cryptsetup package update

Signed-off-by: basebuilder_pel7ppc64lebuilder0 <basebuilder@powerel.org>

SOURCES/cryptsetup-2.0.4-fix-LUKS2-api-test.patch

@@ -0,0 +1,14 @@
+diff -rupN cryptsetup-2.0.3.old/tests/api-test-2.c cryptsetup-2.0.3/tests/api-test-2.c
+--- cryptsetup-2.0.3.old/tests/api-test-2.c	2019-03-27 21:31:18.684160803 +0100
++++ cryptsetup-2.0.3/tests/api-test-2.c	2019-03-27 21:32:14.762630391 +0100
+@@ -2514,8 +2514,8 @@ static void Luks2Requirements(void)
+ 	FAIL_((r = crypt_set_label(cd, "label", "subsystem")), "Unmet requirements detected");
+ 	EQ_(r, -ETXTBSY);
+ 
+-	/* crypt_repair (not implemented for luks2) */
+-	FAIL_(crypt_repair(cd, CRYPT_LUKS2, NULL), "Not implemented");
++	/* crypt_repair (with current repair capabilities it's unrestricted) */
++	OK_(crypt_repair(cd, CRYPT_LUKS2, NULL));
+ 
+ 	/* crypt_keyslot_add_passphrase (restricted) */
+ 	FAIL_((r = crypt_keyslot_add_by_passphrase(cd, CRYPT_ANY_SLOT, "aaa", 3, "bbb", 3)), "Unmet requirements detected");

SOURCES/cryptsetup-2.0.5-fix-miscalculation-of-device-alignment-offset.patch

@@ -0,0 +1,28 @@
+From dd36d56d472e1ea1db74d64d2e6a8d8ece2e7a76 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Thu, 9 Aug 2018 10:26:38 +0200
+Subject: [PATCH] Fix miscalculation of device alignment offset.
+
+device_topology_alignment routine already returns alignment offset
+in bytes. There's no need to divide it by sector size, since LUKS2
+format have all offsets and sizes stored in bytes.
+---
+ lib/setup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/setup.c b/lib/setup.c
+index ff944c9..1a78d2e 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -1602,7 +1602,7 @@ static int _crypt_format_luks2(struct crypt_device *cd,
+ 			       integrity, uuid,
+ 			       sector_size,
+ 			       required_alignment / sector_size,
+-			       alignment_offset / sector_size,
++			       alignment_offset,
+ 			       cd->metadata_device ? 1 : 0);
+ 	if (r < 0)
+ 		goto out;
+-- 
+1.8.3.1
+

SOURCES/cryptsetup-2.0.5-remove-useless-division-followed-by-multiplication-b.patch

@@ -0,0 +1,58 @@
+From d2f0773eb8482f754d9a7599d26697efcdd25cd6 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Thu, 9 Aug 2018 10:34:17 +0200
+Subject: [PATCH] Remove useless division followed by multiplication by same
+ base.
+
+---
+ lib/luks2/luks2_json_format.c | 10 +++++-----
+ lib/setup.c                   |  2 +-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/lib/luks2/luks2_json_format.c b/lib/luks2/luks2_json_format.c
+index a0b72ab..4b50f89 100644
+--- a/lib/luks2/luks2_json_format.c
++++ b/lib/luks2/luks2_json_format.c
+@@ -122,9 +122,9 @@ int LUKS2_generate_hdr(
+ 	const char *cipherMode,
+ 	const char *integrity,
+ 	const char *uuid,
+-	unsigned int sector_size,
+-	unsigned int alignPayload,
+-	unsigned int alignOffset,
++	unsigned int sector_size,  /* in bytes */
++	unsigned int alignPayload, /* in bytes */
++	unsigned int alignOffset,  /* in bytes */
+ 	int detached_metadata_device)
+ {
+ 	struct json_object *jobj_segment, *jobj_integrity, *jobj_keyslots, *jobj_segments, *jobj_config;
+@@ -182,11 +182,11 @@ int LUKS2_generate_hdr(
+ 	jobj_segment = json_object_new_object();
+ 	json_object_object_add(jobj_segment, "type", json_object_new_string("crypt"));
+ 	if (detached_metadata_device)
+-		offset = (uint64_t)alignPayload * sector_size;
++		offset = (uint64_t)alignPayload;
+ 	else {
+ 		//FIXME
+ 		//offset = size_round_up(areas[7].offset + areas[7].length, alignPayload * SECTOR_SIZE);
+-		offset = size_round_up(LUKS2_HDR_DEFAULT_LEN, (size_t)alignPayload * sector_size);
++		offset = size_round_up(LUKS2_HDR_DEFAULT_LEN, (size_t)alignPayload);
+ 		offset += alignOffset;
+ 	}
+ 
+diff --git a/lib/setup.c b/lib/setup.c
+index 1a78d2e..61bf3da 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -1601,7 +1601,7 @@ static int _crypt_format_luks2(struct crypt_device *cd,
+ 			       cipher, cipher_mode,
+ 			       integrity, uuid,
+ 			       sector_size,
+-			       required_alignment / sector_size,
++			       required_alignment,
+ 			       alignment_offset,
+ 			       cd->metadata_device ? 1 : 0);
+ 	if (r < 0)
+-- 
+1.8.3.1
+

SOURCES/cryptsetup-2.0.6-LUKS2-metadata-variation-fixes.patch

@@ -0,0 +1,202 @@
+diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c
+--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c	2019-04-03 18:55:44.392182454 +0200
++++ cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c	2019-04-03 18:56:22.567106063 +0200
+@@ -429,6 +429,7 @@ int LUKS2_token_validate(json_object *hd
+ {
+ 	json_object *jarr, *jobj_keyslots;
+ 
++	/* keyslots are not yet validated, but we need to know token doesn't reference missing keyslot */
+ 	if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots))
+ 		return 1;
+ 
+@@ -505,12 +506,57 @@ static int hdr_validate_tokens(json_obje
+ 	return 0;
+ }
+ 
+-static int hdr_validate_segments(json_object *hdr_jobj)
++static int hdr_validate_crypt_segment(json_object *jobj, const char *key, json_object *jobj_digests,
++	uint64_t offset, uint64_t size)
+ {
+-	json_object *jobj, *jobj_digests, *jobj_offset, *jobj_ivoffset,
+-		    *jobj_length, *jobj_sector_size, *jobj_type, *jobj_integrity;
++	json_object *jobj_ivoffset, *jobj_sector_size, *jobj_integrity;
+ 	uint32_t sector_size;
+-	uint64_t ivoffset, offset, length;
++	uint64_t ivoffset;
++
++	if (!(jobj_ivoffset = json_contains(jobj, key, "Segment", "iv_tweak", json_type_string)) ||
++	    !json_contains(jobj, key, "Segment", "encryption", json_type_string) ||
++	    !(jobj_sector_size = json_contains(jobj, key, "Segment", "sector_size", json_type_int)))
++		return 1;
++
++	/* integrity */
++	if (json_object_object_get_ex(jobj, "integrity", &jobj_integrity)) {
++		if (!json_contains(jobj, key, "Segment", "integrity", json_type_object) ||
++		    !json_contains(jobj_integrity, key, "Segment integrity", "type", json_type_string) ||
++		    !json_contains(jobj_integrity, key, "Segment integrity", "journal_encryption", json_type_string) ||
++		    !json_contains(jobj_integrity, key, "Segment integrity", "journal_integrity", json_type_string))
++			return 1;
++	}
++
++	/* enforce uint32_t type */
++	if (!validate_json_uint32(jobj_sector_size)) {
++		log_dbg("Illegal field \"sector_size\":%s.",
++			json_object_get_string(jobj_sector_size));
++		return 1;
++	}
++
++	sector_size = json_object_get_uint32(jobj_sector_size);
++	if (!sector_size || sector_size % SECTOR_SIZE) {
++		log_dbg("Illegal sector size: %" PRIu32, sector_size);
++		return 1;
++	}
++
++	if (!numbered("iv_tweak", json_object_get_string(jobj_ivoffset)) ||
++	    !json_str_to_uint64(jobj_ivoffset, &ivoffset))
++		return 1;
++
++	if (size % sector_size) {
++		log_dbg("Size field has to be aligned to sector size: %" PRIu32, sector_size);
++		return 1;
++	}
++
++	return !segment_has_digest(key, jobj_digests);
++}
++
++static int hdr_validate_segments(json_object *hdr_jobj)
++{
++	json_object *jobj, *jobj_digests, *jobj_offset, *jobj_size, *jobj_type, *jobj_flags;
++	int i;
++	uint64_t offset, size;
+ 
+ 	if (!json_object_object_get_ex(hdr_jobj, "segments", &jobj)) {
+ 		log_dbg("Missing segments section.");
+@@ -530,70 +576,46 @@ static int hdr_validate_segments(json_ob
+ 		if (!numbered("Segment", key))
+ 			return 1;
+ 
+-		if (!json_contains(val, key, "Segment", "type", json_type_string) ||
++		/* those fields are mandatory for all segment types */
++		if (!(jobj_type =   json_contains(val, key, "Segment", "type",   json_type_string)) ||
+ 		    !(jobj_offset = json_contains(val, key, "Segment", "offset", json_type_string)) ||
+-		    !(jobj_ivoffset = json_contains(val, key, "Segment", "iv_tweak", json_type_string)) ||
+-		    !(jobj_length = json_contains(val, key, "Segment", "size", json_type_string)) ||
+-		    !json_contains(val, key, "Segment", "encryption", json_type_string) ||
+-		    !(jobj_sector_size = json_contains(val, key, "Segment", "sector_size", json_type_int)))
+-			return 1;
+-
+-		/* integrity */
+-		if (json_object_object_get_ex(val, "integrity", &jobj_integrity)) {
+-			if (!json_contains(val, key, "Segment", "integrity", json_type_object) ||
+-			    !json_contains(jobj_integrity, key, "Segment integrity", "type", json_type_string) ||
+-			    !json_contains(jobj_integrity, key, "Segment integrity", "journal_encryption", json_type_string) ||
+-			    !json_contains(jobj_integrity, key, "Segment integrity", "journal_integrity", json_type_string))
+-				return 1;
+-		}
+-
+-		/* enforce uint32_t type */
+-		if (!validate_json_uint32(jobj_sector_size)) {
+-			log_dbg("Illegal field \"sector_size\":%s.",
+-				json_object_get_string(jobj_sector_size));
+-			return 1;
+-		}
+-
+-		sector_size = json_object_get_uint32(jobj_sector_size);
+-		if (!sector_size || sector_size % 512) {
+-			log_dbg("Illegal sector size: %" PRIu32, sector_size);
++		    !(jobj_size =   json_contains(val, key, "Segment", "size",   json_type_string)))
+ 			return 1;
+-		}
+ 
+ 		if (!numbered("offset", json_object_get_string(jobj_offset)) ||
+-		    !numbered("iv_tweak", json_object_get_string(jobj_ivoffset)))
++		    !json_str_to_uint64(jobj_offset, &offset))
+ 			return 1;
+ 
+-		/* rule out values > UINT64_MAX */
+-		if (!json_str_to_uint64(jobj_offset, &offset) ||
+-		    !json_str_to_uint64(jobj_ivoffset, &ivoffset))
+-			return 1;
++		/* size "dynamic" means whole device starting at 'offset' */
++		if (strcmp(json_object_get_string(jobj_size), "dynamic")) {
++			if (!numbered("size", json_object_get_string(jobj_size)) ||
++			    !json_str_to_uint64(jobj_size, &size) || !size)
++				return 1;
++		} else
++			size = 0;
+ 
+-		if (offset % sector_size) {
+-			log_dbg("Offset field has to be aligned to sector size: %" PRIu32, sector_size);
++		/* all device-mapper devices are aligned to 512 sector size */
++		if (offset % SECTOR_SIZE) {
++			log_dbg("Offset field has to be aligned to sector size: %" PRIu32, SECTOR_SIZE);
+ 			return 1;
+ 		}
+-
+-		if (ivoffset % sector_size) {
+-			log_dbg("IV offset field has to be aligned to sector size: %" PRIu32, sector_size);
++		if (size % SECTOR_SIZE) {
++			log_dbg("Size field has to be aligned to sector size: %" PRIu32, SECTOR_SIZE);
+ 			return 1;
+ 		}
+ 
+-		/* length "dynamic" means whole device starting at 'offset' */
+-		if (strcmp(json_object_get_string(jobj_length), "dynamic")) {
+-			if (!numbered("size", json_object_get_string(jobj_length)) ||
+-			    !json_str_to_uint64(jobj_length, &length))
++		/* flags array is optional and must contain strings */
++		if (json_object_object_get_ex(val, "flags", NULL)) {
++			if (!(jobj_flags = json_contains(val, key, "Segment", "flags", json_type_array)))
+ 				return 1;
+-
+-			if (length % sector_size) {
+-				log_dbg("Length field has to be aligned to sector size: %" PRIu32, sector_size);
+-				return 1;
+-			}
++			for (i = 0; i < (int) json_object_array_length(jobj_flags); i++)
++				if (!json_object_is_type(json_object_array_get_idx(jobj_flags, i), json_type_string))
++					return 1;
+ 		}
+ 
+-		json_object_object_get_ex(val, "type", &jobj_type);
++		/* crypt */
+ 		if (!strcmp(json_object_get_string(jobj_type), "crypt") &&
+-		    !segment_has_digest(key, jobj_digests))
++		    hdr_validate_crypt_segment(val, key, jobj_digests, offset, size))
+ 			return 1;
+ 	}
+ 
+@@ -610,6 +632,7 @@ static int hdr_validate_areas(json_objec
+ 	if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots))
+ 		return 1;
+ 
++	/* segments are already validated */
+ 	if (!json_object_object_get_ex(hdr_jobj, "segments", &jobj_segments))
+ 		return 1;
+ 
+@@ -674,11 +697,11 @@ static int hdr_validate_digests(json_obj
+ 		return 1;
+ 	}
+ 
+-	/* keyslots should already be validated */
++	/* keyslots are not yet validated, but we need to know digest doesn't reference missing keyslot */
+ 	if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots))
+ 		return 1;
+ 
+-	/* segments are not validated atm, but we need to know digest doesn't reference missing segment */
++	/* segments are not yet validated, but we need to know digest doesn't reference missing segment */
+ 	if (!json_object_object_get_ex(hdr_jobj, "segments", &jobj_segments))
+ 		return 1;
+ 
+@@ -813,10 +836,10 @@ int LUKS2_hdr_validate(json_object *hdr_
+ 	struct {
+ 		int (*validate)(json_object *);
+ 	} checks[] = {
+-		{ hdr_validate_keyslots },
+ 		{ hdr_validate_tokens   },
+ 		{ hdr_validate_digests  },
+ 		{ hdr_validate_segments },
++		{ hdr_validate_keyslots },
+ 		{ hdr_validate_areas    },
+ 		{ hdr_validate_config   },
+ 		{ NULL }

SOURCES/cryptsetup-2.0.6-check-json-size-matches-value-from-binary-LUKS2-head.patch

@@ -0,0 +1,139 @@
+diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_disk_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_disk_metadata.c
+--- cryptsetup-2.0.3.old/lib/luks2/luks2_disk_metadata.c	2019-03-27 21:06:52.048172644 +0100
++++ cryptsetup-2.0.3/lib/luks2/luks2_disk_metadata.c	2019-03-27 21:07:12.068978543 +0100
+@@ -204,6 +204,12 @@ static int hdr_disk_sanity_check_pre(str
+ 		return -EINVAL;
+ 	}
+ 
++	if (secondary && (offset != be64_to_cpu(hdr->hdr_size))) {
++		log_dbg("LUKS2 offset 0x%04x in secondary header doesn't match size 0x%04x.",
++			(unsigned)offset, (unsigned)be64_to_cpu(hdr->hdr_size));
++		return -EINVAL;
++	}
++
+ 	/* FIXME: sanity check checksum alg. */
+ 
+ 	log_dbg("LUKS2 header version %u of size %u bytes, checksum %s.",
+@@ -476,7 +482,7 @@ static int validate_json_area(const char
+ 	return 0;
+ }
+ 
+-static int validate_luks2_json_object(json_object *jobj_hdr)
++static int validate_luks2_json_object(json_object *jobj_hdr, uint64_t length)
+ {
+ 	int r;
+ 
+@@ -487,14 +493,14 @@ static int validate_luks2_json_object(js
+ 		return r;
+ 	}
+ 
+-	r = LUKS2_hdr_validate(jobj_hdr);
++	r = LUKS2_hdr_validate(jobj_hdr, length);
+ 	if (r) {
+ 		log_dbg("Repairing JSON metadata.");
+ 		/* try to correct known glitches */
+ 		LUKS2_hdr_repair(jobj_hdr);
+ 
+ 		/* run validation again */
+-		r = LUKS2_hdr_validate(jobj_hdr);
++		r = LUKS2_hdr_validate(jobj_hdr, length);
+ 	}
+ 
+ 	if (r)
+@@ -516,7 +522,7 @@ static json_object *parse_and_validate_j
+ 
+ 	r = validate_json_area(json_area, offset, length);
+ 	if (!r)
+-		r = validate_luks2_json_object(jobj);
++		r = validate_luks2_json_object(jobj, length);
+ 
+ 	if (r) {
+ 		json_object_put(jobj);
+diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_internal.h cryptsetup-2.0.3/lib/luks2/luks2_internal.h
+--- cryptsetup-2.0.3.old/lib/luks2/luks2_internal.h	2019-03-27 21:06:52.048172644 +0100
++++ cryptsetup-2.0.3/lib/luks2/luks2_internal.h	2019-03-27 21:07:12.070978524 +0100
+@@ -73,7 +73,7 @@ void JSON_DBG(json_object *jobj, const c
+ json_object *json_contains(json_object *jobj, const char *name, const char *section,
+ 		      const char *key, json_type type);
+ 
+-int LUKS2_hdr_validate(json_object *hdr_jobj);
++int LUKS2_hdr_validate(json_object *hdr_jobj, uint64_t length);
+ int LUKS2_keyslot_validate(json_object *hdr_jobj, json_object *hdr_keyslot, const char *key);
+ int LUKS2_check_json_size(const struct luks2_hdr *hdr);
+ int LUKS2_token_validate(json_object *hdr_jobj, json_object *jobj_token, const char *key);
+diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c
+--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c	2019-03-27 21:06:52.049172634 +0100
++++ cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c	2019-03-27 21:07:44.937659885 +0100
+@@ -446,7 +446,7 @@ int LUKS2_token_validate(json_object *hd
+ 	return 0;
+ }
+ 
+-static int hdr_validate_json_size(json_object *hdr_jobj)
++static int hdr_validate_json_size(json_object *hdr_jobj, uint64_t hdr_json_size)
+ {
+ 	json_object *jobj, *jobj1;
+ 	const char *json;
+@@ -460,12 +460,22 @@ static int hdr_validate_json_size(json_o
+ 	json_area_size = json_object_get_uint64(jobj1);
+ 	json_size = (uint64_t)strlen(json);
+ 
+-	return json_size > json_area_size ? 1 : 0;
++	if (hdr_json_size != json_area_size) {
++		log_dbg("JSON area size doesn't match value in binary header.");
++		return 1;
++	}
++
++	if (json_size > json_area_size) {
++		log_dbg("JSON doesn't fit in the designated area.");
++		return 1;
++	}
++
++	return 0;
+ }
+ 
+ int LUKS2_check_json_size(const struct luks2_hdr *hdr)
+ {
+-	return hdr_validate_json_size(hdr->jobj);
++	return hdr_validate_json_size(hdr->jobj, hdr->hdr_size - LUKS2_HDR_BIN_LEN);
+ }
+ 
+ static int hdr_validate_keyslots(json_object *hdr_jobj)
+@@ -830,7 +840,7 @@ static int hdr_validate_config(json_obje
+ 	return 0;
+ }
+ 
+-int LUKS2_hdr_validate(json_object *hdr_jobj)
++int LUKS2_hdr_validate(json_object *hdr_jobj, uint64_t json_size)
+ {
+ 	struct {
+ 		int (*validate)(json_object *);
+@@ -852,10 +862,8 @@ int LUKS2_hdr_validate(json_object *hdr_
+ 		if (checks[i].validate && checks[i].validate(hdr_jobj))
+ 			return 1;
+ 
+-	if (hdr_validate_json_size(hdr_jobj)) {
+-		log_dbg("Json header is too large.");
++	if (hdr_validate_json_size(hdr_jobj, json_size))
+ 		return 1;
+-	}
+ 
+ 	/* validate keyslot implementations */
+ 	if (LUKS2_keyslots_validate(hdr_jobj))
+@@ -903,7 +911,7 @@ int LUKS2_hdr_write(struct crypt_device
+ 	/* erase unused digests (no assigned keyslot or segment) */
+ 	LUKS2_digests_erase_unused(cd, hdr);
+ 
+-	if (LUKS2_hdr_validate(hdr->jobj))
++	if (LUKS2_hdr_validate(hdr->jobj, hdr->hdr_size - LUKS2_HDR_BIN_LEN))
+ 		return -EINVAL;
+ 
+ 	return LUKS2_disk_hdr_write(cd, hdr, crypt_metadata_device(cd));
+@@ -1650,7 +1658,7 @@ const char *LUKS2_get_cipher(struct luks
+ 		return NULL;
+ 
+ 	if (!json_object_object_get_ex(jobj2, "encryption", &jobj3))
+-		return NULL;
++		return "null";
+ 
+ 	return json_object_get_string(jobj3);
+ }

SOURCES/cryptsetup-2.0.6-do-not-validate-keyslot-areas-so-frantically.patch

@@ -0,0 +1,21 @@
+diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c
+--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c	2019-03-27 15:10:10.869610792 +0100
++++ cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c	2019-03-27 15:32:38.202382332 +0100
+@@ -402,7 +402,6 @@ static json_bool validate_intervals(int
+ 	return TRUE;
+ }
+ 
+-static int hdr_validate_areas(json_object *hdr_jobj);
+ int LUKS2_keyslot_validate(json_object *hdr_jobj, json_object *hdr_keyslot, const char *key)
+ {
+ 	json_object *jobj_key_size;
+@@ -419,9 +418,6 @@ int LUKS2_keyslot_validate(json_object *
+ 		return 1;
+ 	}
+ 
+-	if (hdr_validate_areas(hdr_jobj))
+-		return 1;
+-
+ 	return 0;
+ }
+ 

SOURCES/cryptsetup-2.0.6-enable-all-supported-metadata-sizes-in-LUKS2-validat.patch

@@ -0,0 +1,142 @@
+diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_disk_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_disk_metadata.c
+--- cryptsetup-2.0.3.old/lib/luks2/luks2_disk_metadata.c	2019-03-27 15:48:28.316632526 +0100
++++ cryptsetup-2.0.3/lib/luks2/luks2_disk_metadata.c	2019-03-27 15:48:48.093594565 +0100
+@@ -387,11 +387,6 @@ int LUKS2_disk_hdr_write(struct crypt_de
+ 		return -EINVAL;
+ 	}
+ 
+-	if (hdr->hdr_size != LUKS2_HDR_16K_LEN) {
+-		log_dbg("Unsupported LUKS2 header size (%zu).", hdr->hdr_size);
+-		return -EINVAL;
+-	}
+-
+ 	r = LUKS2_check_device_size(cd, crypt_metadata_device(cd), LUKS2_hdr_and_areas_size(hdr->jobj), 1);
+ 	if (r)
+ 		return r;
+diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2.h cryptsetup-2.0.3/lib/luks2/luks2.h
+--- cryptsetup-2.0.3.old/lib/luks2/luks2.h	2019-03-27 15:48:28.316632526 +0100
++++ cryptsetup-2.0.3/lib/luks2/luks2.h	2019-03-27 15:49:37.033500625 +0100
+@@ -326,6 +326,9 @@ int LUKS2_generate_hdr(
+ 	unsigned int alignOffset,
+ 	int detached_metadata_device);
+ 
++int LUKS2_check_metadata_area_size(uint64_t metadata_size);
++int LUKS2_check_keyslots_area_size(uint64_t keyslots_size);
++
+ uint64_t LUKS2_get_data_offset(struct luks2_hdr *hdr);
+ int LUKS2_get_sector_size(struct luks2_hdr *hdr);
+ const char *LUKS2_get_cipher(struct luks2_hdr *hdr, int segment);
+diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_format.c cryptsetup-2.0.3/lib/luks2/luks2_json_format.c
+--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_format.c	2019-03-27 15:48:28.317632524 +0100
++++ cryptsetup-2.0.3/lib/luks2/luks2_json_format.c	2019-03-27 15:48:48.094594563 +0100
+@@ -114,6 +114,22 @@ int LUKS2_find_area_gap(struct crypt_dev
+ 	return 0;
+ }
+ 
++int LUKS2_check_metadata_area_size(uint64_t metadata_size)
++{
++	/* see LUKS2_HDR2_OFFSETS */
++	return (metadata_size != 0x004000 &&
++		metadata_size != 0x008000 && metadata_size != 0x010000 &&
++		metadata_size != 0x020000 && metadata_size != 0x040000 &&
++		metadata_size != 0x080000 && metadata_size != 0x100000 &&
++		metadata_size != 0x200000 && metadata_size != 0x400000);
++}
++
++int LUKS2_check_keyslots_area_size(uint64_t keyslots_size)
++{
++	return (!keyslots_size || (keyslots_size % 4096) ||
++		keyslots_size > LUKS2_MAX_KEYSLOTS_SIZE);
++}
++
+ int LUKS2_generate_hdr(
+ 	struct crypt_device *cd,
+ 	struct luks2_hdr *hdr,
+diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c
+--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c	2019-03-27 15:48:28.317632524 +0100
++++ cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c	2019-03-27 15:57:44.322526763 +0100
+@@ -701,30 +701,18 @@ static int hdr_validate_digests(json_obj
+ }
+ 
+ /* requires keyslots and segments sections being already validated */
+-static int validate_keyslots_size(json_object *hdr_jobj, json_object *jobj_keyslots_size)
++static int validate_keyslots_size(json_object *hdr_jobj, uint64_t metadata_size, uint64_t keyslots_size)
+ {
+ 	json_object *jobj_keyslots, *jobj, *jobj1;
+-	uint64_t keyslots_size, segment_offset, keyslots_area_sum = 0;
+-
+-	if (!json_str_to_uint64(jobj_keyslots_size, &keyslots_size))
+-		return 1;
+-
+-	if (keyslots_size % 4096) {
+-		log_dbg("keyslots_size is not 4 KiB aligned");
+-		return 1;
+-	}
+-
+-	if (keyslots_size > LUKS2_MAX_KEYSLOTS_SIZE) {
+-		log_dbg("keyslots_size is too large. The cap is %" PRIu64 " bytes", (uint64_t) LUKS2_MAX_KEYSLOTS_SIZE);
+-		return 1;
+-	}
++	uint64_t segment_offset, keyslots_area_sum = 0;
+ 
+ 	json_object_object_get_ex(hdr_jobj, "segments", &jobj);
+ 	segment_offset = get_first_data_offset(jobj, "crypt");
+ 	if (segment_offset &&
+ 	    (segment_offset < keyslots_size ||
+-	     (segment_offset - keyslots_size) < (2 * LUKS2_HDR_16K_LEN))) {
+-		log_dbg("keyslots_size is too large %" PRIu64 " (bytes). Data offset: %" PRIu64 ", keyslots offset: %d", keyslots_size, segment_offset, 2 * LUKS2_HDR_16K_LEN);
++	     (segment_offset - keyslots_size) < (2 * metadata_size))) {
++		log_dbg("keyslots_size is too large %" PRIu64 " (bytes). Data offset: %" PRIu64
++			", keyslots offset: %" PRIu64, keyslots_size, segment_offset, 2 * metadata_size);
+ 		return 1;
+ 	}
+ 
+@@ -738,7 +726,8 @@ static int validate_keyslots_size(json_o
+ 	}
+ 
+ 	if (keyslots_area_sum > keyslots_size) {
+-		log_dbg("Sum of all keyslot area sizes (%" PRIu64 ") is greater than value in config section %" PRIu64, keyslots_area_sum, keyslots_size);
++		log_dbg("Sum of all keyslot area sizes (%" PRIu64 ") is greater than value in config section %"
++			PRIu64, keyslots_area_sum, keyslots_size);
+ 		return 1;
+ 	}
+ 
+@@ -749,7 +738,7 @@ static int hdr_validate_config(json_obje
+ {
+ 	json_object *jobj_config, *jobj, *jobj1;
+ 	int i;
+-	uint64_t json_size;
++	uint64_t json_size, keyslots_size;
+ 
+ 	if (!json_object_object_get_ex(hdr_jobj, "config", &jobj_config)) {
+ 		log_dbg("Missing config section.");
+@@ -760,21 +749,21 @@ static int hdr_validate_config(json_obje
+ 	    !json_str_to_uint64(jobj, &json_size))
+ 		return 1;
+ 
+-	/* currently it's hardcoded */
+-	if (json_size != (LUKS2_HDR_16K_LEN - LUKS2_HDR_BIN_LEN)) {
+-		log_dbg("Invalid json_size %" PRIu64, json_size);
++	if (!(jobj = json_contains(jobj_config, "section", "Config", "keyslots_size", json_type_string)) ||
++	    !json_str_to_uint64(jobj, &keyslots_size))
+ 		return 1;
+-	}
+ 
+-	if (json_size % 4096) {
+-		log_dbg("Json area is not properly aligned to 4 KiB.");
++	if (LUKS2_check_metadata_area_size(json_size + LUKS2_HDR_BIN_LEN)) {
++		log_dbg("Unsupported LUKS2 header size (%" PRIu64 ").", json_size + LUKS2_HDR_BIN_LEN);
+ 		return 1;
+ 	}
+ 
+-	if (!(jobj = json_contains(jobj_config, "section", "Config", "keyslots_size", json_type_string)))
++	if (LUKS2_check_keyslots_area_size(keyslots_size)) {
++		log_dbg("Unsupported LUKS2 keyslots size (%" PRIu64 ").", keyslots_size);
+ 		return 1;
++	}
+ 
+-	if (validate_keyslots_size(hdr_jobj, jobj))
++	if (validate_keyslots_size(hdr_jobj, json_size + LUKS2_HDR_BIN_LEN, keyslots_size))
+ 		return 1;
+ 
+ 	/* Flags array is optional */

SOURCES/cryptsetup-2.0.6-fix-keyslot-areas-validation.patch

@@ -0,0 +1,94 @@
+diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c
+--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c	2019-03-27 16:14:49.790420791 +0100
++++ cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c	2019-03-27 16:23:50.499187212 +0100
+@@ -363,12 +363,13 @@ static json_bool segment_has_digest(cons
+ 	return FALSE;
+ }
+ 
+-static json_bool validate_intervals(int length, const struct interval *ix, uint64_t *data_offset)
++static json_bool validate_intervals(int length, const struct interval *ix,
++				    uint64_t metadata_size, uint64_t keyslots_area_end)
+ {
+ 	int j, i = 0;
+ 
+ 	while (i < length) {
+-		if (ix[i].offset < 2 * LUKS2_HDR_16K_LEN) {
++		if (ix[i].offset < 2 * metadata_size) {
+ 			log_dbg("Illegal area offset: %" PRIu64 ".", ix[i].offset);
+ 			return FALSE;
+ 		}
+@@ -378,10 +379,9 @@ static json_bool validate_intervals(int
+ 			return FALSE;
+ 		}
+ 
+-		/* first segment at offset 0 means we have detached header. Do not check then. */
+-		if (*data_offset && (ix[i].offset + ix[i].length) > *data_offset) {
+-			log_dbg("Area [%" PRIu64 ", %" PRIu64 "] intersects with segment starting at offset: %" PRIu64,
+-				ix[i].offset, ix[i].offset + ix[i].length, *data_offset);
++		if ((ix[i].offset + ix[i].length) > keyslots_area_end) {
++			log_dbg("Area [%" PRIu64 ", %" PRIu64 "] overflows binary keyslots area (ends at offset: %" PRIu64 ").",
++				ix[i].offset, ix[i].offset + ix[i].length, keyslots_area_end);
+ 			return FALSE;
+ 		}
+ 
+@@ -596,12 +596,24 @@ static int hdr_validate_segments(json_ob
+ 	return 0;
+ }
+ 
++static uint64_t LUKS2_metadata_size(json_object *jobj)
++{
++	json_object *jobj1, *jobj2;
++	uint64_t json_size;
++
++	json_object_object_get_ex(jobj, "config", &jobj1);
++	json_object_object_get_ex(jobj1, "json_size", &jobj2);
++	json_str_to_uint64(jobj2, &json_size);
++
++	return json_size + LUKS2_HDR_BIN_LEN;
++}
++
+ static int hdr_validate_areas(json_object *hdr_jobj)
+ {
+ 	struct interval *intervals;
+ 	json_object *jobj_keyslots, *jobj_offset, *jobj_length, *jobj_segments, *jobj_area;
+ 	int length, ret, i = 0;
+-	uint64_t first_offset, keyslots_size, keyslots_area_sum = 0;
++	uint64_t keyslots_size, metadata_size, keyslots_area_sum = 0;
+ 
+ 	if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots))
+ 		return 1;
+@@ -611,6 +623,7 @@ static int hdr_validate_areas(json_objec
+ 
+ 	/* config is already validated */
+ 	keyslots_size = LUKS2_keyslots_size(hdr_jobj);
++	metadata_size = LUKS2_metadata_size(hdr_jobj);
+ 
+ 	length = json_object_object_length(jobj_keyslots);
+ 
+@@ -663,9 +676,7 @@ static int hdr_validate_areas(json_objec
+ 		return 1;
+ 	}
+ 
+-	first_offset = get_first_data_offset(jobj_segments, NULL);
+-
+-	ret = validate_intervals(length, intervals, &first_offset) ? 0 : 1;
++	ret = validate_intervals(length, intervals, metadata_size, LUKS2_hdr_and_areas_size(hdr_jobj)) ? 0 : 1;
+ 
+ 	free(intervals);
+ 
+@@ -918,14 +929,7 @@ uint64_t LUKS2_keyslots_size(json_object
+ 
+ uint64_t LUKS2_hdr_and_areas_size(json_object *jobj)
+ {
+-	json_object *jobj1, *jobj2;
+-	uint64_t json_size;
+-
+-	json_object_object_get_ex(jobj, "config", &jobj1);
+-	json_object_object_get_ex(jobj1, "json_size", &jobj2);
+-	json_str_to_uint64(jobj2, &json_size);
+-
+-	return 2 * (json_size + LUKS2_HDR_BIN_LEN) + LUKS2_keyslots_size(jobj);
++	return 2 * LUKS2_metadata_size(jobj) + LUKS2_keyslots_size(jobj);
+ }
+ 
+ int LUKS2_hdr_backup(struct crypt_device *cd, struct luks2_hdr *hdr,

SOURCES/cryptsetup-2.0.6-reshuffle-config-and-keyslots-areas-validation-code.patch

@@ -0,0 +1,147 @@
+diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c
+--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c	2019-03-28 11:32:18.850058719 +0100
++++ cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c	2019-03-28 11:33:07.610800041 +0100
+@@ -643,7 +643,7 @@ static int hdr_validate_areas(json_objec
+ 	struct interval *intervals;
+ 	json_object *jobj_keyslots, *jobj_offset, *jobj_length, *jobj_segments, *jobj_area;
+ 	int length, ret, i = 0;
+-	uint64_t first_offset;
++	uint64_t first_offset, keyslots_size, keyslots_area_sum = 0;
+ 
+ 	if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots))
+ 		return 1;
+@@ -652,6 +652,9 @@ static int hdr_validate_areas(json_objec
+ 	if (!json_object_object_get_ex(hdr_jobj, "segments", &jobj_segments))
+ 		return 1;
+ 
++	/* config is already validated */
++	keyslots_size = LUKS2_keyslots_size(hdr_jobj);
++
+ 	length = json_object_object_length(jobj_keyslots);
+ 
+ 	/* Empty section */
+@@ -687,6 +690,8 @@ static int hdr_validate_areas(json_objec
+ 			return 1;
+ 		}
+ 
++		keyslots_area_sum += intervals[i].length;
++
+ 		i++;
+ 	}
+ 
+@@ -694,6 +699,13 @@ static int hdr_validate_areas(json_objec
+ 		free(intervals);
+ 		return 1;
+ 	}
++ 
++	if (keyslots_area_sum > keyslots_size) {
++		log_dbg("Sum of all keyslot area sizes (%" PRIu64 ") is greater than value in config section %"
++			PRIu64, keyslots_area_sum, keyslots_size);
++		free(intervals);
++		return 1;
++	}
+ 
+ 	first_offset = get_first_data_offset(jobj_segments, NULL);
+ 
+@@ -739,45 +751,11 @@ static int hdr_validate_digests(json_obj
+ 	return 0;
+ }
+ 
+-/* requires keyslots and segments sections being already validated */
+-static int validate_keyslots_size(json_object *hdr_jobj, uint64_t metadata_size, uint64_t keyslots_size)
+-{
+-	json_object *jobj_keyslots, *jobj, *jobj1;
+-	uint64_t segment_offset, keyslots_area_sum = 0;
+-
+-	json_object_object_get_ex(hdr_jobj, "segments", &jobj);
+-	segment_offset = get_first_data_offset(jobj, "crypt");
+-	if (segment_offset &&
+-	    (segment_offset < keyslots_size ||
+-	     (segment_offset - keyslots_size) < (2 * metadata_size))) {
+-		log_dbg("keyslots_size is too large %" PRIu64 " (bytes). Data offset: %" PRIu64
+-			", keyslots offset: %" PRIu64, keyslots_size, segment_offset, 2 * metadata_size);
+-		return 1;
+-	}
+-
+-	json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots);
+-
+-	json_object_object_foreach(jobj_keyslots, key, val) {
+-		UNUSED(key);
+-		json_object_object_get_ex(val, "area", &jobj);
+-		json_object_object_get_ex(jobj, "size", &jobj1);
+-		keyslots_area_sum += json_object_get_uint64(jobj1);
+-	}
+-
+-	if (keyslots_area_sum > keyslots_size) {
+-		log_dbg("Sum of all keyslot area sizes (%" PRIu64 ") is greater than value in config section %"
+-			PRIu64, keyslots_area_sum, keyslots_size);
+-		return 1;
+-	}
+-
+-	return 0;
+-}
+-
+ static int hdr_validate_config(json_object *hdr_jobj)
+ {
+ 	json_object *jobj_config, *jobj, *jobj1;
+ 	int i;
+-	uint64_t json_size, keyslots_size;
++	uint64_t keyslots_size, metadata_size, segment_offset;
+ 
+ 	if (!json_object_object_get_ex(hdr_jobj, "config", &jobj_config)) {
+ 		log_dbg("Missing config section.");
+@@ -785,15 +763,19 @@ static int hdr_validate_config(json_obje
+ 	}
+ 
+ 	if (!(jobj = json_contains(jobj_config, "section", "Config", "json_size", json_type_string)) ||
+-	    !json_str_to_uint64(jobj, &json_size))
++	    !json_str_to_uint64(jobj, &metadata_size))
+ 		return 1;
+ 
++	/* single metadata instance is assembled from json area size plus
++	 * binary header size */
++	metadata_size += LUKS2_HDR_BIN_LEN;
++
+ 	if (!(jobj = json_contains(jobj_config, "section", "Config", "keyslots_size", json_type_string)) ||
+ 	    !json_str_to_uint64(jobj, &keyslots_size))
+ 		return 1;
+ 
+-	if (LUKS2_check_metadata_area_size(json_size + LUKS2_HDR_BIN_LEN)) {
+-		log_dbg("Unsupported LUKS2 header size (%" PRIu64 ").", json_size + LUKS2_HDR_BIN_LEN);
++	if (LUKS2_check_metadata_area_size(metadata_size)) {
++		log_dbg("Unsupported LUKS2 header size (%" PRIu64 ").", metadata_size);
+ 		return 1;
+ 	}
+ 
+@@ -802,8 +784,19 @@ static int hdr_validate_config(json_obje
+ 		return 1;
+ 	}
+ 
+-	if (validate_keyslots_size(hdr_jobj, json_size + LUKS2_HDR_BIN_LEN, keyslots_size))
+-		return 1;
++	/*
++	 * validate keyslots_size fits in between (2 * metadata_size) and first
++	 * segment_offset (except detached header)
++	 */
++	json_object_object_get_ex(hdr_jobj, "segments", &jobj);
++	segment_offset = get_first_data_offset(jobj, "crypt");
++	if (segment_offset &&
++	    (segment_offset < keyslots_size ||
++	     (segment_offset - keyslots_size) < (2 * metadata_size))) {
++		log_dbg("keyslots_size is too large %" PRIu64 " (bytes). Data offset: %" PRIu64
++			", keyslots offset: %" PRIu64, keyslots_size, segment_offset, 2 * metadata_size);
++ 		return 1;
++	}
+ 
+ 	/* Flags array is optional */
+ 	if (json_object_object_get_ex(jobj_config, "flags", &jobj)) {
+@@ -845,8 +838,8 @@ int LUKS2_hdr_validate(json_object *hdr_
+ 		{ hdr_validate_digests  },
+ 		{ hdr_validate_segments },
+ 		{ hdr_validate_keyslots },
+-		{ hdr_validate_areas    },
+ 		{ hdr_validate_config   },
++		{ hdr_validate_areas    },
+ 		{ NULL }
+ 	};
+ 	int i;

SOURCES/cryptsetup-2.0.6-test-cryptsetup-can-handle-all-LUKS2-metadata-varian.patch

@@ -0,0 +1,39 @@
+diff -rupN cryptsetup-2.0.3.old/tests/compat-test2 cryptsetup-2.0.3/tests/compat-test2
+--- cryptsetup-2.0.3.old/tests/compat-test2	2019-03-27 17:03:58.788037100 +0100
++++ cryptsetup-2.0.3/tests/compat-test2	2019-03-27 17:14:19.432280547 +0100
+@@ -22,6 +22,7 @@ PWD0="compatkey"
+ PWD1="93R4P4pIqAH8"
+ PWD2="mymJeD8ivEhE"
+ PWD3="ocMakf3fAcQO"
++PWD4="Qx3qn46vq0v"
+ PWDW="rUkL4RUryBom"
+ TEST_KEYRING_NAME="compattest2_keyring"
+ TEST_TOKEN0="compattest2_desc0"
+@@ -46,7 +47,7 @@ function remove_mapping()
+ 	[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove $DEV_NAME2
+ 	[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove $DEV_NAME
+ 	losetup -d $LOOPDEV >/dev/null 2>&1
+-	rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE >/dev/null 2>&1
++	rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE copy_test_image* >/dev/null 2>&1
+ 
+ 	# unlink whole test keyring
+ 	[ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null
+@@ -817,5 +818,18 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q
+ $CRYPTSETUP luksKillSlot -q $LOOPDEV 3
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2 (unbound)" && fail
+ 
++prepare "[39] LUKS2 metadata variants" wipe
++for mda in 16 32 64 128 256 512 1024 2048 4096 ; do
++	cp test_image_$mda copy_test_image_$mda || fail
++	echo -n "[$mda KiB]"
++	echo $PWD4 | $CRYPTSETUP open copy_test_image_$mda $DEV_NAME || fail
++	$CRYPTSETUP close $DEV_NAME || fail
++	echo -e "$PWD4\n$PWD3" | $CRYPTSETUP luksAddKey -S9 $FAST_PBKDF_OPT copy_test_image_$mda || fail
++	echo $PWD4 | $CRYPTSETUP open --test-passphrase copy_test_image_$mda || fail
++	echo $PWD3 | $CRYPTSETUP open -S9 --test-passphrase copy_test_image_$mda || fail
++	echo -n "[OK]"
++done
++echo
++
+ remove_mapping
+ exit 0

SPECS/cryptsetup.spec

@@ -30,7 +30,7 @@ Obsoletes: python2-cryptsetup
 Summary: A utility for setting up encrypted disks
 Name: cryptsetup
 Version: 2.0.3
-Release: 3%{?dist}
+Release: 5%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: Applications/System
 URL: https://gitlab.com/cryptsetup/cryptsetup
@@ -57,6 +57,10 @@ Requires: libpwquality >= 1.2.0
 %define upstream_version_old 1.7.4
 Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{upstream_version}.tar.xz
 Source1: https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-%{upstream_version_old}.tar.xz
+# contains test images only, original commit id 5a7535c
+Source2: luks2_mda_images.tar.xz
+# contains test images only, original commit id 177cb8b
+Source3: luks2_valid_hdr.tar.xz
 # version 1.7.4 only (all of it, up to next comment)
 Patch0: %{name}-avoid-rh-kernel-bug.patch
 Patch1: %{name}-1.7.5-fix-unaligned-access-to-hidden-truecrypt.patch
@@ -82,6 +86,18 @@ Patch18: %{name}-2.0.4-allow-LUKS2-repair-with-disabled-locks.patch
 Patch19: %{name}-2.0.4-configure.patch
 Patch20: %{name}-2.0.4-update-cryptsetup-man-page-for-type-option-usage.patch
 Patch21: %{name}-2.0.4-rephrase-error-message-for-invalid-type-param-in-con.patch
+Patch22: %{name}-2.0.4-fix-LUKS2-api-test.patch
+Patch23: %{name}-2.0.5-fix-miscalculation-of-device-alignment-offset.patch
+Patch24: %{name}-2.0.5-remove-useless-division-followed-by-multiplication-b.patch
+Patch25: %{name}-2.0.6-LUKS2-metadata-variation-fixes.patch
+Patch26: %{name}-2.0.6-enable-all-supported-metadata-sizes-in-LUKS2-validat.patch
+Patch27: %{name}-2.0.6-check-json-size-matches-value-from-binary-LUKS2-head.patch
+Patch28: %{name}-2.0.6-test-cryptsetup-can-handle-all-LUKS2-metadata-varian.patch
+Patch29: %{name}-2.0.6-do-not-validate-keyslot-areas-so-frantically.patch
+Patch30: %{name}-2.0.6-reshuffle-config-and-keyslots-areas-validation-code.patch
+Patch31: %{name}-2.0.6-fix-keyslot-areas-validation.patch
+# keep validation tests up to date
+Patch32: %{name}-2.1.0-sync-LUKS2-validation-tests.patch
 
 %if 0%{?fedora} >= 19 || 0%{?rhel} >= 7
 %define configure_cipher --enable-gcrypt-pbkdf2
@@ -192,10 +208,24 @@ for setting up disk encryption using dm-crypt kernel module.
 %patch18 -p1
 %patch20 -p1
 %patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
+%patch26 -p1
+%patch27 -p1
+%patch28 -p1
+%patch29 -p1
+%patch30 -p1
+%patch31 -p1
+%patch32 -p1
 # the configure patch (always last)
 %patch19 -p1
 chmod -x python/pycryptsetup-test.py
 chmod -x misc/dracut_90reencrypt/*
+chmod +x tests/generators/generate-*.sh
+%setup -T -a 2 -D -n cryptsetup-%{upstream_version}/tests
+%setup -T -a 3 -D -n cryptsetup-%{upstream_version}/tests
 
 %if %{python3_enable}
 # copy the whole directory for the python3 build
@@ -319,6 +349,17 @@ install -m755 misc/dracut_90reencrypt/reencrypt-verbose.sh %{buildroot}/%{dracut
 %clean
 
 %changelog
+* Wed Apr 03 2019 Ondrej Kozina <okozina@redhat.com> - 2.0.3-5
+- patch: calculate alignment offset correctly for LUKS2 devices.
+- patch: fix memory leak in LUKS2 validation.
+- Resolves: #1613953 #1693592
+
+* Wed Mar 27 2019 Ondrej Kozina <okozina@redhat.com> - 2.0.3-4
+- patch: Fix broken LUKS2 api test.
+- patch: Allow cryptsetup to process all LUKS2 metadata variants
+  according to LUKS2 specifiation.
+- Resolves: #1653388
+
 * Tue Jul 31 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.3-3
 - Add expected permissions explicitly for locking directory.
 - Reinstate sed script removing library rpath from libtool