Version 2.7.5.

We use common libcryptsetup-token.sym version script that contain
all symbols, but some of them are optional.

As clang linker treats missing symbols as errors, the linker
phase for ssh token fails as optional cryptsetup_token_buffer_free
is not defined.
(Most of distros has this option still disabled, though).

As the sym file is also example for token authors, removing symbols
there is not an option. For clang, we can use --undefined-version option,
but it is not supported by other linkers, so it requires non-trivial
checks for usable LDFLAGS (for both autoconf and meson).

Instead, fix it by simply defining the symbol in ssh token, which
duplicates the internal libcryptsetup functionality.

Fixes: #830

.gitlab-ci.yml

@@ -21,3 +21,4 @@ include:
   - local: .gitlab/ci/alpinelinux.yml
   - local: .gitlab/ci/debian-i686.yml
   - local: .gitlab/ci/cifuzz.yml
+  - local: .gitlab/ci/ubuntu.yml

.gitlab/ci/cibuild-setup-ubuntu.sh

@@ -5,7 +5,7 @@ set -ex
 PACKAGES=(
 	git make autoconf automake autopoint pkg-config libtool libtool-bin
 	gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev
-	libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev libpwquality-dev
+	libjson-c-dev libssh-dev libblkid-dev tar libargon2-dev libpwquality-dev
 	sharutils dmsetup jq xxd expect keyutils netcat-openbsd passwd openssh-client
 	sshpass asciidoctor
 )
@@ -13,9 +13,12 @@ PACKAGES=(
 COMPILER="${COMPILER:?}"
 COMPILER_VERSION="${COMPILER_VERSION:?}"
 
-grep -E '^deb' /etc/apt/sources.list > /etc/apt/sources.list~
-sed -Ei 's/^deb /deb-src /' /etc/apt/sources.list~
-cat /etc/apt/sources.list~ >> /etc/apt/sources.list
+sed -i 's/^Types: deb$/Types: deb deb-src/' /etc/apt/sources.list.d/ubuntu.sources
+
+# use this on older Ubuntu
+# grep -E '^deb' /etc/apt/sources.list > /etc/apt/sources.list~
+# sed -Ei 's/^deb /deb-src /' /etc/apt/sources.list~
+# cat /etc/apt/sources.list~ >> /etc/apt/sources.list
 
 apt-get -y update --fix-missing
 DEBIAN_FRONTEND=noninteractive apt-get -yq install software-properties-common wget lsb-release

.gitlab/ci/compilation-gcc.gitlab-ci.yml

@@ -23,9 +23,8 @@ test-gcc-fanalyzer:
   extends:
     - .gitlab-shared-gcc
   script:
-    - export CFLAGS="-Wall -Werror -g -O0 -fanalyzer -fdiagnostics-path-format=separate-events"
     - ./autogen.sh
-    - ./configure
+    - ./configure CFLAGS="-Wall -Werror -g -O0 -fanalyzer -fdiagnostics-path-format=separate-events" --host=x86_64
     - make -j
     - make -j check-programs
 
@@ -49,9 +48,8 @@ test-gcc-fanalyzer-backends:
         - lib/crypto_backend/*
   script:
     - DEBIAN_FRONTEND=noninteractive apt-get -yq install libgcrypt20-dev libnss3-dev nettle-dev
-    - export CFLAGS="-Wall -Werror -g -O0 -fanalyzer -fdiagnostics-path-format=separate-events"
     - ./autogen.sh
     - echo "Configuring with crypto backend $BACKENDS"
-    - ./configure --with-crypto_backend=$BACKENDS
+    - ./configure CFLAGS="-Wall -Werror -g -O0 -fanalyzer -fdiagnostics-path-format=separate-events" --host=x86_64 --with-crypto_backend=$BACKENDS
     - make -j
     - make -j check-programs

.gitlab/ci/gitlab-shared-docker.yml

@@ -1,5 +1,5 @@
 .gitlab-shared-docker:
-  image: ubuntu:lunar
+  image: ubuntu:noble
   tags:
     - gitlab-org-docker
   stage: test
@@ -19,6 +19,7 @@
   variables:
     COMPILER: "gcc"
     COMPILER_VERSION: "13"
+    CC: "gcc-13"
     RUN_SSH_PLUGIN_TEST: "1"
 
 .gitlab-shared-clang:
@@ -27,4 +28,5 @@
   variables:
     COMPILER: "clang"
     COMPILER_VERSION: "18"
+    CC: "clang-18"
     RUN_SSH_PLUGIN_TEST: "1"

.gitlab/ci/ubuntu.yml

@@ -0,0 +1,102 @@
+.ubuntu-prep:
+  extends:
+    - .fail_if_coredump_generated
+  before_script:
+    - sudo apt-get -y update
+    - >
+      [ -z "$RUN_SYSTEMD_PLUGIN_TEST" ] ||
+      sudo apt-get -y install -y -qq swtpm meson ninja-build python3-jinja2
+      gperf libcap-dev libtss2-dev libmount-dev swtpm-tools
+    - >
+      sudo apt-get -y install -y -qq git gcc make autoconf automake autopoint
+      pkgconf libtool libtool-bin gettext libssl-dev libdevmapper-dev
+      libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev
+      tar libargon2-dev libpwquality-dev sharutils dmsetup jq xxd expect
+      keyutils netcat-openbsd passwd openssh-client sshpass asciidoctor
+    - sudo apt-get -y build-dep cryptsetup
+    - sudo -E git clean -xdf
+    - ./autogen.sh
+    - ./configure --enable-libargon2 --enable-asciidoc
+
+test-mergerq-job-ubuntu:
+  extends:
+    - .ubuntu-prep
+  tags:
+    - libvirt
+    - cryptsetup-ubuntu-2404
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-ubuntu-2404
+    RUN_SSH_PLUGIN_TEST: "1"
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  script:
+    - make -j
+    - make -j -C tests check-programs
+    - sudo -E make check
+
+test-main-commit-job-ubuntu:
+  extends:
+    - .ubuntu-prep
+  tags:
+    - libvirt
+    - cryptsetup-ubuntu-2404
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-ubuntu-2404
+    RUN_SSH_PLUGIN_TEST: "1"
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  script:
+    - make -j
+    - make -j -C tests check-programs
+    - sudo -E make check
+
+# meson tests
+test-mergerq-job-ubuntu-meson:
+  extends:
+    - .ubuntu-prep
+  tags:
+    - libvirt
+    - cryptsetup-ubuntu-2404
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-ubuntu-2404
+    RUN_SSH_PLUGIN_TEST: "1"
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  script:
+    - sudo apt-get -y install -y -qq meson ninja-build
+    - meson setup build
+    - ninja -C build
+    - cd build && sudo -E meson test --verbose --print-errorlogs
+
+test-main-commit-job-ubuntu-meson:
+  extends:
+    - .ubuntu-prep
+  tags:
+    - libvirt
+    - cryptsetup-ubuntu-2404
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-ubuntu-2404
+    RUN_SSH_PLUGIN_TEST: "1"
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  script:
+    - sudo apt-get -y install -y -qq meson ninja-build
+    - meson setup build
+    - ninja -C build
+    - cd build && sudo -E meson test --verbose --print-errorlogs

README.md

@@ -39,11 +39,11 @@ Download
 Release notes and tarballs are available at
 [kernel.org](https://www.kernel.org/pub/linux/utils/cryptsetup/).
 
-**The latest stable cryptsetup release version is 2.7.4**
-  * [cryptsetup-2.7.4.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.4.tar.xz)
-  * Signature [cryptsetup-2.7.4.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.4.tar.sign)
+**The latest stable cryptsetup release version is 2.7.5**
+  * [cryptsetup-2.7.5.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.5.tar.xz)
+  * Signature [cryptsetup-2.7.5.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.5.tar.sign)
     _(You need to decompress file first to check signature.)_
-  * [Cryptsetup 2.7.4 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.4-ReleaseNotes).
+  * [Cryptsetup 2.7.5 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.5-ReleaseNotes).
 
 Previous versions
  * [Version 2.6.1](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.1.tar.xz) -

configure.ac

@@ -1,5 +1,5 @@
 AC_PREREQ([2.67])
-AC_INIT([cryptsetup],[2.7.4])
+AC_INIT([cryptsetup],[2.7.5])
 
 dnl library version from <major>.<minor>.<release>[-<suffix>]
 LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-)

docs/v2.7.5-ReleaseNotes

@@ -0,0 +1,23 @@
+Cryptsetup 2.7.5 Release Notes
+==============================
+Stable bug-fix release.
+
+All users of cryptsetup 2.7 must upgrade to this version.
+
+Changes since version 2.7.4
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+* Fix possible online reencryption data corruption (only in 2.7.x).
+
+  In some situations (initializing a suspended device-mapper device),
+  cryptsetup disabled direct-io device access. This caused unsafe
+  online reencryption operations that could lead to data corruption.
+  The code now adds strict checks (and aborts the operation) and
+  changes direct-io detection code to prevent data corruption.
+
+* Fix a clang compilation error in SSH token plugin.
+
+  As clang linker treats missing symbols as errors, the linker phase
+  for the SSH token failed as the optional cryptsetup_token_buffer_free
+  was not defined.
+
+* Fix crypto backend initialization in crypt_format_luks2_opal API call.

lib/crypto_backend/crypto_backend_internal.h

@@ -11,7 +11,7 @@
 
 #include "crypto_backend.h"
 
-/* internal PBKDF2 implementation */
+/* Internal PBKDF2 implementation */
 int pkcs5_pbkdf2(const char *hash,
 		 const char *P, size_t Plen,
 		 const char *S, size_t Slen,

lib/crypto_backend/crypto_openssl.c

@@ -624,7 +624,7 @@ static int openssl_argon2(const char *type, const char *password, size_t passwor
 	ctx = EVP_KDF_CTX_new(argon2);
 	if (!ctx) {
 		EVP_KDF_free(argon2);
-		return -EINVAL;;
+		return -EINVAL;
 	}
 
 	if (EVP_KDF_CTX_set_params(ctx, params) != 1) {

lib/libcryptsetup.h

@@ -3019,6 +3019,8 @@ __attribute__((deprecated));
  * @param usrptr progress specific data
  *
  * @return @e 0 on success or negative errno value otherwise.
+ *
+ * @note A @e progress callback can interrupt reencryption process by returning non-zero code.
  */
 int crypt_reencrypt_run(struct crypt_device *cd,
 		    int (*progress)(uint64_t size, uint64_t offset, void *usrptr),

lib/libdevmapper.c

@@ -1897,7 +1897,7 @@ int dm_status_suspended(struct crypt_device *cd, const char *name)
 	r = dm_status_dmi(name, &dmi, NULL, NULL);
 	dm_exit_context();
 
-	if (r < 0)
+	if (r < 0 && r != -EEXIST)
 		return r;
 
 	return dmi.suspended ? 1 : 0;

lib/loopaes/loopaes.c

@@ -145,7 +145,7 @@ int LOOPAES_parse_keyfile(struct crypt_device *cd,
 	key_lengths[0] = 0;
 	while (offset < buffer_len && key_index < LOOPAES_KEYS_MAX) {
 		keys[key_index] = &buffer[offset];
-		key_lengths[key_index] = 0;;
+		key_lengths[key_index] = 0;
 		while (offset < buffer_len && buffer[offset]) {
 			offset++;
 			key_lengths[key_index]++;

lib/luks2/luks2_reencrypt.c

@@ -3788,6 +3788,13 @@ static int reencrypt_init_by_passphrase(struct crypt_device *cd,
 	if (flags & CRYPT_REENCRYPT_RECOVERY)
 		return reencrypt_recovery_by_passphrase(cd, hdr, keyslot_old, keyslot_new, passphrase, passphrase_size);
 
+	if (name && !device_direct_io(crypt_data_device(cd))) {
+		log_dbg(cd, "Device %s does not support direct I/O.", device_path(crypt_data_device(cd)));
+		/* FIXME: Add more specific error mesage for translation later. */
+		log_err(cd, _("Failed to initialize reencryption device stack."));
+		return -EINVAL;
+	}
+
 	if (cipher && !crypt_cipher_wrapped_key(cipher, cipher_mode)) {
 		r = crypt_keyslot_get_key_size(cd, keyslot_new);
 		if (r < 0)
@@ -4223,9 +4230,14 @@ int crypt_reencrypt_run(
 
 	log_dbg(cd, "Resuming LUKS2 reencryption.");
 
-	if (rh->online && reencrypt_init_device_stack(cd, rh)) {
-		log_err(cd, _("Failed to initialize reencryption device stack."));
-		return -EINVAL;
+	if (rh->online) {
+		/* This is last resort to avoid data corruption. Abort is justified here. */
+		assert(device_direct_io(crypt_data_device(cd)));
+
+		if (reencrypt_init_device_stack(cd, rh)) {
+			log_err(cd, _("Failed to initialize reencryption device stack."));
+			return -EINVAL;
+		}
 	}
 
 	log_dbg(cd, "Progress %" PRIu64 ", device_size %" PRIu64, rh->progress, rh->device_size);

lib/setup.c

@@ -2355,6 +2355,10 @@ int crypt_format_luks2_opal(struct crypt_device *cd,
 
 	log_dbg(cd, "Formatting device %s as type LUKS2 with OPAL HW encryption.", mdata_device_path(cd) ?: "(none)");
 
+	r = init_crypto(cd);
+	if (r < 0)
+		return r;
+
 	if (volume_keys_size < opal_params->user_key_size)
 		return -EINVAL;
 
@@ -4849,7 +4853,7 @@ int create_or_reload_device(struct crypt_device *cd, const char *name,
 	if (dmd->flags & CRYPT_ACTIVATE_REFRESH) {
 		/* Refresh and recalculate means increasing dm-integrity device */
 		if (tgt->type == DM_INTEGRITY && dmd->flags & CRYPT_ACTIVATE_RECALCULATE)
-			dmflags = DM_SUSPEND_SKIP_LOCKFS | DM_SUSPEND_NOFLUSH;;
+			dmflags = DM_SUSPEND_SKIP_LOCKFS | DM_SUSPEND_NOFLUSH;
 		r = _reload_device(cd, name, dmd, dmflags);
 	} else {
 		if (tgt->type == DM_CRYPT || tgt->type == DM_LINEAR) {

lib/utils_blkid.c

@@ -170,7 +170,7 @@ int blk_is_partition(struct blkid_handle *h)
 
 int blk_is_superblock(struct blkid_handle *h)
 {
-	return blkid_probe_has_value(h->pr, "TYPE");;
+	return blkid_probe_has_value(h->pr, "TYPE");
 }
 
 const char *blk_get_partition_type(struct blkid_handle *h)

lib/utils_device.c

@@ -127,11 +127,19 @@ static size_t device_alignment_fd(int devfd)
 	return (size_t)alignment;
 }
 
-static int device_read_test(int devfd)
+static int device_read_test(struct crypt_device *cd, int devfd, struct device *device)
 {
 	char buffer[512];
 	int r = -EIO;
 	size_t minsize = 0, blocksize, alignment;
+	const char *dm_name;
+
+	/* skip check for suspended DM devices */
+	dm_name = device_dm_name(device);
+	if (dm_name && dm_status_suspended(cd, dm_name) > 0) {
+		log_dbg(cd, "Device %s is suspended, assuming direct-io is supported.", dm_name);
+		return 0;
+	}
 
 	blocksize = device_block_size_fd(devfd, &minsize);
 	alignment = device_alignment_fd(devfd);
@@ -148,6 +156,8 @@ static int device_read_test(int devfd)
 	if (read_blockwise(devfd, blocksize, alignment, buffer, minsize) == (ssize_t)minsize)
 		r = 0;
 
+	log_dbg(cd, "Direct-io is supported and works.");
+
 	crypt_safe_memzero(buffer, sizeof(buffer));
 	return r;
 }
@@ -165,7 +175,6 @@ static int device_ready(struct crypt_device *cd, struct device *device)
 	int devfd = -1, r = 0;
 	struct stat st;
 	size_t tmp_size;
-	const char *dm_name;
 
 	if (!device)
 		return -EINVAL;
@@ -176,12 +185,7 @@ static int device_ready(struct crypt_device *cd, struct device *device)
 		device->o_direct = 0;
 		devfd = open(device_path(device), O_RDONLY | O_DIRECT);
 		if (devfd >= 0) {
-			/* skip check for suspended DM devices */
-			dm_name = device_dm_name(device);
-			if (dm_name && dm_status_suspended(cd, dm_name)) {
-				close(devfd);
-				devfd = -1;
-			} else if (device_read_test(devfd) == 0) {
+			if (device_read_test(cd, devfd, device) == 0) {
 				device->o_direct = 1;
 			} else {
 				close(devfd);

meson.build

@@ -2,7 +2,7 @@ project('cryptsetup',
     'c',
     default_options: [ 'prefix=/usr' ],
     meson_version: '>=0.64',
-    version: '2.7.4')
+    version: '2.7.5')
 
 libcryptsetup_version = '12.10.0'
 

misc/fedora/cryptsetup.spec

@@ -2,7 +2,7 @@
 
 Summary: Utility for setting up encrypted disks
 Name: cryptsetup
-Version: 2.7.4
+Version: 2.7.5
 Release: 1%{?dist}
 License: GPL-2.0-or-later WITH cryptsetup-OpenSSL-exception AND LGPL-2.1-or-later WITH cryptsetup-OpenSSL-exception
 URL: https://gitlab.com/cryptsetup/cryptsetup

po/cryptsetup.pot

@@ -5,9 +5,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.7.4\n"
+"Project-Id-Version: cryptsetup 2.7.5\n"
 "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
-"POT-Creation-Date: 2024-07-27 22:42+0200\n"
+"POT-Creation-Date: 2024-09-02 22:57+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -129,7 +129,7 @@ msgstr ""
 msgid "Cannot initialize crypto backend."
 msgstr ""
 
-#: lib/setup.c:305 lib/setup.c:2786 lib/verity/verity.c:109
+#: lib/setup.c:305 lib/setup.c:2790 lib/verity/verity.c:109
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr ""
@@ -143,7 +143,7 @@ msgstr ""
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr ""
 
-#: lib/setup.c:385 lib/setup.c:3981
+#: lib/setup.c:385 lib/setup.c:3985
 msgid "This operation is supported only for LUKS device."
 msgstr ""
 
@@ -165,7 +165,7 @@ msgstr ""
 msgid "Key slot %d is full, please select another one."
 msgstr ""
 
-#: lib/setup.c:607 lib/setup.c:3681
+#: lib/setup.c:607 lib/setup.c:3685
 msgid "Device size is not aligned to device logical block size."
 msgstr ""
 
@@ -174,8 +174,8 @@ msgstr ""
 msgid "Header detected but device %s is too small."
 msgstr ""
 
-#: lib/setup.c:746 lib/setup.c:3572 lib/setup.c:5360 lib/setup.c:5380
-#: lib/luks2/luks2_reencrypt.c:3850 lib/luks2/luks2_reencrypt.c:4307
+#: lib/setup.c:746 lib/setup.c:3576 lib/setup.c:5364 lib/setup.c:5384
+#: lib/luks2/luks2_reencrypt.c:3857 lib/luks2/luks2_reencrypt.c:4319
 msgid "This operation is not supported for this device type."
 msgstr ""
 
@@ -207,8 +207,8 @@ msgstr ""
 msgid "No known cipher specification pattern detected for active device %s."
 msgstr ""
 
-#: lib/setup.c:1592 lib/setup.c:3326 lib/setup.c:3408 lib/setup.c:3420
-#: lib/setup.c:3590 lib/setup.c:6004
+#: lib/setup.c:1592 lib/setup.c:3330 lib/setup.c:3412 lib/setup.c:3424
+#: lib/setup.c:3594 lib/setup.c:6008
 #, c-format
 msgid "Device %s is not active."
 msgstr ""
@@ -222,15 +222,15 @@ msgstr ""
 msgid "Invalid plain crypt parameters."
 msgstr ""
 
-#: lib/setup.c:1696 lib/setup.c:2689
+#: lib/setup.c:1696 lib/setup.c:2693
 msgid "Invalid key size."
 msgstr ""
 
-#: lib/setup.c:1701 lib/setup.c:2694 lib/setup.c:2897
+#: lib/setup.c:1701 lib/setup.c:2698 lib/setup.c:2901
 msgid "UUID is not supported for this crypt type."
 msgstr ""
 
-#: lib/setup.c:1706 lib/setup.c:2699
+#: lib/setup.c:1706 lib/setup.c:2703
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr ""
 
@@ -239,11 +239,11 @@ msgstr ""
 msgid "Unsupported encryption sector size."
 msgstr ""
 
-#: lib/setup.c:1724 lib/setup.c:1986 lib/setup.c:3675
+#: lib/setup.c:1724 lib/setup.c:1986 lib/setup.c:3679
 msgid "Device size is not aligned to requested sector size."
 msgstr ""
 
-#: lib/setup.c:1776 lib/setup.c:2019 lib/setup.c:2365
+#: lib/setup.c:1776 lib/setup.c:2019 lib/setup.c:2369
 msgid "Can't format LUKS without device."
 msgstr ""
 
@@ -252,7 +252,7 @@ msgstr ""
 msgid "Zoned device %s cannot be used for LUKS header."
 msgstr ""
 
-#: lib/setup.c:1788 lib/setup.c:2031 lib/setup.c:2371
+#: lib/setup.c:1788 lib/setup.c:2031 lib/setup.c:2375
 msgid "Requested data alignment is not compatible with data offset."
 msgstr ""
 
@@ -262,8 +262,8 @@ msgid ""
 "updates.\n"
 msgstr ""
 
-#: lib/setup.c:1866 lib/setup.c:2144 lib/setup.c:2165 lib/setup.c:2549
-#: lib/setup.c:2596 lib/setup.c:2909
+#: lib/setup.c:1866 lib/setup.c:2144 lib/setup.c:2165 lib/setup.c:2553
+#: lib/setup.c:2600 lib/setup.c:2913
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr ""
@@ -290,29 +290,29 @@ msgid ""
 "requested encryption sector size.\n"
 msgstr ""
 
-#: lib/setup.c:2147 lib/setup.c:2492 lib/setup.c:2552 lib/utils_device.c:904
+#: lib/setup.c:2147 lib/setup.c:2496 lib/setup.c:2556 lib/utils_device.c:908
 #: lib/luks1/keyencryption.c:242 lib/luks2/luks2_reencrypt.c:3082
-#: lib/luks2/luks2_reencrypt.c:4367
+#: lib/luks2/luks2_reencrypt.c:4379
 #, c-format
 msgid "Device %s is too small."
 msgstr ""
 
-#: lib/setup.c:2158 lib/setup.c:2184 lib/setup.c:2589 lib/setup.c:2635
+#: lib/setup.c:2158 lib/setup.c:2184 lib/setup.c:2593 lib/setup.c:2639
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr ""
 
-#: lib/setup.c:2161 lib/setup.c:2187 lib/setup.c:2592 lib/setup.c:2638
+#: lib/setup.c:2161 lib/setup.c:2187 lib/setup.c:2596 lib/setup.c:2642
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr ""
 
-#: lib/setup.c:2173 lib/setup.c:2609 lib/setup.c:2969
+#: lib/setup.c:2173 lib/setup.c:2613 lib/setup.c:2973
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr ""
 
-#: lib/setup.c:2191 lib/setup.c:2646
+#: lib/setup.c:2191 lib/setup.c:2650
 #, c-format
 msgid "Cannot format device %s."
 msgstr ""
@@ -347,387 +347,387 @@ msgid ""
 "requirements."
 msgstr ""
 
-#: lib/setup.c:2502
+#: lib/setup.c:2506
 #, c-format
 msgid ""
 "Compensating device size by %<PRIu64> sectors to align it with OPAL "
 "alignment granularity."
 msgstr ""
 
-#: lib/setup.c:2560 lib/setup.c:4078 lib/setup.c:4261 lib/utils_wipe.c:355
+#: lib/setup.c:2564 lib/setup.c:4082 lib/setup.c:4265 lib/utils_wipe.c:355
 #: lib/luks2/luks2_json_metadata.c:2690 lib/luks2/luks2_json_metadata.c:2942
 #, c-format
 msgid "Failed to acquire OPAL lock on device %s."
 msgstr ""
 
-#: lib/setup.c:2570
+#: lib/setup.c:2574
 msgid "Incorrect OPAL Admin key."
 msgstr ""
 
-#: lib/setup.c:2572
+#: lib/setup.c:2576
 msgid "Cannot setup OPAL segment."
 msgstr ""
 
-#: lib/setup.c:2642
+#: lib/setup.c:2646
 #, c-format
 msgid ""
 "Cannot format device %s, OPAL device seems to be fully write-protected now."
 msgstr ""
 
-#: lib/setup.c:2644
+#: lib/setup.c:2648
 msgid ""
 "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for "
 "recovery."
 msgstr ""
 
-#: lib/setup.c:2664
+#: lib/setup.c:2668
 #, c-format
 msgid "Locking range %d reset on device %s failed."
 msgstr ""
 
-#: lib/setup.c:2684
+#: lib/setup.c:2688
 msgid "Can't format LOOPAES without device."
 msgstr ""
 
-#: lib/setup.c:2729
+#: lib/setup.c:2733
 msgid "Can't format VERITY without device."
 msgstr ""
 
-#: lib/setup.c:2740 lib/verity/verity.c:88
+#: lib/setup.c:2744 lib/verity/verity.c:88
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr ""
 
-#: lib/setup.c:2746 lib/verity/verity.c:96
+#: lib/setup.c:2750 lib/verity/verity.c:96
 msgid "Unsupported VERITY block size."
 msgstr ""
 
-#: lib/setup.c:2751 lib/verity/verity.c:61
+#: lib/setup.c:2755 lib/verity/verity.c:61
 msgid "Unsupported VERITY hash offset."
 msgstr ""
 
-#: lib/setup.c:2756
+#: lib/setup.c:2760
 msgid "Unsupported VERITY FEC offset."
 msgstr ""
 
-#: lib/setup.c:2780
+#: lib/setup.c:2784
 msgid "Data area overlaps with hash area."
 msgstr ""
 
-#: lib/setup.c:2805
+#: lib/setup.c:2809
 msgid "Hash area overlaps with FEC area."
 msgstr ""
 
-#: lib/setup.c:2812
+#: lib/setup.c:2816
 msgid "Data area overlaps with FEC area."
 msgstr ""
 
-#: lib/setup.c:2948
+#: lib/setup.c:2952
 #, c-format
 msgid ""
 "WARNING: Requested tag size %d bytes differs from %s size output (%d "
 "bytes).\n"
 msgstr ""
 
-#: lib/setup.c:3027
+#: lib/setup.c:3031
 #, c-format
 msgid "Unknown crypt device type %s requested."
 msgstr ""
 
-#: lib/setup.c:3334 lib/setup.c:3413 lib/setup.c:3426
+#: lib/setup.c:3338 lib/setup.c:3417 lib/setup.c:3430
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr ""
 
-#: lib/setup.c:3340 lib/setup.c:3433 lib/luks2/luks2_reencrypt.c:2910
+#: lib/setup.c:3344 lib/setup.c:3437 lib/luks2/luks2_reencrypt.c:2910
 #: lib/luks2/luks2_reencrypt.c:3147 lib/luks2/luks2_reencrypt.c:3542
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr ""
 
-#: lib/setup.c:3457
+#: lib/setup.c:3461
 msgid "Crypt devices mismatch."
 msgstr ""
 
-#: lib/setup.c:3494 lib/setup.c:3499 lib/luks2/luks2_reencrypt.c:2392
-#: lib/luks2/luks2_reencrypt.c:2926 lib/luks2/luks2_reencrypt.c:4111
+#: lib/setup.c:3498 lib/setup.c:3503 lib/luks2/luks2_reencrypt.c:2392
+#: lib/luks2/luks2_reencrypt.c:2926 lib/luks2/luks2_reencrypt.c:4118
 #, c-format
 msgid "Failed to reload device %s."
 msgstr ""
 
-#: lib/setup.c:3505 lib/setup.c:3511 lib/luks2/luks2_reencrypt.c:2363
+#: lib/setup.c:3509 lib/setup.c:3515 lib/luks2/luks2_reencrypt.c:2363
 #: lib/luks2/luks2_reencrypt.c:2370 lib/luks2/luks2_reencrypt.c:2940
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr ""
 
-#: lib/setup.c:3517 lib/luks2/luks2_reencrypt.c:2377
-#: lib/luks2/luks2_reencrypt.c:2961 lib/luks2/luks2_reencrypt.c:4024
-#: lib/luks2/luks2_reencrypt.c:4115
+#: lib/setup.c:3521 lib/luks2/luks2_reencrypt.c:2377
+#: lib/luks2/luks2_reencrypt.c:2961 lib/luks2/luks2_reencrypt.c:4031
+#: lib/luks2/luks2_reencrypt.c:4122
 #, c-format
 msgid "Failed to resume device %s."
 msgstr ""
 
-#: lib/setup.c:3532
+#: lib/setup.c:3536
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr ""
 
-#: lib/setup.c:3535 lib/setup.c:3537
+#: lib/setup.c:3539 lib/setup.c:3541
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr ""
 
-#: lib/setup.c:3577
+#: lib/setup.c:3581
 msgid "Can not resize LUKS2 device with static size."
 msgstr ""
 
-#: lib/setup.c:3622
+#: lib/setup.c:3626
 msgid "Cannot resize loop device."
 msgstr ""
 
-#: lib/setup.c:3666
+#: lib/setup.c:3670
 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
 msgstr ""
 
-#: lib/setup.c:3732
+#: lib/setup.c:3736
 msgid "Resize failed, the kernel doesn't support it."
 msgstr ""
 
-#: lib/setup.c:3764
+#: lib/setup.c:3768
 msgid "Do you really want to change UUID of device?"
 msgstr ""
 
-#: lib/setup.c:3856
+#: lib/setup.c:3860
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr ""
 
-#: lib/setup.c:3966
+#: lib/setup.c:3970
 #, c-format
 msgid "Volume %s is not active."
 msgstr ""
 
-#: lib/setup.c:4032
+#: lib/setup.c:4036
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr ""
 
-#: lib/setup.c:4060
+#: lib/setup.c:4064
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr ""
 
-#: lib/setup.c:4062 lib/setup.c:4070
+#: lib/setup.c:4066 lib/setup.c:4074
 #, c-format
 msgid "Error during suspending device %s."
 msgstr ""
 
-#: lib/setup.c:4084
+#: lib/setup.c:4088
 #, c-format
 msgid "Device %s was suspended but hardware OPAL device cannot be locked."
 msgstr ""
 
-#: lib/setup.c:4116 lib/setup.c:4288
+#: lib/setup.c:4120 lib/setup.c:4292
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr ""
 
-#: lib/setup.c:4118 lib/setup.c:4279 lib/setup.c:4290
+#: lib/setup.c:4122 lib/setup.c:4283 lib/setup.c:4294
 #, c-format
 msgid "Error during resuming device %s."
 msgstr ""
 
-#: lib/setup.c:4137
+#: lib/setup.c:4141
 msgid "Failed to unlink volume key from user specified keyring."
 msgstr ""
 
-#: lib/setup.c:4252 lib/setup.c:4974 lib/setup.c:5796
+#: lib/setup.c:4256 lib/setup.c:4978 lib/setup.c:5800
 msgid "Failed to link volume key in user defined keyring."
 msgstr ""
 
-#: lib/setup.c:4353 src/cryptsetup.c:2848
+#: lib/setup.c:4357 src/cryptsetup.c:2848
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr ""
 
-#: lib/setup.c:4454 lib/setup.c:5114 lib/setup.c:5532 lib/setup.c:5551
-#: lib/setup.c:7425 lib/setup.c:7447 lib/setup.c:7496 src/cryptsetup.c:2358
+#: lib/setup.c:4458 lib/setup.c:5118 lib/setup.c:5536 lib/setup.c:5555
+#: lib/setup.c:7429 lib/setup.c:7451 lib/setup.c:7500 src/cryptsetup.c:2358
 msgid "Volume key does not match the volume."
 msgstr ""
 
-#: lib/setup.c:4608
+#: lib/setup.c:4612
 msgid "Failed to swap new key slot."
 msgstr ""
 
-#: lib/setup.c:4706
+#: lib/setup.c:4710
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr ""
 
-#: lib/setup.c:4712 src/cryptsetup.c:2068 src/cryptsetup.c:2560
+#: lib/setup.c:4716 src/cryptsetup.c:2068 src/cryptsetup.c:2560
 #: src/cryptsetup.c:3241 src/cryptsetup.c:3301
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr ""
 
-#: lib/setup.c:4731
+#: lib/setup.c:4735
 msgid "Device header overlaps with data area."
 msgstr ""
 
-#: lib/setup.c:5084 lib/setup.c:5184
+#: lib/setup.c:5088 lib/setup.c:5188
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr ""
 
-#: lib/setup.c:5086 lib/setup.c:5186 lib/luks2/luks2_json_metadata.c:2848
+#: lib/setup.c:5090 lib/setup.c:5190 lib/luks2/luks2_json_metadata.c:2848
 #: lib/luks2/luks2_reencrypt.c:3648
 msgid "Failed to get reencryption lock."
 msgstr ""
 
-#: lib/setup.c:5098
+#: lib/setup.c:5102
 msgid "LUKS2 reencryption recovery using volume key(s) failed."
 msgstr ""
 
-#: lib/setup.c:5150 lib/setup.c:5240
+#: lib/setup.c:5154 lib/setup.c:5244
 msgid "Failed to link volume keys in user defined keyring."
 msgstr ""
 
-#: lib/setup.c:5199 lib/luks2/luks2_reencrypt.c:3667
+#: lib/setup.c:5203 lib/luks2/luks2_reencrypt.c:3667
 msgid "LUKS2 reencryption recovery failed."
 msgstr ""
 
-#: lib/setup.c:5448 lib/setup.c:5562 lib/setup.c:5619
+#: lib/setup.c:5452 lib/setup.c:5566 lib/setup.c:5623
 msgid "Device type is not properly initialized."
 msgstr ""
 
-#: lib/setup.c:5503
+#: lib/setup.c:5507
 #, c-format
 msgid "Device %s already exists."
 msgstr ""
 
-#: lib/setup.c:5510
+#: lib/setup.c:5514
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr ""
 
-#: lib/setup.c:5528
+#: lib/setup.c:5532
 msgid "Incorrect volume key specified for plain device."
 msgstr ""
 
-#: lib/setup.c:5542
+#: lib/setup.c:5546
 msgid "Reencryption volume keys do not match the volume."
 msgstr ""
 
-#: lib/setup.c:5655
+#: lib/setup.c:5659
 msgid "Kernel keyring is not supported by the kernel."
 msgstr ""
 
-#: lib/setup.c:5659
+#: lib/setup.c:5663
 msgid "Kernel keyring missing: required for passing signature to kernel."
 msgstr ""
 
-#: lib/setup.c:5917
+#: lib/setup.c:5921
 msgid "Incorrect root hash specified for verity device."
 msgstr ""
 
-#: lib/setup.c:5960
+#: lib/setup.c:5964
 msgid "OPAL does not support deferred deactivation."
 msgstr ""
 
-#: lib/setup.c:5976
+#: lib/setup.c:5980
 #, c-format
 msgid "Could not cancel deferred remove from device %s."
 msgstr ""
 
-#: lib/setup.c:5983 lib/setup.c:5999 lib/luks2/luks2_json_metadata.c:2902
+#: lib/setup.c:5987 lib/setup.c:6003 lib/luks2/luks2_json_metadata.c:2902
 #: src/utils_reencrypt.c:103
 #, c-format
 msgid "Device %s is still in use."
 msgstr ""
 
-#: lib/setup.c:6008
+#: lib/setup.c:6012
 #, c-format
 msgid "Invalid device %s."
 msgstr ""
 
-#: lib/setup.c:6148
+#: lib/setup.c:6152
 msgid "Volume key buffer too small."
 msgstr ""
 
-#: lib/setup.c:6165
+#: lib/setup.c:6169
 msgid "Cannot retrieve volume key for LUKS2 device."
 msgstr ""
 
-#: lib/setup.c:6174
+#: lib/setup.c:6178
 msgid "Cannot retrieve volume key for LUKS1 device."
 msgstr ""
 
-#: lib/setup.c:6184
+#: lib/setup.c:6188
 msgid "Cannot retrieve volume key for plain device."
 msgstr ""
 
-#: lib/setup.c:6192
+#: lib/setup.c:6196
 msgid "Cannot retrieve root hash for verity device."
 msgstr ""
 
-#: lib/setup.c:6199
+#: lib/setup.c:6203
 msgid "Cannot retrieve volume key for BITLK device."
 msgstr ""
 
-#: lib/setup.c:6204
+#: lib/setup.c:6208
 msgid "Cannot retrieve volume key for FVAULT2 device."
 msgstr ""
 
-#: lib/setup.c:6206
+#: lib/setup.c:6210
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr ""
 
-#: lib/setup.c:6390 lib/setup.c:6401
+#: lib/setup.c:6394 lib/setup.c:6405
 msgid "Dump operation is not supported for this device type."
 msgstr ""
 
-#: lib/setup.c:6760
+#: lib/setup.c:6764
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr ""
 
-#: lib/setup.c:7068
+#: lib/setup.c:7072
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr ""
 
-#: lib/setup.c:7366 lib/setup.c:7505
+#: lib/setup.c:7370 lib/setup.c:7509
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr ""
 
-#: lib/setup.c:7390
+#: lib/setup.c:7394
 msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr ""
 
-#: lib/setup.c:7396
+#: lib/setup.c:7400
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr ""
 
-#: lib/setup.c:7621
+#: lib/setup.c:7625
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr ""
 
-#: lib/setup.c:7690 lib/verity/verity.c:330
+#: lib/setup.c:7694 lib/verity/verity.c:330
 msgid "Failed to load key in kernel keyring."
 msgstr ""
 
-#: lib/setup.c:7808
+#: lib/setup.c:7812
 msgid "Failed to unlink volume key from thread keyring."
 msgstr ""
 
-#: lib/setup.c:7852
+#: lib/setup.c:7856
 #, c-format
 msgid "Could not find keyring described by \"%s\"."
 msgstr ""
 
-#: lib/setup.c:7917
+#: lib/setup.c:7921
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr ""
 
@@ -768,58 +768,58 @@ msgstr ""
 msgid "Cannot read requested amount of data."
 msgstr ""
 
-#: lib/utils_device.c:200 lib/utils_storage_wrappers.c:97
+#: lib/utils_device.c:204 lib/utils_storage_wrappers.c:97
 #: lib/luks1/keyencryption.c:78 src/utils_reencrypt.c:1458
 #, c-format
 msgid "Device %s does not exist or access denied."
 msgstr ""
 
-#: lib/utils_device.c:210
+#: lib/utils_device.c:214
 #, c-format
 msgid "Device %s is not compatible."
 msgstr ""
 
-#: lib/utils_device.c:554
+#: lib/utils_device.c:558
 #, c-format
 msgid "Ignoring bogus optimal-io size for data device (%u bytes)."
 msgstr ""
 
-#: lib/utils_device.c:715
+#: lib/utils_device.c:719
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr ""
 
-#: lib/utils_device.c:796
+#: lib/utils_device.c:800
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr ""
 
-#: lib/utils_device.c:800
+#: lib/utils_device.c:804
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr ""
 
-#: lib/utils_device.c:803
+#: lib/utils_device.c:807
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr ""
 
-#: lib/utils_device.c:826
+#: lib/utils_device.c:830
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr ""
 
-#: lib/utils_device.c:837
+#: lib/utils_device.c:841
 msgid ""
 "Attaching loopback device failed (loop device with autoclear flag is "
 "required)."
 msgstr ""
 
-#: lib/utils_device.c:885
+#: lib/utils_device.c:889
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr ""
 
-#: lib/utils_device.c:893
+#: lib/utils_device.c:897
 #, c-format
 msgid "Device %s has zero size."
 msgstr ""
@@ -1678,7 +1678,7 @@ msgstr ""
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2857 lib/luks2/luks2_reencrypt.c:4161
+#: lib/luks2/luks2_json_metadata.c:2857 lib/luks2/luks2_reencrypt.c:4168
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr ""
@@ -1763,7 +1763,7 @@ msgstr ""
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:589 lib/luks2/luks2_reencrypt.c:3797
+#: lib/luks2/luks2_luks1_convert.c:589 lib/luks2/luks2_reencrypt.c:3804
 #, c-format
 msgid "Unable to use cipher specification %s-%s for LUKS2."
 msgstr ""
@@ -1838,7 +1838,7 @@ msgstr ""
 
 #: lib/luks2/luks2_reencrypt.c:1395 lib/luks2/luks2_reencrypt.c:1582
 #: lib/luks2/luks2_reencrypt.c:1665 lib/luks2/luks2_reencrypt.c:1707
-#: lib/luks2/luks2_reencrypt.c:3956
+#: lib/luks2/luks2_reencrypt.c:3963
 msgid "Failed to initialize old segment storage wrapper."
 msgstr ""
 
@@ -1846,7 +1846,7 @@ msgstr ""
 msgid "Failed to initialize new segment storage wrapper."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:1536 lib/luks2/luks2_reencrypt.c:3968
+#: lib/luks2/luks2_reencrypt.c:1536 lib/luks2/luks2_reencrypt.c:3975
 msgid "Failed to initialize hotzone protection."
 msgstr ""
 
@@ -1854,7 +1854,7 @@ msgstr ""
 msgid "Failed to read checksums for current hotzone."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:1616 lib/luks2/luks2_reencrypt.c:3982
+#: lib/luks2/luks2_reencrypt.c:1616 lib/luks2/luks2_reencrypt.c:3989
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr ""
@@ -1955,7 +1955,7 @@ msgstr ""
 msgid "Device not marked for LUKS2 reencryption."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3299 lib/luks2/luks2_reencrypt.c:4273
+#: lib/luks2/luks2_reencrypt.c:3299 lib/luks2/luks2_reencrypt.c:4285
 msgid "Failed to load LUKS2 reencryption context."
 msgstr ""
 
@@ -1991,92 +1991,92 @@ msgstr ""
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3814
-msgid "LUKS2 reencryption already initialized in metadata."
+#: lib/luks2/luks2_reencrypt.c:3794 lib/luks2/luks2_reencrypt.c:4238
+msgid "Failed to initialize reencryption device stack."
 msgstr ""
 
 #: lib/luks2/luks2_reencrypt.c:3821
+msgid "LUKS2 reencryption already initialized in metadata."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3828
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3874 lib/luks2/luks2_reencrypt.c:3909
+#: lib/luks2/luks2_reencrypt.c:3881 lib/luks2/luks2_reencrypt.c:3916
 msgid "Reencryption is not supported for DAX (persistent memory) devices."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3881
+#: lib/luks2/luks2_reencrypt.c:3888
 msgid "Failed to read passphrase from keyring."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3938
+#: lib/luks2/luks2_reencrypt.c:3945
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3990
+#: lib/luks2/luks2_reencrypt.c:3997
 msgid "Failed to write reencryption resilience metadata."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3997
+#: lib/luks2/luks2_reencrypt.c:4004
 msgid "Decryption failed."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4002
+#: lib/luks2/luks2_reencrypt.c:4009
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4007
+#: lib/luks2/luks2_reencrypt.c:4014
 msgid "Failed to sync data."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4015
+#: lib/luks2/luks2_reencrypt.c:4022
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4104
+#: lib/luks2/luks2_reencrypt.c:4111
 msgid "Failed to write LUKS2 metadata."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4127
+#: lib/luks2/luks2_reencrypt.c:4134
 msgid "Failed to wipe unused data device area."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4133
+#: lib/luks2/luks2_reencrypt.c:4140
 #, c-format
 msgid "Failed to remove unused (unbound) keyslot %d."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4143
+#: lib/luks2/luks2_reencrypt.c:4150
 msgid "Failed to remove reencryption keyslot."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4153
+#: lib/luks2/luks2_reencrypt.c:4160
 #, c-format
 msgid ""
 "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> "
 "sectors long."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4157
+#: lib/luks2/luks2_reencrypt.c:4164
 msgid "Online reencryption failed."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4162
+#: lib/luks2/luks2_reencrypt.c:4169
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4214
+#: lib/luks2/luks2_reencrypt.c:4221
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4220
+#: lib/luks2/luks2_reencrypt.c:4227
 msgid "Missing or invalid reencrypt context."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4227
-msgid "Failed to initialize reencryption device stack."
-msgstr ""
-
-#: lib/luks2/luks2_reencrypt.c:4249 lib/luks2/luks2_reencrypt.c:4286
+#: lib/luks2/luks2_reencrypt.c:4261 lib/luks2/luks2_reencrypt.c:4298
 msgid "Failed to update reencryption context."
 msgstr ""
 

src/utils_password.c

@@ -99,7 +99,7 @@ static ssize_t read_tty_eol(int fd, char *pass, size_t maxlen)
 	ssize_t r, read_size = 0;
 
 	if (maxlen > SSIZE_MAX)
-		return -EINVAL;
+		return -1;
 
 	do {
 		r = read(fd, pass, maxlen - read_size);

tests/api-test.c

@@ -1694,7 +1694,7 @@ static void VerityTest(void)
 
 	OK_(crypt_activate_by_volume_key(cd, NULL, root_hash, 32, 0));
 	OK_(crypt_set_data_device(cd, DEVICE_1));
-	FAIL_(crypt_activate_by_volume_key(cd, NULL, root_hash, 32, 0), "Data corrupted");;
+	FAIL_(crypt_activate_by_volume_key(cd, NULL, root_hash, 32, 0), "Data corrupted");
 
 	OK_(crypt_set_data_device(cd, DEVICE_EMPTY));
 	if (crypt_activate_by_volume_key(cd, CDEVICE_1, root_hash, 32,

tokens/libcryptsetup-token.sym

@@ -1,9 +1,13 @@
 CRYPTSETUP_TOKEN_1.0 {
-    global: cryptsetup_token_open;
-	    cryptsetup_token_open_pin;
-	    cryptsetup_token_buffer_free;
-	    cryptsetup_token_validate;
-	    cryptsetup_token_dump;
-	    cryptsetup_token_version;
-    local: *;
+	global:
+		/* Mandatory functions */
+		cryptsetup_token_open;
+		cryptsetup_token_version;
+
+		/* Optional functions */
+		cryptsetup_token_open_pin;
+		cryptsetup_token_buffer_free;
+		cryptsetup_token_validate;
+		cryptsetup_token_dump;
+	local: *;
 };

tokens/ssh/libcryptsetup-token-ssh.c

@@ -39,13 +39,20 @@ int cryptsetup_token_open(struct crypt_device *cd, int token,
 	char **password, size_t *password_len, void *usrptr);
 void cryptsetup_token_dump(struct crypt_device *cd, const char *json);
 int cryptsetup_token_validate(struct crypt_device *cd, const char *json);
-
+void cryptsetup_token_buffer_free(void *buffer, size_t buffer_len);
 
 const char *cryptsetup_token_version(void)
 {
 	return TOKEN_VERSION_MAJOR "." TOKEN_VERSION_MINOR;
 }
 
+void cryptsetup_token_buffer_free(void *buffer, size_t buffer_len)
+{
+	/* libcryptsetup API call */
+	crypt_safe_memzero(buffer, buffer_len);
+	free(buffer);
+}
+
 static json_object *get_token_jobj(struct crypt_device *cd, int token)
 {
 	const char *json_slot;