From 761843165b393c4b1383acc1450e3041405f6a43 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 28 Mar 2023 08:55:57 +0000
Subject: [PATCH] import cryptsetup-2.6.0-2.el9

---
 .cryptsetup.metadata                          |   2 +
 .gitignore                                    |   2 +
 ...-when-header-and-data-devices-are-sa.patch | 161 +++++
 ...use-passphrases-with-minimal-8-chars.patch | 662 ++++++++++++++++++
 ...eader_is_detached-for-empty-contexts.patch |  55 ++
 ...ark-with-8-bytes-long-well-known-pas.patch |  58 ++
 ...ed-error-message-in-keyslot-add-code.patch |  47 ++
 .../cryptsetup-add-system-library-paths.patch |  22 +
 SPECS/cryptsetup.spec                         | 185 +++++
 9 files changed, 1194 insertions(+)
 create mode 100644 .cryptsetup.metadata
 create mode 100644 .gitignore
 create mode 100644 SOURCES/cryptsetup-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch
 create mode 100644 SOURCES/cryptsetup-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch
 create mode 100644 SOURCES/cryptsetup-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch
 create mode 100644 SOURCES/cryptsetup-2.6.1-Run-PBKDF-benchmark-with-8-bytes-long-well-known-pas.patch
 create mode 100644 SOURCES/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch
 create mode 100644 SOURCES/cryptsetup-add-system-library-paths.patch
 create mode 100644 SPECS/cryptsetup.spec

diff --git a/.cryptsetup.metadata b/.cryptsetup.metadata
new file mode 100644
index 0000000..3eba3f7
--- /dev/null
+++ b/.cryptsetup.metadata
@@ -0,0 +1,2 @@
+8098a06269c4268b0446b34f7b20e8fa6032e006 SOURCES/cryptsetup-2.6.0.tar.xz
+ae06fbc13edb47b59ba17eb8faff9959b5eefe93 SOURCES/tests.tar.xz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d1221a6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/cryptsetup-2.6.0.tar.xz
+SOURCES/tests.tar.xz
diff --git a/SOURCES/cryptsetup-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch b/SOURCES/cryptsetup-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch
new file mode 100644
index 0000000..bc50c82
--- /dev/null
+++ b/SOURCES/cryptsetup-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch
@@ -0,0 +1,161 @@
+From c18dcfaa0b91eb48006232fbfadce9e6a9b4a790 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Fri, 2 Dec 2022 15:39:36 +0100
+Subject: [PATCH 2/2] Abort encryption when header and data devices are same.
+
+If data device reduction is not requsted this led
+to data corruption since LUKS metadata was written
+over the data device.
+---
+ src/utils_reencrypt.c          | 42 ++++++++++++++++++++++++++++++----
+ tests/luks2-reencryption-test  | 16 +++++++++++++
+ tests/reencryption-compat-test | 20 +++++++++++++---
+ 3 files changed, 70 insertions(+), 8 deletions(-)
+
+diff --git a/src/utils_reencrypt.c b/src/utils_reencrypt.c
+index 87ead680..73e0bca8 100644
+--- a/src/utils_reencrypt.c
++++ b/src/utils_reencrypt.c
+@@ -467,6 +467,26 @@ static int reencrypt_check_active_device_sb_block_size(const char *active_device
+ 	return reencrypt_check_data_sb_block_size(dm_device, new_sector_size);
+ }
+ 
++static int reencrypt_is_header_detached(const char *header_device, const char *data_device)
++{
++	int r;
++	struct stat st;
++	struct crypt_device *cd;
++
++	if (!header_device)
++		return 0;
++
++	if (header_device && stat(header_device, &st) < 0 && errno == ENOENT)
++		return 1;
++
++	if ((r = crypt_init_data_device(&cd, header_device, data_device)))
++		return r;
++
++	r = crypt_header_is_detached(cd);
++	crypt_free(cd);
++	return r;
++}
++
+ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device, const char *device_name)
+ {
+ 	int keyslot, r, fd;
+@@ -490,9 +510,14 @@ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device,
+ 
+ 	_set_reencryption_flags(&params.flags);
+ 
+-	if (!data_shift && !ARG_SET(OPT_HEADER_ID)) {
+-		log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
+-		return -ENOTSUP;
++	if (!data_shift) {
++		r = reencrypt_is_header_detached(ARG_STR(OPT_HEADER_ID), data_device);
++		if (r < 0)
++			return r;
++		if (!r) {
++			log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
++			return -ENOTSUP;
++		}
+ 	}
+ 
+ 	if (!ARG_SET(OPT_HEADER_ID) && ARG_UINT64(OPT_OFFSET_ID) &&
+@@ -1358,9 +1383,16 @@ static int _encrypt(struct crypt_device *cd, const char *type, enum device_statu
+ 	if (!type)
+ 		type = crypt_get_default_type();
+ 
+-	if (dev_st == DEVICE_LUKS1_UNUSABLE || isLUKS1(type))
++	if (dev_st == DEVICE_LUKS1_UNUSABLE || isLUKS1(type)) {
++		r = reencrypt_is_header_detached(ARG_STR(OPT_HEADER_ID), action_argv[0]);
++		if (r < 0)
++			return r;
++		if (!r && !ARG_SET(OPT_REDUCE_DEVICE_SIZE_ID)) {
++			log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
++			return -ENOTSUP;
++		}
+ 		return reencrypt_luks1(action_argv[0]);
+-	else if (dev_st == DEVICE_NOT_LUKS) {
++	} else if (dev_st == DEVICE_NOT_LUKS) {
+ 		r = encrypt_luks2_init(&encrypt_cd, action_argv[0], action_argc > 1 ? action_argv[1] : NULL);
+ 		if (r < 0 || ARG_SET(OPT_INIT_ONLY_ID)) {
+ 			crypt_free(encrypt_cd);
+diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
+index bab54353..a647a8c2 100755
+--- a/tests/luks2-reencryption-test
++++ b/tests/luks2-reencryption-test
+@@ -1080,6 +1080,22 @@ $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
+ $CRYPTSETUP close $DEV_NAME
+ echo $PWD1 | $CRYPTSETUP open --header $IMG_HDR $DEV --test-passphrase || fail
+ 
++# Encrypt without size reduction must not allow header device same as data device
++wipe_dev_head $DEV 1
++echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $DEV 2>/dev/null && fail
++ln -s $DEV $DEV_LINK || fail
++echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $DEV 2>/dev/null && fail
++rm -f $DEV_LINK || fail
++
++dd if=/dev/zero of=$IMG bs=4k count=1 >/dev/null 2>&1
++echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
++ln -s $IMG $DEV_LINK || fail
++echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
++
+ echo "[4] Reencryption with detached header"
+ wipe $PWD1 $IMG_HDR
+ echo $PWD1 | $CRYPTSETUP reencrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
+diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test
+index f6a84137..453831d1 100755
+--- a/tests/reencryption-compat-test
++++ b/tests/reencryption-compat-test
+@@ -15,6 +15,7 @@ IMG=reenc-data
+ IMG_HDR=$IMG.hdr
+ HEADER_LUKS2_PV=blkid-luks2-pv.img
+ ORIG_IMG=reenc-data-orig
++DEV_LINK="reenc-test-link"
+ KEY1=key1
+ PWD1="93R4P4pIqAH8"
+ PWD2="1cND4319812f"
+@@ -40,7 +41,7 @@ function remove_mapping()
+ 	[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
+ 	[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
+ 	[ ! -z "$LOOPDEV1" ] && losetup -d $LOOPDEV1 >/dev/null 2>&1
+-	rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $HEADER_LUKS2_PV >/dev/null 2>&1
++	rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $HEADER_LUKS2_PV $DEV_LINK >/dev/null 2>&1
+ 	umount $MNT_DIR > /dev/null 2>&1
+ 	rmdir $MNT_DIR > /dev/null 2>&1
+ 	LOOPDEV1=""
+@@ -302,12 +303,25 @@ check_slot 0 || fail "Only keyslot 0 expected to be enabled"
+ $REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q || fail
+ # FIXME echo $PWD1 | $REENC ...
+ 
+-if [ ! fips_mode ]; then
+ echo "[4] Encryption of not yet encrypted device"
++# Encrypt without size reduction must not allow header device same as data device
++wipe_dev $LOOPDEV1
++echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $LOOPDEV1 -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail
++ln -s $LOOPDEV1 $DEV_LINK || fail
++echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail
++rm -f $DEV_LINK || fail
++echo $PWD1 | $REENC $IMG --type luks1 --new --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
++ln -s $IMG $DEV_LINK || fail
++echo $PWD1 | $REENC $IMG --type luks1 --new --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
++$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
++
++if [ ! fips_mode ]; then
+ # well, movin' zeroes :-)
+ OFFSET=2048
+ SIZE=$(blockdev --getsz $LOOPDEV1)
+-wipe_dev $LOOPDEV1
+ dmsetup create $DEV_NAME2 --table "0 $(($SIZE - $OFFSET)) linear $LOOPDEV1 0" || fail
+ check_hash_dev /dev/mapper/$DEV_NAME2 $HASH3
+ dmsetup remove --retry $DEV_NAME2 || fail
+-- 
+2.38.1
+
diff --git a/SOURCES/cryptsetup-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch b/SOURCES/cryptsetup-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch
new file mode 100644
index 0000000..6a401f2
--- /dev/null
+++ b/SOURCES/cryptsetup-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch
@@ -0,0 +1,662 @@
+From e7a1f18d976771efc06987107da12ccae4d0b360 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Fri, 2 Dec 2022 11:40:24 +0100
+Subject: [PATCH 2/3] Change tests to use passphrases with minimal 8 chars
+ length.
+
+Skip tests that can not satisfy minimal test passphrase length:
+
+- empty passphrase
+- LUKS1 cipher_null tests (empty passphrase is mandatory)
+- LUKS1 encryption
+---
+ tests/Makefile.am              |   3 +-
+ tests/align-test               |  10 +++
+ tests/api-test-2.c             | 117 +++++++++++++++++----------------
+ tests/api-test.c               |  14 ++--
+ tests/compat-test              |   8 ++-
+ tests/compat-test2             |  16 +++--
+ tests/keyring-compat-test      |   2 +-
+ tests/reencryption-compat-test |  10 +++
+ tests/ssh-test-plugin          |   2 +-
+ 9 files changed, 110 insertions(+), 72 deletions(-)
+
+diff --git a/tests/align-test b/tests/align-test
+index eedf8b77..5941cde2 100755
+--- a/tests/align-test
++++ b/tests/align-test
+@@ -10,9 +10,16 @@ PWD1="93R4P4pIqAH8"
+ PWD2="mymJeD8ivEhE"
+ FAST_PBKDF="--pbkdf-force-iterations 1000"
+ 
++FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
++
+ CRYPTSETUP_VALGRIND=../.libs/cryptsetup
+ CRYPTSETUP_LIB_VALGRIND=../.libs
+ 
++function fips_mode()
++{
++	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
++}
++
+ cleanup() {
+ 	udevadm settle >/dev/null 2>&1
+ 	if [ -d "$MNT_DIR" ] ; then
+@@ -276,6 +283,8 @@ format_plain_fail 2048
+ format_plain_fail 4096
+ cleanup
+ 
++# skip tests using empty passphrase (LUKS1 cipher_null)
++if [ ! fips_mode ]; then
+ echo "# Offset check: 512B sector drive"
+ add_device dev_size_mb=16 sector_size=512 num_tgts=1
+ #           |k| expO reqO expected slot offsets
+@@ -314,6 +323,7 @@ format_null 512 4040    8
+ format_null 512 4096  128
+ format_null 512 4096 2048
+ cleanup
++fi
+ 
+ echo "# Create enterprise-class 4K drive with fs and LUKS images."
+ # loop device here presents 512 block but images have 4k block
+diff --git a/tests/api-test-2.c b/tests/api-test-2.c
+index b7c762d9..2c39191b 100644
+--- a/tests/api-test-2.c
++++ b/tests/api-test-2.c
+@@ -74,8 +74,8 @@ typedef int32_t key_serial_t;
+ #define KEYFILE2 "key2.file"
+ #define KEY2 "0123456789abcdef"
+ 
+-#define PASSPHRASE "blabla"
+-#define PASSPHRASE1 "albalb"
++#define PASSPHRASE "blablabl"
++#define PASSPHRASE1 "albalbal"
+ 
+ #define DEVICE_TEST_UUID "12345678-1234-1234-1234-123456789abc"
+ 
+@@ -107,15 +107,15 @@ typedef int32_t key_serial_t;
+ #define CONV_L2_512_DET_FULL "l2_512b_det_full"
+ #define CONV_L1_256_LEGACY "l1_256b_legacy_offset"
+ #define CONV_L1_256_UNMOVABLE "l1_256b_unmovable"
+-#define PASS0 "aaa"
+-#define PASS1 "hhh"
+-#define PASS2 "ccc"
+-#define PASS3 "ddd"
+-#define PASS4 "eee"
+-#define PASS5 "fff"
+-#define PASS6 "ggg"
+-#define PASS7 "bbb"
+-#define PASS8 "iii"
++#define PASS0 "aaablabl"
++#define PASS1 "hhhblabl"
++#define PASS2 "cccblabl"
++#define PASS3 "dddblabl"
++#define PASS4 "eeeblabl"
++#define PASS5 "fffblabl"
++#define PASS6 "gggblabl"
++#define PASS7 "bbbblabl"
++#define PASS8 "iiiblabl"
+ 
+ static int _fips_mode = 0;
+ 
+@@ -429,11 +429,11 @@ static int _setup(void)
+ 
+ 	_system("dd if=/dev/zero of=" IMAGE_EMPTY_SMALL_2 " bs=512 count=2050 2>/dev/null", 1);
+ 
+-	_system(" [ ! -e " NO_REQS_LUKS2_HEADER " ] && xz -dk " NO_REQS_LUKS2_HEADER ".xz", 1);
++	_system(" [ ! -e " NO_REQS_LUKS2_HEADER " ] && tar xJf " REQS_LUKS2_HEADER ".tar.xz", 1);
+ 	fd = loop_attach(&DEVICE_4, NO_REQS_LUKS2_HEADER, 0, 0, &ro);
+ 	close(fd);
+ 
+-	_system(" [ ! -e " REQS_LUKS2_HEADER " ] && xz -dk " REQS_LUKS2_HEADER ".xz", 1);
++	_system(" [ ! -e " REQS_LUKS2_HEADER " ] && tar xJf " REQS_LUKS2_HEADER ".tar.xz", 1);
+ 	fd = loop_attach(&DEVICE_5, REQS_LUKS2_HEADER, 0, 0, &ro);
+ 	close(fd);
+ 
+@@ -709,7 +709,7 @@ static void AddDeviceLuks2(void)
+ 	};
+ 	char key[128], key2[128], key3[128];
+ 
+-	const char *tmp_buf, *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd";
++	const char *tmp_buf, *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd";
+ 	const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+ 	const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e";
+ 	size_t key_size = strlen(vk_hex) / 2;
+@@ -1056,7 +1056,6 @@ static void Luks2MetadataSize(void)
+ 	};
+ 	char key[128], tmp[128];
+ 
+-	const char *passphrase = "blabla";
+ 	const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+ 	size_t key_size = strlen(vk_hex) / 2;
+ 	const char *cipher = "aes";
+@@ -1103,7 +1102,7 @@ static void Luks2MetadataSize(void)
+ 	OK_(crypt_init(&cd, DMDIR H_DEVICE));
+ 	OK_(crypt_set_metadata_size(cd, 0x080000, 0x080000));
+ 	OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, key, key_size, &params));
+-	EQ_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, passphrase, strlen(passphrase)), 7);
++	EQ_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, PASSPHRASE, strlen(PASSPHRASE)), 7);
+ 	CRYPT_FREE(cd);
+ 	OK_(crypt_init(&cd, DMDIR H_DEVICE));
+ 	OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
+@@ -3306,8 +3305,8 @@ static void Luks2Requirements(void)
+ 		.key_description = KEY_DESC_TEST0
+ 	};
+ 
+-	OK_(prepare_keyfile(KEYFILE1, "aaa", 3));
+-	OK_(prepare_keyfile(KEYFILE2, "xxx", 3));
++	OK_(prepare_keyfile(KEYFILE1, PASSPHRASE, strlen(PASSPHRASE)));
++	OK_(prepare_keyfile(KEYFILE2, PASSPHRASE1, strlen(PASSPHRASE1)));
+ 
+ 	/* crypt_load (unrestricted) */
+ 	OK_(crypt_init(&cd, DEVICE_5));
+@@ -3361,11 +3360,11 @@ static void Luks2Requirements(void)
+ 	OK_(crypt_repair(cd, CRYPT_LUKS2, NULL));
+ 
+ 	/* crypt_keyslot_add_passphrase (restricted) */
+-	FAIL_((r = crypt_keyslot_add_by_passphrase(cd, CRYPT_ANY_SLOT, "aaa", 3, "bbb", 3)), "Unmet requirements detected");
++	FAIL_((r = crypt_keyslot_add_by_passphrase(cd, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), "bbb", 3)), "Unmet requirements detected");
+ 	EQ_(r, -ETXTBSY);
+ 
+ 	/* crypt_keyslot_change_by_passphrase (restricted) */
+-	FAIL_((r = crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 9, "aaa", 3, "bbb", 3)), "Unmet requirements detected");
++	FAIL_((r = crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 9, PASSPHRASE, strlen(PASSPHRASE), "bbb", 3)), "Unmet requirements detected");
+ 	EQ_(r, -ETXTBSY);
+ 
+ 	/* crypt_keyslot_add_by_keyfile (restricted) */
+@@ -3377,18 +3376,18 @@ static void Luks2Requirements(void)
+ 	EQ_(r, -ETXTBSY);
+ 
+ 	/* crypt_volume_key_get (unrestricted, but see below) */
+-	OK_(crypt_volume_key_get(cd, 0, key, &key_size, "aaa", 3));
++	OK_(crypt_volume_key_get(cd, 0, key, &key_size, PASSPHRASE, strlen(PASSPHRASE)));
+ 
+ 	/* crypt_keyslot_add_by_volume_key (restricted) */
+-	FAIL_((r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, key_size, "xxx", 3)), "Unmet requirements detected");
++	FAIL_((r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, key_size, PASSPHRASE1, strlen(PASSPHRASE1))), "Unmet requirements detected");
+ 	EQ_(r, -ETXTBSY);
+ 
+ 	/* crypt_keyslot_add_by_key (restricted) */
+-	FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, NULL, key_size, "xxx", 3, CRYPT_VOLUME_KEY_NO_SEGMENT)), "Unmet requirements detected");
++	FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, NULL, key_size, PASSPHRASE1, strlen(PASSPHRASE1), CRYPT_VOLUME_KEY_NO_SEGMENT)), "Unmet requirements detected");
+ 	EQ_(r, -ETXTBSY);
+ 
+ 	/* crypt_keyslot_add_by_key (restricted) */
+-	FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, key, key_size, "xxx", 3, 0)), "Unmet requirements detected");
++	FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, key, key_size, PASSPHRASE1, strlen(PASSPHRASE1), 0)), "Unmet requirements detected");
+ 	EQ_(r, -ETXTBSY);
+ 
+ 	/* crypt_persistent_flasgs_set (restricted) */
+@@ -3400,10 +3399,10 @@ static void Luks2Requirements(void)
+ 	EQ_(flags, CRYPT_REQUIREMENT_UNKNOWN);
+ 
+ 	/* crypt_activate_by_passphrase (restricted for activation only) */
+-	FAIL_((r = crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0)), "Unmet requirements detected");
++	FAIL_((r = crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0)), "Unmet requirements detected");
+ 	EQ_(r, -ETXTBSY);
+-	OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, 0));
+-	OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
++	OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), 0));
++	OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
+ 	EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
+ 
+ 	/* crypt_activate_by_keyfile (restricted for activation only) */
+@@ -3420,7 +3419,7 @@ static void Luks2Requirements(void)
+ 
+ #ifdef KERNEL_KEYRING
+ 	if (t_dm_crypt_keyring_support()) {
+-		kid = add_key("user", KEY_DESC_TEST0, "aaa", 3, KEY_SPEC_THREAD_KEYRING);
++		kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING);
+ 		NOTFAIL_(kid, "Test or kernel keyring are broken.");
+ 
+ 		/* crypt_activate_by_keyring (restricted for activation only) */
+@@ -3428,6 +3427,8 @@ static void Luks2Requirements(void)
+ 		EQ_(r, t_dm_crypt_keyring_support() ? -ETXTBSY : -EINVAL);
+ 		OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, 0));
+ 		OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, CRYPT_ACTIVATE_KEYRING_KEY));
++
++		NOTFAIL_(keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING), "Test or kernel keyring are broken.");
+ 	}
+ #endif
+ 
+@@ -3513,10 +3514,15 @@ static void Luks2Requirements(void)
+ 	/* crypt_activate_by_token (restricted for activation only) */
+ #ifdef KERNEL_KEYRING
+ 	if (t_dm_crypt_keyring_support()) {
++		kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING);
++		NOTFAIL_(kid, "Test or kernel keyring are broken.");
++
+ 		FAIL_((r = crypt_activate_by_token(cd, CDEVICE_1, 1, NULL, 0)), ""); // supposed to be silent
+ 		EQ_(r, -ETXTBSY);
+ 		OK_(crypt_activate_by_token(cd, NULL, 1, NULL, 0));
+ 		OK_(crypt_activate_by_token(cd, NULL, 1, NULL, CRYPT_ACTIVATE_KEYRING_KEY));
++
++		NOTFAIL_(keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING), "Test or kernel keyring are broken.");
+ 	}
+ #endif
+ 	OK_(get_luks2_offsets(0, 8192, 0, NULL, &r_payload_offset));
+@@ -3528,7 +3534,7 @@ static void Luks2Requirements(void)
+ 	CRYPT_FREE(cd);
+ 	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+ 	OK_(crypt_load(cd, CRYPT_LUKS, NULL));
+-	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0));
++	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0));
+ 	OK_(crypt_header_backup(cd, CRYPT_LUKS2, BACKUP_FILE));
+ 	/* replace header with no requirements */
+ 	OK_(_system("dd if=" REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
+@@ -3566,7 +3572,7 @@ static void Luks2Requirements(void)
+ 	OK_(crypt_init_by_name(&cd, CDEVICE_1));
+ 
+ 	/* crypt_resume_by_passphrase (restricted) */
+-	FAIL_((r = crypt_resume_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3)), "Unmet requirements detected");
++	FAIL_((r = crypt_resume_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE))), "Unmet requirements detected");
+ 	EQ_(r, -ETXTBSY);
+ 
+ 	/* crypt_resume_by_keyfile (restricted) */
+@@ -3580,13 +3586,13 @@ static void Luks2Requirements(void)
+ 
+ 	OK_(_system("dd if=" NO_REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
+ 	OK_(crypt_init_by_name(&cd, CDEVICE_1));
+-	OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3));
++	OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE)));
+ 	CRYPT_FREE(cd);
+ 	OK_(_system("dd if=" REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
+ 
+ 	OK_(crypt_init_by_name(&cd, CDEVICE_1));
+ 	/* load VK in keyring */
+-	OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
++	OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
+ 	/* crypt_resize (restricted) */
+ 	FAIL_((r = crypt_resize(cd, CDEVICE_1, 1)), "Unmet requirements detected");
+ 	EQ_(r, -ETXTBSY);
+@@ -3622,7 +3628,6 @@ static void Luks2Integrity(void)
+ 		.integrity = "hmac(sha256)"
+ 	};
+ 	size_t key_size = 32 + 32;
+-	const char *passphrase = "blabla";
+ 	const char *cipher = "aes";
+ 	const char *cipher_mode = "xts-random";
+ 	int ret;
+@@ -3636,8 +3641,8 @@ static void Luks2Integrity(void)
+ 		return;
+ 	}
+ 
+-	EQ_(crypt_keyslot_add_by_volume_key(cd, 7, NULL, key_size, passphrase, strlen(passphrase)), 7);
+-	EQ_(crypt_activate_by_passphrase(cd, CDEVICE_2, 7, passphrase, strlen(passphrase) ,0), 7);
++	EQ_(crypt_keyslot_add_by_volume_key(cd, 7, NULL, key_size, PASSPHRASE, strlen(PASSPHRASE)), 7);
++	EQ_(crypt_activate_by_passphrase(cd, CDEVICE_2, 7, PASSPHRASE, strlen(PASSPHRASE) ,0), 7);
+ 	GE_(crypt_status(cd, CDEVICE_2), CRYPT_ACTIVE);
+ 	CRYPT_FREE(cd);
+ 
+@@ -3689,36 +3694,36 @@ static void Luks2Refresh(void)
+ 	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+ 	OK_(set_fast_pbkdf(cd));
+ 	OK_(crypt_format(cd, CRYPT_LUKS2, cipher, mode, NULL, key, 32, NULL));
+-	OK_(crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, 32, "aaa", 3));
+-	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0));
++	OK_(crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, 32, PASSPHRASE, strlen(PASSPHRASE)));
++	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0));
+ 
+ 	/* check we can refresh significant flags */
+ 	if (t_dm_crypt_discard_support()) {
+-		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_ALLOW_DISCARDS));
++		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_ALLOW_DISCARDS));
+ 		OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ 		OK_(check_flag(cad.flags, CRYPT_ACTIVATE_ALLOW_DISCARDS));
+ 		cad.flags = 0;
+ 	}
+ 
+ 	if (t_dm_crypt_cpu_switch_support()) {
+-		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SAME_CPU_CRYPT));
++		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SAME_CPU_CRYPT));
+ 		OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ 		OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SAME_CPU_CRYPT));
+ 		cad.flags = 0;
+ 
+-		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
++		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
+ 		OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ 		OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
+ 		cad.flags = 0;
+ 
+-		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
++		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
+ 		OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ 		OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
+ 		cad.flags = 0;
+ 	}
+ 
+ 	OK_(crypt_volume_key_keyring(cd, 0));
+-	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
++	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
+ 	OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ 	FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_KEYRING_KEY), "Unexpected flag raised.");
+ 	cad.flags = 0;
+@@ -3726,7 +3731,7 @@ static void Luks2Refresh(void)
+ #ifdef KERNEL_KEYRING
+ 	if (t_dm_crypt_keyring_support()) {
+ 		OK_(crypt_volume_key_keyring(cd, 1));
+-		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
++		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
+ 		OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ 		OK_(check_flag(cad.flags, CRYPT_ACTIVATE_KEYRING_KEY));
+ 		cad.flags = 0;
+@@ -3735,26 +3740,26 @@ static void Luks2Refresh(void)
+ 
+ 	/* multiple flags at once */
+ 	if (t_dm_crypt_discard_support() && t_dm_crypt_cpu_switch_support()) {
+-		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS));
++		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS));
+ 		OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ 		OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS));
+ 		cad.flags = 0;
+ 	}
+ 
+ 	/* do not allow reactivation with read-only (and drop flag silently because activation behaves exactly same) */
+-	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_READONLY));
++	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_READONLY));
+ 	OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ 	FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_READONLY), "Reactivated with read-only flag.");
+ 	cad.flags = 0;
+ 
+ 	/* reload flag is dropped silently */
+ 	OK_(crypt_deactivate(cd, CDEVICE_1));
+-	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
++	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
+ 
+ 	/* check read-only flag is not lost after reload */
+ 	OK_(crypt_deactivate(cd, CDEVICE_1));
+-	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_READONLY));
+-	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
++	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_READONLY));
++	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
+ 	OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+ 	OK_(check_flag(cad.flags, CRYPT_ACTIVATE_READONLY));
+ 	cad.flags = 0;
+@@ -3762,7 +3767,7 @@ static void Luks2Refresh(void)
+ 	/* check LUKS2 with auth. enc. reload */
+ 	OK_(crypt_init(&cd2, DMDIR L_DEVICE_WRONG));
+ 	if (!crypt_format(cd2, CRYPT_LUKS2, "aes", "gcm-random", crypt_get_uuid(cd), key, 32, &params)) {
+-		OK_(crypt_keyslot_add_by_volume_key(cd2, 0, key, 32, "aaa", 3));
++		OK_(crypt_keyslot_add_by_volume_key(cd2, 0, key, 32, PASSPHRASE, strlen(PASSPHRASE)));
+ 		OK_(crypt_activate_by_volume_key(cd2, CDEVICE_2, key, 32, 0));
+ 		OK_(crypt_activate_by_volume_key(cd2, CDEVICE_2, key, 32, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_NO_JOURNAL));
+ 		OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad));
+@@ -3772,11 +3777,11 @@ static void Luks2Refresh(void)
+ 		OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad));
+ 		OK_(check_flag(cad.flags, CRYPT_ACTIVATE_NO_JOURNAL | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
+ 		cad.flags = 0;
+-		OK_(crypt_activate_by_passphrase(cd2, CDEVICE_2, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
++		OK_(crypt_activate_by_passphrase(cd2, CDEVICE_2, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
+ 		OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad));
+ 		FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_NO_JOURNAL), "");
+ 		FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS), "");
+-		FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS2/aead context");
++		FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS2/aead context");
+ 		OK_(crypt_deactivate(cd2, CDEVICE_2));
+ 	} else {
+ 		printf("WARNING: cannot format integrity device, skipping few reload tests.\n");
+@@ -3786,8 +3791,8 @@ static void Luks2Refresh(void)
+ 	/* Use LUKS1 context on LUKS2 device */
+ 	OK_(crypt_init(&cd2, DMDIR L_DEVICE_1S));
+ 	OK_(crypt_format(cd2, CRYPT_LUKS1, cipher, mode, crypt_get_uuid(cd), key, 32, NULL));
+-	OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, NULL, 32, "aaa", 3));
+-	FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS1 context");
++	OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)));
++	FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS1 context");
+ 	CRYPT_FREE(cd2);
+ 
+ 	/* Use PLAIN context on LUKS2 device */
+@@ -3803,8 +3808,8 @@ static void Luks2Refresh(void)
+ 	OK_(crypt_init(&cd2, DMDIR L_DEVICE_WRONG));
+ 	OK_(set_fast_pbkdf(cd2));
+ 	OK_(crypt_format(cd2, CRYPT_LUKS2, cipher, mode, crypt_get_uuid(cd), key, 32, NULL));
+-	OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, key, 32, "aaa", 3));
+-	FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed dm-crypt mapped over mismatching data device");
++	OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, key, 32, PASSPHRASE, strlen(PASSPHRASE)));
++	FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed dm-crypt mapped over mismatching data device");
+ 
+ 	OK_(crypt_deactivate(cd, CDEVICE_1));
+ 
+@@ -4825,7 +4830,7 @@ static void LuksKeyslotAdd(void)
+ 	crypt_keyslot_context_free(um2);
+ 
+ 	// generate new unbound key
+-	OK_(crypt_keyslot_context_init_by_volume_key(cd, NULL, 1, &um1));
++	OK_(crypt_keyslot_context_init_by_volume_key(cd, NULL, 9, &um1));
+ 	OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &um2));
+ 	EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 10, um2, CRYPT_VOLUME_KEY_NO_SEGMENT), 10);
+ 	EQ_(crypt_keyslot_status(cd, 10), CRYPT_SLOT_UNBOUND);
+diff --git a/tests/api-test.c b/tests/api-test.c
+index 2b2f0813..9bb6d2f1 100644
+--- a/tests/api-test.c
++++ b/tests/api-test.c
+@@ -65,8 +65,8 @@
+ #define KEYFILE2 "key2.file"
+ #define KEY2 "0123456789abcdef"
+ 
+-#define PASSPHRASE "blabla"
+-#define PASSPHRASE1 "albalb"
++#define PASSPHRASE "blablabl"
++#define PASSPHRASE1 "albalbal"
+ 
+ #define DEVICE_TEST_UUID "12345678-1234-1234-1234-123456789abc"
+ 
+@@ -327,7 +327,7 @@ static void AddDevicePlain(void)
+ 	char key[128], key2[128], path[128];
+ 	struct crypt_keyslot_context *kc = NULL;
+ 
+-	const char *passphrase = PASSPHRASE;
++	const char *passphrase = "blabla";
+ 	// hashed hex version of PASSPHRASE
+ 	const char *vk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea";
+ 	size_t key_size = strlen(vk_hex) / 2;
+@@ -772,6 +772,10 @@ static void SuspendDevice(void)
+ 	OK_(crypt_deactivate(cd, CDEVICE_1));
+ 	CRYPT_FREE(cd);
+ 
++	/* skip tests using empty passphrase */
++	if(_fips_mode)
++		return;
++
+ 	OK_(get_luks_offsets(0, key_size, 1024*2, 0, NULL, &r_payload_offset));
+ 	OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1));
+ 
+@@ -806,7 +810,7 @@ static void AddDeviceLuks(void)
+ 	};
+ 	char key[128], key2[128], key3[128];
+ 
+-	const char *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd";
++	const char *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd";
+ 	const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+ 	const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e";
+ 	size_t key_size = strlen(vk_hex) / 2;
+@@ -2105,7 +2109,7 @@ static void LuksKeyslotAdd(void)
+ 	};
+ 	char key[128], key3[128];
+ 
+-	const char *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd";
++	const char *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd";
+ 	const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+ 	const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e";
+ 	size_t key_size = strlen(vk_hex) / 2;
+diff --git a/tests/compat-test b/tests/compat-test
+index 356b7283..6dc80041 100755
+--- a/tests/compat-test
++++ b/tests/compat-test
+@@ -450,10 +450,13 @@ if [ -d /dev/disk/by-uuid ] ; then
+ 	$CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
+ 	$CRYPTSETUP -q luksClose  $DEV_NAME || fail
+ fi
++# skip tests using empty passphrase
++if [ ! fips_mode ]; then
+ # empty keyfile
+ $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEYE || fail
+ $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
+ $CRYPTSETUP -q luksClose  $DEV_NAME || fail
++fi
+ # open by volume key
+ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT -s 256 --volume-key-file $KEY1 $LOOPDEV || fail
+ $CRYPTSETUP luksOpen --volume-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
+@@ -503,7 +506,7 @@ echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --
+ echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail
+ # keyfile/passphrase
+-echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail
++echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 8 || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: ENABLED" || fail
+ 
+ prepare "[18] RemoveKey passphrase and keyfile" reuse
+@@ -728,12 +731,15 @@ echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
+ [ $? -ne 2 ] && fail "luksResume should return EPERM exit code"
+ echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME  || fail
+ $CRYPTSETUP -q luksClose $DEV_NAME || fail
++# skip tests using empty passphrase
++if [ ! fips_mode ]; then
+ echo | $CRYPTSETUP -q luksFormat -c null $FAST_PBKDF_OPT --type luks1 $LOOPDEV || fail
+ echo | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
+ $CRYPTSETUP luksSuspend $DEV_NAME || fail
+ $CRYPTSETUP -q status  $DEV_NAME | grep -q "(suspended)" || fail
+ echo | $CRYPTSETUP luksResume $DEV_NAME || fail
+ $CRYPTSETUP -q luksClose $DEV_NAME || fail
++fi
+ 
+ prepare "[27] luksOpen/luksResume with specified key slot number" wipe
+ # first, let's try passphrase option
+diff --git a/tests/compat-test2 b/tests/compat-test2
+index 2f18d7b6..c54dc7ea 100755
+--- a/tests/compat-test2
++++ b/tests/compat-test2
+@@ -427,10 +427,14 @@ if [ -d /dev/disk/by-uuid ] ; then
+ 	$CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
+ 	$CRYPTSETUP -q luksClose  $DEV_NAME || fail
+ fi
++# skip tests using empty passphrases
++if [ ! fips_mode ]; then
+ # empty keyfile
+ $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEYE || fail
+ $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
+ $CRYPTSETUP -q luksClose  $DEV_NAME || fail
++fi
++
+ # open by volume key
+ echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -s 256 --volume-key-file $KEY1 --type luks2 $LOOPDEV || fail
+ $CRYPTSETUP luksOpen --volume-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
+@@ -477,7 +481,7 @@ echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --
+ echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
+ # keyfile/passphrase
+-echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail
++echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 8 || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" || fail
+ 
+ prepare "[18] RemoveKey passphrase and keyfile" reuse
+@@ -1001,14 +1005,14 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail
+ echo $PWD1 | $CRYPTSETUP -q luksConvertKey $LOOPDEV -S 1 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || can_fail_fips
+-echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 21 --unbound -s 16 $LOOPDEV || fail
++echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 21 --unbound -s 72 $LOOPDEV || fail
+ echo $PWD3 | $CRYPTSETUP luksConvertKey --pbkdf-force-iterations 1001 --pbkdf pbkdf2 -S 21 $LOOPDEV || fail
+ 
+ prepare "[38] luksAddKey unbound tests" wipe
+ $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY5 --key-slot 5 || fail
+ # unbound key may have arbitrary size
+-echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 16 $LOOPDEV || fail
+-echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 32 -S 2 $LOOPDEV || fail
++echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 72 $LOOPDEV || fail
++echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 72 -S 2 $LOOPDEV || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2 (unbound)" || fail
+ dd if=/dev/urandom of=$KEY_FILE0 bs=64 count=1 > /dev/null 2>&1 || fail
+ echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 512 -S 3 --volume-key-file $KEY_FILE0 $LOOPDEV || fail
+@@ -1100,10 +1104,10 @@ $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 --key-slot 2 -
+ [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher:"    | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
+ [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
+ # unbound keyslot
+-echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 21 --unbound -s 32 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
++echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 21 --unbound -s 72 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
+ [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher:"    | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
+ [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
+-echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 22 --unbound -s 32 $LOOPDEV || fail
++echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 22 --unbound -s 72 $LOOPDEV || fail
+ echo $PWD3 | $CRYPTSETUP luksConvertKey --key-slot 22 $LOOPDEV --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
+ [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher:"    | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
+ [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
+diff --git a/tests/keyring-compat-test b/tests/keyring-compat-test
+index 57c7fd98..ea88c210 100755
+--- a/tests/keyring-compat-test
++++ b/tests/keyring-compat-test
+@@ -21,7 +21,7 @@ NAME=testcryptdev
+ CHKS_DMCRYPT=vk_in_dmcrypt.chk
+ CHKS_KEYRING=vk_in_keyring.chk
+ 
+-PWD="aaa"
++PWD="aaablabl"
+ 
+ [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
+ CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
+diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test
+index 433f4d4c..f6a84137 100755
+--- a/tests/reencryption-compat-test
++++ b/tests/reencryption-compat-test
+@@ -22,6 +22,12 @@ PWD3="1-9Qu5Ejfnqv"
+ 
+ MNT_DIR=./mnt_luks
+ START_DIR=$(pwd)
++FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
++
++function fips_mode()
++{
++	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
++}
+ 
+ function del_scsi_device()
+ {
+@@ -296,6 +302,7 @@ check_slot 0 || fail "Only keyslot 0 expected to be enabled"
+ $REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q || fail
+ # FIXME echo $PWD1 | $REENC ...
+ 
++if [ ! fips_mode ]; then
+ echo "[4] Encryption of not yet encrypted device"
+ # well, movin' zeroes :-)
+ OFFSET=2048
+@@ -323,6 +330,7 @@ OFFSET=4096
+ echo fake | $REENC $LOOPDEV1 -d $KEY1 --new --type luks1 --reduce-device-size "$OFFSET"S -q $FAST_PBKDF || fail
+ $CRYPTSETUP open --test-passphrase $LOOPDEV1 -d $KEY1 || fail
+ wipe_dev $LOOPDEV1
++fi
+ 
+ echo "[5] Reencryption using specific keyslot"
+ echo $PWD2 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail
+@@ -396,6 +404,7 @@ add_scsi_device sector_size=512 dev_size_mb=32 physblk_exp=3
+ test_logging "[4096/512 sector]" || fail
+ test_logging_tmpfs || fail
+ 
++if [ ! fips_mode ]; then
+ echo "[10] Removal of encryption"
+ prepare 8192
+ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail
+@@ -460,6 +469,7 @@ if [ "$HAVE_BLKID" -gt 0 ]; then
+ 	echo $PWD1 | $REENC --header $IMG_HDR $HEADER_LUKS2_PV -q $FAST_PBKDF --new --type luks1 2>/dev/null && fail
+ 	test -f $IMG_HDR && fail
+ fi
++fi # if [ ! fips_mode ]
+ 
+ remove_mapping
+ exit 0
+diff --git a/tests/ssh-test-plugin b/tests/ssh-test-plugin
+index 0a440b93..5b3966e7 100755
+--- a/tests/ssh-test-plugin
++++ b/tests/ssh-test-plugin
+@@ -11,7 +11,7 @@ CRYPTSETUP_SSH=$CRYPTSETUP_PATH/cryptsetup-ssh
+ IMG="ssh_test.img"
+ MAP="sshtest"
+ USER="sshtest"
+-PASSWD="sshtest"
++PASSWD="sshtest1"
+ PASSWD2="sshtest2"
+ SSH_OPTIONS="-o StrictHostKeyChecking=no"
+ 
+-- 
+2.38.1
+
diff --git a/SOURCES/cryptsetup-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch b/SOURCES/cryptsetup-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch
new file mode 100644
index 0000000..cfbd36a
--- /dev/null
+++ b/SOURCES/cryptsetup-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch
@@ -0,0 +1,55 @@
+From be088b8de8d636993767a42f195ffd3bf915e567 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Mon, 12 Dec 2022 17:33:12 +0100
+Subject: [PATCH 1/2] Enable crypt_header_is_detached for empty contexts.
+
+Also changes few tests now expecting crypt_header_is_detached
+works with empty contexts.
+---
+ lib/setup.c        | 2 +-
+ tests/api-test-2.c | 2 +-
+ tests/api-test.c   | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/setup.c b/lib/setup.c
+index f169942c..3263578b 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -3242,7 +3242,7 @@ int crypt_header_is_detached(struct crypt_device *cd)
+ {
+ 	int r;
+ 
+-	if (!cd || !isLUKS(cd->type))
++	if (!cd || (cd->type && !isLUKS(cd->type)))
+ 		return -EINVAL;
+ 
+ 	r = device_is_identical(crypt_data_device(cd), crypt_metadata_device(cd));
+diff --git a/tests/api-test-2.c b/tests/api-test-2.c
+index 2c39191b..c7e930ca 100644
+--- a/tests/api-test-2.c
++++ b/tests/api-test-2.c
+@@ -889,7 +889,7 @@ static void AddDeviceLuks2(void)
+ 	FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, key, key_size, 0), "Device is active");
+ 	EQ_(crypt_status(cd, CDEVICE_2), CRYPT_INACTIVE);
+ 	OK_(crypt_deactivate(cd, CDEVICE_1));
+-	FAIL_(crypt_header_is_detached(cd), "no header for mismatched device");
++	EQ_(crypt_header_is_detached(cd), 1);
+ 	CRYPT_FREE(cd);
+ 
+ 	params.data_device = NULL;
+diff --git a/tests/api-test.c b/tests/api-test.c
+index 9bb6d2f1..f6e33a40 100644
+--- a/tests/api-test.c
++++ b/tests/api-test.c
+@@ -960,7 +960,7 @@ static void AddDeviceLuks(void)
+ 	FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, key, key_size, 0), "Device is active");
+ 	EQ_(crypt_status(cd, CDEVICE_2), CRYPT_INACTIVE);
+ 	OK_(crypt_deactivate(cd, CDEVICE_1));
+-	FAIL_(crypt_header_is_detached(cd), "no header for mismatched device");
++	EQ_(crypt_header_is_detached(cd), 1);
+ 	CRYPT_FREE(cd);
+ 
+ 	params.data_device = NULL;
+-- 
+2.38.1
+
diff --git a/SOURCES/cryptsetup-2.6.1-Run-PBKDF-benchmark-with-8-bytes-long-well-known-pas.patch b/SOURCES/cryptsetup-2.6.1-Run-PBKDF-benchmark-with-8-bytes-long-well-known-pas.patch
new file mode 100644
index 0000000..28dc504
--- /dev/null
+++ b/SOURCES/cryptsetup-2.6.1-Run-PBKDF-benchmark-with-8-bytes-long-well-known-pas.patch
@@ -0,0 +1,58 @@
+From a33f7bf5ca33587ddb05f2acac42f93068022458 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Fri, 2 Dec 2022 11:39:59 +0100
+Subject: [PATCH 1/3] Run PBKDF benchmark with 8 bytes long well-known
+ passphrase.
+
+---
+ lib/utils_benchmark.c | 4 ++--
+ src/cryptsetup.c      | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/utils_benchmark.c b/lib/utils_benchmark.c
+index 0a0c438e..d8976fb2 100644
+--- a/lib/utils_benchmark.c
++++ b/lib/utils_benchmark.c
+@@ -187,7 +187,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd,
+ 		pbkdf->parallel_threads = 0; /* N/A in PBKDF2 */
+ 		pbkdf->max_memory_kb = 0; /* N/A in PBKDF2 */
+ 
+-		r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3, "01234567890abcdef", 16,
++		r = crypt_benchmark_pbkdf(cd, pbkdf, "foobarfo", 8, "01234567890abcdef", 16,
+ 					volume_key_size, &benchmark_callback, &u);
+ 		pbkdf->time_ms = ms_tmp;
+ 		if (r < 0) {
+@@ -207,7 +207,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd,
+ 			return 0;
+ 		}
+ 
+-		r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3,
++		r = crypt_benchmark_pbkdf(cd, pbkdf, "foobarfo", 8,
+ 			"0123456789abcdef0123456789abcdef", 32,
+ 			volume_key_size, &benchmark_callback, &u);
+ 		if (r < 0)
+diff --git a/src/cryptsetup.c b/src/cryptsetup.c
+index c2e23c6e..dfaf7682 100644
+--- a/src/cryptsetup.c
++++ b/src/cryptsetup.c
+@@ -997,7 +997,7 @@ static int action_benchmark_kdf(const char *kdf, const char *hash, size_t key_si
+ 			.time_ms = 1000,
+ 		};
+ 
+-		r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3, "0123456789abcdef", 16, key_size,
++		r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foobarfo", 8, "0123456789abcdef", 16, key_size,
+ 					&benchmark_callback, &pbkdf);
+ 		if (r < 0)
+ 			log_std(_("PBKDF2-%-9s     N/A\n"), hash);
+@@ -1012,7 +1012,7 @@ static int action_benchmark_kdf(const char *kdf, const char *hash, size_t key_si
+ 			.parallel_threads = ARG_UINT32(OPT_PBKDF_PARALLEL_ID)
+ 		};
+ 
+-		r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3,
++		r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foobarfo", 8,
+ 			"0123456789abcdef0123456789abcdef", 32,
+ 			key_size, &benchmark_callback, &pbkdf);
+ 		if (r < 0)
+-- 
+2.38.1
+
diff --git a/SOURCES/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch b/SOURCES/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch
new file mode 100644
index 0000000..59db57f
--- /dev/null
+++ b/SOURCES/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch
@@ -0,0 +1,47 @@
+From 293abb5435e2b4bec7f8333fb11c88d5c1f45800 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Mon, 5 Dec 2022 13:35:24 +0100
+Subject: [PATCH 3/3] Add FIPS related error message in keyslot add code.
+
+Add hints on what went wrong when creating new LUKS
+keyslots. The hint is printed only in FIPS mode and
+when pbkdf2 failed with passphrase shorter than 8
+bytes.
+---
+ lib/luks1/keymanage.c           | 5 ++++-
+ lib/luks2/luks2_keyslot_luks2.c | 2 ++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c
+index de97b73c..225e84b8 100644
+--- a/lib/luks1/keymanage.c
++++ b/lib/luks1/keymanage.c
+@@ -924,8 +924,11 @@ int LUKS_set_key(unsigned int keyIndex,
+ 			hdr->keyblock[keyIndex].passwordSalt, LUKS_SALTSIZE,
+ 			derived_key->key, hdr->keyBytes,
+ 			hdr->keyblock[keyIndex].passwordIterations, 0, 0);
+-	if (r < 0)
++	if (r < 0) {
++		if (crypt_fips_mode() && passwordLen < 8)
++			log_err(ctx, _("Invalid passphrase for PBKDF2 in FIPS mode."));
+ 		goto out;
++	}
+ 
+ 	/*
+ 	 * AF splitting, the volume key stored in vk->key is split to AfKey
+diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c
+index 78f74242..f480bcab 100644
+--- a/lib/luks2/luks2_keyslot_luks2.c
++++ b/lib/luks2/luks2_keyslot_luks2.c
+@@ -265,6 +265,8 @@ static int luks2_keyslot_set_key(struct crypt_device *cd,
+ 	free(salt);
+ 	if (r < 0) {
+ 		crypt_free_volume_key(derived_key);
++		if (crypt_fips_mode() && passwordLen < 8 && !strcmp(pbkdf.type, "pbkdf2"))
++			log_err(cd, _("Invalid passphrase for PBKDF2 in FIPS mode."));
+ 		return r;
+ 	}
+ 
+-- 
+2.38.1
+
diff --git a/SOURCES/cryptsetup-add-system-library-paths.patch b/SOURCES/cryptsetup-add-system-library-paths.patch
new file mode 100644
index 0000000..0a5d753
--- /dev/null
+++ b/SOURCES/cryptsetup-add-system-library-paths.patch
@@ -0,0 +1,22 @@
+diff -rupN cryptsetup-2.2.0.old/configure cryptsetup-2.2.0/configure
+--- cryptsetup-2.2.0.old/configure	2019-08-14 20:45:07.000000000 +0200
++++ cryptsetup-2.2.0/configure	2019-08-15 09:11:14.775184005 +0200
+@@ -12294,6 +12294,9 @@ fi
+   # before this can be enabled.
+   hardcode_into_libs=yes
+ 
++  # Add ABI-specific directories to the system library path.
++  sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
++
+   # Ideally, we could use ldconfig to report *all* directores which are
+   # searched for libraries, however this is still not possible.  Aside from not
+   # being certain /sbin/ldconfig is available, command
+@@ -12302,7 +12305,7 @@ fi
+   # appending ld.so.conf contents (and includes) to the search path.
+   if test -f /etc/ld.so.conf; then
+     lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
+-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
++    sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
+   fi
+ 
+   # We used to test for /lib/ld.so.1 and disable shared libraries on
diff --git a/SPECS/cryptsetup.spec b/SPECS/cryptsetup.spec
new file mode 100644
index 0000000..fce51de
--- /dev/null
+++ b/SPECS/cryptsetup.spec
@@ -0,0 +1,185 @@
+Summary: Utility for setting up encrypted disks
+Name: cryptsetup
+Version: 2.6.0
+Release: 2%{?dist}
+License: GPLv2+ and LGPLv2+
+URL: https://gitlab.com/cryptsetup/cryptsetup
+BuildRequires: openssl-devel, popt-devel, device-mapper-devel
+BuildRequires: libuuid-devel, gcc, json-c-devel
+BuildRequires: libpwquality-devel, libblkid-devel
+BuildRequires: make
+BuildRequires: asciidoctor
+Requires: cryptsetup-libs = %{version}-%{release}
+Requires: libpwquality >= 1.2.0
+Obsoletes: %{name}-reencrypt <= %{version}
+Provides: %{name}-reencrypt = %{version}
+
+%global upstream_version %{version}
+Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-%{upstream_version}.tar.xz
+
+# binary archive with updated tests/conversion_imgs.tar.xz and tests/luks2_header_requirements.tar.xz
+# for testing (can not be patched via rpmbuild)
+Source1: tests.tar.xz
+
+# Following patch has to applied last
+Patch0000: %{name}-2.6.1-Run-PBKDF-benchmark-with-8-bytes-long-well-known-pas.patch
+Patch0001: %{name}-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch
+Patch0002: %{name}-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch
+Patch0003: %{name}-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch
+Patch9998: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch
+Patch9999: %{name}-add-system-library-paths.patch
+
+%description
+The cryptsetup package contains a utility for setting up
+disk encryption using dm-crypt kernel module.
+
+%package devel
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: pkgconfig
+Summary: Headers and libraries for using encrypted file systems
+
+%description devel
+The cryptsetup-devel package contains libraries and header files
+used for writing code that makes use of disk encryption.
+
+%package libs
+Summary: Cryptsetup shared library
+
+%description libs
+This package contains the cryptsetup shared library, libcryptsetup.
+
+%package -n veritysetup
+Summary: A utility for setting up dm-verity volumes
+Requires: cryptsetup-libs = %{version}-%{release}
+
+%description -n veritysetup
+The veritysetup package contains a utility for setting up
+disk verification using dm-verity kernel module.
+
+%package -n integritysetup
+Summary: A utility for setting up dm-integrity volumes
+Requires: cryptsetup-libs = %{version}-%{release}
+
+%description -n integritysetup
+The integritysetup package contains a utility for setting up
+disk integrity protection using dm-integrity kernel module.
+
+%prep
+%autosetup -n cryptsetup-%{upstream_version} -p 1 -a 1
+
+%build
+rm -f man/*.8
+%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --disable-ssh-token --enable-asciidoc
+%make_build
+
+%install
+%make_install
+rm -rf %{buildroot}%{_libdir}/*.la
+
+%find_lang cryptsetup
+
+%ldconfig_scriptlets -n cryptsetup-libs
+
+%files
+%license COPYING
+%doc AUTHORS FAQ.md docs/*ReleaseNotes
+%{_mandir}/man8/cryptsetup.8.gz
+%{_mandir}/man8/cryptsetup-*.8.gz
+%{_sbindir}/cryptsetup
+
+%files -n veritysetup
+%license COPYING
+%{_mandir}/man8/veritysetup.8.gz
+%{_sbindir}/veritysetup
+
+%files -n integritysetup
+%license COPYING
+%{_mandir}/man8/integritysetup.8.gz
+%{_sbindir}/integritysetup
+
+%files devel
+%doc docs/examples/*
+%{_includedir}/libcryptsetup.h
+%{_libdir}/libcryptsetup.so
+%{_libdir}/pkgconfig/libcryptsetup.pc
+
+%files libs -f cryptsetup.lang
+%license COPYING COPYING.LGPL
+%{_libdir}/libcryptsetup.so.*
+%dir %{_libdir}/%{name}/
+%{_tmpfilesdir}/cryptsetup.conf
+%ghost %attr(700, -, -) %dir /run/cryptsetup
+
+%changelog
+* Wed Dec 14 2022 Daniel Zatovic <dzatovic@redhat.com> - 2.6.0-2
+- Fix FIPS related bugs.
+- Abort encryption when header and data devices are same.
+- Resolves: #2150251 #2148841
+
+* Wed Nov 30 2022 Daniel Zatovic <dzatovic@redhat.com> - 2.6.0-1
+- Update to cryptsetup 2.6.0.
+- Resolves: #2003748 #2108404 #1862173
+
+* Wed Aug 10 2022 Ondrej Kozina <okozina@redhat.com> - 2.4.3-5
+- patch: Delegate FIPS mode detection to crypto backend.
+- Resolves: #2080516
+
+* Thu Feb 24 2022 Ondrej Kozina <okozina@redhat.com> - 2.4.3-4
+- patch: Fix broken upstream test.
+- Resolves: #2056439
+
+* Wed Feb 23 2022 Ondrej Kozina <okozina@redhat.com> - 2.4.3-3
+- patch: Fix cryptsetup --test-passphrase when device in
+  reencryption
+- Resolves: #2056439
+
+* Thu Feb 17 2022 Ondrej Kozina <okozina@redhat.com> - 2.4.3-2
+- Various FIPS related fixes.
+- Resolves: #2051630
+
+* Fri Jan 21 2022 Ondrej Kozina <okozina@redhat.com> - 2.4.3-1
+- Update to cryptsetup 2.4.3.
+- patch: Fix typo in repair command prompt.
+  Resolves: #2022309 #2023316 #2032782
+
+* Wed Sep 29 2021 Ondrej Kozina <okozina@redhat.com> - 2.4.1-1
+- Update to cryptsetup 2.4.1.
+  Resolves: #2005035 #2005877
+
+* Thu Aug 19 2021 Ondrej Kozina <okozina@redhat.com> - 2.4.0-1
+- Update to cryptsetup 2.4.0.
+  Resolves: #1869553 #1972722 #1974271 #1975799
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.3.6-3
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Thu Jun 17 2021 Mohan Boddu <mboddu@redhat.com> - 2.3.6-2
+- Specbump for openssl 3.0
+  Related: rhbz#1971065
+
+* Wed Jun 16 2021 Ondrej Kozina <okozina@redhat.com> - 2.3.6-1
+- Update to cryptsetup 2.3.6.
+- Resolves: #1961291 #1970932
+
+* Tue Jun 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.3.5-5
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+
+Related: rhbz#1971065
+
+* Tue Apr 27 2021 Ondrej Kozina <okozina@redhat.com> - 2.3.5-4
+- Drop dependency on libargon2
+- Resolves: #1936959
+
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.3.5-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Thu Mar 11 2021 Milan Broz <gmazyland@gmail.com> - 2.3.5-1
+- Update to cryptsetup 2.3.5.
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Sep 03 2020 Milan Broz <gmazyland@gmail.com> - 2.3.4-1
+- Update to cryptsetup 2.3.4.
+- Fix for CVE-2020-14382 (#1874712)