Ubuntu
cryptsetup package

Merge ~vpa1977/ubuntu/+source/cryptsetup:merge-lp2004423-lunar into ubuntu/+source/cryptsetup:ubuntu/devel

Proposed by Vladimir Petko on 2023-02-13

Status:	Superseded
Proposed branch:	~vpa1977/ubuntu/+source/cryptsetup:merge-lp2004423-lunar
Merge into:	ubuntu/+source/cryptsetup:ubuntu/devel
Diff against target:	60499 lines (+25488/-8727) (has conflicts) 230 files modified .github/workflows/cibuild-setup-ubuntu.sh (+1/-1) .gitignore (+1/-0) .gitlab-ci.yml (+3/-0) .gitlab/ci/alpinelinux.yml (+4/-2) .gitlab/ci/centos.yml (+4/-0) .gitlab/ci/cibuild-setup-ubuntu.sh (+1/-1) .gitlab/ci/cifuzz.yml (+46/-0) .gitlab/ci/compilation-various-disables.yml (+21/-0) .gitlab/ci/debian.yml (+11/-8) .gitlab/ci/fedora.yml (+6/-1) .gitlab/ci/rhel.yml (+10/-0) .gitlab/ci/ubuntu-32bit.yml (+41/-0) FAQ.md (+25/-0) Makefile.am (+12/-1) README.md (+93/-61) autogen.sh (+1/-1) configure.ac (+32/-2) debian/README.Debian (+1/-1) debian/changelog (+83/-0) debian/clean (+5/-0) debian/control (+11/-2) debian/copyright (+26/-17) debian/cryptsetup-bin.manpages (+2/-0) debian/doc/crypttab.xml (+16/-2) debian/functions (+4/-0) debian/initramfs/hooks/cryptgnupg-sc (+11/-1) debian/libcryptsetup12.symbols (+11/-0) debian/patches/decrease_memlock_ulimit.patch (+20/-0) debian/rules (+4/-0) debian/upstream/metadata (+3/-2) dev/null (+0/-55) docs/examples/crypt_log_usage.c (+1/-1) docs/examples/crypt_luks_usage.c (+1/-1) docs/v2.6.0-ReleaseNotes (+236/-0) docs/v2.6.1-ReleaseNotes (+50/-0) lib/Makemodule.am (+5/-3) lib/bitlk/bitlk.c (+87/-41) lib/bitlk/bitlk.h (+3/-3) lib/crypt_plain.c (+2/-2) lib/crypto_backend/argon2_generic.c (+2/-2) lib/crypto_backend/base64.c (+1/-2) lib/crypto_backend/cipher_check.c (+2/-2) lib/crypto_backend/cipher_generic.c (+2/-2) lib/crypto_backend/crc32.c (+70/-1) lib/crypto_backend/crypto_backend.h (+9/-3) lib/crypto_backend/crypto_backend_internal.h (+2/-2) lib/crypto_backend/crypto_cipher_kernel.c (+2/-2) lib/crypto_backend/crypto_gcrypt.c (+19/-3) lib/crypto_backend/crypto_kernel.c (+7/-2) lib/crypto_backend/crypto_nettle.c (+7/-2) lib/crypto_backend/crypto_nss.c (+7/-2) lib/crypto_backend/crypto_openssl.c (+37/-2) lib/crypto_backend/crypto_storage.c (+1/-1) lib/crypto_backend/pbkdf2_generic.c (+2/-2) lib/crypto_backend/pbkdf_check.c (+2/-2) lib/crypto_backend/utf8.c (+1/-2) lib/fvault2/fvault2.c (+1057/-0) lib/fvault2/fvault2.h (+80/-0) lib/integrity/integrity.c (+1/-1) lib/integrity/integrity.h (+1/-1) lib/internal.h (+4/-5) lib/keyslot_context.c (+488/-0) lib/keyslot_context.h (+111/-0) lib/libcryptsetup.h (+228/-3) lib/libcryptsetup.pc.in (+1/-0) lib/libcryptsetup.sym (+14/-0) lib/libcryptsetup_macros.h (+2/-2) lib/libcryptsetup_symver.h (+3/-3) lib/libdevmapper.c (+30/-91) lib/loopaes/loopaes.c (+2/-2) lib/loopaes/loopaes.h (+2/-2) lib/luks1/af.c (+1/-1) lib/luks1/af.h (+1/-1) lib/luks1/keyencryption.c (+2/-2) lib/luks1/keymanage.c (+19/-8) lib/luks1/luks.h (+1/-1) lib/luks2/luks2.h (+16/-4) lib/luks2/luks2_digest.c (+2/-2) lib/luks2/luks2_digest_pbkdf2.c (+2/-2) lib/luks2/luks2_disk_metadata.c (+2/-4) lib/luks2/luks2_internal.h (+4/-2) lib/luks2/luks2_json_format.c (+6/-3) lib/luks2/luks2_json_metadata.c (+94/-26) lib/luks2/luks2_keyslot.c (+2/-2) lib/luks2/luks2_keyslot_luks2.c (+19/-5) lib/luks2/luks2_keyslot_reenc.c (+2/-2) lib/luks2/luks2_luks1_convert.c (+3/-3) lib/luks2/luks2_reencrypt.c (+82/-67) lib/luks2/luks2_reencrypt_digest.c (+3/-4) lib/luks2/luks2_segment.c (+2/-2) lib/luks2/luks2_token.c (+116/-28) lib/luks2/luks2_token_keyring.c (+7/-4) lib/random.c (+2/-2) lib/setup.c (+594/-390) lib/tcrypt/tcrypt.c (+2/-3) lib/tcrypt/tcrypt.h (+2/-2) lib/utils.c (+27/-37) lib/utils_benchmark.c (+8/-5) lib/utils_blkid.c (+1/-1) lib/utils_blkid.h (+1/-1) lib/utils_crypt.c (+81/-2) lib/utils_crypt.h (+10/-5) lib/utils_device.c (+6/-4) lib/utils_device_locking.c (+3/-4) lib/utils_device_locking.h (+2/-2) lib/utils_devpath.c (+2/-2) lib/utils_dm.h (+3/-2) lib/utils_io.c (+3/-2) lib/utils_io.h (+2/-2) lib/utils_keyring.c (+4/-6) lib/utils_keyring.h (+2/-2) lib/utils_loop.c (+2/-2) lib/utils_loop.h (+2/-2) lib/utils_pbkdf.c (+2/-2) lib/utils_safe_memory.c (+25/-9) lib/utils_storage_wrappers.c (+1/-1) lib/utils_storage_wrappers.h (+1/-1) lib/utils_wipe.c (+4/-4) lib/verity/rs.h (+1/-1) lib/verity/rs_decode_char.c (+1/-1) lib/verity/rs_encode_char.c (+1/-1) lib/verity/verity.c (+1/-1) lib/verity/verity.h (+1/-1) lib/verity/verity_fec.c (+1/-1) lib/verity/verity_hash.c (+1/-1) lib/volumekey.c (+1/-1) m4/ax_check_compile_flag.m4 (+53/-0) man/Makemodule.am (+3/-0) man/common_options.adoc (+109/-27) man/cryptsetup-fvault2Dump.8.adoc (+34/-0) man/cryptsetup-luksAddKey.8.adoc (+39/-9) man/cryptsetup-open.8.adoc (+21/-4) man/cryptsetup-token.8.adoc (+5/-2) man/cryptsetup.8.adoc (+45/-1) man/veritysetup.8.adoc (+5/-1) po/LINGUAS (+2/-0) po/POTFILES.in (+1/-1) po/cryptsetup.pot (+699/-621) po/cs.po (+750/-651) po/de.po (+749/-652) po/fr.po (+749/-652) po/ja.po (+736/-717) po/ka.po (+3756/-0) po/pl.po (+700/-613) po/ro.po (+3874/-0) po/ru.po (+749/-651) po/sr.po (+1315/-1039) po/sv.po (+1315/-1045) po/uk.po (+748/-651) src/cryptsetup.c (+389/-72) src/cryptsetup.h (+2/-3) src/cryptsetup_arg_list.h (+9/-3) src/cryptsetup_args.h (+7/-3) src/integritysetup.c (+2/-2) src/integritysetup_arg_list.h (+2/-2) src/integritysetup_args.h (+2/-2) src/utils_arg_macros.h (+2/-2) src/utils_arg_names.h (+6/-2) src/utils_args.c (+2/-2) src/utils_blockdev.c (+2/-2) src/utils_luks.c (+3/-3) src/utils_luks.h (+3/-3) src/utils_password.c (+4/-5) src/utils_progress.c (+2/-2) src/utils_reencrypt.c (+40/-8) src/utils_reencrypt_luks1.c (+8/-8) src/utils_tools.c (+19/-14) src/veritysetup.c (+9/-5) src/veritysetup_arg_list.h (+4/-2) src/veritysetup_args.h (+3/-2) tests/Makefile.am (+38/-9) tests/Makefile.localtest (+8/-0) tests/align-test (+28/-2) tests/align-test2 (+17/-1) tests/all-symbols-test.c (+1/-1) tests/api-test-2.c (+344/-62) tests/api-test.c (+263/-13) tests/api_test.h (+23/-4) tests/bitlk-compat-test (+3/-3) tests/compat-test (+50/-15) tests/compat-test2 (+131/-31) tests/crypto-vectors.c (+1/-1) tests/device-test (+17/-1) tests/differ.c (+1/-1) tests/discards-test (+16/-0) tests/fake_systemd_tpm_path.c (+17/-0) tests/fuzz/FuzzerInterface.h (+81/-0) tests/fuzz/LUKS2.proto (+379/-0) tests/fuzz/LUKS2_plain_JSON.proto (+190/-0) tests/fuzz/Makefile.am (+122/-0) tests/fuzz/README.md (+66/-0) tests/fuzz/crypt2_load_fuzz.cc (+112/-0) tests/fuzz/crypt2_load_fuzz.dict (+130/-0) tests/fuzz/crypt2_load_ondisk_fuzz.cc (+64/-0) tests/fuzz/crypt2_load_ondisk_fuzz.dict (+9/-0) tests/fuzz/crypt2_load_proto_fuzz.cc (+30/-7) tests/fuzz/crypt2_load_proto_plain_json_fuzz.cc (+51/-0) tests/fuzz/crypt2_load_proto_plain_json_fuzz.dict (+72/-0) tests/fuzz/json_proto_converter.cc (+87/-0) tests/fuzz/json_proto_converter.h (+43/-0) tests/fuzz/oss-fuzz-build.sh (+152/-0) tests/fuzz/plain_json_proto_to_luks2.cc (+75/-0) tests/fuzz/plain_json_proto_to_luks2_converter.cc (+153/-0) tests/fuzz/plain_json_proto_to_luks2_converter.h (+58/-0) tests/fuzz/proto_to_luks2.cc (+75/-0) tests/fuzz/proto_to_luks2_converter.cc (+604/-0) tests/fuzz/proto_to_luks2_converter.h (+91/-0) tests/fuzz/unpoison-mutated-buffers-from-libfuzzer.patch (+29/-0) tests/fvault2-compat-test (+134/-0) tests/keyring-compat-test (+18/-2) tests/loopaes-test (+16/-0) tests/luks1-compat-test (+27/-12) tests/luks2-integrity-test (+16/-0) tests/luks2-reencryption-mangle-test (+2/-1) tests/luks2-reencryption-test (+43/-19) tests/mode-test (+20/-2) tests/password-hash-test (+16/-0) tests/reencryption-compat-test (+42/-2) tests/ssh-test-plugin (+27/-2) tests/systemd-test-plugin (+150/-0) tests/tcrypt-compat-test (+3/-3) tests/test_utils.c (+66/-9) tests/unit-utils-crypt.c (+1/-1) tests/unit-utils-io.c (+1/-1) tests/unit-wipe.c (+1/-1) tests/verity-compat-test (+6/-0) tokens/ssh/cryptsetup-ssh.c (+2/-2) tokens/ssh/libcryptsetup-token-ssh.c (+8/-2) tokens/ssh/ssh-utils.c (+2/-2) tokens/ssh/ssh-utils.h (+2/-2) Conflict in debian/changelog Conflict in debian/patches/decrease_memlock_ulimit.patch
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
git-ubuntu import		2023-02-13	Pending
Review via email: mp+437183@code.launchpad.net

This proposal has been superseded by a proposal from 2023-02-13.

Description of the change

  * Merge with Debian unstable (LP: #2004423). Remaining changes:
   - debian/control:
      + Recommend plymouth.
      + Depend on busybox-initramfs instead of busybox | busybox-static.
      + Move cryptsetup-initramfs back to cryptsetup's Recommends.
      + Do not build cryptsetup-suspend binary package on i386.
    - Fix cryptroot-unlock for busybox compatibility.
    - Fix warning and error when running on ZFS on root
      - d/functions: Return an empty devno for ZFS devices as they don't have
        major:minor device numbers.
      - d/initramfs/hooks/cryptroot: Ignore and don't print an error message
        when devices don't have a devno.
    - debian/patches/decrease_memlock_ulimit.patch
      Fixed FTBFS due to a restricted build environment
    - Fix cryptroot-* autopkgtests on Ubuntu. (LP: #1983522)
      + debian/tests/utils/mock.pm: return from consume() function if select()
        times out or fails
      + debian/tests/utils/cryptroot-common: fix apt source and kernel package
        names for Ubuntu
      + debian/tests/cryptroot-sysvinit.d: use systemd-sysv init for Ubuntu
        cryptroot-sysvinit package test
      + debian/tests/cryptroot-nested.d: fix cryptsetup-nested test, add
        workaround for LP1831747 by adding a e2fsprogs dependency
      + debian/tests/initramfs-hook: fix test's initramfs layout for Ubuntu and
        allow blowfish test use 64Mb of provisioned space (drop --size)
      + debian/tests/control: disable cryptdisks test

PPA: ppa:vpa1977/cryptsetup-review-comments

Package Test Results:

autopkgtest [16:57:03]: @@@@@@@@@@@@@@@@@@@@ summary
hint-testsuite-triggers SKIP unknown restriction hint-testsuite-triggers
hint-testsuite-triggers SKIP unknown restriction hint-testsuite-triggers
upstream-testsuite PASS
ssh-test-plugin PASS
cryptdisks.init PASS
initramfs-hook PASS
cryptroot-lvm PASS
cryptroot-legacy PASS
cryptroot-md PASS
cryptroot-nested PASS
cryptroot-sysvinit PASS
qemu-system-x86_64: terminating on signal 15 from pid 1553342 (/usr/bin/pyt)

Unmerged commits

a930e85... by Vladimir Petko on 2023-02-13

update-maintainer

8cdbacc... by Vladimir Petko on 2023-02-13

changelog

c6e9d40... by Vladimir Petko on 2023-02-13

merge-changelogs

b50d064... by Vladimir Petko on 2023-02-13

refresh patch

2d43026... by Vladimir Petko on 2023-02-13

* Fix cryptroot-* autopkgtests on Ubuntu. (LP: #1983522)

- debian/tests/control: enable cryptroot-lvm

8c5bf17... by Vladimir Petko on 2023-02-13

    - debian/tests/utils/cryptroot-common: fix apt source and kernel package
      names for Ubuntu
    - debian/tests/cryptroot-sysvinit.d: use systemd-sysv init for Ubuntu
      cryptroot-sysvinit package test
    - debian/tests/cryptroot-nested.d: fix cryptsetup-nested test, add
      workaround for LP1831747 by adding a e2fsprogs dependency
    - debian/tests/initramfs-hook: fix test's initramfs layout for Ubuntu and
      allow blowfish test use 64Mb of provisioned space (drop --size)

71bc417... by Vladimir Petko on 2023-02-13

- debian/tests/utils/mock.pm: return from consume() function if select()
times out or fails

9463315... by Vladimir Petko on 2023-02-13

- Fix cryptroot-unlock for busybox compatibility.

59550be... by Vladimir Petko on 2023-02-13

- debian/patches/decrease_memlock_ulimit.patch
Fixed FTBFS due to a restricted build environment

fa40a7d... by Vladimir Petko on 2023-02-13

- d/initramfs/hooks/cryptroot: Ignore and don't print an error message
when devices don't have a devno.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes:

Vladimir Petko

git-ubuntu developers

 diff --git a/.github/workflows/cibuild-setup-ubuntu.sh b/.github/workflows/cibuild-setup-ubuntu.sh
 index 85c15e5..2c0adb2 100755
 --- a/.github/workflows/cibuild-setup-ubuntu.sh
 +++ b/.github/workflows/cibuild-setup-ubuntu.sh
@@ -4,7 +4,7 @@ set -ex
  PACKAGES=(
  	git make autoconf automake autopoint pkg-config libtool libtool-bin
--	gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol1-dev
++	gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev
  	libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev libpwquality-dev
  	sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass
  	asciidoctor
 diff --git a/.gitignore b/.gitignore
 index db7afde..41715d1 100644
 --- a/.gitignore
 +++ b/.gitignore
@@ -58,3 +58,4 @@ tests/unit-utils-io
  tests/vectors-test
  tests/test-symbols-list.h
  tests/all-symbols-test
++tests/fuzz/LUKS2.pb*
 diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
 index 5481515..3153145 100644
 --- a/.gitlab-ci.yml
 +++ b/.gitlab-ci.yml
@@ -15,6 +15,9 @@ include:
    - local: .gitlab/ci/annocheck.yml
    - local: .gitlab/ci/csmock.yml
    - local: .gitlab/ci/gitlab-shared-docker.yml
++  - local: .gitlab/ci/compilation-various-disables.yml
    - local: .gitlab/ci/compilation-gcc.gitlab-ci.yml
    - local: .gitlab/ci/compilation-clang.gitlab-ci.yml
    - local: .gitlab/ci/alpinelinux.yml
++  - local: .gitlab/ci/ubuntu-32bit.yml
++  - local: .gitlab/ci/cifuzz.yml
 diff --git a/.gitlab/ci/alpinelinux.yml b/.gitlab/ci/alpinelinux.yml
 index 130c897..81bd6cb 100644
 --- a/.gitlab/ci/alpinelinux.yml
 +++ b/.gitlab/ci/alpinelinux.yml
@@ -23,11 +23,11 @@ test-main-commit-job-alpinelinux:
    variables:
      RUN_SSH_PLUGIN_TEST: "0"
    rules:
++    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
++      when: never
      - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
        when: never
      - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
--  rules:
--    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
    script:
      - make -j
      - make -j -C tests check-programs
@@ -44,6 +44,8 @@ test-mergerq-job-alpinelinux:
    variables:
      RUN_SSH_PLUGIN_TEST: "0"
    rules:
++    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
++      when: never
      - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
        when: never
      - if: $CI_PIPELINE_SOURCE == "merge_request_event"
 diff --git a/.gitlab/ci/centos.yml b/.gitlab/ci/centos.yml
 index 2c607cf..6f5559c 100644
 --- a/.gitlab/ci/centos.yml
 +++ b/.gitlab/ci/centos.yml
@@ -27,6 +27,8 @@ test-main-commit-centos-stream9:
    variables:
      RUN_SSH_PLUGIN_TEST: "1"
    rules:
++    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
++      when: never
      - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
        when: never
      - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
@@ -46,6 +48,8 @@ test-mergerq-centos-stream9:
    variables:
      RUN_SSH_PLUGIN_TEST: "1"
    rules:
++    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
++      when: never
      - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
        when: never
      - if: $CI_PIPELINE_SOURCE == "merge_request_event"
 diff --git a/.gitlab/ci/cibuild-setup-ubuntu.sh b/.gitlab/ci/cibuild-setup-ubuntu.sh
 index a966fde..07b0990 100755
 --- a/.gitlab/ci/cibuild-setup-ubuntu.sh
 +++ b/.gitlab/ci/cibuild-setup-ubuntu.sh
@@ -4,7 +4,7 @@ set -ex
  PACKAGES=(
  	git make autoconf automake autopoint pkg-config libtool libtool-bin
--	gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol1-dev
++	gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev
  	libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev libpwquality-dev
  	sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass
  	asciidoctor
 diff --git a/.gitlab/ci/cifuzz.yml b/.gitlab/ci/cifuzz.yml
 new file mode 100644
 index 0000000..063b912
 --- /dev/null
 +++ b/.gitlab/ci/cifuzz.yml
@@ -0,0 +1,46 @@
++cifuzz:
++  variables:
++    OSS_FUZZ_PROJECT_NAME: cryptsetup
++    CFL_PLATFORM: gitlab
++    CIFUZZ_DEBUG: "True"
++    FUZZ_SECONDS: 300 # 5 minutes per fuzzer
++    ARCHITECTURE: "x86_64"
++    DRY_RUN: "False"
++    LOW_DISK_SPACE: "True"
++    BAD_BUILD_CHECK: "True"
++    LANGUAGE: "c"
++    DOCKER_HOST: "tcp://docker:2375"
++    DOCKER_IN_DOCKER: "true"
++    DOCKER_DRIVER: overlay2
++    DOCKER_TLS_CERTDIR: ""
++  image:
++    name: gcr.io/oss-fuzz-base/cifuzz-base
++    entrypoint: [""]
++  services:
++    - docker:dind
++
++  stage: test
++  parallel:
++    matrix:
++      - SANITIZER: [address, undefined, memory]
++  rules:
++    # Default code change.
++    # - if: $CI_PIPELINE_SOURCE == "merge_request_event"
++    #   variables:
++    #     MODE: "code-change"
++    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
++      when: never
++    - if: $BUILD_AND_RUN_FUZZERS != null
++  before_script:
++    # Get gitlab's container id.
++    - export CFL_CONTAINER_ID=`cut -c9- < /proc/1/cpuset`
++  script:
++    # Will build and run the fuzzers.
++    # We use a hack to override CI_JOB_ID, because otherwise a bad path is used
++    # in GitLab CI environment
++    - CI_JOB_ID="$CI_PROJECT_NAMESPACE/$CI_PROJECT_TITLE" python3 "/opt/oss-fuzz/infra/cifuzz/cifuzz_combined_entrypoint.py"
++  artifacts:
++    # Upload artifacts when a crash makes the job fail.
++    when: always
++    paths:
++      - artifacts/
 diff --git a/.gitlab/ci/compilation-various-disables.yml b/.gitlab/ci/compilation-various-disables.yml
 new file mode 100644
 index 0000000..1414f9e
 --- /dev/null
 +++ b/.gitlab/ci/compilation-various-disables.yml
@@ -0,0 +1,21 @@
++test-gcc-disable-compiles:
++  extends:
++    - .gitlab-shared-gcc
++  parallel:
++    matrix:
++      - DISABLE_FLAGS: [
++          "--disable-keyring",
++          "--disable-external-tokens --disable-ssh-token",
++          "--disable-luks2-reencryption",
++          "--disable-cryptsetup --disable-veritysetup --disable-integritysetup",
++          "--disable-kernel_crypto",
++          "--disable-selinux",
++          "--disable-udev",
++          "--disable-internal-argon2",
++          "--disable-blkid"
++      ]
++  script:
++    - export CFLAGS="-Wall -Werror"
++    - ./configure $DISABLE_FLAGS
++    - make -j
++    - make -j check-programs
 diff --git a/.gitlab/ci/debian.yml b/.gitlab/ci/debian.yml
 index fbc8c26..fad9d97 100644
 --- a/.gitlab/ci/debian.yml
 +++ b/.gitlab/ci/debian.yml
@@ -3,12 +3,15 @@
      - .dump_kernel_log
    before_script:
      - >
--      sudo apt-get -y install -y -qq  git gcc make
--      autoconf automake autopoint pkg-config libtool libtool-bin gettext
--      libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol1-dev
--      libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev
--      libpwquality-dev sharutils dmsetup jq xxd expect keyutils
--      netcat passwd openssh-client sshpass asciidoctor
++      [ -z "$RUN_SYSTEMD_PLUGIN_TEST" ] ||
++      sudo apt-get -y install -y -qq swtpm meson ninja-build python3-jinja2
++      gperf libcap-dev tpm2-tss-engine-dev libmount-dev swtpm-tools
++    - >
++      sudo apt-get -y install -y -qq git gcc make autoconf automake autopoint
++      pkgconf libtool libtool-bin gettext libssl-dev libdevmapper-dev
++      libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev
++      tar libargon2-0-dev libpwquality-dev sharutils dmsetup jq xxd expect
++      keyutils netcat passwd openssh-client sshpass asciidoctor
      - sudo apt-get -y build-dep cryptsetup
      - sudo -E git clean -xdf
      - ./autogen.sh
@@ -19,7 +22,7 @@ test-mergerq-job-debian:
      - .debian-prep
    tags:
      - libvirt
--    - debian10
++    - debian11
    stage: test
    interruptible: true
    variables:
@@ -38,7 +41,7 @@ test-main-commit-job-debian:
      - .debian-prep
    tags:
      - libvirt
--    - debian10
++    - debian11
    stage: test
    interruptible: true
    variables:
 diff --git a/.gitlab/ci/fedora.yml b/.gitlab/ci/fedora.yml
 index 39f8e31..7fd9c7e 100644
 --- a/.gitlab/ci/fedora.yml
 +++ b/.gitlab/ci/fedora.yml
@@ -3,7 +3,12 @@
      - .dump_kernel_log
    before_script:
      - >
--      sudo dnf -y -q  install
++      [ -z "$RUN_SYSTEMD_PLUGIN_TEST" ] ||
++      sudo dnf -y -q install
++      swtpm meson ninja-build python3-jinja2 gperf libcap-devel tpm2-tss-devel
++      libmount-devel swtpm-tools
++    - >
++      sudo dnf -y -q install
        autoconf automake device-mapper-devel gcc gettext-devel json-c-devel
        libargon2-devel libblkid-devel libpwquality-devel libselinux-devel
        libssh-devel libtool libuuid-devel make popt-devel
 diff --git a/.gitlab/ci/rhel.yml b/.gitlab/ci/rhel.yml
 index 77657b5..f71533c 100644
 --- a/.gitlab/ci/rhel.yml
 +++ b/.gitlab/ci/rhel.yml
@@ -27,6 +27,8 @@ test-main-commit-rhel8:
    variables:
      RUN_SSH_PLUGIN_TEST: "1"
    rules:
++    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
++      when: never
      - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
        when: never
      - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
@@ -46,6 +48,8 @@ test-main-commit-rhel9:
    variables:
      RUN_SSH_PLUGIN_TEST: "1"
    rules:
++    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
++      when: never
      - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
        when: never
      - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
@@ -67,10 +71,13 @@ test-main-commit-rhel8-fips:
    variables:
      RUN_SSH_PLUGIN_TEST: "1"
    rules:
++    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
++      when: never
      - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
        when: never
      - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
    script:
++    - fips-mode-setup --check || exit 1
      - make -j
      - make -j -C tests check-programs
      - sudo -E make check
@@ -87,10 +94,13 @@ test-main-commit-rhel9-fips:
    variables:
      RUN_SSH_PLUGIN_TEST: "1"
    rules:
++    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
++      when: never
      - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
        when: never
      - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
    script:
++    - fips-mode-setup --check || exit 1
      - make -j
      - make -j -C tests check-programs
      - sudo -E make check
 diff --git a/.gitlab/ci/ubuntu-32bit.yml b/.gitlab/ci/ubuntu-32bit.yml
 new file mode 100644
 index 0000000..f51c059
 --- /dev/null
 +++ b/.gitlab/ci/ubuntu-32bit.yml
@@ -0,0 +1,41 @@
++test-mergerq-job-ubuntu-32bit:
++  extends:
++    - .debian-prep
++  tags:
++    - libvirt
++    - ubuntu-bionic-32bit
++  stage: test
++  interruptible: true
++  variables:
++    RUN_SSH_PLUGIN_TEST: "1"
++  rules:
++    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
++      when: never
++    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
++      when: never
++    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
++  script:
++    - make -j
++    - make -j -C tests check-programs
++    - sudo -E make check
++
++test-main-commit-job-ubuntu-32bit:
++  extends:
++    - .debian-prep
++  tags:
++    - libvirt
++    - ubuntu-bionic-32bit
++  stage: test
++  interruptible: true
++  variables:
++    RUN_SSH_PLUGIN_TEST: "1"
++  rules:
++    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
++      when: never
++    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
++      when: never
++    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
++  script:
++    - make -j
++    - make -j -C tests check-programs
++    - sudo -E make check
 diff --git a/FAQ.md b/FAQ.md
 index efa26bd..74ad955 100644
 --- a/FAQ.md
 +++ b/FAQ.md
@@ -2506,6 +2506,31 @@ offset  length  name                  data type  description
    individually created (and hence has its own volume key).  In this case,
    changing the default passphrase will make it secure again.
++  * **6.16 How to convert the printed volume key to a raw one?**
++  A volume key printed via something like:
++```
++      cryptsetup --dump-volume-key luksDump /dev/<device> >volume-key
++```
++(i.e. without using `--volume-key-file`), which gives something like:
++```
++LUKS header information for /dev/<device>
++Cipher name:   	aes
++Cipher mode:   	xts-plain64
++Payload offset:	32768
++UUID:          	6e914442-e8b5-4eb5-98c4-5bf0cf17ecad
++MK bits:       	512
++MK dump:	e0 3f 15 c2 0f e5 80 ab 35 b4 10 03 ae 30 b9 5d
++		4c 0d 28 9e 1b 0f e3 b0 50 57 ef d4 4d 53 a0 12
++		b7 4e 43 a1 20 7e c5 02 1f f1 f5 08 04 3c f5 20
++		a6 0b 23 f6 7b 53 55 aa 22 d8 aa 02 e0 2f d5 04
++```
++can be converted to the raw volume key for example via:
++```
++      sed -E -n '/^MK dump:\t/,/^[^\t]/{0,/^MK dump:\t/s/^MK dump://; /^([^\t].*)?$/q; s/\t+//p;};' volume-key  |  xxd -r -p
++```
++
++
++
  # 7. Interoperability with other Disk Encryption Tools
 diff --git a/Makefile.am b/Makefile.am
 index c2ccb5e..fb7cb18 100644
 --- a/Makefile.am
 +++ b/Makefile.am
@@ -1,5 +1,5 @@
  EXTRA_DIST = README.md COPYING.LGPL FAQ.md docs misc autogen.sh
--SUBDIRS = po tests
++SUBDIRS = po tests tests/fuzz
  CLEANFILES =
  DISTCLEAN_TARGETS =
@@ -14,8 +14,14 @@ AM_CPPFLAGS = \
          -DVERSION=\""$(VERSION)"\"              \
          -DEXTERNAL_LUKS2_TOKENS_PATH=\"${EXTERNAL_LUKS2_TOKENS_PATH}\"
  AM_CFLAGS = -Wall
++AM_CXXFLAGS = -Wall
  AM_LDFLAGS =
++if ENABLE_FUZZ_TARGETS
++AM_CFLAGS += -fsanitize=fuzzer-no-link
++AM_CXXFLAGS += -fsanitize=fuzzer-no-link
++endif
++
  LDADD = $(LTLIBINTL)
  tmpfilesddir = @DEFAULT_TMPFILESDIR@
@@ -64,3 +70,8 @@ uninstall-local:
  check-programs: libcryptsetup.la
  	$(MAKE) -C tests $@
++
++if ENABLE_FUZZ_TARGETS
++fuzz-targets: libcryptsetup.la libcrypto_backend.la
++	$(MAKE) -C tests/fuzz $@
++endif
 diff --git a/README.md b/README.md
 index b944304..daec8f7 100644
 --- a/README.md
 +++ b/README.md
@@ -2,113 +2,145 @@
  What the ...?
  =============
--**Cryptsetup** is a utility used to conveniently set up disk encryption based
--on the [DMCrypt](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt) kernel module.
++**Cryptsetup** is an open-source utility used to conveniently set up disk encryption based
++on the [dm-crypt](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt) kernel module.
--These include **plain** **dm-crypt** volumes, **LUKS** volumes, **loop-AES**,
--**TrueCrypt** (including **VeraCrypt** extension) and **BitLocker** formats.
++These formats are supported:
++  * **plain** volumes,
++  * **LUKS** volumes,
++  * **loop-AES**,
++  * **TrueCrypt** (including **VeraCrypt** extension),
++  * **BitLocker**, and
++  * **FileVault2**.
  The project also includes a **veritysetup** utility used to conveniently setup
--[DMVerity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity) block integrity checking kernel module
--and **integritysetup** to setup
--[DMIntegrity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMIntegrity) block integrity kernel module.
++[dm-verity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity)
++block integrity checking kernel module and **integritysetup** to setup
++[dm-integrity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMIntegrity)
++block integrity kernel module.
  LUKS Design
  -----------
--**LUKS** is the standard for Linux hard disk encryption. By providing a standard on-disk-format, it does not
--only facilitate compatibility among distributions, but also provides secure management of multiple user passwords.
--LUKS stores all necessary setup information in the partition header, enabling to transport or migrate data seamlessly.
++**LUKS** is the standard for Linux disk encryption. By providing a standard on-disk format,
++it does not only facilitate compatibility among distributions, but also provides secure management
++of multiple user passwords. LUKS stores all necessary setup information in the partition header,
++enabling to transport or migrate data seamlessly.
--### Specifications
++### Specification and documentation
--Last version of the LUKS2 format specification is
--[available here](https://gitlab.com/cryptsetup/LUKS2-docs).
--
--Last version of the LUKS1 format specification is
--[available here](https://www.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf).
--
--Why LUKS?
-----------
-- * compatibility via standardization,
-- * secure against low entropy attacks,
-- * support for multiple keys,
-- * effective passphrase revocation,
-- * free.
--
--[Project home page](https://gitlab.com/cryptsetup/cryptsetup/).
-------------------
--
--[Frequently asked questions (FAQ)](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions)
----------------------------------
++  * The latest version of the
++  [LUKS2 format specification](https://gitlab.com/cryptsetup/LUKS2-docs).
++  * The latest version of the
++  [LUKS1 format specification](https://www.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf).
++  * [Project home page](https://gitlab.com/cryptsetup/cryptsetup/).
++  * [Frequently asked questions (FAQ)](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions)
  Download
  --------
--All release tarballs and release notes are hosted on [kernel.org](https://www.kernel.org/pub/linux/utils/cryptsetup/).
++All release tarballs and release notes are hosted on
++[kernel.org](https://www.kernel.org/pub/linux/utils/cryptsetup/).
--**The latest stable cryptsetup version is 2.5.0**
--  * [cryptsetup-2.5.0.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/cryptsetup-2.5.0.tar.xz)
--  * Signature [cryptsetup-2.5.0.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/cryptsetup-2.5.0.tar.sign)
++**The latest stable cryptsetup release version is 2.6.1**
++  * [cryptsetup-2.6.1.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.1.tar.xz)
++  * Signature [cryptsetup-2.6.1.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.1.tar.sign)
      _(You need to decompress file first to check signature.)_
--  * [Cryptsetup 2.5.0 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/v2.5.0-ReleaseNotes).
++  * [Cryptsetup 2.6.1 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/v2.6.1-ReleaseNotes).
  Previous versions
-- * [Version 2.4.3](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-2.4.3.tar.xz) -
--   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-2.4.3.tar.sign) -
--   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/v2.4.3-ReleaseNotes).
++ * [Version 2.5.0](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/cryptsetup-2.5.0.tar.xz) -
++   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/cryptsetup-2.5.0.tar.sign) -
++   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/v2.5.0-ReleaseNotes).
   * [Version 1.7.5](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.xz) -
     [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.sign) -
     [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.5-ReleaseNotes).
--Source and API docs
---------------------
--For development version code, please refer to [source](https://gitlab.com/cryptsetup/cryptsetup/tree/master) page,
--mirror on [kernel.org](https://git.kernel.org/cgit/utils/cryptsetup/cryptsetup.git/) or [GitHub](https://github.com/mbroz/cryptsetup).
++Source and API documentation
++----------------------------
++For development version code, please refer to
++[source](https://gitlab.com/cryptsetup/cryptsetup/tree/master) page,
++mirror on [kernel.org](https://git.kernel.org/cgit/utils/cryptsetup/cryptsetup.git/) or
++[GitHub](https://github.com/mbroz/cryptsetup).
--For libcryptsetup documentation see [libcryptsetup API](https://mbroz.fedorapeople.org/libcryptsetup_API/) page.
++For libcryptsetup documentation see
++[libcryptsetup API](https://mbroz.fedorapeople.org/libcryptsetup_API/) page.
--The libcryptsetup API/ABI changes are tracked in [compatibility report](https://abi-laboratory.pro/tracker/timeline/cryptsetup/).
++The libcryptsetup API/ABI changes are tracked in
++[compatibility report](https://abi-laboratory.pro/tracker/timeline/cryptsetup/).
--NLS PO files are maintained by [TranslationProject](https://translationproject.org/domain/cryptsetup.html).
++NLS PO files are maintained by
++[TranslationProject](https://translationproject.org/domain/cryptsetup.html).
  Required packages
  -----------------
--All distributions provide cryptsetup as distro package. If you need to compile cryptsetup yourself, some packages are required for compilation. Please always prefer distro specific build tools to manually configuring cryptsetup.
++All distributions provide cryptsetup as distro package. If you need to compile cryptsetup yourself,
++some packages are required for compilation.
++Please always prefer distro specific build tools to manually configuring cryptsetup.
  Here is the list of packages needed for the compilation of project for particular distributions:
-- * For Fedora: `git gcc make autoconf automake gettext-devel pkgconfig openssl-devel popt-devel device-mapper-devel libuuid-devel json-c-devel libblkid-devel findutils libtool libssh-devel tar`. Optionally `libargon2-devel libpwquality-devel`. To run the internal testsuite you also need to install `sharutils device-mapper jq vim-common expect keyutils netcat shadow-utils openssh-clients openssh sshpass`.
-- * For Debian and Ubuntu: `git gcc make autoconf automake autopoint pkg-config libtool gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol1-dev libjson-c-dev libssh-dev libblkid-dev tar`. Optionally `libargon2-0-dev libpwquality-dev`. To run the internal testsuite you also need to install `sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass`
++**For Fedora**:
++```
++git gcc make autoconf automake gettext-devel pkgconfig openssl-devel popt-devel device-mapper-devel
++libuuid-devel json-c-devel libblkid-devel findutils libtool libssh-devel tar
++
++Optionally: libargon2-devel libpwquality-devel
++```
++To run the internal testsuite (make check) you also need to install
++```
++sharutils device-mapper jq vim-common expect keyutils netcat shadow-utils openssh-clients openssh sshpass
++```
++
++**For Debian and Ubuntu**:
++```
++git gcc make autoconf automake autopoint pkg-config libtool gettext libssl-dev libdevmapper-dev
++libpopt-dev uuid-dev libsepol1-dev libjson-c-dev libssh-dev libblkid-dev tar
++
++Optionally: libargon2-0-dev libpwquality-dev
++```
++To run the internal testsuite (make check) you also need to install
++```
++sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass
++```
  Note that the list could change as the distributions evolve.
  Compilation
  -----------
--The cryptsetup project uses **automake** and **autoconf** system to generate all needed files for compilation. If you check it from the git snapshot, use ``./autogen.sh && ./configure && make`` to compile the project. If you use downloaded released ``*.tar.xz`` archive, the configure script is already pre-generated (no need to run ``autoconf.sh``).
--See ``./configure --help`` and use ``--disable-*`` and ``--enable-*`` options.
++The cryptsetup project uses **automake** and **autoconf** system to generate all needed files
++for compilation. If you check it from the git snapshot, use **./autogen.sh && ./configure && make**
++to compile the project. If you use downloaded released **tar.xz** archive, the configure script
++is already pre-generated (no need to run **autoconf.sh**).
++See **./configure --help** and use **--disable-[feature]** and **--enable-[feature]** options.
--For running the test suite that come with the project, type ``make check``.
++For running the test suite that come with the project, type **make check**.
  Note that most tests will need root user privileges and run many dangerous storage fail simulations.
--Do **not** run tests with root privilege on production systems! Some tests will need scsi_debug kernel module to be available.
++Do **not** run tests with root privilege on production systems! Some tests will need scsi_debug
++kernel module to be available.
--For more details, please refer to [automake](https://www.gnu.org/software/automake/manual/automake.html) and [autoconf](https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf.html) manuals.
++For more details, please refer to [automake](https://www.gnu.org/software/automake/manual/automake.html)
++and [autoconf](https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf.html) manuals.
  Help!
  -----
--
  ### Documentation
++Please read the following documentation before posting questions in the mailing list...
++You will be able to ask better questions and better understand the answers.
--Please read the following documentation before posting questions in the mailing list.   You will be able to ask better questions and better understand the answers.
--
--* [FAQ](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions)
--* LUKS Specifications
++* [Frequently asked questions (FAQ)](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions),
++* [LUKS Specifications](#specification-and-documentation), and
  * manuals (aka man page, man pages, man-page)
--The FAQ is online and in the source code for the project.  The Specifications are referenced above in this document.  The man pages are in source and should be available after installation using standard man commands.  e.g.  man cryptsetup
++The FAQ is online and in the source code for the project. The Specifications are referenced above
++in this document. The man pages are in source and should be available after installation using
++standard man commands, e.g. **man cryptsetup**.
  ### Mailing List
--For cryptsetup and LUKS related questions, please use the cryptsetup mailing list [cryptsetup@lists.linux.dev](mailto:cryptsetup@lists.linux.dev), hosted at [kernel.org subspace](https://subspace.kernel.org/lists.linux.dev.html).
--To subscribe send an empty mail to [cryptsetup+subscribe@lists.linux.dev](mailto:cryptsetup+subscribe@lists.linux.dev).
++For cryptsetup and LUKS related questions, please use the cryptsetup mailing list
++[cryptsetup@lists.linux.dev](mailto:cryptsetup@lists.linux.dev),
++hosted at [kernel.org subspace](https://subspace.kernel.org/lists.linux.dev.html).
++To subscribe send an empty mail to
++[cryptsetup+subscribe@lists.linux.dev](mailto:cryptsetup+subscribe@lists.linux.dev).
  You can also browse and/or search the mailing [list archive](https://lore.kernel.org/cryptsetup/).
  News (NNTP), Atom feed and git access to public inbox is available through [lore.kernel.org](https://lore.kernel.org) service.
 diff --git a/autogen.sh b/autogen.sh
 index 1b77be6..c111f79 100755
 --- a/autogen.sh
 +++ b/autogen.sh
@@ -74,7 +74,7 @@ autopoint --force $AP_OPTS
  libtoolize --force --copy
  aclocal -I m4 $AL_OPTS
  autoheader $AH_OPTS
--automake --add-missing --copy --gnu $AM_OPTS
++automake --force-missing --add-missing --copy --gnu $AM_OPTS
  autoconf $AC_OPTS
  echo
 diff --git a/configure.ac b/configure.ac
 index 0175ee5..ccf2112 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -1,9 +1,9 @@
  AC_PREREQ([2.67])
--AC_INIT([cryptsetup],[2.5.0])
++AC_INIT([cryptsetup],[2.6.1])
  dnl library version from <major>.<minor>.<release>[-<suffix>]
  LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-)
--LIBCRYPTSETUP_VERSION_INFO=20:0:8
++LIBCRYPTSETUP_VERSION_INFO=21:0:9
  AM_SILENT_RULES([yes])
  AC_CONFIG_SRCDIR(src/cryptsetup.c)
@@ -28,6 +28,7 @@ AC_USE_SYSTEM_EXTENSIONS
  AC_PROG_CC
  AM_PROG_CC_C_O
  AC_PROG_CPP
++AC_PROG_CXX
  AC_PROG_INSTALL
  AC_PROG_MAKE_SET
  AC_PROG_MKDIR_P
@@ -150,6 +151,7 @@ if test "x$enable_external_tokens" = "xyes"; then
  	AC_SUBST(DL_LIBS, $LIBS)
  	LIBS=$saved_LIBS
  fi
++AM_CONDITIONAL(EXTERNAL_TOKENS, test "x$enable_external_tokens" = "xyes")
  AC_ARG_ENABLE([ssh-token],
  	AS_HELP_STRING([--disable-ssh-token], [disable LUKS2 ssh-token]),
@@ -214,6 +216,17 @@ if test "x$enable_pwquality" = "xyes"; then
  fi
  dnl ==========================================================================
++dnl fuzzers, it requires own static library compilation later
++AC_ARG_ENABLE([fuzz-targets],
++	AS_HELP_STRING([--enable-fuzz-targets], [enable building fuzz targets]))
++AM_CONDITIONAL(ENABLE_FUZZ_TARGETS, test "x$enable_fuzz_targets" = "xyes")
++
++if test "x$enable_fuzz_targets" = "xyes"; then
++	AX_CHECK_COMPILE_FLAG([-fsanitize=fuzzer-no-link],,
++		AC_MSG_ERROR([Required compiler options not supported; use clang.]), [-Werror])
++fi
++
++dnl ==========================================================================
  dnl passwdqc library (cryptsetup CLI only)
  AC_ARG_ENABLE([passwdqc],
  	AS_HELP_STRING([--enable-passwdqc@<:@=CONFIG_PATH@:>@],
@@ -617,6 +630,22 @@ AC_SUBST([LIBSSH_LIBS])
  AC_SUBST([LIBCRYPTSETUP_VERSION])
  AC_SUBST([LIBCRYPTSETUP_VERSION_INFO])
++dnl Set Requires.private for libcryptsetup.pc
++dnl pwquality is used only by tools
++PKGMODULES="uuid devmapper json-c"
++case $with_crypto_backend in
++	gcrypt)  PKGMODULES+=" libgcrypt" ;;
++	openssl) PKGMODULES+=" openssl" ;;
++	nss)     PKGMODULES+=" nss" ;;
++	nettle)  PKGMODULES+=" nettle" ;;
++esac
++if test "x$enable_libargon2" = "xyes"; then
++	PKGMODULES+=" libargon2"
++fi
++if test "x$enable_blkid" = "xyes"; then
++	PKGMODULES+=" blkid"
++fi
++AC_SUBST([PKGMODULES])
  dnl ==========================================================================
  AC_ARG_ENABLE([dev-random],
  	AS_HELP_STRING([--enable-dev-random], [use /dev/random by default for key generation (otherwise use /dev/urandom)]))
@@ -739,5 +768,6 @@ lib/libcryptsetup.pc
  po/Makefile.in
  scripts/cryptsetup.conf
  tests/Makefile
++tests/fuzz/Makefile
  ])
  AC_OUTPUT
 diff --git a/debian/README.Debian b/debian/README.Debian
 index a0ef9ad..99633bf 100644
 --- a/debian/README.Debian
 +++ b/debian/README.Debian
@@ -63,7 +63,7 @@ that may be written to disk when memory is swapped to disk.
  sure to place the source device (here `/dev/sde9`) with your swap devices:
      # <target name> <source device> <key file>      <options>
--    cswap1          /dev/sde9       /dev/urandom    swap,cipher=aes-xts-plain64,size=256,hash=sha1
++    cswap1          /dev/sde9       /dev/urandom    plain,cipher=aes-xts-plain64,size=256,swap
   Now you need to change the swap devices in `/etc/fstab` to the encrypted swap
  device names (`/dev/mapper/cswap1` in this example).
 diff --git a/debian/changelog b/debian/changelog
 index f24081f..ed8fb12 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,86 @@
++<<<<<<< debian/changelog
++=======
++cryptsetup (2:2.6.1-1ubuntu1) lunar; urgency=medium
++
++  * Merge with Debian unstable (LP: #2004423). Remaining changes:
++   - debian/control:
++      + Recommend plymouth.
++      + Depend on busybox-initramfs instead of busybox | busybox-static.
++      + Move cryptsetup-initramfs back to cryptsetup's Recommends.
++      + Do not build cryptsetup-suspend binary package on i386.
++    - Fix cryptroot-unlock for busybox compatibility.
++    - Fix warning and error when running on ZFS on root
++      - d/functions: Return an empty devno for ZFS devices as they don't have
++        major:minor device numbers.
++      - d/initramfs/hooks/cryptroot: Ignore and don't print an error message
++        when devices don't have a devno.
++    - debian/patches/decrease_memlock_ulimit.patch
++      Fixed FTBFS due to a restricted build environment
++    - Fix cryptroot-* autopkgtests on Ubuntu. (LP: #1983522)
++      + debian/tests/utils/mock.pm: return from consume() function if select()
++        times out or fails
++      + debian/tests/utils/cryptroot-common: fix apt source and kernel package
++        names for Ubuntu
++      + debian/tests/cryptroot-sysvinit.d: use systemd-sysv init for Ubuntu
++        cryptroot-sysvinit package test
++      + debian/tests/cryptroot-nested.d: fix cryptsetup-nested test, add
++        workaround for LP1831747 by adding a e2fsprogs dependency
++      + debian/tests/initramfs-hook: fix test's initramfs layout for Ubuntu and
++        allow blowfish test use 64Mb of provisioned space (drop --size)
++      + debian/tests/control: disable cryptdisks test
++
++ -- Vladimir Petko <vladimir.petko@canonical.com>  Mon, 13 Feb 2023 15:57:18 +1300
++
++cryptsetup (2:2.6.1-1) unstable; urgency=medium
++
++  * New upstream bugfix release.
++  * d/README.Debian: Explicitly set cswap1's device type to 'plain'.
++    (Closes: #1025136)
++  * d/control: Update standards version to 4.6.2, no changes needed.
++  * d/clean: Add some gitignore(5)'d files. (Closes: #1026838)
++  * cryptgnupg-sc hook: Look terminfo file in /usr/share/terminfo in adition
++    to /lib/terminfo, see #1028202. (Closes: 1028234)
++  * d/copyright: Bump copyright years.
++
++ -- Guilhem Moulin <guilhem@debian.org>  Fri, 10 Feb 2023 00:50:42 +0100
++
++cryptsetup (2:2.6.0-2) unstable; urgency=low
++
++  * libcryptsetup-dev: Add 'Depends: libargon2-dev, libblkid-dev,
++    libdevmapper-dev, libjson-c-dev, libssl-dev, uuid-dev' to account for
++    libcryptsetup.pc's Requires.private.  Closes: #1025054.
++
++ -- Guilhem Moulin <guilhem@debian.org>  Tue, 29 Nov 2022 15:42:25 +0100
++
++cryptsetup (2:2.6.0-1) unstable; urgency=low
++
++  * New upstream release 2.6.0.
++
++ -- Guilhem Moulin <guilhem@debian.org>  Tue, 29 Nov 2022 01:20:38 +0100
++
++cryptsetup (2:2.6.0~rc0-1) experimental; urgency=medium
++
++  * New upstream release candidate 2.6.0, introducing support for handling
++    macOS FileVault2 devices (FVAULT2).  The new version of FileVault based on
++    the APFS filesystem used in recent macOS versions is currently not
++    supported: only the (legacy) FileVault2 format based on Core Storage and
++    HFS+ filesystem (introduced in MacOS X 10.7 Lion) is supported.  Moreover
++    header formatting and changes are not supported; cryptsetup never changes
++    the metadata on the device.
++    Closes: #923513.
++  * Update d/copyright for 2:2.6.0~rc0-1.
++  * Ship cryptsetup-fvault2Dump(8) and cryptsetup-fvault2Open(8) to
++    cryptsetup-bin binary package.
++  * Update d/libcryptsetup12.symbols for 2:2.6.0~rc0-1.
++  * Add 'fvault2' flag to crypttab(5) to force detection of Apple's FileVault2
++    volumes.
++  * d/rules: Add new target execute_before_dh_auto_test so blhc ignores
++    compilations of tests/*.c.
++  * d/u/metadata: Set 'Security-Contact' upstream metadata field.
++
++ -- Guilhem Moulin <guilhem@debian.org>  Sat, 19 Nov 2022 17:30:40 +0100
++
++>>>>>>> debian/changelog
  cryptsetup (2:2.5.0-6ubuntu3) lunar; urgency=medium
    * Fix cryptroot-lvm autopkgtest on Ubuntu. (LP: #1983522)
 diff --git a/debian/clean b/debian/clean
 index 8f6ae6f..f1aea9d 100644
 --- a/debian/clean
 +++ b/debian/clean
@@ -3,3 +3,8 @@ debian/doc/*.[0-9]
  debian/doc/variables.xml
  debian/scripts/passdev
  debian/scripts/suspend/cryptsetup-suspend
++# `make clean` doesn't remove all gitignore(5)'d files, instead
++# .gitlab/ci/debian.yml runs `git clean -xdf`
++man/*.8
++po/*.gmo
++po/stamp-po
 diff --git a/debian/control b/debian/control
 index 981726e..d218d7a 100644
 --- a/debian/control
 +++ b/debian/control
@@ -32,7 +32,7 @@ Build-Depends: asciidoctor <!nodoc>,
                 uuid-dev,
                 xsltproc <!nodoc>,
                 xxd <!nocheck>
--Standards-Version: 4.6.1
++Standards-Version: 4.6.2
  Homepage: https://gitlab.com/cryptsetup/cryptsetup
  Vcs-Browser: https://salsa.debian.org/cryptsetup-team/cryptsetup
  Vcs-Git: https://salsa.debian.org/cryptsetup-team/cryptsetup.git -b debian/latest
@@ -161,7 +161,16 @@ Package: libcryptsetup-dev
  Section: libdevel
  Architecture: linux-any
  Multi-Arch: same
--Depends: libcryptsetup12 (= ${binary:Version}), ${misc:Depends}
++# XXX [#1025065] ideal we would have "Depends: libcryptsetup12
++# (= ${binary:Version}), ${misc:Depends}, ${pkgconf:Depends}"
++Depends: libargon2-dev,
++         libblkid-dev,
++         libcryptsetup12 (= ${binary:Version}),
++         libdevmapper-dev,
++         libjson-c-dev,
++         libssl-dev,
++         uuid-dev,
++         ${misc:Depends}
  Description: disk encryption support - development files
   Cryptsetup provides an interface for configuring encryption on block
   devices (such as /home or swap partitions), using the Linux kernel
 diff --git a/debian/copyright b/debian/copyright
 index b8047db..5e9553d 100644
 --- a/debian/copyright
 +++ b/debian/copyright
@@ -6,8 +6,8 @@ Upstream-Name: cryptsetup
  Files: *
  Copyright: © 2004      Christophe Saout <christophe@saout.de>
             © 2004-2008 Clemens Fruhwirth <clemens@endorphin.org>
--           © 2008-2022 Red Hat, Inc.
--           © 2008-2022 Milan Broz <gmazyland@gmail.com>
++           © 2008-2023 Red Hat, Inc.
++           © 2008-2023 Milan Broz <gmazyland@gmail.com>
  License: GPL-2+ with OpenSSL exception
  Files: debian/*
@@ -15,7 +15,7 @@ Copyright: © 2004-2005 Wesley W. Terpstra <terpstra@debian.org>
             © 2005-2006 Michael Gebetsroither <michael.geb@gmx.at>
             © 2006-2008 David Härdeman <david@hardeman.nu>
             © 2005-2015 Jonas Meurer <jonas@freesources.org>
--           © 2016-2022 Guilhem Moulin <guilhem@debian.org>
++           © 2016-2023 Guilhem Moulin <guilhem@debian.org>
  License: GPL-2+
  Files: debian/scripts/suspend/cryptsetup-suspend.c
@@ -61,47 +61,56 @@ Copyright: © 2021-2022 Guilhem Moulin <guilhem@debian.org>
  License: GPL-3+
  Files: docs/examples/* tests/all-symbols-test.c
--Copyright: © 2011-2022 Red Hat, Inc.
++Copyright: © 2011-2023 Red Hat, Inc.
  License: LGPL-2.1+
  Files: lib/bitlk/*
--Copyright: © 2019-2022 Red Hat, Inc.
--           © 2019-2022 Milan Broz <gmazyland@gmail.com>
--           © 2019-2022 Vojtech Trefny
++Copyright: © 2019-2023 Red Hat, Inc.
++           © 2019-2023 Milan Broz <gmazyland@gmail.com>
++           © 2019-2023 Vojtech Trefny
  License: LGPL-2.1+
  Files: tokens/ssh/*
--Copyright: © 2016-2022 Milan Broz <gmazyland@gmail.com>
--           © 2020-2022 Vojtech Trefny
++Copyright: © 2016-2023 Milan Broz <gmazyland@gmail.com>
++           © 2020-2023 Vojtech Trefny
  License: LGPL-2.1+
  Files: tokens/ssh/cryptsetup-ssh.c
--Copyright: © 2016-2022 Milan Broz <gmazyland@gmail.com>
--           © 2021-2022 Vojtech Trefny
++Copyright: © 2016-2023 Milan Broz <gmazyland@gmail.com>
++           © 2021-2023 Vojtech Trefny
  License: GPL-2+
  Files: lib/crypto_backend/* lib/integrity/* lib/loopaes/* lib/tcrypt/* lib/verity/*
--Copyright: © 2009-2022 Red Hat, Inc.
--           © 2010-2022 Milan Broz <gmazyland@gmail.com>
++Copyright: © 2009-2023 Red Hat, Inc.
++           © 2010-2023 Milan Broz <gmazyland@gmail.com>
  License: LGPL-2.1+
  Files: lib/crypto_backend/base64.c
  Copyright: © 2010 Lennart Poettering
--           © 2021-2022 Milan Broz <gmazyland@gmail.com>
++           © 2021-2023 Milan Broz <gmazyland@gmail.com>
  License: LGPL-2.1+
  Files: lib/crypto_backend/utf8.c
  Copyright: © 2010 Lennart Poettering
--           © 2021-2022 Vojtech Trefny
++           © 2021-2023 Vojtech Trefny
             © 1999 Tom Tromey
             © 2000 Red Hat, Inc.
  License: GPL-2+
  Files: lib/crypto_backend/crypto_openssl.c
--Copyright: © 2009-2022 Red Hat, Inc.
--           © 2010-2022 Milan Broz <gmazyland@gmail.com>
++Copyright: © 2009-2023 Red Hat, Inc.
++           © 2010-2023 Milan Broz <gmazyland@gmail.com>
  License: LGPL-2.1+ with OpenSSL exception
++Files: lib/fvault2/fvault2.c lib/fvault2/fvault2.h
++Copyright: © 2021-2022 Pavel Tobias
++License: LGPL-2.1+ with OpenSSL exception
++
++Files: lib/keyslot_context.c lib/keyslot_context.h
++Copyright: © 2022-2023 Red Hat, Inc.
++           © 2022-2023 Ondrej Kozina <okozina@redhat.com>
++License: GPL-2+
++
  Files: lib/crypto_backend/argon2/*
  Copyright: © 2015 Daniel Dinu
             © 2015 Dmitry Khovratovich
 diff --git a/debian/cryptsetup-bin.manpages b/debian/cryptsetup-bin.manpages
 index 3d1724d..759911e 100644
 --- a/debian/cryptsetup-bin.manpages
 +++ b/debian/cryptsetup-bin.manpages
@@ -11,6 +11,8 @@ usr/share/man/man8/cryptsetup-config.8
  usr/share/man/man8/cryptsetup-convert.8
  usr/share/man/man8/cryptsetup-create.8
  usr/share/man/man8/cryptsetup-erase.8
++usr/share/man/man8/cryptsetup-fvault2Dump.8
++usr/share/man/man8/cryptsetup-fvault2Open.8
  usr/share/man/man8/cryptsetup-isLuks.8
  usr/share/man/man8/cryptsetup-loopaesOpen.8
  usr/share/man/man8/cryptsetup-luksAddKey.8
 diff --git a/debian/doc/crypttab.xml b/debian/doc/crypttab.xml
 index 9327157..c6077a7 100644
 --- a/debian/doc/crypttab.xml
 +++ b/debian/doc/crypttab.xml
@@ -81,8 +81,9 @@
    <simpara>
     The fourth field, <emphasis>options</emphasis>, is an optional comma-separated
     list of options and/or flags describing the device type (<emphasis>luks</emphasis>,
--   <emphasis>tcrypt</emphasis>, <emphasis>bitlk</emphasis>, or <emphasis>plain</emphasis>
--   which is also the default) and cryptsetup options associated with the encryption process.
++   <emphasis>tcrypt</emphasis>, <emphasis>bitlk</emphasis>, <emphasis>fvault2</emphasis>,
++   or <emphasis>plain</emphasis> which is also the default) and cryptsetup options
++   associated with the encryption process.
     The supported options are described below.
     For plain dm-crypt devices the <emphasis>cipher</emphasis>, <emphasis>hash</emphasis>
     and <emphasis>size</emphasis> options are required.
@@ -298,6 +299,19 @@
     </varlistentry>
     <varlistentry>
++    <term><emphasis>fvault2</emphasis></term>
++    <listitem>
++     <simpara>
++       Force Apple's FileVault2 mode.
++       Only the (legacy) FileVault2 format based on Core Storage and HFS+
++       filesystem (introduced in MacOS X 10.7 Lion) is currently supported;
++       the new version of FileVault based on the APFS filesystem used in
++       recent macOS versions is not supported.
++     </simpara>
++    </listitem>
++   </varlistentry>
++
++   <varlistentry>
      <term><emphasis>tcrypt</emphasis></term>
      <listitem>
       <simpara>Use TrueCrypt encryption mode. When this mode is used, the
 diff --git a/debian/functions b/debian/functions
 index 35fd321..73f5f2a 100644
 --- a/debian/functions
 +++ b/debian/functions
@@ -68,6 +68,7 @@ crypttab_parse_options() {
               CRYPTTAB_OPTION_tcrypt \
               CRYPTTAB_OPTION_veracrypt \
               CRYPTTAB_OPTION_bitlk \
++             CRYPTTAB_OPTION_fvault2 \
               CRYPTTAB_OPTION_swap \
               CRYPTTAB_OPTION_tmp \
               CRYPTTAB_OPTION_check \
@@ -241,6 +242,7 @@ crypttab_validate_option() {
          veracrypt) ;;
          tcrypthidden) ;;
          bitlk) ;;
++        fvault2) ;;
          same-cpu-crypt) ;;
          submit-from-crypt-cpus) ;;
          no-read-workqueue) ;;
@@ -311,6 +313,8 @@ _get_crypt_type() {
          t="plain"
      elif [ "${CRYPTTAB_OPTION_bitlk-}" = "yes" ]; then
          t="bitlk"
++    elif [ "${CRYPTTAB_OPTION_fvault2-}" = "yes" ]; then
++        t="fvault2"
      elif [ -n "${CRYPTTAB_OPTION_header+x}" ]; then
          # detached headers are only supported for LUKS devices
          if [ -e "$CRYPTTAB_OPTION_header" ] && /sbin/cryptsetup isLuks -- "$CRYPTTAB_OPTION_header"; then
 diff --git a/debian/initramfs/hooks/cryptgnupg-sc b/debian/initramfs/hooks/cryptgnupg-sc
 index 752474a..9e45000 100644
 --- a/debian/initramfs/hooks/cryptgnupg-sc
 +++ b/debian/initramfs/hooks/cryptgnupg-sc
@@ -72,6 +72,16 @@ if [ ! -x "$DESTDIR/usr/bin/pinentry" ]; then
      copy_exec "$pinentry"
      ln -s "$pinentry" "$DESTDIR/usr/bin/pinentry"
  fi
--[ -f "$DESTDIR/lib/terminfo/l/linux" ] || copy_file terminfo /lib/terminfo/l/linux || RV=$?
++
++# #1028202: ncurses-base: move terminfo files from /lib/terminfo to
++# /usr/share/terminfo
++for d in "/usr/share/terminfo" "/lib/terminfo"; do
++    if [ -f "$d/l/linux" ]; then
++        if [ ! -f "$DESTDIR$d/l/linux" ]; then
++            copy_file terminfo "$d/l/linux" || RV=$?
++        fi
++        break
++    fi
++done
  exit $RV
 diff --git a/debian/libcryptsetup12.symbols b/debian/libcryptsetup12.symbols
 index f6303a1..f124910 100644
 --- a/debian/libcryptsetup12.symbols
 +++ b/debian/libcryptsetup12.symbols
@@ -3,6 +3,7 @@ libcryptsetup.so.12 libcryptsetup12 #MINVER#
   CRYPTSETUP_2.0@CRYPTSETUP_2.0 2:2.0
   CRYPTSETUP_2.4@CRYPTSETUP_2.4 2:2.4
   CRYPTSETUP_2.5@CRYPTSETUP_2.5 2:2.5
++ CRYPTSETUP_2.6@CRYPTSETUP_2.6 2:2.6
   crypt_activate_by_keyfile@CRYPTSETUP_2.0 2:1.4
   crypt_activate_by_keyfile_offset@CRYPTSETUP_2.0 2:1.4.3
   crypt_activate_by_keyring@CRYPTSETUP_2.0 2:2.0
@@ -59,10 +60,19 @@ libcryptsetup.so.12 libcryptsetup12 #MINVER#
   crypt_keyslot_add_by_key@CRYPTSETUP_2.0 2:2.0
   crypt_keyslot_add_by_keyfile@CRYPTSETUP_2.0 2:1.4
   crypt_keyslot_add_by_keyfile_offset@CRYPTSETUP_2.0 2:1.4.3
++ crypt_keyslot_add_by_keyslot_context@CRYPTSETUP_2.6 2:2.6
   crypt_keyslot_add_by_passphrase@CRYPTSETUP_2.0 2:1.4
   crypt_keyslot_add_by_volume_key@CRYPTSETUP_2.0 2:1.4
   crypt_keyslot_area@CRYPTSETUP_2.0 2:1.6
   crypt_keyslot_change_by_passphrase@CRYPTSETUP_2.0 2:1.6
++ crypt_keyslot_context_free@CRYPTSETUP_2.6 2:2.6
++ crypt_keyslot_context_get_error@CRYPTSETUP_2.6 2:2.6
++ crypt_keyslot_context_get_type@CRYPTSETUP_2.6 2:2.6
++ crypt_keyslot_context_init_by_keyfile@CRYPTSETUP_2.6 2:2.6
++ crypt_keyslot_context_init_by_passphrase@CRYPTSETUP_2.6 2:2.6
++ crypt_keyslot_context_init_by_token@CRYPTSETUP_2.6 2:2.6
++ crypt_keyslot_context_init_by_volume_key@CRYPTSETUP_2.6 2:2.6
++ crypt_keyslot_context_set_pin@CRYPTSETUP_2.6 2:2.6
   crypt_keyslot_destroy@CRYPTSETUP_2.0 2:1.4
   crypt_keyslot_get_encryption@CRYPTSETUP_2.0 2:2.1
   crypt_keyslot_get_key_size@CRYPTSETUP_2.0 2:2.0.3
@@ -123,6 +133,7 @@ libcryptsetup.so.12 libcryptsetup12 #MINVER#
   crypt_token_status@CRYPTSETUP_2.0 2:2.0
   crypt_token_unassign_keyslot@CRYPTSETUP_2.0 2:2.0
   crypt_volume_key_get@CRYPTSETUP_2.0 2:1.4
++ crypt_volume_key_get_by_keyslot_context@CRYPTSETUP_2.6 2:2.6
   crypt_volume_key_keyring@CRYPTSETUP_2.0 2:2.0
   crypt_volume_key_verify@CRYPTSETUP_2.0 2:1.4
   crypt_wipe@CRYPTSETUP_2.0 2:2.0
 diff --git a/debian/patches/decrease_memlock_ulimit.patch b/debian/patches/decrease_memlock_ulimit.patch
 index be9b6ab..30b264a 100644
 --- a/debian/patches/decrease_memlock_ulimit.patch
 +++ b/debian/patches/decrease_memlock_ulimit.patch
@@ -8,6 +8,7 @@ Author: Guilherme G. Piccoli <gpiccoli@canonical.com>
  Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891473
  Last-Update: 2020-09-09
++<<<<<<< debian/patches/decrease_memlock_ulimit.patch
  Index: cryptsetup-2.3.3/tests/compat-test
  ===================================================================
  --- cryptsetup-2.3.3.orig/tests/compat-test
@@ -15,6 +16,13 @@ Index: cryptsetup-2.3.3/tests/compat-test
@@ -45,6 +45,10 @@ TEST_UUID="12345678-1234-1234-1234-12345
   LOOPDEV=$(losetup -f 2>/dev/null)
   [ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
++=======
++--- a/tests/compat-test
+++++ b/tests/compat-test
++@@ -47,6 +47,10 @@
++ LOOPDEV=$(losetup -f 2>/dev/null)
++ FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
++>>>>>>> debian/patches/decrease_memlock_ulimit.patch
  +# Circumvent test failure due to Bionic builder; we need to decrease
  +# the memlock limit here to mimic Xenial builder (see LP #1891473).
@@ -23,11 +31,17 @@ Index: cryptsetup-2.3.3/tests/compat-test
   function remove_mapping()
+  {
   	[ -b /dev/mapper/$DEV_NAME3 ] && dmsetup remove --retry $DEV_NAME3 >/dev/null 2>&1
++<<<<<<< debian/patches/decrease_memlock_ulimit.patch
  Index: cryptsetup-2.3.3/tests/luks2-validation-test
  ===================================================================
  --- cryptsetup-2.3.3.orig/tests/luks2-validation-test
  +++ cryptsetup-2.3.3/tests/luks2-validation-test
@@ -21,6 +21,10 @@ FAILS=0
++=======
++--- a/tests/luks2-validation-test
+++++ b/tests/luks2-validation-test
++@@ -21,6 +21,10 @@
++>>>>>>> debian/patches/decrease_memlock_ulimit.patch
   [ -z "$srcdir" ] && srcdir="."
@@ -38,11 +52,17 @@ Index: cryptsetup-2.3.3/tests/luks2-validation-test
   function remove_mapping()
+  {
   	rm -rf $IMG $TST_IMGS >/dev/null 2>&1
++<<<<<<< debian/patches/decrease_memlock_ulimit.patch
  Index: cryptsetup-2.3.3/tests/tcrypt-compat-test
  ===================================================================
  --- cryptsetup-2.3.3.orig/tests/tcrypt-compat-test
  +++ cryptsetup-2.3.3/tests/tcrypt-compat-test
@@ -13,6 +13,10 @@ PIM=1234
++=======
++--- a/tests/tcrypt-compat-test
+++++ b/tests/tcrypt-compat-test
++@@ -16,6 +16,10 @@
++>>>>>>> debian/patches/decrease_memlock_ulimit.patch
   [ -z "$srcdir" ] && srcdir="."
 diff --git a/debian/rules b/debian/rules
 index a8761cd..08074b4 100755
 --- a/debian/rules
 +++ b/debian/rules
@@ -55,6 +55,10 @@ endif
  	# generate gettext po files (for luksformat)
  	$(MAKE) -C debian/scripts/po all luksformat.pot
++execute_before_dh_auto_test:
++	# tests/fake_token_path.so is built without global $(CFLAGS)
++	@echo "blhc: ignore-line-regexp: gcc\\s.*\\s\\.\\./tests/[0-9A-Za-z_-]+\\.c\\s.*"
++
  execute_after_dh_auto_install:
  	# install gettext po files (for luksformat)
  	$(MAKE) -C debian/scripts/po DESTDIR=$(CURDIR)/debian/cryptsetup-bin install
 diff --git a/debian/upstream/metadata b/debian/upstream/metadata
 index 639d138..abb325c 100644
 --- a/debian/upstream/metadata
 +++ b/debian/upstream/metadata
@@ -1,5 +1,6 @@
--Bug-Database: https://gitlab.com/cryptsetup/cryptsetup/issues
--Bug-Submit: https://gitlab.com/cryptsetup/cryptsetup/issues/new
++Bug-Database: https://gitlab.com/cryptsetup/cryptsetup/-/issues
++Bug-Submit: https://gitlab.com/cryptsetup/cryptsetup/-/issues/new
  Repository: https://gitlab.com/cryptsetup/cryptsetup.git
  Repository-Browse: https://gitlab.com/cryptsetup/cryptsetup
  FAQ: https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions
++Security-Contact: https://gitlab.com/cryptsetup/cryptsetup/-/blob/HEAD/SECURITY.md
 diff --git a/docs/examples/crypt_log_usage.c b/docs/examples/crypt_log_usage.c
 index aced85c..3d08c34 100644
 --- a/docs/examples/crypt_log_usage.c
 +++ b/docs/examples/crypt_log_usage.c
@@ -1,7 +1,7 @@
  /*
   * libcryptsetup API log example
+  *
-- * Copyright (C) 2011-2022 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2011-2023 Red Hat, Inc. All rights reserved.
+  *
   * This file is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
 diff --git a/docs/examples/crypt_luks_usage.c b/docs/examples/crypt_luks_usage.c
 index acde553..d7779bd 100644
 --- a/docs/examples/crypt_luks_usage.c
 +++ b/docs/examples/crypt_luks_usage.c
@@ -1,7 +1,7 @@
  /*
   *  libcryptsetup API - using LUKS device example
+  *
-- * Copyright (C) 2011-2022 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2011-2023 Red Hat, Inc. All rights reserved.
+  *
   * This file is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
 diff --git a/docs/v2.6.0-ReleaseNotes b/docs/v2.6.0-ReleaseNotes
 new file mode 100644
 index 0000000..6303945
 --- /dev/null
 +++ b/docs/v2.6.0-ReleaseNotes
@@ -0,0 +1,236 @@
++Cryptsetup 2.6.0 Release Notes
++==============================
++Stable release with new features and bug fixes.
++
++Changes since version 2.5.0
++~~~~~~~~~~~~~~~~~~~~~~~~~~~
++
++* Introduce support for handling macOS FileVault2 devices (FVAULT2).
++
++  Cryptsetup now supports the mapping of FileVault2 full-disk encryption
++  by Apple for the macOS operating system using a native Linux kernel.
++  You can open an existing USB FileVault portable device and (with
++  the hfsplus filesystem driver) access the native data read/write.
++
++  Cryptsetup supports only (legacy) FileVault2 based on Core Storage
++  and HFS+ filesystem (introduced in MacOS X 10.7 Lion).
++  It does NOT support the new version of FileVault based on the APFS
++  filesystem used in recent macOS versions.
++
++  Header formatting and changes are not supported; cryptsetup never
++  changes the metadata on the device.
++
++  FVAULT2 extension requires kernel userspace crypto API and kernel
++  driver for HFS+ (hfsplus) filesystem (available on most systems today).
++
++  Example of using FileVault2 formatted USB device:
++
++  A typical encrypted device contains three partitions; the FileVault
++  encrypted partition is here sda2:
++
++  $ lsblk -o NAME,FSTYPE,LABEL /dev/sda
++    NAME   FSTYPE  LABEL
++    sda
++    |-sda1 vfat    EFI
++    |-sda2
++    `-sda3 hfsplus Boot OS X
++
++  Note: blkid does not recognize FileVault2 format yet.
++
++  To dump metadata information about the device, you can use
++  the fvault2Dump command:
++
++  $ cryptsetup fvault2Dump /dev/sda2
++    Header information for FVAULT2 device /dev/sda2.
++    Physical volume UUID:   6f353c05-daae-4e76-a0ee-6a9569a22d81
++    Family UUID:            f82cceb0-a788-4815-945a-53d57fcd55a8
++    Logical volume offset:  67108864 [bytes]
++    Logical volume size:    3288334336 [bytes]
++    Cipher:                 aes
++    Cipher mode:            xts-plain64
++    PBKDF2 iterations:      97962
++    PBKDF2 salt:            173a4ec7447662ec79ca7a47df6c2a01
++
++ To activate the device, use open --type fvault2 option:
++
++ $ cryptsetup open --type fvault2 /dev/sda2 test
++   Enter passphrase for /dev/sda2: ...
++
++ And check the status of the active device:
++
++ $ cryptsetup status test
++   /dev/mapper/test is active.
++   type:    FVAULT2
++   cipher:  aes-xts-plain64
++   keysize: 256 bits
++   key location: dm-crypt
++   device:  /dev/sda2
++   sector size:  512
++   offset:  131072 sectors
++   size:    6422528 sectors
++   mode:    read/write
++
++ Now, if the kernel contains hfsplus filesystem driver, you can mount
++ decrypted content:
++
++ $ mount /dev/mapper/test /mnt/test
++
++ For more info about implementation, please refer to the master thesis
++ by Pavel Tobias, which was the source for this extension.
++ https://is.muni.cz/th/p0aok/?lang=en
++
++* libcryptsetup: no longer use global memory locking through mlockall()
++
++  For many years, libcryptsetup locked all memory (including dependent
++  library address space) to prevent swapping sensitive content outside
++  of RAM.
++
++  This strategy no longer works as the locking of basic libraries exceeds
++  the memory locking limit if running as a non-root user.
++
++  Libcryptsetup now locks only memory ranges containing sensitive
++  material (keys) through crypt_safe_alloc() calls.
++
++  This change solves many reported mysterious problems of unexpected
++  failures. If the initial lock was still under the limit and succeeded,
++  some following memory allocation could fail later as it exceeded
++  the locking limit. If the initial locking fails,  memory locking
++  was quietly ignored completely.
++
++  The whole crypt_memory_lock() API call is deprecated; it no longer
++  calls memlockall().
++
++* libcryptsetup: process priority is increased only for key derivation
++  (PBKDF) calls.
++
++  Increasing priority was tight to memory locking and works only if
++  running under superuser.
++  Only PBKDF calls and benchmarking now increase the process priority.
++
++* Add new LUKS keyslot context handling functions and API.
++
++  In practice, the luksAddKey action does two operations.
++  It unlocks the existing device volume key and stores the unlocked
++  volume key in a new keyslot.
++  Previously the options were limited to key files and passphrases.
++
++  Newly available methods (keyslot contexts) are passphrase, keyfile,
++  key (binary representation), and LUKS2 token.
++
++  To unlock a keyslot user may:
++    - provide existing passphrase via interactive prompt (default method)
++    - use --key-file option to provide a file with a valid passphrase
++    - provide volume key directly via --volume-key-file
++    - unlock keyslot via all available LUKS2 tokens by --token-only
++    - unlock keyslot via specific token with --token-id
++    - unlock keyslot via specific token type by --token-type
++
++  To provide the passphrase for a new keyslot, a user may:
++    - provide existing passphrase via interactive prompt (default method)
++    - use --new-keyfile to read the passphrase from the file
++    - use --new-token-id to select LUKS2 token to get passphrase
++      for new keyslot. The new keyslot is assigned to the selected token
++      id if the operation is successful.
++
++* The volume key may now be extracted using a passphrase, keyfile, or
++  token. For LUKS devices, it also returns the volume key after
++  a successful crypt_format call.
++
++* Fix --disable-luks2-reencryption configuration option.
++
++* cryptsetup: Print a better error message and warning if the format
++  produces an image without space available for data.
++
++  Activation now fails early with a more descriptive message.
++
++* Print error if anti-forensic LUKS2 hash setting is not available.
++  If the specified hash was not available, activation quietly failed.
++
++* Fix internal crypt segment compare routine if the user
++  specified cipher in kernel format (capi: prefix).
++
++* cryptsetup: Add token unassign action.
++
++  This action allows removing token binding on specific keyslot.
++
++* veritysetup: add support for --use-tasklets option.
++
++  This option sets try_verify_in_tasklet kernel dm-verity option
++  (available since Linux kernel 6.0) to allow some performance
++  improvement on specific systems.
++
++* Provide pkgconfig Require.private settings.
++
++  While we do not completely provide static build on udev systems,
++  it helps produce statically linked binaries in certain situations.
++
++* Always update automake library files if autogen.sh is run.
++
++  For several releases, we distributed older automake scripts by mistake.
++
++* reencryption: Fix user defined moved segment size in LUKS2 decryption.
++
++  The --hotzone-size argument was ignored in cases where the actual data
++  size was less than the original LUKS2 data offset.
++
++* Delegate FIPS mode detection to configured crypto backend.
++  System FIPS mode check no longer depends on /etc/system-fips file.
++
++* tests: externally provided systemd plugin is now optionally compiled
++  from systemd git and tested with cryptsetup
++
++* tests: initial integration to OSS-fuzz project with basic crypt_load()
++  test for LUKS2 and JSON mutated fuzzing.
++
++  For more info, see README in tests/fuzz directory.
++
++* Update documentation, including FAQ and man pages.
++
++Libcryptsetup API extensions
++~~~~~~~~~~~~~~~~~~~~~~~~~~~~
++The libcryptsetup API is backward compatible with existing symbols.
++
++New symbols:
++  crypt_keyslot_context_init_by_passphrase
++  crypt_keyslot_context_init_by_keyfile
++  crypt_keyslot_context_init_by_token
++  crypt_keyslot_context_init_by_volume_key
++  crypt_keyslot_context_get_error
++  crypt_keyslot_context_set_pin
++  crypt_keyslot_context_get_type
++  crypt_keyslot_context_free
++  crypt_keyslot_add_by_keyslot_context
++  crypt_volume_key_get_by_keyslot_context
++
++New defines:
++  CRYPT_FVAULT2 "FVAULT2" (FileVault2 compatible mode)
++
++Keyslot context types:
++  CRYPT_KC_TYPE_PASSPHRASE
++  CRYPT_KC_TYPE_KEYFILE
++  CRYPT_KC_TYPE_TOKEN
++  CRYPT_KC_TYPE_KEY
++
++  CRYPT_ACTIVATE_TASKLETS (dm-verity: use tasklets activation flag)
++
++WARNING!
++~~~~~~~~
++The next version of cryptsetup will change the encryption mode and key
++derivation option for the PLAIN format.
++
++This change will cause backward incompatibility.
++For this reason, the user will have to specify the exact parameters
++for cipher, key size, and key derivation parameters for plain format.
++
++The default encryption mode will be AES-XTS with 512bit key (AES-256).
++The CBC mode is no longer considered the best default, as it allows easy
++bit-flipped ciphertext modification attacks and performance problems.
++
++For the passphrase hashing in plain mode, the encryption key is directly
++derived through iterative hashing from a user-provided passphrase
++(except a keyfile that is not hashed).
++
++The default hash is RIPEMD160, which is no longer the best default
++option. The exact change will be yet discussed but should include
++the possibility of using a password-based key derivation function
++instead of iterative hashing.
 diff --git a/docs/v2.6.1-ReleaseNotes b/docs/v2.6.1-ReleaseNotes
 new file mode 100644
 index 0000000..82012b9
 --- /dev/null
 +++ b/docs/v2.6.1-ReleaseNotes
@@ -0,0 +1,50 @@
++Cryptsetup 2.6.1 Release Notes
++==============================
++Stable bug-fix release with minor extensions.
++
++All users of cryptsetup 2.6.0 should upgrade to this version.
++
++Changes since version 2.6.0
++~~~~~~~~~~~~~~~~~~~~~~~~~~~
++
++* bitlk: Fixes for BitLocker-compatible on-disk metadata parser
++  (found by new cryptsetup OSS-Fuzz fuzzers).
++  - Fix a possible memory leak if the metadata contains more than
++    one description field.
++  - Harden parsing of metadata entries for key and description entries.
++  - Fix broken metadata parsing that can cause a crash or out of memory.
++
++* Fix possible iteration overflow in OpenSSL2 PBKDF2 crypto backend.
++  OpenSSL2 uses a signed integer for PBKDF2 iteration count.
++  As cryptsetup uses an unsigned value, this can lead to overflow and
++  a decrease in the actual iteration count.
++  This situation can happen only if the user specifies
++  --pbkdf-force-iterations option.
++  OpenSSL3 (and other supported crypto backends) are not affected.
++
++* Fix compilation for new ISO C standards (gcc with -std=c11 and higher).
++
++* fvault2: Fix compilation with very old uuid.h.
++
++* verity: Fix possible hash offset setting overflow.
++
++* bitlk: Fix use of startup BEK key on big-endian platforms.
++
++* Fix compilation with latest musl library.
++  Recent musl no longer implements lseek64() in some configurations.
++  Use lseek() as 64-bit offset is mandatory for cryptsetup.
++
++* Do not initiate encryption (reencryption command) when the header and
++  data devices are the same.
++  If data device reduction is not requsted, this leads to data corruption
++  since LUKS metadata was written over the data device.
++
++* Fix possible memory leak if crypt_load() fails.
++
++* Always use passphrases with a minimal 8 chars length for benchmarking.
++  Some enterprise distributions decided to set an unconditional check
++  for PBKDF2 password length when running in FIPS mode.
++  This questionable change led to unexpected failures during LUKS format
++  and keyslot operations, where short passwords were used for
++  benchmarking PBKDF2 speed.
++  PBKDF2 benchmark calculations should not be affected by this change.
 diff --git a/lib/Makemodule.am b/lib/Makemodule.am
 index 2ebbae1..2e60a90 100644
 --- a/lib/Makemodule.am
 +++ b/lib/Makemodule.am
@@ -53,8 +53,6 @@ libcryptsetup_la_SOURCES = \
  	lib/utils_loop.h		\
  	lib/utils_devpath.c		\
  	lib/utils_wipe.c		\
--	lib/utils_fips.c		\
--	lib/utils_fips.h		\
  	lib/utils_device.c		\
  	lib/utils_keyring.c		\
  	lib/utils_keyring.h		\
@@ -75,6 +73,8 @@ libcryptsetup_la_SOURCES = \
  	lib/loopaes/loopaes.c		\
  	lib/tcrypt/tcrypt.h		\
  	lib/tcrypt/tcrypt.c		\
++	lib/keyslot_context.h		\
++	lib/keyslot_context.c		\
  	lib/luks1/af.h			\
  	lib/luks1/af.c			\
  	lib/luks1/keyencryption.c	\
@@ -106,4 +106,6 @@ libcryptsetup_la_SOURCES = \
  	lib/utils_blkid.c		\
  	lib/utils_blkid.h		\
  	lib/bitlk/bitlk.h		\
--	lib/bitlk/bitlk.c
++	lib/bitlk/bitlk.c		\
++	lib/fvault2/fvault2.h		\
++	lib/fvault2/fvault2.c
 diff --git a/lib/bitlk/bitlk.c b/lib/bitlk/bitlk.c
 index 3548d10..de7bcea 100644
 --- a/lib/bitlk/bitlk.c
 +++ b/lib/bitlk/bitlk.c
@@ -1,9 +1,9 @@
  /*
   * BITLK (BitLocker-compatible) volume handling
+  *
-- * Copyright (C) 2019-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2019-2022 Milan Broz
-- * Copyright (C) 2019-2022 Vojtech Trefny
++ * Copyright (C) 2019-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2019-2023 Milan Broz
++ * Copyright (C) 2019-2023 Vojtech Trefny
+  *
   * This file is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
@@ -255,13 +255,16 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
  		    (*vmk)->protection == BITLK_PROTECTION_RECOVERY_PASSPHRASE ||
  		    (*vmk)->protection == BITLK_PROTECTION_STARTUP_KEY;
--	while (end - start > 2) {
++	while ((end - start) >= (ssize_t)(sizeof(key_entry_size) + sizeof(key_entry_type) + sizeof(key_entry_value))) {
  		/* size of this entry */
  		memcpy(&key_entry_size, data + start, sizeof(key_entry_size));
  		key_entry_size = le16_to_cpu(key_entry_size);
  		if (key_entry_size == 0)
  			break;
++		if (key_entry_size > (end - start))
++			return -EINVAL;
++
  		/* type and value of this entry */
  		memcpy(&key_entry_type, data + start + sizeof(key_entry_size), sizeof(key_entry_type));
  		memcpy(&key_entry_value,
@@ -280,20 +283,24 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
+ 		}
  		/* stretch key with salt, skip 4 B (encryption method of the stretch key) */
--		if (key_entry_value == BITLK_ENTRY_VALUE_STRETCH_KEY)
++		if (key_entry_value == BITLK_ENTRY_VALUE_STRETCH_KEY) {
++			if ((end - start) < (BITLK_ENTRY_HEADER_LEN + BITLK_SALT_SIZE + 4))
++				return -EINVAL;
  			memcpy((*vmk)->salt,
  			       data + start + BITLK_ENTRY_HEADER_LEN + 4,
--			       sizeof((*vmk)->salt));
++			       BITLK_SALT_SIZE);
  		/* AES-CCM encrypted key */
--		else if (key_entry_value == BITLK_ENTRY_VALUE_ENCRYPTED_KEY) {
++		} else if (key_entry_value == BITLK_ENTRY_VALUE_ENCRYPTED_KEY) {
++			if (key_entry_size < (BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE))
++				return -EINVAL;
  			/* nonce */
  			memcpy((*vmk)->nonce,
  			       data + start + BITLK_ENTRY_HEADER_LEN,
--			       sizeof((*vmk)->nonce));
++			       BITLK_NONCE_SIZE);
  			/* MAC tag */
  			memcpy((*vmk)->mac_tag,
  			       data + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE,
--			       sizeof((*vmk)->mac_tag));
++			       BITLK_VMK_MAC_TAG_SIZE);
  			/* AES-CCM encrypted key */
  			key_size = key_entry_size - (BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE);
  			key = (const char *) data + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE;
@@ -318,6 +325,8 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
  		} else if (key_entry_value == BITLK_ENTRY_VALUE_RECOVERY_TIME) {
+ 			;
  		} else if (key_entry_value == BITLK_ENTRY_VALUE_STRING) {
++			if (key_entry_size < BITLK_ENTRY_HEADER_LEN)
++				return -EINVAL;
  			string = malloc((key_entry_size - BITLK_ENTRY_HEADER_LEN) * 2 + 1);
  			if (!string)
  				return -ENOMEM;
@@ -405,6 +414,7 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
  	struct bitlk_fve_metadata fve = {};
  	struct bitlk_entry_vmk entry_vmk = {};
  	uint8_t *fve_entries = NULL;
++	size_t fve_entries_size = 0;
  	uint32_t fve_metadata_size = 0;
  	int fve_offset = 0;
  	char guid_buf[UUID_STR_LEN] = {0};
@@ -413,7 +423,6 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
  	int i = 0;
  	int r = 0;
  	int start = 0;
--	int end = 0;
  	size_t key_size = 0;
  	const char *key = NULL;
  	char *description = NULL;
@@ -514,7 +523,6 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
  	params->volume_size = le64_to_cpu(fve.volume_size);
  	params->metadata_version = le16_to_cpu(fve.fve_version);
--	fve_metadata_size = le32_to_cpu(fve.metadata_size);
  	switch (le16_to_cpu(fve.encryption)) {
  	/* AES-CBC with Elephant difuser */
@@ -569,40 +577,56 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
  	params->creation_time = filetime_to_unixtime(le64_to_cpu(fve.creation_time));
++	fve_metadata_size = le32_to_cpu(fve.metadata_size);
++	if (fve_metadata_size < (BITLK_FVE_METADATA_HEADER_LEN + sizeof(entry_size) + sizeof(entry_type)) ||
++	    fve_metadata_size > BITLK_FVE_METADATA_SIZE) {
++		r = -EINVAL;
++		goto out;
++	}
++	fve_entries_size = fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN;
++
  	/* read and parse all FVE metadata entries */
--	fve_entries = malloc(fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN);
++	fve_entries = malloc(fve_entries_size);
  	if (!fve_entries) {
  		r = -ENOMEM;
  		goto out;
+ 	}
--	memset(fve_entries, 0, (fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN));
++	memset(fve_entries, 0, fve_entries_size);
--	log_dbg(cd, "Reading BITLK FVE metadata entries of size %" PRIu32 " on device %s, offset %" PRIu64 ".",
--		fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN, device_path(device),
--		params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN);
++	log_dbg(cd, "Reading BITLK FVE metadata entries of size %zu on device %s, offset %" PRIu64 ".",
++		fve_entries_size, device_path(device), params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN);
  	if (read_lseek_blockwise(devfd, device_block_size(cd, device),
--		device_alignment(device), fve_entries, fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN,
--		params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN) != (ssize_t)(fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN)) {
++		device_alignment(device), fve_entries, fve_entries_size,
++		params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN) != (ssize_t)fve_entries_size) {
  		log_err(cd, _("Failed to read BITLK metadata entries from %s."), device_path(device));
  		r = -EINVAL;
  		goto out;
+ 	}
--	end = fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN;
--	while (end - start > 2) {
++	while ((fve_entries_size - start) >= (sizeof(entry_size) + sizeof(entry_type))) {
++
  		/* size of this entry */
  		memcpy(&entry_size, fve_entries + start, sizeof(entry_size));
  		entry_size = le16_to_cpu(entry_size);
  		if (entry_size == 0)
  			break;
++		if (entry_size > (fve_entries_size - start)) {
++			r = -EINVAL;
++			goto out;
++		}
++
  		/* type of this entry */
  		memcpy(&entry_type, fve_entries + start + sizeof(entry_size), sizeof(entry_type));
  		entry_type = le16_to_cpu(entry_type);
  		/* VMK */
  		if (entry_type == BITLK_ENTRY_TYPE_VMK) {
++			if (entry_size < (BITLK_ENTRY_HEADER_LEN + sizeof(entry_vmk))) {
++				r = -EINVAL;
++				goto out;
++			}
  			/* skip first four variables in the entry (entry size, type, value and version) */
  			memcpy(&entry_vmk,
  			       fve_entries + start + BITLK_ENTRY_HEADER_LEN,
@@ -639,7 +663,11 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
  			vmk_p = vmk;
  			vmk = vmk->next;
  		/* FVEK */
--		} else if (entry_type == BITLK_ENTRY_TYPE_FVEK) {
++		} else if (entry_type == BITLK_ENTRY_TYPE_FVEK && !params->fvek) {
++			if (entry_size < (BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE)) {
++				r = -EINVAL;
++				goto out;
++			}
  			params->fvek = malloc(sizeof(struct bitlk_fvek));
  			if (!params->fvek) {
  				r = -ENOMEM;
@@ -647,11 +675,11 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
+ 			}
  			memcpy(params->fvek->nonce,
  			       fve_entries + start + BITLK_ENTRY_HEADER_LEN,
--			       sizeof(params->fvek->nonce));
++			       BITLK_NONCE_SIZE);
  			/* MAC tag */
  			memcpy(params->fvek->mac_tag,
  			       fve_entries + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE,
--			       sizeof(params->fvek->mac_tag));
++			       BITLK_VMK_MAC_TAG_SIZE);
  			/* AES-CCM encrypted key */
  			key_size = entry_size - (BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE);
  			key = (const char *) fve_entries + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE;
@@ -663,19 +691,29 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
  		/* volume header info (location and size) */
  		} else if (entry_type == BITLK_ENTRY_TYPE_VOLUME_HEADER) {
  			struct bitlk_entry_header_block entry_header;
++			if ((fve_entries_size - start) < (BITLK_ENTRY_HEADER_LEN + sizeof(entry_header))) {
++				r = -EINVAL;
++				goto out;
++			}
  			memcpy(&entry_header,
  			       fve_entries + start + BITLK_ENTRY_HEADER_LEN,
  			       sizeof(entry_header));
  			params->volume_header_offset = le64_to_cpu(entry_header.offset);
  			params->volume_header_size = le64_to_cpu(entry_header.size);
  		/* volume description (utf-16 string) */
--		} else if (entry_type == BITLK_ENTRY_TYPE_DESCRIPTION) {
--			description = malloc((entry_size - BITLK_ENTRY_HEADER_LEN - BITLK_ENTRY_HEADER_LEN) * 2 + 1);
--			if (!description)
--				return -ENOMEM;
++		} else if (entry_type == BITLK_ENTRY_TYPE_DESCRIPTION && !params->description) {
++			if (entry_size < BITLK_ENTRY_HEADER_LEN) {
++				r = -EINVAL;
++				goto out;
++			}
++			description = malloc((entry_size - BITLK_ENTRY_HEADER_LEN) * 2 + 1);
++			if (!description) {
++				r = -ENOMEM;
++				goto out;
++			}
  			r = crypt_utf16_to_utf8(&description, CONST_CAST(char16_t *)(fve_entries + start + BITLK_ENTRY_HEADER_LEN),
  					                  entry_size - BITLK_ENTRY_HEADER_LEN);
--			if (r < 0 || !description) {
++			if (r < 0) {
  				free(description);
  				BITLK_bitlk_vmk_free(vmk);
  				log_err(cd, _("Failed to convert BITLK volume description"));
@@ -773,13 +811,13 @@ static int get_recovery_key(struct crypt_device *cd,
  	    - each part is a number dividable by 11
  	*/
  	if (passwordLen != BITLK_RECOVERY_KEY_LEN) {
--                if (passwordLen == BITLK_RECOVERY_KEY_LEN + 1 && password[passwordLen - 1] == '\n') {
--                        /* looks like a recovery key with an extra newline, possibly from a key file */
--                        passwordLen--;
--                        log_dbg(cd, "Possible extra EOL stripped from the recovery key.");
--                } else
--                        return 0;
--        }
++		if (passwordLen == BITLK_RECOVERY_KEY_LEN + 1 && password[passwordLen - 1] == '\n') {
++			/* looks like a recovery key with an extra newline, possibly from a key file */
++			passwordLen--;
++			log_dbg(cd, "Possible extra EOL stripped from the recovery key.");
++		} else
++			return 0;
++	}
  	for (i = BITLK_RECOVERY_PART_LEN; i < passwordLen; i += BITLK_RECOVERY_PART_LEN + 1) {
  		if (password[i] != '-')
@@ -822,13 +860,16 @@ static int parse_external_key_entry(struct crypt_device *cd,
  	struct bitlk_guid guid;
  	char guid_buf[UUID_STR_LEN] = {0};
--	while (end - start > 2) {
++	while ((end - start) >= (ssize_t)(sizeof(key_entry_size) + sizeof(key_entry_type) + sizeof(key_entry_value))) {
  		/* size of this entry */
  		memcpy(&key_entry_size, data + start, sizeof(key_entry_size));
  		key_entry_size = le16_to_cpu(key_entry_size);
  		if (key_entry_size == 0)
  			break;
++		if (key_entry_size > (end - start))
++			return -EINVAL;
++
  		/* type and value of this entry */
  		memcpy(&key_entry_type, data + start + sizeof(key_entry_size), sizeof(key_entry_type));
  		memcpy(&key_entry_value,
@@ -843,6 +884,8 @@ static int parse_external_key_entry(struct crypt_device *cd,
+ 		}
  		if (key_entry_value == BITLK_ENTRY_VALUE_KEY) {
++			if (key_entry_size < (BITLK_ENTRY_HEADER_LEN + 4))
++				return -EINVAL;
  			key_size = key_entry_size - (BITLK_ENTRY_HEADER_LEN + 4);
  			key = (const char *) data + start + BITLK_ENTRY_HEADER_LEN + 4;
  			*vk = crypt_alloc_volume_key(key_size, key);
@@ -854,6 +897,8 @@ static int parse_external_key_entry(struct crypt_device *cd,
+ 			;
  		/* GUID of the BitLocker device we are trying to open with this key */
  		else if (key_entry_value == BITLK_ENTRY_VALUE_GUID) {
++			if ((end - start) < (ssize_t)(BITLK_ENTRY_HEADER_LEN + sizeof(struct bitlk_guid)))
++				return -EINVAL;
  			memcpy(&guid, data + start + BITLK_ENTRY_HEADER_LEN, sizeof(struct bitlk_guid));
  			guid_to_string(&guid, guid_buf);
  			if (strcmp(guid_buf, params->guid) != 0) {
@@ -887,7 +932,7 @@ static int get_startup_key(struct crypt_device *cd,
  	uint16_t key_entry_type = 0;
  	uint16_t key_entry_value = 0;
--	if (passwordLen < BITLK_BEK_FILE_HEADER_LEN)
++	if (passwordLen < (BITLK_BEK_FILE_HEADER_LEN + sizeof(key_entry_size) + sizeof(key_entry_type) + sizeof(key_entry_value)))
  		return -EPERM;
  	memcpy(&bek_header, password, BITLK_BEK_FILE_HEADER_LEN);
@@ -899,13 +944,14 @@ static int get_startup_key(struct crypt_device *cd,
  	else
  		return -EPERM;
--	if (bek_header.metadata_version != 1) {
--		log_err(cd, _("Unsupported BEK metadata version %" PRIu32), bek_header.metadata_version);
++	if (le32_to_cpu(bek_header.metadata_version) != 1) {
++		log_err(cd, _("Unsupported BEK metadata version %" PRIu32), le32_to_cpu(bek_header.metadata_version));
  		return -ENOTSUP;
+ 	}
--	if (bek_header.metadata_size != passwordLen) {
--		log_err(cd, _("Unexpected BEK metadata size %" PRIu32 " does not match BEK file length"), bek_header.metadata_size);
++	if (le32_to_cpu(bek_header.metadata_size) != passwordLen) {
++		log_err(cd, _("Unexpected BEK metadata size %" PRIu32 " does not match BEK file length"),
++			le32_to_cpu(bek_header.metadata_size));
  		return -EINVAL;
+ 	}
 diff --git a/lib/bitlk/bitlk.h b/lib/bitlk/bitlk.h
 index 5b54271..54d3dc7 100644
 --- a/lib/bitlk/bitlk.h
 +++ b/lib/bitlk/bitlk.h
@@ -1,9 +1,9 @@
  /*
   * BITLK (BitLocker-compatible) header definition
+  *
-- * Copyright (C) 2019-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2019-2022 Milan Broz
-- * Copyright (C) 2019-2022 Vojtech Trefny
++ * Copyright (C) 2019-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2019-2023 Milan Broz
++ * Copyright (C) 2019-2023 Vojtech Trefny
+  *
   * This file is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
 diff --git a/lib/crypt_plain.c b/lib/crypt_plain.c
 index fc4873b..c839b09 100644
 --- a/lib/crypt_plain.c
 +++ b/lib/crypt_plain.c
@@ -2,8 +2,8 @@
   * cryptsetup plain device helper functions
+  *
   * Copyright (C) 2004 Jana Saout <jana@saout.de>
-- * Copyright (C) 2010-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2010-2022 Milan Broz
++ * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2010-2023 Milan Broz
+  *
   * This program is free software; you can redistribute it and/or
   * modify it under the terms of the GNU General Public License
 diff --git a/lib/crypto_backend/argon2_generic.c b/lib/crypto_backend/argon2_generic.c
 index 663dd71..0ce67da 100644
 --- a/lib/crypto_backend/argon2_generic.c
 +++ b/lib/crypto_backend/argon2_generic.c
@@ -1,8 +1,8 @@
  /*
   * Argon2 PBKDF2 library wrapper
+  *
-- * Copyright (C) 2016-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2016-2022 Milan Broz
++ * Copyright (C) 2016-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2016-2023 Milan Broz
+  *
   * This file is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
 diff --git a/lib/crypto_backend/base64.c b/lib/crypto_backend/base64.c
 index af5e927..42f70cb 100644
 --- a/lib/crypto_backend/base64.c
 +++ b/lib/crypto_backend/base64.c
@@ -4,7 +4,7 @@
   * Copyright (C) 2010 Lennart Poettering
+  *
   * cryptsetup related changes
-- * Copyright (C) 2021-2022 Milan Broz
++ * Copyright (C) 2021-2023 Milan Broz
+  *
   * This file is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
@@ -24,7 +24,6 @@
  #include <errno.h>
  #include <stdlib.h>
  #include <limits.h>
--#include <assert.h>
  #include "crypto_backend.h"
 diff --git a/lib/crypto_backend/cipher_check.c b/lib/crypto_backend/cipher_check.c
 index 9a972f5..98ec1a5 100644
 --- a/lib/crypto_backend/cipher_check.c
 +++ b/lib/crypto_backend/cipher_check.c
@@ -1,8 +1,8 @@
  /*
   * Cipher performance check
+  *
-- * Copyright (C) 2018-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2018-2022 Milan Broz
++ * Copyright (C) 2018-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2018-2023 Milan Broz
+  *
   * This file is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
 diff --git a/lib/crypto_backend/cipher_generic.c b/lib/crypto_backend/cipher_generic.c
 index 0623a78..b3a4407 100644
 --- a/lib/crypto_backend/cipher_generic.c
 +++ b/lib/crypto_backend/cipher_generic.c
@@ -1,8 +1,8 @@
  /*
   * Linux kernel cipher generic utilities
+  *
-- * Copyright (C) 2018-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2018-2022 Milan Broz
++ * Copyright (C) 2018-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2018-2023 Milan Broz
+  *
   * This file is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
 diff --git a/lib/crypto_backend/crc32.c b/lib/crypto_backend/crc32.c
 index 9d43623..9009b02 100644
 --- a/lib/crypto_backend/crc32.c
 +++ b/lib/crypto_backend/crc32.c
@@ -97,12 +97,71 @@ static const uint32_t crc32_tab[] = {
 x2d02ef8dL
  };
++static const uint32_t crc32c_tab[] = {
++	0x00000000L, 0xF26B8303L, 0xE13B70F7L, 0x1350F3F4L, 0xC79A971FL,
++	0x35F1141CL, 0x26A1E7E8L, 0xD4CA64EBL, 0x8AD958CFL, 0x78B2DBCCL,
++	0x6BE22838L, 0x9989AB3BL, 0x4D43CFD0L, 0xBF284CD3L, 0xAC78BF27L,
++	0x5E133C24L, 0x105EC76FL, 0xE235446CL, 0xF165B798L, 0x030E349BL,
++	0xD7C45070L, 0x25AFD373L, 0x36FF2087L, 0xC494A384L, 0x9A879FA0L,
++	0x68EC1CA3L, 0x7BBCEF57L, 0x89D76C54L, 0x5D1D08BFL, 0xAF768BBCL,
++	0xBC267848L, 0x4E4DFB4BL, 0x20BD8EDEL, 0xD2D60DDDL, 0xC186FE29L,
++	0x33ED7D2AL, 0xE72719C1L, 0x154C9AC2L, 0x061C6936L, 0xF477EA35L,
++	0xAA64D611L, 0x580F5512L, 0x4B5FA6E6L, 0xB93425E5L, 0x6DFE410EL,
++	0x9F95C20DL, 0x8CC531F9L, 0x7EAEB2FAL, 0x30E349B1L, 0xC288CAB2L,
++	0xD1D83946L, 0x23B3BA45L, 0xF779DEAEL, 0x05125DADL, 0x1642AE59L,
++	0xE4292D5AL, 0xBA3A117EL, 0x4851927DL, 0x5B016189L, 0xA96AE28AL,
++	0x7DA08661L, 0x8FCB0562L, 0x9C9BF696L, 0x6EF07595L, 0x417B1DBCL,
++	0xB3109EBFL, 0xA0406D4BL, 0x522BEE48L, 0x86E18AA3L, 0x748A09A0L,
++	0x67DAFA54L, 0x95B17957L, 0xCBA24573L, 0x39C9C670L, 0x2A993584L,
++	0xD8F2B687L, 0x0C38D26CL, 0xFE53516FL, 0xED03A29BL, 0x1F682198L,
++	0x5125DAD3L, 0xA34E59D0L, 0xB01EAA24L, 0x42752927L, 0x96BF4DCCL,
++	0x64D4CECFL, 0x77843D3BL, 0x85EFBE38L, 0xDBFC821CL, 0x2997011FL,
++	0x3AC7F2EBL, 0xC8AC71E8L, 0x1C661503L, 0xEE0D9600L, 0xFD5D65F4L,
++	0x0F36E6F7L, 0x61C69362L, 0x93AD1061L, 0x80FDE395L, 0x72966096L,
++	0xA65C047DL, 0x5437877EL, 0x4767748AL, 0xB50CF789L, 0xEB1FCBADL,
++	0x197448AEL, 0x0A24BB5AL, 0xF84F3859L, 0x2C855CB2L, 0xDEEEDFB1L,
++	0xCDBE2C45L, 0x3FD5AF46L, 0x7198540DL, 0x83F3D70EL, 0x90A324FAL,
++	0x62C8A7F9L, 0xB602C312L, 0x44694011L, 0x5739B3E5L, 0xA55230E6L,
++	0xFB410CC2L, 0x092A8FC1L, 0x1A7A7C35L, 0xE811FF36L, 0x3CDB9BDDL,
++	0xCEB018DEL, 0xDDE0EB2AL, 0x2F8B6829L, 0x82F63B78L, 0x709DB87BL,
++	0x63CD4B8FL, 0x91A6C88CL, 0x456CAC67L, 0xB7072F64L, 0xA457DC90L,
++	0x563C5F93L, 0x082F63B7L, 0xFA44E0B4L, 0xE9141340L, 0x1B7F9043L,
++	0xCFB5F4A8L, 0x3DDE77ABL, 0x2E8E845FL, 0xDCE5075CL, 0x92A8FC17L,
++	0x60C37F14L, 0x73938CE0L, 0x81F80FE3L, 0x55326B08L, 0xA759E80BL,
++	0xB4091BFFL, 0x466298FCL, 0x1871A4D8L, 0xEA1A27DBL, 0xF94AD42FL,
++	0x0B21572CL, 0xDFEB33C7L, 0x2D80B0C4L, 0x3ED04330L, 0xCCBBC033L,
++	0xA24BB5A6L, 0x502036A5L, 0x4370C551L, 0xB11B4652L, 0x65D122B9L,
++	0x97BAA1BAL, 0x84EA524EL, 0x7681D14DL, 0x2892ED69L, 0xDAF96E6AL,
++	0xC9A99D9EL, 0x3BC21E9DL, 0xEF087A76L, 0x1D63F975L, 0x0E330A81L,
++	0xFC588982L, 0xB21572C9L, 0x407EF1CAL, 0x532E023EL, 0xA145813DL,
++	0x758FE5D6L, 0x87E466D5L, 0x94B49521L, 0x66DF1622L, 0x38CC2A06L,
++	0xCAA7A905L, 0xD9F75AF1L, 0x2B9CD9F2L, 0xFF56BD19L, 0x0D3D3E1AL,
++	0x1E6DCDEEL, 0xEC064EEDL, 0xC38D26C4L, 0x31E6A5C7L, 0x22B65633L,
++	0xD0DDD530L, 0x0417B1DBL, 0xF67C32D8L, 0xE52CC12CL, 0x1747422FL,
++	0x49547E0BL, 0xBB3FFD08L, 0xA86F0EFCL, 0x5A048DFFL, 0x8ECEE914L,
++	0x7CA56A17L, 0x6FF599E3L, 0x9D9E1AE0L, 0xD3D3E1ABL, 0x21B862A8L,
++	0x32E8915CL, 0xC083125FL, 0x144976B4L, 0xE622F5B7L, 0xF5720643L,
++	0x07198540L, 0x590AB964L, 0xAB613A67L, 0xB831C993L, 0x4A5A4A90L,
++	0x9E902E7BL, 0x6CFBAD78L, 0x7FAB5E8CL, 0x8DC0DD8FL, 0xE330A81AL,
++	0x115B2B19L, 0x020BD8EDL, 0xF0605BEEL, 0x24AA3F05L, 0xD6C1BC06L,
++	0xC5914FF2L, 0x37FACCF1L, 0x69E9F0D5L, 0x9B8273D6L, 0x88D28022L,
++	0x7AB90321L, 0xAE7367CAL, 0x5C18E4C9L, 0x4F48173DL, 0xBD23943EL,
++	0xF36E6F75L, 0x0105EC76L, 0x12551F82L, 0xE03E9C81L, 0x34F4F86AL,
++	0xC69F7B69L, 0xD5CF889DL, 0x27A40B9EL, 0x79B737BAL, 0x8BDCB4B9L,
++	0x988C474DL, 0x6AE7C44EL, 0xBE2DA0A5L, 0x4C4623A6L, 0x5F16D052L,
++	0xAD7D5351L
++};
++
  /*
   * This a generic crc32() function, it takes seed as an argument,
   * and does __not__ xor at the end. Then individual users can do
   * whatever they need.
   */
--uint32_t crypt_crc32(uint32_t seed, const unsigned char *buf, size_t len)
++static uint32_t compute_crc32(
++	const uint32_t *crc32_tab,
++	uint32_t seed,
++	const unsigned char *buf,
++	size_t len)
+ {
  	uint32_t crc = seed;
  	const unsigned char *p = buf;
@@ -112,3 +171,13 @@ uint32_t crypt_crc32(uint32_t seed, const unsigned char *buf, size_t len)
  	return crc;
+ }
++
++uint32_t crypt_crc32(uint32_t seed, const unsigned char *buf, size_t len)
++{
++	return compute_crc32(crc32_tab, seed, buf, len);
++}
++
++uint32_t crypt_crc32c(uint32_t seed, const unsigned char *buf, size_t len)
++{
++	return compute_crc32(crc32c_tab, seed, buf, len);
++}
 diff --git a/lib/crypto_backend/crypto_backend.h b/lib/crypto_backend/crypto_backend.h
 index 9bfa65a..88562e9 100644
 --- a/lib/crypto_backend/crypto_backend.h
 +++ b/lib/crypto_backend/crypto_backend.h
@@ -1,8 +1,8 @@
  /*
   * crypto backend implementation
+  *
-- * Copyright (C) 2010-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2010-2022 Milan Broz
++ * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2010-2023 Milan Broz
+  *
   * This file is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
@@ -21,6 +21,7 @@
  #ifndef _CRYPTO_BACKEND_H
  #define _CRYPTO_BACKEND_H
++#include <assert.h>
  #include <stdint.h>
  #include <stdbool.h>
  #include <stddef.h>
@@ -40,7 +41,8 @@ struct crypt_storage;
  int crypt_backend_init(bool fips);
  void crypt_backend_destroy(void);
--#define CRYPT_BACKEND_KERNEL (1 << 0)	/* Crypto uses kernel part, for benchmark */
++#define CRYPT_BACKEND_KERNEL     (1 << 0) /* Crypto uses kernel part, for benchmark */
++#define CRYPT_BACKEND_PBKDF2_INT (1 << 1) /* Iteration in PBKDF2 is signed int and can overflow */
  uint32_t crypt_backend_flags(void);
  const char *crypt_backend_version(void);
@@ -88,6 +90,7 @@ int crypt_pbkdf_perf(const char *kdf, const char *hash,
  /* CRC32 */
  uint32_t crypt_crc32(uint32_t seed, const unsigned char *buf, size_t len);
++uint32_t crypt_crc32c(uint32_t seed, const unsigned char *buf, size_t len);
  /* Base64 */
  int crypt_base64_encode(char **out, size_t *out_length, const char *in, size_t in_length);
@@ -152,4 +155,7 @@ static inline void crypt_backend_memzero(void *s, size_t n)
  /* Memcmp helper (memcmp in constant time) */
  int crypt_backend_memeq(const void *m1, const void *m2, size_t n);
++/* crypto backend running in FIPS mode */
++bool crypt_fips_mode(void);
++
  #endif /* _CRYPTO_BACKEND_H */
 diff --git a/lib/crypto_backend/crypto_backend_internal.h b/lib/crypto_backend/crypto_backend_internal.h
 index ce40d3c..9b1cc69 100644
 --- a/lib/crypto_backend/crypto_backend_internal.h
 +++ b/lib/crypto_backend/crypto_backend_internal.h
@@ -1,8 +1,8 @@
  /*
   * crypto backend implementation
+  *
-- * Copyright (C) 2010-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2010-2022 Milan Broz
++ * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2010-2023 Milan Broz
+  *
   * This file is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
 diff --git a/lib/crypto_backend/crypto_cipher_kernel.c b/lib/crypto_backend/crypto_cipher_kernel.c
 index e11c158..3460717 100644
 --- a/lib/crypto_backend/crypto_cipher_kernel.c
 +++ b/lib/crypto_backend/crypto_cipher_kernel.c
@@ -1,8 +1,8 @@
  /*
   * Linux kernel userspace API crypto backend implementation (skcipher)
+  *
-- * Copyright (C) 2012-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2012-2022 Milan Broz
++ * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2012-2023 Milan Broz
+  *
   * This file is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
 diff --git a/lib/crypto_backend/crypto_gcrypt.c b/lib/crypto_backend/crypto_gcrypt.c
 index 8d9767d..e974aa8 100644
 --- a/lib/crypto_backend/crypto_gcrypt.c
 +++ b/lib/crypto_backend/crypto_gcrypt.c
@@ -1,8 +1,8 @@
  /*
   * GCRYPT crypto backend implementation
+  *
-- * Copyright (C) 2010-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2010-2022 Milan Broz
++ * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2010-2023 Milan Broz
+  *
   * This file is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
@@ -22,7 +22,6 @@
  #include <string.h>
  #include <stdio.h>
  #include <errno.h>
--#include <assert.h>
  #include <gcrypt.h>
  #include "crypto_backend_internal.h"
@@ -555,3 +554,20 @@ int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
+ {
  	return crypt_internal_memeq(m1, m2, n);
+ }
++
++#if !ENABLE_FIPS
++bool crypt_fips_mode(void) { return false; }
++#else
++bool crypt_fips_mode(void)
++{
++	static bool fips_mode = false, fips_checked = false;
++
++	if (fips_checked)
++		return fips_mode;
++
++	fips_mode = gcry_fips_mode_active();
++	fips_checked = true;
++
++	return fips_mode;
++}
++#endif /* ENABLE FIPS */
 diff --git a/lib/crypto_backend/crypto_kernel.c b/lib/crypto_backend/crypto_kernel.c
 index 98f7477..8493c0a 100644
 --- a/lib/crypto_backend/crypto_kernel.c
 +++ b/lib/crypto_backend/crypto_kernel.c
@@ -1,8 +1,8 @@
  /*
   * Linux kernel userspace API crypto backend implementation
+  *
-- * Copyright (C) 2010-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2010-2022 Milan Broz
++ * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2010-2023 Milan Broz
+  *
   * This file is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
@@ -421,3 +421,8 @@ int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
+ {
  	return crypt_internal_memeq(m1, m2, n);
+ }
++
++bool crypt_fips_mode(void)
++{
++	return false;
++}
 diff --git a/lib/crypto_backend/crypto_nettle.c b/lib/crypto_backend/crypto_nettle.c
 index f74b15b..086e4fc 100644
 --- a/lib/crypto_backend/crypto_nettle.c
 +++ b/lib/crypto_backend/crypto_nettle.c
@@ -1,8 +1,8 @@
  /*
   * Nettle crypto backend implementation
+  *
-- * Copyright (C) 2011-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2011-2022 Milan Broz
++ * Copyright (C) 2011-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2011-2023 Milan Broz
+  *
   * This file is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
@@ -453,3 +453,8 @@ int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
  	/* The logic is inverse to memcmp... */
  	return !memeql_sec(m1, m2, n);
+ }
++
++bool crypt_fips_mode(void)
++{
++	return false;
++}
 diff --git a/lib/crypto_backend/crypto_nss.c b/lib/crypto_backend/crypto_nss.c
 index ffeba38..c154812 100644
 --- a/lib/crypto_backend/crypto_nss.c
 +++ b/lib/crypto_backend/crypto_nss.c
@@ -1,8 +1,8 @@
  /*
   * NSS crypto backend implementation
+  *
-- * Copyright (C) 2010-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2010-2022 Milan Broz
++ * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2010-2023 Milan Broz
+  *
   * This file is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
@@ -400,3 +400,8 @@ int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
+ {
  	return NSS_SecureMemcmp(m1, m2, n);
+ }
++
++bool crypt_fips_mode(void)
++{
++	return false;
++}
 diff --git a/lib/crypto_backend/crypto_openssl.c b/lib/crypto_backend/crypto_openssl.c
 index 006c20f..607ec38 100644
 --- a/lib/crypto_backend/crypto_openssl.c
 +++ b/lib/crypto_backend/crypto_openssl.c
@@ -1,8 +1,8 @@
  /*
   * OPENSSL crypto backend implementation
+  *
-- * Copyright (C) 2010-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2010-2022 Milan Broz
++ * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2010-2023 Milan Broz
+  *
   * This file is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
@@ -30,6 +30,7 @@
  #include <string.h>
  #include <errno.h>
++#include <limits.h>
  #include <openssl/crypto.h>
  #include <openssl/evp.h>
  #include <openssl/hmac.h>
@@ -231,7 +232,11 @@ void crypt_backend_destroy(void)
  uint32_t crypt_backend_flags(void)
+ {
++#if OPENSSL_VERSION_MAJOR >= 3
  	return 0;
++#else
++	return CRYPT_BACKEND_PBKDF2_INT;
++#endif
+ }
  const char *crypt_backend_version(void)
@@ -574,6 +579,10 @@ static int openssl_pbkdf2(const char *password, size_t password_length,
  	if (!hash_id)
  		return -EINVAL;
++	/* OpenSSL2 has iteration as signed int, avoid overflow */
++	if (iterations > INT_MAX)
++		return -EINVAL;
++
  	r = PKCS5_PBKDF2_HMAC(password, (int)password_length, (const unsigned char *)salt,
  		(int)salt_length, iterations, hash_id, (int)key_length, (unsigned char*) key);
  #endif
@@ -812,3 +821,29 @@ int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
+ {
  	return CRYPTO_memcmp(m1, m2, n);
+ }
++
++#if !ENABLE_FIPS
++bool crypt_fips_mode(void) { return false; }
++#else
++static bool openssl_fips_mode(void)
++{
++#if OPENSSL_VERSION_MAJOR >= 3
++	return EVP_default_properties_is_fips_enabled(NULL);
++#else
++	return FIPS_mode();
++#endif
++}
++
++bool crypt_fips_mode(void)
++{
++	static bool fips_mode = false, fips_checked = false;
++
++	if (fips_checked)
++		return fips_mode;
++
++	fips_mode = openssl_fips_mode();
++	fips_checked = true;
++
++	return fips_mode;
++}
++#endif /* ENABLE FIPS */
 diff --git a/lib/crypto_backend/crypto_storage.c b/lib/crypto_backend/crypto_storage.c
 index 4e9aec5..13479dd 100644
 --- a/lib/crypto_backend/crypto_storage.c
 +++ b/lib/crypto_backend/crypto_storage.c
@@ -2,7 +2,7 @@
   * Generic wrapper for storage encryption modes and Initial Vectors
   * (reimplementation of some functions from Linux dm-crypt kernel)
+  *
-- * Copyright (C) 2014-2022 Milan Broz
++ * Copyright (C) 2014-2023 Milan Broz
+  *
   * This file is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
 diff --git a/lib/crypto_backend/pbkdf2_generic.c b/lib/crypto_backend/pbkdf2_generic.c
 index a0afbdf..9e87e19 100644
 --- a/lib/crypto_backend/pbkdf2_generic.c
 +++ b/lib/crypto_backend/pbkdf2_generic.c
@@ -4,8 +4,8 @@
   * Copyright (C) 2004 Free Software Foundation
+  *
   * cryptsetup related changes
-- * Copyright (C) 2012-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2012-2022 Milan Broz
++ * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2012-2023 Milan Broz
+  *
   * This file is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
 diff --git a/lib/crypto_backend/pbkdf_check.c b/lib/crypto_backend/pbkdf_check.c
 index 428ca2d..53a2da9 100644
 --- a/lib/crypto_backend/pbkdf_check.c
 +++ b/lib/crypto_backend/pbkdf_check.c
@@ -1,7 +1,7 @@
  /*
   * PBKDF performance check
-- * Copyright (C) 2012-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2012-2022 Milan Broz
++ * Copyright (C) 2012-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2012-2023 Milan Broz
   * Copyright (C) 2016-2020 Ondrej Mosnacek
+  *
   * This file is free software; you can redistribute it and/or
 diff --git a/lib/crypto_backend/utf8.c b/lib/crypto_backend/utf8.c
 index cba5033..24e0d8d 100644
 --- a/lib/crypto_backend/utf8.c
 +++ b/lib/crypto_backend/utf8.c
@@ -4,7 +4,7 @@
   * Copyright (C) 2010 Lennart Poettering
+  *
   * cryptsetup related changes
-- * Copyright (C) 2021-2022 Vojtech Trefny
++ * Copyright (C) 2021-2023 Vojtech Trefny
   * Parts of the original systemd implementation are based on the GLIB utf8
   * validation functions.
@@ -28,7 +28,6 @@
   * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
   */
--#include <assert.h>
  #include <errno.h>
  #include <endian.h>
 diff --git a/lib/fvault2/fvault2.c b/lib/fvault2/fvault2.c
 new file mode 100644
 index 0000000..0b0c9ce
 --- /dev/null
 +++ b/lib/fvault2/fvault2.c
@@ -0,0 +1,1057 @@
++/*
++ * FVAULT2 (FileVault2-compatible) volume handling
++ *
++ * Copyright (C) 2021-2022 Pavel Tobias
++ *
++ * This file is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++ *
++ * This file is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this file; if not, write to the Free Software
++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++ */
++
++#include <errno.h>
++#include <regex.h>
++#include <stdio.h>
++#include <uuid/uuid.h>
++
++#include "internal.h"
++#include "fvault2.h"
++
++/* Core Storage signature/magic; "CS" big-endian */
++#define FVAULT2_CORE_STORAGE_MAGIC 0x4353
++
++/* size of the physical volume header in bytes */
++#define FVAULT2_VOL_HEADER_SIZE 512
++
++/* size of a single metadata block in bytes */
++#define FVAULT2_MD_BLOCK_SIZE 8192
++
++/* maximal offset to read metadata block */
++#define FVAULT2_MAX_OFF 1024*1024*1024
++
++/* encrypted metadata parsing progress flags (see _read_encrypted_metadata) */
++#define FVAULT2_ENC_MD_PARSED_0x0019 0b001
++#define FVAULT2_ENC_MD_PARSED_0x001A 0b010
++#define FVAULT2_ENC_MD_PARSED_0x0305 0b100
++#define FVAULT2_ENC_MD_PARSED_NONE 0b000
++#define FVAULT2_ENC_MD_PARSED_ALL 0b111
++
++/* sizes of decoded PassphraseWrappedKEKStruct and KEKWrappedVolumeKeyStruct */
++#define FVAULT2_PWK_SIZE 284
++#define FVAULT2_KWVK_SIZE 256
++
++/* size of an AES-128 key */
++#define FVAULT2_AES_KEY_SIZE 16
++
++/* size of the volume key and the encrypted metadata decryption key */
++#define FVAULT2_XTS_KEY_SIZE (FVAULT2_AES_KEY_SIZE * 2)
++
++/* size of an XTS tweak value */
++#define FVAULT2_XTS_TWEAK_SIZE 16
++
++/* size of a binary representation of a UUID */
++#define FVAULT2_UUID_BIN_SIZE 16
++
++struct crc32_checksum {
++	uint32_t value;
++	uint32_t seed;
++} __attribute__((packed));
++
++struct volume_header {
++	struct crc32_checksum checksum;
++	uint16_t version;
++	uint16_t block_type;
++	uint8_t unknown1[52];
++	uint64_t ph_vol_size;
++	uint8_t unknown2[16];
++	uint16_t magic;
++	uint32_t checksum_algo;
++	uint8_t unknown3[2];
++	uint32_t block_size;
++	uint32_t metadata_size;
++	uint64_t disklbl_blkoff;
++	uint64_t other_md_blkoffs[3];
++	uint8_t unknown4[32];
++	uint32_t key_data_size;
++	uint32_t cipher;
++	uint8_t key_data[FVAULT2_AES_KEY_SIZE];
++	uint8_t unknown5[112];
++	uint8_t ph_vol_uuid[FVAULT2_UUID_BIN_SIZE];
++	uint8_t unknown6[192];
++} __attribute__((packed));
++
++struct volume_groups_descriptor {
++	uint8_t unknown1[8];
++	uint64_t enc_md_blocks_n;
++	uint8_t unknown2[16];
++	uint64_t enc_md_blkoff;
++} __attribute__((packed));
++
++struct metadata_block_header {
++	struct crc32_checksum checksum;
++	uint16_t version;
++	uint16_t block_type;
++	uint8_t unknown1[20];
++	uint64_t block_num;
++	uint8_t unknown2[8];
++	uint32_t block_size;
++	uint8_t unknown3[12];
++} __attribute__((packed));
++
++struct metadata_block_0x0011 {
++	struct metadata_block_header header;
++	uint32_t md_size;
++	uint8_t unknown1[4];
++	struct crc32_checksum checksum;
++	uint8_t unknown2[140];
++	uint32_t vol_gr_des_off;
++} __attribute__((packed));
++
++struct metadata_block_0x0019 {
++	struct metadata_block_header header;
++	uint8_t unknown1[40];
++	uint32_t xml_comp_size;
++	uint32_t xml_uncomp_size;
++	uint32_t xml_off;
++	uint32_t xml_size;
++} __attribute__((packed));
++
++struct metadata_block_0x001a {
++	struct metadata_block_header header;
++	uint8_t unknown1[64];
++	uint32_t xml_off;
++	uint32_t xml_size;
++} __attribute__((packed));
++
++struct metadata_block_0x0305 {
++	struct metadata_block_header header;
++	uint32_t entries_n;
++	uint8_t unknown1[36];
++	uint32_t log_vol_blkoff;
++} __attribute__((packed));
++
++struct passphrase_wrapped_kek {
++	uint32_t pbkdf2_salt_type;
++	uint32_t pbkdf2_salt_size;
++	uint8_t pbkdf2_salt[FVAULT2_PBKDF2_SALT_SIZE];
++	uint32_t wrapped_kek_type;
++	uint32_t wrapped_kek_size;
++	uint8_t wrapped_kek[FVAULT2_WRAPPED_KEY_SIZE];
++	uint8_t unknown1[112];
++	uint32_t pbkdf2_iters;
++} __attribute__((packed));
++
++struct kek_wrapped_volume_key {
++	uint32_t wrapped_vk_type;
++	uint32_t wrapped_vk_size;
++	uint8_t wrapped_vk[FVAULT2_WRAPPED_KEY_SIZE];
++} __attribute__((packed));
++
++/**
++ * Test whether all bytes of a chunk of memory are equal to a constant value.
++ * @param[in] value the value all bytes should be equal to
++ * @param[in] data the tested chunk of memory
++ * @param[in] data_size byte-size of the chunk of memory
++ */
++static bool _filled_with(
++	uint8_t value,
++	const void *data,
++	size_t data_size)
++{
++	const uint8_t *data_bytes = data;
++	size_t i;
++
++	for (i = 0; i < data_size; i++)
++		if (data_bytes[i] != value)
++			return false;
++
++	return true;
++}
++
++/**
++ * Assert the validity of the CRC checksum of a chunk of memory.
++ * @param[in] data a chunk of memory starting with a crc32_checksum struct
++ * @param[in] data_size the size of the chunk of memory in bytes
++ */
++static int _check_crc(
++	const void *data,
++	size_t data_size)
++{
++	const size_t crc_size = sizeof(struct crc32_checksum);
++	uint32_t seed;
++	uint32_t value;
++
++	assert(data_size >= crc_size);
++
++	value = le32_to_cpu(((const struct crc32_checksum *)data)->value);
++	seed = le32_to_cpu(((const struct crc32_checksum *)data)->seed);
++	if (seed != 0xffffffff)
++		return -EINVAL;
++
++	if (crypt_crc32c(seed, (const uint8_t *)data + crc_size,
++			data_size - crc_size) != value)
++		return -EINVAL;
++
++	return 0;
++}
++
++/**
++ * Unwrap an AES-wrapped key.
++ * @param[in] kek the KEK with which the key has been wrapped
++ * @param[in] kek_size the size of the KEK in bytes
++ * @param[in] key_wrapped the wrapped key
++ * @param[in] key_wrapped_size the size of the wrapped key in bytes
++ * @param[out] key_buf key an output buffer for the unwrapped key
++ * @param[in] key_buf_size the size of the output buffer in bytes
++ */
++static int _unwrap_key(
++	const void *kek,
++	size_t kek_size,
++	const void *key_wrapped,
++	size_t key_wrapped_size,
++	void *key_buf,
++	size_t key_buf_size)
++{
++	/* Algorithm and notation taken from NIST Special Publication 800-38F:
++	https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
++
++	This implementation supports only 128-bit KEKs and wrapped keys. */
++
++	int r = 0;
++	struct crypt_cipher *cipher = NULL;
++	void *cipher_in = NULL;
++	void *cipher_out = NULL;
++	uint64_t a;
++	uint64_t r2;
++	uint64_t r3;
++	uint64_t t;
++	uint64_t r2_prev;
++
++	assert(kek_size == 16 && key_wrapped_size == 24 && key_buf_size == 16);
++
++	r = crypt_cipher_init(&cipher, "aes", "ecb", kek, kek_size);
++	if (r < 0)
++		goto out;
++
++	cipher_in = malloc(16);
++	if (cipher_in == NULL) {
++		r = -ENOMEM;
++		goto out;
++	}
++
++	cipher_out = malloc(16);
++	if (cipher_out == NULL) {
++		r = -ENOMEM;
++		goto out;
++	}
++
++	/* CHAPTER 6.1, ALGORITHM 2: W^-1(C) */
++
++	/* initialize variables */
++	a = ((const uint64_t *)key_wrapped)[0]; /* A = C_1 (see step 1c) */
++	r2 = ((const uint64_t *)key_wrapped)[1]; /* R_1 = C_2 (see step 1d) */
++	r3 = ((const uint64_t *)key_wrapped)[2]; /* R_2 = C_3 (see step 1d) */
++
++	/* calculate intermediate values for each t = s, ..., 1 (see step 2),
++	where s = 6 * (n - 1) (see step 1a) */
++	for (t = 6 * (3 - 1); t > 0; t--) {
++		/* store current R2 for later assignment (see step 2c) */
++		r2_prev = r2;
++
++		/* prepare input for CIPH^{-1}_K (see steps 2a, 2b) */
++		((uint64_t *)cipher_in)[0] = a ^ cpu_to_be64(t);
++		((uint64_t *)cipher_in)[1] = r3;
++
++		/* A||R2 = CIPH^{-1}_K(...) (see steps 2a, 2b) */
++		r = crypt_cipher_decrypt(cipher, cipher_in, cipher_out, 16, NULL, 0);
++		if (r < 0)
++			goto out;
++		a = ((uint64_t *)cipher_out)[0];
++		r2 = ((uint64_t *)cipher_out)[1];
++
++		/* assign previous R2 (see step 2c) */
++		r3 = r2_prev;
++	}
++
++	/* note that A||R_1||R_2 holds the result S (see step 3) */
++
++	/* CHAPTER 6.2, ALGORITHM 4: KW-AD(C) */
++
++	/* check whether MSB_{64}(S) (= A) matches ICV1 (see step 3) */
++	if (a != 0xA6A6A6A6A6A6A6A6) {
++		r = -EPERM;
++		goto out;
++	}
++
++	/* return LSB_{128}(S) (= R_1||R_2) (see step 4) */
++	((uint64_t *)key_buf)[0] = r2;
++	((uint64_t *)key_buf)[1] = r3;
++out:
++	free(cipher_in);
++	free(cipher_out);
++	if (cipher != NULL)
++		crypt_cipher_destroy(cipher);
++	return r;
++}
++
++/**
++ * Search XML plist data for a property and return its value.
++ * @param[in] xml a 0-terminated string containing the XML plist data
++ * @param[in] prop_key a 0-terminated string with the seeked property's key
++ * @param[in] prop_type a 0-terminated string with the seeked property's type
++ * @param[out] value a 0-terminated string with the found property's value
++ */
++static int _search_xml(
++	const char *xml,
++	const char *prop_key,
++	const char *prop_type,
++	char **value)
++{
++	int r = 0;
++	char *pattern = NULL;
++	bool regex_ready = false;
++	regex_t regex;
++	regmatch_t match[2];
++	const char *value_start;
++	size_t value_len;
++
++	if (asprintf(&pattern, "<key>%s</key><%s[^>]*>([^<]+)</%s>",
++			prop_key, prop_type, prop_type) < 0) {
++		r = -ENOMEM;
++		goto out;
++	}
++
++	if (regcomp(&regex, pattern, REG_EXTENDED) != 0) {
++		r = -EINVAL;
++		goto out;
++	}
++
++	regex_ready = true;
++
++	if (regexec(&regex, xml, 2, match, 0) != 0) {
++		r = -EINVAL;
++		goto out;
++	}
++
++	value_start = xml + match[1].rm_so;
++	value_len = match[1].rm_eo - match[1].rm_so;
++
++	*value = calloc(value_len + 1, 1);
++	if (*value == NULL) {
++		r = -ENOMEM;
++		goto out;
++	}
++
++	memcpy(*value, value_start, value_len);
++out:
++	free(pattern);
++	if (regex_ready)
++		regfree(&regex);
++	return r;
++}
++
++/**
++ * Extract relevant info from a metadata block of type 0x0019.
++ * @param[in] md_block the pre-read and decrypted metadata block
++ * @param[out] pbkdf2_iters number of PBKDF2 iterations
++ * @param[out] pbkdf2_salt PBKDF2 salt (intermt. key derivation from passphrase)
++ * @param[out] wrapped_kek KEK AES-wrapped with passphrase-derived key
++ * @param[out] wrapped_vk volume key AES-wrapped with KEK
++ */
++static int _parse_metadata_block_0x0019(
++	const struct metadata_block_0x0019 *md_block,
++	uint32_t *pbkdf2_iters,
++	uint8_t *pbkdf2_salt,
++	uint8_t *wrapped_kek,
++	uint8_t *wrapped_vk)
++{
++	int r = 0;
++	char *xml = NULL;
++	char *pwk_base64 = NULL;
++	char *kwvk_base64 = NULL;
++	struct passphrase_wrapped_kek *pwk = NULL;
++	struct kek_wrapped_volume_key *kwvk = NULL;
++	size_t decoded_size;
++	uint32_t xml_off = le32_to_cpu(md_block->xml_off);
++	uint32_t xml_size = le32_to_cpu(md_block->xml_size);
++
++	if (xml_off + xml_size > FVAULT2_MD_BLOCK_SIZE)
++		return -EINVAL;
++
++	xml = strndup((const char *)md_block + xml_off, xml_size);
++	if (xml == NULL)
++		return -ENOMEM;
++
++	r = _search_xml(xml, "PassphraseWrappedKEKStruct", "data", &pwk_base64);
++	if (r < 0)
++		goto out;
++	r = crypt_base64_decode((char **)&pwk, &decoded_size, pwk_base64, strlen(pwk_base64));
++	if (r < 0)
++		goto out;
++	if (decoded_size != FVAULT2_PWK_SIZE) {
++		r = -EINVAL;
++		goto out;
++	}
++
++	r = _search_xml(xml, "KEKWrappedVolumeKeyStruct", "data", &kwvk_base64);
++	if (r < 0)
++		goto out;
++	r = crypt_base64_decode((char **)&kwvk, &decoded_size, kwvk_base64, strlen(kwvk_base64));
++	if (r < 0)
++		goto out;
++	if (decoded_size != FVAULT2_KWVK_SIZE) {
++		r = -EINVAL;
++		goto out;
++	}
++
++	*pbkdf2_iters = le32_to_cpu(pwk->pbkdf2_iters);
++	memcpy(pbkdf2_salt, pwk->pbkdf2_salt, FVAULT2_PBKDF2_SALT_SIZE);
++	memcpy(wrapped_kek, pwk->wrapped_kek, FVAULT2_WRAPPED_KEY_SIZE);
++	memcpy(wrapped_vk, kwvk->wrapped_vk, FVAULT2_WRAPPED_KEY_SIZE);
++out:
++	free(xml);
++	free(pwk_base64);
++	free(kwvk_base64);
++	free(pwk);
++	free(kwvk);
++	return r;
++}
++
++/**
++ * Validate a UUID string and reformat it to match system defaults.
++ * @param[in] uuid_in the original UUID string
++ * @param[out] uuid_out the reformatted UUID string
++ */
++static int _reformat_uuid(
++	const char *uuid_in,
++	char *uuid_out)
++{
++	uint8_t uuid_bin[FVAULT2_UUID_LEN];
++	int r;
++
++	r = uuid_parse(uuid_in, uuid_bin);
++	if (r < 0)
++		return -EINVAL;
++
++	uuid_unparse(uuid_bin, uuid_out);
++	return 0;
++}
++
++/**
++ * Extract relevant info from a metadata block of type 0x001A.
++ * @param[in] md_block the pre-read and decrypted metadata block
++ * @param[out] log_vol_size encrypted logical volume size in bytes
++ * @param[out] family_uuid logical volume family UUID
++ */
++static int _parse_metadata_block_0x001a(
++	const struct metadata_block_0x001a *md_block,
++	uint64_t *log_vol_size,
++	char *family_uuid)
++{
++	int r = 0;
++	char *xml = NULL;
++	char *log_vol_size_str = NULL;
++	char *family_uuid_str = NULL;
++	uint32_t xml_off = le32_to_cpu(md_block->xml_off);
++	uint32_t xml_size = le32_to_cpu(md_block->xml_size);
++
++	if (xml_off + xml_size > FVAULT2_MD_BLOCK_SIZE)
++		return -EINVAL;
++
++	xml = strndup((const char *)md_block + xml_off, xml_size);
++	if (xml == NULL)
++		return -ENOMEM;
++
++	r = _search_xml(xml, "com.apple.corestorage.lv.size", "integer", &log_vol_size_str);
++	if (r < 0)
++		goto out;
++	*log_vol_size = strtoull(log_vol_size_str, NULL, 16);
++	if (*log_vol_size == 0 || *log_vol_size == ULLONG_MAX) {
++		r = -EINVAL;
++		goto out;
++	}
++
++	r = _search_xml(xml, "com.apple.corestorage.lv.familyUUID", "string", &family_uuid_str);
++	if (r < 0)
++		goto out;
++	r = _reformat_uuid(family_uuid_str, family_uuid);
++	if (r < 0)
++		goto out;
++out:
++	free(xml);
++	free(log_vol_size_str);
++	free(family_uuid_str);
++	return r;
++}
++
++/**
++ * Extract relevant info from a metadata block of type 0x0305.
++ * @param[in] md_block the pre-read and decrypted metadata block
++ * @param[out] log_vol_blkoff block-offset of the encrypted logical volume
++ */
++static int _parse_metadata_block_0x0305(
++	const struct metadata_block_0x0305 *md_block,
++	uint32_t *log_vol_blkoff)
++{
++	*log_vol_blkoff = le32_to_cpu(md_block->log_vol_blkoff);
++	return 0;
++}
++
++/**
++ * Extract relevant info from the physical volume header.
++ * @param[in] devfd opened device file descriptor
++ * @param[in] cd crypt_device passed into FVAULT2_read_metadata
++ * @param[out] block_size used to compute byte-offsets from block-offsets
++ * @param[out] disklbl_blkoff block-offset of the disk label block
++ * @param[out] ph_vol_uuid physical volume UUID
++ * @param[out] enc_md_key AES-XTS key used to decrypt the encrypted metadata
++ */
++static int _read_volume_header(
++	int devfd,
++	struct crypt_device *cd,
++	uint64_t *block_size,
++	uint64_t *disklbl_blkoff,
++	char *ph_vol_uuid,
++	struct volume_key **enc_md_key)
++{
++	int r = 0;
++	struct device *dev = crypt_metadata_device(cd);
++	struct volume_header *vol_header = NULL;
++
++	assert(sizeof(*vol_header) == FVAULT2_VOL_HEADER_SIZE);
++
++	vol_header = malloc(FVAULT2_VOL_HEADER_SIZE);
++	if (vol_header == NULL) {
++		r = -ENOMEM;
++		goto out;
++	}
++
++	log_dbg(cd, "Reading FVAULT2 volume header of size %u bytes.", FVAULT2_VOL_HEADER_SIZE);
++	if (read_blockwise(devfd, device_block_size(cd, dev),
++			device_alignment(dev), vol_header,
++			FVAULT2_VOL_HEADER_SIZE) != FVAULT2_VOL_HEADER_SIZE) {
++		log_err(cd, _("Could not read %u bytes of volume header."), FVAULT2_VOL_HEADER_SIZE);
++		r = -EIO;
++		goto out;
++	}
++
++	r = _check_crc(vol_header, FVAULT2_VOL_HEADER_SIZE);
++	if (r < 0) {
++		log_dbg(cd, "CRC mismatch.");
++		goto out;
++	}
++
++	if (le16_to_cpu(vol_header->version) != 1) {
++		log_err(cd, _("Unsupported FVAULT2 version %" PRIu16 "."),
++			le16_to_cpu(vol_header->version));
++		r = -EINVAL;
++		goto out;
++	}
++
++	if (be16_to_cpu(vol_header->magic) != FVAULT2_CORE_STORAGE_MAGIC) {
++		log_dbg(cd, "Invalid Core Storage magic bytes.");
++		r = -EINVAL;
++		goto out;
++	}
++
++	if (le32_to_cpu(vol_header->key_data_size) != FVAULT2_AES_KEY_SIZE) {
++		log_dbg(cd, "Unsupported AES key size: %" PRIu32 " bytes.",
++			le32_to_cpu(vol_header->key_data_size));
++		r = -EINVAL;
++		goto out;
++	}
++
++	*enc_md_key = crypt_alloc_volume_key(FVAULT2_XTS_KEY_SIZE, NULL);
++	if (*enc_md_key == NULL) {
++		r = -ENOMEM;
++		goto out;
++	}
++
++	*block_size = le32_to_cpu(vol_header->block_size);
++	*disklbl_blkoff = le64_to_cpu(vol_header->disklbl_blkoff);
++	uuid_unparse(vol_header->ph_vol_uuid, ph_vol_uuid);
++	memcpy((*enc_md_key)->key, vol_header->key_data, FVAULT2_AES_KEY_SIZE);
++	memcpy((*enc_md_key)->key + FVAULT2_AES_KEY_SIZE,
++		vol_header->ph_vol_uuid, FVAULT2_AES_KEY_SIZE);
++out:
++	free(vol_header);
++	return r;
++}
++
++/**
++ * Extract info from the disk label block and the volume groups descriptor.
++ * @param[in] devfd opened device file descriptor
++ * @param[in] cd crypt_device passed into FVAULT2_read_metadata
++ * @param[in] block_size used to compute byte-offsets from block-offsets
++ * @param[in] disklbl_blkoff block-offset of the disk label block
++ * @param[out] enc_md_blkoff block-offset of the encrypted metadata
++ * @param[out] enc_md_blocks_n total count of encrypted metadata blocks
++ */
++static int _read_disklabel(
++	int devfd,
++	struct crypt_device *cd,
++	uint64_t block_size,
++	uint64_t disklbl_blkoff,
++	uint64_t *enc_md_blkoff,
++	uint64_t *enc_md_blocks_n)
++{
++	int r = 0;
++	uint64_t off;
++	ssize_t size;
++	void *md_block = NULL;
++	struct metadata_block_0x0011 *md_block_11;
++	struct volume_groups_descriptor *vol_gr_des = NULL;
++	struct device *dev = crypt_metadata_device(cd);
++
++	md_block = malloc(FVAULT2_MD_BLOCK_SIZE);
++	if (md_block == NULL) {
++		r = -ENOMEM;
++		goto out;
++	}
++
++	if (uint64_mult_overflow(&off, disklbl_blkoff, block_size) ||
++	    off > FVAULT2_MAX_OFF) {
++		log_dbg(cd, "Device offset overflow.");
++		r = -EINVAL;
++		goto out;
++	}
++	size = FVAULT2_MD_BLOCK_SIZE;
++	log_dbg(cd, "Reading FVAULT2 disk label header of size %zu bytes.", size);
++	if (read_lseek_blockwise(devfd, device_block_size(cd, dev),
++			device_alignment(dev), md_block, size, off) != size) {
++		r = -EIO;
++		goto out;
++	}
++
++	r = _check_crc(md_block, FVAULT2_MD_BLOCK_SIZE);
++	if (r < 0) {
++		log_dbg(cd, "CRC mismatch.");
++		goto out;
++	}
++
++	vol_gr_des = malloc(sizeof(*vol_gr_des));
++	if (vol_gr_des == NULL) {
++		r = -ENOMEM;
++		goto out;
++	}
++
++	md_block_11 = md_block;
++	off += le32_to_cpu(md_block_11->vol_gr_des_off);
++	if (off > FVAULT2_MAX_OFF) {
++		log_dbg(cd, "Device offset overflow.");
++		r = -EINVAL;
++		goto out;
++	}
++	size = sizeof(struct volume_groups_descriptor);
++	log_dbg(cd, "Reading FVAULT2 volume groups descriptor of size %zu bytes.", size);
++	if (read_lseek_blockwise(devfd, device_block_size(cd, dev),
++			device_alignment(dev), vol_gr_des, size, off) != size) {
++		r = -EIO;
++		goto out;
++	}
++
++	*enc_md_blkoff = le64_to_cpu(vol_gr_des->enc_md_blkoff);
++	*enc_md_blocks_n = le64_to_cpu(vol_gr_des->enc_md_blocks_n);
++out:
++	free(md_block);
++	free(vol_gr_des);
++	return r;
++}
++
++/**
++ * Extract info from relevant encrypted metadata blocks.
++ * @param[in] devfd opened device file descriptor
++ * @param[in] cd crypt_device passed into FVAULT2_read_metadata
++ * @param[in] block_size used to compute byte-offsets from block-offsets
++ * @param[in] start_blkoff block-offset of the start of the encrypted metadata
++ * @param[in] blocks_n total count of encrypted metadata blocks
++ * @param[in] key AES-XTS key for decryption
++ * @param[out] params decryption parameters struct to fill
++ */
++static int _read_encrypted_metadata(
++	int devfd,
++	struct crypt_device *cd,
++	uint64_t block_size,
++	uint64_t start_blkoff,
++	uint64_t blocks_n,
++	const struct volume_key *key,
++	struct fvault2_params *params)
++{
++	int r = 0;
++	int status = FVAULT2_ENC_MD_PARSED_NONE;
++	struct device *dev = crypt_metadata_device(cd);
++	struct crypt_cipher *cipher = NULL;
++	void *tweak;
++	void *md_block_enc = NULL;
++	void *md_block = NULL;
++	struct metadata_block_header *md_block_header;
++	uint32_t log_vol_blkoff;
++	uint64_t i, start_off;
++	off_t off;
++	unsigned int block_type;
++
++	tweak = calloc(FVAULT2_XTS_TWEAK_SIZE, 1);
++	if (tweak == NULL) {
++		r = -ENOMEM;
++		goto out;
++	}
++
++	md_block_enc = malloc(FVAULT2_MD_BLOCK_SIZE);
++	if (md_block_enc == NULL) {
++		r = -ENOMEM;
++		goto out;
++	}
++
++	md_block = malloc(FVAULT2_MD_BLOCK_SIZE);
++	if (md_block == NULL) {
++		r = -ENOMEM;
++		goto out;
++	}
++
++	r = crypt_cipher_init(&cipher, "aes", "xts", key->key, FVAULT2_XTS_KEY_SIZE);
++	if (r < 0)
++		goto out;
++
++	if (uint64_mult_overflow(&start_off, start_blkoff, block_size) ||
++	    start_off > FVAULT2_MAX_OFF) {
++		log_dbg(cd, "Device offset overflow.");
++		r = -EINVAL;
++		goto out;
++	}
++
++	log_dbg(cd, "Reading FVAULT2 encrypted metadata blocks.");
++	for (i = 0; i < blocks_n; i++) {
++		off = start_off + i * FVAULT2_MD_BLOCK_SIZE;
++		if (off > FVAULT2_MAX_OFF) {
++			log_dbg(cd, "Device offset overflow.");
++			r = -EINVAL;
++			goto out;
++		}
++		if (read_lseek_blockwise(devfd, device_block_size(cd, dev),
++				device_alignment(dev), md_block_enc,
++				FVAULT2_MD_BLOCK_SIZE, off)
++				!= FVAULT2_MD_BLOCK_SIZE) {
++			r = -EIO;
++			goto out;
++		}
++
++		if (_filled_with(0, md_block_enc, FVAULT2_MD_BLOCK_SIZE))
++			break;
++
++		*(uint64_t *)tweak = cpu_to_le64(i);
++		r = crypt_cipher_decrypt(cipher, md_block_enc, md_block,
++			FVAULT2_MD_BLOCK_SIZE, tweak, FVAULT2_XTS_TWEAK_SIZE);
++		if (r < 0)
++			goto out;
++
++		r = _check_crc(md_block, FVAULT2_MD_BLOCK_SIZE);
++		if (r < 0) {
++			log_dbg(cd, "CRC mismatch.");
++			goto out;
++		}
++
++		md_block_header = md_block;
++		block_type = le16_to_cpu(md_block_header->block_type);
++		switch (block_type) {
++		case 0x0019:
++			log_dbg(cd, "Get FVAULT2 metadata block %" PRIu64 " type 0x0019.", i);
++			r = _parse_metadata_block_0x0019(md_block,
++				&params->pbkdf2_iters,
++				(uint8_t *)params->pbkdf2_salt,
++				(uint8_t *)params->wrapped_kek,
++				(uint8_t *)params->wrapped_vk);
++			if (r < 0)
++				goto out;
++			status |= FVAULT2_ENC_MD_PARSED_0x0019;
++			break;
++
++		case 0x001A:
++			log_dbg(cd, "Get FVAULT2 metadata block %" PRIu64 " type 0x001A.", i);
++			r = _parse_metadata_block_0x001a(md_block,
++				&params->log_vol_size,
++				params->family_uuid);
++			if (r < 0)
++				goto out;
++			status |= FVAULT2_ENC_MD_PARSED_0x001A;
++			break;
++
++		case 0x0305:
++			log_dbg(cd, "Get FVAULT2 metadata block %" PRIu64 " type 0x0305.", i);
++			r = _parse_metadata_block_0x0305(md_block,
++				&log_vol_blkoff);
++			if (r < 0)
++				goto out;
++			if (uint64_mult_overflow(&params->log_vol_off,
++			    log_vol_blkoff, block_size)) {
++				log_dbg(cd, "Device offset overflow.");
++				r = -EINVAL;
++				goto out;
++			}
++			status |= FVAULT2_ENC_MD_PARSED_0x0305;
++			break;
++		}
++	}
++
++	if (status != FVAULT2_ENC_MD_PARSED_ALL) {
++		log_dbg(cd, "Necessary FVAULT2 metadata blocks not found.");
++		r = -EINVAL;
++		goto out;
++	}
++out:
++	free(tweak);
++	free(md_block_enc);
++	free(md_block);
++	if (cipher != NULL)
++		crypt_cipher_destroy(cipher);
++	return r;
++}
++
++/**
++ * Activate device.
++ * @param[in] cd crypt_device struct passed into FVAULT2_activate_by_*
++ * @param[in] name name of the mapped device
++ * @param[in] vol_key the pre-derived AES-XTS volume key
++ * @param[in] params logical volume decryption parameters
++ * @param[in] flags flags assigned to the crypt_dm_active_device struct
++ */
++static int _activate(
++	struct crypt_device *cd,
++	const char *name,
++	struct volume_key *vol_key,
++	const struct fvault2_params *params,
++	uint32_t flags)
++{
++	int r = 0;
++	char *cipher = NULL;
++	struct crypt_dm_active_device dm_dev = {
++		.flags = flags,
++		.size = params->log_vol_size / SECTOR_SIZE
++	};
++
++	r = device_block_adjust(cd, crypt_data_device(cd), DEV_EXCL,
++		crypt_get_data_offset(cd), &dm_dev.size, &dm_dev.flags);
++	if (r)
++		return r;
++
++	if (asprintf(&cipher, "%s-%s", params->cipher, params->cipher_mode) < 0)
++		return -ENOMEM;
++
++	r = dm_crypt_target_set(&dm_dev.segment, 0, dm_dev.size,
++		crypt_data_device(cd), vol_key, cipher,
++		crypt_get_iv_offset(cd), crypt_get_data_offset(cd),
++		crypt_get_integrity(cd), crypt_get_integrity_tag_size(cd),
++		crypt_get_sector_size(cd));
++
++	if (!r)
++		r = dm_create_device(cd, name, CRYPT_FVAULT2, &dm_dev);
++
++	dm_targets_free(cd, &dm_dev);
++	free(cipher);
++	return r;
++}
++
++int FVAULT2_read_metadata(
++	struct crypt_device *cd,
++	struct fvault2_params *params)
++{
++	int r = 0;
++	int devfd;
++	uint64_t block_size;
++	uint64_t disklbl_blkoff;
++	uint64_t enc_md_blkoff;
++	uint64_t enc_md_blocks_n;
++	struct volume_key *enc_md_key = NULL;
++	struct device *device = crypt_metadata_device(cd);
++
++	devfd = device_open(cd, device, O_RDONLY);
++	if (devfd < 0) {
++		log_err(cd, _("Cannot open device %s."), device_path(device));
++		return -EIO;
++	}
++
++	r = _read_volume_header(devfd, cd, &block_size, &disklbl_blkoff,
++		params->ph_vol_uuid, &enc_md_key);
++	if (r < 0)
++		goto out;
++
++	r = _read_disklabel(devfd, cd, block_size, disklbl_blkoff,
++		&enc_md_blkoff, &enc_md_blocks_n);
++	if (r < 0)
++		goto out;
++
++	r = _read_encrypted_metadata(devfd, cd, block_size, enc_md_blkoff,
++		enc_md_blocks_n, enc_md_key, params);
++	if (r < 0)
++		goto out;
++
++	params->cipher = "aes";
++	params->cipher_mode = "xts-plain64";
++	params->key_size = FVAULT2_XTS_KEY_SIZE;
++out:
++	crypt_free_volume_key(enc_md_key);
++	return r;
++}
++
++int FVAULT2_get_volume_key(
++	struct crypt_device *cd,
++	const char *passphrase,
++	size_t passphrase_len,
++	const struct fvault2_params *params,
++	struct volume_key **vol_key)
++{
++	int r = 0;
++	uint8_t family_uuid_bin[FVAULT2_UUID_BIN_SIZE];
++	struct volume_key *passphrase_key = NULL;
++	struct volume_key *kek = NULL;
++	struct crypt_hash *hash = NULL;
++
++	*vol_key = NULL;
++
++	if (uuid_parse(params->family_uuid, family_uuid_bin) < 0) {
++		log_dbg(cd, "Could not parse logical volume family UUID: %s.",
++			params->family_uuid);
++		r = -EINVAL;
++		goto out;
++	}
++
++	passphrase_key = crypt_alloc_volume_key(FVAULT2_AES_KEY_SIZE, NULL);
++	if (passphrase_key == NULL) {
++		r = -ENOMEM;
++		goto out;
++	}
++
++	r = crypt_pbkdf("pbkdf2", "sha256", passphrase, passphrase_len,
++		params->pbkdf2_salt, FVAULT2_PBKDF2_SALT_SIZE, passphrase_key->key,
++		FVAULT2_AES_KEY_SIZE, params->pbkdf2_iters, 0, 0);
++	if (r < 0)
++		goto out;
++
++	kek = crypt_alloc_volume_key(FVAULT2_AES_KEY_SIZE, NULL);
++	if (kek == NULL) {
++		r = -ENOMEM;
++		goto out;
++	}
++
++	r = _unwrap_key(passphrase_key->key, FVAULT2_AES_KEY_SIZE, params->wrapped_kek,
++			FVAULT2_WRAPPED_KEY_SIZE, kek->key, FVAULT2_AES_KEY_SIZE);
++	if (r < 0)
++		goto out;
++
++	*vol_key = crypt_alloc_volume_key(FVAULT2_XTS_KEY_SIZE, NULL);
++	if (*vol_key == NULL) {
++		r = -ENOMEM;
++		goto out;
++	}
++
++	r = _unwrap_key(kek->key, FVAULT2_AES_KEY_SIZE, params->wrapped_vk,
++		FVAULT2_WRAPPED_KEY_SIZE, (*vol_key)->key, FVAULT2_AES_KEY_SIZE);
++	if (r < 0)
++		goto out;
++
++	r = crypt_hash_init(&hash, "sha256");
++	if (r < 0)
++		goto out;
++	r = crypt_hash_write(hash, (*vol_key)->key, FVAULT2_AES_KEY_SIZE);
++	if (r < 0)
++		goto out;
++	r = crypt_hash_write(hash, (char *)family_uuid_bin,
++		FVAULT2_UUID_BIN_SIZE);
++	if (r < 0)
++		goto out;
++	r = crypt_hash_final(hash, (*vol_key)->key + FVAULT2_AES_KEY_SIZE,
++		FVAULT2_AES_KEY_SIZE);
++	if (r < 0)
++		goto out;
++out:
++	crypt_free_volume_key(passphrase_key);
++	crypt_free_volume_key(kek);
++	if (r < 0) {
++		crypt_free_volume_key(*vol_key);
++		*vol_key = NULL;
++	}
++	if (hash != NULL)
++		crypt_hash_destroy(hash);
++	return r;
++}
++
++int FVAULT2_dump(
++	struct crypt_device *cd,
++	struct device *device,
++	const struct fvault2_params *params)
++{
++	log_std(cd, "Header information for FVAULT2 device %s.\n", device_path(device));
++
++	log_std(cd, "Physical volume UUID: \t%s\n", params->ph_vol_uuid);
++	log_std(cd, "Family UUID:          \t%s\n", params->family_uuid);
++
++	log_std(cd, "Logical volume offset:\t%" PRIu64 " [bytes]\n", params->log_vol_off);
++
++	log_std(cd, "Logical volume size:  \t%" PRIu64 " [bytes]\n",
++		params->log_vol_size);
++
++	log_std(cd, "Cipher:               \t%s\n", params->cipher);
++	log_std(cd, "Cipher mode:          \t%s\n", params->cipher_mode);
++
++	log_std(cd, "PBKDF2 iterations:    \t%" PRIu32 "\n", params->pbkdf2_iters);
++
++	log_std(cd, "PBKDF2 salt:          \t");
++	crypt_log_hex(cd, params->pbkdf2_salt, FVAULT2_PBKDF2_SALT_SIZE, " ", 0, NULL);
++	log_std(cd, "\n");
++
++	return 0;
++}
++
++int FVAULT2_activate_by_passphrase(
++	struct crypt_device *cd,
++	const char *name,
++	const char *passphrase,
++	size_t passphrase_len,
++	const struct fvault2_params *params,
++	uint32_t flags)
++{
++	int r;
++	struct volume_key *vol_key = NULL;
++
++	r = FVAULT2_get_volume_key(cd, passphrase, passphrase_len, params, &vol_key);
++	if (r < 0)
++		return r;
++
++	if (name)
++	    r = _activate(cd, name, vol_key, params, flags);
++
++	crypt_free_volume_key(vol_key);
++	return r;
++}
++
++int FVAULT2_activate_by_volume_key(
++	struct crypt_device *cd,
++	const char *name,
++	const char *key,
++	size_t key_size,
++	const struct fvault2_params *params,
++	uint32_t flags)
++{
++	int r = 0;
++	struct volume_key *vol_key = NULL;
++
++	if (key_size != FVAULT2_XTS_KEY_SIZE)
++		return -EINVAL;
++
++	vol_key = crypt_alloc_volume_key(FVAULT2_XTS_KEY_SIZE, key);
++	if (vol_key == NULL)
++		return -ENOMEM;
++
++	r = _activate(cd, name, vol_key, params, flags);
++
++	crypt_free_volume_key(vol_key);
++	return r;
++}
 diff --git a/lib/fvault2/fvault2.h b/lib/fvault2/fvault2.h
 new file mode 100644
 index 0000000..ce50ee3
 --- /dev/null
 +++ b/lib/fvault2/fvault2.h
@@ -0,0 +1,80 @@
++/*
++ * FVAULT2 (FileVault2-compatible) volume handling
++ *
++ * Copyright (C) 2021-2022 Pavel Tobias
++ *
++ * This file is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++ *
++ * This file is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this file; if not, write to the Free Software
++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++ */
++
++#ifndef _CRYPTSETUP_FVAULT2_H
++#define _CRYPTSETUP_FVAULT2_H
++
++#include <stddef.h>
++#include <stdint.h>
++
++#define FVAULT2_WRAPPED_KEY_SIZE 24
++#define FVAULT2_PBKDF2_SALT_SIZE 16
++#define FVAULT2_UUID_LEN 37
++
++struct crypt_device;
++struct volume_key;
++
++struct fvault2_params {
++	const char *cipher;
++	const char *cipher_mode;
++	uint16_t key_size;
++	uint32_t pbkdf2_iters;
++	char pbkdf2_salt[FVAULT2_PBKDF2_SALT_SIZE];
++	char wrapped_kek[FVAULT2_WRAPPED_KEY_SIZE];
++	char wrapped_vk[FVAULT2_WRAPPED_KEY_SIZE];
++	char family_uuid[FVAULT2_UUID_LEN];
++	char ph_vol_uuid[FVAULT2_UUID_LEN];
++	uint64_t log_vol_off;
++	uint64_t log_vol_size;
++};
++
++int FVAULT2_read_metadata(
++	struct crypt_device *cd,
++	struct fvault2_params *params);
++
++int FVAULT2_get_volume_key(
++	struct crypt_device *cd,
++	const char *passphrase,
++	size_t passphrase_len,
++	const struct fvault2_params *params,
++	struct volume_key **vol_key);
++
++int FVAULT2_dump(
++	struct crypt_device *cd,
++	struct device *device,
++	const struct fvault2_params *params);
++
++int FVAULT2_activate_by_passphrase(
++	struct crypt_device *cd,
++	const char *name,
++	const char *passphrase,
++	size_t passphrase_len,
++	const struct fvault2_params *params,
++	uint32_t flags);
++
++int FVAULT2_activate_by_volume_key(
++	struct crypt_device *cd,
++	const char *name,
++	const char *key,
++	size_t key_size,
++	const struct fvault2_params *params,
++	uint32_t flags);
++
++#endif
 diff --git a/lib/integrity/integrity.c b/lib/integrity/integrity.c
 index 83ee89d..aeadc82 100644
 --- a/lib/integrity/integrity.c
 +++ b/lib/integrity/integrity.c
@@ -1,7 +1,7 @@
  /*
   * Integrity volume handling
+  *
-- * Copyright (C) 2016-2022 Milan Broz
++ * Copyright (C) 2016-2023 Milan Broz
+  *
   * This file is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
 diff --git a/lib/integrity/integrity.h b/lib/integrity/integrity.h
 index 5eee821..2883ef8 100644
 --- a/lib/integrity/integrity.h
 +++ b/lib/integrity/integrity.h
@@ -1,7 +1,7 @@
  /*
   * Integrity header definition
+  *
-- * Copyright (C) 2016-2022 Milan Broz
++ * Copyright (C) 2016-2023 Milan Broz
+  *
   * This file is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
 diff --git a/lib/internal.h b/lib/internal.h
 index 7c94a38..b5cb4e3 100644
 --- a/lib/internal.h
 +++ b/lib/internal.h
@@ -3,8 +3,8 @@
+  *
   * Copyright (C) 2004 Jana Saout <jana@saout.de>
   * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
-- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2009-2022 Milan Broz
++ * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2009-2023 Milan Broz
+  *
   * This program is free software; you can redistribute it and/or
   * modify it under the terms of the GNU General Public License
@@ -31,6 +31,7 @@
  #include <unistd.h>
  #include <inttypes.h>
  #include <fcntl.h>
++#include <assert.h>
  #include "nls.h"
  #include "bitops.h"
@@ -38,7 +39,6 @@
  #include "utils_crypt.h"
  #include "utils_loop.h"
  #include "utils_dm.h"
--#include "utils_fips.h"
  #include "utils_keyring.h"
  #include "utils_io.h"
  #include "crypto_backend/crypto_backend.h"
@@ -178,8 +178,7 @@ int init_crypto(struct crypt_device *ctx);
  int crypt_get_debug_level(void);
--int crypt_memlock_inc(struct crypt_device *ctx);
--int crypt_memlock_dec(struct crypt_device *ctx);
++void crypt_process_priority(struct crypt_device *cd, int *priority, bool raise);
  int crypt_metadata_locking_enabled(void);
 diff --git a/lib/keyslot_context.c b/lib/keyslot_context.c
 new file mode 100644
 index 0000000..89bd433
 --- /dev/null
 +++ b/lib/keyslot_context.c
@@ -0,0 +1,488 @@
++/*
++ * LUKS - Linux Unified Key Setup, keyslot unlock helpers
++ *
++ * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2022-2023 Ondrej Kozina
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License
++ * as published by the Free Software Foundation; either version 2
++ * of the License, or (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write to the Free Software
++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++ */
++
++#include <errno.h>
++
++#include "luks1/luks.h"
++#include "luks2/luks2.h"
++#include "keyslot_context.h"
++
++static int get_luks2_key_by_passphrase(struct crypt_device *cd,
++	struct crypt_keyslot_context *kc,
++	int keyslot,
++	int segment,
++	struct volume_key **r_vk)
++{
++	int r;
++
++	assert(cd);
++	assert(kc && kc->type == CRYPT_KC_TYPE_PASSPHRASE);
++	assert(r_vk);
++
++	r = LUKS2_keyslot_open(cd, keyslot, segment, kc->u.p.passphrase, kc->u.p.passphrase_size, r_vk);
++	if (r < 0)
++		kc->error = r;
++
++	return r;
++}
++
++static int get_luks1_volume_key_by_passphrase(struct crypt_device *cd,
++	struct crypt_keyslot_context *kc,
++	int keyslot,
++	struct volume_key **r_vk)
++{
++	int r;
++
++	assert(cd);
++	assert(kc && kc->type == CRYPT_KC_TYPE_PASSPHRASE);
++	assert(r_vk);
++
++	r = LUKS_open_key_with_hdr(keyslot, kc->u.p.passphrase, kc->u.p.passphrase_size,
++				   crypt_get_hdr(cd, CRYPT_LUKS1), r_vk, cd);
++	if (r < 0)
++		kc->error = r;
++
++	return r;
++}
++
++static int get_luks2_volume_key_by_passphrase(struct crypt_device *cd,
++	struct crypt_keyslot_context *kc,
++	int keyslot,
++	struct volume_key **r_vk)
++{
++	return get_luks2_key_by_passphrase(cd, kc, keyslot, CRYPT_DEFAULT_SEGMENT, r_vk);
++}
++
++static int get_passphrase_by_passphrase(struct crypt_device *cd,
++	struct crypt_keyslot_context *kc,
++	const char **r_passphrase,
++	size_t *r_passphrase_size)
++{
++	assert(cd);
++	assert(kc && kc->type == CRYPT_KC_TYPE_PASSPHRASE);
++	assert(r_passphrase);
++	assert(r_passphrase_size);
++
++	*r_passphrase = kc->u.p.passphrase;
++	*r_passphrase_size = kc->u.p.passphrase_size;
++
++	return 0;
++}
++
++static int get_passphrase_by_keyfile(struct crypt_device *cd,
++	struct crypt_keyslot_context *kc,
++	const char **r_passphrase,
++	size_t *r_passphrase_size)
++{
++	int r;
++
++	assert(cd);
++	assert(kc && kc->type == CRYPT_KC_TYPE_KEYFILE);
++	assert(r_passphrase);
++	assert(r_passphrase_size);
++
++	if (!kc->i_passphrase) {
++		r = crypt_keyfile_device_read(cd, kc->u.kf.keyfile,
++				       &kc->i_passphrase, &kc->i_passphrase_size,
++				       kc->u.kf.keyfile_offset, kc->u.kf.keyfile_size, 0);
++		if (r < 0) {
++			kc->error = r;
++			return r;
++		}
++	}
++
++	*r_passphrase = kc->i_passphrase;
++	*r_passphrase_size = kc->i_passphrase_size;
++
++	return 0;
++}
++
++static int get_luks2_key_by_keyfile(struct crypt_device *cd,
++	struct crypt_keyslot_context *kc,
++	int keyslot,
++	int segment,
++	struct volume_key **r_vk)
++{
++	int r;
++	const char *passphrase;
++	size_t passphrase_size;
++
++	assert(cd);
++	assert(kc && kc->type == CRYPT_KC_TYPE_KEYFILE);
++	assert(r_vk);
++
++	r = get_passphrase_by_keyfile(cd, kc, &passphrase, &passphrase_size);
++	if (r)
++		return r;
++
++	r = LUKS2_keyslot_open(cd, keyslot, segment, passphrase, passphrase_size, r_vk);
++	if (r < 0)
++		kc->error = r;
++
++	return r;
++}
++
++static int get_luks2_volume_key_by_keyfile(struct crypt_device *cd,
++	struct crypt_keyslot_context *kc,
++	int keyslot,
++	struct volume_key **r_vk)
++{
++	return get_luks2_key_by_keyfile(cd, kc, keyslot, CRYPT_DEFAULT_SEGMENT, r_vk);
++}
++
++static int get_luks1_volume_key_by_keyfile(struct crypt_device *cd,
++	struct crypt_keyslot_context *kc,
++	int keyslot,
++	struct volume_key **r_vk)
++{
++	int r;
++	const char *passphrase;
++	size_t passphrase_size;
++
++	assert(cd);
++	assert(kc && kc->type == CRYPT_KC_TYPE_KEYFILE);
++	assert(r_vk);
++
++	r = get_passphrase_by_keyfile(cd, kc, &passphrase, &passphrase_size);
++	if (r)
++		return r;
++
++	r = LUKS_open_key_with_hdr(keyslot, passphrase, passphrase_size,
++				   crypt_get_hdr(cd, CRYPT_LUKS1), r_vk, cd);
++	if (r < 0)
++		kc->error = r;
++
++	return r;
++}
++
++static int get_key_by_key(struct crypt_device *cd,
++	struct crypt_keyslot_context *kc,
++	int keyslot __attribute__((unused)),
++	int segment __attribute__((unused)),
++	struct volume_key **r_vk)
++{
++	assert(kc && kc->type == CRYPT_KC_TYPE_KEY);
++	assert(r_vk);
++
++	if (!kc->u.k.volume_key) {
++		kc->error = -ENOENT;
++		return kc->error;
++	}
++
++	*r_vk = crypt_alloc_volume_key(kc->u.k.volume_key_size, kc->u.k.volume_key);
++	if (!*r_vk) {
++		kc->error = -ENOMEM;
++		return kc->error;
++	}
++
++	return 0;
++}
++
++static int get_volume_key_by_key(struct crypt_device *cd,
++	struct crypt_keyslot_context *kc,
++	int keyslot __attribute__((unused)),
++	struct volume_key **r_vk)
++{
++	return get_key_by_key(cd, kc, -2 /* unused */, -2 /* unused */, r_vk);
++}
++
++static int get_luks2_key_by_token(struct crypt_device *cd,
++	struct crypt_keyslot_context *kc,
++	int keyslot __attribute__((unused)),
++	int segment,
++	struct volume_key **r_vk)
++{
++	int r;
++
++	assert(cd);
++	assert(kc && kc->type == CRYPT_KC_TYPE_TOKEN);
++	assert(r_vk);
++
++	r = LUKS2_token_unlock_key(cd, crypt_get_hdr(cd, CRYPT_LUKS2), kc->u.t.id, kc->u.t.type,
++				   kc->u.t.pin, kc->u.t.pin_size, segment, kc->u.t.usrptr, r_vk);
++	if (r < 0)
++		kc->error = r;
++
++	return r;
++}
++
++static int get_luks2_volume_key_by_token(struct crypt_device *cd,
++	struct crypt_keyslot_context *kc,
++	int keyslot __attribute__((unused)),
++	struct volume_key **r_vk)
++{
++	return get_luks2_key_by_token(cd, kc, -2 /* unused */, CRYPT_DEFAULT_SEGMENT, r_vk);
++}
++
++static int get_passphrase_by_token(struct crypt_device *cd,
++	struct crypt_keyslot_context *kc,
++	const char **r_passphrase,
++	size_t *r_passphrase_size)
++{
++	int r;
++
++	assert(cd);
++	assert(kc && kc->type == CRYPT_KC_TYPE_TOKEN);
++	assert(r_passphrase);
++	assert(r_passphrase_size);
++
++	if (!kc->i_passphrase) {
++		r = LUKS2_token_unlock_passphrase(cd, crypt_get_hdr(cd, CRYPT_LUKS2), kc->u.t.id,
++				kc->u.t.type, kc->u.t.pin, kc->u.t.pin_size,
++				kc->u.t.usrptr, &kc->i_passphrase, &kc->i_passphrase_size);
++		if (r < 0) {
++			kc->error = r;
++			return r;
++		}
++		kc->u.t.id = r;
++	}
++
++	*r_passphrase = kc->i_passphrase;
++	*r_passphrase_size = kc->i_passphrase_size;
++
++	return kc->u.t.id;
++}
++
++static void unlock_method_init_internal(struct crypt_keyslot_context *kc)
++{
++	assert(kc);
++
++	kc->error = 0;
++	kc->i_passphrase = NULL;
++	kc->i_passphrase_size = 0;
++}
++
++void crypt_keyslot_unlock_by_key_init_internal(struct crypt_keyslot_context *kc,
++	const char *volume_key,
++	size_t volume_key_size)
++{
++	assert(kc);
++
++	kc->type = CRYPT_KC_TYPE_KEY;
++	kc->u.k.volume_key = volume_key;
++	kc->u.k.volume_key_size = volume_key_size;
++	kc->get_luks2_key = get_key_by_key;
++	kc->get_luks2_volume_key = get_volume_key_by_key;
++	kc->get_luks1_volume_key = get_volume_key_by_key;
++	kc->get_passphrase = NULL; /* keyslot key context does not provide passphrase */
++	unlock_method_init_internal(kc);
++}
++
++void crypt_keyslot_unlock_by_passphrase_init_internal(struct crypt_keyslot_context *kc,
++	const char *passphrase,
++	size_t passphrase_size)
++{
++	assert(kc);
++
++	kc->type = CRYPT_KC_TYPE_PASSPHRASE;
++	kc->u.p.passphrase = passphrase;
++	kc->u.p.passphrase_size = passphrase_size;
++	kc->get_luks2_key = get_luks2_key_by_passphrase;
++	kc->get_luks2_volume_key = get_luks2_volume_key_by_passphrase;
++	kc->get_luks1_volume_key = get_luks1_volume_key_by_passphrase;
++	kc->get_passphrase = get_passphrase_by_passphrase;
++	unlock_method_init_internal(kc);
++}
++
++void crypt_keyslot_unlock_by_keyfile_init_internal(struct crypt_keyslot_context *kc,
++	const char *keyfile,
++	size_t keyfile_size,
++	uint64_t keyfile_offset)
++{
++	assert(kc);
++
++	kc->type = CRYPT_KC_TYPE_KEYFILE;
++	kc->u.kf.keyfile = keyfile;
++	kc->u.kf.keyfile_size = keyfile_size;
++	kc->u.kf.keyfile_offset = keyfile_offset;
++	kc->get_luks2_key = get_luks2_key_by_keyfile;
++	kc->get_luks2_volume_key = get_luks2_volume_key_by_keyfile;
++	kc->get_luks1_volume_key = get_luks1_volume_key_by_keyfile;
++	kc->get_passphrase = get_passphrase_by_keyfile;
++	unlock_method_init_internal(kc);
++}
++
++void crypt_keyslot_unlock_by_token_init_internal(struct crypt_keyslot_context *kc,
++	int token,
++	const char *type,
++	const char *pin,
++	size_t pin_size,
++	void *usrptr)
++{
++	assert(kc);
++
++	kc->type = CRYPT_KC_TYPE_TOKEN;
++	kc->u.t.id = token;
++	kc->u.t.type = type;
++	kc->u.t.pin = pin;
++	kc->u.t.pin_size = pin_size;
++	kc->u.t.usrptr = usrptr;
++	kc->get_luks2_key = get_luks2_key_by_token;
++	kc->get_luks2_volume_key = get_luks2_volume_key_by_token;
++	kc->get_luks1_volume_key = NULL; /* LUKS1 is not supported */
++	kc->get_passphrase = get_passphrase_by_token;
++	unlock_method_init_internal(kc);
++}
++
++void crypt_keyslot_context_destroy_internal(struct crypt_keyslot_context *kc)
++{
++	if (!kc)
++		return;
++
++	crypt_safe_free(kc->i_passphrase);
++	kc->i_passphrase = NULL;
++	kc->i_passphrase_size = 0;
++}
++
++void crypt_keyslot_context_free(struct crypt_keyslot_context *kc)
++{
++	crypt_keyslot_context_destroy_internal(kc);
++	free(kc);
++}
++
++int crypt_keyslot_context_init_by_passphrase(struct crypt_device *cd,
++	const char *passphrase,
++	size_t passphrase_size,
++	struct crypt_keyslot_context **kc)
++{
++	struct crypt_keyslot_context *tmp;
++
++	if (!kc || !passphrase)
++		return -EINVAL;
++
++	tmp = malloc(sizeof(*tmp));
++	if (!tmp)
++		return -ENOMEM;
++
++	crypt_keyslot_unlock_by_passphrase_init_internal(tmp, passphrase, passphrase_size);
++
++	*kc = tmp;
++
++	return 0;
++}
++
++int crypt_keyslot_context_init_by_keyfile(struct crypt_device *cd,
++	const char *keyfile,
++	size_t keyfile_size,
++	uint64_t keyfile_offset,
++	struct crypt_keyslot_context **kc)
++{
++	struct crypt_keyslot_context *tmp;
++
++	if (!kc || !keyfile)
++		return -EINVAL;
++
++	tmp = malloc(sizeof(*tmp));
++	if (!tmp)
++		return -ENOMEM;
++
++	crypt_keyslot_unlock_by_keyfile_init_internal(tmp, keyfile, keyfile_size, keyfile_offset);
++
++	*kc = tmp;
++
++	return 0;
++}
++
++int crypt_keyslot_context_init_by_token(struct crypt_device *cd,
++	int token,
++	const char *type,
++	const char *pin, size_t pin_size,
++	void *usrptr,
++	struct crypt_keyslot_context **kc)
++{
++	struct crypt_keyslot_context *tmp;
++
++	if (!kc || (token < 0 && token != CRYPT_ANY_TOKEN))
++		return -EINVAL;
++
++	tmp = malloc(sizeof(*tmp));
++	if (!tmp)
++		return -ENOMEM;
++
++	crypt_keyslot_unlock_by_token_init_internal(tmp, token, type, pin, pin_size, usrptr);
++
++	*kc = tmp;
++
++	return 0;
++}
++
++int crypt_keyslot_context_init_by_volume_key(struct crypt_device *cd,
++	const char *volume_key,
++	size_t volume_key_size,
++	struct crypt_keyslot_context **kc)
++{
++	struct crypt_keyslot_context *tmp;
++
++	if (!kc)
++		return -EINVAL;
++
++	tmp = malloc(sizeof(*tmp));
++	if (!tmp)
++		return -ENOMEM;
++
++	crypt_keyslot_unlock_by_key_init_internal(tmp, volume_key, volume_key_size);
++
++	*kc = tmp;
++
++	return 0;
++}
++
++int crypt_keyslot_context_get_error(struct crypt_keyslot_context *kc)
++{
++	return kc ? kc->error : -EINVAL;
++}
++
++int crypt_keyslot_context_set_pin(struct crypt_device *cd,
++	const char *pin, size_t pin_size,
++	struct crypt_keyslot_context *kc)
++{
++	if (!kc || kc->type != CRYPT_KC_TYPE_TOKEN)
++		return -EINVAL;
++
++	kc->u.t.pin = pin;
++	kc->u.t.pin_size = pin_size;
++	kc->error = 0;
++
++	return 0;
++}
++
++int crypt_keyslot_context_get_type(const struct crypt_keyslot_context *kc)
++{
++	return kc ? kc->type : -EINVAL;
++}
++
++const char *keyslot_context_type_string(const struct crypt_keyslot_context *kc)
++{
++	assert(kc);
++
++	switch (kc->type) {
++	case CRYPT_KC_TYPE_PASSPHRASE:
++		return "passphrase";
++	case CRYPT_KC_TYPE_KEYFILE:
++		return "keyfile";
++	case CRYPT_KC_TYPE_TOKEN:
++		return "token";
++	case CRYPT_KC_TYPE_KEY:
++		return "key";
++	default:
++		return "<unknown>";
++	}
++}
 diff --git a/lib/keyslot_context.h b/lib/keyslot_context.h
 new file mode 100644
 index 0000000..7ca7428
 --- /dev/null
 +++ b/lib/keyslot_context.h
@@ -0,0 +1,111 @@
++/*
++ * LUKS - Linux Unified Key Setup, keyslot unlock helpers
++ *
++ * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2022-2023 Ondrej Kozina
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License
++ * as published by the Free Software Foundation; either version 2
++ * of the License, or (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write to the Free Software
++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++ */
++
++#ifndef KEYSLOT_CONTEXT_H
++#define KEYSLOT_CONTEXT_H
++
++#include <stdbool.h>
++#include <stdint.h>
++
++#include "internal.h"
++
++typedef int (*keyslot_context_get_key) (
++	struct crypt_device *cd,
++	struct crypt_keyslot_context *kc,
++	int keyslot,
++	int segment,
++	struct volume_key **r_vk);
++
++typedef int (*keyslot_context_get_volume_key) (
++	struct crypt_device *cd,
++	struct crypt_keyslot_context *kc,
++	int keyslot,
++	struct volume_key **r_vk);
++
++typedef int (*keyslot_context_get_passphrase) (
++	struct crypt_device *cd,
++	struct crypt_keyslot_context *kc,
++	const char **r_passphrase,
++	size_t *r_passphrase_size);
++
++/* crypt_keyslot_context */
++struct crypt_keyslot_context {
++	int type;
++
++	union {
++	struct {
++		const char *passphrase;
++		size_t passphrase_size;
++	} p;
++	struct {
++		const char *keyfile;
++		uint64_t keyfile_offset;
++		size_t keyfile_size;
++	} kf;
++	struct {
++		int id;
++		const char *type;
++		const char *pin;
++		size_t pin_size;
++		void *usrptr;
++	} t;
++	struct {
++		const char *volume_key;
++		size_t volume_key_size;
++	} k;
++	} u;
++
++	int error;
++
++	char *i_passphrase;
++	size_t i_passphrase_size;
++
++	keyslot_context_get_key		get_luks2_key;
++	keyslot_context_get_volume_key	get_luks1_volume_key;
++	keyslot_context_get_volume_key	get_luks2_volume_key;
++	keyslot_context_get_passphrase	get_passphrase;
++};
++
++void crypt_keyslot_context_destroy_internal(struct crypt_keyslot_context *method);
++
++void crypt_keyslot_unlock_by_key_init_internal(struct crypt_keyslot_context *kc,
++	const char *volume_key,
++	size_t volume_key_size);
++
++void crypt_keyslot_unlock_by_passphrase_init_internal(struct crypt_keyslot_context *kc,
++	const char *passphrase,
++	size_t passphrase_size);
++
++void crypt_keyslot_unlock_by_keyfile_init_internal(struct crypt_keyslot_context *kc,
++	const char *keyfile,
++	size_t keyfile_size,
++	uint64_t keyfile_offset);
++
++void crypt_keyslot_unlock_by_token_init_internal(struct crypt_keyslot_context *kc,
++	int token,
++	const char *type,
++	const char *pin,
++	size_t pin_size,
++	void *usrptr);
++
++const char *keyslot_context_type_string(const struct crypt_keyslot_context *kc);
++
++#endif /* KEYSLOT_CONTEXT_H */
 diff --git a/lib/libcryptsetup.h b/lib/libcryptsetup.h
 index edb3078..e899829 100644
 --- a/lib/libcryptsetup.h
 +++ b/lib/libcryptsetup.h
@@ -3,8 +3,8 @@
+  *
   * Copyright (C) 2004 Jana Saout <jana@saout.de>
   * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
-- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2009-2022 Milan Broz
++ * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2009-2023 Milan Broz
+  *
   * This program is free software; you can redistribute it and/or
   * modify it under the terms of the GNU General Public License
@@ -46,6 +46,7 @@ extern "C" {
   */
  struct crypt_device; /* crypt device handle */
++struct crypt_keyslot_context;
  /**
   * Initialize crypt device handle and check if the provided device exists.
@@ -344,6 +345,7 @@ void crypt_set_iteration_time(struct crypt_device *cd, uint64_t iteration_time_m
  /**
   * Helper to lock/unlock memory to avoid swap sensitive data to disk.
++ * \b Deprecated, only for backward compatibility. Memory with keys are locked automatically.
+  *
   * @param cd crypt device handle, can be @e NULL
   * @param lock 0 to unlock otherwise lock memory
@@ -353,7 +355,7 @@ void crypt_set_iteration_time(struct crypt_device *cd, uint64_t iteration_time_m
   * @note Only root can do this.
   * @note It locks/unlocks all process memory, not only crypt context.
   */
--int crypt_memory_lock(struct crypt_device *cd, int lock);
++int crypt_memory_lock(struct crypt_device *cd, int lock) __attribute__((deprecated));
  /**
   * Set global lock protection for on-disk metadata (file-based locking).
@@ -427,6 +429,8 @@ int crypt_get_metadata_size(struct crypt_device *cd,
  #define CRYPT_INTEGRITY "INTEGRITY"
  /** BITLK (BitLocker-compatible mode) */
  #define CRYPT_BITLK "BITLK"
++/** FVAULT2 (FileVault2-compatible mode) */
++#define CRYPT_FVAULT2 "FVAULT2"
  /** LUKS any version */
  #define CRYPT_LUKS NULL
@@ -1107,6 +1111,187 @@ int crypt_keyslot_add_by_key(struct crypt_device *cd,
  	uint32_t flags);
  /**
++ * @defgroup crypt-keyslot-context Crypt keyslot context
++ * @addtogroup crypt-keyslot-context
++ * @{
++ */
++
++/**
++ * Release crypt keyslot context and used memory.
++ *
++ * @param kc crypt keyslot context
++ */
++void crypt_keyslot_context_free(struct crypt_keyslot_context *kc);
++
++/**
++ * Initialize keyslot context via passphrase.
++ *
++ * @param cd crypt device handle initialized to LUKS device context
++ * @param passphrase passphrase for a keyslot
++ * @param passphrase_size size of passphrase
++ * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_PASSPHRASE
++ *
++ * @return zero on success or negative errno otherwise.
++ */
++int crypt_keyslot_context_init_by_passphrase(struct crypt_device *cd,
++	const char *passphrase,
++	size_t passphrase_size,
++	struct crypt_keyslot_context **kc);
++
++/**
++ * Initialize keyslot context via key file path.
++ *
++ * @param cd crypt device handle initialized to LUKS device context
++ *
++ * @param keyfile key file with passphrase for a keyslot
++ * @param keyfile_size number of bytes to read from keyfile, @e 0 is unlimited
++ * @param keyfile_offset number of bytes to skip at start of keyfile
++ * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_KEYFILE
++ *
++ * @return zero on success or negative errno otherwise.
++ */
++int crypt_keyslot_context_init_by_keyfile(struct crypt_device *cd,
++	const char *keyfile,
++	size_t keyfile_size,
++	uint64_t keyfile_offset,
++	struct crypt_keyslot_context **kc);
++
++/**
++ * Initialize keyslot context via LUKS2 token.
++ *
++ * @param cd crypt device handle initialized to LUKS2 device context
++ *
++ * @param token token providing passphrase for a keyslot or CRYPT_ANY_TOKEN
++ * @param type restrict type of token, if @e NULL all types are allowed
++ * @param pin passphrase (or PIN) to unlock token (may be binary data)
++ * @param pin_size size of @e pin
++ * @param usrptr provided identification in callback
++ * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_TOKEN
++ *
++ * @return zero on success or negative errno otherwise.
++ */
++int crypt_keyslot_context_init_by_token(struct crypt_device *cd,
++	int token,
++	const char *type,
++	const char *pin, size_t pin_size,
++	void *usrptr,
++	struct crypt_keyslot_context **kc);
++
++/**
++ * Initialize keyslot context via key.
++ *
++ * @param cd crypt device handle initialized to LUKS device context
++ *
++ * @param volume_key provided volume key or @e NULL if used after crypt_format
++ *        or with CRYPT_VOLUME_KEY_NO_SEGMENT flag
++ * @param volume_key_size size of volume_key
++ * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_KEY
++ *
++ * @return zero on success or negative errno otherwise.
++ */
++int crypt_keyslot_context_init_by_volume_key(struct crypt_device *cd,
++	const char *volume_key,
++	size_t volume_key_size,
++	struct crypt_keyslot_context **kc);
++
++/**
++ * Get error code per keyslot context from last failed call.
++ *
++ * @note If @link crypt_keyslot_add_by_keyslot_context @endlink passed with
++ * 	 no negative return code. The return value of this function is undefined.
++ *
++ * @param kc keyslot context involved in failed @link crypt_keyslot_add_by_keyslot_context @endlink
++ *
++ * @return Negative errno if keyslot context caused a failure, zero otherwise.
++ */
++int crypt_keyslot_context_get_error(struct crypt_keyslot_context *kc);
++
++/**
++ * Set new pin to token based keyslot context.
++ *
++ * @note Use when @link crypt_keyslot_add_by_keyslot_context @endlink failed
++ *	 and token keyslot context returned -ENOANO error code via
++ *	 @link crypt_keyslot_context_get_error @endlink.
++ *
++ * @param cd crypt device handle initialized to LUKS2 device context
++ * @param pin passphrase (or PIN) to unlock token (may be binary data)
++ * @param pin_size size of @e pin
++ * @param kc LUKS2 keyslot context (only @link CRYPT_KC_TYPE_TOKEN @endlink is allowed)
++ *
++ * @return zero on success or negative errno otherwise
++ */
++int crypt_keyslot_context_set_pin(struct crypt_device *cd,
++	const char *pin, size_t pin_size,
++	struct crypt_keyslot_context *kc);
++
++/**
++ * @defgroup crypt-keyslot-context-types Crypt keyslot context
++ * @addtogroup crypt-keyslot-context-types
++ * @{
++ */
++/** keyslot context initialized by passphrase (@link crypt_keyslot_context_init_by_passphrase @endlink) */
++#define CRYPT_KC_TYPE_PASSPHRASE INT16_C(1)
++/** keyslot context initialized by keyfile (@link crypt_keyslot_context_init_by_keyfile @endlink) */
++#define CRYPT_KC_TYPE_KEYFILE    INT16_C(2)
++/** keyslot context initialized by token (@link crypt_keyslot_context_init_by_token @endlink) */
++#define CRYPT_KC_TYPE_TOKEN      INT16_C(3)
++/** keyslot context initialized by volume key or unbound key (@link crypt_keyslot_context_init_by_volume_key @endlink) */
++#define CRYPT_KC_TYPE_KEY        INT16_C(4)
++/** @} */
++
++/**
++ * Get type identifier for crypt keyslot context.
++ *
++ * @param kc keyslot context
++ *
++ * @return crypt keyslot context type id (see @link crypt-keyslot-context-types @endlink) or negative errno otherwise.
++ */
++int crypt_keyslot_context_get_type(const struct crypt_keyslot_context *kc);
++/** @} */
++
++/**
++ * Add key slot by volume key provided by keyslot context (kc). New
++ * keyslot will be protected by passphrase provided by new keyslot context (new_kc).
++ * See @link crypt-keyslot-context @endlink for context initialization routines.
++ *
++ * @pre @e cd contains initialized and formatted LUKS device context.
++ *
++ * @param cd crypt device handle
++ * @param keyslot_existing existing keyslot or CRYPT_ANY_SLOT to get volume key from.
++ * @param kc keyslot context providing volume key.
++ * @param keyslot_new new keyslot or CRYPT_ANY_SLOT (first free number is used).
++ * @param new_kc keyslot context providing passphrase for new keyslot.
++ * @param flags key flags to set
++ *
++ * @return allocated key slot number or negative errno otherwise.
++ *
++ * @note new_kc can not be @e CRYPT_KC_TYPE_KEY type keyslot context.
++ *
++ * @note For kc parameter with type @e CRYPT_KC_TYPE_KEY the keyslot_existing
++ *       parameter is ignored.
++ *
++ * @note in case there is no active LUKS keyslot to get existing volume key from, one of following must apply:
++ * 	 @li @e cd must be device handle used in crypt_format() by current process (it holds reference to generated volume key)
++ * 	 @li kc must be of @e CRYPT_KC_TYPE_KEY type with valid volume key.
++ *
++ * @note With CRYPT_VOLUME_KEY_NO_SEGMENT flag raised and kc of type @e CRYPT_KC_TYPE_KEY with @e volume_key set to @e NULL
++ *     the new volume_key will be generated and stored in new keyslot. The keyslot will become unbound (unusable to
++ *     dm-crypt device activation).
++ *
++ * @warning CRYPT_VOLUME_KEY_SET flag force updates volume key. It is @b not @b reencryption!
++ * 	    By doing so you will most probably destroy your ciphertext data device. It's supposed
++ * 	    to be used only in wrapped keys scheme for key refresh process where real (inner) volume
++ * 	    key stays untouched. It may be involed on active @e keyslot which makes the (previously
++ * 	    unbound) keyslot new regular keyslot.
++ */
++int crypt_keyslot_add_by_keyslot_context(struct crypt_device *cd,
++	int keyslot_existing,
++	struct crypt_keyslot_context *kc,
++	int keyslot_new,
++	struct crypt_keyslot_context *new_kc,
++	uint32_t flags);
++
++/**
   * Destroy (and disable) key slot.
+  *
   * @pre @e cd contains initialized and formatted LUKS device context
@@ -1182,6 +1367,8 @@ int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot);
  #define CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE (UINT32_C(1) << 25)
  /** dm-integrity: reset automatic recalculation */
  #define CRYPT_ACTIVATE_RECALCULATE_RESET (UINT32_C(1) << 26)
++/** dm-verity: try to use tasklets */
++#define CRYPT_ACTIVATE_TASKLETS (UINT32_C(1) << 27)
  /**
   * Active device runtime attributes
@@ -1471,6 +1658,9 @@ int crypt_deactivate(struct crypt_device *cd, const char *name);
   * @note For TCRYPT cipher chain is the volume key concatenated
   * 	 for all ciphers in chain.
   * @note For VERITY the volume key means root hash used for activation.
++ * @note For LUKS devices, if passphrase is @e NULL and volume key is cached in
++ * 	 device context it returns the volume key generated in preceding
++ * 	 @link crypt_format @endlink call.
   */
  int crypt_volume_key_get(struct crypt_device *cd,
  	int keyslot,
@@ -1480,6 +1670,41 @@ int crypt_volume_key_get(struct crypt_device *cd,
  	size_t passphrase_size);
  /**
++ * Get volume key from crypt device by keyslot context.
++ *
++ * @param cd crypt device handle
++ * @param keyslot use this keyslot or @e CRYPT_ANY_SLOT
++ * @param volume_key buffer for volume key
++ * @param volume_key_size on input, size of buffer @e volume_key,
++ *        on output size of @e volume_key
++ * @param kc keyslot context used to unlock volume key
++ *
++ * @return unlocked key slot number or negative errno otherwise.
++ *
++ * @note See @link crypt-keyslot-context-types @endlink for info on keyslot
++ * 	 context initialization.
++ * @note For TCRYPT cipher chain is the volume key concatenated
++ * 	 for all ciphers in chain (kc may be NULL).
++ * @note For VERITY the volume key means root hash used for activation
++ * 	 (kc may be NULL).
++ * @note For LUKS devices, if kc is @e NULL and volume key is cached in
++ * 	 device context it returns the volume key generated in preceding
++ * 	 @link crypt_format @endlink call.
++ * @note @link CRYPT_KC_TYPE_TOKEN @endlink keyslot context is usable only with LUKS2 devices.
++ * @note @link CRYPT_KC_TYPE_KEY @endlink keyslot context can not be used.
++ * @note To get LUKS2 unbound key, keyslot parameter must not be @e CRYPT_ANY_SLOT.
++ * @note EPERM errno means provided keyslot context could not unlock any (or selected)
++ * 	 keyslot.
++ * @note ENOENT errno means no LUKS keyslot is available to retrieve volume key from
++ * 	 and there's no cached volume key in device handle.
++ */
++int crypt_volume_key_get_by_keyslot_context(struct crypt_device *cd,
++	int keyslot,
++	char *volume_key,
++	size_t *volume_key_size,
++	struct crypt_keyslot_context *kc);
++
++/**
   * Verify that provided volume key is valid for crypt device.
+  *
   * @param cd crypt device handle
 diff --git a/lib/libcryptsetup.pc.in b/lib/libcryptsetup.pc.in
 index f3d3fb1..7836293 100644
 --- a/lib/libcryptsetup.pc.in
 +++ b/lib/libcryptsetup.pc.in
@@ -8,3 +8,4 @@ Description: cryptsetup library
  Version: @LIBCRYPTSETUP_VERSION@
  Cflags: -I${includedir}
  Libs: -L${libdir} -lcryptsetup
++Requires.private: @PKGMODULES@
 diff --git a/lib/libcryptsetup.sym b/lib/libcryptsetup.sym
 index b845967..d0f0d98 100644
 --- a/lib/libcryptsetup.sym
 +++ b/lib/libcryptsetup.sym
@@ -151,3 +151,17 @@ CRYPTSETUP_2.5 {
  		crypt_get_subsystem;
  		crypt_resume_by_token_pin;
  } CRYPTSETUP_2.4;
++
++CRYPTSETUP_2.6 {
++	global:
++		crypt_keyslot_context_free;
++		crypt_keyslot_context_init_by_passphrase;
++		crypt_keyslot_context_init_by_keyfile;
++		crypt_keyslot_context_init_by_token;
++		crypt_keyslot_context_init_by_volume_key;
++		crypt_keyslot_context_get_error;
++		crypt_keyslot_context_set_pin;
++		crypt_keyslot_context_get_type;
++		crypt_keyslot_add_by_keyslot_context;
++		crypt_volume_key_get_by_keyslot_context;
++} CRYPTSETUP_2.5;
 diff --git a/lib/libcryptsetup_macros.h b/lib/libcryptsetup_macros.h
 index d98adfe..55187ab 100644
 --- a/lib/libcryptsetup_macros.h
 +++ b/lib/libcryptsetup_macros.h
@@ -1,8 +1,8 @@
  /*
   * Definitions of common constant and generic macros of libcryptsetup
+  *
-- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2009-2022 Milan Broz
++ * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2009-2023 Milan Broz
+  *
   * This program is free software; you can redistribute it and/or
   * modify it under the terms of the GNU General Public License
 diff --git a/lib/libcryptsetup_symver.h b/lib/libcryptsetup_symver.h
 index aa27f88..a5aa8f9 100644
 --- a/lib/libcryptsetup_symver.h
 +++ b/lib/libcryptsetup_symver.h
@@ -1,7 +1,7 @@
  /*
   * Helpers for defining versioned symbols
+  *
-- * Copyright (C) 2021-2022 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2021-2023 Red Hat, Inc. All rights reserved.
+  *
   * This program is free software; you can redistribute it and/or
   * modify it under the terms of the GNU General Public License
@@ -72,9 +72,9 @@
       __attribute__((__symver__(#_public_sym _ver_str #_maj "." #_min)))
  #endif
--#if !defined(_CRYPT_SYMVER) && defined(__GNUC__)
++#if !defined(_CRYPT_SYMVER) && (defined(__GNUC__) || defined(__clang__))
  #  define _CRYPT_SYMVER(_local_sym, _public_sym, _ver_str, _maj, _min)         \
--     asm(".symver " #_local_sym "," #_public_sym _ver_str #_maj "." #_min);
++     __asm__(".symver " #_local_sym "," #_public_sym _ver_str #_maj "." #_min);
  #endif
  #define _CRYPT_FUNC(_public_sym, _prefix_str, _maj, _min, _ret, ...)                                    \
 diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
 index a8d8c2a..9c5fc0c 100644
 --- a/lib/libdevmapper.c
 +++ b/lib/libdevmapper.c
@@ -3,8 +3,8 @@
+  *
   * Copyright (C) 2004 Jana Saout <jana@saout.de>
   * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
-- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2009-2022 Milan Broz
++ * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2009-2023 Milan Broz
+  *
   * This program is free software; you can redistribute it and/or
   * modify it under the terms of the GNU General Public License
@@ -31,7 +31,6 @@
  #ifdef HAVE_SYS_SYSMACROS_H
  # include <sys/sysmacros.h>     /* for major, minor */
  #endif
--#include <assert.h>
  #include "internal.h"
  #define DM_CRYPT_TARGET		"crypt"
@@ -205,6 +204,9 @@ static void _dm_set_verity_compat(struct crypt_device *cd,
  	if (_dm_satisfies_version(1, 7, 0, verity_maj, verity_min, verity_patch))
  		_dm_flags |= DM_VERITY_PANIC_CORRUPTION_SUPPORTED;
++	if (_dm_satisfies_version(1, 9, 0, verity_maj, verity_min, verity_patch))
++		_dm_flags |= DM_VERITY_TASKLETS_SUPPORTED;
++
  	_dm_verity_checked = true;
+ }
@@ -473,27 +475,22 @@ static size_t int_log10(uint64_t x)
  	return r;
+ }
--#define CLEN    64   /* 2*MAX_CIPHER_LEN */
--#define CLENS  "63"  /* for sscanf length + '\0' */
--#define CAPIL  144   /* should be enough to fit whole capi string */
--#define CAPIS "143"  /* for sscanf of crypto API string + 16  + \0 */
--
--static int cipher_c2dm(const char *org_c, const char *org_i, unsigned tag_size,
++static int cipher_dm2c(const char *org_c, const char *org_i, unsigned tag_size,
  		       char *c_dm, int c_dm_size,
  		       char *i_dm, int i_dm_size)
+ {
  	int c_size = 0, i_size = 0, i;
--	char cipher[CLEN], mode[CLEN], iv[CLEN+1], tmp[CLEN];
--	char capi[CAPIL];
++	char cipher[MAX_CAPI_ONE_LEN], mode[MAX_CAPI_ONE_LEN], iv[MAX_CAPI_ONE_LEN+1],
++	     tmp[MAX_CAPI_ONE_LEN], capi[MAX_CAPI_LEN];
  	if (!c_dm || !c_dm_size || !i_dm || !i_dm_size)
  		return -EINVAL;
--	i = sscanf(org_c, "%" CLENS "[^-]-%" CLENS "s", cipher, tmp);
++	i = sscanf(org_c, "%" MAX_CAPI_ONE_LEN_STR "[^-]-%" MAX_CAPI_ONE_LEN_STR "s", cipher, tmp);
  	if (i != 2)
  		return -EINVAL;
--	i = sscanf(tmp, "%" CLENS "[^-]-%" CLENS "s", mode, iv);
++	i = sscanf(tmp, "%" MAX_CAPI_ONE_LEN_STR "[^-]-%" MAX_CAPI_ONE_LEN_STR "s", mode, iv);
  	if (i == 1) {
  		memset(iv, 0, sizeof(iv));
  		strncpy(iv, mode, sizeof(iv)-1);
@@ -540,75 +537,6 @@ static int cipher_c2dm(const char *org_c, const char *org_i, unsigned tag_size,
  	return 0;
+ }
--static int cipher_dm2c(char **org_c, char **org_i, const char *c_dm, const char *i_dm)
--{
--	char cipher[CLEN], mode[CLEN], iv[CLEN], auth[CLEN];
--	char tmp[CAPIL], dmcrypt_tmp[CAPIL*2], capi[CAPIL+1];
--	size_t len;
--	int i;
--
--	if (!c_dm)
--		return -EINVAL;
--
--	/* legacy mode */
--	if (strncmp(c_dm, "capi:", 4)) {
--		if (!(*org_c = strdup(c_dm)))
--			return -ENOMEM;
--		*org_i = NULL;
--		return 0;
--	}
--
--	/* modes with capi: prefix */
--	i = sscanf(c_dm, "capi:%" CAPIS "[^-]-%" CLENS "s", tmp, iv);
--	if (i != 2)
--		return -EINVAL;
--
--	len = strlen(tmp);
--	if (len < 2)
--		return -EINVAL;
--
--	if (tmp[len-1] == ')')
--		tmp[len-1] = '\0';
--
--	if (sscanf(tmp, "rfc4309(%" CAPIS "s", capi) == 1) {
--		if (!(*org_i = strdup("aead")))
--			return -ENOMEM;
--	} else if (sscanf(tmp, "rfc7539(%" CAPIS "[^,],%" CLENS "s", capi, auth) == 2) {
--		if (!(*org_i = strdup(auth)))
--			return -ENOMEM;
--	} else if (sscanf(tmp, "authenc(%" CLENS "[^,],%" CAPIS "s", auth, capi) == 2) {
--		if (!(*org_i = strdup(auth)))
--			return -ENOMEM;
--	} else {
--		if (i_dm) {
--			if (!(*org_i = strdup(i_dm)))
--				return -ENOMEM;
--		} else
--			*org_i = NULL;
--		memset(capi, 0, sizeof(capi));
--		strncpy(capi, tmp, sizeof(capi)-1);
--	}
--
--	i = sscanf(capi, "%" CLENS "[^(](%" CLENS "[^)])", mode, cipher);
--	if (i == 2)
--		i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s-%s", cipher, mode, iv);
--	else
--		i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s", capi, iv);
--	if (i < 0 || (size_t)i >= sizeof(dmcrypt_tmp)) {
--		free(*org_i);
--		*org_i = NULL;
--		return -EINVAL;
--	}
--
--	if (!(*org_c = strdup(dmcrypt_tmp))) {
--		free(*org_i);
--		*org_i = NULL;
--		return -ENOMEM;
--	}
--
--	return 0;
--}
--
  static char *_uf(char *buf, size_t buf_size, const char *s, unsigned u)
+ {
  	size_t r = snprintf(buf, buf_size, " %s:%u", s, u);
@@ -626,7 +554,7 @@ static char *get_dm_crypt_params(const struct dm_target *tgt, uint32_t flags)
  	if (!tgt)
  		return NULL;
--	r = cipher_c2dm(tgt->u.crypt.cipher, tgt->u.crypt.integrity, tgt->u.crypt.tag_size,
++	r = cipher_dm2c(tgt->u.crypt.cipher, tgt->u.crypt.integrity, tgt->u.crypt.tag_size,
  			cipher_dm, sizeof(cipher_dm), integrity_dm, sizeof(integrity_dm));
  	if (r < 0)
  		return NULL;
@@ -734,6 +662,8 @@ static char *get_dm_verity_params(const struct dm_target *tgt, uint32_t flags)
  		num_options++;
  	if (flags & CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE)
  		num_options++;
++	if (flags & CRYPT_ACTIVATE_TASKLETS)
++		num_options++;
  	max_fec_size = (tgt->u.verity.fec_device ? strlen(device_block_path(tgt->u.verity.fec_device)) : 0) + 256;
  	fec_features = crypt_safe_alloc(max_fec_size);
@@ -764,13 +694,14 @@ static char *get_dm_verity_params(const struct dm_target *tgt, uint32_t flags)
  	} else
  		*verity_verify_args = '\0';
--	if (num_options) {  /* MAX length int32 + 18 + 22 + 20 + 19 + 19 */
--		r = snprintf(features, sizeof(features), " %d%s%s%s%s%s", num_options,
++	if (num_options) {  /* MAX length int32 + 18 + 22 + 20 + 19 + 19 + 22 */
++		r = snprintf(features, sizeof(features), " %d%s%s%s%s%s%s", num_options,
  		(flags & CRYPT_ACTIVATE_IGNORE_CORRUPTION) ? " ignore_corruption" : "",
  		(flags & CRYPT_ACTIVATE_RESTART_ON_CORRUPTION) ? " restart_on_corruption" : "",
  		(flags & CRYPT_ACTIVATE_PANIC_ON_CORRUPTION) ? " panic_on_corruption" : "",
  		(flags & CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS) ? " ignore_zero_blocks" : "",
--		(flags & CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE) ? " check_at_most_once" : "");
++		(flags & CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE) ? " check_at_most_once" : "",
++		(flags & CRYPT_ACTIVATE_TASKLETS) ? " try_verify_in_tasklet" : "");
  		if (r < 0 || (size_t)r >= sizeof(features))
  			goto out;
  	} else
@@ -1705,6 +1636,12 @@ int dm_create_device(struct crypt_device *cd, const char *name,
  		r = -EINVAL;
+ 	}
++	if (dmd->flags & CRYPT_ACTIVATE_TASKLETS &&
++	    !(dmt_flags & DM_VERITY_TASKLETS_SUPPORTED)) {
++		log_err(cd, _("Requested dm-verity tasklets option is not supported."));
++		r = -EINVAL;
++	}
++
  	if (dmd->flags & CRYPT_ACTIVATE_PANIC_ON_CORRUPTION &&
  	    !(dmt_flags & DM_VERITY_PANIC_CORRUPTION_SUPPORTED)) {
  		log_err(cd, _("Requested dm-verity data corruption handling options are not supported."));
@@ -2054,9 +1991,7 @@ static int _dm_target_query_crypt(struct crypt_device *cd, uint32_t get_flags,
  	/* cipher */
  	if (get_flags & DM_ACTIVE_CRYPT_CIPHER) {
--		r = cipher_dm2c(CONST_CAST(char**)&cipher,
--				CONST_CAST(char**)&integrity,
--				rcipher, rintegrity);
++		r = crypt_capi_to_cipher(&cipher, &integrity, rcipher, rintegrity);
  		if (r < 0)
  			goto err;
+ 	}
@@ -2289,6 +2224,8 @@ static int _dm_target_query_verity(struct crypt_device *cd,
  				*act_flags |= CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS;
  			else if (!strcasecmp(arg, "check_at_most_once"))
  				*act_flags |= CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE;
++			else if (!strcasecmp(arg, "try_verify_in_tasklet"))
++				*act_flags |= CRYPT_ACTIVATE_TASKLETS;
  			else if (!strcasecmp(arg, "use_fec_from_device")) {
  				str = strsep(&params, " ");
  				str2 = crypt_lookup_dev(str);
@@ -2842,7 +2779,8 @@ int dm_query_device(struct crypt_device *cd, const char *name,
  	return r;
+ }
--static int _process_deps(struct crypt_device *cd, const char *prefix, struct dm_deps *deps, char **names, size_t names_offset, size_t names_length)
++static int _process_deps(struct crypt_device *cd, const char *prefix, struct dm_deps *deps,
++			 char **names, size_t names_offset, size_t names_length)
+ {
  #if HAVE_DECL_DM_DEVICE_GET_NAME
  	struct crypt_dm_active_device dmd;
@@ -2888,7 +2826,8 @@ static int _process_deps(struct crypt_device *cd, const char *prefix, struct dm_
  #endif
+ }
--int dm_device_deps(struct crypt_device *cd, const char *name, const char *prefix, char **names, size_t names_length)
++int dm_device_deps(struct crypt_device *cd, const char *name, const char *prefix,
++		   char **names, size_t names_length)
+ {
  	struct dm_task *dmt;
  	struct dm_info dmi;
 diff --git a/lib/loopaes/loopaes.c b/lib/loopaes/loopaes.c
 index f639670..224d3d0 100644
 --- a/lib/loopaes/loopaes.c
 +++ b/lib/loopaes/loopaes.c
@@ -1,8 +1,8 @@
  /*
   * loop-AES compatible volume handling
+  *
-- * Copyright (C) 2011-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2011-2022 Milan Broz
++ * Copyright (C) 2011-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2011-2023 Milan Broz
+  *
   * This file is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
 diff --git a/lib/loopaes/loopaes.h b/lib/loopaes/loopaes.h
 index c777483..a921694 100644
 --- a/lib/loopaes/loopaes.h
 +++ b/lib/loopaes/loopaes.h
@@ -1,8 +1,8 @@
  /*
   * loop-AES compatible volume handling
+  *
-- * Copyright (C) 2011-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2011-2022 Milan Broz
++ * Copyright (C) 2011-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2011-2023 Milan Broz
+  *
   * This file is free software; you can redistribute it and/or
   * modify it under the terms of the GNU Lesser General Public
 diff --git a/lib/luks1/af.c b/lib/luks1/af.c
 index 12ff78a..76afeac 100644
 --- a/lib/luks1/af.c
 +++ b/lib/luks1/af.c
@@ -2,7 +2,7 @@
   * AFsplitter - Anti forensic information splitter
+  *
   * Copyright (C) 2004 Clemens Fruhwirth <clemens@endorphin.org>
-- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved.
+  *
   * AFsplitter diffuses information over a large stripe of data,
   * therefore supporting secure data destruction.
 diff --git a/lib/luks1/af.h b/lib/luks1/af.h
 index 2db78eb..8a2bceb 100644
 --- a/lib/luks1/af.h
 +++ b/lib/luks1/af.h
@@ -2,7 +2,7 @@
   * AFsplitter - Anti forensic information splitter
+  *
   * Copyright (C) 2004 Clemens Fruhwirth <clemens@endorphin.org>
-- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved.
+  *
   * AFsplitter diffuses information over a large stripe of data,
   * therefore supporting secure data destruction.
 diff --git a/lib/luks1/keyencryption.c b/lib/luks1/keyencryption.c
 index fbbfc8a..c1c8201 100644
 --- a/lib/luks1/keyencryption.c
 +++ b/lib/luks1/keyencryption.c
@@ -2,8 +2,8 @@
   * LUKS - Linux Unified Key Setup
+  *
   * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org>
-- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2012-2022 Milan Broz
++ * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2012-2023 Milan Broz
+  *
   * This program is free software; you can redistribute it and/or
   * modify it under the terms of the GNU General Public License
 diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c
 index f81aaef..fe49a00 100644
 --- a/lib/luks1/keymanage.c
 +++ b/lib/luks1/keymanage.c
@@ -2,8 +2,8 @@
   * LUKS - Linux Unified Key Setup
+  *
   * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org>
-- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2013-2022 Milan Broz
++ * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2013-2023 Milan Broz
+  *
   * This program is free software; you can redistribute it and/or
   * modify it under the terms of the GNU General Public License
@@ -28,8 +28,8 @@
  #include <stdlib.h>
  #include <string.h>
  #include <ctype.h>
--#include <assert.h>
  #include <uuid/uuid.h>
++#include <limits.h>
  #include "luks.h"
  #include "af.h"
@@ -232,11 +232,12 @@ int LUKS_hdr_backup(const char *backup_file, struct crypt_device *ctx)
  	hdr_size = LUKS_device_sectors(&hdr) << SECTOR_SHIFT;
  	buffer_size = size_round_up(hdr_size, crypt_getpagesize());
--	buffer = crypt_safe_alloc(buffer_size);
++	buffer = malloc(buffer_size);
  	if (!buffer || hdr_size < LUKS_ALIGN_KEYSLOTS || hdr_size > buffer_size) {
  		r = -ENOMEM;
  		goto out;
+ 	}
++	memset(buffer, 0, buffer_size);
  	log_dbg(ctx, "Storing backup of header (%zu bytes) and keyslot area (%zu bytes).",
  		sizeof(hdr), hdr_size - LUKS_ALIGN_KEYSLOTS);
@@ -280,7 +281,8 @@ int LUKS_hdr_backup(const char *backup_file, struct crypt_device *ctx)
  	r = 0;
  out:
  	crypt_safe_memzero(&hdr, sizeof(hdr));
--	crypt_safe_free(buffer);
++	crypt_safe_memzero(buffer, buffer_size);
++	free(buffer);
  	return r;
+ }
@@ -308,7 +310,7 @@ int LUKS_hdr_restore(
  		goto out;
+ 	}
--	buffer = crypt_safe_alloc(buffer_size);
++	buffer = malloc(buffer_size);
  	if (!buffer) {
  		r = -ENOMEM;
  		goto out;
@@ -379,7 +381,8 @@ int LUKS_hdr_restore(
  	r = LUKS_read_phdr(hdr, 1, 0, ctx);
  out:
  	device_sync(ctx, device);
--	crypt_safe_free(buffer);
++	crypt_safe_memzero(buffer, buffer_size);
++	free(buffer);
  	return r;
+ }
@@ -922,8 +925,12 @@ int LUKS_set_key(unsigned int keyIndex,
  			hdr->keyblock[keyIndex].passwordSalt, LUKS_SALTSIZE,
  			derived_key->key, hdr->keyBytes,
  			hdr->keyblock[keyIndex].passwordIterations, 0, 0);
--	if (r < 0)
++	if (r < 0) {
++		if ((crypt_backend_flags() & CRYPT_BACKEND_PBKDF2_INT) &&
++		     hdr->keyblock[keyIndex].passwordIterations > INT_MAX)
++			log_err(ctx, _("PBKDF2 iteration value overflow."));
  		goto out;
++	}
  	/*
  	 * AF splitting, the volume key stored in vk->key is split to AfKey
@@ -1227,6 +1234,10 @@ int LUKS_wipe_header_areas(struct luks_phdr *hdr,
  	uint64_t offset, length;
  	size_t wipe_block;
++	r = LUKS_check_device_size(ctx, hdr, 1);
++	if (r)
++		return r;
++
  	/* Wipe complete header, keyslots and padding areas with zeroes. */
  	offset = 0;
  	length = (uint64_t)hdr->payloadOffset * SECTOR_SIZE;
 diff --git a/lib/luks1/luks.h b/lib/luks1/luks.h
 index a5a1b7b..9c3f386 100644
 --- a/lib/luks1/luks.h
 +++ b/lib/luks1/luks.h
@@ -2,7 +2,7 @@
   * LUKS - Linux Unified Key Setup
+  *
   * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org>
-- * Copyright (C) 2009-2022 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved.
+  *
   * This program is free software; you can redistribute it and/or
   * modify it under the terms of the GNU General Public License
 diff --git a/lib/luks2/luks2.h b/lib/luks2/luks2.h
 index 3e61993..dfccf02 100644
 --- a/lib/luks2/luks2.h
 +++ b/lib/luks2/luks2.h
@@ -1,8 +1,8 @@
  /*
   * LUKS - Linux Unified Key Setup v2
+  *
-- * Copyright (C) 2015-2022 Red Hat, Inc. All rights reserved.
-- * Copyright (C) 2015-2022 Milan Broz
++ * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2015-2023 Milan Broz
+  *
   * This program is free software; you can redistribute it and/or
   * modify it under the terms of the GNU General Public License
@@ -121,6 +121,7 @@ struct luks2_hdr {
  	uint8_t		salt2[LUKS2_SALT_L];
  	char		uuid[LUKS2_UUID_L];
  	void		*jobj;
++	void		*jobj_rollback;
  };
  struct luks2_keyslot_params {
@@ -167,6 +168,7 @@ int LUKS2_hdr_version_unlocked(struct crypt_device *cd,

Ubuntucryptsetup package