_ONE_LEN_STR "s", mode, iv);
 	if (i == 1) {
 		memset(iv, 0, sizeof(iv));
 		strncpy(iv, mode, sizeof(iv)-1);
@@ -540,75 +524,6 @@ static int cipher_c2dm(const char *org_c, const char *org_i, unsigned tag_size,
 	return 0;
 }

-static int cipher_dm2c(char **org_c, char **org_i, const char *c_dm, const char *i_dm)
-{
-	char cipher[CLEN], mode[CLEN], iv[CLEN], auth[CLEN];
-	char tmp[CAPIL], dmcrypt_tmp[CAPIL*2], capi[CAPIL+1];
-	size_t len;
-	int i;
-
-	if (!c_dm)
-		return -EINVAL;
-
-	/* legacy mode */
-	if (strncmp(c_dm, "capi:", 4)) {
-		if (!(*org_c = strdup(c_dm)))
-			return -ENOMEM;
-		*org_i = NULL;
-		return 0;
-	}
-
-	/* modes with capi: prefix */
-	i = sscanf(c_dm, "capi:%" CAPIS "[^-]-%" CLENS "s", tmp, iv);
-	if (i != 2)
-		return -EINVAL;
-
-	len = strlen(tmp);
-	if (len < 2)
-		return -EINVAL;
-
-	if (tmp[len-1] == ')')
-		tmp[len-1] = '\0';
-
-	if (sscanf(tmp, "rfc4309(%" CAPIS "s", capi) == 1) {
-		if (!(*org_i = strdup("aead")))
-			return -ENOMEM;
-	} else if (sscanf(tmp, "rfc7539(%" CAPIS "[^,],%" CLENS "s", capi, auth) == 2) {
-		if (!(*org_i = strdup(auth)))
-			return -ENOMEM;
-	} else if (sscanf(tmp, "authenc(%" CLENS "[^,],%" CAPIS "s", auth, capi) == 2) {
-		if (!(*org_i = strdup(auth)))
-			return -ENOMEM;
-	} else {
-		if (i_dm) {
-			if (!(*org_i = strdup(i_dm)))
-				return -ENOMEM;
-		} else
-			*org_i = NULL;
-		memset(capi, 0, sizeof(capi));
-		strncpy(capi, tmp, sizeof(capi)-1);
-	}
-
-	i = sscanf(capi, "%" CLENS "[^(](%" CLENS "[^)])", mode, cipher);
-	if (i == 2)
-		i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s-%s", cipher, mode, iv);
-	else
-		i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s", capi, iv);
-	if (i < 0 || (size_t)i >= sizeof(dmcrypt_tmp)) {
-		free(*org_i);
-		*org_i = NULL;
-		return -EINVAL;
-	}
-
-	if (!(*org_c = strdup(dmcrypt_tmp))) {
-		free(*org_i);
-		*org_i = NULL;
-		return -ENOMEM;
-	}
-
-	return 0;
-}
-
 static char *_uf(char *buf, size_t buf_size, const char *s, unsigned u)
 {
 	size_t r = snprintf(buf, buf_size, " %s:%u", s, u);
@@ -626,7 +541,7 @@ static char *get_dm_crypt_params(const struct dm_target *tgt, uint32_t flags)
 	if (!tgt)
 		return NULL;

-	r = cipher_c2dm(tgt->u.crypt.cipher, tgt->u.crypt.integrity, tgt->u.crypt.tag_size,
+	r = cipher_dm2c(tgt->u.crypt.cipher, tgt->u.crypt.integrity, tgt->u.crypt.tag_size,
 			cipher_dm, sizeof(cipher_dm), integrity_dm, sizeof(integrity_dm));
 	if (r < 0)
 		return NULL;
@@ -674,7 +589,8 @@ static char *get_dm_crypt_params(const struct dm_target *tgt, uint32_t flags)
 		hexkey = crypt_safe_alloc(keystr_len);
 		if (!hexkey)
 			goto out;
-		r = snprintf(hexkey, keystr_len, ":%zu:logon:%s", tgt->u.crypt.vk->keylength, tgt->u.crypt.vk->key_description);
+		r = snprintf(hexkey, keystr_len, ":%zu:logon:%s", tgt->u.crypt.vk->keylength,
+			     tgt->u.crypt.vk->key_description);
 		if (r < 0 || r >= keystr_len)
 			goto out;
 	} else
@@ -734,6 +650,8 @@ static char *get_dm_verity_params(const struct dm_target *tgt, uint32_t flags)
 		num_options++;
 	if (flags & CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE)
 		num_options++;
+	if (flags & CRYPT_ACTIVATE_TASKLETS)
+		num_options++;

 	max_fec_size = (tgt->u.verity.fec_device ? strlen(device_block_path(tgt->u.verity.fec_device)) : 0) + 256;
 	fec_features = crypt_safe_alloc(max_fec_size);
@@ -764,13 +682,14 @@ static char *get_dm_verity_params(const struct dm_target *tgt, uint32_t flags)
 	} else
 		*verity_verify_args = '\0';

-	if (num_options) {  /* MAX length int32 + 18 + 22 + 20 + 19 + 19 */
-		r = snprintf(features, sizeof(features), " %d%s%s%s%s%s", num_options,
+	if (num_options) {  /* MAX length int32 + 18 + 22 + 20 + 19 + 19 + 22 */
+		r = snprintf(features, sizeof(features), " %d%s%s%s%s%s%s", num_options,
 		(flags & CRYPT_ACTIVATE_IGNORE_CORRUPTION) ? " ignore_corruption" : "",
 		(flags & CRYPT_ACTIVATE_RESTART_ON_CORRUPTION) ? " restart_on_corruption" : "",
 		(flags & CRYPT_ACTIVATE_PANIC_ON_CORRUPTION) ? " panic_on_corruption" : "",
 		(flags & CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS) ? " ignore_zero_blocks" : "",
-		(flags & CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE) ? " check_at_most_once" : "");
+		(flags & CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE) ? " check_at_most_once" : "",
+		(flags & CRYPT_ACTIVATE_TASKLETS) ? " try_verify_in_tasklet" : "");
 		if (r < 0 || (size_t)r >= sizeof(features))
 			goto out;
 	} else
@@ -1399,7 +1318,15 @@ static int _dm_create_device(struct crypt_device *cd, const char *name, const ch
 		goto out;

 	if (!dm_task_run(dmt)) {
-		r = dm_status_device(cd, name);;
+
+		r = -dm_task_get_errno(dmt);
+		if (r == -ENOKEY || r == -EKEYREVOKED || r == -EKEYEXPIRED) {
+			/* propagate DM errors around key management as such */
+			r = -ENOKEY;
+			goto out;
+		}
+
+		r = dm_status_device(cd, name);
 		if (r >= 0)
 			r = -EEXIST;
 		if (r != -EEXIST && r != -ENODEV)
@@ -1670,16 +1597,99 @@ int dm_create_device(struct crypt_device *cd, const char *name,
 		return -ENOTSUP;

 	r = _dm_create_device(cd, name, type, dmd);
-
-	if (r < 0 && dm_flags(cd, dmd->segment.type, &dmt_flags))
+	if (!r || r == -EEXIST)
 		goto out;

-	if (r && (dmd->segment.type == DM_CRYPT || dmd->segment.type == DM_LINEAR || dmd->segment.type == DM_ZERO) &&
+	if (dm_flags(cd, dmd->segment.type, &dmt_flags))
+		goto out;
+
+	if ((dmd->segment.type == DM_CRYPT || dmd->segment.type == DM_LINEAR || dmd->segment.type == DM_ZERO) &&
 		check_retry(cd, &dmd->flags, dmt_flags)) {
 		log_dbg(cd, "Retrying open without incompatible options.");
 		r = _dm_create_device(cd, name, type, dmd);
+		if (!r || r == -EEXIST)
+			goto out;
 	}

+	if (dmd->flags & (CRYPT_ACTIVATE_SAME_CPU_CRYPT|CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS) &&
+	    !(dmt_flags & (DM_SAME_CPU_CRYPT_SUPPORTED|DM_SUBMIT_FROM_CRYPT_CPUS_SUPPORTED))) {
+		log_err(cd, _("Requested dm-crypt performance options are not supported."));
+		r = -EINVAL;
+	}
+
+	if (dmd->flags & (CRYPT_ACTIVATE_NO_READ_WORKQUEUE | CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE) &&
+	    !(dmt_flags & DM_CRYPT_NO_WORKQUEUE_SUPPORTED)) {
+		log_err(cd, _("Requested dm-crypt performance options are not supported."));
+		r = -EINVAL;
+	}
+
+	if (dmd->flags & (CRYPT_ACTIVATE_IGNORE_CORRUPTION|
+			  CRYPT_ACTIVATE_RESTART_ON_CORRUPTION|
+			  CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS|
+			  CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE) &&
+	    !(dmt_flags & DM_VERITY_ON_CORRUPTION_SUPPORTED)) {
+		log_err(cd, _("Requested dm-verity data corruption handling options are not supported."));
+		r = -EINVAL;
+	}
+
+	if (dmd->flags & CRYPT_ACTIVATE_TASKLETS &&
+	    !(dmt_flags & DM_VERITY_TASKLETS_SUPPORTED)) {
+		log_err(cd, _("Requested dm-verity tasklets option is not supported."));
+		r = -EINVAL;
+	}
+
+	if (dmd->flags & CRYPT_ACTIVATE_PANIC_ON_CORRUPTION &&
+	    !(dmt_flags & DM_VERITY_PANIC_CORRUPTION_SUPPORTED)) {
+		log_err(cd, _("Requested dm-verity data corruption handling options are not supported."));
+		r = -EINVAL;
+	}
+
+	if (dmd->segment.type == DM_VERITY &&
+	    dmd->segment.u.verity.fec_device && !(dmt_flags & DM_VERITY_FEC_SUPPORTED)) {
+		log_err(cd, _("Requested dm-verity FEC options are not supported."));
+		r = -EINVAL;
+	}
+
+	if (dmd->segment.type == DM_CRYPT) {
+		if (dmd->segment.u.crypt.integrity && !(dmt_flags & DM_INTEGRITY_SUPPORTED)) {
+			log_err(cd, _("Requested data integrity options are not supported."));
+			r = -EINVAL;
+		}
+		if (dmd->segment.u.crypt.sector_size != SECTOR_SIZE && !(dmt_flags & DM_SECTOR_SIZE_SUPPORTED)) {
+			log_err(cd, _("Requested sector_size option is not supported."));
+			r = -EINVAL;
+		}
+		if (dmd->segment.u.crypt.sector_size > SECTOR_SIZE &&
+		    dmd->size % dmd->segment.u.crypt.sector_size) {
+			log_err(cd, _("The device size is not multiple of the requested sector size."));
+			r = -EINVAL;
+		}
+	}
+
+	if (dmd->segment.type == DM_INTEGRITY && (dmd->flags & CRYPT_ACTIVATE_RECALCULATE) &&
+	    !(dmt_flags & DM_INTEGRITY_RECALC_SUPPORTED)) {
+		log_err(cd, _("Requested automatic recalculation of integrity tags is not supported."));
+		r = -EINVAL;
+	}
+
+	if (dmd->segment.type == DM_INTEGRITY && (dmd->flags & CRYPT_ACTIVATE_RECALCULATE_RESET) &&
+	    !(dmt_flags & DM_INTEGRITY_RESET_RECALC_SUPPORTED)) {
+		log_err(cd, _("Requested automatic recalculation of integrity tags is not supported."));
+		r = -EINVAL;
+	}
+
+	if (dmd->segment.type == DM_INTEGRITY && (dmd->flags & CRYPT_ACTIVATE_ALLOW_DISCARDS) &&
+	    !(dmt_flags & DM_INTEGRITY_DISCARDS_SUPPORTED)) {
+		log_err(cd, _("Discard/TRIM is not supported."));
+		r = -EINVAL;
+	}
+
+	if (dmd->segment.type == DM_INTEGRITY && (dmd->flags & CRYPT_ACTIVATE_NO_JOURNAL_BITMAP) &&
+	    !(dmt_flags & DM_INTEGRITY_BITMAP_SUPPORTED)) {
+		log_err(cd, _("Requested dm-integrity bitmap mode is not supported."));
+		r = -EINVAL;
+	}
+out:
 	/*
 	 * Print warning if activating dm-crypt cipher_null device unless it's reencryption helper or
 	 * keyslot encryption helper device (LUKS1 cipher_null devices).
@@ -1688,54 +1698,6 @@ int dm_create_device(struct crypt_device *cd, const char *name,
 	    crypt_is_cipher_null(dmd->segment.u.crypt.cipher))
 		log_dbg(cd, "Activated dm-crypt device with cipher_null. Device is not encrypted.");

-	if (r == -EINVAL &&
-	    dmd->flags & (CRYPT_ACTIVATE_SAME_CPU_CRYPT|CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS) &&
-	    !(dmt_flags & (DM_SAME_CPU_CRYPT_SUPPORTED|DM_SUBMIT_FROM_CRYPT_CPUS_SUPPORTED)))
-		log_err(cd, _("Requested dm-crypt performance options are not supported."));
-
-	if (r == -EINVAL &&
-	    dmd->flags & (CRYPT_ACTIVATE_NO_READ_WORKQUEUE | CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE) &&
-	    !(dmt_flags & DM_CRYPT_NO_WORKQUEUE_SUPPORTED))
-		log_err(cd, _("Requested dm-crypt performance options are not supported."));
-
-	if (r == -EINVAL && dmd->flags & (CRYPT_ACTIVATE_IGNORE_CORRUPTION|
-					  CRYPT_ACTIVATE_RESTART_ON_CORRUPTION|
-					  CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS|
-					  CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE) &&
-	    !(dmt_flags & DM_VERITY_ON_CORRUPTION_SUPPORTED))
-		log_err(cd, _("Requested dm-verity data corruption handling options are not supported."));
-
-	if (r == -EINVAL && dmd->flags & CRYPT_ACTIVATE_PANIC_ON_CORRUPTION &&
-	    !(dmt_flags & DM_VERITY_PANIC_CORRUPTION_SUPPORTED))
-		log_err(cd, _("Requested dm-verity data corruption handling options are not supported."));
-
-	if (r == -EINVAL && dmd->segment.type == DM_VERITY &&
-	    dmd->segment.u.verity.fec_device && !(dmt_flags & DM_VERITY_FEC_SUPPORTED))
-		log_err(cd, _("Requested dm-verity FEC options are not supported."));
-
-	if (r == -EINVAL && dmd->segment.type == DM_CRYPT) {
-		if (dmd->segment.u.crypt.integrity && !(dmt_flags & DM_INTEGRITY_SUPPORTED))
-			log_err(cd, _("Requested data integrity options are not supported."));
-		if (dmd->segment.u.crypt.sector_size != SECTOR_SIZE && !(dmt_flags & DM_SECTOR_SIZE_SUPPORTED))
-			log_err(cd, _("Requested sector_size option is not supported."));
-	}
-
-	if (r == -EINVAL && dmd->segment.type == DM_INTEGRITY && (dmd->flags & CRYPT_ACTIVATE_RECALCULATE) &&
-	    !(dmt_flags & DM_INTEGRITY_RECALC_SUPPORTED))
-		log_err(cd, _("Requested automatic recalculation of integrity tags is not supported."));
-
-	if (r == -EINVAL && dmd->segment.type == DM_INTEGRITY && (dmd->flags & CRYPT_ACTIVATE_RECALCULATE_RESET) &&
-	    !(dmt_flags & DM_INTEGRITY_RESET_RECALC_SUPPORTED))
-		log_err(cd, _("Requested automatic recalculation of integrity tags is not supported."));
-
-	if (r == -EINVAL && dmd->segment.type == DM_INTEGRITY && (dmd->flags & CRYPT_ACTIVATE_ALLOW_DISCARDS) &&
-	    !(dmt_flags & DM_INTEGRITY_DISCARDS_SUPPORTED))
-		log_err(cd, _("Discard/TRIM is not supported."));
-
-	if (r == -EINVAL && dmd->segment.type == DM_INTEGRITY && (dmd->flags & CRYPT_ACTIVATE_NO_JOURNAL_BITMAP) &&
-	    !(dmt_flags & DM_INTEGRITY_BITMAP_SUPPORTED))
-		log_err(cd, _("Requested dm-integrity bitmap mode is not supported."));
-out:
 	dm_exit_context();
 	return r;
 }
@@ -2030,9 +1992,7 @@ static int _dm_target_query_crypt(struct crypt_device *cd, uint32_t get_flags,

 	/* cipher */
 	if (get_flags & DM_ACTIVE_CRYPT_CIPHER) {
-		r = cipher_dm2c(CONST_CAST(char**)&cipher,
-				CONST_CAST(char**)&integrity,
-				rcipher, rintegrity);
+		r = crypt_capi_to_cipher(&cipher, &integrity, rcipher, rintegrity);
 		if (r < 0)
 			goto err;
 	}
@@ -2265,6 +2225,8 @@ static int _dm_target_query_verity(struct crypt_device *cd,
 				*act_flags |= CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS;
 			else if (!strcasecmp(arg, "check_at_most_once"))
 				*act_flags |= CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE;
+			else if (!strcasecmp(arg, "try_verify_in_tasklet"))
+				*act_flags |= CRYPT_ACTIVATE_TASKLETS;
 			else if (!strcasecmp(arg, "use_fec_from_device")) {
 				str = strsep(&params, " ");
 				str2 = crypt_lookup_dev(str);
@@ -2736,7 +2698,7 @@ static int _dm_query_device(struct crypt_device *cd, const char *name,
 		goto out;
 	}

-	/* Never allow to return empty key */
+	/* Never allow one to return empty key */
 	if ((get_flags & DM_ACTIVE_CRYPT_KEY) && dmi.suspended) {
 		log_dbg(cd, "Cannot read volume key while suspended.");
 		r = -EINVAL;
@@ -2818,7 +2780,8 @@ int dm_query_device(struct crypt_device *cd, const char *name,
 	return r;
 }

-static int _process_deps(struct crypt_device *cd, const char *prefix, struct dm_deps *deps, char **names, size_t names_offset, size_t names_length)
+static int _process_deps(struct crypt_device *cd, const char *prefix, struct dm_deps *deps,
+			 char **names, size_t names_offset, size_t names_length)
 {
 #if HAVE_DECL_DM_DEVICE_GET_NAME
 	struct crypt_dm_active_device dmd;
@@ -2864,9 +2827,10 @@ static int _process_deps(struct crypt_device *cd, const char *prefix, struct dm_
 #endif
 }

-int dm_device_deps(struct crypt_device *cd, const char *name, const char *prefix, char **names, size_t names_length)
+int dm_device_deps(struct crypt_device *cd, const char *name, const char *prefix,
+		   char **names, size_t names_length)
 {
-	struct dm_task *dmt;
+	struct dm_task *dmt = NULL;
 	struct dm_info dmi;
 	struct dm_deps *deps;
 	int r = -EINVAL;
@@ -3026,7 +2990,8 @@ int dm_resume_and_reinstate_key(struct crypt_device *cd, const char *name,
 	}

 	if (vk->key_description) {
-		r = snprintf(msg, msg_size, "key set :%zu:logon:%s", vk->keylength, vk->key_description);
+		r = snprintf(msg, msg_size, "key set :%zu:logon:%s", vk->keylength,
+			     vk->key_description);
 	} else  {
 		key = crypt_bytes_to_hex(vk->keylength, vk->key);
 		if (!key) {
@@ -3063,6 +3028,18 @@ const char *dm_get_dir(void)
 	return dm_dir();
 }

+int dm_get_iname(const char *name, char **iname, bool with_path)
+{
+	int r;
+
+	if (with_path)
+		r = asprintf(iname, "%s/%s_dif", dm_get_dir(), name);
+	else
+		r = asprintf(iname, "%s_dif", name);
+
+	return r < 0 ? -ENOMEM : 0;
+}
+
 int dm_is_dm_device(int major)
 {
 	return dm_is_dm_major((uint32_t)major);
--- a/lib/loopaes/loopaes.c
+++ b/lib/loopaes/loopaes.c
@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * loop-AES compatible volume handling
 *
- * Copyright (C) 2011-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2011-2022 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2024 Milan Broz
 */

 #include <errno.h>
--- a/lib/loopaes/loopaes.h
+++ b/lib/loopaes/loopaes.h
@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
 * loop-AES compatible volume handling
 *
- * Copyright (C) 2011-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2011-2022 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2024 Milan Broz
 */

 #ifndef _LOOPAES_H
--- a/lib/luks1/af.c
+++ b/lib/luks1/af.c
@@ -1,25 +1,12 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
 * AFsplitter - Anti forensic information splitter
 *
 * Copyright (C) 2004 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
 *
 * AFsplitter diffuses information over a large stripe of data,
 * therefore supporting secure data destruction.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Library General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

 #include <stddef.h>
--- a/Show More
+++ b/Show More