Version 2.7.2 final.

The passphrase (Admin PIN) already exists and there's no
reason to check quiality of it.

.codeql-config.yml

@@ -0,0 +1,31 @@
+name: "Cryptsetup CodeQL config"
+
+query-filters:
+- exclude:
+     id: cpp/fixme-comment
+- exclude:
+     id: cpp/empty-block
+- exclude:
+     id: cpp/poorly-documented-function
+- exclude:
+     id: cpp/loop-variable-changed
+- exclude:
+     id: cpp/empty-if
+- exclude:
+     id: cpp/long-switch
+- exclude:
+     id: cpp/complex-condition
+- exclude:
+     id: cpp/commented-out-code
+
+# These produce many false positives
+- exclude:
+     id: cpp/uninitialized-local
+- exclude:
+     id: cpp/path-injection
+- exclude:
+     id: cpp/missing-check-scanf
+
+# CodeQL should understand coverity [toctou] comments
+- exclude:
+     id: cpp/toctou-race-condition

.github/workflows/cibuild-setup-ubuntu.sh

@@ -7,7 +7,7 @@ PACKAGES=(
 	gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev
 	libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev libpwquality-dev
 	sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass
-	asciidoctor
+	asciidoctor meson ninja-build
 )
 
 COMPILER="${COMPILER:?}"

.github/workflows/cibuild.yml

@@ -4,8 +4,7 @@ on:
     branches:
       - 'main'
       - 'wip-luks2'
-      - 'v2.3.x'
-      - 'v2.4.x'
+      - 'v2.*.x'
     paths-ignore:
       - 'docs/**'
 
@@ -17,7 +16,7 @@ jobs:
       fail-fast: false
       matrix:
         env:
-          - { COMPILER: "gcc", COMPILER_VERSION: "11",  RUN_SSH_PLUGIN_TEST: "1" }
+          - { COMPILER: "gcc", COMPILER_VERSION: "13",  RUN_SSH_PLUGIN_TEST: "1" }
     env: ${{ matrix.env }}
     steps:
       - name: Repository checkout

.github/workflows/codeql.yml

@@ -0,0 +1,49 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches:
+      - 'main'
+      - 'wip-luks2'
+      - 'v2.*.x'
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    if: github.repository == 'mbroz/cryptsetup'
+    concurrency:
+      group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
+      cancel-in-progress: true
+    permissions:
+      actions: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp' ]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          queries: +security-extended,security-and-quality
+          config-file: .codeql-config.yml
+
+      - name: Install dependencies
+        run: sudo -E .github/workflows/cibuild-setup-ubuntu.sh
+        env: { COMPILER: "gcc", COMPILER_VERSION: "13",  RUN_SSH_PLUGIN_TEST: "1" }
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2

.github/workflows/coverity.yml

@@ -17,7 +17,7 @@ jobs:
         run: sudo -E .github/workflows/cibuild-setup-ubuntu.sh
         env:
           COMPILER: "gcc"
-          COMPILER_VERSION: "11"
+          COMPILER_VERSION: "13"
       - name: Install Coverity
         run: |
           wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=mbroz/cryptsetup" -O cov-analysis-linux64.tar.gz

.gitlab-ci.yml

@@ -1,22 +1,22 @@
 stages:
   - test
 
-.dump_kernel_log:
+.fail_if_coredump_generated:
   after_script:
-    - sudo dmesg > /mnt/artifacts/dmesg.log
-    - sudo journalctl > /mnt/artifacts/journalctl.log
     - '[ "$(ls -A /var/coredumps)" ] && exit 1 || true'
 
 include:
   - local: .gitlab/ci/debian.yml
   - local: .gitlab/ci/fedora.yml
+  - local: .gitlab/ci/fedora-opal.yml
   - local: .gitlab/ci/rhel.yml
   - local: .gitlab/ci/centos.yml
   - local: .gitlab/ci/annocheck.yml
   - local: .gitlab/ci/csmock.yml
   - local: .gitlab/ci/gitlab-shared-docker.yml
+  - local: .gitlab/ci/compilation-various-disables.yml
   - local: .gitlab/ci/compilation-gcc.gitlab-ci.yml
   - local: .gitlab/ci/compilation-clang.gitlab-ci.yml
   - local: .gitlab/ci/alpinelinux.yml
-  - local: .gitlab/ci/ubuntu-32bit.yml
+  - local: .gitlab/ci/debian-i686.yml
   - local: .gitlab/ci/cifuzz.yml

.gitlab/ci/alpinelinux.yml

@@ -1,12 +1,12 @@
 .alpinelinux-dependencies:
-  after_script:
-    - sudo dmesg > /mnt/artifacts/dmesg.log
-    - sudo cp /var/log/messages /mnt/artifacts/
-    - '[ "$(ls -A /var/coredumps)" ] && exit 1 || true'
+  variables:
+    DISTRO: cryptsetup-alpine-edge
+  extends:
+    - .fail_if_coredump_generated
   before_script:
     - >
       sudo apk add
-      lvm2-dev openssl1.1-compat-dev popt-dev util-linux-dev json-c-dev
+      lvm2-dev openssl-dev popt-dev util-linux-dev json-c-dev
       argon2-dev device-mapper which sharutils gettext gettext-dev automake
       autoconf libtool build-base keyutils tar jq expect git asciidoctor
     - ./autogen.sh
@@ -17,7 +17,7 @@ test-main-commit-job-alpinelinux:
     - .alpinelinux-dependencies
   tags:
     - libvirt
-    - alpinelinux
+    - cryptsetup-alpine-edge
   stage: test
   interruptible: true
   variables:
@@ -38,7 +38,7 @@ test-mergerq-job-alpinelinux:
     - .alpinelinux-dependencies
   tags:
     - libvirt
-    - alpinelinux
+    - cryptsetup-alpine-edge
   stage: test
   interruptible: true
   variables:

.gitlab/ci/annocheck.yml

@@ -1,19 +1,18 @@
 test-main-commit-job-annocheck:
   extends:
-    - .dump_kernel_log
+    - .fail_if_coredump_generated
   tags:
     - libvirt
-    - rhel9-annocheck
+    - cryptsetup-rhel-9
   stage: test
   interruptible: true
   allow_failure: true
   variables:
+    DISTRO: cryptsetup-rhel-9
     RUN_SSH_PLUGIN_TEST: "1"
   rules:
     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
       when: never
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
   script:
-    - /opt/build-rpm-script.sh > /dev/null 2>&1
-    - annocheck /var/lib/mock/rhel-9.0.0-candidate-x86_64/result/*.rpm --profile=el9
-    - annocheck /var/lib/mock/rhel-9.0.0-candidate-x86_64/result/*.rpm --profile=el8
+    - sudo /opt/run-annocheck.sh

.gitlab/ci/centos.yml

@@ -1,6 +1,8 @@
 .centos-openssl-backend:
+  variables:
+    DISTRO: cryptsetup-centos-stream-9
   extends:
-    - .dump_kernel_log
+    - .fail_if_coredump_generated
   before_script:
     - >
       sudo dnf -y -q  install
@@ -21,7 +23,7 @@ test-main-commit-centos-stream9:
     - .centos-openssl-backend
   tags:
     - libvirt
-    - centos-stream9
+    - cryptsetup-centos-stream-9
   stage: test
   interruptible: true
   variables:
@@ -42,7 +44,7 @@ test-mergerq-centos-stream9:
     - .centos-openssl-backend
   tags:
     - libvirt
-    - centos-stream9
+    - cryptsetup-centos-stream-9
   stage: test
   interruptible: true
   variables:

.gitlab/ci/cibuild-setup-ubuntu.sh

@@ -6,8 +6,8 @@ PACKAGES=(
 	git make autoconf automake autopoint pkg-config libtool libtool-bin
 	gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev
 	libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev libpwquality-dev
-	sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass
-	asciidoctor
+	sharutils dmsetup jq xxd expect keyutils netcat-openbsd passwd openssh-client
+	sshpass asciidoctor
 )
 
 COMPILER="${COMPILER:?}"

.gitlab/ci/clang-Wall

@@ -25,10 +25,9 @@ EXTRA="\
  -Wswitch \
  -Wmissing-format-attribute \
  -Winit-self \
- -Wdeclaration-after-statement \
  -Wold-style-definition \
  -Wno-missing-field-initializers \
- -Wno-unused-parameter \
+ -Wunused-parameter \
  -Wno-long-long"
 
 exec $CLANG $PEDANTIC $CONVERSION \

.gitlab/ci/compilation-clang.gitlab-ci.yml

@@ -3,6 +3,7 @@ test-clang-compilation:
     - .gitlab-shared-clang
   script:
     - export CFLAGS="-Wall -Werror"
+    - ./autogen.sh
     - ./configure
     - make -j
     - make -j check-programs
@@ -13,6 +14,7 @@ test-clang-Wall-script:
   script:
     - export CFLAGS="-g -O0"
     - export CC="$CI_PROJECT_DIR/.gitlab/ci/clang-Wall"
+    - ./autogen.sh
     - ./configure
     - make -j CFLAGS="-g -O0 -Werror"
     - make -j CFLAGS="-g -O0 -Werror" check-programs
@@ -21,6 +23,7 @@ test-scan-build:
   extends:
     - .gitlab-shared-clang
   script:
+    - ./autogen.sh
     - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} -V ./configure CFLAGS="-g -O0"
     - make clean
     - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j

.gitlab/ci/compilation-gcc.gitlab-ci.yml

@@ -3,6 +3,7 @@ test-gcc-compilation:
     - .gitlab-shared-gcc
   script:
     - export CFLAGS="-Wall -Werror"
+    - ./autogen.sh
     - ./configure
     - make -j
     - make -j check-programs
@@ -13,6 +14,7 @@ test-gcc-Wall-script:
   script:
     - export CFLAGS="-g -O0"
     - export CC="$CI_PROJECT_DIR/.gitlab/ci/gcc-Wall"
+    - ./autogen.sh
     - ./configure
     - make -j CFLAGS="-g -O0 -Werror"
     - make -j CFLAGS="-g -O0 -Werror" check-programs
@@ -22,6 +24,7 @@ test-gcc-fanalyzer:
     - .gitlab-shared-gcc
   script:
     - export CFLAGS="-Wall -Werror -g -O0 -fanalyzer -fdiagnostics-path-format=separate-events"
+    - ./autogen.sh
     - ./configure
     - make -j
     - make -j check-programs

.gitlab/ci/compilation-various-disables.yml

@@ -0,0 +1,33 @@
+test-gcc-disable-compiles:
+  extends:
+    - .gitlab-shared-gcc
+  parallel:
+    matrix:
+      - DISABLE_FLAGS: [
+          "keyring",
+          "external-tokens ssh-token",
+          "luks2-reencryption",
+          "cryptsetup veritysetup integritysetup",
+          "kernel_crypto",
+          "udev",
+          "internal-argon2",
+          "blkid",
+          "hw-opal"
+      ]
+  artifacts:
+    name: "meson-build-logs-$CI_COMMIT_REF_NAME"
+    paths:
+      - meson_builddir/meson-logs
+  script:
+    - DEBIAN_FRONTEND=noninteractive apt-get -yq install meson ninja-build
+    - export CFLAGS="-Wall -Werror"
+    - ./autogen.sh
+    - echo "Configuring with --disable-$DISABLE_FLAGS"
+    - ./configure $(for i in $DISABLE_FLAGS; do echo "--disable-$i"; done)
+    - make -j
+    - make -j check-programs
+    - git checkout -f && git clean -xdf
+    - meson -v
+    - echo "Configuring with -D$DISABLE_FLAGS=false"
+    - meson setup meson_builddir $(for i in $DISABLE_FLAGS; do [ "$i" == "internal-argon2" ] && echo "-Dargon-implementation=internal" || echo "-D$i=false"; done)
+    - ninja -C meson_builddir

.gitlab/ci/csmock.yml

@@ -1,17 +1,25 @@
 test-commit-job-csmock:
   extends:
-    - .dump_kernel_log
+    - .fail_if_coredump_generated
   tags:
     - libvirt
-    - rhel7-csmock
+    - cryptsetup-rhel-9
   stage: test
   interruptible: true
   allow_failure: true
   variables:
+    DISTRO: cryptsetup-rhel-9
     RUN_SSH_PLUGIN_TEST: "1"
+    DISK_SIZE: 20
   rules:
     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
       when: never
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/ || $CI_PIPELINE_SOURCE == "merge_request_event"
   script:
-    - /opt/csmock-run-script.sh
+    - sudo /opt/run-csmock.sh
+  artifacts:
+    # Upload artifacts when a crash makes the job fail.
+    when: always
+    paths:
+      - cryptsetup-csmock-results.tar.xz
+      - cryptsetup-csmock-results

.gitlab/ci/debian-i686.yml

@@ -1,12 +1,13 @@
-test-mergerq-job-ubuntu-32bit:
+test-mergerq-job-debian-i686:
   extends:
     - .debian-prep
   tags:
     - libvirt
-    - ubuntu-bionic-32bit
+    - cryptsetup-debian-12i686
   stage: test
   interruptible: true
   variables:
+    DISTRO: cryptsetup-debian-12i686
     RUN_SSH_PLUGIN_TEST: "1"
   rules:
     - if: $RUN_SYSTEMD_PLUGIN_TEST != null
@@ -19,15 +20,16 @@ test-mergerq-job-ubuntu-32bit:
     - make -j -C tests check-programs
     - sudo -E make check
 
-test-main-commit-job-ubuntu-32bit:
+test-main-commit-job-debian-i686:
   extends:
     - .debian-prep
   tags:
     - libvirt
-    - ubuntu-bionic-32bit
+    - cryptsetup-debian-12i686
   stage: test
   interruptible: true
   variables:
+    DISTRO: cryptsetup-debian-12i686
     RUN_SSH_PLUGIN_TEST: "1"
   rules:
     - if: $RUN_SYSTEMD_PLUGIN_TEST != null

.gitlab/ci/debian.yml

@@ -1,17 +1,18 @@
 .debian-prep:
   extends:
-    - .dump_kernel_log
+    - .fail_if_coredump_generated
   before_script:
+    - sudo apt-get -y update
     - >
       [ -z "$RUN_SYSTEMD_PLUGIN_TEST" ] ||
       sudo apt-get -y install -y -qq swtpm meson ninja-build python3-jinja2
-      gperf libcap-dev tpm2-tss-engine-dev libmount-dev swtpm-tools
+      gperf libcap-dev libtss2-dev libmount-dev swtpm-tools
     - >
       sudo apt-get -y install -y -qq git gcc make autoconf automake autopoint
       pkgconf libtool libtool-bin gettext libssl-dev libdevmapper-dev
       libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev
-      tar libargon2-0-dev libpwquality-dev sharutils dmsetup jq xxd expect
-      keyutils netcat passwd openssh-client sshpass asciidoctor
+      tar libargon2-dev libpwquality-dev sharutils dmsetup jq xxd expect
+      keyutils netcat-openbsd passwd openssh-client sshpass asciidoctor
     - sudo apt-get -y build-dep cryptsetup
     - sudo -E git clean -xdf
     - ./autogen.sh
@@ -22,10 +23,11 @@ test-mergerq-job-debian:
     - .debian-prep
   tags:
     - libvirt
-    - debian11
+    - cryptsetup-debian-12
   stage: test
   interruptible: true
   variables:
+    DISTRO: cryptsetup-debian-12
     RUN_SSH_PLUGIN_TEST: "1"
   rules:
     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
@@ -41,10 +43,11 @@ test-main-commit-job-debian:
     - .debian-prep
   tags:
     - libvirt
-    - debian11
+    - cryptsetup-debian-12
   stage: test
   interruptible: true
   variables:
+    DISTRO: cryptsetup-debian-12
     RUN_SSH_PLUGIN_TEST: "1"
   rules:
     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
@@ -54,3 +57,46 @@ test-main-commit-job-debian:
     - make -j
     - make -j -C tests check-programs
     - sudo -E make check
+
+# meson tests
+test-mergerq-job-debian-meson:
+  extends:
+    - .debian-prep
+  tags:
+    - libvirt
+    - cryptsetup-debian-12
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-debian-12
+    RUN_SSH_PLUGIN_TEST: "1"
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  script:
+    - sudo apt-get -y install -y -qq meson ninja-build
+    - meson setup build
+    - ninja -C build
+    - cd build && sudo -E meson test --verbose --print-errorlogs
+
+test-main-commit-job-debian-meson:
+  extends:
+    - .debian-prep
+  tags:
+    - libvirt
+    - cryptsetup-debian-12
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-debian-12
+    RUN_SSH_PLUGIN_TEST: "1"
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  script:
+    - sudo apt-get -y install -y -qq meson ninja-build
+    - meson setup build
+    - ninja -C build
+    - cd build && sudo -E meson test --verbose --print-errorlogs

.gitlab/ci/fedora-opal.yml

@@ -0,0 +1,134 @@
+.dnf-openssl-backend:
+  variables:
+    DISTRO: cryptsetup-fedora-rawhide
+  extends:
+    - .fail_if_coredump_generated
+  before_script:
+    - >
+      [ -z "$RUN_SYSTEMD_PLUGIN_TEST" ] ||
+      sudo dnf -y -q install
+      swtpm meson ninja-build python3-jinja2 gperf libcap-devel tpm2-tss-devel
+      libmount-devel swtpm-tools
+    - >
+      sudo dnf -y -q install
+      autoconf automake device-mapper-devel gcc gettext-devel json-c-devel
+      libargon2-devel libblkid-devel libpwquality-devel libselinux-devel
+      libssh-devel libtool libuuid-devel make popt-devel
+      libsepol-devel.x86_64 netcat openssh-clients passwd pkgconfig sharutils
+      sshpass tar uuid-devel vim-common device-mapper expect gettext git jq
+      keyutils openssl-devel openssl asciidoctor
+    - sudo -E git clean -xdf
+    - ./autogen.sh
+    - ./configure --enable-fips --enable-pwquality --enable-libargon2 --with-crypto_backend=openssl --enable-asciidoc
+
+.opal-template-fedora:
+  extends:
+    - .dnf-openssl-backend
+  tags:
+    - libvirt
+    - cryptsetup-fedora-rawhide
+  stage: test
+  interruptible: false
+  variables:
+    OPAL2_DEV: "/dev/nvme0n1"
+    OPAL2_PSID_FILE: "/home/gitlab-runner/psid.txt"
+    VOLATILE: 1
+  script:
+    - sudo dnf install -y -q nvme-cli
+    - sudo nvme list
+    - make -j
+    - make -j -C tests check-programs
+    - sudo -E make check TESTS="00modules-test compat-test-opal"
+
+# Samsung SSD 980 500GB (on tiber machine)
+test-commit-rawhide-samsung980:
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  extends:
+    - .opal-template-fedora
+  tags:
+    - tiber
+  stage: test
+  interruptible: false
+  variables:
+    PCI_PASSTHROUGH_VENDOR_ID: "144d"
+    PCI_PASSTHROUGH_DEVICE_ID: "a809"
+
+test-mergerq-rawhide-samsung980:
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  extends:
+    - .opal-template-fedora
+  tags:
+    - tiber
+  stage: test
+  interruptible: false
+  variables:
+    PCI_PASSTHROUGH_VENDOR_ID: "144d"
+    PCI_PASSTHROUGH_DEVICE_ID: "a809"
+
+# WD PC SN740 SDDQNQD-512G-1014 (on tiber machine)
+test-commit-rawhide-sn740:
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  extends:
+    - .opal-template-fedora
+  tags:
+    - tiber
+  stage: test
+  interruptible: false
+  variables:
+    PCI_PASSTHROUGH_VENDOR_ID: "15b7"
+    PCI_PASSTHROUGH_DEVICE_ID: "5017"
+
+test-mergerq-rawhide-sn740:
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  extends:
+    - .opal-template-fedora
+  tags:
+    - tiber
+  stage: test
+  interruptible: false
+  variables:
+    PCI_PASSTHROUGH_VENDOR_ID: "15b7"
+    PCI_PASSTHROUGH_DEVICE_ID: "5017"
+
+# # UMIS RPETJ256MGE2MDQ (on tiber machine)
+# test-commit-rawhide-umis:
+#   rules:
+#     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+#       when: never
+#     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+#   extends:
+#     - .opal-template-fedora
+#   tags:
+#     - tiber
+#   stage: test
+#   interruptible: false
+#   variables:
+#     PCI_PASSTHROUGH_VENDOR_ID: "1cc4"
+#     PCI_PASSTHROUGH_DEVICE_ID: "6302"
+#
+# test-mergerq-rawhide-umis:
+#   rules:
+#     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+#       when: never
+#     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+#   extends:
+#     - .opal-template-fedora
+#   tags:
+#     - tiber
+#   stage: test
+#   interruptible: false
+#   variables:
+#     PCI_PASSTHROUGH_VENDOR_ID: "1cc4"
+#     PCI_PASSTHROUGH_DEVICE_ID: "6302"

.gitlab/ci/fedora.yml

@@ -1,6 +1,8 @@
 .dnf-openssl-backend:
+  variables:
+    DISTRO: cryptsetup-fedora-rawhide
   extends:
-    - .dump_kernel_log
+    - .fail_if_coredump_generated
   before_script:
     - >
       [ -z "$RUN_SYSTEMD_PLUGIN_TEST" ] ||
@@ -24,7 +26,7 @@ test-main-commit-job-rawhide:
     - .dnf-openssl-backend
   tags:
     - libvirt
-    - fedora-rawhide
+    - cryptsetup-fedora-rawhide
   stage: test
   interruptible: true
   allow_failure: true
@@ -44,7 +46,7 @@ test-mergerq-job-rawhide:
     - .dnf-openssl-backend
   tags:
     - libvirt
-    - fedora-rawhide
+    - cryptsetup-fedora-rawhide
   stage: test
   interruptible: true
   allow_failure: true

.gitlab/ci/gcc-Wall

@@ -31,7 +31,7 @@ EXTRA="-Wextra \
  -Wunsafe-loop-optimizations \
  -Wold-style-definition \
  -Wno-missing-field-initializers \
- -Wno-unused-parameter \
+ -Wunused-parameter \
  -Wno-long-long \
  -Wmaybe-uninitialized \
  -Wvla \

.gitlab/ci/gitlab-shared-docker.yml

@@ -1,5 +1,5 @@
 .gitlab-shared-docker:
-  image: ubuntu:focal
+  image: ubuntu:lunar
   tags:
     - gitlab-org-docker
   stage: test
@@ -12,7 +12,6 @@
     - .gitlab/ci/cibuild-setup-ubuntu.sh
     - export CC="${COMPILER}${COMPILER_VERSION:+-$COMPILER_VERSION}"
     - export CXX="${COMPILER}++${COMPILER_VERSION:+-$COMPILER_VERSION}"
-    - ./autogen.sh
 
 .gitlab-shared-gcc:
   extends:
@@ -27,5 +26,5 @@
     - .gitlab-shared-docker
   variables:
     COMPILER: "clang"
-    COMPILER_VERSION: "13"
+    COMPILER_VERSION: "17"
     RUN_SSH_PLUGIN_TEST: "1"

.gitlab/ci/rhel.yml

@@ -1,6 +1,6 @@
 .rhel-openssl-backend:
   extends:
-    - .dump_kernel_log
+    - .fail_if_coredump_generated
   before_script:
     - >
       sudo yum -y -q  install
@@ -21,10 +21,11 @@ test-main-commit-rhel8:
     - .rhel-openssl-backend
   tags:
     - libvirt
-    - rhel8
+    - cryptsetup-rhel-8
   stage: test
   interruptible: true
   variables:
+    DISTRO: cryptsetup-rhel-8
     RUN_SSH_PLUGIN_TEST: "1"
   rules:
     - if: $RUN_SYSTEMD_PLUGIN_TEST != null
@@ -42,10 +43,11 @@ test-main-commit-rhel9:
     - .rhel-openssl-backend
   tags:
     - libvirt
-    - rhel9
+    - cryptsetup-rhel-9
   stage: test
   interruptible: true
   variables:
+    DISTRO: cryptsetup-rhel-9
     RUN_SSH_PLUGIN_TEST: "1"
   rules:
     - if: $RUN_SYSTEMD_PLUGIN_TEST != null
@@ -65,10 +67,11 @@ test-main-commit-rhel8-fips:
     - .rhel-openssl-backend
   tags:
     - libvirt
-    - rhel8-fips
+    - cryptsetup-rhel-8-fips
   stage: test
   interruptible: true
   variables:
+    DISTRO: cryptsetup-rhel-8-fips
     RUN_SSH_PLUGIN_TEST: "1"
   rules:
     - if: $RUN_SYSTEMD_PLUGIN_TEST != null
@@ -87,11 +90,12 @@ test-main-commit-rhel9-fips:
     - .rhel-openssl-backend
   tags:
     - libvirt
-    - rhel9-fips
+    - cryptsetup-rhel-9-fips
   stage: test
   interruptible: true
   allow_failure: true
   variables:
+    DISTRO: cryptsetup-rhel-9-fips
     RUN_SSH_PLUGIN_TEST: "1"
   rules:
     - if: $RUN_SYSTEMD_PLUGIN_TEST != null

.gitlab/issue_templates/Bug.md

@@ -9,7 +9,10 @@
 
 ### Debug log
 <!-- Paste a debug log of the failing command (add --debug option) between the markers below (to keep raw debug format).-->
+<!-- We need a lot of information from the debug log; without it, we cannot process your report. -->
+<!-- Debug log does not contain any private information. Do not paste private data; we'll ask you for more information if needed. -->
 ```
 Output with --debug option:
 
 ```
+<!-- NOTE: WITHOUT DEBUG LOG, THE BUG REPORT WILL BE CLOSED. ALSO, PLEASE DO NOT TRY TO REMOVE PARTS OF THE DEBUG LOG! -->

.lgtm.yml

@@ -1,11 +0,0 @@
-queries:
-  - exclude: cpp/fixme-comment
-  - exclude: cpp/empty-block
-# symver attribute detection cannot be used, disable it for lgtm
-extraction:
-  cpp:
-    configure:
-      command:
-      - "./autogen.sh"
-      - "./configure --enable-external-tokens --enable-ssh-token"
-      - "echo \"#undef HAVE_ATTRIBUTE_SYMVER\" >> config.h"

FAQ.md

@@ -169,17 +169,12 @@
   me write the section.  Please note that by contributing to this FAQ,
   you accept the license described below.
 
-  This work is under the "Attribution-Share Alike 3.0 Unported" license,
-  which means distribution is unlimited, you may create derived works, but
+  This work is licensed under a Creative Commons CC-BY-SA-4.0
+  "Attribution-ShareAlike 4.0 International" license which means
+  distribution is unlimited, you may create derived works, but
   attributions to original authors and this license statement must be
-  retained and the derived work must be under the same license.  See
-  https://creativecommons.org/licenses/by-sa/3.0/ for more details of the
-  license.
-
-  Side note: I did text license research some time ago and I think this
-  license is best suited for the purpose at hand and creates the least
-  problems.
-
+  retained and the derived work must be under the same license.
+  See https://creativecommons.org/licenses/by-sa/4.0/ for more details.
 
   * **1.6 Where is the project website?**
 

Makefile.am

@@ -1,4 +1,17 @@
-EXTRA_DIST = README.md COPYING.LGPL FAQ.md docs misc autogen.sh
+EXTRA_DIST = README.md SECURITY.md COPYING.LGPL FAQ.md docs misc autogen.sh
+EXTRA_DIST += meson_options.txt \
+	meson.build \
+	lib/crypto_backend/argon2/meson.build \
+	lib/crypto_backend/meson.build \
+	lib/meson.build \
+	man/meson.build \
+	po/meson.build \
+	scripts/meson.build \
+	src/meson.build \
+	tests/meson.build \
+	tokens/meson.build \
+	tokens/ssh/meson.build
+
 SUBDIRS = po tests tests/fuzz
 CLEANFILES =
 DISTCLEAN_TARGETS =

README.md

@@ -2,115 +2,144 @@
 
 What the ...?
 =============
-**Cryptsetup** is a utility used to conveniently set up disk encryption based
-on the [DMCrypt](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt) kernel module.
+**Cryptsetup** is an open-source utility used to conveniently set up disk encryption based
+on the [dm-crypt](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt) kernel module.
 
-These include **plain** **dm-crypt** volumes, **LUKS** volumes, **loop-AES**,
-**TrueCrypt** (including **VeraCrypt** extension), **BitLocker** and **FileVault2** formats.
+These formats are supported:
+  * **plain** volumes,
+  * **LUKS** volumes,
+  * **loop-AES**,
+  * **TrueCrypt** (including **VeraCrypt** extension),
+  * **BitLocker**, and
+  * **FileVault2**.
 
 The project also includes a **veritysetup** utility used to conveniently setup
-[DMVerity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity) block integrity checking kernel module
-and **integritysetup** to setup
-[DMIntegrity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMIntegrity) block integrity kernel module.
+[dm-verity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity)
+block integrity checking kernel module and **integritysetup** to setup
+[dm-integrity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMIntegrity)
+block integrity kernel module.
 
 LUKS Design
 -----------
-**LUKS** is the standard for Linux hard disk encryption. By providing a standard on-disk-format, it does not  
-only facilitate compatibility among distributions, but also provides secure management of multiple user passwords.  
-LUKS stores all necessary setup information in the partition header, enabling to transport or migrate data seamlessly.
+**LUKS** is the standard for Linux disk encryption. By providing a standardized on-disk format,
+it not only facilitate compatibility among distributions, but also enables secure management
+of multiple user passwords. LUKS stores all necessary setup information in the partition header,
+which enables users to transport or migrate data seamlessly.
 
-### Specifications
-
-Last version of the LUKS2 format specification is
-[available here](https://gitlab.com/cryptsetup/LUKS2-docs).
-
-Last version of the LUKS1 format specification is
-[available here](https://www.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf).
-
-Why LUKS?
----------
- * compatibility via standardization,
- * secure against low entropy attacks,
- * support for multiple keys,
- * effective passphrase revocation,
- * free.
-
-[Project home page](https://gitlab.com/cryptsetup/cryptsetup/).
------------------
-
-[Frequently asked questions (FAQ)](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions)
---------------------------------
+### Specification and documentation
+  * The latest version of the
+  [LUKS2 format specification](https://gitlab.com/cryptsetup/LUKS2-docs).
+  * The latest version of the
+  [LUKS1 format specification](https://www.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf).
+  * [Project home page](https://gitlab.com/cryptsetup/cryptsetup/).
+  * [Frequently asked questions (FAQ)](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions)
 
 Download
 --------
-All release tarballs and release notes are hosted on [kernel.org](https://www.kernel.org/pub/linux/utils/cryptsetup/).
+Release notes and tarballs are available at
+[kernel.org](https://www.kernel.org/pub/linux/utils/cryptsetup/).
 
-**The latest stable cryptsetup release version is 2.6.0**
-  * [cryptsetup-2.6.0.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.0.tar.xz)
-  * Signature [cryptsetup-2.6.0.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.0.tar.sign)
+**The latest stable cryptsetup release version is 2.7.2**
+  * [cryptsetup-2.7.2.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.2.tar.xz)
+  * Signature [cryptsetup-2.7.2.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.2.tar.sign)
     _(You need to decompress file first to check signature.)_
-  * [Cryptsetup 2.6.0 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/v2.6.0-ReleaseNotes).
+  * [Cryptsetup 2.7.2 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.2-ReleaseNotes).
 
 Previous versions
- * [Version 2.5.0](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/cryptsetup-2.5.0.tar.xz) -
-   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/cryptsetup-2.5.0.tar.sign) -
+ * [Version 2.6.1](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.1.tar.xz) -
+   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.1.tar.sign) -
    [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/v2.5.0-ReleaseNotes).
  * [Version 1.7.5](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.xz) -
    [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.sign) -
    [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.5-ReleaseNotes).
 
-Source and API docs
--------------------
-For development version code, please refer to [source](https://gitlab.com/cryptsetup/cryptsetup/tree/master) page,
-mirror on [kernel.org](https://git.kernel.org/cgit/utils/cryptsetup/cryptsetup.git/) or [GitHub](https://github.com/mbroz/cryptsetup).
+Source and API documentation
+----------------------------
+For development version code, please refer to the
+[source](https://gitlab.com/cryptsetup/cryptsetup/tree/master) page, with mirrors
+at [kernel.org](https://git.kernel.org/cgit/utils/cryptsetup/cryptsetup.git/) and
+[GitHub](https://github.com/mbroz/cryptsetup).
 
-For libcryptsetup documentation see [libcryptsetup API](https://mbroz.fedorapeople.org/libcryptsetup_API/) page.
+For libcryptsetup documentation see
+[libcryptsetup API](https://mbroz.fedorapeople.org/libcryptsetup_API/) page.
 
-The libcryptsetup API/ABI changes are tracked in [compatibility report](https://abi-laboratory.pro/tracker/timeline/cryptsetup/).
-
-NLS PO files are maintained by [TranslationProject](https://translationproject.org/domain/cryptsetup.html).
+NLS PO files are maintained by
+[TranslationProject](https://translationproject.org/domain/cryptsetup.html).
 
 Required packages
 -----------------
-All distributions provide cryptsetup as distro package. If you need to compile cryptsetup yourself, some packages are required for compilation. Please always prefer distro specific build tools to manually configuring cryptsetup.
+All major Linux distributions provide cryptsetup as a bundled package. If you need
+to compile cryptsetup yourself, various additional packages are required.
+Any distribution-specific build tools are preferred when manually configuring cryptsetup.
 
-Here is the list of packages needed for the compilation of project for particular distributions:
- * For Fedora: `git gcc make autoconf automake gettext-devel pkgconfig openssl-devel popt-devel device-mapper-devel libuuid-devel json-c-devel libblkid-devel findutils libtool libssh-devel tar`. Optionally `libargon2-devel libpwquality-devel`. To run the internal testsuite you also need to install `sharutils device-mapper jq vim-common expect keyutils netcat shadow-utils openssh-clients openssh sshpass`.
+Below are the packages needed to build for certain Linux distributions:
 
- * For Debian and Ubuntu: `git gcc make autoconf automake autopoint pkg-config libtool gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol1-dev libjson-c-dev libssh-dev libblkid-dev tar`. Optionally `libargon2-0-dev libpwquality-dev`. To run the internal testsuite you also need to install `sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass`
+**For Fedora**:
+```
+git gcc make autoconf automake gettext-devel pkgconfig openssl-devel popt-devel device-mapper-devel
+libuuid-devel json-c-devel libblkid-devel findutils libtool libssh-devel tar
 
-Note that the list could change as the distributions evolve.
+Optionally: libargon2-devel libpwquality-devel
+```
+To run the internal testsuite (make check) you also need to install
+```
+sharutils device-mapper jq vim-common expect keyutils netcat shadow-utils openssh-clients openssh sshpass
+```
+
+**For Debian and Ubuntu**:
+```
+git gcc make autoconf automake autopoint pkg-config libtool gettext libssl-dev libdevmapper-dev
+libpopt-dev uuid-dev libsepol1-dev libjson-c-dev libssh-dev libblkid-dev tar
+
+Optionally: libargon2-0-dev libpwquality-dev
+```
+To run the internal testsuite (make check) you also need to install
+```
+sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass
+```
+
+Note that the list may change as Linux distributions evolve.
 
 Compilation
 -----------
-The cryptsetup project uses **automake** and **autoconf** system to generate all needed files for compilation. If you check it from the git snapshot, use ``./autogen.sh && ./configure && make`` to compile the project. If you use downloaded released ``*.tar.xz`` archive, the configure script is already pre-generated (no need to run ``autoconf.sh``).
-See ``./configure --help`` and use ``--disable-*`` and ``--enable-*`` options.
+The cryptsetup project uses **automake** and **autoconf** system to generate all files needed to build.
+When building from a git snapshot,, use **./autogen.sh && ./configure && make**
+to compile the project. When building from a release **tar.xz** tarball, the configure script
+is pre-generated (no need to run **autoconf.sh**).
+See **./configure --help** and use the **--disable-[feature]** and **--enable-[feature]** options.
 
-For running the test suite that come with the project, type ``make check``.
-Note that most tests will need root user privileges and run many dangerous storage fail simulations.
-Do **not** run tests with root privilege on production systems! Some tests will need scsi_debug kernel module to be available.
+To run the test suite that come with the project, type **make check**.
+Note that most tests will need root user privileges and will run dangerous storage failure simulations.
+Do **not** run tests with root privilege on production systems! Some tests will need the **scsi_debug**
+kernel module to be installed.
 
-For more details, please refer to [automake](https://www.gnu.org/software/automake/manual/automake.html) and [autoconf](https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf.html) manuals.
+For more details, please refer to the
+[automake](https://www.gnu.org/software/automake/manual/automake.html) and
+[autoconf](https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf.html) documentation.
 
 Help!
 -----
-
 ### Documentation
+Please read the following before posting questions to the mailing list so that
+you can ask better questions and better understand answers.
 
-Please read the following documentation before posting questions in the mailing list.   You will be able to ask better questions and better understand the answers.  
-
-* [FAQ](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions) 
-* LUKS Specifications
+* [Frequently asked questions (FAQ)](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions),
+* [LUKS Specifications](#specification-and-documentation), and
 * manuals (aka man page, man pages, man-page) 
 
-The FAQ is online and in the source code for the project.  The Specifications are referenced above in this document.  The man pages are in source and should be available after installation using standard man commands.  e.g.  man cryptsetup
+The FAQ is available online and in the source code for the project. The specifications are
+referenced above in this document. The man pages live within the source tree and should be
+available after installation using standard man commands, e.g. **man cryptsetup**.
 
 ### Mailing List
-
-For cryptsetup and LUKS related questions, please use the cryptsetup mailing list [cryptsetup@lists.linux.dev](mailto:cryptsetup@lists.linux.dev), hosted at [kernel.org subspace](https://subspace.kernel.org/lists.linux.dev.html).
-To subscribe send an empty mail to [cryptsetup+subscribe@lists.linux.dev](mailto:cryptsetup+subscribe@lists.linux.dev).
+For cryptsetup and LUKS related questions, please use the cryptsetup mailing list
+[cryptsetup@lists.linux.dev](mailto:cryptsetup@lists.linux.dev),
+hosted at [kernel.org subspace](https://subspace.kernel.org/lists.linux.dev.html).
+To subscribe send an empty email message to
+[cryptsetup+subscribe@lists.linux.dev](mailto:cryptsetup+subscribe@lists.linux.dev).
 
 You can also browse and/or search the mailing [list archive](https://lore.kernel.org/cryptsetup/).
-News (NNTP), Atom feed and git access to public inbox is available through [lore.kernel.org](https://lore.kernel.org) service.
+USEnet News (NNTP), Atom feed and git access to the public inbox is available through
+[lore.kernel.org](https://lore.kernel.org) service.
 
-The former dm-crypt [list archive](https://lore.kernel.org/dm-crypt/) is also available.
+The former **dm-crypt** [list archive](https://lore.kernel.org/dm-crypt/) is also available.

configure.ac

@@ -1,9 +1,9 @@
 AC_PREREQ([2.67])
-AC_INIT([cryptsetup],[2.6.0])
+AC_INIT([cryptsetup],[2.7.2])
 
 dnl library version from <major>.<minor>.<release>[-<suffix>]
 LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-)
-LIBCRYPTSETUP_VERSION_INFO=21:0:9
+LIBCRYPTSETUP_VERSION_INFO=22:0:10
 
 AM_SILENT_RULES([yes])
 AC_CONFIG_SRCDIR(src/cryptsetup.c)
@@ -128,7 +128,6 @@ if test "x$enable_largefile" = "xno"; then
   AC_MSG_ERROR([Building with --disable-largefile is not supported, it can cause data corruption.])
 fi
 
-AC_C_CONST
 AC_C_BIGENDIAN
 AC_TYPE_OFF_T
 AC_SYS_LARGEFILE
@@ -267,6 +266,9 @@ AC_DEFUN([CONFIGURE_GCRYPT], [
 		GCRYPT_REQ_VERSION=1.1.42
 	fi
 
+	use_internal_pbkdf2=0
+	use_internal_argon2=1
+
 	dnl libgcrypt rejects to use pkgconfig, use AM_PATH_LIBGCRYPT from gcrypt-devel here.
 	dnl Do not require gcrypt-devel if other crypto backend is used.
 	m4_ifdef([AM_PATH_LIBGCRYPT],[
@@ -290,7 +292,24 @@ AC_DEFUN([CONFIGURE_GCRYPT], [
 		NO_FIPS([])
 	fi
 
+	m4_ifdef([AM_PATH_LIBGCRYPT],[
+	AC_ARG_ENABLE([gcrypt-argon2],
+		dnl Check if we can use gcrypt Argon2 (1.11.0 supports empty password)
+		AS_HELP_STRING([--disable-gcrypt-argon2], [force disable internal gcrypt Argon2]),
+		[],
+		[AM_PATH_LIBGCRYPT([1.11.0], [use_internal_argon2=0], [use_internal_argon2=1])])
+	AM_PATH_LIBGCRYPT($GCRYPT_REQ_VERSION,,[AC_MSG_ERROR([You need the gcrypt library.])])],
+	AC_MSG_ERROR([Missing support for gcrypt: install gcrypt and regenerate configure.]))
+
+	AC_MSG_CHECKING([if internal cryptsetup Argon2 is compiled-in])
+	if test $use_internal_argon2 = 0; then
+		AC_MSG_RESULT([no])
+	else
+		AC_MSG_RESULT([yes])
+	fi
+
 	AC_CHECK_DECLS([GCRY_CIPHER_MODE_XTS], [], [], [#include <gcrypt.h>])
+	AC_CHECK_DECLS([GCRY_KDF_ARGON2], [], [], [#include <gcrypt.h>])
 
 	if test "x$enable_static_cryptsetup" = "xyes"; then
 		saved_LIBS=$LIBS
@@ -310,19 +329,25 @@ AC_DEFUN([CONFIGURE_GCRYPT], [
 ])
 
 AC_DEFUN([CONFIGURE_OPENSSL], [
-	PKG_CHECK_MODULES([OPENSSL], [openssl >= 0.9.8],,
+	PKG_CHECK_MODULES([LIBCRYPTO], [libcrypto >= 0.9.8],,
 		AC_MSG_ERROR([You need openssl library.]))
-	CRYPTO_CFLAGS=$OPENSSL_CFLAGS
-	CRYPTO_LIBS=$OPENSSL_LIBS
+	CRYPTO_CFLAGS=$LIBCRYPTO_CFLAGS
+	CRYPTO_LIBS=$LIBCRYPTO_LIBS
 	use_internal_pbkdf2=0
+	use_internal_argon2=1
 
 	if test "x$enable_static_cryptsetup" = "xyes"; then
 		saved_PKG_CONFIG=$PKG_CONFIG
 		PKG_CONFIG="$PKG_CONFIG --static"
-		PKG_CHECK_MODULES([OPENSSL_STATIC], [openssl])
-		CRYPTO_STATIC_LIBS=$OPENSSL_STATIC_LIBS
+		PKG_CHECK_MODULES([LIBCRYPTO_STATIC], [libcrypto])
+		CRYPTO_STATIC_LIBS=$LIBCRYPTO_STATIC_LIBS
 		PKG_CONFIG=$saved_PKG_CONFIG
 	fi
+
+	saved_LIBS=$LIBS
+	AC_CHECK_DECLS([OSSL_get_max_threads], [], [], [#include <openssl/thread.h>])
+	AC_CHECK_DECLS([OSSL_KDF_PARAM_ARGON2_VERSION], [use_internal_argon2=0], [], [#include <openssl/core_names.h>])
+	LIBS=$saved_LIBS
 ])
 
 AC_DEFUN([CONFIGURE_NSS], [
@@ -343,6 +368,7 @@ AC_DEFUN([CONFIGURE_NSS], [
 	CRYPTO_CFLAGS=$NSS_CFLAGS
 	CRYPTO_LIBS=$NSS_LIBS
 	use_internal_pbkdf2=1
+	use_internal_argon2=1
 	NO_FIPS([])
 ])
 
@@ -353,6 +379,7 @@ AC_DEFUN([CONFIGURE_KERNEL], [
 #		[AC_MSG_ERROR([You need Linux kernel with userspace crypto interface.])],
 #		[#include <sys/socket.h>])
 	use_internal_pbkdf2=1
+	use_internal_argon2=1
 	NO_FIPS([])
 ])
 
@@ -369,6 +396,7 @@ AC_DEFUN([CONFIGURE_NETTLE], [
 
 	CRYPTO_STATIC_LIBS=$CRYPTO_LIBS
 	use_internal_pbkdf2=0
+	use_internal_argon2=1
 	NO_FIPS([])
 ])
 
@@ -493,12 +521,21 @@ AC_ARG_ENABLE([internal-argon2],
 AC_ARG_ENABLE([libargon2],
 	AS_HELP_STRING([--enable-libargon2], [enable external libargon2 (PHC) library (disables internal bundled version)]))
 
-if test "x$enable_libargon2" = "xyes" ; then
+if test $use_internal_argon2 = 0 || ( test "x$enable_internal_argon2" = "xno" && test "x$enable_libargon2" != "xyes" ); then
+	if test "x$enable_internal_argon2" = "xyes" || test "x$enable_libargon2" = "xyes"; then
+		AC_MSG_NOTICE([Argon2 in $with_crypto_backend lib is used; internal Argon2 options are ignored.])
+	fi
+	enable_internal_argon2=no
+	enable_internal_sse_argon2=no
+	enable_libargon2=no
+	use_internal_argon2=0
+elif test "x$enable_libargon2" = "xyes" ; then
 	AC_CHECK_HEADERS(argon2.h,,
 		[AC_MSG_ERROR([You need libargon2 development library installed.])])
 	AC_CHECK_DECL(Argon2_id,,[AC_MSG_ERROR([You need more recent Argon2 library with support for Argon2id.])], [#include <argon2.h>])
 	PKG_CHECK_MODULES([LIBARGON2], [libargon2],,[LIBARGON2_LIBS="-largon2"])
 	enable_internal_argon2=no
+	use_internal_argon2=0
 else
 	AC_MSG_WARN([Argon2 bundled (slow) reference implementation will be used, please consider to use system library with --enable-libargon2.])
 
@@ -517,11 +554,10 @@ else
 	fi
 fi
 
-if test "x$enable_internal_argon2" = "xyes"; then
-	AC_DEFINE(USE_INTERNAL_ARGON2, 1, [Use internal Argon2])
-fi
 AM_CONDITIONAL(CRYPTO_INTERNAL_ARGON2, test "x$enable_internal_argon2" = "xyes")
 AM_CONDITIONAL(CRYPTO_INTERNAL_SSE_ARGON2, test "x$enable_internal_sse_argon2" = "xyes")
+dnl If libargon is in use, we have defined HAVE_ARGON2_H
+AC_DEFINE_UNQUOTED(USE_INTERNAL_ARGON2, [$use_internal_argon2], [Use internal Argon2])
 
 dnl Link with blkid to check for other device types
 AC_ARG_ENABLE([blkid],
@@ -556,6 +592,27 @@ AM_CONDITIONAL(HAVE_BLKID, test "x$enable_blkid" = "xyes")
 AM_CONDITIONAL(HAVE_BLKID_WIPE, test "x$enable_blkid_wipe" = "xyes")
 AM_CONDITIONAL(HAVE_BLKID_STEP_BACK, test "x$enable_blkid_step_back" = "xyes")
 
+AC_ARG_ENABLE([hw-opal],
+	AS_HELP_STRING([--disable-hw-opal], [disable use of hardware-backed OPAL for device encryption]),
+	[],
+	[enable_hw_opal=yes])
+
+if test "x$enable_hw_opal" = "xyes"; then
+	have_opal=yes
+	AC_CHECK_DECLS([ OPAL_FL_SUM_SUPPORTED,
+			 IOC_OPAL_GET_LR_STATUS,
+			 IOC_OPAL_GET_GEOMETRY
+		       ],
+		       [],
+		       [have_opal=no],
+		       [#include <linux/sed-opal.h>])
+	if test "x$have_opal" = "xyes"; then
+		AC_DEFINE([HAVE_HW_OPAL], 1, [Define to 1 to enable OPAL support.])
+	else
+		AC_MSG_WARN([Can not compile with OPAL support, kernel headers are too old, requires v6.4.])
+	fi
+fi
+
 dnl Magic for cryptsetup.static build.
 if test "x$enable_static_cryptsetup" = "xyes"; then
 	saved_PKG_CONFIG=$PKG_CONFIG
@@ -634,16 +691,16 @@ dnl Set Requires.private for libcryptsetup.pc
 dnl pwquality is used only by tools
 PKGMODULES="uuid devmapper json-c"
 case $with_crypto_backend in
-	gcrypt)  PKGMODULES+=" libgcrypt" ;;
-	openssl) PKGMODULES+=" openssl" ;;
-	nss)     PKGMODULES+=" nss" ;;
-	nettle)  PKGMODULES+=" nettle" ;;
+	gcrypt)  PKGMODULES="$PKGMODULES libgcrypt" ;;
+	openssl) PKGMODULES="$PKGMODULES openssl" ;;
+	nss)     PKGMODULES="$PKGMODULES nss" ;;
+	nettle)  PKGMODULES="$PKGMODULES nettle" ;;
 esac
 if test "x$enable_libargon2" = "xyes"; then
-	PKGMODULES+=" libargon2"
+	PKGMODULES="$PKGMODULES libargon2"
 fi
 if test "x$enable_blkid" = "xyes"; then
-	PKGMODULES+=" blkid"
+	PKGMODULES="$PKGMODULES blkid"
 fi
 AC_SUBST([PKGMODULES])
 dnl ==========================================================================
@@ -681,9 +738,9 @@ AC_DEFUN([CS_ABSPATH], [
 ])
 
 dnl ==========================================================================
-CS_STR_WITH([plain-hash],   [password hashing function for plain mode], [ripemd160])
+CS_STR_WITH([plain-hash],   [password hashing function for plain mode], [sha256])
 CS_STR_WITH([plain-cipher], [cipher for plain mode], [aes])
-CS_STR_WITH([plain-mode],   [cipher mode for plain mode], [cbc-essiv:sha256])
+CS_STR_WITH([plain-mode],   [cipher mode for plain mode], [xts-plain64])
 CS_NUM_WITH([plain-keybits],[key length in bits for plain mode], [256])
 
 CS_STR_WITH([luks1-hash],   [hash function for LUKS1 header], [sha256])

docs/Keyring.txt

@@ -12,30 +12,53 @@ no longer stored directly in dm-crypt target. Starting with cryptsetup 2.0 we
 load VK in kernel keyring by default for LUKSv2 devices (when dm-crypt with the
 feature is available).
 
-Currently cryptsetup loads VK in 'logon' type kernel key so that VK is passed in
-the kernel and can't be read from userspace afterward. Also cryptsetup loads VK in
-thread keyring (before passing the reference to dm-crypt target) so that the key
+Currently, cryptsetup loads VK in 'logon' type kernel key so that VK is passed in
+the kernel and can't be read from userspace afterwards. Also, cryptsetup loads VK in
+the thread keyring (before passing the reference to dm-crypt target) so that the key
 lifetime is directly bound to the process that performs the dm-crypt setup. When
-cryptsetup process exits (for whatever reason) the key gets unlinked in kernel
+cryptsetup process exits (for whatever reason) the key gets unlinked in the kernel
 automatically. In summary, the key description visible in dm-crypt table line is
 a reference to VK that usually no longer exists in kernel keyring service if you
-used cryptsetup to for device activation.
+used cryptsetup for device activation.
 
 Using this feature dm-crypt no longer maintains a direct key copy (but there's
-always at least one copy in kernel crypto layer).
+always at least one copy in the kernel crypto layer).
+
+Additionally, libcryptsetup supports the linking of volume keys to
+user-specified kernel keyring with crypt_set_keyring_to_link(). The user may
+specify keyring name, key type ('user' or 'logon') and key description where
+libcryptsetup should link the verified volume key upon subsequent device
+activation (or key verification alone).
+
+The volume key(s) (provided the key type is 'user') linked in the user keyring
+can be later used to activate the device via crypt_activate_by_keyslot_context()
+with CRYPT_KC_TYPE_VK_KEYRING type keyslot context
+(acquired by crypt_keyslot_context_init_by_vk_in_keyring()).
+
+Example of how to use volume key linked in custom user keyring from cryptsetup
+utility:
+
+1) Open the device and store the volume key to the session keyring:
+# cryptsetup open <device> --link-vk-to-keyring "@s::%user:testkey" tst
+
+2) Add a keyslot using the stored volume key in a keyring:
+# cryptsetup luksAddKey <device> --volume-key-keyring "%user:testkey"
+
+3) Activate the device using the volume key cached in a keyring ('user' type key)
+# cryptsetup open <device> <active_name> --volume-key-keyring "testkey"
 
 II) Keyslot passphrase
 The second use case for kernel keyring is to allow cryptsetup reading the keyslot
-passphrase stored in kernel keyring instead. The user may load passphrase in kernel
+passphrase stored in kernel keyring instead. The user may load the passphrase in the kernel
 keyring and notify cryptsetup to read it from there later. Currently, cryptsetup
 cli supports kernel keyring for passphrase only via LUKS2 internal token
-(luks2-keyring). Library also provides a general method for device activation by
-reading passphrase from keyring: crypt_activate_by_keyring(). The key type
+(luks2-keyring). The library also provides a general method for device activation by
+reading the passphrase from the keyring: crypt_activate_by_keyring(). The key type
 for use case II) must always be 'user' since we need to read the actual key
-data from userspace unlike with VK in I). Ability to read keyslot passphrase
-from kernel keyring also allows easily auto-activate LUKS2 devices.
+data from userspace unlike with VK in I). The ability to read keyslot passphrases
+from kernel keyring also allows easy auto-activate LUKS2 devices.
 
-Simple example how to use kernel keyring for keyslot passphrase:
+Simple example of how to use kernel keyring for keyslot passphrase:
 
 1) create LUKS2 keyring token for keyslot 0 (in LUKS2 device/image)
 cryptsetup token add --key-description my:key -S 0 /dev/device
@@ -43,7 +66,7 @@ cryptsetup token add --key-description my:key -S 0 /dev/device
 2) Load keyslot passphrase in user keyring
 read -s -p "Keyslot passphrase: "; echo -n $REPLY | keyctl padd user my:key @u
 
-3) Activate device using passphrase stored in kernel keyring
+3) Activate the device using the passphrase stored in the kernel keyring
 cryptsetup open /dev/device my_unlocked_device
 
 4a) unlink the key when no longer needed by
@@ -52,5 +75,5 @@ keyctl unlink %user:my:key @u
 4b) or revoke it immediately by
 keyctl revoke %user:my:key
 
-If cryptsetup asks for passphrase in step 3) something went wrong with keyring
+If cryptsetup asks for a passphrase in step 3) something went wrong with keyring
 activation. See --debug output then.

docs/LUKS2-locking.txt

@@ -5,7 +5,7 @@ Why
 ~~~
 
 LUKS2 format keeps two identical copies of metadata stored consecutively
-at the head of metadata device (file or bdev). The metadata
+at the head of the metadata device (file or bdev). The metadata
 area (both copies) must be updated in a single atomic operation to avoid
 header corruption during concurrent write.
 
@@ -15,17 +15,17 @@ locking with legacy format was not so obvious as it is with the LUKSv2 format.
 
 With LUKS2 the boundary between read-only and read-write is blurry and what
 used to be the exclusively read-only operation (i.e., cryptsetup open command) may
-easily become read-update operation silently without user's knowledge.
-Major feature of LUKS2 format is resilience against accidental
+easily become read-update operation silently without the user's knowledge.
+A major feature of the LUKS2 format is resilience against accidental
 corruption of metadata (i.e., partial header overwrite by parted or cfdisk
-while creating partition on mistaken block device).
-Such header corruption is detected early on header read and auto-recovery
+while creating a partition on a mistaken block device).
+Such header corruption is detected early on the header read and the auto-recovery
 procedure takes place (the corrupted header with checksum mismatch is being
 replaced by the secondary one if that one is intact).
-On current Linux systems header load operation may be triggered without user
-direct intervention for example by udev rule or from systemd service.
-Such clash of header read and auto-recovery procedure could have severe
-consequences with the worst case of having LUKS2 device unaccessible or being
+On current Linux systems header load operation may be triggered without the user
+direct intervention for example by an udev rule or from a systemd service.
+Such a clash of header read and auto-recovery procedure could have severe
+consequences with the worst case of having a LUKS2 device inaccessible or being
 broken beyond repair.
 
 The whole locking of LUKSv2 device headers split into two categories depending
@@ -36,17 +36,17 @@ I) block device
 
 We perform flock() on file descriptors of files stored in a private
 directory (by default /run/lock/cryptsetup). The file name is derived
-from major:minor couple of affected block device. Note we recommend
-that access to private locking directory is supposed to be limited
-to superuser only. For this method to work the distribution needs
+from major:minor couple of the affected block device. Note we recommend
+that access to the private locking directory is supposed to be limited
+to the superuser only. For this method to work the distribution needs
 to install the locking directory with appropriate access rights.
 
 II) regular files
 ~~~~~~~~~~~~~~~~~
 
-First notable difference between headers stored in a file
+A first notable difference between headers stored in a file
 vs. headers stored in a block device is that headers in a file may be
-manipulated by the regular user unlike headers on block devices. Therefore
+manipulated by the regular user, unlike headers on block devices. Therefore
 we perform flock() protection on file with the luks2 header directly.
 
 Limitations
@@ -58,4 +58,40 @@ while locking is enabled.
 We do not suppress any other negative effect that two or more concurrent
 writers of the same header may cause.
 
-b) The locking is not cluster aware in any way.
+b) The locking is not cluster-aware in any way.
+
+Additional LUKS2 locks
+======================
+
+LUKS2 reencryption device lock
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Device in LUKS2 reencryption is protected by an exclusive lock placed in the default
+locking directory. The lock's purpose is to exclude multiple processes from
+performing reencryption on the same device (identified by LUKS uuid). The lock
+is taken no matter the LUKS2 reencryption mode (online or offline).
+
+LUKS2 memory hard global lock
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+An optional global lock that makes libcryptsetup serialize memory hard
+pbkdf function when deriving a key encryption key from passphrase on unlocking
+LUKS2 keyslot. The lock has to be enabled via the CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF
+flag. The lock is placed in the default locking directory.
+
+LUKS2 OPAL lock
+~~~~~~~~~~~~~~~
+
+Exclusive per device lock taken when manipulating LUKS2 device configured for use with
+SED OPAL2 locking range.
+
+Lock ordering
+=============
+
+To avoid a deadlock following rules must apply:
+
+- LUKS2 reencrytpion lock must be taken before LUKS2 OPAL lock.
+
+- LUKS2 OPAL lock must be taken before LUKS2 metadata lock.
+
+- LUKS2 memory hard global lock can not be used with other locks.

docs/doxyfile

@@ -1,4 +1,4 @@
-# Doxyfile 1.9.1
+# Doxyfile 1.9.8
 
 #---------------------------------------------------------------------------
 # Project related configuration options
@@ -10,9 +10,9 @@ PROJECT_BRIEF          = "Public cryptsetup API"
 PROJECT_LOGO           =
 OUTPUT_DIRECTORY       = doxygen_api_docs
 CREATE_SUBDIRS         = NO
+CREATE_SUBDIRS_LEVEL   = 8
 ALLOW_UNICODE_NAMES    = NO
 OUTPUT_LANGUAGE        = English
-OUTPUT_TEXT_DIRECTION  = None
 BRIEF_MEMBER_DESC      = YES
 REPEAT_BRIEF           = YES
 ABBREVIATE_BRIEF       =
@@ -39,6 +39,7 @@ OPTIMIZE_OUTPUT_SLICE  = NO
 EXTENSION_MAPPING      =
 MARKDOWN_SUPPORT       = YES
 TOC_INCLUDE_HEADINGS   = 5
+MARKDOWN_ID_STYLE      = DOXYGEN
 AUTOLINK_SUPPORT       = YES
 BUILTIN_STL_SUPPORT    = NO
 CPP_CLI_SUPPORT        = NO
@@ -52,6 +53,7 @@ INLINE_SIMPLE_STRUCTS  = NO
 TYPEDEF_HIDES_STRUCT   = YES
 LOOKUP_CACHE_SIZE      = 0
 NUM_PROC_THREADS       = 1
+TIMESTAMP              = NO
 #---------------------------------------------------------------------------
 # Build related configuration options
 #---------------------------------------------------------------------------
@@ -72,6 +74,7 @@ INTERNAL_DOCS          = NO
 CASE_SENSE_NAMES       = YES
 HIDE_SCOPE_NAMES       = NO
 HIDE_COMPOUND_REFERENCE= NO
+SHOW_HEADERFILE        = YES
 SHOW_INCLUDE_FILES     = YES
 SHOW_GROUPED_MEMB_INC  = NO
 FORCE_LOCAL_INCLUDES   = NO
@@ -101,9 +104,12 @@ QUIET                  = NO
 WARNINGS               = YES
 WARN_IF_UNDOCUMENTED   = YES
 WARN_IF_DOC_ERROR      = YES
+WARN_IF_INCOMPLETE_DOC = YES
 WARN_NO_PARAMDOC       = NO
+WARN_IF_UNDOC_ENUM_VAL = NO
 WARN_AS_ERROR          = NO
 WARN_FORMAT            = "$file:$line: $text"
+WARN_LINE_FORMAT       = "at line $line of file $file"
 WARN_LOGFILE           =
 #---------------------------------------------------------------------------
 # Configuration options related to the input files
@@ -111,6 +117,7 @@ WARN_LOGFILE           =
 INPUT                  = doxygen_index.h \
                          ../lib/libcryptsetup.h
 INPUT_ENCODING         = UTF-8
+INPUT_FILE_ENCODING    =
 FILE_PATTERNS          =
 RECURSIVE              = NO
 EXCLUDE                =
@@ -126,6 +133,7 @@ FILTER_PATTERNS        =
 FILTER_SOURCE_FILES    = NO
 FILTER_SOURCE_PATTERNS =
 USE_MDFILE_AS_MAINPAGE =
+FORTRAN_COMMENT_AFTER  = 72
 #---------------------------------------------------------------------------
 # Configuration options related to source browsing
 #---------------------------------------------------------------------------
@@ -158,15 +166,17 @@ HTML_FOOTER            =
 HTML_STYLESHEET        =
 HTML_EXTRA_STYLESHEET  =
 HTML_EXTRA_FILES       =
+HTML_COLORSTYLE        = AUTO_LIGHT
 HTML_COLORSTYLE_HUE    = 220
 HTML_COLORSTYLE_SAT    = 100
 HTML_COLORSTYLE_GAMMA  = 80
-HTML_TIMESTAMP         = YES
 HTML_DYNAMIC_MENUS     = YES
 HTML_DYNAMIC_SECTIONS  = NO
+HTML_CODE_FOLDING      = YES
 HTML_INDEX_NUM_ENTRIES = 100
 GENERATE_DOCSET        = NO
 DOCSET_FEEDNAME        = "Doxygen generated docs"
+DOCSET_FEEDURL         =
 DOCSET_BUNDLE_ID       = org.doxygen.Project
 DOCSET_PUBLISHER_ID    = org.doxygen.Publisher
 DOCSET_PUBLISHER_NAME  = Publisher
@@ -177,6 +187,7 @@ GENERATE_CHI           = NO
 CHM_INDEX_ENCODING     =
 BINARY_TOC             = NO
 TOC_EXPAND             = NO
+SITEMAP_URL            =
 GENERATE_QHP           = NO
 QCH_FILE               =
 QHP_NAMESPACE          = org.doxygen.Project
@@ -189,14 +200,16 @@ GENERATE_ECLIPSEHELP   = NO
 ECLIPSE_DOC_ID         = org.doxygen.Project
 DISABLE_INDEX          = NO
 GENERATE_TREEVIEW      = NO
+FULL_SIDEBAR           = NO
 ENUM_VALUES_PER_LINE   = 4
 TREEVIEW_WIDTH         = 250
 EXT_LINKS_IN_WINDOW    = NO
+OBFUSCATE_EMAILS       = YES
 HTML_FORMULA_FORMAT    = png
 FORMULA_FONTSIZE       = 10
-FORMULA_TRANSPARENT    = YES
 FORMULA_MACROFILE      =
 USE_MATHJAX            = NO
+MATHJAX_VERSION        = MathJax_2
 MATHJAX_FORMAT         = HTML-CSS
 MATHJAX_RELPATH        = http://www.mathjax.org/mathjax
 MATHJAX_EXTENSIONS     =
@@ -227,9 +240,7 @@ PDF_HYPERLINKS         = YES
 USE_PDFLATEX           = YES
 LATEX_BATCHMODE        = NO
 LATEX_HIDE_INDICES     = NO
-LATEX_SOURCE_CODE      = NO
 LATEX_BIB_STYLE        = plain
-LATEX_TIMESTAMP        = NO
 LATEX_EMOJI_DIRECTORY  =
 #---------------------------------------------------------------------------
 # Configuration options related to the RTF output
@@ -240,7 +251,6 @@ COMPACT_RTF            = NO
 RTF_HYPERLINKS         = NO
 RTF_STYLESHEET_FILE    =
 RTF_EXTENSIONS_FILE    =
-RTF_SOURCE_CODE        = NO
 #---------------------------------------------------------------------------
 # Configuration options related to the man page output
 #---------------------------------------------------------------------------
@@ -261,12 +271,17 @@ XML_NS_MEMB_FILE_SCOPE = NO
 #---------------------------------------------------------------------------
 GENERATE_DOCBOOK       = NO
 DOCBOOK_OUTPUT         = docbook
-DOCBOOK_PROGRAMLISTING = NO
 #---------------------------------------------------------------------------
 # Configuration options for the AutoGen Definitions output
 #---------------------------------------------------------------------------
 GENERATE_AUTOGEN_DEF   = NO
 #---------------------------------------------------------------------------
+# Configuration options related to Sqlite3 output
+#---------------------------------------------------------------------------
+GENERATE_SQLITE3       = NO
+SQLITE3_OUTPUT         = sqlite3
+SQLITE3_RECREATE_DB    = YES
+#---------------------------------------------------------------------------
 # Configuration options related to the Perl module output
 #---------------------------------------------------------------------------
 GENERATE_PERLMOD       = NO
@@ -294,15 +309,14 @@ ALLEXTERNALS           = NO
 EXTERNAL_GROUPS        = YES
 EXTERNAL_PAGES         = YES
 #---------------------------------------------------------------------------
-# Configuration options related to the dot tool
+# Configuration options related to diagram generator tools
 #---------------------------------------------------------------------------
-CLASS_DIAGRAMS         = YES
-DIA_PATH               =
 HIDE_UNDOC_RELATIONS   = YES
 HAVE_DOT               = NO
 DOT_NUM_THREADS        = 0
-DOT_FONTNAME           = Helvetica
-DOT_FONTSIZE           = 10
+DOT_COMMON_ATTR        = "fontname=Helvetica,fontsize=10"
+DOT_EDGE_ATTR          = "labelfontname=Helvetica,labelfontsize=10"
+DOT_NODE_ATTR          = "shape=box,height=0.2,width=0.4"
 DOT_FONTPATH           =
 CLASS_GRAPH            = YES
 COLLABORATION_GRAPH    = YES
@@ -318,18 +332,20 @@ CALL_GRAPH             = NO
 CALLER_GRAPH           = NO
 GRAPHICAL_HIERARCHY    = YES
 DIRECTORY_GRAPH        = YES
+DIR_GRAPH_MAX_DEPTH    = 1
 DOT_IMAGE_FORMAT       = png
 INTERACTIVE_SVG        = NO
 DOT_PATH               =
 DOTFILE_DIRS           =
-MSCFILE_DIRS           =
+DIA_PATH               =
 DIAFILE_DIRS           =
 PLANTUML_JAR_PATH      =
 PLANTUML_CFG_FILE      =
 PLANTUML_INCLUDE_PATH  =
 DOT_GRAPH_MAX_NODES    = 50
 MAX_DOT_GRAPH_DEPTH    = 0
-DOT_TRANSPARENT        = NO
 DOT_MULTI_TARGETS      = NO
 GENERATE_LEGEND        = YES
 DOT_CLEANUP            = YES
+MSCGEN_TOOL            =
+MSCFILE_DIRS           =

docs/examples/crypt_log_usage.c

@@ -1,7 +1,7 @@
 /*
  * libcryptsetup API log example
  *
- * Copyright (C) 2011-2022 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public

docs/examples/crypt_luks_usage.c

@@ -1,7 +1,7 @@
 /*
  *  libcryptsetup API - using LUKS device example
  *
- * Copyright (C) 2011-2022 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public

docs/v2.6.1-ReleaseNotes

@@ -0,0 +1,50 @@
+Cryptsetup 2.6.1 Release Notes
+==============================
+Stable bug-fix release with minor extensions.
+
+All users of cryptsetup 2.6.0 should upgrade to this version.
+
+Changes since version 2.6.0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* bitlk: Fixes for BitLocker-compatible on-disk metadata parser
+  (found by new cryptsetup OSS-Fuzz fuzzers).
+  - Fix a possible memory leak if the metadata contains more than
+    one description field.
+  - Harden parsing of metadata entries for key and description entries.
+  - Fix broken metadata parsing that can cause a crash or out of memory.
+
+* Fix possible iteration overflow in OpenSSL2 PBKDF2 crypto backend.
+  OpenSSL2 uses a signed integer for PBKDF2 iteration count.
+  As cryptsetup uses an unsigned value, this can lead to overflow and
+  a decrease in the actual iteration count.
+  This situation can happen only if the user specifies
+  --pbkdf-force-iterations option.
+  OpenSSL3 (and other supported crypto backends) are not affected.
+
+* Fix compilation for new ISO C standards (gcc with -std=c11 and higher).
+
+* fvault2: Fix compilation with very old uuid.h.
+
+* verity: Fix possible hash offset setting overflow.
+
+* bitlk: Fix use of startup BEK key on big-endian platforms.
+
+* Fix compilation with latest musl library.
+  Recent musl no longer implements lseek64() in some configurations.
+  Use lseek() as 64-bit offset is mandatory for cryptsetup.
+
+* Do not initiate encryption (reencryption command) when the header and
+  data devices are the same.
+  If data device reduction is not requsted, this leads to data corruption
+  since LUKS metadata was written over the data device.
+
+* Fix possible memory leak if crypt_load() fails.
+
+* Always use passphrases with a minimal 8 chars length for benchmarking.
+  Some enterprise distributions decided to set an unconditional check
+  for PBKDF2 password length when running in FIPS mode.
+  This questionable change led to unexpected failures during LUKS format
+  and keyslot operations, where short passwords were used for
+  benchmarking PBKDF2 speed.
+  PBKDF2 benchmark calculations should not be affected by this change.

docs/v2.7.0-ReleaseNotes

@@ -0,0 +1,437 @@
+Cryptsetup 2.7.0 Release Notes
+==============================
+Stable release with new features and bug fixes.
+
+Changes since version 2.6.1
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Introduce support for hardware OPAL disk encryption.
+
+  Some SATA and NVMe devices support hardware encryption through OPAL2
+  TCG interface (SEDs - self-encrypting drives). Using hardware disk
+  encryption is controversial as you must trust proprietary hardware.
+
+  On the other side, using both software and hardware encryption
+  layers increases the security margin by adding an additional layer
+  of protection. There is usually no performance drop if OPAL encryption
+  is used (the drive always operates with full throughput), and it does
+  not add any utilization to the main CPU.
+
+  LUKS2 now supports hardware encryption through the Linux kernel
+  SED OPAL interface (CONFIG_BLK_SED_OPAL Linux kernel option must be
+  enabled). Cryptsetup OPAL is never enabled by default; you have to use
+  luksFormat parameters to use it. OPAL support can be disabled during
+  the build phase with --disable-hw-opal configure option.
+
+  LUKS2 OPAL encryption is configured the same way as software encryption
+  - it stores metadata in the LUKS2 header and activates encryption for
+  the data area on the disk (configured OPAL locking range).
+  LUKS2 header metadata must always be visible (thus not encrypted).
+  The key stored in LUKS2 keyslots contains two parts - volume key
+  for software (dm-crypt) encryption and unlocking key for OPAL.
+  OPAL unlocking key is independent of the dm-crypt volume key and is
+  always 256 bits long. Cryptsetup does not support full drive OPAL
+  encryption; only a specific locking range is always used.
+
+  If the OPAL device is in its initial factory state (after factory
+  reset), cryptsetup needs to configure the OPAL admin user and password.
+  If the OPAL admin user is already set, the OPAL password must be
+  provided during luksFormat.
+  The provided password is needed only to configure or reset the OPAL
+  locking range; LUKS device activation requires LUKS passphrase only.
+  LUKS passphrase should be different from OPAL password (OPAL admin user
+  is configured inside OPAL hardware while LUKS unlocking passphrase
+  unlocks LUKS keyslot).
+
+  OPAL encryption can be used in combination with software (dm-crypt)
+  encryption (--hw-opal option) or without the software layer
+  (--hw-opal-only option).
+  You can see the configured segment parameters in the luksDump command.
+  LUKS2 devices with OPAL segments set a new requirement flag in
+  the LUKS2 header to prevent older cryptsetup metadata manipulation.
+  Do not use hardware-only encryption if you do not fully trust your
+  hardware vendor.
+
+  Compatibility notes:
+    - Linux kernel SED interface does NOT work through USB external
+    adapters due to the missing compatibility layer in Linux USB storage
+    drivers (even if USB hardware itself can support OPAL commands).
+    - other TCG security subsystems like Ruby or Pyrite are not
+    supported. Note that many drives support only Pyrite subsystem that
+    does NOT encrypt data (it provides only authentication).
+    - compatibility among OPAL-enabled drives is often very problematic,
+    specifically for older drives. Many drives have bugs in the firmware
+    that make the Linux kernel interface unusable.
+    - if you forget the OPAL admin password, the only way to recover is
+    the full drive factory reset through the PSID key (usually printed
+    on the drive itself) that wipes all data on the drive (not only the
+    LUKS area).
+    - cryptsetup reencryption is not supported for LUKS2 OPAL-enabled
+    devices
+    - most OPAL drives use AES-XTS cipher mode (older drives can use
+    AES-CBC). This information is not available through kernel SED API.
+    - locked OPAL locking ranges return IO errors while reading; this
+    can produce a lot of scary messages in the log if some tools (like
+    blkid) try to read the locked area.
+
+  Examples:
+
+  * Formatting the drive
+  Use --hw-opal with luksFormat (or --hw-opal-only for hardware only
+  encryption):
+
+  # cryptsetup luksFormat --hw-opal <device>
+  Enter passphrase for <device>: ***
+  Enter OPAL Admin password: ***
+
+  * Check configuration with luksDump.
+  Note "hw-opal-crypt" segment that uses both dm-crypt and OPAL
+  encryption - keyslot stores 768 bits key (512 sw + 256 bits OPAL key).
+
+  # cryptsetup luksDump <device>
+    LUKS header information
+    Version:        2
+    ...
+    Data segments:
+       0: hw-opal-crypt
+         offset: 16777216 [bytes]
+         length: ... [bytes]
+         cipher: aes-xts-plain64
+         sector: 512 [bytes]
+         HW OPAL encryption:
+                OPAL segment number: 1
+                OPAL key: 256 bits
+                OPAL segment length: ... [bytes]
+     Keyslots:
+       0: luks2
+         Key:        768 bits
+      ...
+
+  For devices with OPAL encryption ONLY (only 256 bits OPAL unlocking
+  key is stored):
+     LUKS header information
+     Version:        2
+     ...
+
+     Data segments:
+        0: hw-opal
+          offset: 16777216 [bytes]
+          length: ... [bytes]
+          cipher: (no SW encryption)
+          HW OPAL encryption:
+                OPAL segment number: 1
+                OPAL key: 256 bits
+                OPAL segment length: ... [bytes]
+     Keyslots:
+       0: luks2
+         Key:        256 bits
+         ...
+
+  * Activation and deactivation (open, close, luksSuspend, luksResume)
+  with OPAL works the same as for the LUKS2 device.
+
+  * Erase LUKS metadata (keyslots) and remove OPAL locking range:
+  # cryptsetup luksErase <device>
+    Enter OPAL Admin password: ***
+
+  The LUKS header is destroyed (unlike in normal LUKS luksErase) as
+  data are no longer accessible even with previous volume key knowledge.
+
+  * Factory reset OPAL drive (if you do not know the Admin password).
+    You need the PSID (physical presence security ID), which is usually
+    printed on the device label. Note this will reset the device to
+    factory state, erasing all data on it (not only LUKS).
+
+  # cryptsetup luksErase --hw-opal-factory-reset <device>
+    Enter OPAL PSID: ***
+
+* plain mode: Set default cipher to aes-xts-plain64 and password hashing
+  to sha256.
+
+  NOTE: this is a backward incompatible change for plain mode (if you
+  rely on defaults). It is not relevant for LUKS devices.
+
+  The default plain encryption mode was CBC for a long time, with many
+  performance problems. Using XTS mode aligns it with LUKS defaults.
+
+  The hash algorithm for plain mode was ripemd160, which is considered
+  deprecated, so the new default is sha256.
+
+  The default key size remains 256 bits (it means using AES-128 as XTS
+  requires two keys).
+
+  Always specify cipher, hash, and key size for plain mode (or even
+  better, use LUKS as it stores all options in its metadata on disk).
+  As we need to upgrade algorithms from time to time because of security
+  reasons, cryptsetup now warns users to specify these options explicitly
+  in the open cryptsetup command if plain mode is used.
+  Cryptsetup does not block using any legacy encryption type; just it
+  must be specified explicitly on the cryptsetup command line.
+
+  You can configure these defaults during build time if you need to
+  enforce backward compatibility.
+  To get the backward-compatible setting, use:
+    --with-plain-hash=ripemd160 --with-plain-cipher=aes
+    --with-plain-mode=cbc-essiv:sha256
+
+  Compiled-in defaults are visible in cryptsetup --help output.
+
+* Allow activation (open), luksResume, and luksAddKey to use the volume
+  key stored in a keyring.
+* Allow to store volume key to a user-specified keyring in open and
+  luksResume commands.
+
+  These options are intended to be used for integration with other
+  systems for automation.
+
+  Users can now use the volume key (not passphrase) stored in arbitrary
+  kernel keyring and directly use it in particular cryptsetup commands
+  with --volume-key-keyring option. The keyring can use various policies
+  (set outside of the cryptsetup scope, for example, by keyctl).
+
+  The --volume-key-keyring option takes a key description in
+  keyctl-compatible syntax and can either be a numeric key ID or
+  a string name in the format [%<key type>:]<key name>.
+  The default key type is "user".
+
+  To store the volume key in a keyring, you can use cryptsetup with
+  --link-vk-to-keyring option that is available for open and luksResume
+  cryptsetup command. The option argument has a more complex format:
+  <keyring_description>::<key_description>.
+  The <keyring_description> contains the existing kernel keyring
+  description (numeric id or keyctl format). The <keyring_description>
+  may be optionally prefixed with "%:" or "%keyring:". The string "::" is
+  a delimiter that separates keyring and key descriptions.
+  The <key_description> has the same syntax as used in the
+  --volume-key-keyring option.
+
+  Example:
+
+  Open the device and store the volume key to the keyring:
+  # cryptsetup open <device> --link-vk-to-keyring "@s::%user:testkey" tst
+
+  Add keyslot using the stored key in a keyring:
+  # cryptsetup luksAddKey <device> --volume-key-keyring "%user:testkey"
+
+* Do not flush IO operations if resize grows the device.
+  This can help performance in specific cases where the encrypted device
+  is extended automatically while running many IO operations.
+
+* Use only half of detected free memory for Argon2 PBKDF on systems
+  without swap (for LUKS2 new keyslot or format operations).
+
+  This should avoid out-of-memory crashes on low-memory systems without
+  swap. The benchmark for memory-hard KDF during format is tricky, and
+  it seems that relying on the maximum half of physical memory is not
+  enough; relying on free memory should bring the needed security margin
+  while still using Argon2.
+  There is no change for systems with active swap.
+  Note, for very-low memory-constrained systems, a user should avoid
+  memory-hard PBKDF completely (manually select legacy PBKDF2 instead
+  of Argon2); cryptsetup does not change PBKDF automatically.
+
+* Add the possibility to specify a directory for external LUKS2 token
+  handlers (plugins).
+
+  Use --external-tokens-path parameter in cryptsetup or
+  crypt_token_set_external_path API call. The parameter is required to be
+  an absolute path, and it is set per process context. This parameter is
+  intended mainly for testing and developing new tokens.
+
+* Do not allow reencryption/decryption on LUKS2 devices with
+  authenticated encryption or hardware (OPAL) encryption.
+
+  The operation fails later anyway; cryptsetup now detects incompatible
+  parameters early.
+
+* Do not fail LUKS format if the operation was interrupted on subsequent
+  device wipe.
+
+  Device wipe (used with authenticated encryption) is an optional
+  operation and can be interrupted; not yet wiped part of the device will
+  only report integrity errors (until overwritten with new data).
+
+* Fix the LUKS2 keyslot option to be used while activating the device
+  by a token.
+
+  It can also be used to check if a specific token (--token-id) can
+  unlock a specific keyslot (--key-slot option) when --test-passphrase
+  option is specified.
+
+* Properly report if the dm-verity device cannot be activated due to
+  the inability to verify the signed root hash (ENOKEY).
+
+* Fix to check passphrase for selected keyslot only when adding
+  new keyslot.
+
+  If the user specifies the exact keyslot to unlock, cryptsetup no longer
+  checks other keyslots.
+
+* Fix to not wipe the keyslot area before in-place overwrite.
+
+  If the LUKS2 keyslot area has to be overwritten (due to lack of free
+  space for keyslot swap), cryptsetup does not wipe the affected area as
+  the first step (it will be overwritten later anyway).
+  Previously, there was an unnecessary risk of losing the keyslot data
+  if the code crashed before adding the new keyslot.
+
+  If there is enough space in the keyslot area, cryptsetup never
+  overwrites the older keyslot before the new one is written correctly
+  (even if the keyslot number remains the same).
+
+* bitlk: Fix segfaults when attempting to verify the volume key.
+
+  Also, clarify that verifying the volume key is impossible without
+  providing a passphrase or recovery key.
+
+* Add --disable-blkid command line option to avoid blkid device check.
+
+* Add support for the meson build system.
+
+  All basic operations are supported (compile, test, and dist) with some
+  minor exceptions; please see the meson manual for more info.
+
+  The Meson build system will completely replace autotools in some future
+  major release. Both autotools and meson build systems are supported,
+  and the release archive is built with autotools.
+
+* Fix wipe operation that overwrites the whole device if used for LUKS2
+  header with no keyslot area.
+
+  Formatting a LUKS2 device with no defined keyslots area is a very
+  specific operation, and the code now properly recognizes such
+  configuration.
+
+* Fix luksErase to work with detached LUKS header.
+
+* Disallow the use of internal kernel crypto driver names in "capi"
+  specification.
+
+  The common way to specify cipher mode in cryptsetup is to use
+  cipher-mode-iv notation (like aes-xts-plain64).
+  With the introduction of authenticated ciphers, we also allow
+  "capi:<spec>" notation that is directly used by dm-crypt
+  (e.g., capi:xts(aes)-plain64).
+
+  CAPI specification was never intended to be used directly in the LUKS
+  header; unfortunately, the code allowed it until now.
+  Devices with CAPI specification in metadata can no longer be activated;
+  header repair is required.
+
+  CAPI specification could allow attackers to change the cipher
+  specification to enforce loading some specific kernel crypto driver
+  (for example, load driver with known side-channel issues).
+  This can be problematic, specifically in a cloud environment
+  (modifying LUKS2 metadata in container image).
+
+  Thanks to Jan Wichelmann, Luca Wilke, and Thomas Eisenbarth from
+  University of Luebeck for noticing the problems with this code.
+
+* Fix reencryption to fail early for unknown cipher.
+
+* tcrypt: Support new Blake2 hash for VeraCrypt.
+
+  VeraCrypt introduces support for Blake2 PRF for PBKDF2; also support it
+  in cryptsetup compatible tcrypt format.
+
+* tcrypt: use hash values as substring for limiting KDF check.
+
+  This allows the user to specify --hash sha or --hash blake2 to limit
+  the KDF scan without the need to specify the full algorithm name
+  (similar to cipher where we already use substring match).
+
+* Add Aria cipher support and block size info.
+
+  Aria cipher is similar to AES and is supported in Linux kernel crypto
+  API in recent releases.
+  It can be now used also for LUKS keyslot encryption.
+
+* Do not decrease PBKDF parameters if the user forces them.
+
+  If a user explicitly specifies PBKDF parameters (like iterations,
+  used memory, or threads), do not limit them, even if it can cause
+  resource exhaustion.
+  The force options were mostly used for decreasing parameters, but it
+  should work even opposite - despite the fact it can mean an
+  out-of-memory crash.
+
+  The only limits are hard limits per the PBKDF algorithm.
+
+* Support OpenSSL 3.2 Argon2 implementation.
+
+  Argon2 is now available directly in OpenSSL, so the code no longer
+  needs to use libargon implementation.
+  Configure script should detect this automatically.
+
+* Add support for Argon2 from libgcrypt
+  (requires yet unreleased gcrypt 1.11).
+
+  Argon2 has been available since version 1.10, but we need version 1.11,
+  which will allow empty passwords.
+
+* Used Argon2 PBKDF implementation is now reported in debug mode
+  in the cryptographic backend version. For native support in
+  OpenSSL 3.2 or libgcrypt 1.11, "argon2" is displayed.
+  If libargon2 is used, "cryptsetup libargon2" (for embedded
+  library) or "external libargon2" is displayed.
+
+* Link only libcrypto from OpenSSL.
+
+  This reduces dependencies as other OpenSSL libraries are not needed.
+
+* Disable reencryption for Direct-Access (DAX) devices.
+
+  Linux kernel device-mapper cannot stack DAX/non-DAX devices in
+  the mapping table, so online reencryption cannot work. Detect DAX
+  devices and warn users during LUKS format. Also, DAX or persistent
+  memory devices do not provide atomic sector updates; any single
+  modification can corrupt the whole encryption block.
+
+* Print a warning message if the device is not aligned to sector size.
+
+  If a partition is resized after format, activation could fail when
+  the device is not multiple of a sector size. Print at least a warning
+  here, as the activation error message is visible only in kernel syslog.
+
+* Fix sector size and integrity fields display for non-LUKS2 crypt
+  devices for the status command.
+
+* Fix suspend for LUKS2 with authenticated encryption (also suspend
+  dm-integrity device underneath).
+
+  This should stop the dm-integrity device from issuing journal updates
+  and possibly corrupt data if the user also tries to modify the
+  underlying device.
+
+* Update keyring and locking documentation and LUKS2 specification
+  for OPAL2 support.
+
+Libcryptsetup API extensions
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The libcryptsetup API is backward compatible for all existing symbols.
+
+New symbols:
+  crypt_activate_by_keyslot_context
+  crypt_format_luks2_opal
+  crypt_get_hw_encryption_type
+  crypt_get_hw_encryption_key_size
+  crypt_keyslot_context_init_by_keyring
+  crypt_keyslot_context_init_by_vk_in_keyring
+  crypt_keyslot_context_init_by_signed_key
+  crypt_resume_by_keyslot_context
+  crypt_token_set_external_path
+  crypt_set_keyring_to_link
+  crypt_wipe_hw_opal
+
+New defines (hw encryption status):
+  CRYPT_SW_ONLY
+  CRYPT_OPAL_HW_ONLY
+  CRYPT_SW_AND_OPAL_HW
+
+New keyslot context types:
+  CRYPT_KC_TYPE_KEYRING
+  CRYPT_KC_TYPE_VK_KEYRING
+  CRYPT_KC_TYPE_SIGNED_KEY
+
+New requirement flag:
+  CRYPT_REQUIREMENT_OPAL

docs/v2.7.1-ReleaseNotes

@@ -0,0 +1,30 @@
+Cryptsetup 2.7.1 Release Notes
+==============================
+Stable bug-fix release with minor extensions.
+
+All users of cryptsetup 2.7.0 should upgrade to this version.
+
+Changes since version 2.7.0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Fix interrupted LUKS1 decryption resume.
+  With the replacement of the cryptsetup-reencrypt tool by the cryptsetup
+  reencrypt command, resuming the interrupted LUKS1 decryption operation
+  could fail. LUKS2 was not affected.
+
+* Allow --link-vk-to-keyring with --test-passphrase option.
+  This option allows uploading the volume key in a user-specified kernel
+  keyring without activating the device.
+
+* Fix crash when --active-name was used in decryption initialization.
+
+* Updates and changes to man pages, including indentation, sorting options
+  alphabetically, fixing mistakes in crypt_set_keyring_to_link, and fixing
+  some typos.
+
+* Fix compilation with libargon2 when --disable-internal-argon2 was used.
+
+* Do not require installed argon2.h header and never compile internal
+  libargon2 code if the crypto library directly supports Argon2.
+
+* Fixes to regression tests to support older Linux distributions.

docs/v2.7.2-ReleaseNotes

@@ -0,0 +1,31 @@
+Cryptsetup 2.7.2 Release Notes
+==============================
+Stable bug-fix release.
+
+All users of cryptsetup 2.7 should upgrade to this version.
+
+Changes since version 2.7.1
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+* Fix activation of OPAL-only encrypted LUKS device with tokens.
+  The issue was caused by an invalid volume key check (assert)
+  that is impossible without software encryption.
+
+* Fix formatting of OPAL devices with 4096-byte sector size.
+
+* Fix incorrect OPAL locking range alignment calculation if used
+  over an unaligned device partition.
+
+* Add --hw-opal-factory-reset option description to the manual page.
+
+* Do not check the passphrase quality for OPAL Admin PIN,
+  as this passphrase already exists.
+
+* Update license for FAQ document to CC BY-SA 4.0.
+
+NOTE: Please note that with OPAL-only (--hw-opal-only) encryption,
+the configured OPAL administrator PIN (passphrase) allows unlocking
+all configured locking ranges without LUKS keyslot decryption
+(without knowledge of LUKS passphrase).
+Because of many observed problems with compatibility, cryptsetup
+currently DOES NOT use OPAL single-user mode, which would allow such
+decoupling of OPAL admin PIN access.

lib/Makemodule.am

@@ -103,6 +103,8 @@ libcryptsetup_la_SOURCES = \
 	lib/luks2/luks2_token.c		\
 	lib/luks2/luks2_internal.h	\
 	lib/luks2/luks2.h		\
+	lib/luks2/hw_opal/hw_opal.c	\
+	lib/luks2/hw_opal/hw_opal.h	\
 	lib/utils_blkid.c		\
 	lib/utils_blkid.h		\
 	lib/bitlk/bitlk.h		\

lib/bitlk/bitlk.c

@@ -1,9 +1,9 @@
 /*
  * BITLK (BitLocker-compatible) volume handling
  *
- * Copyright (C) 2019-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2019-2022 Milan Broz
- * Copyright (C) 2019-2022 Vojtech Trefny
+ * Copyright (C) 2019-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2019-2024 Milan Broz
+ * Copyright (C) 2019-2024 Vojtech Trefny
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -255,13 +255,16 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
 		    (*vmk)->protection == BITLK_PROTECTION_RECOVERY_PASSPHRASE ||
 		    (*vmk)->protection == BITLK_PROTECTION_STARTUP_KEY;
 
-	while (end - start > 2) {
+	while ((end - start) >= (ssize_t)(sizeof(key_entry_size) + sizeof(key_entry_type) + sizeof(key_entry_value))) {
 		/* size of this entry */
 		memcpy(&key_entry_size, data + start, sizeof(key_entry_size));
 		key_entry_size = le16_to_cpu(key_entry_size);
 		if (key_entry_size == 0)
 			break;
 
+		if (key_entry_size > (end - start))
+			return -EINVAL;
+
 		/* type and value of this entry */
 		memcpy(&key_entry_type, data + start + sizeof(key_entry_size), sizeof(key_entry_type));
 		memcpy(&key_entry_value,
@@ -280,20 +283,24 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
 		}
 
 		/* stretch key with salt, skip 4 B (encryption method of the stretch key) */
-		if (key_entry_value == BITLK_ENTRY_VALUE_STRETCH_KEY)
+		if (key_entry_value == BITLK_ENTRY_VALUE_STRETCH_KEY) {
+			if ((end - start) < (BITLK_ENTRY_HEADER_LEN + BITLK_SALT_SIZE + 4))
+				return -EINVAL;
 			memcpy((*vmk)->salt,
 			       data + start + BITLK_ENTRY_HEADER_LEN + 4,
-			       sizeof((*vmk)->salt));
+			       BITLK_SALT_SIZE);
 		/* AES-CCM encrypted key */
-		else if (key_entry_value == BITLK_ENTRY_VALUE_ENCRYPTED_KEY) {
+		} else if (key_entry_value == BITLK_ENTRY_VALUE_ENCRYPTED_KEY) {
+			if (key_entry_size < (BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE))
+				return -EINVAL;
 			/* nonce */
 			memcpy((*vmk)->nonce,
 			       data + start + BITLK_ENTRY_HEADER_LEN,
-			       sizeof((*vmk)->nonce));
+			       BITLK_NONCE_SIZE);
 			/* MAC tag */
 			memcpy((*vmk)->mac_tag,
 			       data + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE,
-			       sizeof((*vmk)->mac_tag));
+			       BITLK_VMK_MAC_TAG_SIZE);
 			/* AES-CCM encrypted key */
 			key_size = key_entry_size - (BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE);
 			key = (const char *) data + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE;
@@ -318,6 +325,8 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
 		} else if (key_entry_value == BITLK_ENTRY_VALUE_RECOVERY_TIME) {
 			;
 		} else if (key_entry_value == BITLK_ENTRY_VALUE_STRING) {
+			if (key_entry_size < BITLK_ENTRY_HEADER_LEN)
+				return -EINVAL;
 			string = malloc((key_entry_size - BITLK_ENTRY_HEADER_LEN) * 2 + 1);
 			if (!string)
 				return -ENOMEM;
@@ -405,6 +414,7 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 	struct bitlk_fve_metadata fve = {};
 	struct bitlk_entry_vmk entry_vmk = {};
 	uint8_t *fve_entries = NULL;
+	size_t fve_entries_size = 0;
 	uint32_t fve_metadata_size = 0;
 	int fve_offset = 0;
 	char guid_buf[UUID_STR_LEN] = {0};
@@ -413,7 +423,6 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 	int i = 0;
 	int r = 0;
 	int start = 0;
-	int end = 0;
 	size_t key_size = 0;
 	const char *key = NULL;
 	char *description = NULL;
@@ -514,7 +523,6 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 
 	params->volume_size = le64_to_cpu(fve.volume_size);
 	params->metadata_version = le16_to_cpu(fve.fve_version);
-	fve_metadata_size = le32_to_cpu(fve.metadata_size);
 
 	switch (le16_to_cpu(fve.encryption)) {
 	/* AES-CBC with Elephant difuser */
@@ -569,40 +577,56 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 
 	params->creation_time = filetime_to_unixtime(le64_to_cpu(fve.creation_time));
 
+	fve_metadata_size = le32_to_cpu(fve.metadata_size);
+	if (fve_metadata_size < (BITLK_FVE_METADATA_HEADER_LEN + sizeof(entry_size) + sizeof(entry_type)) ||
+	    fve_metadata_size > BITLK_FVE_METADATA_SIZE) {
+		r = -EINVAL;
+		goto out;
+	}
+	fve_entries_size = fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN;
+
 	/* read and parse all FVE metadata entries */
-	fve_entries = malloc(fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN);
+	fve_entries = malloc(fve_entries_size);
 	if (!fve_entries) {
 		r = -ENOMEM;
 		goto out;
 	}
-	memset(fve_entries, 0, (fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN));
+	memset(fve_entries, 0, fve_entries_size);
 
-	log_dbg(cd, "Reading BITLK FVE metadata entries of size %" PRIu32 " on device %s, offset %" PRIu64 ".",
-		fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN, device_path(device),
-		params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN);
+	log_dbg(cd, "Reading BITLK FVE metadata entries of size %zu on device %s, offset %" PRIu64 ".",
+		fve_entries_size, device_path(device), params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN);
 
 	if (read_lseek_blockwise(devfd, device_block_size(cd, device),
-		device_alignment(device), fve_entries, fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN,
-		params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN) != (ssize_t)(fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN)) {
+		device_alignment(device), fve_entries, fve_entries_size,
+		params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN) != (ssize_t)fve_entries_size) {
 		log_err(cd, _("Failed to read BITLK metadata entries from %s."), device_path(device));
 		r = -EINVAL;
 		goto out;
 	}
 
-	end = fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN;
-	while (end - start > 2) {
+	while ((fve_entries_size - start) >= (sizeof(entry_size) + sizeof(entry_type))) {
+
 		/* size of this entry */
 		memcpy(&entry_size, fve_entries + start, sizeof(entry_size));
 		entry_size = le16_to_cpu(entry_size);
 		if (entry_size == 0)
 			break;
 
+		if (entry_size > (fve_entries_size - start)) {
+			r = -EINVAL;
+			goto out;
+		}
+
 		/* type of this entry */
 		memcpy(&entry_type, fve_entries + start + sizeof(entry_size), sizeof(entry_type));
 		entry_type = le16_to_cpu(entry_type);
 
 		/* VMK */
 		if (entry_type == BITLK_ENTRY_TYPE_VMK) {
+			if (entry_size < (BITLK_ENTRY_HEADER_LEN + sizeof(entry_vmk))) {
+				r = -EINVAL;
+				goto out;
+			}
 			/* skip first four variables in the entry (entry size, type, value and version) */
 			memcpy(&entry_vmk,
 			       fve_entries + start + BITLK_ENTRY_HEADER_LEN,
@@ -639,7 +663,11 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 			vmk_p = vmk;
 			vmk = vmk->next;
 		/* FVEK */
-		} else if (entry_type == BITLK_ENTRY_TYPE_FVEK) {
+		} else if (entry_type == BITLK_ENTRY_TYPE_FVEK && !params->fvek) {
+			if (entry_size < (BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE)) {
+				r = -EINVAL;
+				goto out;
+			}
 			params->fvek = malloc(sizeof(struct bitlk_fvek));
 			if (!params->fvek) {
 				r = -ENOMEM;
@@ -647,11 +675,11 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 			}
 			memcpy(params->fvek->nonce,
 			       fve_entries + start + BITLK_ENTRY_HEADER_LEN,
-			       sizeof(params->fvek->nonce));
+			       BITLK_NONCE_SIZE);
 			/* MAC tag */
 			memcpy(params->fvek->mac_tag,
 			       fve_entries + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE,
-			       sizeof(params->fvek->mac_tag));
+			       BITLK_VMK_MAC_TAG_SIZE);
 			/* AES-CCM encrypted key */
 			key_size = entry_size - (BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE);
 			key = (const char *) fve_entries + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE;
@@ -663,19 +691,29 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 		/* volume header info (location and size) */
 		} else if (entry_type == BITLK_ENTRY_TYPE_VOLUME_HEADER) {
 			struct bitlk_entry_header_block entry_header;
+			if ((fve_entries_size - start) < (BITLK_ENTRY_HEADER_LEN + sizeof(entry_header))) {
+				r = -EINVAL;
+				goto out;
+			}
 			memcpy(&entry_header,
 			       fve_entries + start + BITLK_ENTRY_HEADER_LEN,
 			       sizeof(entry_header));
 			params->volume_header_offset = le64_to_cpu(entry_header.offset);
 			params->volume_header_size = le64_to_cpu(entry_header.size);
 		/* volume description (utf-16 string) */
-		} else if (entry_type == BITLK_ENTRY_TYPE_DESCRIPTION) {
-			description = malloc((entry_size - BITLK_ENTRY_HEADER_LEN - BITLK_ENTRY_HEADER_LEN) * 2 + 1);
-			if (!description)
-				return -ENOMEM;
+		} else if (entry_type == BITLK_ENTRY_TYPE_DESCRIPTION && !params->description) {
+			if (entry_size < BITLK_ENTRY_HEADER_LEN) {
+				r = -EINVAL;
+				goto out;
+			}
+			description = malloc((entry_size - BITLK_ENTRY_HEADER_LEN) * 2 + 1);
+			if (!description) {
+				r = -ENOMEM;
+				goto out;
+			}
 			r = crypt_utf16_to_utf8(&description, CONST_CAST(char16_t *)(fve_entries + start + BITLK_ENTRY_HEADER_LEN),
 					                  entry_size - BITLK_ENTRY_HEADER_LEN);
-			if (r < 0 || !description) {
+			if (r < 0) {
 				free(description);
 				BITLK_bitlk_vmk_free(vmk);
 				log_err(cd, _("Failed to convert BITLK volume description"));
@@ -697,6 +735,7 @@ int BITLK_dump(struct crypt_device *cd, struct device *device, struct bitlk_meta
 {
 	struct volume_key *vk_p;
 	struct bitlk_vmk *vmk_p;
+	char time[32];
 	int next_id = 0;
 	int i = 0;
 
@@ -705,7 +744,8 @@ int BITLK_dump(struct crypt_device *cd, struct device *device, struct bitlk_meta
 	log_std(cd, "GUID:         \t%s\n", params->guid);
 	log_std(cd, "Sector size:  \t%u [bytes]\n", params->sector_size);
 	log_std(cd, "Volume size:  \t%" PRIu64 " [bytes]\n", params->volume_size);
-	log_std(cd, "Created:      \t%s", ctime((time_t *)&(params->creation_time)));
+	if (ctime_r((time_t *)&params->creation_time, time))
+		log_std(cd, "Created:      \t%s", time);
 	log_std(cd, "Description:  \t%s\n", params->description);
 	log_std(cd, "Cipher name:  \t%s\n", params->cipher);
 	log_std(cd, "Cipher mode:  \t%s\n", params->cipher_mode);
@@ -773,13 +813,13 @@ static int get_recovery_key(struct crypt_device *cd,
 	    - each part is a number dividable by 11
 	*/
 	if (passwordLen != BITLK_RECOVERY_KEY_LEN) {
-                if (passwordLen == BITLK_RECOVERY_KEY_LEN + 1 && password[passwordLen - 1] == '\n') {
-                        /* looks like a recovery key with an extra newline, possibly from a key file */
-                        passwordLen--;
-                        log_dbg(cd, "Possible extra EOL stripped from the recovery key.");
-                } else
-                        return 0;
-        }
+		if (passwordLen == BITLK_RECOVERY_KEY_LEN + 1 && password[passwordLen - 1] == '\n') {
+			/* looks like a recovery key with an extra newline, possibly from a key file */
+			passwordLen--;
+			log_dbg(cd, "Possible extra EOL stripped from the recovery key.");
+		} else
+			return 0;
+	}
 
 	for (i = BITLK_RECOVERY_PART_LEN; i < passwordLen; i += BITLK_RECOVERY_PART_LEN + 1) {
 		if (password[i] != '-')
@@ -822,13 +862,16 @@ static int parse_external_key_entry(struct crypt_device *cd,
 	struct bitlk_guid guid;
 	char guid_buf[UUID_STR_LEN] = {0};
 
-	while (end - start > 2) {
+	while ((end - start) >= (ssize_t)(sizeof(key_entry_size) + sizeof(key_entry_type) + sizeof(key_entry_value))) {
 		/* size of this entry */
 		memcpy(&key_entry_size, data + start, sizeof(key_entry_size));
 		key_entry_size = le16_to_cpu(key_entry_size);
 		if (key_entry_size == 0)
 			break;
 
+		if (key_entry_size > (end - start))
+			return -EINVAL;
+
 		/* type and value of this entry */
 		memcpy(&key_entry_type, data + start + sizeof(key_entry_size), sizeof(key_entry_type));
 		memcpy(&key_entry_value,
@@ -843,6 +886,8 @@ static int parse_external_key_entry(struct crypt_device *cd,
 		}
 
 		if (key_entry_value == BITLK_ENTRY_VALUE_KEY) {
+			if (key_entry_size < (BITLK_ENTRY_HEADER_LEN + 4))
+				return -EINVAL;
 			key_size = key_entry_size - (BITLK_ENTRY_HEADER_LEN + 4);
 			key = (const char *) data + start + BITLK_ENTRY_HEADER_LEN + 4;
 			*vk = crypt_alloc_volume_key(key_size, key);
@@ -854,6 +899,8 @@ static int parse_external_key_entry(struct crypt_device *cd,
 			;
 		/* GUID of the BitLocker device we are trying to open with this key */
 		else if (key_entry_value == BITLK_ENTRY_VALUE_GUID) {
+			if ((end - start) < (ssize_t)(BITLK_ENTRY_HEADER_LEN + sizeof(struct bitlk_guid)))
+				return -EINVAL;
 			memcpy(&guid, data + start + BITLK_ENTRY_HEADER_LEN, sizeof(struct bitlk_guid));
 			guid_to_string(&guid, guid_buf);
 			if (strcmp(guid_buf, params->guid) != 0) {
@@ -887,7 +934,7 @@ static int get_startup_key(struct crypt_device *cd,
 	uint16_t key_entry_type = 0;
 	uint16_t key_entry_value = 0;
 
-	if (passwordLen < BITLK_BEK_FILE_HEADER_LEN)
+	if (passwordLen < (BITLK_BEK_FILE_HEADER_LEN + sizeof(key_entry_size) + sizeof(key_entry_type) + sizeof(key_entry_value)))
 		return -EPERM;
 
 	memcpy(&bek_header, password, BITLK_BEK_FILE_HEADER_LEN);
@@ -899,13 +946,14 @@ static int get_startup_key(struct crypt_device *cd,
 	else
 		return -EPERM;
 
-	if (bek_header.metadata_version != 1) {
-		log_err(cd, _("Unsupported BEK metadata version %" PRIu32), bek_header.metadata_version);
+	if (le32_to_cpu(bek_header.metadata_version) != 1) {
+		log_err(cd, _("Unsupported BEK metadata version %" PRIu32), le32_to_cpu(bek_header.metadata_version));
 		return -ENOTSUP;
 	}
 
-	if (bek_header.metadata_size != passwordLen) {
-		log_err(cd, _("Unexpected BEK metadata size %" PRIu32 " does not match BEK file length"), bek_header.metadata_size);
+	if (le32_to_cpu(bek_header.metadata_size) != passwordLen) {
+		log_err(cd, _("Unexpected BEK metadata size %" PRIu32 " does not match BEK file length"),
+			le32_to_cpu(bek_header.metadata_size));
 		return -EINVAL;
 	}
 
@@ -936,8 +984,7 @@ static int get_startup_key(struct crypt_device *cd,
 	}
 }
 
-static int bitlk_kdf(struct crypt_device *cd,
-		     const char *password,
+static int bitlk_kdf(const char *password,
 		     size_t passwordLen,
 		     bool recovery,
 		     const uint8_t *salt,
@@ -1074,7 +1121,7 @@ int BITLK_get_volume_key(struct crypt_device *cd,
 	next_vmk = params->vmks;
 	while (next_vmk) {
 		if (next_vmk->protection == BITLK_PROTECTION_PASSPHRASE) {
-			r = bitlk_kdf(cd, password, passwordLen, false, next_vmk->salt, &vmk_dec_key);
+			r = bitlk_kdf(password, passwordLen, false, next_vmk->salt, &vmk_dec_key);
 			if (r) {
 				/* something wrong happened, but we still want to check other key slots */
 				next_vmk = next_vmk->next;
@@ -1094,7 +1141,7 @@ int BITLK_get_volume_key(struct crypt_device *cd,
 				continue;
 			}
 			log_dbg(cd, "Trying to use given password as a recovery key.");
-			r = bitlk_kdf(cd, recovery_key->key, recovery_key->keylength,
+			r = bitlk_kdf(recovery_key->key, recovery_key->keylength,
 				      true, next_vmk->salt, &vmk_dec_key);
 			crypt_free_volume_key(recovery_key);
 			if (r)

lib/bitlk/bitlk.h

@@ -1,9 +1,9 @@
 /*
  * BITLK (BitLocker-compatible) header definition
  *
- * Copyright (C) 2019-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2019-2022 Milan Broz
- * Copyright (C) 2019-2022 Vojtech Trefny
+ * Copyright (C) 2019-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2019-2024 Milan Broz
+ * Copyright (C) 2019-2024 Vojtech Trefny
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public

lib/crypt_plain.c

@@ -2,8 +2,8 @@
  * cryptsetup plain device helper functions
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
- * Copyright (C) 2010-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2022 Milan Broz
+ * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2024 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License

lib/crypto_backend/argon2/meson.build

@@ -0,0 +1,28 @@
+libargon2_sources = files(
+    'blake2/blake2b.c',
+    'argon2.c',
+    'core.c',
+    'encoding.c',
+    'thread.c',
+)
+
+if use_internal_sse_argon2
+    libargon2_sources += files(
+        'opt.c',
+    )
+else
+    libargon2_sources += files(
+        'ref.c',
+    )
+endif
+
+libargon2 = static_library('argon2',
+    libargon2_sources,
+    override_options : ['c_std=c89', 'optimization=3'],
+    build_by_default : false,
+    include_directories: include_directories(
+        'blake2',
+    ),
+    dependencies : [
+        threads,
+    ])

lib/crypto_backend/argon2_generic.c

@@ -1,8 +1,8 @@
 /*
  * Argon2 PBKDF2 library wrapper
  *
- * Copyright (C) 2016-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2016-2022 Milan Broz
+ * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2016-2024 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -21,22 +21,23 @@
 
 #include <errno.h>
 #include "crypto_backend_internal.h"
+
+/* Check for HAVE_ARGON2_H is run only if libargon2 code is used */
+#if USE_INTERNAL_ARGON2 || HAVE_ARGON2_H
+
+#define CONST_CAST(x) (x)(uintptr_t)
+
 #if HAVE_ARGON2_H
 #include <argon2.h>
 #else
 #include "argon2/argon2.h"
 #endif
 
-#define CONST_CAST(x) (x)(uintptr_t)
-
 int argon2(const char *type, const char *password, size_t password_length,
 	   const char *salt, size_t salt_length,
 	   char *key, size_t key_length,
 	   uint32_t iterations, uint32_t memory, uint32_t parallel)
 {
-#if !USE_INTERNAL_ARGON2 && !HAVE_ARGON2_H
-	return -EINVAL;
-#else
 	argon2_type atype;
 	argon2_context context = {
 		.flags = ARGON2_DEFAULT_FLAGS,
@@ -54,6 +55,9 @@ int argon2(const char *type, const char *password, size_t password_length,
 	};
 	int r;
 
+	/* This code must not be run if crypt backend library natively supports Argon2 */
+	assert(!(crypt_backend_flags() & CRYPT_BACKEND_ARGON2));
+
 	if (!strcmp(type, "argon2i"))
 		atype = Argon2_i;
 	else if(!strcmp(type, "argon2id"))
@@ -75,5 +79,33 @@ int argon2(const char *type, const char *password, size_t password_length,
 	}
 
 	return r;
-#endif
+}
+
+#else /* USE_INTERNAL_ARGON2 || HAVE_ARGON2_H */
+#pragma GCC diagnostic ignored "-Wunused-parameter"
+
+int argon2(const char *type, const char *password, size_t password_length,
+	   const char *salt, size_t salt_length,
+	   char *key, size_t key_length,
+	   uint32_t iterations, uint32_t memory, uint32_t parallel)
+{
+	return -EINVAL;
+}
+
+#endif
+
+/* Additional string for crypt backend version */
+const char *crypt_argon2_version(void)
+{
+	const char *version = "";
+
+	if (crypt_backend_flags() & CRYPT_BACKEND_ARGON2)
+		return version;
+
+#if HAVE_ARGON2_H /* this has priority over internal argon2 */
+	version = " [external libargon2]";
+#elif USE_INTERNAL_ARGON2
+	version = " [cryptsetup libargon2]";
+#endif
+	return version;
 }

lib/crypto_backend/base64.c

@@ -4,7 +4,7 @@
  * Copyright (C) 2010 Lennart Poettering
  *
  * cryptsetup related changes
- * Copyright (C) 2021-2022 Milan Broz
+ * Copyright (C) 2021-2024 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public

lib/crypto_backend/cipher_check.c

@@ -1,8 +1,8 @@
 /*
  * Cipher performance check
  *
- * Copyright (C) 2018-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2018-2022 Milan Broz
+ * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2024 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public

lib/crypto_backend/cipher_generic.c

@@ -1,8 +1,8 @@
 /*
  * Linux kernel cipher generic utilities
  *
- * Copyright (C) 2018-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2018-2022 Milan Broz
+ * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2024 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -51,6 +51,7 @@ static const struct cipher_alg cipher_algs[] = {
 	{ "xchacha12,aes", "adiantum", 32, false },
 	{ "xchacha20,aes", "adiantum", 32, false },
 	{ "sm4",         NULL, 16, false },
+	{ "aria",        NULL, 16, false },
 	{ NULL,          NULL,  0, false }
 };
 

lib/crypto_backend/crc32.c

@@ -158,7 +158,7 @@ static const uint32_t crc32c_tab[] = {
  * whatever they need.
  */
 static uint32_t compute_crc32(
-	const uint32_t *crc32_tab,
+	const uint32_t *crc32_table,
 	uint32_t seed,
 	const unsigned char *buf,
 	size_t len)
@@ -167,7 +167,7 @@ static uint32_t compute_crc32(
 	const unsigned char *p = buf;
 
 	while(len-- > 0)
-		crc = crc32_tab[(crc ^ *p++) & 0xff] ^ (crc >> 8);
+		crc = crc32_table[(crc ^ *p++) & 0xff] ^ (crc >> 8);
 
 	return crc;
 }

lib/crypto_backend/crypto_backend.h

@@ -1,8 +1,8 @@
 /*
  * crypto backend implementation
  *
- * Copyright (C) 2010-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2022 Milan Broz
+ * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2024 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -41,10 +41,13 @@ struct crypt_storage;
 int crypt_backend_init(bool fips);
 void crypt_backend_destroy(void);
 
-#define CRYPT_BACKEND_KERNEL (1 << 0)	/* Crypto uses kernel part, for benchmark */
+#define CRYPT_BACKEND_KERNEL     (1 << 0) /* Crypto uses kernel part, for benchmark */
+#define CRYPT_BACKEND_PBKDF2_INT (1 << 1) /* Iteration in PBKDF2 is signed int and can overflow */
+#define CRYPT_BACKEND_ARGON2     (1 << 2) /* Backend provides native Argon2 implementation */
 
 uint32_t crypt_backend_flags(void);
 const char *crypt_backend_version(void);
+const char *crypt_argon2_version(void);
 
 /* HASH */
 int crypt_hash_size(const char *name);

lib/crypto_backend/crypto_backend_internal.h

@@ -1,8 +1,8 @@
 /*
  * crypto backend implementation
  *
- * Copyright (C) 2010-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2022 Milan Broz
+ * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2024 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public

lib/crypto_backend/crypto_cipher_kernel.c

@@ -1,8 +1,8 @@
 /*
  * Linux kernel userspace API crypto backend implementation (skcipher)
  *
- * Copyright (C) 2012-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2022 Milan Broz
+ * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2024 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -109,6 +109,7 @@ int crypt_cipher_init_kernel(struct crypt_cipher_kernel *ctx, const char *name,
 }
 
 /* The in/out should be aligned to page boundary */
+/* coverity[ -taint_source : arg-3 ] */
 static int _crypt_cipher_crypt(struct crypt_cipher_kernel *ctx,
 			       const char *in, size_t in_length,
 			       char *out, size_t out_length,
@@ -312,6 +313,8 @@ int crypt_bitlk_decrypt_key_kernel(const void *key, size_t key_length,
 }
 
 #else /* ENABLE_AF_ALG */
+#pragma GCC diagnostic ignored "-Wunused-parameter"
+
 int crypt_cipher_init_kernel(struct crypt_cipher_kernel *ctx, const char *name,
 			     const char *mode, const void *key, size_t key_length)
 {

lib/crypto_backend/crypto_gcrypt.c

@@ -1,8 +1,8 @@
 /*
  * GCRYPT crypto backend implementation
  *
- * Copyright (C) 2010-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2022 Milan Broz
+ * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2024 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -23,6 +23,7 @@
 #include <stdio.h>
 #include <errno.h>
 #include <gcrypt.h>
+#include <pthread.h>
 #include "crypto_backend_internal.h"
 
 static int crypto_backend_initialised = 0;
@@ -126,10 +127,11 @@ int crypt_backend_init(bool fips __attribute__((unused)))
 	crypto_backend_initialised = 1;
 	crypt_hash_test_whirlpool_bug();
 
-	r = snprintf(version, sizeof(version), "gcrypt %s%s%s",
+	r = snprintf(version, sizeof(version), "gcrypt %s%s%s%s",
 		 gcry_check_version(NULL),
 		 crypto_backend_secmem ? "" : ", secmem disabled",
-		 crypto_backend_whirlpool_bug > 0 ? ", flawed whirlpool" : "");
+		 crypto_backend_whirlpool_bug > 0 ? ", flawed whirlpool" : "",
+		 crypt_backend_flags() & CRYPT_BACKEND_ARGON2 ? ", argon2" : "");
 	if (r < 0 || (size_t)r >= sizeof(version))
 		return -EINVAL;
 
@@ -151,7 +153,11 @@ const char *crypt_backend_version(void)
 
 uint32_t crypt_backend_flags(void)
 {
-	return 0;
+	uint32_t flags = 0;
+#if HAVE_DECL_GCRY_KDF_ARGON2 && !USE_INTERNAL_ARGON2
+	flags |= CRYPT_BACKEND_ARGON2;
+#endif
+	return flags;
 }
 
 static const char *crypt_hash_compat_name(const char *name, unsigned int *flags)
@@ -266,7 +272,6 @@ int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length)
 void crypt_hash_destroy(struct crypt_hash *ctx)
 {
 	gcry_md_close(ctx->hd);
-	memset(ctx, 0, sizeof(*ctx));
 	free(ctx);
 }
 
@@ -341,7 +346,6 @@ int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length)
 void crypt_hmac_destroy(struct crypt_hmac *ctx)
 {
 	gcry_md_close(ctx->hd);
-	memset(ctx, 0, sizeof(*ctx));
 	free(ctx);
 }
 
@@ -386,6 +390,130 @@ static int pbkdf2(const char *hash,
 #endif /* USE_INTERNAL_PBKDF2 */
 }
 
+#if HAVE_DECL_GCRY_KDF_ARGON2 && !USE_INTERNAL_ARGON2
+struct gcrypt_thread_job
+{
+	pthread_t thread;
+	struct job_thread_param {
+		gcry_kdf_job_fn_t job;
+		void *p;
+	} work;
+};
+
+struct gcrypt_threads
+{
+	pthread_attr_t attr;
+	unsigned int num_threads;
+	unsigned int max_threads;
+	struct gcrypt_thread_job *jobs_ctx;
+};
+
+static void *gcrypt_job_thread(void *p)
+{
+	struct job_thread_param *param = p;
+	param->job(param->p);
+	pthread_exit(NULL);
+}
+
+static int gcrypt_wait_all_jobs(void *ctx)
+{
+	unsigned int i;
+	struct gcrypt_threads *threads = ctx;
+
+	for (i = 0; i < threads->num_threads; i++) {
+		pthread_join(threads->jobs_ctx[i].thread, NULL);
+		threads->jobs_ctx[i].thread = 0;
+	}
+
+	threads->num_threads = 0;
+	return 0;
+}
+
+static int gcrypt_dispatch_job(void *ctx, gcry_kdf_job_fn_t job, void *p)
+{
+	struct gcrypt_threads *threads = ctx;
+
+	if (threads->num_threads >= threads->max_threads)
+		return -1;
+
+	threads->jobs_ctx[threads->num_threads].work.job = job;
+	threads->jobs_ctx[threads->num_threads].work.p = p;
+
+	if (pthread_create(&threads->jobs_ctx[threads->num_threads].thread, &threads->attr,
+			   gcrypt_job_thread, &threads->jobs_ctx[threads->num_threads].work))
+		return -1;
+
+	threads->num_threads++;
+	return 0;
+}
+
+static int gcrypt_argon2(const char *type,
+	const char *password, size_t password_length,
+	const char *salt, size_t salt_length,
+	char *key, size_t key_length,
+	uint32_t iterations, uint32_t memory, uint32_t parallel)
+{
+	gcry_kdf_hd_t hd;
+	int atype, r = -EINVAL;
+	unsigned long param[4];
+	struct gcrypt_threads threads = {
+		.max_threads = parallel,
+		.num_threads = 0
+	};
+	const gcry_kdf_thread_ops_t ops = {
+		.jobs_context = &threads,
+		.dispatch_job = gcrypt_dispatch_job,
+		.wait_all_jobs = gcrypt_wait_all_jobs
+	};
+
+	if (!strcmp(type, "argon2i"))
+		atype = GCRY_KDF_ARGON2I;
+	else if (!strcmp(type, "argon2id"))
+		atype = GCRY_KDF_ARGON2ID;
+	else
+		return -EINVAL;
+
+	param[0] = key_length;
+	param[1] = iterations;
+	param[2] = memory;
+	param[3] = parallel;
+
+	if (gcry_kdf_open(&hd, GCRY_KDF_ARGON2, atype, param, 4,
+			password, password_length, salt, salt_length,
+			NULL, 0, NULL, 0)) {
+		free(threads.jobs_ctx);
+		return -EINVAL;
+	}
+
+	if (parallel == 1) {
+		/* Do not use threads here */
+		if (gcry_kdf_compute(hd, NULL))
+			goto out;
+	} else {
+		threads.jobs_ctx = calloc(threads.max_threads,
+				      sizeof(struct gcrypt_thread_job));
+		if (!threads.jobs_ctx)
+			goto out;
+
+		if (pthread_attr_init(&threads.attr))
+			goto out;
+
+		if (gcry_kdf_compute(hd, &ops))
+			goto out;
+	}
+
+	if (gcry_kdf_final(hd, key_length, key))
+		goto out;
+	r = 0;
+out:
+	gcry_kdf_close(hd);
+	pthread_attr_destroy(&threads.attr);
+	free(threads.jobs_ctx);
+
+	return r;
+}
+#endif
+
 /* PBKDF */
 int crypt_pbkdf(const char *kdf, const char *hash,
 		const char *password, size_t password_length,
@@ -400,8 +528,13 @@ int crypt_pbkdf(const char *kdf, const char *hash,
 		return pbkdf2(hash, password, password_length, salt, salt_length,
 			      key, key_length, iterations);
 	else if (!strncmp(kdf, "argon2", 6))
+#if HAVE_DECL_GCRY_KDF_ARGON2 && !USE_INTERNAL_ARGON2
+		return gcrypt_argon2(kdf, password, password_length, salt, salt_length,
+				     key, key_length, iterations, memory, parallel);
+#else
 		return argon2(kdf, password, password_length, salt, salt_length,
 			      key, key_length, iterations, memory, parallel);
+#endif
 	return -EINVAL;
 }
 
@@ -565,6 +698,9 @@ bool crypt_fips_mode(void)
 	if (fips_checked)
 		return fips_mode;
 
+	if (crypt_backend_init(false /* ignored */))
+		return false;
+
 	fips_mode = gcry_fips_mode_active();
 	fips_checked = true;
 

lib/crypto_backend/crypto_kernel.c

@@ -1,8 +1,8 @@
 /*
  * Linux kernel userspace API crypto backend implementation
  *
- * Copyright (C) 2010-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2022 Milan Broz
+ * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2024 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -245,7 +245,6 @@ void crypt_hash_destroy(struct crypt_hash *ctx)
 		close(ctx->tfmfd);
 	if (ctx->opfd >= 0)
 		close(ctx->opfd);
-	memset(ctx, 0, sizeof(*ctx));
 	free(ctx);
 }
 
@@ -324,7 +323,6 @@ void crypt_hmac_destroy(struct crypt_hmac *ctx)
 		close(ctx->tfmfd);
 	if (ctx->opfd >= 0)
 		close(ctx->opfd);
-	memset(ctx, 0, sizeof(*ctx));
 	free(ctx);
 }
 

lib/crypto_backend/crypto_nettle.c

@@ -1,8 +1,8 @@
 /*
  * Nettle crypto backend implementation
  *
- * Copyright (C) 2011-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2011-2022 Milan Broz
+ * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2024 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public

lib/crypto_backend/crypto_nss.c

@@ -1,8 +1,8 @@
 /*
  * NSS crypto backend implementation
  *
- * Copyright (C) 2010-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2022 Milan Broz
+ * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2024 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public

lib/crypto_backend/crypto_openssl.c

@@ -1,8 +1,8 @@
 /*
  * OPENSSL crypto backend implementation
  *
- * Copyright (C) 2010-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2022 Milan Broz
+ * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2024 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -30,6 +30,7 @@
 
 #include <string.h>
 #include <errno.h>
+#include <limits.h>
 #include <openssl/crypto.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
@@ -43,9 +44,20 @@ static OSSL_PROVIDER *ossl_legacy = NULL;
 static OSSL_PROVIDER *ossl_default = NULL;
 static OSSL_LIB_CTX  *ossl_ctx = NULL;
 static char backend_version[256] = "OpenSSL";
+
+#define MAX_THREADS 8
+#if !HAVE_DECL_OSSL_GET_MAX_THREADS
+static int OSSL_set_max_threads(OSSL_LIB_CTX *ctx __attribute__((unused)),
+				uint64_t max_threads __attribute__((unused))) { return 0; }
+static uint64_t OSSL_get_max_threads(OSSL_LIB_CTX *ctx __attribute__((unused))) { return 0; }
+#else
+#include <openssl/thread.h>
+#endif
+
 #endif
 
 #define CONST_CAST(x) (x)(uintptr_t)
+#define UNUSED(x) (void)(x)
 
 static int crypto_backend_initialised = 0;
 
@@ -161,6 +173,7 @@ static int openssl_backend_init(bool fips)
  */
 #if OPENSSL_VERSION_MAJOR >= 3
 	int r;
+	bool ossl_threads = false;
 
 	/*
 	 * In FIPS mode we keep default OpenSSL context & global config
@@ -180,16 +193,24 @@ static int openssl_backend_init(bool fips)
 		ossl_legacy = OSSL_PROVIDER_try_load(ossl_ctx, "legacy", 0);
 	}
 
-	r = snprintf(backend_version, sizeof(backend_version), "%s %s%s%s",
+	if (OSSL_set_max_threads(ossl_ctx, MAX_THREADS) == 1 &&
+	    OSSL_get_max_threads(ossl_ctx) == MAX_THREADS)
+		ossl_threads = true;
+
+	r = snprintf(backend_version, sizeof(backend_version), "%s %s%s%s%s%s",
 		OpenSSL_version(OPENSSL_VERSION),
 		ossl_default ? "[default]" : "",
 		ossl_legacy  ? "[legacy]" : "",
-		fips  ? "[fips]" : "");
+		fips  ? "[fips]" : "",
+		ossl_threads ? "[threads]" : "",
+		crypt_backend_flags() & CRYPT_BACKEND_ARGON2 ? "[argon2]" : "");
 
 	if (r < 0 || (size_t)r >= sizeof(backend_version)) {
 		openssl_backend_exit();
 		return -EINVAL;
 	}
+#else
+	UNUSED(fips);
 #endif
 	return 0;
 }
@@ -231,7 +252,14 @@ void crypt_backend_destroy(void)
 
 uint32_t crypt_backend_flags(void)
 {
-	return 0;
+	uint32_t flags = 0;
+#if OPENSSL_VERSION_MAJOR < 3
+	flags |= CRYPT_BACKEND_PBKDF2_INT;
+#endif
+#if HAVE_DECL_OSSL_KDF_PARAM_ARGON2_VERSION
+	flags |= CRYPT_BACKEND_ARGON2;
+#endif
+	return flags;
 }
 
 const char *crypt_backend_version(void)
@@ -276,6 +304,8 @@ static void hash_id_free(const EVP_MD *hash_id)
 {
 #if OPENSSL_VERSION_MAJOR >= 3
 	EVP_MD_free(CONST_CAST(EVP_MD*)hash_id);
+#else
+	UNUSED(hash_id);
 #endif
 }
 
@@ -292,6 +322,8 @@ static void cipher_type_free(const EVP_CIPHER *cipher_type)
 {
 #if OPENSSL_VERSION_MAJOR >= 3
 	EVP_CIPHER_free(CONST_CAST(EVP_CIPHER*)cipher_type);
+#else
+	UNUSED(cipher_type);
 #endif
 }
 
@@ -386,7 +418,6 @@ void crypt_hash_destroy(struct crypt_hash *ctx)
 {
 	hash_id_free(ctx->hash_id);
 	EVP_MD_CTX_free(ctx->md);
-	memset(ctx, 0, sizeof(*ctx));
 	free(ctx);
 }
 
@@ -522,7 +553,6 @@ void crypt_hmac_destroy(struct crypt_hmac *ctx)
 	hash_id_free(ctx->hash_id);
 	HMAC_CTX_free(ctx->md);
 #endif
-	memset(ctx, 0, sizeof(*ctx));
 	free(ctx);
 }
 
@@ -574,6 +604,10 @@ static int openssl_pbkdf2(const char *password, size_t password_length,
 	if (!hash_id)
 		return -EINVAL;
 
+	/* OpenSSL2 has iteration as signed int, avoid overflow */
+	if (iterations > INT_MAX)
+		return -EINVAL;
+
 	r = PKCS5_PBKDF2_HMAC(password, (int)password_length, (const unsigned char *)salt,
 		(int)salt_length, iterations, hash_id, (int)key_length, (unsigned char*) key);
 #endif
@@ -584,8 +618,53 @@ static int openssl_argon2(const char *type, const char *password, size_t passwor
 	const char *salt, size_t salt_length, char *key, size_t key_length,
 	uint32_t iterations, uint32_t memory, uint32_t parallel)
 {
+#if HAVE_DECL_OSSL_KDF_PARAM_ARGON2_VERSION
+	EVP_KDF_CTX *ctx;
+	EVP_KDF *argon2;
+	unsigned int threads = parallel;
+	int r;
+	OSSL_PARAM params[] = {
+		OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD,
+			CONST_CAST(void*)password, password_length),
+		OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT,
+			CONST_CAST(void*)salt, salt_length),
+		OSSL_PARAM_uint32(OSSL_KDF_PARAM_ITER, &iterations),
+		OSSL_PARAM_uint(OSSL_KDF_PARAM_THREADS, &threads),
+		OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_LANES, &parallel),
+		OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_MEMCOST, &memory),
+		OSSL_PARAM_END
+	};
+
+	if (OSSL_get_max_threads(ossl_ctx) == 0)
+		threads = 1;
+
+	argon2 = EVP_KDF_fetch(ossl_ctx, type, NULL);
+	if (!argon2)
+		return -EINVAL;
+
+	ctx = EVP_KDF_CTX_new(argon2);
+	if (!ctx) {
+		EVP_KDF_free(argon2);
+		return -EINVAL;;
+	}
+
+	if (EVP_KDF_CTX_set_params(ctx, params) != 1) {
+		EVP_KDF_CTX_free(ctx);
+		EVP_KDF_free(argon2);
+		return -EINVAL;
+	}
+
+	r = EVP_KDF_derive(ctx, (unsigned char*)key, key_length, NULL /*params*/);
+
+	EVP_KDF_CTX_free(ctx);
+	EVP_KDF_free(argon2);
+
+	/* _derive() returns 0 or negative value on error, 1 on success */
+	return r == 1 ? 0 : -EINVAL;
+#else
 	return argon2(type, password, password_length, salt, salt_length,
 		      key, key_length, iterations, memory, parallel);
+#endif
 }
 
 /* PBKDF */

lib/crypto_backend/crypto_storage.c

@@ -2,7 +2,7 @@
  * Generic wrapper for storage encryption modes and Initial Vectors
  * (reimplementation of some functions from Linux dm-crypt kernel)
  *
- * Copyright (C) 2014-2022 Milan Broz
+ * Copyright (C) 2014-2024 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public

lib/crypto_backend/meson.build

@@ -0,0 +1,40 @@
+if use_internal_argon2
+    subdir('argon2')
+endif
+
+libcrypto_backend_dependencies = [
+    crypto_backend_library,
+    clock_gettime,
+]
+libcrypto_backend_link_with = []
+
+libcrypto_backend_sources = files(
+    'argon2_generic.c',
+    'base64.c',
+    'cipher_check.c',
+    'cipher_generic.c',
+    'crc32.c',
+    'crypto_cipher_kernel.c',
+    'crypto_storage.c',
+    'pbkdf_check.c',
+    'utf8.c',
+)
+
+crypto_backend = get_option('crypto-backend')
+libcrypto_backend_sources += files('crypto_@0@.c'.format(crypto_backend))
+
+if use_internal_pbkdf2
+    libcrypto_backend_sources += files('pbkdf2_generic.c')
+endif
+
+if use_internal_argon2 and get_option('argon-implementation') == 'internal'
+    libcrypto_backend_link_with += libargon2
+elif get_option('argon-implementation') == 'libargon2'
+    libcrypto_backend_dependencies += libargon2_external
+endif
+
+libcrypto_backend = static_library('crypto_backend',
+    libcrypto_backend_sources,
+    include_directories: includes_lib,
+    dependencies: libcrypto_backend_dependencies,
+    link_with: libcrypto_backend_link_with)

lib/crypto_backend/pbkdf2_generic.c

@@ -4,8 +4,8 @@
  * Copyright (C) 2004 Free Software Foundation
  *
  * cryptsetup related changes
- * Copyright (C) 2012-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2022 Milan Broz
+ * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2024 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public

lib/crypto_backend/pbkdf_check.c

@@ -1,7 +1,7 @@
 /*
  * PBKDF performance check
- * Copyright (C) 2012-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2022 Milan Broz
+ * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2024 Milan Broz
  * Copyright (C) 2016-2020 Ondrej Mosnacek
  *
  * This file is free software; you can redistribute it and/or

lib/crypto_backend/utf8.c

@@ -4,7 +4,7 @@
  * Copyright (C) 2010 Lennart Poettering
  *
  * cryptsetup related changes
- * Copyright (C) 2021-2022 Vojtech Trefny
+ * Copyright (C) 2021-2024 Vojtech Trefny
 
  * Parts of the original systemd implementation are based on the GLIB utf8
  * validation functions.

lib/fvault2/fvault2.c

@@ -435,7 +435,7 @@ static int _reformat_uuid(
 	const char *uuid_in,
 	char *uuid_out)
 {
-	uint8_t uuid_bin[UUID_STR_LEN];
+	uint8_t uuid_bin[FVAULT2_UUID_LEN];
 	int r;
 
 	r = uuid_parse(uuid_in, uuid_bin);

lib/integrity/integrity.c

@@ -1,7 +1,7 @@
 /*
  * Integrity volume handling
  *
- * Copyright (C) 2016-2022 Milan Broz
+ * Copyright (C) 2016-2024 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -335,13 +335,62 @@ int INTEGRITY_activate(struct crypt_device *cd,
 	return r;
 }
 
+static int _create_reduced_device(struct crypt_device *cd,
+				  const char *name,
+				  uint64_t device_size_sectors,
+				  struct device **ret_device)
+{
+	int r;
+	char path[PATH_MAX];
+	struct device *dev;
+
+	struct crypt_dm_active_device dmd = {
+		.size = device_size_sectors,
+		.flags = CRYPT_ACTIVATE_PRIVATE,
+	};
+
+	assert(cd);
+	assert(name);
+	assert(device_size_sectors);
+	assert(ret_device);
+
+	r = snprintf(path, sizeof(path), "%s/%s", dm_get_dir(), name);
+	if (r < 0 || (size_t)r >= sizeof(path))
+		return -EINVAL;
+
+	r = device_block_adjust(cd, crypt_data_device(cd), DEV_OK,
+				crypt_get_data_offset(cd), &device_size_sectors, &dmd.flags);
+	if (r)
+		return r;
+
+	log_dbg(cd, "Activating reduced helper device %s.", name);
+
+	r = dm_linear_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd), crypt_get_data_offset(cd));
+	if (!r)
+		r = dm_create_device(cd, name, CRYPT_SUBDEV, &dmd);
+	dm_targets_free(cd, &dmd);
+	if (r < 0)
+		return r;
+
+	r = device_alloc(cd, &dev, path);
+	if (!r) {
+		*ret_device = dev;
+		return 0;
+	}
+
+	dm_remove_device(cd, name, CRYPT_DEACTIVATE_FORCE);
+
+	return r;
+}
+
 int INTEGRITY_format(struct crypt_device *cd,
 		     const struct crypt_params_integrity *params,
 		     struct volume_key *journal_crypt_key,
-		     struct volume_key *journal_mac_key)
+		     struct volume_key *journal_mac_key,
+		     uint64_t backing_device_sectors)
 {
 	uint32_t dmi_flags;
-	char tmp_name[64], tmp_uuid[40];
+	char reduced_device_name[70], tmp_name[64], tmp_uuid[40];
 	struct crypt_dm_active_device dmdi = {
 		.size = 8,
 		.flags = CRYPT_ACTIVATE_PRIVATE, /* We always create journal but it can be unused later */
@@ -349,6 +398,8 @@ int INTEGRITY_format(struct crypt_device *cd,
 	struct dm_target *tgt = &dmdi.segment;
 	int r;
 	uuid_t tmp_uuid_bin;
+	uint64_t data_offset_sectors;
+	struct device *p_metadata_device, *p_data_device, *reduced_device = NULL;
 	struct volume_key *vk = NULL;
 
 	uuid_generate(tmp_uuid_bin);
@@ -358,18 +409,42 @@ int INTEGRITY_format(struct crypt_device *cd,
 	if (r < 0 || (size_t)r >= sizeof(tmp_name))
 		return -EINVAL;
 
+	p_metadata_device = INTEGRITY_metadata_device(cd);
+
+	if (backing_device_sectors) {
+		r = snprintf(reduced_device_name, sizeof(reduced_device_name),
+			     "temporary-cryptsetup-reduced-%s", tmp_uuid);
+		if (r < 0 || (size_t)r >= sizeof(reduced_device_name))
+			return -EINVAL;
+
+		/*
+		 * Creates reduced dm-linear mapping over data device starting at
+		 * crypt_data_offset(cd) and backing_device_sectors in size.
+		 */
+		r = _create_reduced_device(cd, reduced_device_name,
+					   backing_device_sectors, &reduced_device);
+		if (r < 0)
+			return r;
+
+		data_offset_sectors = 0;
+		p_data_device = reduced_device;
+		if (p_metadata_device == crypt_data_device(cd))
+			p_metadata_device = reduced_device;
+	} else {
+		data_offset_sectors = crypt_get_data_offset(cd);
+		p_data_device = crypt_data_device(cd);
+	}
+
 	/* There is no data area, we can actually use fake zeroed key */
 	if (params && params->integrity_key_size)
 		vk = crypt_alloc_volume_key(params->integrity_key_size, NULL);
 
-	r = dm_integrity_target_set(cd, tgt, 0, dmdi.size, INTEGRITY_metadata_device(cd),
-			crypt_data_device(cd), crypt_get_integrity_tag_size(cd),
-			crypt_get_data_offset(cd), crypt_get_sector_size(cd), vk,
+	r = dm_integrity_target_set(cd, tgt, 0, dmdi.size, p_metadata_device,
+			p_data_device, crypt_get_integrity_tag_size(cd),
+			data_offset_sectors, crypt_get_sector_size(cd), vk,
 			journal_crypt_key, journal_mac_key, params);
-	if (r < 0) {
-		crypt_free_volume_key(vk);
-		return r;
-	}
+	if (r < 0)
+		goto err;
 
 	log_dbg(cd, "Trying to format INTEGRITY device on top of %s, tmp name %s, tag size %d.",
 		device_path(tgt->data_device), tmp_name, tgt->u.integrity.tag_size);
@@ -379,24 +454,26 @@ int INTEGRITY_format(struct crypt_device *cd,
 		log_err(cd, _("Kernel does not support dm-integrity mapping."));
 		r = -ENOTSUP;
 	}
-	if (r) {
-		dm_targets_free(cd, &dmdi);
-		return r;
-	}
+	if (r)
+		goto err;
 
 	if (tgt->u.integrity.meta_device) {
 		r = device_block_adjust(cd, tgt->u.integrity.meta_device, DEV_EXCL, 0, NULL, NULL);
-		if (r) {
-			dm_targets_free(cd, &dmdi);
-			return r;
-		}
+		if (r)
+			goto err;
 	}
 
 	r = dm_create_device(cd, tmp_name, CRYPT_INTEGRITY, &dmdi);
-	crypt_free_volume_key(vk);
-	dm_targets_free(cd, &dmdi);
 	if (r)
-		return r;
+		goto err;
 
-	return dm_remove_device(cd, tmp_name, CRYPT_DEACTIVATE_FORCE);
+	r = dm_remove_device(cd, tmp_name, CRYPT_DEACTIVATE_FORCE);
+err:
+	dm_targets_free(cd, &dmdi);
+	crypt_free_volume_key(vk);
+	if (reduced_device) {
+		dm_remove_device(cd, reduced_device_name, CRYPT_DEACTIVATE_FORCE);
+		device_free(cd, reduced_device);
+	}
+	return r;
 }

lib/integrity/integrity.h

@@ -1,7 +1,7 @@
 /*
  * Integrity header definition
  *
- * Copyright (C) 2016-2022 Milan Broz
+ * Copyright (C) 2016-2024 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -75,7 +75,8 @@ int INTEGRITY_hash_tag_size(const char *integrity);
 int INTEGRITY_format(struct crypt_device *cd,
 		     const struct crypt_params_integrity *params,
 		     struct volume_key *journal_crypt_key,
-		     struct volume_key *journal_mac_key);
+		     struct volume_key *journal_mac_key,
+		     uint64_t backing_device_sectors);
 
 int INTEGRITY_activate(struct crypt_device *cd,
 		       const char *name,

lib/internal.h

@@ -3,8 +3,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2022 Milan Broz
+ * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2024 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -53,6 +53,7 @@
 #define MAX_DM_DEPS		32
 
 #define CRYPT_SUBDEV           "SUBDEV" /* prefix for sublayered devices underneath public crypt types */
+#define CRYPT_LUKS2_HW_OPAL    "LUKS2-OPAL" /* dm uuid prefix used for any HW OPAL enabled LUKS2 device */
 
 #ifndef O_CLOEXEC
 #define O_CLOEXEC 0
@@ -89,6 +90,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd,
 				   struct crypt_pbkdf_type *pbkdf,
 				   size_t volume_key_size);
 const char *crypt_get_cipher_spec(struct crypt_device *cd);
+uint32_t pbkdf_adjusted_phys_memory_kb(void);
 
 /* Device backend */
 struct device;
@@ -113,6 +115,7 @@ void device_release_excl(struct crypt_device *cd, struct device *device);
 void device_disable_direct_io(struct device *device);
 int device_is_identical(struct device *device1, struct device *device2);
 int device_is_rotational(struct device *device);
+int device_is_dax(struct device *device);
 size_t device_alignment(struct device *device);
 int device_direct_io(const struct device *device);
 int device_fallocate(struct device *device, uint64_t size);
@@ -153,21 +156,31 @@ int create_or_reload_device_with_integrity(struct crypt_device *cd, const char *
 struct device *crypt_metadata_device(struct crypt_device *cd);
 struct device *crypt_data_device(struct crypt_device *cd);
 
+uint64_t crypt_get_metadata_size_bytes(struct crypt_device *cd);
+uint64_t crypt_get_keyslots_size_bytes(struct crypt_device *cd);
+uint64_t crypt_get_data_offset_sectors(struct crypt_device *cd);
+int crypt_opal_supported(struct crypt_device *cd, struct device *opal_device);
+
 int crypt_confirm(struct crypt_device *cd, const char *msg);
 
 char *crypt_lookup_dev(const char *dev_id);
 int crypt_dev_is_rotational(int major, int minor);
+int crypt_dev_is_dax(int major, int minor);
 int crypt_dev_is_partition(const char *dev_path);
 char *crypt_get_partition_device(const char *dev_path, uint64_t offset, uint64_t size);
+int crypt_dev_get_partition_number(const char *dev_path);
 char *crypt_get_base_device(const char *dev_path);
 uint64_t crypt_dev_partition_offset(const char *dev_path);
 int lookup_by_disk_id(const char *dm_uuid);
 int lookup_by_sysfs_uuid_field(const char *dm_uuid);
 int crypt_uuid_cmp(const char *dm_uuid, const char *hdr_uuid);
+int crypt_uuid_type_cmp(const char *dm_uuid, const char *type);
 
 size_t crypt_getpagesize(void);
 unsigned crypt_cpusonline(void);
 uint64_t crypt_getphysmemory_kb(void);
+uint64_t crypt_getphysmemoryfree_kb(void);
+bool crypt_swapavailable(void);
 
 int init_crypto(struct crypt_device *ctx);
 
@@ -202,7 +215,7 @@ void crypt_set_luks2_reencrypt(struct crypt_device *cd, struct luks2_reencrypt *
 struct luks2_reencrypt *crypt_get_luks2_reencrypt(struct crypt_device *cd);
 
 int onlyLUKS2(struct crypt_device *cd);
-int onlyLUKS2mask(struct crypt_device *cd, uint32_t mask);
+int onlyLUKS2reencrypt(struct crypt_device *cd);
 
 int crypt_wipe_device(struct crypt_device *cd,
 	struct device *device,
@@ -221,6 +234,14 @@ int crypt_get_integrity_tag_size(struct crypt_device *cd);
 int crypt_key_in_keyring(struct crypt_device *cd);
 void crypt_set_key_in_keyring(struct crypt_device *cd, unsigned key_in_keyring);
 int crypt_volume_key_load_in_keyring(struct crypt_device *cd, struct volume_key *vk);
+int crypt_keyring_get_user_key(struct crypt_device *cd,
+		const char *key_description,
+		char **key,
+		size_t *key_size);
+int crypt_keyring_get_key_by_name(struct crypt_device *cd,
+		const char *key_description,
+		char **key,
+		size_t *key_size);
 int crypt_use_keyring_for_vk(struct crypt_device *cd);
 void crypt_drop_keyring_key_by_description(struct crypt_device *cd, const char *key_description, key_type_t ktype);
 void crypt_drop_keyring_key(struct crypt_device *cd, struct volume_key *vks);
@@ -250,4 +271,8 @@ static inline bool uint64_mult_overflow(uint64_t *u, uint64_t b, size_t size)
 	return false;
 }
 
+#define KEY_NOT_VERIFIED -2
+#define KEY_EXTERNAL_VERIFICATION -1
+#define KEY_VERIFIED 0
+
 #endif /* INTERNAL_H */

lib/keyslot_context.c

@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup, keyslot unlock helpers
  *
- * Copyright (C) 2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2022 Ondrej Kozina
+ * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2022-2024 Ondrej Kozina
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -173,7 +173,7 @@ static int get_luks1_volume_key_by_keyfile(struct crypt_device *cd,
 	return r;
 }
 
-static int get_key_by_key(struct crypt_device *cd,
+static int get_key_by_key(struct crypt_device *cd __attribute__((unused)),
 	struct crypt_keyslot_context *kc,
 	int keyslot __attribute__((unused)),
 	int segment __attribute__((unused)),
@@ -204,19 +204,73 @@ static int get_volume_key_by_key(struct crypt_device *cd,
 	return get_key_by_key(cd, kc, -2 /* unused */, -2 /* unused */, r_vk);
 }
 
+static int get_generic_volume_key_by_key(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	struct volume_key **r_vk)
+{
+	return get_key_by_key(cd, kc, -2 /* unused */, -2 /* unused */, r_vk);
+}
+
+static int get_generic_signed_key_by_key(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	struct volume_key **r_vk,
+	struct volume_key **r_signature)
+{
+	struct volume_key *vk, *vk_sig;
+
+	assert(kc && ((kc->type == CRYPT_KC_TYPE_KEY) ||
+		      (kc->type == CRYPT_KC_TYPE_SIGNED_KEY)));
+	assert(r_vk);
+	assert(r_signature);
+
+	/* return key with no signature */
+	if (kc->type == CRYPT_KC_TYPE_KEY) {
+		*r_signature = NULL;
+		return get_key_by_key(cd, kc, -2 /* unused */, -2 /* unused */, r_vk);
+	}
+
+	if (!kc->u.ks.volume_key || !kc->u.ks.signature) {
+		kc->error = -EINVAL;
+		return kc->error;
+	}
+
+	vk = crypt_alloc_volume_key(kc->u.ks.volume_key_size, kc->u.ks.volume_key);
+	if (!vk) {
+		kc->error = -ENOMEM;
+		return kc->error;
+	}
+
+	vk_sig = crypt_alloc_volume_key(kc->u.ks.signature_size, kc->u.ks.signature);
+	if (!vk_sig) {
+		crypt_free_volume_key(vk);
+		kc->error = -ENOMEM;
+		return kc->error;
+	}
+
+	*r_vk = vk;
+	*r_signature = vk_sig;
+
+	return 0;
+}
+
 static int get_luks2_key_by_token(struct crypt_device *cd,
 	struct crypt_keyslot_context *kc,
-	int keyslot __attribute__((unused)),
+	int keyslot,
 	int segment,
 	struct volume_key **r_vk)
 {
 	int r;
+	struct luks2_hdr *hdr;
 
 	assert(cd);
 	assert(kc && kc->type == CRYPT_KC_TYPE_TOKEN);
 	assert(r_vk);
 
-	r = LUKS2_token_unlock_key(cd, crypt_get_hdr(cd, CRYPT_LUKS2), kc->u.t.id, kc->u.t.type,
+	hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
+	if (!hdr)
+		return -EINVAL;
+
+	r = LUKS2_token_unlock_key(cd, hdr, keyslot, kc->u.t.id, kc->u.t.type,
 				   kc->u.t.pin, kc->u.t.pin_size, segment, kc->u.t.usrptr, r_vk);
 	if (r < 0)
 		kc->error = r;
@@ -226,10 +280,10 @@ static int get_luks2_key_by_token(struct crypt_device *cd,
 
 static int get_luks2_volume_key_by_token(struct crypt_device *cd,
 	struct crypt_keyslot_context *kc,
-	int keyslot __attribute__((unused)),
+	int keyslot,
 	struct volume_key **r_vk)
 {
-	return get_luks2_key_by_token(cd, kc, -2 /* unused */, CRYPT_DEFAULT_SEGMENT, r_vk);
+	return get_luks2_key_by_token(cd, kc, keyslot, CRYPT_DEFAULT_SEGMENT, r_vk);
 }
 
 static int get_passphrase_by_token(struct crypt_device *cd,
@@ -261,6 +315,136 @@ static int get_passphrase_by_token(struct crypt_device *cd,
 	return kc->u.t.id;
 }
 
+static int get_passphrase_by_keyring(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	const char **r_passphrase,
+	size_t *r_passphrase_size)
+{
+	int r;
+
+	assert(cd);
+	assert(kc && kc->type == CRYPT_KC_TYPE_KEYRING);
+	assert(r_passphrase);
+	assert(r_passphrase_size);
+
+	if (!kc->i_passphrase) {
+		r = crypt_keyring_get_user_key(cd, kc->u.kr.key_description,
+					       &kc->i_passphrase, &kc->i_passphrase_size);
+		if (r < 0) {
+			log_err(cd, _("Failed to read passphrase from keyring."));
+			kc->error = -EINVAL;
+			return -EINVAL;
+		}
+	}
+
+	*r_passphrase = kc->i_passphrase;
+	*r_passphrase_size = kc->i_passphrase_size;
+
+	return 0;
+}
+
+static int get_luks2_key_by_keyring(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	int keyslot,
+	int segment,
+	struct volume_key **r_vk)
+{
+	int r;
+
+	assert(cd);
+	assert(kc && kc->type == CRYPT_KC_TYPE_KEYRING);
+	assert(r_vk);
+
+	r = get_passphrase_by_keyring(cd, kc, CONST_CAST(const char **) &kc->i_passphrase,
+		&kc->i_passphrase_size);
+	if (r < 0) {
+		log_err(cd, _("Failed to read passphrase from keyring."));
+		kc->error = -EINVAL;
+		return -EINVAL;
+	}
+
+	r = LUKS2_keyslot_open(cd, keyslot, segment, kc->i_passphrase, kc->i_passphrase_size, r_vk);
+	if (r < 0)
+		kc->error = r;
+
+	return 0;
+}
+
+static int get_luks2_volume_key_by_keyring(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	int keyslot,
+	struct volume_key **r_vk)
+{
+	return get_luks2_key_by_keyring(cd, kc, keyslot, CRYPT_DEFAULT_SEGMENT, r_vk);
+}
+
+static int get_luks1_volume_key_by_keyring(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	int keyslot,
+	struct volume_key **r_vk)
+{
+	int r;
+
+	assert(cd);
+	assert(kc && kc->type == CRYPT_KC_TYPE_PASSPHRASE);
+	assert(r_vk);
+
+	r = get_passphrase_by_keyring(cd, kc, CONST_CAST(const char **) &kc->i_passphrase,
+		&kc->i_passphrase_size);
+	if (r < 0) {
+		log_err(cd, _("Failed to read passphrase from keyring."));
+		kc->error = -EINVAL;
+		return -EINVAL;
+	}
+
+	r = LUKS_open_key_with_hdr(keyslot, kc->i_passphrase, kc->i_passphrase_size,
+				   crypt_get_hdr(cd, CRYPT_LUKS1), r_vk, cd);
+	if (r < 0)
+		kc->error = r;
+
+	return r;
+}
+
+static int get_key_by_vk_in_keyring(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	int keyslot __attribute__((unused)),
+	int segment __attribute__((unused)),
+	struct volume_key **r_vk)
+{
+	char *key;
+	size_t key_size;
+	int r;
+
+	assert(cd);
+	assert(kc && kc->type == CRYPT_KC_TYPE_VK_KEYRING);
+	assert(r_vk);
+
+	r = crypt_keyring_get_key_by_name(cd, kc->u.vk_kr.key_description,
+					  &key, &key_size);
+	if (r < 0) {
+		log_err(cd, _("Failed to read volume key candidate from keyring."));
+		kc->error = -EINVAL;
+		return -EINVAL;
+	}
+
+	*r_vk = crypt_alloc_volume_key(key_size, key);
+	crypt_safe_free(key);
+	if (!*r_vk) {
+		kc->error = -ENOMEM;
+		return kc->error;
+	}
+
+	return 0;
+}
+
+static int get_volume_key_by_vk_in_keyring(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	int keyslot __attribute__((unused)),
+	struct volume_key **r_vk)
+{
+	return get_key_by_vk_in_keyring(cd, kc, -2 /* unused */, -2 /* unused */, r_vk);
+}
+
 static void unlock_method_init_internal(struct crypt_keyslot_context *kc)
 {
 	assert(kc);
@@ -270,6 +454,26 @@ static void unlock_method_init_internal(struct crypt_keyslot_context *kc)
 	kc->i_passphrase_size = 0;
 }
 
+void crypt_keyslot_unlock_by_keyring_internal(struct crypt_keyslot_context *kc,
+	const char *key_description)
+{
+	assert(kc);
+
+	kc->type = CRYPT_KC_TYPE_KEYRING;
+	kc->u.kr.key_description = key_description;
+
+	kc->get_luks2_key = get_luks2_key_by_keyring;
+	kc->get_luks2_volume_key = get_luks2_volume_key_by_keyring;
+	kc->get_luks1_volume_key = get_luks1_volume_key_by_keyring;
+	kc->get_passphrase = get_passphrase_by_keyring;
+	kc->get_plain_volume_key = NULL;
+	kc->get_bitlk_volume_key = NULL;
+	kc->get_fvault2_volume_key = NULL;
+	kc->get_verity_volume_key = NULL;
+	kc->get_integrity_volume_key = NULL;
+	unlock_method_init_internal(kc);
+}
+
 void crypt_keyslot_unlock_by_key_init_internal(struct crypt_keyslot_context *kc,
 	const char *volume_key,
 	size_t volume_key_size)
@@ -283,6 +487,36 @@ void crypt_keyslot_unlock_by_key_init_internal(struct crypt_keyslot_context *kc,
 	kc->get_luks2_volume_key = get_volume_key_by_key;
 	kc->get_luks1_volume_key = get_volume_key_by_key;
 	kc->get_passphrase = NULL; /* keyslot key context does not provide passphrase */
+	kc->get_plain_volume_key = get_generic_volume_key_by_key;
+	kc->get_bitlk_volume_key = get_generic_volume_key_by_key;
+	kc->get_fvault2_volume_key = get_generic_volume_key_by_key;
+	kc->get_verity_volume_key = get_generic_signed_key_by_key;
+	kc->get_integrity_volume_key = get_generic_volume_key_by_key;
+	unlock_method_init_internal(kc);
+}
+
+void crypt_keyslot_unlock_by_signed_key_init_internal(struct crypt_keyslot_context *kc,
+	const char *volume_key,
+	size_t volume_key_size,
+	const char *signature,
+	size_t signature_size)
+{
+	assert(kc);
+
+	kc->type = CRYPT_KC_TYPE_SIGNED_KEY;
+	kc->u.ks.volume_key = volume_key;
+	kc->u.ks.volume_key_size = volume_key_size;
+	kc->u.ks.signature = signature;
+	kc->u.ks.signature_size = signature_size;
+	kc->get_luks2_key = NULL;
+	kc->get_luks2_volume_key = NULL;
+	kc->get_luks1_volume_key = NULL;
+	kc->get_passphrase = NULL;
+	kc->get_plain_volume_key = NULL;
+	kc->get_bitlk_volume_key = NULL;
+	kc->get_fvault2_volume_key = NULL;
+	kc->get_verity_volume_key = get_generic_signed_key_by_key;
+	kc->get_integrity_volume_key = NULL;
 	unlock_method_init_internal(kc);
 }
 
@@ -299,6 +533,11 @@ void crypt_keyslot_unlock_by_passphrase_init_internal(struct crypt_keyslot_conte
 	kc->get_luks2_volume_key = get_luks2_volume_key_by_passphrase;
 	kc->get_luks1_volume_key = get_luks1_volume_key_by_passphrase;
 	kc->get_passphrase = get_passphrase_by_passphrase;
+	kc->get_plain_volume_key = NULL;
+	kc->get_bitlk_volume_key = NULL;
+	kc->get_fvault2_volume_key = NULL;
+	kc->get_verity_volume_key = NULL;
+	kc->get_integrity_volume_key = NULL;
 	unlock_method_init_internal(kc);
 }
 
@@ -317,6 +556,11 @@ void crypt_keyslot_unlock_by_keyfile_init_internal(struct crypt_keyslot_context
 	kc->get_luks2_volume_key = get_luks2_volume_key_by_keyfile;
 	kc->get_luks1_volume_key = get_luks1_volume_key_by_keyfile;
 	kc->get_passphrase = get_passphrase_by_keyfile;
+	kc->get_plain_volume_key = NULL;
+	kc->get_bitlk_volume_key = NULL;
+	kc->get_fvault2_volume_key = NULL;
+	kc->get_verity_volume_key = NULL;
+	kc->get_integrity_volume_key = NULL;
 	unlock_method_init_internal(kc);
 }
 
@@ -339,9 +583,35 @@ void crypt_keyslot_unlock_by_token_init_internal(struct crypt_keyslot_context *k
 	kc->get_luks2_volume_key = get_luks2_volume_key_by_token;
 	kc->get_luks1_volume_key = NULL; /* LUKS1 is not supported */
 	kc->get_passphrase = get_passphrase_by_token;
+	kc->get_plain_volume_key = NULL;
+	kc->get_bitlk_volume_key = NULL;
+	kc->get_fvault2_volume_key = NULL;
+	kc->get_verity_volume_key = NULL;
+	kc->get_integrity_volume_key = NULL;
 	unlock_method_init_internal(kc);
 }
 
+void crypt_keyslot_unlock_by_vk_in_keyring_internal(struct crypt_keyslot_context *kc,
+	const char *key_description)
+{
+	assert(kc);
+
+	kc->type = CRYPT_KC_TYPE_VK_KEYRING;
+	kc->u.vk_kr.key_description = key_description;
+
+	kc->get_luks2_key = get_key_by_vk_in_keyring;
+	kc->get_luks2_volume_key = get_volume_key_by_vk_in_keyring;
+	kc->get_luks1_volume_key = NULL;
+	kc->get_passphrase = NULL; /* keyslot key context does not provide passphrase */
+	kc->get_plain_volume_key = NULL;
+	kc->get_bitlk_volume_key = NULL;
+	kc->get_fvault2_volume_key = NULL;
+	kc->get_verity_volume_key = NULL;
+	kc->get_integrity_volume_key = NULL;
+	unlock_method_init_internal(kc);
+}
+
+
 void crypt_keyslot_context_destroy_internal(struct crypt_keyslot_context *kc)
 {
 	if (!kc)
@@ -358,7 +628,7 @@ void crypt_keyslot_context_free(struct crypt_keyslot_context *kc)
 	free(kc);
 }
 
-int crypt_keyslot_context_init_by_passphrase(struct crypt_device *cd,
+int crypt_keyslot_context_init_by_passphrase(struct crypt_device *cd __attribute__((unused)),
 	const char *passphrase,
 	size_t passphrase_size,
 	struct crypt_keyslot_context **kc)
@@ -379,7 +649,7 @@ int crypt_keyslot_context_init_by_passphrase(struct crypt_device *cd,
 	return 0;
 }
 
-int crypt_keyslot_context_init_by_keyfile(struct crypt_device *cd,
+int crypt_keyslot_context_init_by_keyfile(struct crypt_device *cd __attribute__((unused)),
 	const char *keyfile,
 	size_t keyfile_size,
 	uint64_t keyfile_offset,
@@ -401,7 +671,7 @@ int crypt_keyslot_context_init_by_keyfile(struct crypt_device *cd,
 	return 0;
 }
 
-int crypt_keyslot_context_init_by_token(struct crypt_device *cd,
+int crypt_keyslot_context_init_by_token(struct crypt_device *cd __attribute__((unused)),
 	int token,
 	const char *type,
 	const char *pin, size_t pin_size,
@@ -424,7 +694,7 @@ int crypt_keyslot_context_init_by_token(struct crypt_device *cd,
 	return 0;
 }
 
-int crypt_keyslot_context_init_by_volume_key(struct crypt_device *cd,
+int crypt_keyslot_context_init_by_volume_key(struct crypt_device *cd __attribute__((unused)),
 	const char *volume_key,
 	size_t volume_key_size,
 	struct crypt_keyslot_context **kc)
@@ -445,12 +715,76 @@ int crypt_keyslot_context_init_by_volume_key(struct crypt_device *cd,
 	return 0;
 }
 
+int crypt_keyslot_context_init_by_signed_key(struct crypt_device *cd __attribute__((unused)),
+	const char *volume_key,
+	size_t volume_key_size,
+	const char *signature,
+	size_t signature_size,
+	struct crypt_keyslot_context **kc)
+{
+	struct crypt_keyslot_context *tmp;
+
+	if (!kc)
+		return -EINVAL;
+
+	tmp = malloc(sizeof(*tmp));
+	if (!tmp)
+		return -ENOMEM;
+
+	crypt_keyslot_unlock_by_signed_key_init_internal(tmp, volume_key, volume_key_size,
+		signature, signature_size);
+
+	*kc = tmp;
+
+	return 0;
+}
+
+int crypt_keyslot_context_init_by_keyring(struct crypt_device *cd __attribute__((unused)),
+	const char *key_description,
+	struct crypt_keyslot_context **kc)
+{
+	struct crypt_keyslot_context *tmp;
+
+	if (!kc)
+		return -EINVAL;
+
+	tmp = malloc(sizeof(*tmp));
+	if (!tmp)
+		return -ENOMEM;
+
+	crypt_keyslot_unlock_by_keyring_internal(tmp, key_description);
+
+	*kc = tmp;
+
+	return 0;
+}
+
+int crypt_keyslot_context_init_by_vk_in_keyring(struct crypt_device *cd __attribute__((unused)),
+	const char *key_description,
+	struct crypt_keyslot_context **kc)
+{
+	struct crypt_keyslot_context *tmp;
+
+	if (!kc)
+		return -EINVAL;
+
+	tmp = malloc(sizeof(*tmp));
+	if (!tmp)
+		return -ENOMEM;
+
+	crypt_keyslot_unlock_by_vk_in_keyring_internal(tmp, key_description);
+
+	*kc = tmp;
+
+	return 0;
+}
+
 int crypt_keyslot_context_get_error(struct crypt_keyslot_context *kc)
 {
 	return kc ? kc->error : -EINVAL;
 }
 
-int crypt_keyslot_context_set_pin(struct crypt_device *cd,
+int crypt_keyslot_context_set_pin(struct crypt_device *cd __attribute__((unused)),
 	const char *pin, size_t pin_size,
 	struct crypt_keyslot_context *kc)
 {
@@ -482,6 +816,12 @@ const char *keyslot_context_type_string(const struct crypt_keyslot_context *kc)
 		return "token";
 	case CRYPT_KC_TYPE_KEY:
 		return "key";
+	case CRYPT_KC_TYPE_KEYRING:
+		return "keyring";
+	case CRYPT_KC_TYPE_VK_KEYRING:
+		return "volume key in keyring";
+	case CRYPT_KC_TYPE_SIGNED_KEY:
+		return "signed key";
 	default:
 		return "<unknown>";
 	}

lib/keyslot_context.h

@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup, keyslot unlock helpers
  *
- * Copyright (C) 2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2022 Ondrej Kozina
+ * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2022-2024 Ondrej Kozina
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -40,6 +40,17 @@ typedef int (*keyslot_context_get_volume_key) (
 	int keyslot,
 	struct volume_key **r_vk);
 
+typedef int (*keyslot_context_get_generic_volume_key) (
+	struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	struct volume_key **r_vk);
+
+typedef int (*keyslot_context_get_generic_signed_key) (
+	struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	struct volume_key **r_vk,
+	struct volume_key **r_signature);
+
 typedef int (*keyslot_context_get_passphrase) (
 	struct crypt_device *cd,
 	struct crypt_keyslot_context *kc,
@@ -71,6 +82,18 @@ struct crypt_keyslot_context {
 		const char *volume_key;
 		size_t volume_key_size;
 	} k;
+	struct {
+		const char *volume_key;
+		size_t volume_key_size;
+		const char *signature;
+		size_t signature_size;
+	} ks;
+	struct {
+		const char *key_description;
+	} kr;
+	struct {
+		const char *key_description;
+	} vk_kr;
 	} u;
 
 	int error;
@@ -78,10 +101,15 @@ struct crypt_keyslot_context {
 	char *i_passphrase;
 	size_t i_passphrase_size;
 
-	keyslot_context_get_key		get_luks2_key;
-	keyslot_context_get_volume_key	get_luks1_volume_key;
-	keyslot_context_get_volume_key	get_luks2_volume_key;
-	keyslot_context_get_passphrase	get_passphrase;
+	keyslot_context_get_key			get_luks2_key;
+	keyslot_context_get_volume_key		get_luks1_volume_key;
+	keyslot_context_get_volume_key		get_luks2_volume_key;
+	keyslot_context_get_generic_volume_key	get_plain_volume_key;
+	keyslot_context_get_generic_volume_key	get_bitlk_volume_key;
+	keyslot_context_get_generic_volume_key	get_fvault2_volume_key;
+	keyslot_context_get_generic_signed_key	get_verity_volume_key;
+	keyslot_context_get_generic_volume_key	get_integrity_volume_key;
+	keyslot_context_get_passphrase		get_passphrase;
 };
 
 void crypt_keyslot_context_destroy_internal(struct crypt_keyslot_context *method);
@@ -90,6 +118,12 @@ void crypt_keyslot_unlock_by_key_init_internal(struct crypt_keyslot_context *kc,
 	const char *volume_key,
 	size_t volume_key_size);
 
+void crypt_keyslot_unlock_by_signed_key_init_internal(struct crypt_keyslot_context *kc,
+	const char *volume_key,
+	size_t volume_key_size,
+	const char *signature,
+	size_t signature_size);
+
 void crypt_keyslot_unlock_by_passphrase_init_internal(struct crypt_keyslot_context *kc,
 	const char *passphrase,
 	size_t passphrase_size);
@@ -106,6 +140,12 @@ void crypt_keyslot_unlock_by_token_init_internal(struct crypt_keyslot_context *k
 	size_t pin_size,
 	void *usrptr);
 
+void crypt_keyslot_unlock_by_keyring_internal(struct crypt_keyslot_context *kc,
+	const char *key_description);
+
+void crypt_keyslot_unlock_by_vk_in_keyring_internal(struct crypt_keyslot_context *kc,
+	const char *key_description);
+
 const char *keyslot_context_type_string(const struct crypt_keyslot_context *kc);
 
 #endif /* KEYSLOT_CONTEXT_H */

lib/libcryptsetup.h

@@ -3,8 +3,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2022 Milan Broz
+ * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2024 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -273,7 +273,7 @@ struct crypt_pbkdf_type {
 
 /** Iteration time set by crypt_set_iteration_time(), for compatibility only. */
 #define CRYPT_PBKDF_ITER_TIME_SET   (UINT32_C(1) << 0)
-/** Never run benchmarks, use pre-set value or defaults. */
+/** Never run benchmarks or limit by system resources, use pre-set values or defaults. */
 #define CRYPT_PBKDF_NO_BENCHMARK    (UINT32_C(1) << 1)
 
 /** PBKDF2 according to RFC2898, LUKS1 legacy */
@@ -450,6 +450,34 @@ const char *crypt_get_type(struct crypt_device *cd);
  */
 const char *crypt_get_default_type(void);
 
+/**
+ * @defgroup crypt-hw-encryption-types HW encryption type
+ * @addtogroup crypt-hw-encryption-types
+ * @{
+ */
+/** SW encryption, no OPAL encryption in place (default) */
+#define CRYPT_SW_ONLY        INT16_C(0)
+/** OPAL HW encryption only (no SW encryption!) */
+#define CRYPT_OPAL_HW_ONLY   INT16_C(1)
+/** SW encryption stacked over OPAL HW encryption  */
+#define CRYPT_SW_AND_OPAL_HW INT16_C(2)
+/** @} */
+
+/**
+ * Get HW encryption type
+ *
+ * @return HW encryption type (see @link crypt-hw-encryption-types @endlink)
+ *         or negative errno otherwise.
+ */
+int crypt_get_hw_encryption_type(struct crypt_device *cd);
+
+/**
+ * Get HW encryption (like OPAL) key size (in bytes)
+ *
+ * @return key size or 0 if no HW encryption is used.
+ */
+int crypt_get_hw_encryption_key_size(struct crypt_device *cd);
+
 /**
  *
  * Structure used as parameter for PLAIN device type.
@@ -609,6 +637,18 @@ struct crypt_params_luks2 {
 	const char *label;       /**< header label or @e NULL*/
 	const char *subsystem;   /**< header subsystem label or @e NULL*/
 };
+
+/**
+ * Structure used as parameter for OPAL (HW encrypted) device type.
+ *
+ * @see crypt_format_luks2_opal
+ *
+ */
+struct crypt_params_hw_opal {
+	const char *admin_key;   /**< admin key */
+	size_t admin_key_size;   /**< admin key size in bytes */
+	size_t user_key_size;    /**< user authority key size part in bytes */
+};
 /** @} */
 
 /**
@@ -648,6 +688,34 @@ int crypt_format(struct crypt_device *cd,
 	size_t volume_key_size,
 	void *params);
 
+/**
+ * Create (format) new LUKS2 crypt device over HW OPAL device but do not activate it.
+ *
+ * @pre @e cd contains initialized and not formatted device context (device type must @b not be set)
+ *
+ * @param cd crypt device handle
+ * @param cipher for SW encryption (e.g. "aes") or NULL for HW encryption only
+ * @param cipher_mode including IV specification (e.g. "xts-plain") or NULL for HW encryption only
+ * @param uuid requested UUID or @e NULL if it should be generated
+ * @param volume_keys pre-generated volume keys or @e NULL if it should be generated (only for LUKS2 SW encryption)
+ * @param volume_keys_size size of volume keys in bytes (only for SW encryption).
+ * @param params LUKS2 crypt type specific parameters (see @link crypt-type @endlink)
+ * @param opal_params OPAL specific parameters
+ *
+ * @returns @e 0 on success or negative errno value otherwise.
+ *
+ * @note Note that crypt_format_luks2_opal does not create LUKS keyslot.
+ *       To create keyslot call any crypt_keyslot_add_* function.
+ */
+int crypt_format_luks2_opal(struct crypt_device *cd,
+	const char *cipher,
+	const char *cipher_mode,
+	const char *uuid,
+	const char *volume_keys,
+	size_t volume_keys_size,
+	struct crypt_params_luks2 *params,
+	struct crypt_params_hw_opal *opal_params);
+
 /**
  * Set format compatibility flags.
  *
@@ -941,6 +1009,23 @@ int crypt_resume_by_token_pin(struct crypt_device *cd,
 	const char *pin,
 	size_t pin_size,
 	void *usrptr);
+
+/**
+ * Resume crypt device using keyslot context.
+ *
+ * @param cd crypt device handle
+ * @param name name of device to resume
+ * @param keyslot requested keyslot to check or @e CRYPT_ANY_SLOT, keyslot is
+ *        ignored for unlock methods not based on passphrase
+ * @param kc keyslot context providing volume key or passphrase.
+ *
+ * @return unlocked key slot number for passphrase-based unlock, zero for other
+ *         unlock methods (e.g. volume key context) or negative errno on error.
+ */
+int crypt_resume_by_keyslot_context(struct crypt_device *cd,
+			       const char *name,
+			       int keyslot,
+			       struct crypt_keyslot_context *kc);
 /** @} */
 
 /**
@@ -1099,7 +1184,7 @@ int crypt_keyslot_add_by_volume_key(struct crypt_device *cd,
  * @warning CRYPT_VOLUME_KEY_SET flag force updates volume key. It is @b not @b reencryption!
  * 	    By doing so you will most probably destroy your ciphertext data device. It's supposed
  * 	    to be used only in wrapped keys scheme for key refresh process where real (inner) volume
- * 	    key stays untouched. It may be involed on active @e keyslot which makes the (previously
+ * 	    key stays untouched. It may be involved on active @e keyslot which makes the (previously
  * 	    unbound) keyslot new regular keyslot.
  */
 int crypt_keyslot_add_by_key(struct crypt_device *cd,
@@ -1194,6 +1279,59 @@ int crypt_keyslot_context_init_by_volume_key(struct crypt_device *cd,
 	size_t volume_key_size,
 	struct crypt_keyslot_context **kc);
 
+/**
+ * Initialize keyslot context via signed key.
+ *
+ * @param cd crypt device handle initialized to device context
+ *
+ * @param volume_key provided volume key
+ * @param volume_key_size size of volume_key
+ * @param signature buffer with signature for the key
+ * @param signature_size bsize of signature buffer
+ * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_SIGNED_KEY
+ *
+ * @return zero on success or negative errno otherwise.
+ *
+ * @note currently supported only with VERITY devices.
+ */
+int crypt_keyslot_context_init_by_signed_key(struct crypt_device *cd,
+	const char *volume_key,
+	size_t volume_key_size,
+	const char *signature,
+	size_t signature_size,
+	struct crypt_keyslot_context **kc);
+
+/**
+ * Initialize keyslot context via passphrase stored in a keyring.
+ *
+ * @param cd crypt device handle initialized to LUKS device context
+ *
+ * @param key_description kernel keyring key description library should look
+ *        for passphrase in
+ * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_KEYRING
+ *
+ * @return zero on success or negative errno otherwise.
+ */
+int crypt_keyslot_context_init_by_keyring(struct crypt_device *cd,
+	const char *key_description,
+	struct crypt_keyslot_context **kc);
+
+/**
+ * Initialize keyslot context via volume key stored in a keyring.
+ *
+ * @param cd crypt device handle initialized to LUKS device context
+ *
+ * @param key_description kernel keyring key description library should look
+ *        for passphrase in. The key can be passed either as number in ASCII,
+ *        or a text representation in the form "%<key_type>:<key_name>"
+ * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_KEYRING
+ *
+ * @return zero on success or negative errno otherwise.
+ */
+int crypt_keyslot_context_init_by_vk_in_keyring(struct crypt_device *cd,
+	const char *key_description,
+	struct crypt_keyslot_context **kc);
+
 /**
  * Get error code per keyslot context from last failed call.
  *
@@ -1225,7 +1363,7 @@ int crypt_keyslot_context_set_pin(struct crypt_device *cd,
 	struct crypt_keyslot_context *kc);
 
 /**
- * @defgroup crypt-keyslot-context-types Crypt keyslot context
+ * @defgroup crypt-keyslot-context-types Crypt keyslot context types
  * @addtogroup crypt-keyslot-context-types
  * @{
  */
@@ -1237,6 +1375,16 @@ int crypt_keyslot_context_set_pin(struct crypt_device *cd,
 #define CRYPT_KC_TYPE_TOKEN      INT16_C(3)
 /** keyslot context initialized by volume key or unbound key (@link crypt_keyslot_context_init_by_volume_key @endlink) */
 #define CRYPT_KC_TYPE_KEY        INT16_C(4)
+/** keyslot context initialized by description of a keyring key
+ * (@link crypt_keyslot_context_init_by_keyring @endlink)
+ */
+#define CRYPT_KC_TYPE_KEYRING    INT16_C(5)
+/** keyslot context initialized by description of a keyring key containing the volume key
+ * (@link crypt_keyslot_context_init_by_vk_in_keyring @endlink)
+ */
+#define CRYPT_KC_TYPE_VK_KEYRING    INT16_C(6)
+/** keyslot context initialized by signed key (@link crypt_keyslot_context_init_by_signed_key @endlink) */
+#define CRYPT_KC_TYPE_SIGNED_KEY    INT16_C(7)
 /** @} */
 
 /**
@@ -1281,7 +1429,7 @@ int crypt_keyslot_context_get_type(const struct crypt_keyslot_context *kc);
  * @warning CRYPT_VOLUME_KEY_SET flag force updates volume key. It is @b not @b reencryption!
  * 	    By doing so you will most probably destroy your ciphertext data device. It's supposed
  * 	    to be used only in wrapped keys scheme for key refresh process where real (inner) volume
- * 	    key stays untouched. It may be involed on active @e keyslot which makes the (previously
+ * 	    key stays untouched. It may be involved on active @e keyslot which makes the (previously
  * 	    unbound) keyslot new regular keyslot.
  */
 int crypt_keyslot_add_by_keyslot_context(struct crypt_device *cd,
@@ -1420,6 +1568,8 @@ uint64_t crypt_get_active_integrity_failures(struct crypt_device *cd,
 #define CRYPT_REQUIREMENT_OFFLINE_REENCRYPT	(UINT32_C(1) << 0)
 /** Online reencryption in-progress */
 #define CRYPT_REQUIREMENT_ONLINE_REENCRYPT	(UINT32_C(1) << 1)
+/** Device configured with OPAL support */
+#define CRYPT_REQUIREMENT_OPAL			(UINT32_C(1) << 2)
 /** unknown requirement in header (output only) */
 #define CRYPT_REQUIREMENT_UNKNOWN		(UINT32_C(1) << 31)
 
@@ -1473,6 +1623,39 @@ int crypt_persistent_flags_get(struct crypt_device *cd,
  * @{
  */
 
+/**
+ * Activate device or check using keyslot context. In some cases (device under
+ * reencryption), more than one keyslot context is required (e.g. one for the old
+ * volume key and one for the new volume key). The order of the keyslot
+ * contexts does not matter. When less keyslot contexts are supplied than
+ * required to unlock the device an -ESRCH error code is returned and you
+ * should call the function again with an additional keyslot context specified.
+ *
+ * NOTE: the API at the moment fully works for single keyslot context only,
+ * the additional keyslot context currently works only with
+ * @e CRYPT_KC_TYPE_VK_KEYRING or @e CRYPT_KC_TYPE_KEY contexts.
+ *
+ * @param cd crypt device handle
+ * @param name name of device to create, if @e NULL only check passphrase
+ * @param keyslot requested keyslot to check or @e CRYPT_ANY_SLOT, keyslot is
+ *        ignored for unlock methods not based on passphrase
+ * @param kc keyslot context providing volume key or passphrase.
+ * @param additional_keyslot requested additional keyslot to check or @e CRYPT_ANY_SLOT
+ * @param additional_kc keyslot context providing additional volume key or
+ *        passphrase (e.g. old volume key for device under reencryption).
+ * @param flags activation flags
+ *
+ * @return unlocked key slot number for passphrase-based unlock, zero for other
+ *         unlock methods (e.g. volume key context) or negative errno on error.
+ */
+int crypt_activate_by_keyslot_context(struct crypt_device *cd,
+	const char *name,
+	int keyslot,
+	struct crypt_keyslot_context *kc,
+	int additional_keyslot,
+	struct crypt_keyslot_context *additional_kc,
+	uint32_t flags);
+
 /**
  * Activate device or check passphrase.
  *
@@ -1553,6 +1736,9 @@ int crypt_activate_by_keyfile(struct crypt_device *cd,
  * 	 CRYPT_ACTIVATE_READONLY flag always.
  * @note For TCRYPT the volume key should be always NULL
  * 	 the key from decrypted header is used instead.
+ * @note For BITLK the name cannot be @e NULL checking volume key is not
+ * 	 supported for BITLK, the device will be activated even if the
+ * 	 provided key is not correct.
  */
 int crypt_activate_by_volume_key(struct crypt_device *cd,
 	const char *name,
@@ -2259,6 +2445,36 @@ int crypt_wipe(struct crypt_device *cd,
 
 /** Use direct-io */
 #define CRYPT_WIPE_NO_DIRECT_IO (UINT32_C(1) << 0)
+
+enum {
+	CRYPT_LUKS2_SEGMENT = -2,
+	CRYPT_NO_SEGMENT = -1,
+};
+
+/**
+ * Safe erase of a partition or an entire OPAL device. WARNING: ALL DATA ON
+ * PARTITION/DISK WILL BE LOST. If the CRYPT_NO_SEGMENT is passed as the segment
+ * parameter, the entire device will be wiped, not just what is included in the
+ * LUKS2 device/partition.
+ *
+ * @param cd crypt device handle
+ * @param segment the segment number to wipe (0..8), or CRYPT_LUKS2_SEGMENT
+ *        to wipe the segment configured in the LUKS2 header, or CRYPT_NO_SEGMENT
+ *        to wipe the entire device via a factory reset.
+ * @param password admin password/PSID (for factory reset) to wipe the
+ *        partition/device
+ * @param password_size length of password/PSID
+ * @param flags (currently unused)
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ */
+int crypt_wipe_hw_opal(struct crypt_device *cd,
+	int segment, /* 0..8, CRYPT_LUKS2_SEGMENT -2, CRYPT_NO_SEGMENT -1 */
+	const char *password, /* Admin1 PIN or PSID */
+	size_t password_size,
+	uint32_t flags /* currently unused */
+);
+
 /** @} */
 
 /**
@@ -2566,6 +2782,17 @@ int crypt_token_register(const crypt_token_handler *handler);
  */
 const char *crypt_token_external_path(void);
 
+/**
+ * Override configured external token handlers path for the library.
+ *
+ * @param path Absolute path (starts with '/') to new external token handlers directory or @e NULL.
+ *
+ * @note if @e path is @e NULL the external token path is reset to default path.
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ */
+int crypt_token_set_external_path(const char *path);
+
 /**
  * Disable external token handlers (plugins) support
  * If disabled, it cannot be enabled again.
@@ -2875,6 +3102,55 @@ void crypt_safe_memzero(void *data, size_t size);
 
 /** @} */
 
+/**
+ * @defgroup crypt-keyring Kernel keyring manipulation
+ * @addtogroup crypt-keyring
+ * @{
+ */
+
+/**
+ * Link the volume key to the specified kernel keyring.
+ *
+ * The volume can have one or two keys. Normally, the device has one key.
+ * However if reencryption was started and not finished yet, the volume will
+ * have two volume keys (the new VK for the already reencrypted segment and old
+ * VK for the not yet reencrypted segment).
+ *
+ * The @e old_key_description argument is required only for
+ * devices that are in re-encryption and have two volume keys at the same time
+ * (old and new). You can set the @e old_key_description to NULL,
+ * but if you supply number of keys less than required, the function will
+ * return -ESRCH.  In that case you need to call the function again and set
+ * the missing key description. When supplying just one key description, make
+ * sure to supply it in the @e key_description.
+ *
+ * @param cd crypt device handle
+ * @param key_description the key description of the volume key linked in desired keyring.
+ * @param old_key_description the key description of the old volume key linked in desired keyring
+ *	  (for devices in re-encryption).
+ * @param key_type_desc the key type used for the volume key. Currently only "user" and "logon" types are
+ *	  supported. if @e NULL is specified the default "user" type is applied.
+ * @param keyring_to_link_vk the keyring description of the keyring in which volume key should
+ *	  be linked, if @e NULL is specified, linking will be disabled.
+ *
+ * @note keyring_to_link_vk may be passed in various string formats:
+ * 	 It can be kernel key numeric id of existing keyring written as a string,
+ * 	 keyring name prefixed by either "%:" or "%keyring:" substrings or keyctl
+ * 	 special values for keyrings "@t", "@p", "@s" and so on. See keyctl(1) man page,
+ * 	 section KEY IDENTIFIERS for more information. All other prefixes starting "%<type>:"
+ * 	 are ignored.
+ *
+ * @note key_description "%<type>:" prefixes are ignored. Type is applied based on key_type parameter
+ * 	 value.
+ */
+int crypt_set_keyring_to_link(struct crypt_device* cd,
+	const char* key_description,
+	const char* old_key_description,
+	const char* key_type_desc,
+	const char* keyring_to_link_vk);
+
+/** @} */
+
 #ifdef __cplusplus
 }
 #endif

lib/libcryptsetup.sym

@@ -165,3 +165,18 @@ CRYPTSETUP_2.6 {
 		crypt_keyslot_add_by_keyslot_context;
 		crypt_volume_key_get_by_keyslot_context;
 } CRYPTSETUP_2.5;
+
+CRYPTSETUP_2.7 {
+	global:
+		crypt_activate_by_keyslot_context;
+		crypt_format_luks2_opal;
+		crypt_get_hw_encryption_type;
+		crypt_get_hw_encryption_key_size;
+		crypt_keyslot_context_init_by_keyring;
+		crypt_keyslot_context_init_by_vk_in_keyring;
+		crypt_keyslot_context_init_by_signed_key;
+		crypt_resume_by_keyslot_context;
+		crypt_token_set_external_path;
+		crypt_set_keyring_to_link;
+		crypt_wipe_hw_opal;
+} CRYPTSETUP_2.6;

lib/libcryptsetup_macros.h

@@ -1,8 +1,8 @@
 /*
  * Definitions of common constant and generic macros of libcryptsetup
  *
- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2022 Milan Broz
+ * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2024 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License

lib/libcryptsetup_symver.h

@@ -1,7 +1,7 @@
 /*
  * Helpers for defining versioned symbols
  *
- * Copyright (C) 2021-2022 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2021-2024 Red Hat, Inc. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -72,9 +72,9 @@
      __attribute__((__symver__(#_public_sym _ver_str #_maj "." #_min)))
 #endif
 
-#if !defined(_CRYPT_SYMVER) && defined(__GNUC__)
+#if !defined(_CRYPT_SYMVER) && (defined(__GNUC__) || defined(__clang__))
 #  define _CRYPT_SYMVER(_local_sym, _public_sym, _ver_str, _maj, _min)         \
-     asm(".symver " #_local_sym "," #_public_sym _ver_str #_maj "." #_min);
+     __asm__(".symver " #_local_sym "," #_public_sym _ver_str #_maj "." #_min);
 #endif
 
 #define _CRYPT_FUNC(_public_sym, _prefix_str, _maj, _min, _ret, ...)                                    \

lib/libdevmapper.c

@@ -3,8 +3,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2022 Milan Broz
+ * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2024 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -602,7 +602,8 @@ static char *get_dm_crypt_params(const struct dm_target *tgt, uint32_t flags)
 		hexkey = crypt_safe_alloc(keystr_len);
 		if (!hexkey)
 			goto out;
-		r = snprintf(hexkey, keystr_len, ":%zu:logon:%s", tgt->u.crypt.vk->keylength, tgt->u.crypt.vk->key_description);
+		r = snprintf(hexkey, keystr_len, ":%zu:logon:%s", tgt->u.crypt.vk->keylength,
+			     tgt->u.crypt.vk->key_description);
 		if (r < 0 || r >= keystr_len)
 			goto out;
 	} else
@@ -1330,7 +1331,15 @@ static int _dm_create_device(struct crypt_device *cd, const char *name, const ch
 		goto out;
 
 	if (!dm_task_run(dmt)) {
-		r = dm_status_device(cd, name);;
+
+		r = -dm_task_get_errno(dmt);
+		if (r == -ENOKEY || r == -EKEYREVOKED || r == -EKEYEXPIRED) {
+			/* propagate DM errors around key management as such */
+			r = -ENOKEY;
+			goto out;
+		}
+
+		r = dm_status_device(cd, name);
 		if (r >= 0)
 			r = -EEXIST;
 		if (r != -EEXIST && r != -ENODEV)
@@ -1663,6 +1672,11 @@ int dm_create_device(struct crypt_device *cd, const char *name,
 			log_err(cd, _("Requested sector_size option is not supported."));
 			r = -EINVAL;
 		}
+		if (dmd->segment.u.crypt.sector_size > SECTOR_SIZE &&
+		    dmd->size % dmd->segment.u.crypt.sector_size) {
+			log_err(cd, _("The device size is not multiple of the requested sector size."));
+			r = -EINVAL;
+		}
 	}
 
 	if (dmd->segment.type == DM_INTEGRITY && (dmd->flags & CRYPT_ACTIVATE_RECALCULATE) &&
@@ -2829,7 +2843,7 @@ static int _process_deps(struct crypt_device *cd, const char *prefix, struct dm_
 int dm_device_deps(struct crypt_device *cd, const char *name, const char *prefix,
 		   char **names, size_t names_length)
 {
-	struct dm_task *dmt;
+	struct dm_task *dmt = NULL;
 	struct dm_info dmi;
 	struct dm_deps *deps;
 	int r = -EINVAL;
@@ -2989,7 +3003,8 @@ int dm_resume_and_reinstate_key(struct crypt_device *cd, const char *name,
 	}
 
 	if (vk->key_description) {
-		r = snprintf(msg, msg_size, "key set :%zu:logon:%s", vk->keylength, vk->key_description);
+		r = snprintf(msg, msg_size, "key set :%zu:logon:%s", vk->keylength,
+			     vk->key_description);
 	} else  {
 		key = crypt_bytes_to_hex(vk->keylength, vk->key);
 		if (!key) {
@@ -3026,6 +3041,18 @@ const char *dm_get_dir(void)
 	return dm_dir();
 }
 
+int dm_get_iname(const char *name, char **iname, bool with_path)
+{
+	int r;
+
+	if (with_path)
+		r = asprintf(iname, "%s/%s_dif", dm_get_dir(), name);
+	else
+		r = asprintf(iname, "%s_dif", name);
+
+	return r < 0 ? -ENOMEM : 0;
+}
+
 int dm_is_dm_device(int major)
 {
 	return dm_is_dm_major((uint32_t)major);

lib/loopaes/loopaes.c

@@ -1,8 +1,8 @@
 /*
  * loop-AES compatible volume handling
  *
- * Copyright (C) 2011-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2011-2022 Milan Broz
+ * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2024 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public

lib/loopaes/loopaes.h

@@ -1,8 +1,8 @@
 /*
  * loop-AES compatible volume handling
  *
- * Copyright (C) 2011-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2011-2022 Milan Broz
+ * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2024 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public

lib/luks1/af.c

@@ -2,7 +2,7 @@
  * AFsplitter - Anti forensic information splitter
  *
  * Copyright (C) 2004 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
  *
  * AFsplitter diffuses information over a large stripe of data,
  * therefore supporting secure data destruction.

lib/luks1/af.h

@@ -2,7 +2,7 @@
  * AFsplitter - Anti forensic information splitter
  *
  * Copyright (C) 2004 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
  *
  * AFsplitter diffuses information over a large stripe of data,
  * therefore supporting secure data destruction.

lib/luks1/keyencryption.c

@@ -2,8 +2,8 @@
  * LUKS - Linux Unified Key Setup
  *
  * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2022 Milan Broz
+ * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2024 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License

lib/luks1/keymanage.c

@@ -2,8 +2,8 @@
  * LUKS - Linux Unified Key Setup
  *
  * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2013-2022 Milan Broz
+ * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2013-2024 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -29,6 +29,7 @@
 #include <string.h>
 #include <ctype.h>
 #include <uuid/uuid.h>
+#include <limits.h>
 
 #include "luks.h"
 #include "af.h"
@@ -924,8 +925,12 @@ int LUKS_set_key(unsigned int keyIndex,
 			hdr->keyblock[keyIndex].passwordSalt, LUKS_SALTSIZE,
 			derived_key->key, hdr->keyBytes,
 			hdr->keyblock[keyIndex].passwordIterations, 0, 0);
-	if (r < 0)
+	if (r < 0) {
+		if ((crypt_backend_flags() & CRYPT_BACKEND_PBKDF2_INT) &&
+		     hdr->keyblock[keyIndex].passwordIterations > INT_MAX)
+			log_err(ctx, _("PBKDF2 iteration value overflow."));
 		goto out;
+	}
 
 	/*
 	 * AF splitting, the volume key stored in vk->key is split to AfKey

lib/luks1/luks.h

@@ -2,7 +2,7 @@
  * LUKS - Linux Unified Key Setup
  *
  * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License

lib/luks2/hw_opal/hw_opal.h

@@ -0,0 +1,72 @@
+/*
+ * OPAL utilities
+ *
+ * Copyright (C) 2022-2023 Luca Boccassi <bluca@debian.org>
+ *               2023 Ondrej Kozina <okozina@redhat.com>
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _UTILS_OPAL
+#define _UTILS_OPAL
+
+#include "internal.h"
+
+struct crypt_lock_handle;
+
+int opal_setup_ranges(struct crypt_device *cd,
+		      struct device *dev,
+		      const struct volume_key *vk,
+		      uint64_t range_start_blocks,
+		      uint64_t range_length_blocks,
+		      uint32_t opal_block_bytes,
+		      uint32_t segment_number,
+		      const void *admin_key,
+		      size_t admin_key_len);
+int opal_lock(struct crypt_device *cd, struct device *dev, uint32_t segment_number);
+int opal_unlock(struct crypt_device *cd,
+		struct device *dev,
+		uint32_t segment_number,
+		const struct volume_key *vk);
+int opal_supported(struct crypt_device *cd, struct device *dev);
+int opal_factory_reset(struct crypt_device *cd,
+		       struct device *dev,
+		       const char *password,
+		       size_t password_len);
+int opal_reset_segment(struct crypt_device *cd,
+		       struct device *dev,
+		       uint32_t segment_number,
+		       const char *password,
+		       size_t password_len);
+int opal_geometry(struct crypt_device *cd,
+		  struct device *dev,
+		  bool *ret_align,
+		  uint32_t *ret_block_size,
+		  uint64_t *ret_alignment_granularity_blocks,
+		  uint64_t *ret_lowest_lba_blocks);
+int opal_range_check_attributes_and_get_lock_state(struct crypt_device *cd,
+				struct device *dev,
+				uint32_t segment_number,
+				const struct volume_key *vk,
+				const uint64_t *check_offset_sectors,
+				const uint64_t *check_length_sectors,
+				bool *ret_read_locked,
+				bool *ret_write_locked);
+int opal_exclusive_lock(struct crypt_device *cd,
+			struct device *opal_device,
+			struct crypt_lock_handle **opal_lock);
+void opal_exclusive_unlock(struct crypt_device *cd, struct crypt_lock_handle *opal_lock);
+
+#endif

lib/luks2/luks2.h

@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2
  *
- * Copyright (C) 2015-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2022 Milan Broz
+ * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2024 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -224,8 +224,7 @@ int LUKS2_keyslot_store(struct crypt_device *cd,
 
 int LUKS2_keyslot_wipe(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
-	int keyslot,
-	int wipe_area_only);
+	int keyslot);
 
 crypt_keyslot_priority LUKS2_keyslot_priority_get(struct luks2_hdr *hdr, int keyslot);
 
@@ -277,6 +276,7 @@ crypt_token_info LUKS2_token_status(struct crypt_device *cd,
 
 int LUKS2_token_open_and_activate(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
+	int keyslot,
 	int token,
 	const char *name,
 	const char *type,
@@ -287,6 +287,7 @@ int LUKS2_token_open_and_activate(struct crypt_device *cd,
 
 int LUKS2_token_unlock_key(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
+	int keyslot,
 	int token,
 	const char *type,
 	const char *pin,
@@ -359,7 +360,8 @@ int LUKS2_digest_create(struct crypt_device *cd,
  */
 int LUKS2_activate(struct crypt_device *cd,
 	const char *name,
-	struct volume_key *vk,
+	struct volume_key *crypt_key,
+	struct volume_key *opal_key,
 	uint32_t flags);
 
 int LUKS2_activate_multi(struct crypt_device *cd,
@@ -378,16 +380,23 @@ int LUKS2_generate_hdr(
 	struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	const struct volume_key *vk,
-	const char *cipherName,
-	const char *cipherMode,
+	const char *cipher_spec,
 	const char *integrity,
 	const char *uuid,
 	unsigned int sector_size,
 	uint64_t data_offset,
-	uint64_t align_offset,
-	uint64_t required_alignment,
-	uint64_t metadata_size,
-	uint64_t keyslots_size);
+	uint64_t metadata_size_bytes,
+	uint64_t keyslots_size_bytes,
+	uint64_t device_size_bytes,
+	uint32_t opal_segment_number,
+	uint32_t opal_key_size);
+
+int LUKS2_hdr_get_storage_params(struct crypt_device *cd,
+			    uint64_t alignment_offset_bytes,
+			    uint64_t alignment_bytes,
+			    uint64_t *ret_metadata_size_bytes,
+			    uint64_t *ret_keyslots_size_bytes,
+			    uint64_t *ret_data_offset_bytes);
 
 int LUKS2_check_metadata_area_size(uint64_t metadata_size);
 int LUKS2_check_keyslots_area_size(uint64_t keyslots_size);
@@ -414,6 +423,12 @@ int LUKS2_keyslot_area(struct luks2_hdr *hdr,
 	uint64_t *length);
 int LUKS2_keyslot_pbkdf(struct luks2_hdr *hdr, int keyslot, struct crypt_pbkdf_type *pbkdf);
 
+int LUKS2_split_crypt_and_opal_keys(struct crypt_device *cd,
+		struct luks2_hdr *hdr,
+		const struct volume_key *vk,
+		struct volume_key **ret_crypt_key,
+		struct volume_key **ret_opal_key);
+
 /*
  * Permanent activation flags stored in header
  */
@@ -457,6 +472,9 @@ int LUKS2_reencrypt_locked_recovery_by_passphrase(struct crypt_device *cd,
 	size_t passphrase_size,
 	struct volume_key **vks);
 
+int LUKS2_reencrypt_locked_recovery_by_vks(struct crypt_device *cd,
+	struct volume_key *vks);
+
 void LUKS2_reencrypt_free(struct crypt_device *cd,
 	struct luks2_reencrypt *rh);
 
@@ -479,9 +497,13 @@ int LUKS2_reencrypt_check_device_size(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	uint64_t check_size,
 	uint64_t *dev_size,
-	bool activation,
+	bool device_exclusive_check,
 	bool dynamic);
 
+void LUKS2_reencrypt_lookup_key_ids(struct crypt_device *cd,
+        struct luks2_hdr *hdr,
+        struct volume_key *vk);
+
 int LUKS2_reencrypt_digest_verify(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	struct volume_key *vks);

lib/luks2/luks2_digest.c

@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, digest handling
  *
- * Copyright (C) 2015-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2022 Milan Broz
+ * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2024 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -157,7 +157,7 @@ int LUKS2_digest_dump(struct crypt_device *cd, int digest)
 }
 
 int LUKS2_digest_any_matching(struct crypt_device *cd,
-		struct luks2_hdr *hdr,
+		struct luks2_hdr *hdr __attribute__((unused)),
 		const struct volume_key *vk)
 {
 	int digest;
@@ -174,6 +174,18 @@ int LUKS2_digest_verify_by_segment(struct crypt_device *cd,
 	int segment,
 	const struct volume_key *vk)
 {
+	int r = -EINVAL;
+	unsigned s;
+
+	if (segment == CRYPT_ANY_SEGMENT) {
+		for (s = 0; s < json_segments_count(LUKS2_get_segments_jobj(hdr)); s++) {
+			if ((r = LUKS2_digest_verify_by_digest(cd, LUKS2_digest_by_segment(hdr, s), vk)) >= 0)
+				return r;
+		}
+
+		return -EPERM;
+	}
+
 	return LUKS2_digest_verify_by_digest(cd, LUKS2_digest_by_segment(hdr, segment), vk);
 }
 

lib/luks2/luks2_digest_pbkdf2.c

@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, PBKDF2 digest handler (LUKS1 compatible)
  *
- * Copyright (C) 2015-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2022 Milan Broz
+ * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2024 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -147,6 +147,9 @@ static int PBKDF2_digest_store(struct crypt_device *cd,
 		json_object_object_get_ex(hdr->jobj, "digests", &jobj_digests);
 	}
 
+	if (!jobj_digest)
+		return -ENOMEM;
+
 	json_object_object_add(jobj_digest, "type", json_object_new_string("pbkdf2"));
 	json_object_object_add(jobj_digest, "keyslots", json_object_new_array());
 	json_object_object_add(jobj_digest, "segments", json_object_new_array());
@@ -169,8 +172,13 @@ static int PBKDF2_digest_store(struct crypt_device *cd,
 	json_object_object_add(jobj_digest, "digest", json_object_new_string(base64_str));
 	free(base64_str);
 
-	if (jobj_digests)
-		json_object_object_add_by_uint(jobj_digests, digest, jobj_digest);
+	if (jobj_digests) {
+		r = json_object_object_add_by_uint(jobj_digests, digest, jobj_digest);
+		if (r < 0) {
+			json_object_put(jobj_digest);
+			return r;
+		}
+	}
 
 	JSON_DBG(cd, jobj_digest, "Digest JSON:");
 	return 0;

lib/luks2/luks2_disk_metadata.c

@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2
  *
- * Copyright (C) 2015-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2022 Milan Broz
+ * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2024 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -256,6 +256,7 @@ static int hdr_read_disk(struct crypt_device *cd,
 	if (read_lseek_blockwise(devfd, device_block_size(cd, device),
 				 device_alignment(device), hdr_disk,
 				 LUKS2_HDR_BIN_LEN, offset) != LUKS2_HDR_BIN_LEN) {
+		memset(hdr_disk, 0, LUKS2_HDR_BIN_LEN);
 		return -EIO;
 	}
 
@@ -537,11 +538,20 @@ static int validate_luks2_json_object(struct crypt_device *cd, json_object *jobj
 }
 
 static json_object *parse_and_validate_json(struct crypt_device *cd,
-					    const char *json_area, uint64_t max_length)
+					    const char *json_area, uint64_t hdr_size)
 {
 	int json_len, r;
-	json_object *jobj = parse_json_len(cd, json_area, max_length, &json_len);
+	json_object *jobj;
+	uint64_t max_length;
 
+	if (hdr_size <= LUKS2_HDR_BIN_LEN || hdr_size > LUKS2_HDR_OFFSET_MAX) {
+		log_dbg(cd, "LUKS2 header JSON has bogus size 0x%04" PRIx64 ".", hdr_size);
+		return NULL;
+	}
+
+	max_length = hdr_size - LUKS2_HDR_BIN_LEN;
+
+	jobj = parse_json_len(cd, json_area, max_length, &json_len);
 	if (!jobj)
 		return NULL;
 
@@ -635,7 +645,7 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
 	state_hdr1 = HDR_FAIL;
 	r = hdr_read_disk(cd, device, &hdr_disk1, &json_area1, 0, 0);
 	if (r == 0) {
-		jobj_hdr1 = parse_and_validate_json(cd, json_area1, be64_to_cpu(hdr_disk1.hdr_size) - LUKS2_HDR_BIN_LEN);
+		jobj_hdr1 = parse_and_validate_json(cd, json_area1, be64_to_cpu(hdr_disk1.hdr_size));
 		state_hdr1 = jobj_hdr1 ? HDR_OK : HDR_OBSOLETE;
 	} else if (r == -EIO)
 		state_hdr1 = HDR_FAIL_IO;
@@ -647,7 +657,7 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
 	if (state_hdr1 != HDR_FAIL && state_hdr1 != HDR_FAIL_IO) {
 		r = hdr_read_disk(cd, device, &hdr_disk2, &json_area2, be64_to_cpu(hdr_disk1.hdr_size), 1);
 		if (r == 0) {
-			jobj_hdr2 = parse_and_validate_json(cd, json_area2, be64_to_cpu(hdr_disk2.hdr_size) - LUKS2_HDR_BIN_LEN);
+			jobj_hdr2 = parse_and_validate_json(cd, json_area2, be64_to_cpu(hdr_disk2.hdr_size));
 			state_hdr2 = jobj_hdr2 ? HDR_OK : HDR_OBSOLETE;
 		} else if (r == -EIO)
 			state_hdr2 = HDR_FAIL_IO;
@@ -655,11 +665,12 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
 		/*
 		 * No header size, check all known offsets.
 		 */
+		hdr_disk2.hdr_size = 0;
 		for (r = -EINVAL,i = 0; r < 0 && i < ARRAY_SIZE(hdr2_offsets); i++)
 			r = hdr_read_disk(cd, device, &hdr_disk2, &json_area2, hdr2_offsets[i], 1);
 
 		if (r == 0) {
-			jobj_hdr2 = parse_and_validate_json(cd, json_area2, be64_to_cpu(hdr_disk2.hdr_size) - LUKS2_HDR_BIN_LEN);
+			jobj_hdr2 = parse_and_validate_json(cd, json_area2, be64_to_cpu(hdr_disk2.hdr_size));
 			state_hdr2 = jobj_hdr2 ? HDR_OK : HDR_OBSOLETE;
 		} else if (r == -EIO)
 			state_hdr2 = HDR_FAIL_IO;

lib/luks2/luks2_internal.h

@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2
  *
- * Copyright (C) 2015-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2022 Milan Broz
+ * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2024 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -62,6 +62,7 @@ uint32_t crypt_jobj_get_uint32(json_object *jobj);
 json_object *crypt_jobj_new_uint64(uint64_t value);
 
 int json_object_object_add_by_uint(json_object *jobj, unsigned key, json_object *jobj_val);
+int json_object_object_add_by_uint_by_ref(json_object *jobj, unsigned key, json_object **jobj_val_ref);
 void json_object_object_del_by_uint(json_object *jobj, unsigned key);
 int json_object_copy(json_object *jobj_src, json_object **jobj_dst);
 
@@ -295,13 +296,24 @@ uint64_t json_segment_get_iv_offset(json_object *jobj_segment);
 uint64_t json_segment_get_size(json_object *jobj_segment, unsigned blockwise);
 const char *json_segment_get_cipher(json_object *jobj_segment);
 uint32_t json_segment_get_sector_size(json_object *jobj_segment);
+int json_segment_get_opal_segment_id(json_object *jobj_segment, uint32_t *ret_opal_segment_id);
+int json_segment_get_opal_key_size(json_object *jobj_segment, size_t *ret_key_size);
 bool json_segment_is_backup(json_object *jobj_segment);
 json_object *json_segments_get_segment(json_object *jobj_segments, int segment);
 unsigned json_segments_count(json_object *jobj_segments);
 void json_segment_remove_flag(json_object *jobj_segment, const char *flag);
 uint64_t json_segments_get_minimal_offset(json_object *jobj_segments, unsigned blockwise);
 json_object *json_segment_create_linear(uint64_t offset, const uint64_t *length, unsigned reencryption);
-json_object *json_segment_create_crypt(uint64_t offset, uint64_t iv_offset, const uint64_t *length, const char *cipher, uint32_t sector_size, unsigned reencryption);
+json_object *json_segment_create_crypt(uint64_t offset, uint64_t iv_offset, const uint64_t *length,
+				       const char *cipher, const char *integrity,
+				       uint32_t sector_size, unsigned reencryption);
+json_object *json_segment_create_opal(uint64_t offset, const uint64_t *length,
+				      uint32_t segment_number, uint32_t key_size);
+json_object *json_segment_create_opal_crypt(uint64_t offset, const uint64_t *length,
+					    uint32_t segment_number, uint32_t key_size,
+					    uint64_t iv_offset, const char *cipher,
+					    const char *integrity, uint32_t sector_size,
+					    unsigned reencryption);
 int json_segments_segment_in_reencrypt(json_object *jobj_segments);
 bool json_segment_cmp(json_object *jobj_segment_1, json_object *jobj_segment_2);
 bool json_segment_contains_flag(json_object *jobj_segment, const char *flag_str, size_t len);
@@ -338,10 +350,26 @@ uint64_t LUKS2_segment_size(struct luks2_hdr *hdr,
 	int segment,
 	unsigned blockwise);
 
+bool LUKS2_segment_set_size(struct luks2_hdr *hdr,
+	int segment,
+	const uint64_t *segment_size_bytes);
+
+uint64_t LUKS2_opal_segment_size(struct luks2_hdr *hdr,
+	int segment,
+	unsigned blockwise);
+
 int LUKS2_segment_is_type(struct luks2_hdr *hdr,
 	int segment,
 	const char *type);
 
+bool LUKS2_segment_is_hw_opal(struct luks2_hdr *hdr, int segment);
+bool LUKS2_segment_is_hw_opal_crypt(struct luks2_hdr *hdr, int segment);
+bool LUKS2_segment_is_hw_opal_only(struct luks2_hdr *hdr, int segment);
+
+int LUKS2_get_opal_segment_number(struct luks2_hdr *hdr, int segment,
+				  uint32_t *ret_opal_segment_number);
+int LUKS2_get_opal_key_size(struct luks2_hdr *hdr, int segment);
+
 int LUKS2_segment_by_type(struct luks2_hdr *hdr,
 	const char *type);
 
@@ -350,8 +378,11 @@ int LUKS2_last_segment_by_type(struct luks2_hdr *hdr,
 
 int LUKS2_get_default_segment(struct luks2_hdr *hdr);
 
+bool LUKS2_segments_dynamic_size(struct luks2_hdr *hdr);
+
 int LUKS2_reencrypt_digest_new(struct luks2_hdr *hdr);
 int LUKS2_reencrypt_digest_old(struct luks2_hdr *hdr);
+unsigned LUKS2_reencrypt_vks_count(struct luks2_hdr *hdr);
 int LUKS2_reencrypt_data_offset(struct luks2_hdr *hdr, bool blockwise);
 
 /*

lib/luks2/luks2_json_format.c

@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, LUKS2 header format code
  *
- * Copyright (C) 2015-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2022 Milan Broz
+ * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2024 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -204,76 +204,33 @@ int LUKS2_generate_hdr(
 	struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	const struct volume_key *vk,
-	const char *cipherName,
-	const char *cipherMode,
+	const char *cipher_spec,
 	const char *integrity,
 	const char *uuid,
 	unsigned int sector_size,  /* in bytes */
 	uint64_t data_offset,      /* in bytes */
-	uint64_t align_offset,     /* in bytes */
-	uint64_t required_alignment,
-	uint64_t metadata_size,
-	uint64_t keyslots_size)
+	uint64_t metadata_size_bytes,
+	uint64_t keyslots_size_bytes,
+	uint64_t device_size_bytes,
+	uint32_t opal_segment_number,
+	uint32_t opal_key_size)
 {
-	struct json_object *jobj_segment, *jobj_integrity, *jobj_keyslots, *jobj_segments, *jobj_config;
-	char cipher[128];
+	struct json_object *jobj_segment, *jobj_keyslots, *jobj_segments, *jobj_config;
 	uuid_t partitionUuid;
 	int r, digest;
-	uint64_t mdev_size;
 
-	if (!metadata_size)
-		metadata_size = LUKS2_HDR_16K_LEN;
-	hdr->hdr_size = metadata_size;
+	assert(cipher_spec || (opal_key_size > 0 && device_size_bytes));
 
-	if (data_offset && data_offset < get_min_offset(hdr)) {
-		log_err(cd, _("Requested data offset is too small."));
-		return -EINVAL;
-	}
-
-	/* Increase keyslot size according to data offset */
-	if (!keyslots_size && data_offset)
-		keyslots_size = data_offset - get_min_offset(hdr);
-
-	/* keyslots size has to be 4 KiB aligned */
-	keyslots_size -= (keyslots_size % 4096);
-
-	if (keyslots_size > LUKS2_MAX_KEYSLOTS_SIZE)
-		keyslots_size = LUKS2_MAX_KEYSLOTS_SIZE;
-
-	if (!keyslots_size) {
-		assert(LUKS2_DEFAULT_HDR_SIZE > 2 * LUKS2_HDR_OFFSET_MAX);
-		keyslots_size = LUKS2_DEFAULT_HDR_SIZE - get_min_offset(hdr);
-		/* Decrease keyslots_size due to metadata device being too small */
-		if (!device_size(crypt_metadata_device(cd), &mdev_size) &&
-		    ((keyslots_size + get_min_offset(hdr)) > mdev_size) &&
-		    device_fallocate(crypt_metadata_device(cd), keyslots_size + get_min_offset(hdr)) &&
-		    (get_min_offset(hdr) <= mdev_size))
-			keyslots_size = mdev_size - get_min_offset(hdr);
-	}
-
-	/* Decrease keyslots_size if we have smaller data_offset */
-	if (data_offset && (keyslots_size + get_min_offset(hdr)) > data_offset) {
-		keyslots_size = data_offset - get_min_offset(hdr);
-		log_dbg(cd, "Decreasing keyslot area size to %" PRIu64
-			" bytes due to the requested data offset %"
-			PRIu64 " bytes.", keyslots_size, data_offset);
-	}
-
-	/* Data offset has priority */
-	if (!data_offset && required_alignment) {
-		data_offset = size_round_up(get_min_offset(hdr) + keyslots_size,
-					    (size_t)required_alignment);
-		data_offset += align_offset;
-	}
+	hdr->hdr_size = metadata_size_bytes;
 
 	log_dbg(cd, "Formatting LUKS2 with JSON metadata area %" PRIu64
 		" bytes and keyslots area %" PRIu64 " bytes.",
-		metadata_size - LUKS2_HDR_BIN_LEN, keyslots_size);
+		metadata_size_bytes - LUKS2_HDR_BIN_LEN, keyslots_size_bytes);
 
-	if (keyslots_size < (LUKS2_HDR_OFFSET_MAX - 2*LUKS2_HDR_16K_LEN))
+	if (keyslots_size_bytes < (LUKS2_HDR_OFFSET_MAX - 2*LUKS2_HDR_16K_LEN))
 		log_std(cd, _("WARNING: keyslots area (%" PRIu64 " bytes) is very small,"
 			" available LUKS2 keyslot count is very limited.\n"),
-			keyslots_size);
+			keyslots_size_bytes);
 
 	hdr->seqid = 1;
 	hdr->version = 2;
@@ -291,54 +248,81 @@ int LUKS2_generate_hdr(
 
 	uuid_unparse(partitionUuid, hdr->uuid);
 
-	if (*cipherMode != '\0')
-		r = snprintf(cipher, sizeof(cipher), "%s-%s", cipherName, cipherMode);
-	else
-		r = snprintf(cipher, sizeof(cipher), "%s", cipherName);
-	if (r < 0 || (size_t)r >= sizeof(cipher))
-		return -EINVAL;
-
 	hdr->jobj = json_object_new_object();
+	if (!hdr->jobj) {
+		r = -ENOMEM;
+		goto err;
+	}
 
 	jobj_keyslots = json_object_new_object();
+	if (!jobj_keyslots) {
+		r = -ENOMEM;
+		goto err;
+	}
+
 	json_object_object_add(hdr->jobj, "keyslots", jobj_keyslots);
 	json_object_object_add(hdr->jobj, "tokens", json_object_new_object());
 	jobj_segments = json_object_new_object();
+	if (!jobj_segments) {
+		r = -ENOMEM;
+		goto err;
+	}
+
 	json_object_object_add(hdr->jobj, "segments", jobj_segments);
 	json_object_object_add(hdr->jobj, "digests", json_object_new_object());
 	jobj_config = json_object_new_object();
+	if (!jobj_config) {
+		r = -ENOMEM;
+		goto err;
+	}
+
 	json_object_object_add(hdr->jobj, "config", jobj_config);
 
 	digest = LUKS2_digest_create(cd, "pbkdf2", hdr, vk);
-	if (digest < 0)
+	if (digest < 0) {
+		r = -EINVAL;
 		goto err;
-
-	if (LUKS2_digest_segment_assign(cd, hdr, 0, digest, 1, 0) < 0)
-		goto err;
-
-	jobj_segment = json_segment_create_crypt(data_offset, 0, NULL, cipher, sector_size, 0);
-	if (!jobj_segment)
-		goto err;
-
-	if (integrity) {
-		jobj_integrity = json_object_new_object();
-		json_object_object_add(jobj_integrity, "type", json_object_new_string(integrity));
-		json_object_object_add(jobj_integrity, "journal_encryption", json_object_new_string("none"));
-		json_object_object_add(jobj_integrity, "journal_integrity", json_object_new_string("none"));
-		json_object_object_add(jobj_segment, "integrity", jobj_integrity);
 	}
 
-	json_object_object_add_by_uint(jobj_segments, 0, jobj_segment);
+	if (LUKS2_digest_segment_assign(cd, hdr, 0, digest, 1, 0) < 0) {
+		r = -EINVAL;
+		goto err;
+	}
 
-	json_object_object_add(jobj_config, "json_size", crypt_jobj_new_uint64(metadata_size - LUKS2_HDR_BIN_LEN));
-	json_object_object_add(jobj_config, "keyslots_size", crypt_jobj_new_uint64(keyslots_size));
+	if (!opal_key_size)
+		jobj_segment = json_segment_create_crypt(data_offset, 0,
+							 NULL, cipher_spec,
+							 integrity, sector_size,
+							 0);
+	else if (opal_key_size && cipher_spec)
+		jobj_segment = json_segment_create_opal_crypt(data_offset, &device_size_bytes,
+							      opal_segment_number, opal_key_size, 0,
+							      cipher_spec, integrity,
+							      sector_size, 0);
+	else
+		jobj_segment = json_segment_create_opal(data_offset, &device_size_bytes,
+							opal_segment_number, opal_key_size);
+
+	if (!jobj_segment) {
+		r = -EINVAL;
+		goto err;
+	}
+
+	if (json_object_object_add_by_uint(jobj_segments, 0, jobj_segment)) {
+		json_object_put(jobj_segment);
+		r = -ENOMEM;
+		goto err;
+	}
+
+	json_object_object_add(jobj_config, "json_size", crypt_jobj_new_uint64(metadata_size_bytes - LUKS2_HDR_BIN_LEN));
+	json_object_object_add(jobj_config, "keyslots_size", crypt_jobj_new_uint64(keyslots_size_bytes));
 
 	JSON_DBG(cd, hdr->jobj, "Header JSON:");
 	return 0;
 err:
 	json_object_put(hdr->jobj);
 	hdr->jobj = NULL;
-	return -EINVAL;
+	return r;
 }
 
 int LUKS2_wipe_header_areas(struct crypt_device *cd,
@@ -379,6 +363,14 @@ int LUKS2_wipe_header_areas(struct crypt_device *cd,
 	offset = get_min_offset(hdr);
 	length = LUKS2_keyslots_size(hdr);
 
+	/*
+	 * Skip keyslots area wipe in case it is not defined.
+	 * Otherwise we would wipe whole data device (length == 0)
+	 * starting at offset get_min_offset(hdr).
+	 */
+	if (!length)
+		return 0;
+
 	log_dbg(cd, "Wiping keyslots area (0x%06" PRIx64 " - 0x%06" PRIx64") with random data.",
 		offset, length + offset);
 
@@ -409,3 +401,80 @@ int LUKS2_set_keyslots_size(struct luks2_hdr *hdr, uint64_t data_offset)
 	json_object_object_add(jobj_config, "keyslots_size", crypt_jobj_new_uint64(keyslots_size));
 	return 0;
 }
+
+int LUKS2_hdr_get_storage_params(struct crypt_device *cd,
+			    uint64_t alignment_offset_bytes,
+			    uint64_t alignment_bytes,
+			    uint64_t *ret_metadata_size_bytes,
+			    uint64_t *ret_keyslots_size_bytes,
+			    uint64_t *ret_data_offset_bytes)
+{
+	uint64_t data_offset_bytes, keyslots_size_bytes, metadata_size_bytes, mdev_size_bytes;
+
+	assert(cd);
+	assert(ret_metadata_size_bytes);
+	assert(ret_keyslots_size_bytes);
+	assert(ret_data_offset_bytes);
+
+	metadata_size_bytes = crypt_get_metadata_size_bytes(cd);
+	keyslots_size_bytes = crypt_get_keyslots_size_bytes(cd);
+	data_offset_bytes = crypt_get_data_offset_sectors(cd) * SECTOR_SIZE;
+
+	if (!metadata_size_bytes)
+		metadata_size_bytes = LUKS2_HDR_16K_LEN;
+
+	if (data_offset_bytes && data_offset_bytes < 2 * metadata_size_bytes) {
+		log_err(cd, _("Requested data offset is too small."));
+		return -EINVAL;
+	}
+
+	/* Increase keyslot size according to data offset */
+	if (!keyslots_size_bytes && data_offset_bytes)
+		keyslots_size_bytes = data_offset_bytes - 2 * metadata_size_bytes;
+
+	/* keyslots size has to be 4 KiB aligned */
+	keyslots_size_bytes -= (keyslots_size_bytes % 4096);
+
+	if (keyslots_size_bytes > LUKS2_MAX_KEYSLOTS_SIZE)
+		keyslots_size_bytes = LUKS2_MAX_KEYSLOTS_SIZE;
+
+	if (!keyslots_size_bytes) {
+		assert(LUKS2_DEFAULT_HDR_SIZE > 2 * LUKS2_HDR_OFFSET_MAX);
+		keyslots_size_bytes = LUKS2_DEFAULT_HDR_SIZE - 2 * metadata_size_bytes;
+		/* Decrease keyslots_size due to metadata device being too small */
+		if (!device_size(crypt_metadata_device(cd), &mdev_size_bytes) &&
+		    ((keyslots_size_bytes + 2 * metadata_size_bytes) > mdev_size_bytes) &&
+		    device_fallocate(crypt_metadata_device(cd), keyslots_size_bytes + 2 * metadata_size_bytes) &&
+		    ((2 * metadata_size_bytes) <= mdev_size_bytes))
+			keyslots_size_bytes = mdev_size_bytes - 2 * metadata_size_bytes;
+	}
+
+	/* Decrease keyslots_size if we have smaller data_offset */
+	if (data_offset_bytes && (keyslots_size_bytes + 2 * metadata_size_bytes) > data_offset_bytes) {
+		keyslots_size_bytes = data_offset_bytes - 2 * metadata_size_bytes;
+		log_dbg(cd, "Decreasing keyslot area size to %" PRIu64
+			" bytes due to the requested data offset %"
+			PRIu64 " bytes.", keyslots_size_bytes, data_offset_bytes);
+	}
+
+	/* Data offset has priority */
+	if (!data_offset_bytes && alignment_bytes) {
+		data_offset_bytes = size_round_up(2 * metadata_size_bytes + keyslots_size_bytes,
+					    (size_t)alignment_bytes);
+		data_offset_bytes += alignment_offset_bytes;
+	}
+
+	if (crypt_get_metadata_size_bytes(cd) && (crypt_get_metadata_size_bytes(cd) != metadata_size_bytes))
+		log_std(cd, _("WARNING: LUKS2 metadata size changed to %" PRIu64 " bytes.\n"),
+			metadata_size_bytes);
+
+	if (crypt_get_keyslots_size_bytes(cd) && (crypt_get_keyslots_size_bytes(cd) != keyslots_size_bytes))
+		log_std(cd, _("WARNING: LUKS2 keyslots area size changed to %" PRIu64 " bytes.\n"),
+			keyslots_size_bytes);
+
+	*ret_metadata_size_bytes = metadata_size_bytes;
+	*ret_keyslots_size_bytes = keyslots_size_bytes;
+	*ret_data_offset_bytes = data_offset_bytes;
+
+	return 0;
+}

lib/luks2/luks2_json_metadata.c

@@ -1,9 +1,9 @@
 /*
  * LUKS - Linux Unified Key Setup v2
  *
- * Copyright (C) 2015-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2022 Milan Broz
- * Copyright (C) 2015-2022 Ondrej Kozina
+ * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2024 Milan Broz
+ * Copyright (C) 2015-2024 Ondrej Kozina
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -21,6 +21,7 @@
  */
 
 #include "luks2_internal.h"
+#include "luks2/hw_opal/hw_opal.h"
 #include "../integrity/integrity.h"
 #include <ctype.h>
 #include <uuid/uuid.h>
@@ -88,6 +89,9 @@ struct json_object *LUKS2_array_remove(struct json_object *array, const char *nu
 
 	/* Create new array without jobj_removing. */
 	array_new = json_object_new_array();
+	if (!array_new)
+		return NULL;
+
 	for (i = 0; i < (int) json_object_array_length(array); i++) {
 		jobj1 = json_object_array_get_idx(array, i);
 		if (jobj1 != jobj_removing)
@@ -478,6 +482,9 @@ static int hdr_validate_json_size(struct crypt_device *cd, json_object *hdr_jobj
 
 	json = json_object_to_json_string_ext(hdr_jobj,
 		JSON_C_TO_STRING_PLAIN | JSON_C_TO_STRING_NOSLASHESCAPE);
+	if (!json)
+		return 1;
+
 	json_area_size = crypt_jobj_get_uint64(jobj1);
 	json_size = (uint64_t)strlen(json);
 
@@ -637,6 +644,11 @@ static int reqs_reencrypt_online(uint32_t reqs)
 	return reqs & CRYPT_REQUIREMENT_ONLINE_REENCRYPT;
 }
 
+static int reqs_opal(uint32_t reqs)
+{
+	return reqs & CRYPT_REQUIREMENT_OPAL;
+}
+
 /*
  * Config section requirements object must be valid.
  * Also general segments section must be validated first.
@@ -697,7 +709,7 @@ static int validate_reencrypt_segments(struct crypt_device *cd, json_object *hdr
 static int hdr_validate_segments(struct crypt_device *cd, json_object *hdr_jobj)
 {
 	json_object *jobj_segments, *jobj_digests, *jobj_offset, *jobj_size, *jobj_type, *jobj_flags, *jobj;
-	uint64_t offset, size;
+	uint64_t offset, size, opal_segment_size;
 	int i, r, count, first_backup = -1;
 	struct interval *intervals = NULL;
 
@@ -777,6 +789,32 @@ static int hdr_validate_segments(struct crypt_device *cd, json_object *hdr_jobj)
 		if (!strcmp(json_object_get_string(jobj_type), "crypt") &&
 		    hdr_validate_crypt_segment(cd, val, key, jobj_digests, size))
 			return 1;
+
+		/* opal */
+		if (!strncmp(json_object_get_string(jobj_type), "hw-opal", 7)) {
+			if (!size) {
+				log_dbg(cd, "segment type %s does not support dynamic size.",
+					json_object_get_string(jobj_type));
+				return 1;
+			}
+			if (!json_contains(cd, val, key, "Segment", "opal_segment_number", json_type_int) ||
+			    !json_contains(cd, val, key, "Segment", "opal_key_size", json_type_int) ||
+			    !(jobj_size = json_contains_string(cd, val, key, "Segment", "opal_segment_size")))
+				return 1;
+			if (!numbered(cd, "opal_segment_size", json_object_get_string(jobj_size)))
+				return 1;
+			if (!json_str_to_uint64(jobj_size, &opal_segment_size) || !opal_segment_size) {
+				log_dbg(cd, "Illegal OPAL segment size value.");
+				return 1;
+			}
+			if (size > opal_segment_size) {
+				log_dbg(cd, "segment size overflows OPAL locking range size.");
+				return 1;
+			}
+			if (!strcmp(json_object_get_string(jobj_type), "hw-opal-crypt") &&
+			    hdr_validate_crypt_segment(cd, val, key, jobj_digests, size))
+				return 1;
+		}
 	}
 
 	if (first_backup == 0) {
@@ -1575,6 +1613,8 @@ int LUKS2_config_set_flags(struct crypt_device *cd, struct luks2_hdr *hdr, uint3
 		return 0;
 
 	jobj_flags = json_object_new_array();
+	if (!jobj_flags)
+		return -ENOMEM;
 
 	for (i = 0; persistent_flags[i].description; i++) {
 		if (flags & persistent_flags[i].flag) {
@@ -1615,6 +1655,7 @@ static const struct requirement_flag requirements_flags[] = {
 	{ CRYPT_REQUIREMENT_ONLINE_REENCRYPT, 2, "online-reencrypt-v2" },
 	{ CRYPT_REQUIREMENT_ONLINE_REENCRYPT, 3, "online-reencrypt-v3" },
 	{ CRYPT_REQUIREMENT_ONLINE_REENCRYPT, 1, "online-reencrypt" },
+	{ CRYPT_REQUIREMENT_OPAL,	      1, "opal" },
 	{ 0, 0, NULL }
 };
 
@@ -1707,7 +1748,7 @@ int LUKS2_config_get_reencrypt_version(struct luks2_hdr *hdr, uint8_t *version)
 	return -ENOENT;
 }
 
-static const struct requirement_flag *stored_requirement_name_by_id(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t req_id)
+static const struct requirement_flag *stored_requirement_name_by_id(struct luks2_hdr *hdr, uint32_t req_id)
 {
 	json_object *jobj_mandatory, *jobj;
 	int i, len;
@@ -1786,7 +1827,7 @@ int LUKS2_config_set_requirements(struct crypt_device *cd, struct luks2_hdr *hdr
 		req_id = reqs & requirements_flags[i].flag;
 		if (req_id) {
 			/* retain already stored version of requirement flag */
-			req = stored_requirement_name_by_id(cd, hdr, req_id);
+			req = stored_requirement_name_by_id(hdr, req_id);
 			if (req)
 				jobj = json_object_new_string(req->description);
 			else
@@ -2090,6 +2131,8 @@ static void hdr_dump_segments(struct crypt_device *cd, json_object *hdr_jobj)
 
 		if (json_object_object_get_ex(jobj_segment, "encryption", &jobj1))
 			log_std(cd, "\tcipher: %s\n", json_object_get_string(jobj1));
+		else
+			log_std(cd, "\tcipher: (no SW encryption)\n");
 
 		if (json_object_object_get_ex(jobj_segment, "sector_size", &jobj1))
 			log_std(cd, "\tsector: %" PRIu32 " [bytes]\n", crypt_jobj_get_uint32(jobj1));
@@ -2109,6 +2152,18 @@ static void hdr_dump_segments(struct crypt_device *cd, json_object *hdr_jobj)
 			log_std(cd, "\n");
 		}
 
+		json_object_object_get_ex(jobj_segment, "type", &jobj1);
+		if (!strncmp(json_object_get_string(jobj1), "hw-opal", 7)) {
+			log_std(cd, "\tHW OPAL encryption:\n");
+			json_object_object_get_ex(jobj_segment, "opal_segment_number", &jobj1);
+			log_std(cd, "\t\tOPAL segment number: %" PRIu32 "\n", crypt_jobj_get_uint32(jobj1));
+			json_object_object_get_ex(jobj_segment, "opal_key_size", &jobj1);
+			log_std(cd, "\t\tOPAL key: %" PRIu32 " bits\n", crypt_jobj_get_uint32(jobj1) * 8);
+			json_object_object_get_ex(jobj_segment, "opal_segment_size", &jobj1);
+			json_str_to_uint64(jobj1, &value);
+			log_std(cd, "\t\tOPAL segment length: %" PRIu64 " [bytes]\n", value);
+		}
+
 		log_std(cd, "\n");
 	}
 }
@@ -2584,26 +2639,104 @@ int LUKS2_activate_multi(struct crypt_device *cd,
 
 int LUKS2_activate(struct crypt_device *cd,
 	const char *name,
-	struct volume_key *vk,
+	struct volume_key *crypt_key,
+	struct volume_key *opal_key,
 	uint32_t flags)
 {
 	int r;
+	bool dynamic, read_lock, write_lock, opal_lock_on_error = false;
+	uint32_t opal_segment_number;
+	uint64_t range_offset_sectors, range_length_sectors, device_length_bytes;
 	struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
 	struct crypt_dm_active_device dmdi = {}, dmd = {
 		.uuid   = crypt_get_uuid(cd)
 	};
+	struct crypt_lock_handle *opal_lh = NULL;
 
 	/* do not allow activation when particular requirements detected */
-	if ((r = LUKS2_unmet_requirements(cd, hdr, 0, 0)))
+	if ((r = LUKS2_unmet_requirements(cd, hdr, CRYPT_REQUIREMENT_OPAL, 0)))
 		return r;
 
-	r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd),
-			vk, crypt_get_cipher_spec(cd), crypt_get_iv_offset(cd),
-			crypt_get_data_offset(cd), crypt_get_integrity(cd) ?: "none",
-			crypt_get_integrity_tag_size(cd), crypt_get_sector_size(cd));
-	if (r < 0)
+	/* Check that cipher is in compatible format */
+	if (!crypt_get_cipher(cd)) {
+		log_err(cd, _("No known cipher specification pattern detected in LUKS2 header."));
+		return -EINVAL;
+	}
+
+	if ((r = LUKS2_get_data_size(hdr, &device_length_bytes, &dynamic)))
 		return r;
 
+	if (dynamic && opal_key) {
+		log_err(cd, _("OPAL device must have static device size."));
+		return -EINVAL;
+	}
+
+	if (!dynamic)
+		dmd.size = device_length_bytes / SECTOR_SIZE;
+
+	if (opal_key) {
+		r = crypt_opal_supported(cd, crypt_data_device(cd));
+		if (r < 0)
+			return r;
+
+		r = LUKS2_get_opal_segment_number(hdr, CRYPT_DEFAULT_SEGMENT, &opal_segment_number);
+		if (r < 0)
+			return -EINVAL;
+
+		range_length_sectors = LUKS2_opal_segment_size(hdr, CRYPT_DEFAULT_SEGMENT, 1);
+
+		if (crypt_get_integrity_tag_size(cd)) {
+			if (dmd.size >= range_length_sectors) {
+				log_err(cd, _("Encrypted OPAL device with integrity must be smaller than locking range."));
+				return -EINVAL;
+			}
+		} else {
+			if (range_length_sectors != dmd.size) {
+				log_err(cd, _("OPAL device must have same size as locking range."));
+				return -EINVAL;
+			}
+		}
+
+		range_offset_sectors = crypt_get_data_offset(cd) + crypt_dev_partition_offset(device_path(crypt_data_device(cd)));
+		r = opal_exclusive_lock(cd, crypt_data_device(cd), &opal_lh);
+		if (r < 0) {
+			log_err(cd, _("Failed to acquire OPAL lock on device %s."), device_path(crypt_data_device(cd)));
+			return -EINVAL;
+		}
+
+		r = opal_range_check_attributes_and_get_lock_state(cd, crypt_data_device(cd), opal_segment_number,
+						opal_key, &range_offset_sectors, &range_length_sectors,
+						&read_lock, &write_lock);
+		if (r < 0)
+			goto out;
+
+		opal_lock_on_error = read_lock && write_lock;
+		if (!opal_lock_on_error && !(flags & CRYPT_ACTIVATE_REFRESH))
+			log_std(cd, _("OPAL device is %s already unlocked.\n"),
+				    device_path(crypt_data_device(cd)));
+
+		r = opal_unlock(cd, crypt_data_device(cd), opal_segment_number, opal_key);
+		if (r < 0)
+			goto out;
+	}
+
+	if (LUKS2_segment_is_type(hdr, CRYPT_DEFAULT_SEGMENT, "crypt") ||
+	    LUKS2_segment_is_type(hdr, CRYPT_DEFAULT_SEGMENT, "hw-opal-crypt")) {
+		r = dm_crypt_target_set(&dmd.segment, 0,
+					dmd.size, crypt_data_device(cd),
+					crypt_key, crypt_get_cipher_spec(cd),
+					crypt_get_iv_offset(cd), crypt_get_data_offset(cd),
+					crypt_get_integrity(cd) ?: "none",
+					crypt_get_integrity_tag_size(cd),
+					crypt_get_sector_size(cd));
+	} else
+		r = dm_linear_target_set(&dmd.segment, 0,
+					 dmd.size, crypt_data_device(cd),
+					 crypt_get_data_offset(cd));
+
+	if (r < 0)
+		goto out;
+
 	/* Add persistent activation flags */
 	if (!(flags & CRYPT_ACTIVATE_IGNORE_PERSISTENT))
 		LUKS2_config_get_flags(cd, hdr, &dmd.flags);
@@ -2613,29 +2746,47 @@ int LUKS2_activate(struct crypt_device *cd,
 	if (crypt_get_integrity_tag_size(cd)) {
 		if (!LUKS2_integrity_compatible(hdr)) {
 			log_err(cd, _("Unsupported device integrity configuration."));
-			return -EINVAL;
+			r = -EINVAL;
+			goto out;
 		}
 
 		if (dmd.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS) {
 			log_err(cd, _("Discard/TRIM is not supported."));
-			return -EINVAL;
+			r = -EINVAL;
+			goto out;
 		}
 
 		r = INTEGRITY_create_dmd_device(cd, NULL, NULL, NULL, NULL, &dmdi, dmd.flags, 0);
 		if (r)
-			return r;
+			goto out;
+
+		if (!dynamic && dmdi.size != dmd.size) {
+			log_err(cd, _("Underlying dm-integrity device with unexpected provided data sectors."));
+			r = -EINVAL;
+			goto out;
+		}
 
 		dmdi.flags |= CRYPT_ACTIVATE_PRIVATE;
 		dmdi.uuid = dmd.uuid;
 		dmd.segment.u.crypt.offset = 0;
-		dmd.segment.size = dmdi.segment.size;
+		if (dynamic)
+			dmd.segment.size = dmdi.segment.size;
 
-		r = create_or_reload_device_with_integrity(cd, name, CRYPT_LUKS2, &dmd, &dmdi);
+		r = create_or_reload_device_with_integrity(cd, name,
+							   opal_key ? CRYPT_LUKS2_HW_OPAL : CRYPT_LUKS2,
+							   &dmd, &dmdi);
 	} else
-		r = create_or_reload_device(cd, name, CRYPT_LUKS2, &dmd);
+		r = create_or_reload_device(cd, name,
+					    opal_key ? CRYPT_LUKS2_HW_OPAL : CRYPT_LUKS2,
+					    &dmd);
 
 	dm_targets_free(cd, &dmd);
 	dm_targets_free(cd, &dmdi);
+out:
+	if (r < 0 && opal_lock_on_error)
+		opal_lock(cd, crypt_data_device(cd), opal_segment_number);
+
+	opal_exclusive_unlock(cd, opal_lh);
 
 	return r;
 }
@@ -2665,13 +2816,15 @@ static bool contains_reencryption_helper(char **names)
 
 int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr *hdr, struct crypt_dm_active_device *dmd, uint32_t flags)
 {
+	bool dm_opal_uuid;
 	int r, ret;
 	struct dm_target *tgt;
 	crypt_status_info ci;
 	struct crypt_dm_active_device dmdc;
+	uint32_t opal_segment_number;
 	char **dep, deps_uuid_prefix[40], *deps[MAX_DM_DEPS+1] = { 0 };
 	const char *namei = NULL;
-	struct crypt_lock_handle *reencrypt_lock = NULL;
+	struct crypt_lock_handle *reencrypt_lock = NULL, *opal_lh = NULL;
 
 	if (!dmd || !dmd->uuid || strncmp(CRYPT_LUKS2, dmd->uuid, sizeof(CRYPT_LUKS2)-1))
 		return -EINVAL;
@@ -2684,6 +2837,11 @@ int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr
 	if (r < 0 || (size_t)r != (sizeof(deps_uuid_prefix) - 1))
 		return -EINVAL;
 
+	/* check if active device has LUKS2-OPAL dm uuid prefix */
+	dm_opal_uuid = !crypt_uuid_type_cmp(dmd->uuid, CRYPT_LUKS2_HW_OPAL);
+	if (dm_opal_uuid && hdr && !LUKS2_segment_is_hw_opal(hdr, CRYPT_DEFAULT_SEGMENT))
+		return -EINVAL;
+
 	tgt = &dmd->segment;
 
 	/* TODO: We have LUKS2 dependencies now */
@@ -2726,7 +2884,8 @@ int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr
 		tgt = &dmdc.segment;
 		while (tgt) {
 			if (tgt->type == DM_CRYPT)
-				crypt_drop_keyring_key_by_description(cd, tgt->u.crypt.vk->key_description, LOGON_KEY);
+				crypt_drop_keyring_key_by_description(cd, tgt->u.crypt.vk->key_description,
+					LOGON_KEY);
 			tgt = tgt->next;
 		}
 	}
@@ -2761,7 +2920,8 @@ int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr
 				tgt = &dmdc.segment;
 				while (tgt) {
 					if (tgt->type == DM_CRYPT)
-						crypt_drop_keyring_key_by_description(cd, tgt->u.crypt.vk->key_description, LOGON_KEY);
+						crypt_drop_keyring_key_by_description(cd, tgt->u.crypt.vk->key_description,
+							LOGON_KEY);
 					tgt = tgt->next;
 				}
 			}
@@ -2773,7 +2933,35 @@ int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr
 		r = ret;
 	}
 
+	if (!r && dm_opal_uuid) {
+		if (hdr) {
+			if (LUKS2_get_opal_segment_number(hdr, CRYPT_DEFAULT_SEGMENT, &opal_segment_number)) {
+				log_err(cd, _("Device %s was deactivated but hardware OPAL device cannot be locked."),
+					name);
+				r = -EINVAL;
+				goto out;
+			}
+		} else {
+			/* Guess OPAL range number for LUKS2-OPAL device with missing header */
+			opal_segment_number = 1;
+			ret = crypt_dev_get_partition_number(device_path(crypt_data_device(cd)));
+			if (ret > 0)
+				opal_segment_number = ret;
+		}
+
+		if (crypt_data_device(cd)) {
+			r = opal_exclusive_lock(cd, crypt_data_device(cd), &opal_lh);
+			if (r < 0) {
+				log_err(cd, _("Failed to acquire OPAL lock on device %s."), device_path(crypt_data_device(cd)));
+				goto out;
+			}
+		}
+
+		if (!crypt_data_device(cd) || opal_lock(cd, crypt_data_device(cd), opal_segment_number))
+			log_err(cd, _("Device %s was deactivated but hardware OPAL device cannot be locked."), name);
+	}
 out:
+	opal_exclusive_unlock(cd, opal_lh);
 	LUKS2_reencrypt_unlock(cd, reencrypt_lock);
 	dep = deps;
 	while (*dep)
@@ -2807,6 +2995,8 @@ int LUKS2_unmet_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uin
 		log_err(cd, _("Operation incompatible with device marked for legacy reencryption. Aborting."));
 	if (reqs_reencrypt_online(reqs) && !quiet)
 		log_err(cd, _("Operation incompatible with device marked for LUKS2 reencryption. Aborting."));
+	if (reqs_opal(reqs) && !quiet)
+		log_err(cd, _("Operation incompatible with device using OPAL. Aborting."));
 
 	/* any remaining unmasked requirement fails the check */
 	return reqs ? -EINVAL : 0;
@@ -2859,6 +3049,20 @@ int json_object_object_add_by_uint(json_object *jobj, unsigned key, json_object
 #endif
 }
 
+int json_object_object_add_by_uint_by_ref(json_object *jobj, unsigned key, json_object **jobj_val_ref)
+{
+	int r;
+
+	assert(jobj);
+	assert(jobj_val_ref);
+
+	r = json_object_object_add_by_uint(jobj, key, *jobj_val_ref);
+	if (!r)
+		*jobj_val_ref = NULL;
+
+	return r;
+}
+
 /* jobj_dst must contain pointer initialized to NULL (see json-c json_object_deep_copy API) */
 int json_object_copy(json_object *jobj_src, json_object **jobj_dst)
 {
@@ -2872,3 +3076,58 @@ int json_object_copy(json_object *jobj_src, json_object **jobj_dst)
 	return *jobj_dst ? 0 : -1;
 #endif
 }
+
+int LUKS2_split_crypt_and_opal_keys(struct crypt_device *cd __attribute__((unused)),
+		struct luks2_hdr *hdr,
+		const struct volume_key *vk,
+		struct volume_key **ret_crypt_key,
+		struct volume_key **ret_opal_key)
+{
+	int r;
+	uint32_t opal_segment_number;
+	size_t opal_user_key_size;
+	json_object *jobj_segment;
+	struct volume_key *opal_key, *crypt_key;
+
+	assert(vk);
+	assert(ret_crypt_key);
+	assert(ret_opal_key);
+
+	jobj_segment = LUKS2_get_segment_jobj(hdr, CRYPT_DEFAULT_SEGMENT);
+	if (!jobj_segment)
+		return -EINVAL;
+
+	r = json_segment_get_opal_segment_id(jobj_segment, &opal_segment_number);
+	if (r < 0)
+		return -EINVAL;
+
+	r = json_segment_get_opal_key_size(jobj_segment, &opal_user_key_size);
+	if (r < 0)
+		return -EINVAL;
+
+	if (vk->keylength < opal_user_key_size)
+		return -EINVAL;
+
+	/* OPAL SEGMENT only */
+	if (vk->keylength == opal_user_key_size) {
+		*ret_crypt_key = NULL;
+		*ret_opal_key = NULL;
+		return 0;
+	}
+
+	opal_key = crypt_alloc_volume_key(opal_user_key_size, vk->key);
+	if (!opal_key)
+		return -ENOMEM;
+
+	crypt_key = crypt_alloc_volume_key(vk->keylength - opal_user_key_size,
+					   vk->key + opal_user_key_size);
+	if (!crypt_key) {
+		crypt_free_volume_key(opal_key);
+		return -ENOMEM;
+	}
+
+	*ret_opal_key = opal_key;
+	*ret_crypt_key = crypt_key;
+
+	return 0;
+}

lib/luks2/luks2_keyslot.c

@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, keyslot handling
  *
- * Copyright (C) 2015-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2022 Milan Broz
+ * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2024 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -578,6 +578,8 @@ int LUKS2_keyslot_open(struct crypt_device *cd,
 	int r_prio, r = -EINVAL;
 
 	hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
+	if (!hdr)
+		return -EINVAL;
 
 	if (keyslot == CRYPT_ANY_SLOT) {
 		r_prio = LUKS2_keyslot_open_priority(cd, hdr, CRYPT_SLOT_PRIORITY_PREFER,
@@ -676,8 +678,7 @@ int LUKS2_keyslot_store(struct crypt_device *cd,
 
 int LUKS2_keyslot_wipe(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
-	int keyslot,
-	int wipe_area_only)
+	int keyslot)
 {
 	struct device *device = crypt_metadata_device(cd);
 	uint64_t area_offset, area_length;
@@ -694,9 +695,6 @@ int LUKS2_keyslot_wipe(struct crypt_device *cd,
 	if (!jobj_keyslot)
 		return -ENOENT;
 
-	if (wipe_area_only)
-		log_dbg(cd, "Wiping keyslot %d area only.", keyslot);
-
 	r = LUKS2_device_write_lock(cd, hdr, device);
 	if (r)
 		return r;
@@ -720,9 +718,6 @@ int LUKS2_keyslot_wipe(struct crypt_device *cd,
 		}
 	}
 
-	if (wipe_area_only)
-		goto out;
-
 	/* Slot specific wipe */
 	if (h) {
 		r = h->wipe(cd, keyslot);
@@ -803,6 +798,9 @@ int placeholder_keyslot_alloc(struct crypt_device *cd,
 		return -EINVAL;
 
 	jobj_keyslot = json_object_new_object();
+	if (!jobj_keyslot)
+		return -ENOMEM;
+
 	json_object_object_add(jobj_keyslot, "type", json_object_new_string("placeholder"));
 	/*
 	 * key_size = -1 makes placeholder keyslot impossible to pass validation.
@@ -813,11 +811,19 @@ int placeholder_keyslot_alloc(struct crypt_device *cd,
 
 	/* Area object */
 	jobj_area = json_object_new_object();
+	if (!jobj_area) {
+		json_object_put(jobj_keyslot);
+		return -ENOMEM;
+	}
+
 	json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(area_offset));
 	json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_length));
 	json_object_object_add(jobj_keyslot, "area", jobj_area);
 
-	json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot);
+	if (json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot)) {
+		json_object_put(jobj_keyslot);
+		return -EINVAL;
+	}
 
 	return 0;
 }
@@ -899,7 +905,7 @@ int LUKS2_keyslots_validate(struct crypt_device *cd, json_object *hdr_jobj)
 	return 0;
 }
 
-void LUKS2_keyslots_repair(struct crypt_device *cd, json_object *jobj_keyslots)
+void LUKS2_keyslots_repair(struct crypt_device *cd __attribute__((unused)), json_object *jobj_keyslots)
 {
 	const keyslot_handler *h;
 	json_object *jobj_type;
@@ -964,14 +970,17 @@ int LUKS2_keyslot_swap(struct crypt_device *cd, struct luks2_hdr *hdr,
 	json_object_object_del_by_uint(jobj_keyslots, keyslot);
 	r = json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot2);
 	if (r < 0) {
+		json_object_put(jobj_keyslot2);
 		log_dbg(cd, "Failed to swap keyslot %d.", keyslot);
 		return r;
 	}
 
 	json_object_object_del_by_uint(jobj_keyslots, keyslot2);
 	r = json_object_object_add_by_uint(jobj_keyslots, keyslot2, jobj_keyslot);
-	if (r < 0)
+	if (r < 0) {
+		json_object_put(jobj_keyslot);
 		log_dbg(cd, "Failed to swap keyslot2 %d.", keyslot2);
+	}
 
 	return r;
 }

lib/luks2/luks2_keyslot_luks2.c

@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, LUKS2 type keyslot handler
  *
- * Copyright (C) 2015-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2022 Milan Broz
+ * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2024 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -19,6 +19,7 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
+#include <limits.h>
 #include "luks2_internal.h"
 
 /* FIXME: move keyslot encryption to crypto backend */
@@ -264,6 +265,9 @@ static int luks2_keyslot_set_key(struct crypt_device *cd,
 			pbkdf.parallel_threads);
 	free(salt);
 	if (r < 0) {
+		if ((crypt_backend_flags() & CRYPT_BACKEND_PBKDF2_INT) &&
+		     pbkdf.iterations > INT_MAX)
+			log_err(cd, _("PBKDF2 iteration value overflow."));
 		crypt_free_volume_key(derived_key);
 		return r;
 	}
@@ -303,7 +307,7 @@ static int luks2_keyslot_get_key(struct crypt_device *cd,
 	char *volume_key, size_t volume_key_len)
 {
 	struct volume_key *derived_key = NULL;
-	struct crypt_pbkdf_type pbkdf;
+	struct crypt_pbkdf_type pbkdf, *cd_pbkdf;
 	char *AfKey = NULL;
 	size_t AFEKSize;
 	const char *af_hash = NULL;
@@ -356,6 +360,16 @@ static int luks2_keyslot_get_key(struct crypt_device *cd,
 		goto out;
 	}
 
+	/*
+	 * Print warning when keyslot requires more memory than available
+	 * (if maximum memory was adjusted - no swap, not enough memory),
+	 * but be silent if user set keyslot memory cost above default limit intentionally.
+	 */
+	cd_pbkdf = crypt_get_pbkdf(cd);
+	if (cd_pbkdf->max_memory_kb && pbkdf.max_memory_kb > cd_pbkdf->max_memory_kb &&
+	    pbkdf.max_memory_kb <= DEFAULT_LUKS2_MEMORY_KB)
+		log_std(cd, _("Warning: keyslot operation could fail as it requires more than available memory.\n"));
+
 	/*
 	 * If requested, serialize unlocking for memory-hard KDF. Usually NOOP.
 	 */
@@ -508,23 +522,42 @@ static int luks2_keyslot_alloc(struct crypt_device *cd,
 	}
 
 	jobj_keyslot = json_object_new_object();
+	if (!jobj_keyslot) {
+		r = -ENOMEM;
+		goto err;
+	}
+
 	json_object_object_add(jobj_keyslot, "type", json_object_new_string("luks2"));
 	json_object_object_add(jobj_keyslot, "key_size", json_object_new_int(volume_key_len));
 
 	/* AF object */
 	jobj_af = json_object_new_object();
+	if (!jobj_af) {
+		r = -ENOMEM;
+		goto err;
+	}
+
 	json_object_object_add(jobj_af, "type", json_object_new_string("luks1"));
 	json_object_object_add(jobj_af, "stripes", json_object_new_int(params->af.luks1.stripes));
 	json_object_object_add(jobj_keyslot, "af", jobj_af);
 
 	/* Area object */
 	jobj_area = json_object_new_object();
+	if (!jobj_area) {
+		r = -ENOMEM;
+		goto err;
+	}
+
 	json_object_object_add(jobj_area, "type", json_object_new_string("raw"));
 	json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(area_offset));
 	json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_length));
 	json_object_object_add(jobj_keyslot, "area", jobj_area);
 
-	json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot);
+	r = json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot);
+	if (r) {
+		json_object_put(jobj_keyslot);
+		return r;
+	}
 
 	r = luks2_keyslot_update_json(cd, jobj_keyslot, params);
 
@@ -537,6 +570,9 @@ static int luks2_keyslot_alloc(struct crypt_device *cd,
 		json_object_object_del_by_uint(jobj_keyslots, keyslot);
 
 	return r;
+err:
+	json_object_put(jobj_keyslot);
+	return r;
 }
 
 static int luks2_keyslot_open(struct crypt_device *cd,

lib/luks2/luks2_keyslot_reenc.c

@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, reencryption keyslot handler
  *
- * Copyright (C) 2016-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2016-2022 Ondrej Kozina
+ * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2016-2024 Ondrej Kozina
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -145,7 +145,12 @@ static int reenc_keyslot_alloc(struct crypt_device *cd,
 	else
 		json_object_object_add(jobj_keyslot, "direction", json_object_new_string("backward"));
 
-	json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot);
+	r = json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot);
+	if (r) {
+		json_object_put(jobj_keyslot);
+		return r;
+	}
+
 	if (LUKS2_check_json_size(cd, hdr)) {
 		log_dbg(cd, "New keyslot too large to fit in free metadata space.");
 		json_object_object_del_by_uint(jobj_keyslots, keyslot);
@@ -371,8 +376,7 @@ static int reenc_keyslot_validate(struct crypt_device *cd, json_object *jobj_key
 	return 0;
 }
 
-static int reenc_keyslot_update_needed(struct crypt_device *cd,
-	json_object *jobj_keyslot,
+static int reenc_keyslot_update_needed(json_object *jobj_keyslot,
 	const struct crypt_params_reencrypt *params,
 	size_t alignment)
 {
@@ -537,8 +541,7 @@ static int reenc_keyslot_load_resilience(struct crypt_device *cd,
 		return reenc_keyslot_load_resilience_secondary(cd, type, jobj_area, area_length, rp);
 }
 
-static bool reenc_keyslot_update_is_valid(struct crypt_device *cd,
-	json_object *jobj_area,
+static bool reenc_keyslot_update_is_valid(json_object *jobj_area,
 	const struct crypt_params_reencrypt *params)
 {
 	const char *type;
@@ -589,7 +592,7 @@ static int reenc_keyslot_update(struct crypt_device *cd,
 	if (!params || !params->resilience)
 		jobj_area_new = reencrypt_keyslot_area_jobj_update_block_size(cd, jobj_area, alignment);
 	else {
-		if (!reenc_keyslot_update_is_valid(cd, jobj_area, params)) {
+		if (!reenc_keyslot_update_is_valid(jobj_area, params)) {
 			log_err(cd, _("Invalid reencryption resilience mode change requested."));
 			return -EINVAL;
 		}
@@ -661,7 +664,7 @@ int LUKS2_keyslot_reencrypt_update_needed(struct crypt_device *cd,
 	    strcmp(json_object_get_string(jobj_type), "reencrypt"))
 		return -EINVAL;
 
-	r = reenc_keyslot_update_needed(cd, jobj_keyslot, params, alignment);
+	r = reenc_keyslot_update_needed(jobj_keyslot, params, alignment);
 	if (!r)
 		log_dbg(cd, "No update of reencrypt keyslot needed.");
 

lib/luks2/luks2_luks1_convert.c

@@ -1,9 +1,9 @@
 /*
  * LUKS - Linux Unified Key Setup v2, LUKS1 conversion code
  *
- * Copyright (C) 2015-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2022 Ondrej Kozina
- * Copyright (C) 2015-2022 Milan Broz
+ * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2024 Ondrej Kozina
+ * Copyright (C) 2015-2024 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -67,11 +67,21 @@ static int json_luks1_keyslot(const struct luks_phdr *hdr_v1, int keyslot, struc
 	int r;
 
 	keyslot_obj = json_object_new_object();
+	if (!keyslot_obj) {
+		r = -ENOMEM;
+		goto err;
+	}
+
 	json_object_object_add(keyslot_obj, "type", json_object_new_string("luks2"));
 	json_object_object_add(keyslot_obj, "key_size", json_object_new_int64(hdr_v1->keyBytes));
 
 	/* KDF */
 	jobj_kdf = json_object_new_object();
+	if (!jobj_kdf) {
+		r = -ENOMEM;
+		goto err;
+	}
+
 	json_object_object_add(jobj_kdf, "type", json_object_new_string(CRYPT_KDF_PBKDF2));
 	json_object_object_add(jobj_kdf, "hash", json_object_new_string(hdr_v1->hashSpec));
 	json_object_object_add(jobj_kdf, "iterations", json_object_new_int64(hdr_v1->keyblock[keyslot].passwordIterations));
@@ -89,6 +99,11 @@ static int json_luks1_keyslot(const struct luks_phdr *hdr_v1, int keyslot, struc
 
 	/* AF */
 	jobj_af = json_object_new_object();
+	if (!jobj_af) {
+		r = -ENOMEM;
+		goto err;
+	}
+
 	json_object_object_add(jobj_af, "type", json_object_new_string("luks1"));
 	json_object_object_add(jobj_af, "hash", json_object_new_string(hdr_v1->hashSpec));
 	/* stripes field ignored, fixed to LUKS_STRIPES (4000) */
@@ -97,6 +112,11 @@ static int json_luks1_keyslot(const struct luks_phdr *hdr_v1, int keyslot, struc
 
 	/* Area */
 	jobj_area = json_object_new_object();
+	if (!jobj_area) {
+		r = -ENOMEM;
+		goto err;
+	}
+
 	json_object_object_add(jobj_area, "type", json_object_new_string("raw"));
 
 	/* encryption algorithm field */
@@ -124,6 +144,9 @@ static int json_luks1_keyslot(const struct luks_phdr *hdr_v1, int keyslot, struc
 
 	*keyslot_object = keyslot_obj;
 	return 0;
+err:
+	json_object_put(keyslot_obj);
+	return r;
 }
 
 static int json_luks1_keyslots(const struct luks_phdr *hdr_v1, struct json_object **keyslots_object)
@@ -143,7 +166,12 @@ static int json_luks1_keyslots(const struct luks_phdr *hdr_v1, struct json_objec
 			json_object_put(keyslot_obj);
 			return r;
 		}
-		json_object_object_add_by_uint(keyslot_obj, keyslot, field);
+		r = json_object_object_add_by_uint(keyslot_obj, keyslot, field);
+		if (r) {
+			json_object_put(field);
+			json_object_put(keyslot_obj);
+			return r;
+		}
 	}
 
 	*keyslots_object = keyslot_obj;
@@ -238,7 +266,12 @@ static int json_luks1_segments(const struct luks_phdr *hdr_v1, struct json_objec
 		json_object_put(segments_obj);
 		return r;
 	}
-	json_object_object_add_by_uint(segments_obj, 0, field);
+	r = json_object_object_add_by_uint(segments_obj, 0, field);
+	if (r) {
+		json_object_put(field);
+		json_object_put(segments_obj);
+		return r;
+	}
 
 	*segments_object = segments_obj;
 	return 0;

lib/luks2/luks2_reencrypt.c

@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, reencryption helpers
  *
- * Copyright (C) 2015-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2022 Ondrej Kozina
+ * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2024 Ondrej Kozina
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -162,6 +162,7 @@ static uint64_t reencrypt_get_data_offset_old(struct luks2_hdr *hdr)
 	return reencrypt_data_offset(hdr, 0);
 }
 #endif
+
 static int reencrypt_digest(struct luks2_hdr *hdr, unsigned new)
 {
 	int segment = LUKS2_get_segment_id_by_flag(hdr, new ? "backup-final" : "backup-previous");
@@ -182,6 +183,21 @@ int LUKS2_reencrypt_digest_old(struct luks2_hdr *hdr)
 	return reencrypt_digest(hdr, 0);
 }
 
+unsigned LUKS2_reencrypt_vks_count(struct luks2_hdr *hdr)
+{
+	int digest_old, digest_new;
+	unsigned vks_count = 0;
+
+	if ((digest_new = LUKS2_reencrypt_digest_new(hdr)) >= 0)
+		vks_count++;
+	if ((digest_old = LUKS2_reencrypt_digest_old(hdr)) >= 0) {
+		if (digest_old != digest_new)
+			vks_count++;
+	}
+
+	return vks_count;
+}
+
 /* none, checksums, journal or shift */
 static const char *reencrypt_resilience_type(struct luks2_hdr *hdr)
 {
@@ -224,7 +240,7 @@ static const char *reencrypt_resilience_hash(struct luks2_hdr *hdr)
 static json_object *_enc_create_segments_shift_after(struct luks2_reencrypt *rh, uint64_t data_offset)
 {
 	int reenc_seg, i = 0;
-	json_object *jobj_copy, *jobj_seg_new = NULL, *jobj_segs_post = json_object_new_object();
+	json_object *jobj, *jobj_copy = NULL, *jobj_seg_new = NULL, *jobj_segs_post = json_object_new_object();
 	uint64_t tmp;
 
 	if (!rh->jobj_segs_hot || !jobj_segs_post)
@@ -239,17 +255,21 @@ static json_object *_enc_create_segments_shift_after(struct luks2_reencrypt *rh,
 
 	while (i < reenc_seg) {
 		jobj_copy = json_segments_get_segment(rh->jobj_segs_hot, i);
-		if (!jobj_copy)
+		if (!jobj_copy || json_object_object_add_by_uint(jobj_segs_post, i++, json_object_get(jobj_copy)))
 			goto err;
-		json_object_object_add_by_uint(jobj_segs_post, i++, json_object_get(jobj_copy));
 	}
+	jobj_copy = NULL;
 
-	if (json_object_copy(json_segments_get_segment(rh->jobj_segs_hot, reenc_seg + 1), &jobj_seg_new)) {
-		if (json_object_copy(json_segments_get_segment(rh->jobj_segs_hot, reenc_seg), &jobj_seg_new))
+	jobj = json_segments_get_segment(rh->jobj_segs_hot, reenc_seg + 1);
+	if (!jobj) {
+		jobj = json_segments_get_segment(rh->jobj_segs_hot, reenc_seg);
+		if (!jobj || json_object_copy(jobj, &jobj_seg_new))
 			goto err;
 		json_segment_remove_flag(jobj_seg_new, "in-reencryption");
 		tmp = rh->length;
 	} else {
+		if (json_object_copy(jobj, &jobj_seg_new))
+			goto err;
 		json_object_object_add(jobj_seg_new, "offset", crypt_jobj_new_uint64(rh->offset + data_offset));
 		json_object_object_add(jobj_seg_new, "iv_tweak", crypt_jobj_new_uint64(rh->offset >> SECTOR_SHIFT));
 		tmp = json_segment_get_size(jobj_seg_new, 0) + rh->length;
@@ -257,10 +277,12 @@ static json_object *_enc_create_segments_shift_after(struct luks2_reencrypt *rh,
 
 	/* alter size of new segment, reenc_seg == 0 we're finished */
 	json_object_object_add(jobj_seg_new, "size", reenc_seg > 0 ? crypt_jobj_new_uint64(tmp) : json_object_new_string("dynamic"));
-	json_object_object_add_by_uint(jobj_segs_post, reenc_seg, jobj_seg_new);
+	if (!json_object_object_add_by_uint(jobj_segs_post, reenc_seg, jobj_seg_new))
+		return jobj_segs_post;
 
-	return jobj_segs_post;
 err:
+	json_object_put(jobj_seg_new);
+	json_object_put(jobj_copy);
 	json_object_put(jobj_segs_post);
 	return NULL;
 }
@@ -271,7 +293,7 @@ static json_object *reencrypt_make_hot_segments_encrypt_shift(struct luks2_hdr *
 {
 	int sg, crypt_seg, i = 0;
 	uint64_t segment_size;
-	json_object *jobj_seg_shrunk, *jobj_seg_new, *jobj_copy, *jobj_enc_seg = NULL,
+	json_object *jobj_seg_shrunk = NULL, *jobj_seg_new = NULL, *jobj_copy = NULL, *jobj_enc_seg = NULL,
 		     *jobj_segs_hot = json_object_new_object();
 
 	if (!jobj_segs_hot)
@@ -290,38 +312,41 @@ static json_object *reencrypt_make_hot_segments_encrypt_shift(struct luks2_hdr *
 						      rh->offset >> SECTOR_SHIFT,
 						      &rh->length,
 						      reencrypt_segment_cipher_new(hdr),
+						      NULL, /* integrity */
 						      reencrypt_get_sector_size_new(hdr),
 						      1);
 
 	while (i < sg) {
 		jobj_copy = LUKS2_get_segment_jobj(hdr, i);
-		if (!jobj_copy)
+		if (!jobj_copy || json_object_object_add_by_uint(jobj_segs_hot, i++, json_object_get(jobj_copy)))
 			goto err;
-		json_object_object_add_by_uint(jobj_segs_hot, i++, json_object_get(jobj_copy));
 	}
+	jobj_copy = NULL;
 
 	segment_size = LUKS2_segment_size(hdr, sg, 0);
 	if (segment_size > rh->length) {
-		jobj_seg_shrunk = NULL;
 		if (json_object_copy(LUKS2_get_segment_jobj(hdr, sg), &jobj_seg_shrunk))
 			goto err;
 		json_object_object_add(jobj_seg_shrunk, "size", crypt_jobj_new_uint64(segment_size - rh->length));
-		json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_seg_shrunk);
+		if (json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg++, &jobj_seg_shrunk))
+			goto err;
 	}
 
-	json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_enc_seg);
-	jobj_enc_seg = NULL; /* see err: label */
+	if (json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg++, &jobj_enc_seg))
+		goto err;
 
 	/* first crypt segment after encryption ? */
 	if (crypt_seg >= 0) {
 		jobj_seg_new = LUKS2_get_segment_jobj(hdr, crypt_seg);
-		if (!jobj_seg_new)
+		if (!jobj_seg_new || json_object_object_add_by_uint(jobj_segs_hot, sg, json_object_get(jobj_seg_new)))
 			goto err;
-		json_object_object_add_by_uint(jobj_segs_hot, sg, json_object_get(jobj_seg_new));
 	}
 
 	return jobj_segs_hot;
 err:
+	json_object_put(jobj_copy);
+	json_object_put(jobj_seg_new);
+	json_object_put(jobj_seg_shrunk);
 	json_object_put(jobj_enc_seg);
 	json_object_put(jobj_segs_hot);
 
@@ -343,6 +368,7 @@ static json_object *reencrypt_make_segment_new(struct crypt_device *cd,
 						  crypt_get_iv_offset(cd) + (iv_offset >> SECTOR_SHIFT),
 						  segment_length,
 						  reencrypt_segment_cipher_new(hdr),
+						  NULL, /* integrity */
 						  reencrypt_get_sector_size_new(hdr), 0);
 	case CRYPT_REENCRYPT_DECRYPT:
 		return json_segment_create_linear(data_offset + segment_offset, segment_length, 0);
@@ -357,7 +383,7 @@ static json_object *reencrypt_make_post_segments_forward(struct crypt_device *cd
 	uint64_t data_offset)
 {
 	int reenc_seg;
-	json_object *jobj_new_seg_after, *jobj_old_seg, *jobj_old_seg_copy = NULL,
+	json_object *jobj_old_seg, *jobj_new_seg_after = NULL, *jobj_old_seg_copy = NULL,
 		    *jobj_segs_post = json_object_new_object();
 	uint64_t fixed_length = rh->offset + rh->length;
 
@@ -366,7 +392,7 @@ static json_object *reencrypt_make_post_segments_forward(struct crypt_device *cd
 
 	reenc_seg = json_segments_segment_in_reencrypt(rh->jobj_segs_hot);
 	if (reenc_seg < 0)
-		return NULL;
+		goto err;
 
 	jobj_old_seg = json_segments_get_segment(rh->jobj_segs_hot, reenc_seg + 1);
 
@@ -375,24 +401,26 @@ static json_object *reencrypt_make_post_segments_forward(struct crypt_device *cd
 	 * Set size to 'dynamic' again.
 	 */
 	jobj_new_seg_after = reencrypt_make_segment_new(cd, hdr, rh, data_offset, 0, 0, jobj_old_seg ? &fixed_length : NULL);
-	if (!jobj_new_seg_after)
+	if (!jobj_new_seg_after || json_object_object_add_by_uint_by_ref(jobj_segs_post, 0, &jobj_new_seg_after))
 		goto err;
-	json_object_object_add_by_uint(jobj_segs_post, 0, jobj_new_seg_after);
 
 	if (jobj_old_seg) {
 		if (rh->fixed_length) {
 			if (json_object_copy(jobj_old_seg, &jobj_old_seg_copy))
 				goto err;
-			jobj_old_seg = jobj_old_seg_copy;
 			fixed_length = rh->device_size - fixed_length;
-			json_object_object_add(jobj_old_seg, "size", crypt_jobj_new_uint64(fixed_length));
+			json_object_object_add(jobj_old_seg_copy, "size", crypt_jobj_new_uint64(fixed_length));
 		} else
-			json_object_get(jobj_old_seg);
-		json_object_object_add_by_uint(jobj_segs_post, 1, jobj_old_seg);
+			jobj_old_seg_copy = json_object_get(jobj_old_seg);
+
+		if (json_object_object_add_by_uint_by_ref(jobj_segs_post, 1, &jobj_old_seg_copy))
+			goto err;
 	}
 
 	return jobj_segs_post;
 err:
+	json_object_put(jobj_new_seg_after);
+	json_object_put(jobj_old_seg_copy);
 	json_object_put(jobj_segs_post);
 	return NULL;
 }
@@ -405,7 +433,7 @@ static json_object *reencrypt_make_post_segments_backward(struct crypt_device *c
 	int reenc_seg;
 	uint64_t fixed_length;
 
-	json_object *jobj_new_seg_after, *jobj_old_seg,
+	json_object *jobj_new_seg_after = NULL, *jobj_old_seg = NULL,
 		    *jobj_segs_post = json_object_new_object();
 
 	if (!rh->jobj_segs_hot || !jobj_segs_post)
@@ -413,22 +441,26 @@ static json_object *reencrypt_make_post_segments_backward(struct crypt_device *c
 
 	reenc_seg = json_segments_segment_in_reencrypt(rh->jobj_segs_hot);
 	if (reenc_seg < 0)
-		return NULL;
+		goto err;
 
 	jobj_old_seg = json_segments_get_segment(rh->jobj_segs_hot, reenc_seg - 1);
-	if (jobj_old_seg)
-		json_object_object_add_by_uint(jobj_segs_post, reenc_seg - 1, json_object_get(jobj_old_seg));
+	if (jobj_old_seg) {
+		json_object_get(jobj_old_seg);
+		if (json_object_object_add_by_uint_by_ref(jobj_segs_post, reenc_seg - 1, &jobj_old_seg))
+			goto err;
+	}
+
 	if (rh->fixed_length && rh->offset) {
 		fixed_length = rh->device_size - rh->offset;
 		jobj_new_seg_after = reencrypt_make_segment_new(cd, hdr, rh, data_offset, rh->offset, rh->offset, &fixed_length);
 	} else
 		jobj_new_seg_after = reencrypt_make_segment_new(cd, hdr, rh, data_offset, rh->offset, rh->offset, NULL);
-	if (!jobj_new_seg_after)
-		goto err;
-	json_object_object_add_by_uint(jobj_segs_post, reenc_seg, jobj_new_seg_after);
 
-	return jobj_segs_post;
+	if (jobj_new_seg_after && !json_object_object_add_by_uint(jobj_segs_post, reenc_seg, jobj_new_seg_after))
+		return jobj_segs_post;
 err:
+	json_object_put(jobj_new_seg_after);
+	json_object_put(jobj_old_seg);
 	json_object_put(jobj_segs_post);
 	return NULL;
 }
@@ -448,6 +480,7 @@ static json_object *reencrypt_make_segment_reencrypt(struct crypt_device *cd,
 				crypt_get_iv_offset(cd) + (iv_offset >> SECTOR_SHIFT),
 				segment_length,
 				reencrypt_segment_cipher_new(hdr),
+			        NULL, /* integrity */
 				reencrypt_get_sector_size_new(hdr), 1);
 	case CRYPT_REENCRYPT_DECRYPT:
 		return json_segment_create_linear(data_offset + segment_offset, segment_length, 1);
@@ -472,6 +505,7 @@ static json_object *reencrypt_make_segment_old(struct crypt_device *cd,
 						    crypt_get_iv_offset(cd) + (segment_offset >> SECTOR_SHIFT),
 						    segment_length,
 						    reencrypt_segment_cipher_old(hdr),
+						    NULL, /* integrity */
 						    reencrypt_get_sector_size_old(hdr),
 						    0);
 		break;
@@ -488,38 +522,40 @@ static json_object *reencrypt_make_hot_segments_forward(struct crypt_device *cd,
 		uint64_t device_size,
 		uint64_t data_offset)
 {
-	json_object *jobj_segs_hot, *jobj_reenc_seg, *jobj_old_seg, *jobj_new_seg;
 	uint64_t fixed_length, tmp = rh->offset + rh->length;
+	json_object *jobj_segs_hot = json_object_new_object(), *jobj_reenc_seg = NULL,
+		    *jobj_old_seg = NULL, *jobj_new_seg = NULL;
 	unsigned int sg = 0;
 
-	jobj_segs_hot = json_object_new_object();
 	if (!jobj_segs_hot)
 		return NULL;
 
 	if (rh->offset) {
 		jobj_new_seg = reencrypt_make_segment_new(cd, hdr, rh, data_offset, 0, 0, &rh->offset);
-		if (!jobj_new_seg)
+		if (!jobj_new_seg || json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg++, &jobj_new_seg))
 			goto err;
-		json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_new_seg);
 	}
 
 	jobj_reenc_seg = reencrypt_make_segment_reencrypt(cd, hdr, rh, data_offset, rh->offset, rh->offset, &rh->length);
 	if (!jobj_reenc_seg)
 		goto err;
 
-	json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_reenc_seg);
+	if (json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg++, &jobj_reenc_seg))
+		goto err;
 
 	if (tmp < device_size) {
 		fixed_length = device_size - tmp;
 		jobj_old_seg = reencrypt_make_segment_old(cd, hdr, rh, data_offset + data_shift_value(&rh->rp),
 							  rh->offset + rh->length, rh->fixed_length ? &fixed_length : NULL);
-		if (!jobj_old_seg)
+		if (!jobj_old_seg || json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg, &jobj_old_seg))
 			goto err;
-		json_object_object_add_by_uint(jobj_segs_hot, sg, jobj_old_seg);
 	}
 
 	return jobj_segs_hot;
 err:
+	json_object_put(jobj_reenc_seg);
+	json_object_put(jobj_old_seg);
+	json_object_put(jobj_new_seg);
 	json_object_put(jobj_segs_hot);
 	return NULL;
 }
@@ -528,29 +564,31 @@ static json_object *reencrypt_make_hot_segments_decrypt_shift(struct crypt_devic
 	struct luks2_hdr *hdr, struct luks2_reencrypt *rh,
 	uint64_t device_size, uint64_t data_offset)
 {
-	json_object *jobj_segs_hot, *jobj_reenc_seg, *jobj_old_seg, *jobj_new_seg;
 	uint64_t fixed_length, tmp = rh->offset + rh->length, linear_length = rh->progress;
+	json_object *jobj, *jobj_segs_hot = json_object_new_object(), *jobj_reenc_seg = NULL,
+		    *jobj_old_seg = NULL, *jobj_new_seg = NULL;
 	unsigned int sg = 0;
 
-	jobj_segs_hot = json_object_new_object();
 	if (!jobj_segs_hot)
 		return NULL;
 
 	if (rh->offset) {
-		jobj_new_seg = LUKS2_get_segment_jobj(hdr, 0);
-		if (!jobj_new_seg)
+		jobj = LUKS2_get_segment_jobj(hdr, 0);
+		if (!jobj)
+			goto err;
+
+		jobj_new_seg = json_object_get(jobj);
+		if (json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg++, &jobj_new_seg))
 			goto err;
-		json_object_object_add_by_uint(jobj_segs_hot, sg++, json_object_get(jobj_new_seg));
 
 		if (linear_length) {
 			jobj_new_seg = reencrypt_make_segment_new(cd, hdr, rh,
 								  data_offset,
-								  json_segment_get_size(jobj_new_seg, 0),
+								  json_segment_get_size(jobj, 0),
 								  0,
 								  &linear_length);
-			if (!jobj_new_seg)
+			if (!jobj_new_seg || json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg++, &jobj_new_seg))
 				goto err;
-			json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_new_seg);
 		}
 	}
 
@@ -558,27 +596,29 @@ static json_object *reencrypt_make_hot_segments_decrypt_shift(struct crypt_devic
 							  rh->offset,
 							  rh->offset,
 							  &rh->length);
-	if (!jobj_reenc_seg)
+	if (!jobj_reenc_seg || json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg++, &jobj_reenc_seg))
 		goto err;
 
-	json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_reenc_seg);
-
-	if (!rh->offset && (jobj_new_seg = LUKS2_get_segment_jobj(hdr, 1)) &&
-	    !json_segment_is_backup(jobj_new_seg))
-		json_object_object_add_by_uint(jobj_segs_hot, sg++, json_object_get(jobj_new_seg));
-	else if (tmp < device_size) {
+	if (!rh->offset && (jobj = LUKS2_get_segment_jobj(hdr, 1)) &&
+	    !json_segment_is_backup(jobj)) {
+		jobj_new_seg = json_object_get(jobj);
+		if (json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg++, &jobj_new_seg))
+			goto err;
+	} else if (tmp < device_size) {
 		fixed_length = device_size - tmp;
 		jobj_old_seg = reencrypt_make_segment_old(cd, hdr, rh,
 							  data_offset + data_shift_value(&rh->rp),
 							  rh->offset + rh->length,
 							  rh->fixed_length ? &fixed_length : NULL);
-		if (!jobj_old_seg)
+		if (!jobj_old_seg || json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg, &jobj_old_seg))
 			goto err;
-		json_object_object_add_by_uint(jobj_segs_hot, sg, jobj_old_seg);
 	}
 
 	return jobj_segs_hot;
 err:
+	json_object_put(jobj_reenc_seg);
+	json_object_put(jobj_old_seg);
+	json_object_put(jobj_new_seg);
 	json_object_put(jobj_segs_hot);
 	return NULL;
 }
@@ -589,7 +629,7 @@ static json_object *_dec_create_segments_shift_after(struct crypt_device *cd,
 	uint64_t data_offset)
 {
 	int reenc_seg, i = 0;
-	json_object *jobj_copy, *jobj_seg_old, *jobj_seg_new,
+	json_object *jobj_seg_old, *jobj_copy = NULL, *jobj_seg_old_copy = NULL, *jobj_seg_new = NULL,
 		    *jobj_segs_post = json_object_new_object();
 	unsigned segs;
 	uint64_t tmp;
@@ -607,9 +647,8 @@ static json_object *_dec_create_segments_shift_after(struct crypt_device *cd,
 
 	if (reenc_seg == 0) {
 		jobj_seg_new = reencrypt_make_segment_new(cd, hdr, rh, data_offset, 0, 0, NULL);
-		if (!jobj_seg_new)
+		if (!jobj_seg_new || json_object_object_add_by_uint(jobj_segs_post, 0, jobj_seg_new))
 			goto err;
-		json_object_object_add_by_uint(jobj_segs_post, 0, jobj_seg_new);
 
 		return jobj_segs_post;
 	}
@@ -617,22 +656,29 @@ static json_object *_dec_create_segments_shift_after(struct crypt_device *cd,
 	jobj_copy = json_segments_get_segment(rh->jobj_segs_hot, 0);
 	if (!jobj_copy)
 		goto err;
-	json_object_object_add_by_uint(jobj_segs_post, i++, json_object_get(jobj_copy));
+	json_object_get(jobj_copy);
+	if (json_object_object_add_by_uint_by_ref(jobj_segs_post, i++, &jobj_copy))
+		goto err;
 
-	jobj_seg_old = json_segments_get_segment(rh->jobj_segs_hot, reenc_seg + 1);
+	if ((jobj_seg_old = json_segments_get_segment(rh->jobj_segs_hot, reenc_seg + 1)))
+		jobj_seg_old_copy = json_object_get(jobj_seg_old);
 
 	tmp = rh->length + rh->progress;
 	jobj_seg_new = reencrypt_make_segment_new(cd, hdr, rh, data_offset,
 						  json_segment_get_size(rh->jobj_segment_moved, 0),
 						  data_shift_value(&rh->rp),
 						  jobj_seg_old ? &tmp : NULL);
-	json_object_object_add_by_uint(jobj_segs_post, i++, jobj_seg_new);
+	if (!jobj_seg_new || json_object_object_add_by_uint_by_ref(jobj_segs_post, i++, &jobj_seg_new))
+		goto err;
 
-	if (jobj_seg_old)
-		json_object_object_add_by_uint(jobj_segs_post, i, json_object_get(jobj_seg_old));
+	if (jobj_seg_old_copy && json_object_object_add_by_uint(jobj_segs_post, i, jobj_seg_old_copy))
+		goto err;
 
 	return jobj_segs_post;
 err:
+	json_object_put(jobj_copy);
+	json_object_put(jobj_seg_old_copy);
+	json_object_put(jobj_seg_new);
 	json_object_put(jobj_segs_post);
 	return NULL;
 }
@@ -643,10 +689,10 @@ static json_object *reencrypt_make_hot_segments_backward(struct crypt_device *cd
 		uint64_t device_size,
 		uint64_t data_offset)
 {
-	json_object *jobj_reenc_seg, *jobj_new_seg, *jobj_old_seg = NULL,
+	uint64_t fixed_length, tmp = rh->offset + rh->length;
+	json_object *jobj_reenc_seg = NULL, *jobj_new_seg = NULL, *jobj_old_seg = NULL,
 		    *jobj_segs_hot = json_object_new_object();
 	int sg = 0;
-	uint64_t fixed_length, tmp = rh->offset + rh->length;
 
 	if (!jobj_segs_hot)
 		return NULL;
@@ -656,26 +702,27 @@ static json_object *reencrypt_make_hot_segments_backward(struct crypt_device *cd
 			goto err;
 		json_object_object_add(jobj_old_seg, "size", crypt_jobj_new_uint64(rh->offset));
 
-		json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_old_seg);
+		if (json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg++, &jobj_old_seg))
+			goto err;
 	}
 
 	jobj_reenc_seg = reencrypt_make_segment_reencrypt(cd, hdr, rh, data_offset, rh->offset, rh->offset, &rh->length);
-	if (!jobj_reenc_seg)
+	if (!jobj_reenc_seg || json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg++, &jobj_reenc_seg))
 		goto err;
 
-	json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_reenc_seg);
-
 	if (tmp < device_size) {
 		fixed_length = device_size - tmp;
 		jobj_new_seg = reencrypt_make_segment_new(cd, hdr, rh, data_offset, rh->offset + rh->length,
 							  rh->offset + rh->length, rh->fixed_length ? &fixed_length : NULL);
-		if (!jobj_new_seg)
+		if (!jobj_new_seg || json_object_object_add_by_uint_by_ref(jobj_segs_hot, sg, &jobj_new_seg))
 			goto err;
-		json_object_object_add_by_uint(jobj_segs_hot, sg, jobj_new_seg);
 	}
 
 	return jobj_segs_hot;
 err:
+	json_object_put(jobj_reenc_seg);
+	json_object_put(jobj_new_seg);
+	json_object_put(jobj_old_seg);
 	json_object_put(jobj_segs_hot);
 	return NULL;
 }
@@ -733,6 +780,7 @@ static int reencrypt_make_post_segments(struct crypt_device *cd,
 	return rh->jobj_segs_post ? 0 : -EINVAL;
 }
 #endif
+
 static uint64_t reencrypt_data_shift(struct luks2_hdr *hdr)
 {
 	json_object *jobj_keyslot, *jobj_area, *jobj_data_shift;
@@ -847,13 +895,13 @@ void LUKS2_reencrypt_free(struct crypt_device *cd, struct luks2_reencrypt *rh)
 	free(rh);
 }
 
-int LUKS2_reencrypt_max_hotzone_size(struct crypt_device *cd,
+#if USE_LUKS2_REENCRYPTION
+int LUKS2_reencrypt_max_hotzone_size(struct crypt_device *cd __attribute__((unused)),
 	struct luks2_hdr *hdr,
 	const struct reenc_protection *rp,
 	int reencrypt_keyslot,
 	uint64_t *r_length)
 {
-#if USE_LUKS2_REENCRYPTION
 	int r;
 	uint64_t dummy, area_length;
 
@@ -886,11 +934,8 @@ int LUKS2_reencrypt_max_hotzone_size(struct crypt_device *cd,
 	}
 
 	return -EINVAL;
-#else
-	return -ENOTSUP;
-#endif
 }
-#if USE_LUKS2_REENCRYPTION
+
 static size_t reencrypt_get_alignment(struct crypt_device *cd,
 		struct luks2_hdr *hdr)
 {
@@ -971,7 +1016,6 @@ static int reencrypt_offset_backward_moved(struct luks2_hdr *hdr, json_object *j
 }
 
 static int reencrypt_offset_forward_moved(struct luks2_hdr *hdr,
-	json_object *jobj_segments,
 	uint64_t data_shift,
 	uint64_t *offset)
 {
@@ -1049,7 +1093,7 @@ static int reencrypt_offset(struct luks2_hdr *hdr,
 	if (di == CRYPT_REENCRYPT_FORWARD) {
 		if (reencrypt_mode(hdr) == CRYPT_REENCRYPT_DECRYPT &&
 		    LUKS2_get_segment_id_by_flag(hdr, "backup-moved-segment") >= 0) {
-			r = reencrypt_offset_forward_moved(hdr, jobj_segments, data_shift, offset);
+			r = reencrypt_offset_forward_moved(hdr, data_shift, offset);
 			if (!r && *offset > device_size)
 				*offset = device_size;
 			return r;
@@ -1386,7 +1430,7 @@ static int reencrypt_init_storage_wrappers(struct crypt_device *cd,
 
 static int reencrypt_context_set_names(struct luks2_reencrypt *rh, const char *name)
 {
-	if (!rh | !name)
+	if (!rh || !name)
 		return -EINVAL;
 
 	if (*name == '/') {
@@ -1964,9 +2008,7 @@ static int reencrypt_set_decrypt_shift_segments(struct crypt_device *cd,
 	crypt_reencrypt_direction_info di)
 {
 	int r;
-	uint64_t first_segment_offset, first_segment_length,
-		 second_segment_offset, second_segment_length,
-		 data_offset = LUKS2_get_data_offset(hdr) << SECTOR_SHIFT;
+	uint64_t data_offset = LUKS2_get_data_offset(hdr) << SECTOR_SHIFT;
 	json_object *jobj_segment_first = NULL, *jobj_segment_second = NULL, *jobj_segments;
 
 	if (di == CRYPT_REENCRYPT_BACKWARD)
@@ -1976,47 +2018,49 @@ static int reencrypt_set_decrypt_shift_segments(struct crypt_device *cd,
 	 * future data_device layout:
 	 * [encrypted first segment (max data shift size)][gap (data shift size)][second encrypted data segment]
 	 */
-	first_segment_offset = 0;
-	first_segment_length = moved_segment_length;
-	if (dev_size > moved_segment_length) {
-		second_segment_offset = data_offset + first_segment_length;
-		second_segment_length = 0;
-	}
-
 	jobj_segments = json_object_new_object();
 	if (!jobj_segments)
 		return -ENOMEM;
 
 	r = -EINVAL;
-	jobj_segment_first = json_segment_create_crypt(first_segment_offset,
-				crypt_get_iv_offset(cd), &first_segment_length,
-				crypt_get_cipher_spec(cd), crypt_get_sector_size(cd), 0);
+	jobj_segment_first = json_segment_create_crypt(0, crypt_get_iv_offset(cd),
+				&moved_segment_length, crypt_get_cipher_spec(cd),
+				NULL, crypt_get_sector_size(cd), 0);
 
 	if (!jobj_segment_first) {
 		log_dbg(cd, "Failed generate 1st segment.");
-		return r;
+		goto err;
 	}
 
+	r = json_object_object_add_by_uint_by_ref(jobj_segments, 0, &jobj_segment_first);
+	if (r)
+		goto err;
+
 	if (dev_size > moved_segment_length) {
-		jobj_segment_second = json_segment_create_crypt(second_segment_offset,
-								crypt_get_iv_offset(cd) + (first_segment_length >> SECTOR_SHIFT),
-								second_segment_length ? &second_segment_length : NULL,
+		jobj_segment_second = json_segment_create_crypt(data_offset + moved_segment_length,
+								crypt_get_iv_offset(cd) + (moved_segment_length >> SECTOR_SHIFT),
+								NULL,
 								crypt_get_cipher_spec(cd),
+								NULL, /* integrity */
 								crypt_get_sector_size(cd), 0);
 		if (!jobj_segment_second) {
-			json_object_put(jobj_segment_first);
+			r = -EINVAL;
 			log_dbg(cd, "Failed generate 2nd segment.");
-			return r;
+			goto err;
 		}
+
+		r = json_object_object_add_by_uint_by_ref(jobj_segments, 1, &jobj_segment_second);
+		if (r)
+			goto err;
 	}
 
-	json_object_object_add(jobj_segments, "0", jobj_segment_first);
-	if (jobj_segment_second)
-		json_object_object_add(jobj_segments, "1", jobj_segment_second);
-
-	r = LUKS2_segments_set(cd, hdr, jobj_segments, 0);
-
-	return r ?: LUKS2_digest_segment_assign(cd, hdr, CRYPT_ANY_SEGMENT, 0, 1, 0);
+	if (!(r = LUKS2_segments_set(cd, hdr, jobj_segments, 0)))
+		return LUKS2_digest_segment_assign(cd, hdr, CRYPT_ANY_SEGMENT, 0, 1, 0);
+err:
+	json_object_put(jobj_segment_first);
+	json_object_put(jobj_segment_second);
+	json_object_put(jobj_segments);
+	return r;
 }
 
 static int reencrypt_make_targets(struct crypt_device *cd,
@@ -2429,6 +2473,7 @@ static int reencrypt_make_backup_segments(struct crypt_device *cd,
 		uint64_t data_offset,
 		const struct crypt_params_reencrypt *params)
 {
+	const char *type;
 	int r, segment, moved_segment = -1, digest_old = -1, digest_new = -1;
 	json_object *jobj_tmp, *jobj_segment_new = NULL, *jobj_segment_old = NULL, *jobj_segment_bcp = NULL;
 	uint32_t sector_size = params->luks2 ? params->luks2->sector_size : SECTOR_SIZE;
@@ -2460,9 +2505,17 @@ static int reencrypt_make_backup_segments(struct crypt_device *cd,
 		if (r)
 			goto err;
 		moved_segment = segment++;
-		json_object_object_add_by_uint(LUKS2_get_segments_jobj(hdr), moved_segment, jobj_segment_bcp);
-		if (!strcmp(json_segment_type(jobj_segment_bcp), "crypt"))
-			LUKS2_digest_segment_assign(cd, hdr, moved_segment, digest_old, 1, 0);
+		r = json_object_object_add_by_uint_by_ref(LUKS2_get_segments_jobj(hdr), moved_segment, &jobj_segment_bcp);
+		if (r)
+			goto err;
+
+		if (!(type = json_segment_type(LUKS2_get_segment_jobj(hdr, moved_segment)))) {
+			r = -EINVAL;
+			goto err;
+		}
+
+		if (!strcmp(type, "crypt") && ((r = LUKS2_digest_segment_assign(cd, hdr, moved_segment, digest_old, 1, 0))))
+			goto err;
 	}
 
 	/* FIXME: Add detection for case (digest old == digest new && old segment == new segment) */
@@ -2478,6 +2531,7 @@ static int reencrypt_make_backup_segments(struct crypt_device *cd,
 						json_segment_get_iv_offset(jobj_tmp),
 						device_size ? &device_size : NULL,
 						json_segment_get_cipher(jobj_tmp),
+						NULL, /* integrity */
 						json_segment_get_sector_size(jobj_tmp),
 						0);
 		} else {
@@ -2505,10 +2559,14 @@ static int reencrypt_make_backup_segments(struct crypt_device *cd,
 	r = LUKS2_segment_set_flag(jobj_segment_old, "backup-previous");
 	if (r)
 		goto err;
-	json_object_object_add_by_uint(LUKS2_get_segments_jobj(hdr), segment, jobj_segment_old);
-	jobj_segment_old = NULL;
-	if (digest_old >= 0)
-		LUKS2_digest_segment_assign(cd, hdr, segment, digest_old, 1, 0);
+
+	r = json_object_object_add_by_uint_by_ref(LUKS2_get_segments_jobj(hdr), segment, &jobj_segment_old);
+	if (r)
+		goto err;
+
+	if (digest_old >= 0 && (r = LUKS2_digest_segment_assign(cd, hdr, segment, digest_old, 1, 0)))
+		goto err;
+
 	segment++;
 
 	if (digest_new >= 0) {
@@ -2520,7 +2578,7 @@ static int reencrypt_make_backup_segments(struct crypt_device *cd,
 		}
 		jobj_segment_new = json_segment_create_crypt(segment_offset,
 							crypt_get_iv_offset(cd),
-							NULL, cipher, sector_size, 0);
+							NULL, cipher, NULL, sector_size, 0);
 	} else if (params->mode == CRYPT_REENCRYPT_DECRYPT) {
 		segment_offset = data_offset;
 		if (modify_offset(&segment_offset, data_shift, params->direction)) {
@@ -2538,10 +2596,13 @@ static int reencrypt_make_backup_segments(struct crypt_device *cd,
 	r = LUKS2_segment_set_flag(jobj_segment_new, "backup-final");
 	if (r)
 		goto err;
-	json_object_object_add_by_uint(LUKS2_get_segments_jobj(hdr), segment, jobj_segment_new);
-	jobj_segment_new = NULL;
-	if (digest_new >= 0)
-		LUKS2_digest_segment_assign(cd, hdr, segment, digest_new, 1, 0);
+
+	r = json_object_object_add_by_uint_by_ref(LUKS2_get_segments_jobj(hdr), segment, &jobj_segment_new);
+	if (r)
+		goto err;
+
+	if (digest_new >= 0 && (r = LUKS2_digest_segment_assign(cd, hdr, segment, digest_new, 1, 0)))
+		goto err;
 
 	/* FIXME: also check occupied space by keyslot in shrunk area */
 	if (params->direction == CRYPT_REENCRYPT_FORWARD && data_shift &&
@@ -2556,6 +2617,7 @@ static int reencrypt_make_backup_segments(struct crypt_device *cd,
 err:
 	json_object_put(jobj_segment_new);
 	json_object_put(jobj_segment_old);
+	json_object_put(jobj_segment_bcp);
 	return r;
 }
 
@@ -2590,7 +2652,6 @@ static int reencrypt_verify_keys(struct crypt_device *cd,
 }
 
 static int reencrypt_upload_single_key(struct crypt_device *cd,
-	struct luks2_hdr *hdr,
 	int digest,
 	struct volume_key *vks)
 {
@@ -2615,11 +2676,11 @@ static int reencrypt_upload_keys(struct crypt_device *cd,
 		return 0;
 
 	if (digest_new >= 0 && !crypt_is_cipher_null(reencrypt_segment_cipher_new(hdr)) &&
-	    (r = reencrypt_upload_single_key(cd, hdr, digest_new, vks)))
+	    (r = reencrypt_upload_single_key(cd, digest_new, vks)))
 		return r;
 
 	if (digest_old >= 0 && !crypt_is_cipher_null(reencrypt_segment_cipher_old(hdr)) &&
-	    (r = reencrypt_upload_single_key(cd, hdr, digest_old, vks))) {
+	    (r = reencrypt_upload_single_key(cd, digest_old, vks))) {
 		crypt_drop_keyring_key(cd, vks);
 		return r;
 	}
@@ -3256,7 +3317,17 @@ static int reencrypt_load(struct crypt_device *cd, struct luks2_hdr *hdr,
 
 	return 0;
 }
+#else
+int LUKS2_reencrypt_max_hotzone_size(struct crypt_device *cd __attribute__((unused)),
+	struct luks2_hdr *hdr __attribute__((unused)),
+	const struct reenc_protection *rp __attribute__((unused)),
+	int reencrypt_keyslot __attribute__((unused)),
+	uint64_t *r_length __attribute__((unused)))
+{
+	return -ENOTSUP;
+}
 #endif
+
 static int reencrypt_lock_internal(struct crypt_device *cd, const char *uuid, struct crypt_lock_handle **reencrypt_lock)
 {
 	int r;
@@ -3705,7 +3776,7 @@ out:
 	return r;
 
 }
-#endif
+
 static int reencrypt_init_by_passphrase(struct crypt_device *cd,
 	const char *name,
 	const char *passphrase,
@@ -3716,7 +3787,6 @@ static int reencrypt_init_by_passphrase(struct crypt_device *cd,
 	const char *cipher_mode,
 	const struct crypt_params_reencrypt *params)
 {
-#if USE_LUKS2_REENCRYPTION
 	int r;
 	crypt_reencrypt_info ri;
 	struct volume_key *vks = NULL;
@@ -3778,11 +3848,22 @@ out:
 		crypt_drop_keyring_key(cd, vks);
 	crypt_free_volume_key(vks);
 	return r < 0 ? r : LUKS2_find_keyslot(hdr, "reencrypt");
+}
 #else
+static int reencrypt_init_by_passphrase(struct crypt_device *cd,
+	const char *name __attribute__((unused)),
+	const char *passphrase __attribute__((unused)),
+	size_t passphrase_size __attribute__((unused)),
+	int keyslot_old __attribute__((unused)),
+	int keyslot_new __attribute__((unused)),
+	const char *cipher __attribute__((unused)),
+	const char *cipher_mode __attribute__((unused)),
+	const struct crypt_params_reencrypt *params __attribute__((unused)))
+{
 	log_err(cd, _("This operation is not supported for this device type."));
 	return -ENOTSUP;
-#endif
 }
+#endif
 
 int crypt_reencrypt_init_by_keyring(struct crypt_device *cd,
 	const char *name,
@@ -3797,14 +3878,20 @@ int crypt_reencrypt_init_by_keyring(struct crypt_device *cd,
 	char *passphrase;
 	size_t passphrase_size;
 
-	if (onlyLUKS2mask(cd, CRYPT_REQUIREMENT_ONLINE_REENCRYPT) || !passphrase_description)
+	if (onlyLUKS2reencrypt(cd) || !passphrase_description)
 		return -EINVAL;
 	if (params && (params->flags & CRYPT_REENCRYPT_INITIALIZE_ONLY) && (params->flags & CRYPT_REENCRYPT_RESUME_ONLY))
 		return -EINVAL;
 
-	r = keyring_get_passphrase(passphrase_description, &passphrase, &passphrase_size);
+	if (device_is_dax(crypt_data_device(cd)) > 0) {
+		log_err(cd, _("Reencryption is not supported for DAX (persistent memory) devices."));
+		return -EINVAL;
+	}
+
+	r = crypt_keyring_get_user_key(cd, passphrase_description, &passphrase, &passphrase_size);
 	if (r < 0) {
-		log_err(cd, _("Failed to read passphrase from keyring (error %d)."), r);
+		log_dbg(cd, "crypt_keyring_get_user_key failed (error %d)", r);
+		log_err(cd, _("Failed to read passphrase from keyring."));
 		return -EINVAL;
 	}
 
@@ -3826,11 +3913,16 @@ int crypt_reencrypt_init_by_passphrase(struct crypt_device *cd,
 	const char *cipher_mode,
 	const struct crypt_params_reencrypt *params)
 {
-	if (onlyLUKS2mask(cd, CRYPT_REQUIREMENT_ONLINE_REENCRYPT) || !passphrase)
+	if (onlyLUKS2reencrypt(cd) || !passphrase)
 		return -EINVAL;
 	if (params && (params->flags & CRYPT_REENCRYPT_INITIALIZE_ONLY) && (params->flags & CRYPT_REENCRYPT_RESUME_ONLY))
 		return -EINVAL;
 
+	if (device_is_dax(crypt_data_device(cd)) > 0) {
+		log_err(cd, _("Reencryption is not supported for DAX (persistent memory) devices."));
+		return -EINVAL;
+	}
+
 	return reencrypt_init_by_passphrase(cd, name, passphrase, passphrase_size, keyslot_old, keyslot_new, cipher, cipher_mode, params);
 }
 
@@ -4112,14 +4204,12 @@ static int reencrypt_teardown(struct crypt_device *cd, struct luks2_hdr *hdr,
 
 	return r;
 }
-#endif
 
 int crypt_reencrypt_run(
 	struct crypt_device *cd,
 	int (*progress)(uint64_t size, uint64_t offset, void *usrptr),
 	void *usrptr)
 {
-#if USE_LUKS2_REENCRYPTION
 	int r;
 	crypt_reencrypt_info ri;
 	struct luks2_hdr *hdr;
@@ -4127,7 +4217,7 @@ int crypt_reencrypt_run(
 	reenc_status_t rs;
 	bool quit = false;
 
-	if (onlyLUKS2mask(cd, CRYPT_REQUIREMENT_ONLINE_REENCRYPT))
+	if (onlyLUKS2reencrypt(cd))
 		return -EINVAL;
 
 	hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
@@ -4180,19 +4270,9 @@ int crypt_reencrypt_run(
 
 	r = reencrypt_teardown(cd, hdr, rh, rs, quit, progress, usrptr);
 	return r;
-#else
-	log_err(cd, _("This operation is not supported for this device type."));
-	return -ENOTSUP;
-#endif
 }
 
-int crypt_reencrypt(
-	struct crypt_device *cd,
-	int (*progress)(uint64_t size, uint64_t offset, void *usrptr))
-{
-	return crypt_reencrypt_run(cd, progress, NULL);
-}
-#if USE_LUKS2_REENCRYPTION
+
 static int reencrypt_recovery(struct crypt_device *cd,
 		struct luks2_hdr *hdr,
 		uint64_t device_size,
@@ -4228,7 +4308,27 @@ out:
 
 	return r;
 }
+#else /* USE_LUKS2_REENCRYPTION */
+int crypt_reencrypt_run(
+	struct crypt_device *cd,
+	int (*progress)(uint64_t size, uint64_t offset, void *usrptr),
+	void *usrptr)
+{
+	UNUSED(progress);
+	UNUSED(usrptr);
+
+	log_err(cd, _("This operation is not supported for this device type."));
+	return -ENOTSUP;
+}
 #endif
+
+int crypt_reencrypt(
+	struct crypt_device *cd,
+	int (*progress)(uint64_t size, uint64_t offset, void *usrptr))
+{
+	return crypt_reencrypt_run(cd, progress, NULL);
+}
+
 /*
  * use only for calculation of minimal data device size.
  * The real data offset is taken directly from segments!
@@ -4246,7 +4346,7 @@ int LUKS2_reencrypt_data_offset(struct luks2_hdr *hdr, bool blockwise)
 
 /* internal only */
 int LUKS2_reencrypt_check_device_size(struct crypt_device *cd, struct luks2_hdr *hdr,
-	uint64_t check_size, uint64_t *dev_size, bool activation, bool dynamic)
+	uint64_t check_size, uint64_t *dev_size, bool device_exclusive_check, bool dynamic)
 {
 	int r;
 	uint64_t data_offset, real_size = 0;
@@ -4255,7 +4355,8 @@ int LUKS2_reencrypt_check_device_size(struct crypt_device *cd, struct luks2_hdr
 	    (LUKS2_get_segment_by_flag(hdr, "backup-moved-segment") || dynamic))
 		check_size += reencrypt_data_shift(hdr);
 
-	r = device_check_access(cd, crypt_data_device(cd), activation ? DEV_EXCL : DEV_OK);
+	r = device_check_access(cd, crypt_data_device(cd),
+				device_exclusive_check ? DEV_EXCL : DEV_OK);
 	if (r)
 		return r;
 
@@ -4333,6 +4434,39 @@ out:
 
 	return r < 0 ? r : keyslot;
 }
+
+int LUKS2_reencrypt_locked_recovery_by_vks(struct crypt_device *cd,
+	struct volume_key *vks)
+{
+	uint64_t minimal_size, device_size;
+	int r = -EINVAL;
+	struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
+	struct volume_key *vk = NULL;
+
+	log_dbg(cd, "Entering reencryption crash recovery.");
+
+	if (LUKS2_get_data_size(hdr, &minimal_size, NULL))
+		return r;
+
+	if (crypt_use_keyring_for_vk(cd))
+		vk = vks;
+	while (vk) {
+		r = LUKS2_volume_key_load_in_keyring_by_digest(cd, vk, crypt_volume_key_get_id(vk));
+		if (r < 0)
+			goto out;
+		vk = crypt_volume_key_next(vk);
+	}
+
+	if (LUKS2_reencrypt_check_device_size(cd, hdr, minimal_size, &device_size, true, false))
+		goto out;
+
+	r = reencrypt_recovery(cd, hdr, device_size, vks);
+
+out:
+	if (r < 0)
+		crypt_drop_keyring_key(cd, vks);
+	return r;
+}
 #endif
 crypt_reencrypt_info LUKS2_reencrypt_get_params(struct luks2_hdr *hdr,
 	struct crypt_params_reencrypt *params)

lib/luks2/luks2_reencrypt_digest.c

@@ -1,9 +1,9 @@
 /*
  * LUKS - Linux Unified Key Setup v2, reencryption digest helpers
  *
- * Copyright (C) 2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2022 Ondrej Kozina
- * Copyright (C) 2022 Milan Broz
+ * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2022-2024 Ondrej Kozina
+ * Copyright (C) 2022-2024 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -375,6 +375,22 @@ int LUKS2_keyslot_reencrypt_digest_create(struct crypt_device *cd,
 	return LUKS2_digest_assign(cd, hdr, keyslot_reencrypt, digest_reencrypt, 1, 0);
 }
 
+void LUKS2_reencrypt_lookup_key_ids(struct crypt_device *cd, struct luks2_hdr *hdr, struct volume_key *vk)
+{
+	int digest_old, digest_new;
+
+	digest_old = LUKS2_reencrypt_digest_old(hdr);
+	digest_new = LUKS2_reencrypt_digest_new(hdr);
+
+	while (vk) {
+		if (digest_old >= 0 && LUKS2_digest_verify_by_digest(cd, digest_old, vk) == digest_old)
+			crypt_volume_key_set_id(vk, digest_old);
+		if (digest_new >= 0 && LUKS2_digest_verify_by_digest(cd, digest_new, vk) == digest_new)
+			crypt_volume_key_set_id(vk, digest_new);
+		vk = vk->next;
+	}
+}
+
 int LUKS2_reencrypt_digest_verify(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	struct volume_key *vks)

lib/luks2/luks2_segment.c

@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, internal segment handling
  *
- * Copyright (C) 2018-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2018-2022 Ondrej Kozina
+ * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2024 Ondrej Kozina
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -91,6 +91,33 @@ uint64_t json_segment_get_size(json_object *jobj_segment, unsigned blockwise)
 	return blockwise ? crypt_jobj_get_uint64(jobj) >> SECTOR_SHIFT : crypt_jobj_get_uint64(jobj);
 }
 
+static uint64_t json_segment_get_opal_size(json_object *jobj_segment, unsigned blockwise)
+{
+	json_object *jobj;
+
+	if (!jobj_segment ||
+	    !json_object_object_get_ex(jobj_segment, "opal_segment_size", &jobj))
+		return 0;
+
+	return blockwise ? crypt_jobj_get_uint64(jobj) >> SECTOR_SHIFT : crypt_jobj_get_uint64(jobj);
+}
+
+static bool json_segment_set_size(json_object *jobj_segment, const uint64_t *size_bytes)
+{
+	json_object *jobj;
+
+	if (!jobj_segment)
+		return false;
+
+	jobj = size_bytes ? crypt_jobj_new_uint64(*size_bytes) : json_object_new_string("dynamic");
+	if (!jobj)
+		return false;
+
+	json_object_object_add(jobj_segment, "size", jobj);
+
+	return true;
+}
+
 const char *json_segment_get_cipher(json_object *jobj_segment)
 {
 	json_object *jobj;
@@ -116,6 +143,37 @@ uint32_t json_segment_get_sector_size(json_object *jobj_segment)
 	return i < 0 ? SECTOR_SIZE : i;
 }
 
+int json_segment_get_opal_segment_id(json_object *jobj_segment, uint32_t *ret_opal_segment_id)
+{
+	json_object *jobj_segment_id;
+
+	assert(ret_opal_segment_id);
+
+	if (!json_object_object_get_ex(jobj_segment, "opal_segment_number", &jobj_segment_id))
+		return -EINVAL;
+
+	*ret_opal_segment_id = json_object_get_int(jobj_segment_id);
+
+	return 0;
+}
+
+int json_segment_get_opal_key_size(json_object *jobj_segment, size_t *ret_key_size)
+{
+	json_object *jobj_key_size;
+
+	assert(ret_key_size);
+
+	if (!jobj_segment)
+		return -EINVAL;
+
+	if (!json_object_object_get_ex(jobj_segment, "opal_key_size", &jobj_key_size))
+		return -EINVAL;
+
+	*ret_key_size = json_object_get_int(jobj_key_size);
+
+	return 0;
+}
+
 static json_object *json_segment_get_flags(json_object *jobj_segment)
 {
 	json_object *jobj;
@@ -245,24 +303,94 @@ json_object *json_segment_create_linear(uint64_t offset, const uint64_t *length,
 	return jobj;
 }
 
+static bool json_add_crypt_fields(json_object *jobj_segment, uint64_t iv_offset,
+				  const char *cipher, const char *integrity,
+				  uint32_t sector_size, unsigned reencryption)
+{
+	json_object *jobj_integrity;
+
+	assert(cipher);
+
+	json_object_object_add(jobj_segment, "iv_tweak",    crypt_jobj_new_uint64(iv_offset));
+	json_object_object_add(jobj_segment, "encryption",  json_object_new_string(cipher));
+	json_object_object_add(jobj_segment, "sector_size", json_object_new_int(sector_size));
+
+	if (integrity) {
+		jobj_integrity = json_object_new_object();
+		if (!jobj_integrity)
+			return false;
+
+		json_object_object_add(jobj_integrity, "type", json_object_new_string(integrity));
+		json_object_object_add(jobj_integrity, "journal_encryption", json_object_new_string("none"));
+		json_object_object_add(jobj_integrity, "journal_integrity", json_object_new_string("none"));
+		json_object_object_add(jobj_segment,   "integrity", jobj_integrity);
+	}
+
+	if (reencryption)
+		LUKS2_segment_set_flag(jobj_segment, "in-reencryption");
+
+	return true;
+}
+
 json_object *json_segment_create_crypt(uint64_t offset,
 				  uint64_t iv_offset, const uint64_t *length,
-				  const char *cipher, uint32_t sector_size,
-				  unsigned reencryption)
+				  const char *cipher, const char *integrity,
+				  uint32_t sector_size, unsigned reencryption)
 {
 	json_object *jobj = _segment_create_generic("crypt", offset, length);
+
 	if (!jobj)
 		return NULL;
 
-	json_object_object_add(jobj, "iv_tweak",	crypt_jobj_new_uint64(iv_offset));
-	json_object_object_add(jobj, "encryption",	json_object_new_string(cipher));
-	json_object_object_add(jobj, "sector_size",	json_object_new_int(sector_size));
-	if (reencryption)
-		LUKS2_segment_set_flag(jobj, "in-reencryption");
+	if (json_add_crypt_fields(jobj, iv_offset, cipher, integrity, sector_size, reencryption))
+		return jobj;
+
+	json_object_put(jobj);
+	return NULL;
+}
+
+static void json_add_opal_fields(json_object *jobj_segment, const uint64_t *length,
+				 uint32_t segment_number, uint32_t key_size)
+{
+	assert(jobj_segment);
+	assert(length);
+
+	json_object_object_add(jobj_segment, "opal_segment_number", json_object_new_int(segment_number));
+	json_object_object_add(jobj_segment, "opal_key_size", json_object_new_int(key_size));
+	json_object_object_add(jobj_segment, "opal_segment_size", crypt_jobj_new_uint64(*length));
+}
+
+json_object *json_segment_create_opal(uint64_t offset, const uint64_t *length,
+				      uint32_t segment_number, uint32_t key_size)
+{
+	json_object *jobj = _segment_create_generic("hw-opal", offset, length);
+	if (!jobj)
+		return NULL;
+
+	json_add_opal_fields(jobj, length, segment_number, key_size);
 
 	return jobj;
 }
 
+json_object *json_segment_create_opal_crypt(uint64_t offset, const uint64_t *length,
+					    uint32_t segment_number, uint32_t key_size,
+					    uint64_t iv_offset, const char *cipher,
+					    const char *integrity, uint32_t sector_size,
+					    unsigned reencryption)
+{
+	json_object *jobj = _segment_create_generic("hw-opal-crypt", offset, length);
+	if (!jobj)
+		return NULL;
+
+	json_add_opal_fields(jobj, length, segment_number, key_size);
+
+	if (json_add_crypt_fields(jobj, iv_offset, cipher, integrity, sector_size, reencryption))
+		return jobj;
+
+	json_object_put(jobj);
+	return NULL;
+}
+
 uint64_t LUKS2_segment_offset(struct luks2_hdr *hdr, int segment, unsigned blockwise)
 {
 	return json_segment_get_offset(LUKS2_get_segment_jobj(hdr, segment), blockwise);
@@ -288,11 +416,85 @@ uint64_t LUKS2_segment_size(struct luks2_hdr *hdr, int segment, unsigned blockwi
 	return json_segment_get_size(LUKS2_get_segment_jobj(hdr, segment), blockwise);
 }
 
+uint64_t LUKS2_opal_segment_size(struct luks2_hdr *hdr, int segment, unsigned blockwise)
+{
+	return json_segment_get_opal_size(LUKS2_get_segment_jobj(hdr, segment), blockwise);
+}
+
+bool LUKS2_segment_set_size(struct luks2_hdr *hdr, int segment, const uint64_t *segment_size_bytes)
+{
+	return json_segment_set_size(LUKS2_get_segment_jobj(hdr, segment), segment_size_bytes);
+}
+
 int LUKS2_segment_is_type(struct luks2_hdr *hdr, int segment, const char *type)
 {
 	return !strcmp(json_segment_type(LUKS2_get_segment_jobj(hdr, segment)) ?: "", type);
 }
 
+static bool json_segment_is_hw_opal_only(json_object *jobj_segment)
+{
+	const char *type = json_segment_type(jobj_segment);
+
+	if (!type)
+		return false;
+
+	return !strcmp(type, "hw-opal");
+}
+
+static bool json_segment_is_hw_opal_crypt(json_object *jobj_segment)
+{
+	const char *type = json_segment_type(jobj_segment);
+
+	if (!type)
+		return false;
+
+	return !strcmp(type, "hw-opal-crypt");
+}
+
+static bool json_segment_is_hw_opal(json_object *jobj_segment)
+{
+	return json_segment_is_hw_opal_crypt(jobj_segment) ||
+	       json_segment_is_hw_opal_only(jobj_segment);
+}
+
+bool LUKS2_segment_is_hw_opal_only(struct luks2_hdr *hdr, int segment)
+{
+	return json_segment_is_hw_opal_only(LUKS2_get_segment_jobj(hdr, segment));
+}
+
+bool LUKS2_segment_is_hw_opal_crypt(struct luks2_hdr *hdr, int segment)
+{
+	return json_segment_is_hw_opal_crypt(LUKS2_get_segment_jobj(hdr, segment));
+}
+
+bool LUKS2_segment_is_hw_opal(struct luks2_hdr *hdr, int segment)
+{
+	return json_segment_is_hw_opal(LUKS2_get_segment_jobj(hdr, segment));
+}
+
+int LUKS2_get_opal_segment_number(struct luks2_hdr *hdr, int segment, uint32_t *ret_opal_segment_number)
+{
+	json_object *jobj_segment = LUKS2_get_segment_jobj(hdr, segment);
+
+	assert(ret_opal_segment_number);
+
+	if (!json_segment_is_hw_opal(jobj_segment))
+		return -ENOENT;
+
+	return json_segment_get_opal_segment_id(jobj_segment, ret_opal_segment_number);
+}
+
+int LUKS2_get_opal_key_size(struct luks2_hdr *hdr, int segment)
+{
+	size_t key_size = 0;
+	json_object *jobj_segment = LUKS2_get_segment_jobj(hdr, segment);
+
+	if (json_segment_get_opal_key_size(jobj_segment, &key_size) < 0)
+		return 0;
+
+	return key_size;
+}
+
 int LUKS2_last_segment_by_type(struct luks2_hdr *hdr, const char *type)
 {
 	json_object *jobj_segments;
@@ -424,3 +626,27 @@ bool json_segment_cmp(json_object *jobj_segment_1, json_object *jobj_segment_2)
 
 	return true;
 }
+
+bool LUKS2_segments_dynamic_size(struct luks2_hdr *hdr)
+{
+	json_object *jobj_segments, *jobj_size;
+
+	assert(hdr);
+
+	jobj_segments = LUKS2_get_segments_jobj(hdr);
+	if (!jobj_segments)
+		return false;
+
+	json_object_object_foreach(jobj_segments, key, val) {
+		UNUSED(key);
+
+		if (json_segment_is_backup(val))
+			continue;
+
+		if (json_object_object_get_ex(val, "size", &jobj_size) &&
+		    !strcmp(json_object_get_string(jobj_size), "dynamic"))
+			return true;
+	}
+
+	return false;
+}

lib/luks2/luks2_token.c

@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, token handling
  *
- * Copyright (C) 2016-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2016-2022 Milan Broz
+ * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2016-2024 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -25,7 +25,9 @@
 #include "luks2_internal.h"
 
 #if USE_EXTERNAL_TOKENS
+#define TOKENS_PATH_MAX PATH_MAX
 static bool external_tokens_enabled = true;
+static char external_tokens_path[TOKENS_PATH_MAX] = EXTERNAL_LUKS2_TOKENS_PATH;
 #else
 static bool external_tokens_enabled = false;
 #endif
@@ -51,7 +53,56 @@ void crypt_token_external_disable(void)
 
 const char *crypt_token_external_path(void)
 {
-	return external_tokens_enabled ? EXTERNAL_LUKS2_TOKENS_PATH : NULL;
+#if USE_EXTERNAL_TOKENS
+	return external_tokens_enabled ? external_tokens_path : NULL;
+#else
+	return NULL;
+#endif
+}
+
+#if USE_EXTERNAL_TOKENS
+int crypt_token_set_external_path(const char *path)
+{
+	int r;
+	char tokens_path[TOKENS_PATH_MAX];
+
+	if (!path)
+		path = EXTERNAL_LUKS2_TOKENS_PATH;
+	else if (*path != '/')
+		return -EINVAL;
+
+	r = snprintf(tokens_path, sizeof(tokens_path), "%s", path);
+	if (r < 0 || (size_t)r >= sizeof(tokens_path))
+		return -EINVAL;
+
+	(void)strcpy(external_tokens_path, tokens_path);
+
+	return 0;
+}
+#else
+#pragma GCC diagnostic ignored "-Wunused-parameter"
+int crypt_token_set_external_path(const char *path)
+{
+	return -ENOTSUP;
+}
+#endif
+
+static bool token_validate_v1(struct crypt_device *cd, const crypt_token_handler *h)
+{
+	if (!h)
+		return false;
+
+	if (!h->name) {
+		log_dbg(cd, "Error: token handler does not provide name attribute.");
+		return false;
+	}
+
+	if (!h->open) {
+		log_dbg(cd, "Error: token handler does not provide open function.");
+		return false;
+	}
+
+	return true;
 }
 
 #if USE_EXTERNAL_TOKENS
@@ -77,27 +128,7 @@ static void *token_dlvsym(struct crypt_device *cd,
 
 	return sym;
 }
-#endif
 
-static bool token_validate_v1(struct crypt_device *cd, const crypt_token_handler *h)
-{
-	if (!h)
-		return false;
-
-	if (!h->name) {
-		log_dbg(cd, "Error: token handler does not provide name attribute.");
-		return false;
-	}
-
-	if (!h->open) {
-		log_dbg(cd, "Error: token handler does not provide open function.");
-		return false;
-	}
-
-	return true;
-}
-
-#if USE_EXTERNAL_TOKENS
 static bool token_validate_v2(struct crypt_device *cd, const struct crypt_token_handler_internal *h)
 {
 	if (!h)
@@ -127,12 +158,10 @@ static bool external_token_name_valid(const char *name)
 
 	return true;
 }
-#endif
 
 static int
 crypt_token_load_external(struct crypt_device *cd, const char *name, struct crypt_token_handler_internal *ret)
 {
-#if USE_EXTERNAL_TOKENS
 	struct crypt_token_handler_v2 *token;
 	void *h;
 	char buf[PATH_MAX];
@@ -192,11 +221,40 @@ crypt_token_load_external(struct crypt_device *cd, const char *name, struct cryp
 	ret->version = 2;
 
 	return 0;
-#else
-	return -ENOTSUP;
-#endif
 }
 
+void crypt_token_unload_external_all(struct crypt_device *cd)
+{
+	int i;
+
+	for (i = LUKS2_TOKENS_MAX - 1; i >= 0; i--) {
+		if (token_handlers[i].version < 2)
+			continue;
+
+		log_dbg(cd, "Unloading %s token handler.", token_handlers[i].u.v2.name);
+
+		free(CONST_CAST(void *)token_handlers[i].u.v2.name);
+
+		if (dlclose(CONST_CAST(void *)token_handlers[i].u.v2.dlhandle))
+			log_dbg(cd, "%s", dlerror());
+	}
+}
+
+#else /* USE_EXTERNAL_TOKENS */
+
+static int crypt_token_load_external(struct crypt_device *cd __attribute__((unused)),
+				     const char *name __attribute__((unused)),
+				     struct crypt_token_handler_internal *ret __attribute__((unused)))
+{
+	return -ENOTSUP;
+}
+
+void crypt_token_unload_external_all(struct crypt_device *cd __attribute__((unused)))
+{
+}
+
+#endif
+
 static int is_builtin_candidate(const char *type)
 {
 	return !strncmp(type, LUKS2_BUILTIN_TOKEN_PREFIX, LUKS2_BUILTIN_TOKEN_PREFIX_LEN);
@@ -243,25 +301,6 @@ int crypt_token_register(const crypt_token_handler *handler)
 	return 0;
 }
 
-void crypt_token_unload_external_all(struct crypt_device *cd)
-{
-#if USE_EXTERNAL_TOKENS
-	int i;
-
-	for (i = LUKS2_TOKENS_MAX - 1; i >= 0; i--) {
-		if (token_handlers[i].version < 2)
-			continue;
-
-		log_dbg(cd, "Unloading %s token handler.", token_handlers[i].u.v2.name);
-
-		free(CONST_CAST(void *)token_handlers[i].u.v2.name);
-
-		if (dlclose(CONST_CAST(void *)token_handlers[i].u.v2.dlhandle))
-			log_dbg(cd, "%s", dlerror());
-	}
-#endif
-}
-
 static const void
 *LUKS2_token_handler_type(struct crypt_device *cd, const char *type)
 {
@@ -423,12 +462,12 @@ static const char *token_json_to_string(json_object *jobj_token)
 		JSON_C_TO_STRING_PLAIN | JSON_C_TO_STRING_NOSLASHESCAPE);
 }
 
-static int token_is_usable(struct luks2_hdr *hdr, json_object *jobj_token, int segment,
+static int token_is_usable(struct luks2_hdr *hdr, json_object *jobj_token, int keyslot, int segment,
 			   crypt_keyslot_priority minimal_priority, bool requires_keyslot)
 {
 	crypt_keyslot_priority keyslot_priority;
 	json_object *jobj_array;
-	int i, keyslot, len, r = -ENOENT;
+	int i, slot, len, r = -ENOENT;
 
 	if (!jobj_token)
 		return -EINVAL;
@@ -451,16 +490,19 @@ static int token_is_usable(struct luks2_hdr *hdr, json_object *jobj_token, int s
 		return -ENOENT;
 
 	for (i = 0; i < len; i++) {
-		keyslot = atoi(json_object_get_string(json_object_array_get_idx(jobj_array, i)));
+		slot = atoi(json_object_get_string(json_object_array_get_idx(jobj_array, i)));
 
-		keyslot_priority = LUKS2_keyslot_priority_get(hdr, keyslot);
+		if (keyslot != CRYPT_ANY_SLOT && slot != keyslot)
+			continue;
+
+		keyslot_priority = LUKS2_keyslot_priority_get(hdr, slot);
 		if (keyslot_priority == CRYPT_SLOT_PRIORITY_INVALID)
 			return -EINVAL;
 
 		if (keyslot_priority < minimal_priority)
 			continue;
 
-		r = LUKS2_keyslot_for_segment(hdr, keyslot, segment);
+		r = LUKS2_keyslot_for_segment(hdr, slot, segment);
 		if (r != -ENOENT)
 			return r;
 	}
@@ -480,6 +522,7 @@ static int translate_errno(struct crypt_device *cd, int ret_val, const char *typ
 
 static int token_open(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
+	int keyslot,
 	int token,
 	json_object *jobj_token,
 	const char *type,
@@ -507,7 +550,7 @@ static int token_open(struct crypt_device *cd,
 			return -ENOENT;
 	}
 
-	r = token_is_usable(hdr, jobj_token, segment, priority, requires_keyslot);
+	r = token_is_usable(hdr, jobj_token, keyslot, segment, priority, requires_keyslot);
 	if (r < 0) {
 		if (r == -ENOENT)
 			log_dbg(cd, "Token %d unusable for segment %d with desired keyslot priority %d.",
@@ -569,32 +612,22 @@ static void update_return_errno(int r, int *stored)
 		*stored = r;
 }
 
-static int LUKS2_keyslot_open_by_token(struct crypt_device *cd,
+static int try_token_keyslot_unlock(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
+	const char *type,
+	json_object *jobj_token_keyslots,
 	int token,
 	int segment,
 	crypt_keyslot_priority priority,
 	const char *buffer,
 	size_t buffer_len,
-	struct volume_key **vk)
+	struct volume_key **r_vk)
 {
+	json_object *jobj;
 	crypt_keyslot_priority keyslot_priority;
-	json_object *jobj_token, *jobj_token_keyslots, *jobj_type, *jobj;
-	unsigned int num = 0;
 	int i, r = -ENOENT, stored_retval = -ENOENT;
+	unsigned int num = 0;
 
-	jobj_token = LUKS2_get_token_jobj(hdr, token);
-	if (!jobj_token)
-		return -EINVAL;
-
-	if (!json_object_object_get_ex(jobj_token, "type", &jobj_type))
-		return -EINVAL;
-
-	json_object_object_get_ex(jobj_token, "keyslots", &jobj_token_keyslots);
-	if (!jobj_token_keyslots)
-		return -EINVAL;
-
-	/* Try to open keyslot referenced in token */
 	for (i = 0; i < (int) json_object_array_length(jobj_token_keyslots) && r < 0; i++) {
 		jobj = json_object_array_get_idx(jobj_token_keyslots, i);
 		num = atoi(json_object_get_string(jobj));
@@ -604,8 +637,8 @@ static int LUKS2_keyslot_open_by_token(struct crypt_device *cd,
 		if (keyslot_priority < priority)
 			continue;
 		log_dbg(cd, "Trying to open keyslot %u with token %d (type %s).",
-			num, token, json_object_get_string(jobj_type));
-		r = LUKS2_keyslot_open(cd, num, segment, buffer, buffer_len, vk);
+			num, token, type);
+		r = LUKS2_keyslot_open(cd, num, segment, buffer, buffer_len, r_vk);
 		/* short circuit on fatal error */
 		if (r < 0 && r != -EPERM && r != -ENOENT)
 			return r;
@@ -620,6 +653,53 @@ static int LUKS2_keyslot_open_by_token(struct crypt_device *cd,
 	return num;
 }
 
+static int LUKS2_keyslot_open_by_token(struct crypt_device *cd,
+	struct luks2_hdr *hdr,
+	int keyslot,
+	int token,
+	int segment,
+	crypt_keyslot_priority min_priority,
+	const char *buffer,
+	size_t buffer_len,
+	struct volume_key **vk)
+{
+	json_object *jobj_token, *jobj_token_keyslots, *jobj_type;
+	crypt_keyslot_priority priority = CRYPT_SLOT_PRIORITY_PREFER;
+	int r = -ENOENT, stored_retval = -ENOENT;
+
+	jobj_token = LUKS2_get_token_jobj(hdr, token);
+	if (!jobj_token)
+		return -EINVAL;
+
+	if (!json_object_object_get_ex(jobj_token, "type", &jobj_type))
+		return -EINVAL;
+
+	json_object_object_get_ex(jobj_token, "keyslots", &jobj_token_keyslots);
+	if (!jobj_token_keyslots)
+		return -EINVAL;
+
+	/* with specific keyslot just ignore priorities and unlock */
+	if (keyslot != CRYPT_ANY_SLOT) {
+		log_dbg(cd, "Trying to open keyslot %u with token %d (type %s).",
+			keyslot, token, json_object_get_string(jobj_type));
+		return LUKS2_keyslot_open(cd, keyslot, segment, buffer, buffer_len, vk);
+	}
+
+	/* Try to open keyslot referenced in token */
+	while (priority >= min_priority) {
+		r = try_token_keyslot_unlock(cd, hdr, json_object_get_string(jobj_type),
+					     jobj_token_keyslots, token, segment,
+					     priority, buffer, buffer_len, vk);
+		if (r == -EINVAL || r >= 0)
+			return r;
+		if (r == -EPERM)
+			stored_retval = r;
+		priority--;
+	}
+
+	return stored_retval;
+}
+
 static bool token_is_blocked(int token, uint32_t *block_list)
 {
 	/* it is safe now, but have assert in case LUKS2_TOKENS_MAX grows */
@@ -640,6 +720,7 @@ static int token_open_priority(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	json_object *jobj_tokens,
 	const char *type,
+	int keyslot,
 	int segment,
 	crypt_keyslot_priority priority,
 	const char *pin,
@@ -660,9 +741,10 @@ static int token_open_priority(struct crypt_device *cd,
 		token = atoi(slot);
 		if (token_is_blocked(token, block_list))
 			continue;
-		r = token_open(cd, hdr, token, val, type, segment, priority, pin, pin_size, &buffer, &buffer_size, usrptr, true);
+		r = token_open(cd, hdr, keyslot, token, val, type, segment, priority, pin, pin_size,
+			       &buffer, &buffer_size, usrptr, true);
 		if (!r) {
-			r = LUKS2_keyslot_open_by_token(cd, hdr, token, segment, priority,
+			r = LUKS2_keyslot_open_by_token(cd, hdr, keyslot, token, segment, priority,
 							buffer, buffer_size, vk);
 			LUKS2_token_buffer_free(cd, token, buffer, buffer_size);
 		}
@@ -679,8 +761,9 @@ static int token_open_priority(struct crypt_device *cd,
 	return *stored_retval;
 }
 
-static int token_open_any(struct crypt_device *cd, struct luks2_hdr *hdr, const char *type, int segment,
-			  const char *pin, size_t pin_size, void *usrptr, struct volume_key **vk)
+static int token_open_any(struct crypt_device *cd, struct luks2_hdr *hdr, const char *type,
+			  int keyslot, int segment, const char *pin, size_t pin_size, void *usrptr,
+			  struct volume_key **vk)
 {
 	json_object *jobj_tokens;
 	int r, retval = -ENOENT;
@@ -692,17 +775,22 @@ static int token_open_any(struct crypt_device *cd, struct luks2_hdr *hdr, const
 	if (!type)
 		usrptr = NULL;
 
-	r = token_open_priority(cd, hdr, jobj_tokens, type, segment, CRYPT_SLOT_PRIORITY_PREFER,
+	if (keyslot != CRYPT_ANY_SLOT)
+		return token_open_priority(cd, hdr, jobj_tokens, type, keyslot, segment, CRYPT_SLOT_PRIORITY_IGNORE,
+				pin, pin_size, usrptr, &retval, &blocked, vk);
+
+	r = token_open_priority(cd, hdr, jobj_tokens, type, keyslot, segment, CRYPT_SLOT_PRIORITY_PREFER,
 				pin, pin_size, usrptr, &retval, &blocked, vk);
 	if (break_loop_retval(r))
 		return r;
 
-	return token_open_priority(cd, hdr, jobj_tokens, type, segment, CRYPT_SLOT_PRIORITY_NORMAL,
+	return token_open_priority(cd, hdr, jobj_tokens, type, keyslot, segment, CRYPT_SLOT_PRIORITY_NORMAL,
 				   pin, pin_size, usrptr, &retval, &blocked, vk);
 }
 
 int LUKS2_token_unlock_key(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
+	int keyslot,
 	int token,
 	const char *type,
 	const char *pin,
@@ -714,6 +802,7 @@ int LUKS2_token_unlock_key(struct crypt_device *cd,
 	char *buffer;
 	size_t buffer_size;
 	json_object *jobj_token;
+	crypt_keyslot_priority min_priority;
 	int r = -ENOENT;
 
 	assert(vk);
@@ -724,13 +813,27 @@ int LUKS2_token_unlock_key(struct crypt_device *cd,
 	if (segment < 0 && segment != CRYPT_ANY_SEGMENT)
 		return -EINVAL;
 
+	if (keyslot != CRYPT_ANY_SLOT || token != CRYPT_ANY_TOKEN)
+		min_priority = CRYPT_SLOT_PRIORITY_IGNORE;
+	else
+		min_priority = CRYPT_SLOT_PRIORITY_NORMAL;
+
+	if (keyslot != CRYPT_ANY_SLOT) {
+		r = LUKS2_keyslot_for_segment(hdr, keyslot, segment);
+		if (r < 0) {
+			if (r == -ENOENT)
+				log_dbg(cd, "Keyslot %d unusable for segment %d.", keyslot, segment);
+			return r;
+		}
+	}
+
 	if (token >= 0 && token < LUKS2_TOKENS_MAX) {
 		if ((jobj_token = LUKS2_get_token_jobj(hdr, token))) {
-			r = token_open(cd, hdr, token, jobj_token, type, segment, CRYPT_SLOT_PRIORITY_IGNORE,
+			r = token_open(cd, hdr, keyslot, token, jobj_token, type, segment, min_priority,
 				       pin, pin_size, &buffer, &buffer_size, usrptr, true);
 			if (!r) {
-				r = LUKS2_keyslot_open_by_token(cd, hdr, token, segment, CRYPT_SLOT_PRIORITY_IGNORE,
-								buffer, buffer_size, vk);
+				r = LUKS2_keyslot_open_by_token(cd, hdr, keyslot, token, segment,
+								min_priority, buffer, buffer_size, vk);
 				LUKS2_token_buffer_free(cd, token, buffer, buffer_size);
 			}
 		}
@@ -745,7 +848,7 @@ int LUKS2_token_unlock_key(struct crypt_device *cd,
 		 * success (>= 0) or any other negative errno short-circuits token activation loop
 		 * immediately
 		 */
-		r = token_open_any(cd, hdr, type, segment, pin, pin_size, usrptr, vk);
+		r = token_open_any(cd, hdr, type, keyslot, segment, pin, pin_size, usrptr, vk);
 	else
 		r = -EINVAL;
 
@@ -754,6 +857,7 @@ int LUKS2_token_unlock_key(struct crypt_device *cd,
 
 int LUKS2_token_open_and_activate(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
+	int keyslot,
 	int token,
 	const char *name,
 	const char *type,
@@ -763,15 +867,15 @@ int LUKS2_token_open_and_activate(struct crypt_device *cd,
 	void *usrptr)
 {
 	bool use_keyring;
-	int keyslot, r, segment;
-	struct volume_key *vk = NULL;
+	int r, segment;
+	struct volume_key *p_crypt, *p_opal, *crypt_key = NULL, *opal_key = NULL, *vk = NULL;
 
 	if (flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY)
 		segment = CRYPT_ANY_SEGMENT;
 	else
 		segment = CRYPT_DEFAULT_SEGMENT;
 
-	r = LUKS2_token_unlock_key(cd, hdr, token, type, pin, pin_size, segment, usrptr, &vk);
+	r = LUKS2_token_unlock_key(cd, hdr, keyslot, token, type, pin, pin_size, segment, usrptr, &vk);
 	if (r < 0)
 		return r;
 
@@ -779,23 +883,39 @@ int LUKS2_token_open_and_activate(struct crypt_device *cd,
 
 	keyslot = r;
 
-	if (!crypt_use_keyring_for_vk(cd))
+	if (LUKS2_segment_is_hw_opal(hdr, CRYPT_DEFAULT_SEGMENT)) {
+		r = LUKS2_split_crypt_and_opal_keys(cd, hdr, vk, &crypt_key, &opal_key);
+		if (r < 0) {
+			crypt_free_volume_key(vk);
+			return r;
+		}
+
+		p_crypt = crypt_key;
+		p_opal = opal_key ?: vk;
+	} else {
+		p_crypt = vk;
+		p_opal = NULL;
+	}
+
+	if (!crypt_use_keyring_for_vk(cd) || !p_crypt)
 		use_keyring = false;
 	else
 		use_keyring = ((name && !crypt_is_cipher_null(crypt_get_cipher(cd))) ||
 			       (flags & CRYPT_ACTIVATE_KEYRING_KEY));
 
 	if (use_keyring) {
-		if (!(r = LUKS2_volume_key_load_in_keyring_by_keyslot(cd, hdr, vk, keyslot)))
+		if (!(r = LUKS2_volume_key_load_in_keyring_by_keyslot(cd, hdr, p_crypt, keyslot)))
 			flags |= CRYPT_ACTIVATE_KEYRING_KEY;
 	}
 
 	if (r >= 0 && name)
-		r = LUKS2_activate(cd, name, vk, flags);
+		r = LUKS2_activate(cd, name, p_crypt, p_opal, flags);
 
 	if (r < 0)
-		crypt_drop_keyring_key(cd, vk);
+		crypt_drop_keyring_key(cd, p_crypt);
 	crypt_free_volume_key(vk);
+	crypt_free_volume_key(crypt_key);
+	crypt_free_volume_key(opal_key);
 
 	return r < 0 ? r : keyslot;
 }
@@ -995,8 +1115,9 @@ int LUKS2_token_unlock_passphrase(struct crypt_device *cd,
 
 	if (token >= 0 && token < LUKS2_TOKENS_MAX) {
 		if ((jobj_token = LUKS2_get_token_jobj(hdr, token)))
-			r = token_open(cd, hdr, token, jobj_token, type, CRYPT_ANY_SEGMENT, CRYPT_SLOT_PRIORITY_IGNORE,
-				       pin, pin_size, &buffer, &buffer_size, usrptr, false);
+			r = token_open(cd, hdr, CRYPT_ANY_SLOT, token, jobj_token, type,
+				       CRYPT_ANY_SEGMENT, CRYPT_SLOT_PRIORITY_IGNORE, pin, pin_size,
+				       &buffer, &buffer_size, usrptr, false);
 	} else if (token == CRYPT_ANY_TOKEN) {
 		json_object_object_get_ex(hdr->jobj, "tokens", &jobj_tokens);
 
@@ -1005,7 +1126,7 @@ int LUKS2_token_unlock_passphrase(struct crypt_device *cd,
 
 		json_object_object_foreach(jobj_tokens, slot, val) {
 			token = atoi(slot);
-			r = token_open(cd, hdr, token, val, type, CRYPT_ANY_SEGMENT, CRYPT_SLOT_PRIORITY_IGNORE,
+			r = token_open(cd, hdr, CRYPT_ANY_SLOT, token, val, type, CRYPT_ANY_SEGMENT, CRYPT_SLOT_PRIORITY_IGNORE,
 				       pin, pin_size, &buffer, &buffer_size, usrptr, false);
 
 			/*

lib/luks2/luks2_token_keyring.c

@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, kernel keyring token
  *
- * Copyright (C) 2016-2022 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2016-2022 Ondrej Kozina
+ * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2016-2024 Ondrej Kozina
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -40,14 +40,11 @@ int keyring_open(struct crypt_device *cd,
 
 	json_object_object_get_ex(jobj_token, "key_description", &jobj_key);
 
-	r = keyring_get_passphrase(json_object_get_string(jobj_key), buffer, buffer_len);
-	if (r == -ENOTSUP) {
-		log_dbg(cd, "Kernel keyring features disabled.");
+	r = crypt_keyring_get_user_key(cd, json_object_get_string(jobj_key), buffer, buffer_len);
+	if (r == -ENOTSUP)
 		return -ENOENT;
-	} else if (r < 0) {
-		log_dbg(cd, "keyring_get_passphrase failed (error %d)", r);
+	else if (r < 0)
 		return -EPERM;
-	}
 
 	return 0;
 }

lib/meson.build

@@ -0,0 +1,116 @@
+subdir('crypto_backend')
+lib_build_dir = meson.current_build_dir()
+
+libutils_io = static_library('utils_io',
+    files(
+        'utils_io.c',
+    ))
+
+libcryptsetup_sym_path = join_paths(meson.current_source_dir(), 'libcryptsetup.sym')
+
+libcryptsetup_deps = [
+    uuid,
+    devmapper,
+    libargon2_external,
+    jsonc,
+    blkid,
+    dl,
+]
+
+libcryptsetup_sources = files(
+    'bitlk/bitlk.c',
+    'fvault2/fvault2.c',
+    'integrity/integrity.c',
+    'loopaes/loopaes.c',
+    'luks1/af.c',
+    'luks1/keyencryption.c',
+    'luks1/keymanage.c',
+    'luks2/hw_opal/hw_opal.c',
+    'luks2/luks2_digest.c',
+    'luks2/luks2_digest_pbkdf2.c',
+    'luks2/luks2_disk_metadata.c',
+    'luks2/luks2_json_format.c',
+    'luks2/luks2_json_metadata.c',
+    'luks2/luks2_keyslot.c',
+    'luks2/luks2_keyslot_luks2.c',
+    'luks2/luks2_keyslot_reenc.c',
+    'luks2/luks2_luks1_convert.c',
+    'luks2/luks2_reencrypt.c',
+    'luks2/luks2_reencrypt_digest.c',
+    'luks2/luks2_segment.c',
+    'luks2/luks2_token.c',
+    'luks2/luks2_token_keyring.c',
+    'tcrypt/tcrypt.c',
+    'verity/rs_decode_char.c',
+    'verity/rs_encode_char.c',
+    'verity/verity.c',
+    'verity/verity_fec.c',
+    'verity/verity_hash.c',
+    'crypt_plain.c',
+    'keyslot_context.c',
+    'libdevmapper.c',
+    'random.c',
+    'setup.c',
+    'utils.c',
+    'utils_benchmark.c',
+    'utils_blkid.c',
+    'utils_crypt.c',
+    'utils_device.c',
+    'utils_device_locking.c',
+    'utils_devpath.c',
+    'utils_keyring.c',
+    'utils_loop.c',
+    'utils_pbkdf.c',
+    'utils_safe_memory.c',
+    'utils_storage_wrappers.c',
+    'utils_wipe.c',
+    'volumekey.c',
+)
+
+if enable_static
+    libcryptsetup = static_library('cryptsetup',
+        libcryptsetup_sources,
+        dependencies: libcryptsetup_deps,
+        link_with: [
+            libcrypto_backend,
+            libutils_io,
+        ],
+        install: true)
+else
+    libcryptsetup = library('cryptsetup',
+        libcryptsetup_sources,
+        dependencies: libcryptsetup_deps,
+        version: libcryptsetup_version,
+        link_args: [
+            '-Wl,--version-script=' +
+            libcryptsetup_sym_path,
+        ],
+        link_with: [
+            libcrypto_backend,
+            libutils_io,
+        ],
+        install: true)
+endif
+
+lib_tools_files = files(
+    'utils_blkid.c',
+    'utils_crypt.c',
+    'utils_io.c',
+    'utils_loop.c',
+)
+lib_utils_crypt_files = files(
+    'utils_crypt.c',
+)
+lib_ssh_token_files = files(
+    'utils_io.c',
+    'utils_loop.c',
+)
+
+install_headers(
+    'libcryptsetup.h',
+)
+pkgconfig.generate(
+    libcryptsetup,
+    name: 'libcryptsetup',
+    version: PACKAGE_VERSION,
+    description: 'cryptsetup library')

lib/random.c

@@ -1,7 +1,7 @@
 /*
  * cryptsetup kernel RNG access functions
  *
- * Copyright (C) 2010-2022 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License