diff -rupN cryptsetup-2.4.3.old/tests/api-test.c cryptsetup-2.4.3/tests/api-test.c
--- cryptsetup-2.4.3.old/tests/api-test.c	2022-02-17 16:37:09.535345938 +0100
+++ cryptsetup-2.4.3/tests/api-test.c	2022-02-17 16:37:29.156459763 +0100
@@ -312,7 +312,7 @@ static int _setup(void)
 static void AddDevicePlain(void)
 {
 	struct crypt_params_plain params = {
-		.hash = "sha1",
+		.hash = "sha256",
 		.skip = 0,
 		.offset = 0,
 		.size = 0
@@ -322,7 +322,7 @@ static void AddDevicePlain(void)
 
 	const char *passphrase = PASSPHRASE;
 	// hashed hex version of PASSPHRASE
-	const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+	const char *mk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea";
 	size_t key_size = strlen(mk_hex) / 2;
 	const char *cipher = "aes";
 	const char *cipher_mode = "cbc-essiv:sha256";
@@ -438,7 +438,7 @@ static void AddDevicePlain(void)
 	OK_(crypt_deactivate(cd,CDEVICE_1));
 
 	CRYPT_FREE(cd);
-	params.hash = "sha1";
+	params.hash = "sha256";
 	params.offset = 0;
 	params.size = 0;
 	params.skip = 0;
@@ -620,7 +620,7 @@ static void new_log(int level, const cha
 static void CallbacksTest(void)
 {
 	struct crypt_params_plain params = {
-		.hash = "sha1",
+		.hash = "sha256",
 		.skip = 0,
 		.offset = 0,
 	};
@@ -1116,7 +1116,7 @@ static void LuksHeaderRestore(void)
 		.data_alignment = 2048, // 4M, data offset will be 4096
 	};
 	struct crypt_params_plain pl_params = {
-		.hash = "sha1",
+		.hash = "sha256",
 		.skip = 0,
 		.offset = 0,
 		.size = 0
@@ -1203,7 +1203,7 @@ static void LuksHeaderLoad(void)
 		.data_alignment = 2048,
 	};
 	struct crypt_params_plain pl_params = {
-		.hash = "sha1",
+		.hash = "sha256",
 		.skip = 0,
 		.offset = 0,
 		.size = 0
diff -rupN cryptsetup-2.4.3.old/tests/api-test-2.c cryptsetup-2.4.3/tests/api-test-2.c
--- cryptsetup-2.4.3.old/tests/api-test-2.c	2022-02-17 16:37:09.535345938 +0100
+++ cryptsetup-2.4.3/tests/api-test-2.c	2022-02-17 16:37:29.155459758 +0100
@@ -1232,7 +1232,7 @@ static void Luks2HeaderRestore(void)
 		.sector_size = 512
 	};
 	struct crypt_params_plain pl_params = {
-		.hash = "sha1",
+		.hash = "sha256",
 		.skip = 0,
 		.offset = 0,
 		.size = 0
@@ -1242,7 +1242,7 @@ static void Luks2HeaderRestore(void)
 	};
 	uint32_t flags = 0;
 
-	const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
+	const char *mk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea";
 	size_t key_size = strlen(mk_hex) / 2;
 	const char *cipher = "aes";
 	const char *cipher_mode = "cbc-essiv:sha256";
@@ -1337,7 +1337,7 @@ static void Luks2HeaderLoad(void)
 		.sector_size = 512
 	};
 	struct crypt_params_plain pl_params = {
-		.hash = "sha1",
+		.hash = "sha256",
 		.skip = 0,
 		.offset = 0,
 		.size = 0
@@ -2142,7 +2142,7 @@ static void LuksConvert(void)
 		.parallel_threads = 1
 	}, pbkdf2 = {
 		.type = CRYPT_KDF_PBKDF2,
-		.hash = "sha1",
+		.hash = "sha256",
 		.time_ms = 1
 	};
 
@@ -2675,7 +2675,7 @@ static void Pbkdf(void)
 		.hash = default_luks1_hash
 	};
 	struct crypt_params_plain params = {
-		.hash = "sha1",
+		.hash = "sha256",
 		.skip = 0,
 		.offset = 0,
 		.size = 0
@@ -2874,11 +2874,11 @@ static void Pbkdf(void)
 	pbkdf2.time_ms = 9;
 	pbkdf2.hash = NULL;
 	FAIL_(crypt_set_pbkdf_type(cd, &pbkdf2), "Hash is mandatory for pbkdf2");
-	pbkdf2.hash = "sha1";
+	pbkdf2.hash = "sha256";
 	OK_(crypt_set_pbkdf_type(cd, &pbkdf2));
 
 	argon2.time_ms = 9;
-	argon2.hash = "sha1"; // will be ignored
+	argon2.hash = "sha256"; // will be ignored
 	OK_(crypt_set_pbkdf_type(cd, &argon2));
 	argon2.hash = NULL;
 	OK_(crypt_set_pbkdf_type(cd, &argon2));
@@ -3839,7 +3839,7 @@ static void Luks2Reencryption(void)
 	struct crypt_params_reencrypt retparams = {}, rparams = {
 		.direction = CRYPT_REENCRYPT_FORWARD,
 		.resilience = "checksum",
-		.hash = "sha1",
+		.hash = "sha256",
 		.luks2 = &params2,
 	};
 	dev_t devno;
@@ -3983,7 +3983,7 @@ static void Luks2Reencryption(void)
 	rparams.hash = "hamSter";
 	FAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 21, 9, "aes", "xts-plain64", &rparams), "Invalid resilience hash.");
 
-	rparams.hash = "sha1";
+	rparams.hash = "sha256";
 	OK_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 21, 9, "aes", "xts-plain64", &rparams));
 	OK_(crypt_reencrypt_run(cd, NULL, NULL));
 
diff -rupN cryptsetup-2.4.3.old/tests/compat-test cryptsetup-2.4.3/tests/compat-test
--- cryptsetup-2.4.3.old/tests/compat-test	2022-02-17 16:37:09.541345973 +0100
+++ cryptsetup-2.4.3/tests/compat-test	2022-02-17 16:37:29.157459769 +0100
@@ -302,8 +302,8 @@ $CRYPTSETUP -q luksUUID $IMG | grep -q $
 prepare	"[1] open - compat image - acceptance check" new
 echo $PWD0 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
 check_exists
-ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
-[ "$ORG_SHA1" = 676062b66ebf36669dab705442ea0762dfc091b0 ] || fail
+ORG_SHA256=$(sha256sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
+[ "$ORG_SHA256" = 7428e8f2436882a07eb32765086f5c899474c08b5576f556b573d2aabdf923e8 ] || fail
 $CRYPTSETUP -q luksClose  $DEV_NAME || fail
 
 # Check it can be opened from header backup as well
@@ -315,6 +315,7 @@ $CRYPTSETUP -q luksClose  $DEV_NAME || f
 $CRYPTSETUP luksHeaderRestore -q $IMG --header-backup-file $HEADER_IMG || fail
 
 # Repeat for V1.0 header - not aligned first keyslot
+if [ ! fips_mode ] ; then
 echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME || fail
 check_exists
 ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ')
@@ -326,6 +327,7 @@ $CRYPTSETUP luksHeaderBackup $IMG10 --he
 echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME --header $HEADER_IMG || fail
 check_exists
 $CRYPTSETUP -q luksClose  $DEV_NAME || fail
+fi
 
 prepare "[2] open - compat image - denial check" new
 echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
@@ -526,7 +528,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q
 
 prepare "[19] create & status & resize" wipe
 echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash xxx 2>/dev/null && fail
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail
 $CRYPTSETUP -q status  $DEV_NAME | grep "offset:" | grep -q "3 sectors" || fail
 $CRYPTSETUP -q status  $DEV_NAME | grep "skipped:" | grep -q "4 sectors" || fail
 $CRYPTSETUP -q status  $DEV_NAME | grep "mode:" | grep -q "readonly" || fail
@@ -546,15 +548,15 @@ $CRYPTSETUP -q resize  $DEV_NAME || fail
 $CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "32765 sectors" || fail
 $CRYPTSETUP -q remove  $DEV_NAME || fail
 $CRYPTSETUP -q status  $DEV_NAME >/dev/null && fail
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail
 $CRYPTSETUP -q remove  $DEV_NAME || fail
-echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 $LOOPDEV || fail
+echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 $LOOPDEV || fail
 $CRYPTSETUP -q remove  $DEV_NAME || fail
-echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 --size 100 $LOOPDEV || fail
+echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 --size 100 $LOOPDEV || fail
 $CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
 $CRYPTSETUP -q remove  $DEV_NAME || fail
 # 4k sector resize (if kernel supports it)
-echo $PWD1 | $CRYPTSETUP -q open --type plain $LOOPDEV $DEV_NAME --sector-size 4096 --size 8  >/dev/null 2>&1
+echo $PWD1 | $CRYPTSETUP -q open --type plain --hash sha256 $LOOPDEV $DEV_NAME --sector-size 4096 --size 8  >/dev/null 2>&1
 if [ $? -eq 0 ] ; then
 	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "8 sectors" || fail
 	$CRYPTSETUP -q resize  $DEV_NAME --size 16 || fail
@@ -567,7 +569,7 @@ if [ $? -eq 0 ] ; then
 fi
 # Resize not aligned to logical block size
 add_scsi_device dev_size_mb=32 sector_size=4096
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV || fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV || fail
 OLD_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/')
 $CRYPTSETUP resize $DEV_NAME -b 7 2> /dev/null && fail
 dmsetup info $DEV_NAME | grep -q SUSPENDED && fail
@@ -575,10 +577,10 @@ NEW_SIZE=$($CRYPTSETUP status $DEV_NAME
 test $OLD_SIZE -eq $NEW_SIZE || fail
 $CRYPTSETUP close $DEV_NAME || fail
 # Add check for unaligned plain crypt activation
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV -b 7 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV -b 7 2>/dev/null && fail
 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail
 # verify is ignored on non-tty input
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --verify-passphrase 2>/dev/null || fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --verify-passphrase 2>/dev/null || fail
 $CRYPTSETUP -q remove  $DEV_NAME || fail
 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size 255 2>/dev/null && fail
 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size -1 2>/dev/null && fail
@@ -695,15 +697,15 @@ $CRYPTSETUP luksChangeKey $LOOPDEV $FAST
 dmsetup remove --retry $DEV_NAME2
 
 prepare "[25] Create shared segments" wipe
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV  --hash sha1 --offset   0 --size 256 || fail
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 2>/dev/null && fail
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 --shared || fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV  --hash sha256 --offset   0 --size 256 || fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 --shared || fail
 $CRYPTSETUP -q remove  $DEV_NAME2 || fail
 $CRYPTSETUP -q remove  $DEV_NAME || fail
 
 prepare "[26] Suspend/Resume" wipe
 # only LUKS is supported
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail
 $CRYPTSETUP luksSuspend $DEV_NAME 2>/dev/null && fail
 $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
 $CRYPTSETUP -q remove  $DEV_NAME || fail
diff -rupN cryptsetup-2.4.3.old/tests/compat-test2 cryptsetup-2.4.3/tests/compat-test2
--- cryptsetup-2.4.3.old/tests/compat-test2	2022-02-17 16:37:09.541345973 +0100
+++ cryptsetup-2.4.3/tests/compat-test2	2022-02-17 16:37:29.158459775 +0100
@@ -774,7 +774,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q
 $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail
 $CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail
 # hash test
-$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha1 || fail
+$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha512 || fail
 $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 --hash sha256 || fail
 $CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail
 $CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail
diff -rupN cryptsetup-2.4.3.old/tests/discards-test cryptsetup-2.4.3/tests/discards-test
--- cryptsetup-2.4.3.old/tests/discards-test	2022-02-17 16:37:09.541345973 +0100
+++ cryptsetup-2.4.3/tests/discards-test	2022-02-17 16:37:29.158459775 +0100
@@ -80,7 +80,7 @@ dmsetup table $DEV_NAME | grep allow_dis
 $CRYPTSETUP luksClose $DEV_NAME || fail
 
 echo "[2] Allowing discards for plain device"
-echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha1 --allow-discards || fail
+echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha256 --allow-discards || fail
 $CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail
 $CRYPTSETUP resize $DEV_NAME --size 100 || fail
 $CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail
diff -rupN cryptsetup-2.4.3.old/tests/integrity-compat-test cryptsetup-2.4.3/tests/integrity-compat-test
--- cryptsetup-2.4.3.old/tests/integrity-compat-test	2022-02-17 16:37:09.542345979 +0100
+++ cryptsetup-2.4.3/tests/integrity-compat-test	2022-02-17 16:37:29.159459781 +0100
@@ -168,7 +168,7 @@ intformat() # alg alg_out tagsize outtag
 	echo -n "[FORMAT]"
 	$INTSETUP format --integrity-legacy-padding -q --integrity $1 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV >/dev/null 2>&1
 	if [ $? -ne 0 ] ; then
-		if [[ $1 =~ "sha" || $1 =~ "crc" ]] ; then
+		if [[ $1 =~ "sha2" || $1 =~ "crc" ]] ; then
 			fail "Cannot format device."
 		fi
 		echo "[N/A]"
@@ -214,7 +214,14 @@ int_error_detection() # mode alg tagsize
 
 	echo -n "[INTEGRITY:$1:$2:$4:$5]"
 	echo -n "[FORMAT]"
-	$INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null || fail "Cannot format device."
+	$INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null 2>&1
+	if [ $? -ne 0 ] ; then
+		if [[ $2 =~ "sha2" || $2 =~ "crc" ]] ; then
+			fail "Cannot format device."
+		fi
+		echo "[N/A]"
+		return
+	fi
 	echo -n "[ACTIVATE]"
 	$INTSETUP open $DEV $DEV_NAME --integrity $2 --integrity-no-journal $KEY_PARAMS $INT_MODE || fail "Cannot activate device."
 
diff -rupN cryptsetup-2.4.3.old/tests/keyring-compat-test cryptsetup-2.4.3/tests/keyring-compat-test
--- cryptsetup-2.4.3.old/tests/keyring-compat-test	2022-02-17 16:37:09.542345979 +0100
+++ cryptsetup-2.4.3/tests/keyring-compat-test	2022-02-17 16:39:07.132028140 +0100
@@ -119,7 +119,7 @@ add_device() {
 which dmsetup >/dev/null 2>&1 || skip "Cannot find dmsetup, test skipped"
 which keyctl >/dev/null 2>&1 || skip "Cannot find keyctl, test skipped"
 which xxd >/dev/null 2>&1 || skip "Cannot find xxd, test skipped"
-which sha1sum > /dev/null 2>&1 || skip "Cannot find sha1sum, test skipped"
+which sha256sum >/dev/null 2>&1 || skip "Cannot find sha256sum, test skipped"
 modprobe dm-crypt >/dev/null 2>&1 || fail "dm-crypt failed to load"
 dm_crypt_keyring_support || skip "dm-crypt doesn't support kernel keyring, test skipped."
 
@@ -132,23 +132,23 @@ dd if=/dev/urandom of=$DEV bs=1M count=$
 #test aes cipher with xts mode, plain IV
 echo -n "Testing $CIPHER_XTS_PLAIN..."
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
 dmsetup remove --retry $NAME || fail
 load_key "$HEXKEY_32" logon  $LOGON_KEY_32_OK "$TEST_KEYRING" || fail "Cannot load 32 byte logon key type"
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN :32:logon:$LOGON_KEY_32_OK 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
 dmsetup remove --retry $NAME || fail
 diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
 # same test using message
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
 dmsetup remove --retry $NAME || fail
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail
 dmsetup suspend $NAME || fail
 dmsetup message $NAME 0 key wipe || fail
 dmsetup message $NAME 0 "key set :32:logon:$LOGON_KEY_32_OK" || fail
 dmsetup resume $NAME || fail
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
 dmsetup remove --retry $NAME || fail
 diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
 echo "OK"
@@ -156,23 +156,23 @@ echo "OK"
 #test aes cipher, xts mode, essiv IV
 echo -n "Testing $CIPHER_CBC_ESSIV..."
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
 dmsetup remove --retry $NAME || fail
 load_key "$HEXKEY_16" logon  $LOGON_KEY_16_OK "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type"
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV :16:logon:$LOGON_KEY_16_OK 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
 dmsetup remove --retry $NAME || fail
 diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
 # same test using message
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
 dmsetup remove --retry $NAME || fail
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail
 dmsetup suspend $NAME || fail
 dmsetup message $NAME 0 key wipe || fail
 dmsetup message $NAME 0 "key set :16:logon:$LOGON_KEY_16_OK" || fail
 dmsetup resume $NAME || fail
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
 dmsetup remove --retry $NAME || fail
 diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
 echo "OK"
@@ -181,23 +181,23 @@ echo "OK"
 fips_mode || {
 echo -n "Testing $CIPHER_CBC_TCW..."
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
 dmsetup remove --retry $NAME || fail
 load_key "$HEXKEY_64" logon  $LOGON_KEY_64_OK "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type"
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW :64:logon:$LOGON_KEY_64_OK 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
 dmsetup remove --retry $NAME || fail
 diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksum mismatch (corruption)"
 # same test using message
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
 dmsetup remove --retry $NAME || fail
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
 dmsetup suspend $NAME || fail
 dmsetup message $NAME 0 key wipe || fail
 dmsetup message $NAME 0 "key set :64:logon:$LOGON_KEY_64_OK" || fail
 dmsetup resume $NAME || fail
-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail
 dmsetup remove --retry $NAME || fail
 diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)"
 echo "OK"
@@ -207,10 +207,10 @@ echo -n "Test LUKS2 key refresh..."
 echo $PWD | $CRYPTSETUP luksFormat --type luks2 --luks2-metadata-size 16k --luks2-keyslots-size 4064k --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --force-password $DEV || fail
 echo $PWD | $CRYPTSETUP open $DEV $NAME || fail
 $CRYPTSETUP status $NAME | grep -q -i "location:.*keyring" || skip "LUKS2 can't use keyring. Test skipped."
-dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha1sum > $CHKS_KEYRING || fail
+dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha256sum > $CHKS_KEYRING || fail
 echo $PWD | $CRYPTSETUP refresh $NAME --disable-keyring || fail
 $CRYPTSETUP status $NAME | grep -q -i "location:.*keyring" && fail "Key is still in keyring"
-dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha1sum > $CHKS_DMCRYPT || fail
+dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha256sum > $CHKS_DMCRYPT || fail
 diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksum mismatch (corruption)"
 echo "OK"
 
diff -rupN cryptsetup-2.4.3.old/tests/password-hash-test cryptsetup-2.4.3/tests/password-hash-test
--- cryptsetup-2.4.3.old/tests/password-hash-test	2022-02-17 16:37:09.541345973 +0100
+++ cryptsetup-2.4.3/tests/password-hash-test	2022-02-17 16:37:29.160459787 +0100
@@ -75,7 +75,7 @@ crypt_key() # hash keysize pwd/file name
 	esac
 
 	# ignore these cases, not all libs/kernel supports it
-	if [ "$1" != "sha1" -a "$1" != "sha256" ] || [ $2 -gt 256 ] ; then
+	if [ "$1" != "sha256" ] || [ $2 -gt 256 ] ; then
 		if [ $ret -ne 0 ] ; then
 			echo " [N/A] ($ret, SKIPPED)"
 			return
diff -rupN cryptsetup-2.4.3.old/tests/reencryption-compat-test cryptsetup-2.4.3/tests/reencryption-compat-test
--- cryptsetup-2.4.3.old/tests/reencryption-compat-test	2022-02-17 16:37:09.541345973 +0100
+++ cryptsetup-2.4.3/tests/reencryption-compat-test	2022-02-17 16:37:29.160459787 +0100
@@ -338,7 +338,7 @@ simple_scsi_reenc "[4096/512 sector]"
 echo "[OK]"
 
 echo "[8] Header only reencryption (hash and iteration time)"
-echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha1 $FAST_PBKDF $LOOPDEV1 || fail
+echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha512 $FAST_PBKDF $LOOPDEV1 || fail
 wipe $PWD1
 check_hash $PWD1 $HASH1
 echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key || fail
diff -rupN cryptsetup-2.4.3.old/tests/verity-compat-test cryptsetup-2.4.3/tests/verity-compat-test
--- cryptsetup-2.4.3.old/tests/verity-compat-test	2022-02-17 16:37:09.541345973 +0100
+++ cryptsetup-2.4.3/tests/verity-compat-test	2022-02-17 16:37:29.161459793 +0100
@@ -148,7 +148,13 @@ function check_root_hash() # $1 size, $2
 	for fail in data hash; do
 	wipe
 	echo -n "V$4(sb=$sb root_hash_as_file=$root_hash_as_file) $5 block size $1: "
-	$VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT || fail
+	$VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT
+	if [ $? -ne 0 ] ; then
+		if [[ $1 =~ "sha2" ]] ; then
+			fail "Cannot format device."
+		fi
+		return
+	fi
 
 	echo -n "[root hash]"
 	compare_out "root hash" $2