summaryrefslogtreecommitdiffstats
path: root/debian/scripts
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 17:44:13 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 17:44:13 +0000
commit1103cc2d299a0f29631f9f5322d93efcca8098c7 (patch)
tree656763a55c9de10b1de70761e3d0b8d44056af1d /debian/scripts
parentAdding upstream version 2:2.3.7. (diff)
downloadcryptsetup-debian.tar.xz
cryptsetup-debian.zip
Adding debian version 2:2.3.7-1+deb11u1.debian/2%2.3.7-1+deb11u1debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--debian/scripts/cryptdisks_start63
-rw-r--r--debian/scripts/cryptdisks_stop38
-rw-r--r--debian/scripts/decrypt_derived32
-rw-r--r--debian/scripts/decrypt_gnupg26
-rw-r--r--debian/scripts/decrypt_gnupg-sc44
-rw-r--r--debian/scripts/decrypt_keyctl55
-rw-r--r--debian/scripts/decrypt_opensc46
-rw-r--r--debian/scripts/decrypt_ssl17
-rw-r--r--debian/scripts/gen-ssl-key22
-rw-r--r--debian/scripts/luksformat133
-rw-r--r--debian/scripts/passdev.c286
-rw-r--r--debian/scripts/po/Makefile39
-rw-r--r--debian/scripts/po/de.po76
-rw-r--r--debian/scripts/po/luksformat.pot69
14 files changed, 946 insertions, 0 deletions
diff --git a/debian/scripts/cryptdisks_start b/debian/scripts/cryptdisks_start
new file mode 100644
index 0000000..623423f
--- /dev/null
+++ b/debian/scripts/cryptdisks_start
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+# cryptdisks_start - wrapper around cryptsetup which parses
+# /etc/crypttab, just like mount parses /etc/fstab.
+
+# Initial code and (c) 2007 Jon Dowland <jon@alcopop.org>
+# License: GNU General Public License, v2 or any later
+# (https://www.gnu.org/copyleft/gpl.html)
+
+set -e
+
+. /lib/cryptsetup/cryptdisks-functions
+
+INITSTATE="manual"
+DEFAULT_LOUD="yes"
+FORCE_START="yes"
+
+usage() {
+ local rv="${1:-1}"
+ echo "Usage: $0 [-r|--readonly] <name> [.. <name>]" >&2
+ echo >&2
+ echo "reads $TABFILE and starts the mapping corresponding to <name>" >&2
+ exit $rv
+}
+
+CRYPTTAB_EXTRA_OPTIONS=
+while [ $# -gt 0 ]; do
+ case "$1" in
+ -r|--readonly) CRYPTTAB_EXTRA_OPTIONS="${CRYPTTAB_EXTRA_OPTIONS:+$CRYPTTAB_EXTRA_OPTIONS,}readonly";;
+ -h|--help|-\?) usage 0;;
+ --) shift; break;;
+ -*) echo "Error: unknown option '$1'" >&2; usage 1;;
+ *) break;;
+ esac
+ shift
+done
+[ $# -gt 0 ] || usage 1
+
+if [ $(id -u) -ne 0 ]; then
+ log_warning_msg "$0 needs root privileges"
+ exit 1
+fi
+
+log_action_begin_msg "Starting crypto disk"
+mount_fs
+
+rv=0
+for name in "$@"; do
+ if ! crypttab_find_entry --quiet "$name"; then
+ device_msg "$name" "failed, not found in crypttab"
+ rv=1
+ else
+ if [ -n "$CRYPTTAB_EXTRA_OPTIONS" ]; then
+ CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS,$CRYPTTAB_EXTRA_OPTIONS"
+ _CRYPTTAB_OPTIONS="$_CRYPTTAB_OPTIONS,$CRYPTTAB_EXTRA_OPTIONS"
+ fi
+ setup_mapping || rv=$?
+ fi
+done
+umount_fs
+
+log_action_end_msg $rv
+exit $rv
diff --git a/debian/scripts/cryptdisks_stop b/debian/scripts/cryptdisks_stop
new file mode 100644
index 0000000..ea0faaf
--- /dev/null
+++ b/debian/scripts/cryptdisks_stop
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# cryptdisks_stop - wrapper around cryptsetup which parses
+# /etc/crypttab, just like mount parses /etc/fstab.
+
+# Initial code stolen from cryptdisks_start by Jon Dowland <jon@alcopop.org>
+# Copyright (C) 2008 by Jonas Meurer <jonas@freesources.org>
+# License: GNU General Public License, v2 or any later
+# (https://www.gnu.org/copyleft/gpl.html)
+
+set -e
+
+if [ $# -lt 1 ]; then
+ echo "usage: $0 <name>" >&2
+ echo >&2
+ echo "reads /etc/crypttab and stops the mapping corresponding to <name>" >&2
+ exit 1
+fi
+
+. /lib/cryptsetup/cryptdisks-functions
+
+INITSTATE="manual"
+DEFAULT_LOUD="yes"
+
+if [ $(id -u) -ne 0 ]; then
+ log_warning_msg "$0 needs root privileges"
+ exit 1
+fi
+
+log_action_begin_msg "Stopping crypto disk"
+
+rv=0
+for name in "$@"; do
+ remove_mapping "$name" || rv=$?
+done
+
+log_action_end_msg $rv
+exit $rv
diff --git a/debian/scripts/decrypt_derived b/debian/scripts/decrypt_derived
new file mode 100644
index 0000000..0e1e418
--- /dev/null
+++ b/debian/scripts/decrypt_derived
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+# WARNING: If you use the decrypt_derived keyscript for devices with
+# persistent data (i.e. not swap or temp devices), then you will lose
+# access to that data permanently if something damages the LUKS header
+# of the LUKS device you derive from. The same applies if you luksFormat
+# the device, even if you use the same passphrase(s). A LUKS header
+# backup, or better a backup of the data on the derived device may be
+# a good idea. See the Cryptsetup FAQ on how to do this right.
+
+if [ -z "$1" ]; then
+ echo "$0: must be executed with a crypto device as argument" >&2
+ exit 1
+fi
+
+unset -v keys count
+keys="$(dmsetup table --target crypt --showkeys -- "$1" 2>/dev/null | cut -s -d' ' -f5)"
+count="$(printf '%s' "$keys" | wc -l)"
+
+if [ -n "$keys" ] && [ $count -le 1 ]; then
+ if [ "${keys#:}" = "$keys" ]; then
+ printf '%s' "$keys"
+ exit 0
+ else
+ echo "$0: device $1 uses the kernel keyring" >&2
+ fi
+elif [ $count -eq 0 ]; then
+ echo "$0: device $1 doesn't exist or isn't a crypto device" >&2
+else
+ echo "$0: more than one device match" >&2
+fi
+exit 1
diff --git a/debian/scripts/decrypt_gnupg b/debian/scripts/decrypt_gnupg
new file mode 100644
index 0000000..18ab575
--- /dev/null
+++ b/debian/scripts/decrypt_gnupg
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+decrypt_gpg () {
+ echo "Performing GPG symmetric decryption ..." >&2
+ if ! /lib/cryptsetup/askpass "Enter passphrase for key $1: " | \
+ /usr/bin/gpg -q --batch --no-options \
+ --no-random-seed-file --no-default-keyring \
+ --keyring /dev/null --secret-keyring /dev/null \
+ --trustdb-name /dev/null --passphrase-fd 0 --decrypt -- "$1"; then
+ return 1
+ fi
+ return 0
+}
+
+if [ ! -x /usr/bin/gpg ]; then
+ echo "$0: /usr/bin/gpg is not available" >&2
+ exit 1
+fi
+
+if [ -z "$1" ]; then
+ echo "$0: missing key as argument" >&2
+ exit 1
+fi
+
+decrypt_gpg "$1"
+exit $?
diff --git a/debian/scripts/decrypt_gnupg-sc b/debian/scripts/decrypt_gnupg-sc
new file mode 100644
index 0000000..84eb62c
--- /dev/null
+++ b/debian/scripts/decrypt_gnupg-sc
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+if [ -d "/cryptroot/gnupghome" ]; then
+ export GNUPGHOME="/cryptroot/gnupghome"
+fi
+
+run_gpg() {
+ gpg --no-options --trust-model=always "$@"
+}
+decrypt_gpg () {
+ local console _
+ if ! GPG_TTY="$(tty)"; then
+ read console _ </proc/consoles
+ GPG_TTY="/dev/$console"
+ fi
+ export GPG_TTY
+
+ if ! run_gpg --decrypt -- "$1"; then
+ return 1
+ fi
+ return 0
+}
+
+# `gpg-connect-agent LEARN /bye` is another (lighter) way, but it's
+# harder to retrieve the return code
+if ! run_gpg --batch --quiet --no-tty --card-status >/dev/null; then
+ echo "Please insert OpenPGP SmartCard..." >&2
+ until run_gpg --batch --quiet --no-tty --card-status; do
+ sleep 1
+ done >/dev/null 2>&1
+fi
+
+if [ ! -x /usr/bin/gpg ]; then
+ echo "$0: /usr/bin/gpg is not available" >&2
+ exit 1
+fi
+
+if [ -z "$1" ] || [ ! -f "$1" ]; then
+ echo "$0: missing key as argument" >&2
+ exit 1
+fi
+
+decrypt_gpg "$1"
+exit $?
diff --git a/debian/scripts/decrypt_keyctl b/debian/scripts/decrypt_keyctl
new file mode 100644
index 0000000..6032db0
--- /dev/null
+++ b/debian/scripts/decrypt_keyctl
@@ -0,0 +1,55 @@
+#!/bin/sh
+# decrypt_keyctl - to use in /etc/crypttab as keyscript
+# Allows to cache passwords for cryptdevices for 60s
+# The same password is used for for cryptdevices with the same identifier.
+# The keyfile parameter, which is the third field from /etc/crypttab, is
+# used as identifier in this keyscript.
+#
+# sample crypttab entries:
+# test1 /dev/sda1 test_pw luks,keyscript=decrypt_keyctl
+# test2 /dev/sda2 test_pw luks,keyscript=decrypt_keyctl
+# test3 /dev/sda3 test_other_pw luks,keyscript=decrypt_keyctl
+#
+# test1 and test2 have the same identifier thus test2 does not need a password
+# typed in manually
+
+die()
+{
+ echo "$@" >&2
+ exit 1
+}
+
+if [ -z "${CRYPTTAB_KEY:-}" ] || [ "$CRYPTTAB_KEY" = "none" ]; then
+ # store the passphrase in the key name used by systemd-ask-password
+ ID_="cryptsetup"
+else
+ # the keyfile given from crypttab is used as identifier in the keyring
+ # including the prefix "cryptsetup:"
+ ID_="cryptsetup:$CRYPTTAB_KEY"
+fi
+TIMEOUT_='60'
+ASKPASS_='/lib/cryptsetup/askpass'
+PROMPT_="Caching passphrase for ${CRYPTTAB_NAME}: "
+
+
+if ! KID_="$(keyctl search @u user "$ID_" 2>/dev/null)" || \
+ [ -z "$KID_" ] || [ "$CRYPTTAB_TRIED" -gt 0 ]; then
+ # key not found or wrong, ask the user
+ KEY_="$($ASKPASS_ "$PROMPT_")" || die "Error executing $ASKPASS_"
+ if [ -n "$KID_" ]; then
+ # I have cached wrong password and now i may use either `keyctl update`
+ # to update $KID_ or just unlink old key, and add new. With `update` i
+ # may hit "Key has expired", though. So i'll go "unlink and add" way.
+ keyctl unlink "$KID_" @u
+ KID_=""
+ fi
+ KID_="$(printf "%s" "$KEY_" | keyctl padd user "$ID_" @u)"
+ [ -n "$KID_" ] || die "Error adding passphrase to kernel keyring"
+ if ! keyctl timeout "$KID_" "$TIMEOUT_"; then
+ keyctl unlink "$KID_" @u
+ die "Error setting timeout on key ($KID_), removing"
+ fi
+else
+ echo "Using cached passphrase for ${CRYPTTAB_NAME}." >&2
+fi
+keyctl pipe "$KID_"
diff --git a/debian/scripts/decrypt_opensc b/debian/scripts/decrypt_opensc
new file mode 100644
index 0000000..b06fc98
--- /dev/null
+++ b/debian/scripts/decrypt_opensc
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Why not use "openct-tool rwait" instead of polling opensc-tool exit status?
+# Well openct daemon has to be running which interferes with pcscd since both
+# implement reader drivers, my particular CCID reader (SCM SCR331-LC1) doesn't
+# work with the CCID driver in openct, however it does work with pcscd.
+
+# Why not use "opensc-tool --wait" instead of polling opensc-tool exit status?
+# Although opensc-tool --help reports that there is a --wait option, it doesn't
+# seem to be implemented.
+
+check_card() {
+ cardfound=0
+
+ if /usr/bin/opensc-tool -n >/dev/null 2>&1; then
+ cardfound=1
+ fi
+}
+
+wait_card() {
+ check_card
+ if [ $cardfound = 0 ] ; then
+ echo "Waiting for Smart Card..." >&2
+ tries=0
+ while [ $cardfound = 0 ] && [ $tries -lt 60 ] ; do
+ sleep 1
+ check_card
+ tries=$(($tries + 1))
+ done
+ if [ $cardfound = 0 ] ; then
+ echo 'Failed to find Smart Card card!' >&2
+ exit 1
+ fi
+ fi
+}
+
+wait_card
+if [ -x /bin/plymouth ] && plymouth --ping; then
+ # Get pin number from plymouth
+ /usr/bin/pkcs15-crypt --decipher --input "$1" --pkcs1 --raw \
+ --pin "$(plymouth ask-for-password --prompt "Enter pin for $CRYPTTAB_NAME: ")"
+else
+ # Get pin number from console
+ /usr/bin/pkcs15-crypt --decipher --input "$1" --pkcs1 --raw </dev/console 2>/dev/console
+fi
+exit $?
diff --git a/debian/scripts/decrypt_ssl b/debian/scripts/decrypt_ssl
new file mode 100644
index 0000000..6664001
--- /dev/null
+++ b/debian/scripts/decrypt_ssl
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Script to decrypt the key which is encrypted with openssl.
+# See /usr/share/doc/cryptsetup/examples/gen-ssl-key to create such a key.
+#
+
+decrypt_ssl () {
+ echo "" >&2
+ echo "Decrypting ssl key $1..." >&2
+ if ! /usr/bin/openssl enc -aes-256-cbc -d -salt -in "$1" 2>/dev/null; then
+ return 1
+ fi
+ return 0
+}
+
+decrypt_ssl "$1"
+exit $?
diff --git a/debian/scripts/gen-ssl-key b/debian/scripts/gen-ssl-key
new file mode 100644
index 0000000..70a6fb3
--- /dev/null
+++ b/debian/scripts/gen-ssl-key
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# script to generate a keyfile that is encrypted with openssl
+#
+# Written 2005 by Markus Nass <generalstone@gmx.net>
+# Improved 2006 by Jonas Meurer <jonas@freesources.org>
+# Further improved 2006 by Markus Nass <generalstone@gmx.net>
+
+usage() {
+ echo "Usage: $0 <key>"
+ exit 1
+}
+
+if [ -z "${1-}" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+ usage
+fi
+
+if [ -x /usr/bin/openssl ]; then
+ dd if=/dev/random bs=1c count=256 | openssl enc -aes-256-cbc -e -salt >"$1"
+else
+ echo "/usr/bin/openssl is not available" && exit 1
+fi
diff --git a/debian/scripts/luksformat b/debian/scripts/luksformat
new file mode 100644
index 0000000..ae17f79
--- /dev/null
+++ b/debian/scripts/luksformat
@@ -0,0 +1,133 @@
+#!/usr/bin/perl -w
+
+# luksformat - wrapper around LUKS-capable cryptsetup and mkfs for easy
+# creation of an encrypted device.
+#
+# (C) 2005 Canonical Ltd.
+# Author: Martin Pitt <martin.pitt@ubuntu.com>
+# License: GNU General Public License, v2 or any later
+# (https://www.gnu.org/copyleft/gpl.html)
+
+use Getopt::Long qw(:config pass_through);
+
+BEGIN {
+ eval 'use Locale::gettext';
+ if ($@) {
+ *gettext = sub { shift };
+ *textdomain = sub { "" };
+ *LC_MESSAGES = sub { 5 };
+ }
+ eval {
+ require POSIX;
+ import POSIX qw(setlocale);
+ };
+ if ($@) {
+ *setlocale = sub { return 1 };
+ }
+}
+
+setlocale(LC_MESSAGES, "");
+textdomain("luksformat");
+
+if ($> != 0) {
+ print STDERR gettext("This program needs to be started as root\n");
+ exit 1;
+}
+
+sub usage() {
+ print gettext("luksformat - Create and format an encrypted LUKS device
+Usage: luksformat [-t <file system>] <device> [ mkfs options ]\n\n");
+ exit 1;
+}
+
+# default file system
+$fs = 'vfat';
+exit 1 unless GetOptions ('t|type=s' => \$fs);
+
+GetOptions ('help', \$help);
+if (($#ARGV < 0) || ($help)) {
+ usage();
+}
+
+$device = shift(@ARGV);
+
+open(MOUNTS, "/proc/mounts");
+while (<MOUNTS>) {
+ die sprintf(gettext("Error: device mounted: %s\n"), $device) if (/\Q$device\E/)
+}
+
+if (-x "/usr/sbin/mkfs.$fs") {
+ $mkfs = "/usr/sbin/mkfs.$fs";
+}
+elsif (-x "/usr/bin/mkfs.$fs") {
+ $mkfs = "/usr/bin/mkfs.$fs";
+}
+elsif (-x "/sbin/mkfs.$fs") {
+ $mkfs = "/sbin/mkfs.$fs";
+}
+elsif (-x "/bin/mkfs.$fs") {
+ $mkfs = "/bin/mkfs.$fs";
+}
+else {
+ printf STDERR (gettext("Error: invalid file system: %s\n"), $fs);
+ exit 1;
+}
+
+# generate temporary mapped device name which is not yet used
+$name = "";
+for ($i = 1; $i < 100; $i++) {
+ if (! -e "/dev/mapper/luksformat$i") {
+ $name = "luksformat$i";
+ last;
+ }
+}
+
+$name or die sprintf(gettext("Error: could not generate temporary mapped device name"));
+
+# we do not need to be overly concerned with race conditions here, cryptsetup
+# will just fail if the name already exists now.
+printf (gettext("Creating encrypted device on %s...\n"), $device);
+if ((system 'cryptsetup', 'luksFormat', $device)) {
+ die sprintf(gettext("Could not create LUKS device %s"), $device);
+}
+
+print gettext("Please enter your passphrase again to verify it\n");
+if ((system 'cryptsetup', 'open', '--type', 'luks', $device, $name) != 0) {
+ print STDERR gettext("The passphrases you entered were not identical\n");
+ exit 1;
+}
+
+$result = system $mkfs, "/dev/mapper/$name", @ARGV;
+print "\n";
+system 'udevadm', 'settle', '--timeout=30';
+system 'cryptsetup', 'luksClose', $name;
+
+die sprintf(gettext("Could not format device with file system %s"), $fs) if $result;
+
+__END__
+
+=head1 NAME
+
+luksformat - Create and format an encrypted LUKS device
+
+=head1 SYNOPSIS
+
+B<luksformat> [B<-t> I<fstype>] I<device> [ mkfs options ]
+
+=head1 DESCRIPTION
+
+B<luksformat> is a wrapper around B<cryptsetup> and B<mkfs> which provides an
+easy interface for creating an encrypted device that follows the LUKS standard
+and for putting a file system onto the encrypted device.
+
+The default file system is B<vfat> since that is most commonly used on
+removable devices. However, you can specify any available file system with the
+B<-t> option.
+
+=head1 SEE ALSO
+
+L<cryptsetup(8)>, L<mkfs(8)>
+
+=head1 AUTHOR
+
+This program was written by Martin Pitt <martin.pitt@ubuntu.com>.
diff --git a/debian/scripts/passdev.c b/debian/scripts/passdev.c
new file mode 100644
index 0000000..845ccae
--- /dev/null
+++ b/debian/scripts/passdev.c
@@ -0,0 +1,286 @@
+/*
+ * passdev.c - waits for a given device to appear, mounts it and reads a
+ * key from it which is piped to stdout.
+ *
+ * Copyright (C) 2008 David Härdeman <david@hardeman.nu>
+ *
+ * This package is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This package is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this package; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+
+#define _DEFAULT_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <string.h>
+#include <fcntl.h>
+#include <sys/mount.h>
+
+static bool do_debug = false;
+
+static void
+debug(const char *fmt, ...)
+{
+ va_list ap;
+
+ if (!do_debug)
+ return;
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
+}
+
+static bool
+do_mount(const char *device, const char *dir)
+{
+ pid_t pid;
+ int status;
+ char *fstypes[] = { "ext4", "ext3", "ext2", "vfat", "btrfs", "reiserfs", "xfs", "jfs", "ntfs", "iso9660", "udf" };
+ int fsindex;
+
+ if (!device || !dir)
+ return false;
+
+ for (fsindex = 0;
+ fsindex < (sizeof(fstypes) / sizeof(fstypes[0]));
+ fsindex++)
+ {
+ pid = fork();
+ if (pid < 0) {
+ /* Error */
+ return false;
+ } else if (pid > 0) {
+ /* We're in the parent process */
+ do {
+ waitpid(pid, &status, 0);
+ } while (!WIFEXITED(status) && !WIFSIGNALED(status));
+ if (WIFEXITED(status) && WEXITSTATUS(status) == EXIT_SUCCESS)
+ return true;
+
+ /* Let's try another fstype */
+ continue;
+ } else {
+ /* We're in the child process */
+ debug("Mounting %s at %s\n", device, dir);
+ close(STDIN_FILENO);
+ close(STDOUT_FILENO);
+ close(STDERR_FILENO);
+ open("/dev/null", O_RDONLY, 0);
+ open("/dev/null", O_WRONLY, 0);
+ open("/dev/null", O_WRONLY, 0);
+ execl("/bin/mount", "/bin/mount", "-n", "-t",
+ fstypes[fsindex],
+ /*"ext4,ext3,ext2,vfat,btrfs,reiserfs,xfs,jfs,ntfs,iso9660,udf",*/
+ "-o", "noatime,nodiratime,nodev,noexec,nosuid,ro",
+ device, dir, (char *)NULL);
+
+ /* If execl works, we won't end up here */
+ exit(EXIT_FAILURE);
+ }
+ }
+
+ /* We've tried all fstypes with no luck */
+ return false;
+}
+
+int
+main(int argc, char **argv, char **envp)
+{
+ char *debugval;
+ char *devpath;
+ char *filepath;
+ struct stat st;
+ char *tmppath;
+ char tpath[] = "/tmp/passdev.XXXXXX";
+ char *keypath;
+ int fd;
+ size_t toread;
+ size_t bytesread;
+ char *keybuffer;
+ size_t towrite;
+ size_t byteswritten;
+ ssize_t bytes;
+ char *to;
+ int timeout = 0;
+ bool do_timeout = false;
+
+ /* We only take one argument */
+ if (argc != 2) {
+ fprintf(stderr, "Incorrect number of arguments\n");
+ goto error;
+ }
+
+ /* If DEBUG=1 is in the environment, enable debug messages */
+ debugval = getenv("DEBUG");
+ if (debugval && atoi(debugval) > 0)
+ do_debug = true;
+
+ /* Split string into device and path (and timeout) */
+ devpath = argv[1];
+ filepath = strchr(devpath, ':');
+ if (!filepath || !(*filepath) || !(*(filepath + 1))) {
+ fprintf(stderr, "Invalid key path\n");
+ goto error;
+ }
+ *filepath = '\0';
+ filepath++;
+ to = strchr(filepath, ':');
+ if (to && (*to) && (*(to + 1))) {
+ *to = '\0';
+ to++;
+ timeout = atoi(to);
+ if (timeout > 0)
+ do_timeout = true;
+ }
+ debug("Path is %p and filepath is %p\n", devpath, filepath);
+ if (do_timeout)
+ debug("Timeout is %i\n",timeout);
+
+ /* Wait until device is available */
+ if (access(devpath, F_OK)) {
+ debug("Waiting for %s\n", devpath);
+ while(access(devpath, F_OK)) {
+ sleep(1);
+ if (do_timeout) {
+ if (timeout <= 0)
+ break;
+ timeout--;
+ }
+ }
+ }
+
+ /* Make sure device is a blockdev */
+ if (stat(devpath, &st)) {
+ fprintf(stderr, "Unable to stat %s\n", devpath);
+ goto error;
+ } else if (!S_ISBLK(st.st_mode)) {
+ fprintf(stderr, "%s is no block device\n", devpath);
+ goto error;
+ }
+
+ /* Create a tmp dir where we mount the device */
+ tmppath = mkdtemp(tpath);
+ if (!tmppath) {
+ fprintf(stderr, "Failed to create temporary directory\n");
+ goto error;
+ }
+
+ /* Ok, mount it */
+ if (!do_mount(devpath, tmppath)) {
+ fprintf(stderr, "Failed to mount %s\n", devpath);
+ goto error_rmdir;
+ }
+
+ /* Generate the full path to the keyfile */
+ keypath = malloc(strlen(tmppath) + 1 + strlen(filepath) + 1);
+ if (!keypath) {
+ fprintf(stderr, "Failed to allocate memory\n");
+ goto error_umount;
+ }
+ sprintf(keypath, "%s/%s", tmppath, filepath);
+
+ /* Check that the keyfile exists */
+ if (access(keypath, F_OK)) {
+ fprintf(stderr, "Keyfile doesn't exist\n");
+ goto error_free;
+ }
+
+ /* Get the size of the keyfile */
+ if (stat(keypath, &st)) {
+ fprintf(stderr, "Unable to stat keyfile\n");
+ goto error_free;
+ }
+
+ /* Check the size of the keyfile */
+ if (st.st_size < 0) {
+ fprintf(stderr, "Invalid keyfile size\n");
+ goto error_free;
+ }
+ toread = (size_t)st.st_size;
+
+ /* Open the keyfile */
+ if ((fd = open(keypath, O_RDONLY)) < 0) {
+ fprintf(stderr, "Failed to open keyfile\n");
+ goto error_free;
+ }
+
+ /* Allocate a buffer for the keyfile contents */
+ keybuffer = malloc(toread);
+ if (!keybuffer) {
+ fprintf(stderr, "Failed to allocate memory\n");
+ goto error_close;
+ exit(EXIT_FAILURE);
+ }
+
+ /* Read the keyfile */
+ bytesread = 0;
+ while (bytesread < toread) {
+ bytes = read(fd, keybuffer + bytesread, toread - bytesread);
+ if (bytes <= 0) {
+ fprintf(stderr, "Failed to read entire key\n");
+ goto error_keybuffer;
+ }
+ bytesread += bytes;
+ }
+
+ /* Clean up */
+ close(fd);
+ free(keypath);
+ umount(tmppath);
+ rmdir(tmppath);
+
+ /* Write result */
+ byteswritten = 0;
+ towrite = toread;
+ while (byteswritten < towrite) {
+ bytes = write(STDOUT_FILENO, keybuffer + byteswritten,
+ towrite - byteswritten);
+ if (bytes <= 0) {
+ fprintf(stderr, "Failed to write entire key\n");
+ memset(keybuffer, 0, toread);
+ free(keybuffer);
+ goto error;
+ }
+ byteswritten += bytes;
+ }
+
+ /* Clean up */
+ memset(keybuffer, 0, toread);
+ free(keybuffer);
+
+ /* Done */
+ exit(EXIT_SUCCESS);
+
+ /* Error handling */
+error_keybuffer:
+ memset(keybuffer, 0, toread);
+ free(keybuffer);
+error_close:
+ close(fd);
+error_free:
+ free(keypath);
+error_umount:
+ umount(tmppath);
+error_rmdir:
+ rmdir(tmppath);
+error:
+ exit(EXIT_FAILURE);
+}
+
diff --git a/debian/scripts/po/Makefile b/debian/scripts/po/Makefile
new file mode 100644
index 0000000..9eb8acf
--- /dev/null
+++ b/debian/scripts/po/Makefile
@@ -0,0 +1,39 @@
+XGETTEXT = xgettext
+MSGFMT = msgfmt
+MSGMERGE = msgmerge
+
+LOCALEDIR = /usr/share/locale
+
+.SUFFIXES: .po .mo .pot
+
+%.mo: %.po
+ $(MSGFMT) -o $@ $<
+
+PO = $(wildcard *.po)
+LANG = $(basename $(PO))
+MO = $(addsuffix .mo,$(LANG))
+SOURCES = ../luksformat
+
+all: update $(MO)
+update: luksformat.pot
+ -@for po in $(PO); do \
+ echo -n "Updating $$po"; \
+ $(MSGMERGE) -U $$po luksformat.pot; \
+ done;
+
+luksformat.pot: $(SOURCES)
+ $(XGETTEXT) -c -L Perl -kgtx \
+ --msgid-bugs-address=pkg-cryptsetup-devel@alioth-lists.debian.net \
+ -o $@ $(SOURCES)
+
+install: all
+ for i in $(MO) ; do \
+ t=$(DESTDIR)/$(LOCALEDIR)/`basename $$i .mo`/LC_MESSAGES ;\
+ install -d $$t ;\
+ install -m 644 $$i $$t/luksformat.mo ;\
+ done
+
+clean:
+ $(RM) $(MO) *~
+
+.PHONY: update
diff --git a/debian/scripts/po/de.po b/debian/scripts/po/de.po
new file mode 100644
index 0000000..76c7f2f
--- /dev/null
+++ b/debian/scripts/po/de.po
@@ -0,0 +1,76 @@
+# German translations for cryptsetup package
+# German messages for luksformat in cryptsetup.
+# Copyright (C) 2011 THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the cryptsetup package.
+# Jonas Meurer <jonas@freesources.org>, 2011.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 2:1.3.0-1\n"
+"Report-Msgid-Bugs-To: pkg-cryptsetup-devel@alioth-lists.debian.net\n"
+"POT-Creation-Date: 2015-12-09 13:09+0100\n"
+"PO-Revision-Date: 2011-03-08 19:40+0100\n"
+"Last-Translator: Jonas Meurer <jonas@freesources.org>\n"
+"Language-Team: German\n"
+"Language: de\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#: ../luksformat:33
+msgid "This program needs to be started as root\n"
+msgstr "Dieses Programm muss als Benutzer root gestartet werden\n"
+
+#: ../luksformat:38
+msgid ""
+"luksformat - Create and format an encrypted LUKS device\n"
+"Usage: luksformat [-t <file system>] <device> [ mkfs options ]\n"
+"\n"
+msgstr ""
+"luksformat - LUKS-verschlüsselte Partition erstellen und formatieren\n"
+"Verwendung: luksformat [-t <Dateisystem>] <Partition> [ mkfs Optionen ]\n"
+"\n"
+
+#: ../luksformat:56
+#, perl-format
+msgid "Error: device mounted: %s\n"
+msgstr "Fehler: Partition ist eingebunden: %s\n"
+
+#: ../luksformat:72
+#, perl-format
+msgid "Error: invalid file system: %s\n"
+msgstr "Fehler: Ungültiges Dateisystem: %s\n"
+
+#: ../luksformat:85
+#, perl-format
+msgid "Error: could not generate temporary mapped device name"
+msgstr "Fehler: Erstellen einer temporären Partition schlug fehl"
+
+#. we do not need to be overly concerned with race conditions here, cryptsetup
+#. will just fail if the name already exists now.
+#: ../luksformat:89
+#, perl-format
+msgid "Creating encrypted device on %s...\n"
+msgstr "Erstelle verschlüsselte Partition auf %s...\n"
+
+#: ../luksformat:91
+#, perl-format
+msgid "Could not create LUKS device %s"
+msgstr "Erstellen der LUKS-Partition %s schlug fehl"
+
+#: ../luksformat:94
+msgid "Please enter your passphrase again to verify it\n"
+msgstr "Bitte zum verifizieren das Passwort erneut eingeben\n"
+
+#: ../luksformat:96
+msgid "The passphrases you entered were not identical\n"
+msgstr "Die eingegebenen Passwörter waren nicht identisch\n"
+
+#: ../luksformat:105
+#, perl-format
+msgid "Could not format device with file system %s"
+msgstr "Formatieren der Partition mit dem Dateisystem %s schlug fehl"
+
+#~ msgid "%s: %s"
+#~ msgstr "%s: %s"
diff --git a/debian/scripts/po/luksformat.pot b/debian/scripts/po/luksformat.pot
new file mode 100644
index 0000000..f6c1e56
--- /dev/null
+++ b/debian/scripts/po/luksformat.pot
@@ -0,0 +1,69 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: pkg-cryptsetup-devel@alioth-lists.debian.net\n"
+"POT-Creation-Date: 2015-12-09 13:09+0100\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: ../luksformat:33
+msgid "This program needs to be started as root\n"
+msgstr ""
+
+#: ../luksformat:38
+msgid ""
+"luksformat - Create and format an encrypted LUKS device\n"
+"Usage: luksformat [-t <file system>] <device> [ mkfs options ]\n"
+"\n"
+msgstr ""
+
+#: ../luksformat:56
+#, perl-format
+msgid "Error: device mounted: %s\n"
+msgstr ""
+
+#: ../luksformat:72
+#, perl-format
+msgid "Error: invalid file system: %s\n"
+msgstr ""
+
+#: ../luksformat:85
+#, perl-format
+msgid "Error: could not generate temporary mapped device name"
+msgstr ""
+
+#. we do not need to be overly concerned with race conditions here, cryptsetup
+#. will just fail if the name already exists now.
+#: ../luksformat:89
+#, perl-format
+msgid "Creating encrypted device on %s...\n"
+msgstr ""
+
+#: ../luksformat:91
+#, perl-format
+msgid "Could not create LUKS device %s"
+msgstr ""
+
+#: ../luksformat:94
+msgid "Please enter your passphrase again to verify it\n"
+msgstr ""
+
+#: ../luksformat:96
+msgid "The passphrases you entered were not identical\n"
+msgstr ""
+
+#: ../luksformat:105
+#, perl-format
+msgid "Could not format device with file system %s"
+msgstr ""