9 files changed, 899 insertions, 0 deletions
diff --git a/misc/11-dm-crypt.rules b/misc/11-dm-crypt.rules
new file mode 100644
index 0000000..dfbb3a0
--- /dev/null
+++ b/misc/11-dm-crypt.rules
@@ -0,0 +1,17 @@
+# Old udev rules historically used in device-mapper.
+# No need to install these until you have some weird configuration.
+# (Code internally set the same flags.)
+
+ACTION!="add|change", GOTO="crypt_end"
+ENV{DM_UDEV_RULES_VSN}!="?*", GOTO="crypt_end"
+
+ENV{DM_UUID}=="CRYPT-TEMP-?*", GOTO="crypt_disable"
+ENV{DM_UUID}!="?*", ENV{DM_NAME}=="temporary-cryptsetup-?*", GOTO="crypt_disable"
+GOTO="crypt_end"
+
+LABEL="crypt_disable"
+ENV{DM_UDEV_DISABLE_SUBSYSTEM_RULES_FLAG}="1"
+ENV{DM_UDEV_DISABLE_DISK_RULES_FLAG}="1"
+ENV{DM_UDEV_DISABLE_OTHER_RULES_FLAG}="1"
+
+LABEL="crypt_end"
diff --git a/misc/dict_search/Makefile b/misc/dict_search/Makefile
new file mode 100644
index 0000000..0226c98
--- /dev/null
+++ b/misc/dict_search/Makefile
@@ -0,0 +1,17 @@
+TARGET=crypt_dict
+CFLAGS=-O2 -g -Wall -D_GNU_SOURCE
+LDLIBS=-lcryptsetup
+CC=gcc
+
+SOURCES=$(wildcard *.c)
+OBJECTS=$(SOURCES:.c=.o)
+
+all: $(TARGET)
+
+$(TARGET): $(OBJECTS)
+	$(CC) -o $@ $^ $(LDLIBS)
+
+clean:
+	rm -f *.o *~ core $(TARGET)
+
+.PHONY: clean
diff --git a/misc/dict_search/README b/misc/dict_search/README
new file mode 100644
index 0000000..fc6aa44
--- /dev/null
+++ b/misc/dict_search/README
@@ -0,0 +1,22 @@
+Simple example how to use libcryptsetup
+for password search.
+
+Run: crypt_dict luks|tcrypt <device|image> <dictionary> [cpus]
+
+luks|tcrypt specified device type (LUKS or TrueCrypt)
+
+<device|image> is LUKS or TrueCrypt device or image
+
+<dictionary> is list of passphrases to try
+(note trailing EOL is stripped)
+
+cpus - number of processes to start in parallel
+
+Format of dictionary file is simple one password per line,
+if first char on line is # it is skipped as comment.
+
+For LUKS, you have it run as root (device-mapper cannot
+create dmcrypt devices as nrmal user. Code need
+to map keyslots as temporary dmcrypt device.)
+
+For TrueCrypt devices root privilege is not required.
diff --git a/misc/dict_search/crypt_dict.c b/misc/dict_search/crypt_dict.c
new file mode 100644
index 0000000..c80d502
--- /dev/null
+++ b/misc/dict_search/crypt_dict.c
@@ -0,0 +1,158 @@
+/*
+ * Example of LUKS/TrueCrypt password dictionary search
+ *
+ * Copyright (C) 2012 Milan Broz <gmazyland@gmail.com>
+ *
+ * Run this (for LUKS as root),
+ * e.g. ./crypt_dict test.img /usr/share/john/password.lst 4
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/prctl.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <libcryptsetup.h>
+
+#define MAX_LEN 512
+
+static enum { LUKS, TCRYPT } device_type;
+
+static void check(struct crypt_device *cd, const char *pwd_file, unsigned my_id, unsigned max_id)
+{
+	FILE *f;
+	int len, r = -1;
+	unsigned long line = 0;
+	char pwd[MAX_LEN];
+
+	if (fork())
+		return;
+
+	/* open password file, now in separate process */
+	f = fopen(pwd_file, "r");
+	if (!f) {
+		printf("Cannot open %s.\n", pwd_file);
+		exit(EXIT_FAILURE);
+	}
+
+	while (fgets(pwd, MAX_LEN, f)) {
+
+		/* every process tries N-th line, skip others */
+		if (line++ % max_id != my_id)
+			continue;
+
+		len = strlen(pwd);
+
+		/* strip EOL - this is like a input from tty */
+		if (len && pwd[len - 1] == '\n') {
+			pwd[len - 1] = '\0';
+			len--;
+		}
+
+		/* lines starting "#!comment" are comments */
+		if (len >= 9 && !strncmp(pwd, "#!comment", 9)) {
+			/* printf("skipping %s\n", pwd); */
+			continue;
+		}
+
+		/* printf("%d: checking %s\n", my_id, pwd); */
+		if (device_type == LUKS)
+			r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT, pwd, len, 0);
+		else if (device_type == TCRYPT) {
+			struct crypt_params_tcrypt params = {
+				.flags = CRYPT_TCRYPT_LEGACY_MODES,
+				.passphrase = pwd,
+				.passphrase_size = len,
+			};
+			r = crypt_load(cd, CRYPT_TCRYPT, &params);
+		}
+		if (r >= 0) {
+			printf("Found passphrase for slot %d: \"%s\"\n", r, pwd);
+			break;
+		}
+	}
+
+	fclose(f);
+	crypt_free(cd);
+	exit(r >= 0 ? 2 : EXIT_SUCCESS);
+}
+
+int main(int argc, char *argv[])
+{
+	int i, status, procs = 4;
+	struct crypt_device *cd;
+
+	if (argc < 4 || argc > 5) {
+		printf("Use: %s luks|tcrypt <device|file> <password file> [#processes] %d\n", argv[0], argc);
+		exit(EXIT_FAILURE);
+	}
+
+	if (argc == 5 && (sscanf(argv[4], "%i", &procs) != 1 || procs < 1)) {
+		printf("Wrong number of processes.\n");
+		exit(EXIT_FAILURE);
+	}
+
+	if (!strcmp(argv[1], "luks"))
+		device_type = LUKS;
+	else if (!strcmp(argv[1], "tcrypt"))
+		device_type = TCRYPT;
+	else {
+		printf("Wrong device type %s.\n", argv[1]);
+		exit(EXIT_FAILURE);
+	}
+
+	/* crypt_set_debug_level(CRYPT_DEBUG_ALL); */
+
+	/*
+	 * Need to create temporary keyslot device-mapper devices and allocate loop if needed,
+	 * so root is required here.
+	 */
+	if (getuid() != 0) {
+		printf("You must be root to run this program.\n");
+                exit(EXIT_FAILURE);
+	}
+
+	/* signal all children if anything happens */
+	prctl(PR_SET_PDEATHSIG, SIGHUP);
+	setpriority(PRIO_PROCESS, 0, -5);
+
+	/* we are not going to modify anything, so common init is ok */
+	if (crypt_init(&cd, argv[2]) ||
+	    (device_type == LUKS && crypt_load(cd, CRYPT_LUKS1, NULL))) {
+		printf("Cannot open %s.\n", argv[2]);
+		exit(EXIT_FAILURE);
+	}
+
+	/* run scan in separate processes, it is up to scheduler to assign CPUs inteligently */
+	for (i = 0; i < procs; i++)
+		check(cd, argv[3], i, procs);
+
+	/* wait until at least one finishes with error or status 2 (key found) */
+	while (wait(&status) != -1 && WIFEXITED(status)) {
+		if (WEXITSTATUS(status) == EXIT_SUCCESS)
+			continue;
+		/* kill rest of processes */
+		kill(0, SIGHUP);
+		/* not reached */
+		break;
+	}
+	exit(0);
+}
diff --git a/misc/fedora/cryptsetup.spec b/misc/fedora/cryptsetup.spec
new file mode 100644
index 0000000..d635d45
--- /dev/null
+++ b/misc/fedora/cryptsetup.spec
@@ -0,0 +1,121 @@
+# Simplified version of RPM spec for Fedora
+
+Summary: Utility for setting up encrypted disks
+Name: cryptsetup
+Version: 2.5.0
+Release: 1%{?dist}
+License: GPLv2+ and LGPLv2+
+URL: https://gitlab.com/cryptsetup/cryptsetup
+BuildRequires: autoconf, automake, libtool, gettext-devel,
+BuildRequires: openssl-devel, popt-devel, device-mapper-devel
+BuildRequires: libuuid-devel, gcc, json-c-devel, libargon2-devel
+BuildRequires: libpwquality-devel, libblkid-devel
+BuildRequires: make libssh-devel
+BuildRequires: asciidoctor
+Requires: cryptsetup-libs = %{version}-%{release}
+Requires: libpwquality >= 1.2.0
+Obsoletes: %{name}-reencrypt <= %{version}
+Provides: %{name}-reencrypt = %{version}
+
+%global upstream_version %{version_no_tilde}
+Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/cryptsetup-%{upstream_version}.tar.xz
+
+%description
+The cryptsetup package contains a utility for setting up
+disk encryption using dm-crypt kernel module.
+
+%package devel
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: pkgconfig
+Summary: Headers and libraries for using encrypted file systems
+
+%description devel
+The cryptsetup-devel package contains libraries and header files
+used for writing code that makes use of disk encryption.
+
+%package libs
+Summary: Cryptsetup shared library
+
+%description libs
+This package contains the cryptsetup shared library, libcryptsetup.
+
+%package ssh-token
+Summary: Cryptsetup LUKS2 SSH token
+Requires: cryptsetup-libs = %{version}-%{release}
+
+%description ssh-token
+This package contains the LUKS2 SSH token.
+
+%package -n veritysetup
+Summary: A utility for setting up dm-verity volumes
+Requires: cryptsetup-libs = %{version}-%{release}
+
+%description -n veritysetup
+The veritysetup package contains a utility for setting up
+disk verification using dm-verity kernel module.
+
+%package -n integritysetup
+Summary: A utility for setting up dm-integrity volumes
+Requires: cryptsetup-libs = %{version}-%{release}
+
+%description -n integritysetup
+The integritysetup package contains a utility for setting up
+disk integrity protection using dm-integrity kernel module.
+
+%prep
+%autosetup -n cryptsetup-%{upstream_version} -p 1
+
+%build
+# force regeneration of manual pages from AsciiDoc
+rm -f man/*.8
+
+./autogen.sh
+%configure --enable-fips --enable-pwquality --enable-libargon2 --enable-asciidoc
+%make_build
+
+%install
+%make_install
+rm -rf %{buildroot}%{_libdir}/*.la
+rm -rf %{buildroot}%{_libdir}/%{name}/*.la
+
+%find_lang cryptsetup
+
+%ldconfig_scriptlets -n cryptsetup-libs
+
+%files
+%license COPYING
+%doc AUTHORS FAQ.md docs/*ReleaseNotes
+%{_mandir}/man8/cryptsetup.8.gz
+%{_mandir}/man8/cryptsetup-*.8.gz
+%{_sbindir}/cryptsetup
+
+%files -n veritysetup
+%license COPYING
+%{_mandir}/man8/veritysetup.8.gz
+%{_sbindir}/veritysetup
+
+%files -n integritysetup
+%license COPYING
+%{_mandir}/man8/integritysetup.8.gz
+%{_sbindir}/integritysetup
+
+%files devel
+%doc docs/examples/*
+%{_includedir}/libcryptsetup.h
+%{_libdir}/libcryptsetup.so
+%{_libdir}/pkgconfig/libcryptsetup.pc
+
+%files libs -f cryptsetup.lang
+%license COPYING COPYING.LGPL
+%{_libdir}/libcryptsetup.so.*
+%dir %{_libdir}/%{name}/
+%{_tmpfilesdir}/cryptsetup.conf
+%ghost %attr(700, -, -) %dir /run/cryptsetup
+
+%files ssh-token
+%license COPYING COPYING.LGPL
+%{_libdir}/%{name}/libcryptsetup-token-ssh.so
+%{_mandir}/man8/cryptsetup-ssh.8.gz
+%{_sbindir}/cryptsetup-ssh
+
+%changelog
diff --git a/misc/keyslot_checker/Makefile b/misc/keyslot_checker/Makefile
new file mode 100644
index 0000000..3b159fd
--- /dev/null
+++ b/misc/keyslot_checker/Makefile
@@ -0,0 +1,14 @@
+TARGETS=chk_luks_keyslots
+CFLAGS=-O0 -g -Wall -D_GNU_SOURCE
+LDLIBS=-lcryptsetup -lm
+CC=gcc
+
+all: $(TARGETS)
+
+chk_luks_keyslots: chk_luks_keyslots.o
+	$(CC) -o $@ $^ $(LDLIBS)
+
+clean:
+	rm -f *.o *~ core $(TARGETS)
+
+.PHONY: clean
diff --git a/misc/keyslot_checker/README b/misc/keyslot_checker/README
new file mode 100644
index 0000000..cd5bf81
--- /dev/null
+++ b/misc/keyslot_checker/README
@@ -0,0 +1,120 @@
+Purpose
+=======
+
+chk_luks_keyslots is a tool that searches the keyslot area of a
+LUKS container for positions where entropy is low and hence
+there is a high probability of damage from overwrites of parts
+of the key-slot with data such as a RAID superblock or a partition
+table.
+
+
+Installation
+============
+
+1. Install the version of cryptsetup the tool came with.
+2. Compile with "make"
+   
+Manual compile can be done with
+   gcc -lm -lcryptsetup chk_luks_keyslots.c -o chk_luks_keyslots
+
+Usage
+=====
+
+Call chk_luks_keyslots without arguments for an option summary.
+
+
+Example of a good keyslot area with keys 0 and 2 in use:
+--------------------------------------------------------
+
+root> ./chk_luks_keyslots /dev/loop0
+
+parameters (commandline and LUKS header):
+  sector size: 512
+  threshold:   0.900000
+
+- processing keyslot 0:  start: 0x001000   end: 0x020400
+- processing keyslot 1:  keyslot not in use
+- processing keyslot 2:  start: 0x041000   end: 0x060400
+- processing keyslot 3:  keyslot not in use
+- processing keyslot 4:  keyslot not in use
+- processing keyslot 5:  keyslot not in use
+- processing keyslot 6:  keyslot not in use
+- processing keyslot 7:  keyslot not in use
+
+
+Same example of a fault in slot 2 at offset 0x50000:
+----------------------------------------------------
+
+root>./chk_luks_keyslots /dev/loop2
+
+parameters (commandline and LUKS header):
+  sector size: 512
+  threshold:   0.900000
+
+- processing keyslot 0:  start: 0x001000   end: 0x020400
+- processing keyslot 1:  keyslot not in use
+- processing keyslot 2:  start: 0x041000   end: 0x060400
+  low entropy at: 0x050000    entropy: 0.549165
+- processing keyslot 3:  keyslot not in use
+- processing keyslot 4:  keyslot not in use
+- processing keyslot 5:  keyslot not in use
+- processing keyslot 6:  keyslot not in use
+- processing keyslot 7:  keyslot not in use
+
+
+Same as last, but verbose:
+--------------------------
+root>./chk_luks_keyslots  -v /dev/loop2
+
+parameters (commandline and LUKS header):
+  sector size: 512
+  threshold:   0.900000
+
+- processing keyslot 0:  start: 0x001000   end: 0x020400
+- processing keyslot 1:  keyslot not in use
+- processing keyslot 2:  start: 0x041000   end: 0x060400
+  low entropy at: 0x050000    entropy: 0.549165
+  Binary dump:
+  0x050000  54 68 69 73 20 69 73 20  61 20 74 65 73 74 2D 73  This is a test-s
+  0x050010  65 63 74 6F 72 20 66 6F  72 20 63 68 6B 5F 6C 75  ector for chk_lu
+  0x050020  6B 73 5F 6B 65 79 73 6C  6F 74 73 20 74 68 65 20  ks_keyslots the
+  0x050030  71 75 69 63 6B 20 62 72  6F 77 6E 20 66 6F 78 20  quick brown fox
+  0x050040  6A 75 6D 70 73 20 6F 76  65 72 20 74 68 65 20 6C  jumps over the l
+  0x050050  61 7A 79 20 64 6F 67 20  74 68 65 20 71 75 69 63  azy dog the quic
+  0x050060  6B 20 62 72 6F 77 6E 20  66 6F 78 20 6A 75 6D 70  k brown fox jump
+  0x050070  73 20 6F 76 65 72 20 74  68 65 20 6C 61 7A 79 20  s over the lazy
+  0x050080  64 6F 67 20 74 68 65 20  71 75 69 63 6B 20 62 72  dog the quick br
+  0x050090  6F 77 6E 20 66 6F 78 20  6A 75 6D 70 73 20 6F 76  own fox jumps ov
+  0x0500a0  65 72 20 74 68 65 20 6C  61 7A 79 20 64 6F 67 20  er the lazy dog
+  0x0500b0  74 68 65 20 71 75 69 63  6B 20 62 72 6F 77 6E 20  the quick brown
+  0x0500c0  66 6F 78 20 6A 75 6D 70  73 20 6F 76 65 72 20 74  fox jumps over t
+  0x0500d0  68 65 20 6C 61 7A 79 20  64 6F 67 20 74 68 65 20  he lazy dog the
+  0x0500e0  71 75 69 63 6B 20 62 72  6F 77 6E 20 66 6F 78 20  quick brown fox
+  0x0500f0  6A 75 6D 70 73 20 6F 76  65 72 20 74 68 65 20 6C  jumps over the l
+  0x050100  61 7A 79 20 64 6F 67 20  74 68 65 20 71 75 69 63  azy dog the quic
+  0x050110  6B 20 62 72 6F 77 6E 20  66 6F 78 20 6A 75 6D 70  k brown fox jump
+  0x050120  73 20 6F 76 65 72 20 74  68 65 20 6C 61 7A 79 20  s over the lazy
+  0x050130  64 6F 67 20 74 68 65 20  71 75 69 63 6B 20 62 72  dog the quick br
+  0x050140  6F 77 6E 20 66 6F 78 20  6A 75 6D 70 73 20 6F 76  own fox jumps ov
+  0x050150  65 72 20 74 68 65 20 6C  61 7A 79 20 64 6F 67 20  er the lazy dog
+  0x050160  74 68 65 20 71 75 69 63  6B 20 62 72 6F 77 6E 20  the quick brown
+  0x050170  66 6F 78 20 6A 75 6D 70  73 20 6F 76 65 72 20 74  fox jumps over t
+  0x050180  68 65 20 6C 61 7A 79 20  64 6F 67 20 74 68 65 20  he lazy dog the
+  0x050190  71 75 69 63 6B 20 62 72  6F 77 6E 20 66 6F 78 20  quick brown fox
+  0x0501a0  6A 75 6D 70 73 20 6F 76  65 72 20 74 68 65 20 6C  jumps over the l
+  0x0501b0  61 7A 79 20 64 6F 67 20  74 68 65 20 71 75 69 63  azy dog the quic
+  0x0501c0  6B 20 62 72 6F 77 6E 20  66 6F 78 20 6A 75 6D 70  k brown fox jump
+  0x0501d0  73 20 6F 76 65 72 20 74  68 65 20 6C 61 7A 79 20  s over the lazy
+  0x0501e0  64 6F 67 20 74 68 65 20  71 75 69 63 6B 20 62 72  dog the quick br
+  0x0501f0  6F 77 6E 20 66 6F 78 20  6A 75 6D 70 73 20 6F 76  own fox jumps ov
+
+- processing keyslot 3:  keyslot not in use
+- processing keyslot 4:  keyslot not in use
+- processing keyslot 5:  keyslot not in use
+- processing keyslot 6:  keyslot not in use
+- processing keyslot 7:  keyslot not in use
+
+----
+Copyright (C) 2012, Arno Wagner <arno@wagner.name>
+This file is free documentation; the author gives
+unlimited permission to copy, distribute and modify it.
diff --git a/misc/keyslot_checker/chk_luks_keyslots.c b/misc/keyslot_checker/chk_luks_keyslots.c
new file mode 100644
index 0000000..308b002
--- /dev/null
+++ b/misc/keyslot_checker/chk_luks_keyslots.c
@@ -0,0 +1,371 @@
+/*
+ * LUKS keyslot entropy tester. Works only for header version 1.
+ *
+ * Functionality: Determines sample entropy (symbols: bytes) for
+ * each (by default) 512B sector in each used keyslot. If it
+ * is lower than a threshold, the sector address is printed
+ * as it is suspected of having non-"random" data in it, indicating
+ * damage by overwriting. This can obviously not find overwriting
+ * with random or random-like data (encrypted, compressed).
+ *
+ * Version history:
+ *    v0.1: 09.09.2012 Initial release
+ *    v0.2: 08.10.2012 Converted to use libcryptsetup
+ *
+ * Copyright (C) 2012, Arno Wagner <arno@wagner.name>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <ctype.h>
+#include <math.h>
+#include <fcntl.h>
+#include <inttypes.h>
+#include <libcryptsetup.h>
+
+const char *help =
+"Version 0.2 [8.10.2012]\n"
+"\n"
+"    chk_luks_keyslots [options] luks-device \n"
+"\n"
+"This tool checks all keyslots of a LUKS device for \n"
+"low entropy sections. If any are found, they are reported. \n"
+"This allows one to find areas damaged by things like filesystem \n"
+"creation or RAID superblocks. \n"
+"\n"
+"Options: \n"
+"  -t <num>  Entropy threshold. Possible values 0.0 ... 1.0 \n"
+"            Default: 0.90, which works well for 512B sectors.\n"
+"            For 512B sectors, you will get frequent misdetections\n"
+"            at thresholds around 0.94\n"
+"            Higher value: more sensitive but more false detections.\n"
+"  -s <num>  Sector size. Must divide keyslot-size.\n"
+"            Default: 512 Bytes.\n"
+"            Values smaller than 128 are generally not very useful.\n"
+"            For values smaller than the default, you need to adjust\n"
+"            the threshold down to reduce misdetection. For values\n"
+"            larger than the default you need to adjust the threshold\n"
+"            up to retain sensitivity.\n"
+"  -v        Print found suspicious sectors verbosely. \n"
+"  -d        Print decimal addresses instead of hex ones.\n"
+"\n";
+
+
+/* Config defaults */
+
+static int sector_size = 512;
+static double threshold = 0.90;
+static int print_decimal = 0;
+static int verbose = 0;
+
+/* tools */
+
+/* Calculates and returns sample entropy on byte level for
+ * The argument.
+ */
+static double ent_samp(unsigned char * buf, int len)
+{
+	int freq[256];   /* stores symbol frequencies */
+	int i;
+	double e, f;
+
+	/* 0. Plausibility checks */
+	if (len <= 0)
+		return 0.0;
+
+	/* 1. count all frequencies */
+	for (i = 0; i < 256; i++) {
+		freq[i] = 0.0;
+	}
+
+	for (i = 0; i < len; i ++)
+		freq[buf[i]]++;
+
+	/* 2. calculate sample entropy */
+	e = 0.0;
+	for (i = 0; i < 256; i++) {
+		f = freq[i];
+		if (f > 0) {
+			f =  f / (double)len;
+			e += f * log2(f);
+		}
+	}
+
+	if (e != 0.0)
+		e = -1.0 * e;
+
+	e = e / 8.0;
+	return e;
+}
+
+static void print_address(FILE *out, uint64_t value)
+{
+	if (print_decimal) {
+		fprintf(out,"%08" PRIu64 " ", value);
+	} else {
+		fprintf(out,"%#08" PRIx64 " ", value);
+	}
+}
+
+/* uses default "hd" style, i.e. 16 bytes followed by ASCII */
+static void hexdump_line(FILE *out, uint64_t address, unsigned char *buf) {
+	int i;
+	static char tbl[16] = "0123456789ABCDEF";
+
+	fprintf(out,"  ");
+	print_address(out, address);
+	fprintf(out," ");
+
+	/* hex */
+	for (i = 0; i < 16; i++) {
+		fprintf(out, "%c%c",
+			tbl[(unsigned char)buf[i]>> 4],
+			tbl[(unsigned char)buf[i] & 0x0f]);
+		fprintf(out," ");
+		if (i == 7)
+			fprintf(out," ");
+	}
+
+	fprintf(out," ");
+
+	/* ascii */
+	for (i = 0; i < 16; i++) {
+		if (isprint(buf[i])) {
+			fprintf(out, "%c", buf[i]);
+		} else {
+			fprintf(out, ".");
+		}
+	}
+	fprintf(out, "\n");
+}
+
+static void hexdump_sector(FILE *out, unsigned char *buf, uint64_t address, int len)
+{
+	int done;
+
+	done = 0;
+	while (len - done >= 16) {
+		hexdump_line(out, address + done, buf + done);
+		done += 16;
+	}
+}
+
+static int check_keyslots(FILE *out, struct crypt_device *cd, int f_luks)
+{
+	int i;
+	double ent;
+	off_t ofs;
+	uint64_t start, length, end;
+	crypt_keyslot_info ki;
+	unsigned char buffer[sector_size];
+
+	for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1) ; i++) {
+		fprintf(out, "- processing keyslot %d:", i);
+		ki = crypt_keyslot_status(cd, i);
+		if (ki == CRYPT_SLOT_INACTIVE) {
+			fprintf(out, "  keyslot not in use\n");
+			continue;
+		}
+
+		if (ki == CRYPT_SLOT_INVALID) {
+			fprintf(out, "\nError: keyslot invalid.\n");
+			return EXIT_FAILURE;
+		}
+
+		if (crypt_keyslot_area(cd, i, &start, &length) < 0) {
+			fprintf(stderr,"\nError: querying keyslot area failed for slot %d\n", i);
+			perror(NULL);
+			return EXIT_FAILURE;
+		}
+		end = start + length;
+
+		fprintf(out, "  start: ");
+		print_address(out, start);
+		fprintf(out, "  end: ");
+		print_address(out, end);
+		fprintf(out, "\n");
+
+		/* check whether sector-size divides size */
+		if (length % sector_size != 0) {
+			fprintf(stderr,"\nError: Argument to -s does not divide keyslot size\n");
+			return EXIT_FAILURE;
+		}
+
+		for (ofs = start; (uint64_t)ofs < end; ofs += sector_size) {
+			if (lseek(f_luks, ofs, SEEK_SET) != ofs) {
+				fprintf(stderr,"\nCannot seek to keyslot area.\n");
+				return EXIT_FAILURE;
+			}
+			if (read(f_luks, buffer, sector_size) != sector_size) {
+				fprintf(stderr,"\nCannot read keyslot area.\n");
+				return EXIT_FAILURE;
+			}
+			ent = ent_samp(buffer, sector_size);
+			if (ent < threshold) {
+				fprintf(out, "  low entropy at: ");
+				print_address(out, ofs);
+				fprintf(out, "   entropy: %f\n", ent);
+				if (verbose) {
+					fprintf(out, "  Binary dump:\n");
+					hexdump_sector(out, buffer, (uint64_t)ofs, sector_size);
+					fprintf(out,"\n");
+				}
+			}
+		}
+	}
+
+	return EXIT_SUCCESS;
+}
+
+/* Main */
+int main(int argc, char **argv)
+{
+	/* for option processing */
+	int c, r;
+	char *device;
+
+	/* for use of libcryptsetup */
+	struct crypt_device *cd;
+
+	/* Other vars */
+	int f_luks;   /* device file for the luks device */
+	FILE *out;
+
+	/* temporary helper vars */
+	int res;
+
+	/* getopt values */
+	char *s, *end;
+	double tvalue;
+	int svalue;
+
+	/* global initializations */
+	out = stdout;
+
+	/* get commandline parameters */
+	while ((c = getopt (argc, argv, "t:s:vd")) != -1) {
+		switch (c) {
+		case 't':
+			s = optarg;
+			tvalue = strtod(s, &end);
+			if (s == end) {
+				fprintf(stderr, "\nError: Parsing of argument to -t failed.\n");
+				exit(EXIT_FAILURE);
+			}
+
+			if (tvalue < 0.0 || tvalue > 1.0) {
+				fprintf(stderr,"\nError: Argument to -t must be in 0.0 ... 1.0\n");
+				exit(EXIT_FAILURE);
+			}
+			threshold = tvalue;
+			break;
+		case 's':
+			s = optarg;
+			svalue = strtol(s, &end, 10);
+			if (s == end) {
+				fprintf(stderr, "\nError: Parsing of argument to -s failed.\n");
+				exit(EXIT_FAILURE);
+			}
+
+			if (svalue < 1) {
+				fprintf(stderr,"\nError: Argument to -s must be >= 1 \n");
+				exit(EXIT_FAILURE);
+			}
+			sector_size = svalue;
+			break;
+		case 'v':
+			verbose = 1;
+			break;
+		case 'd':
+			print_decimal = 1;
+			break;
+		case '?':
+			if (optopt == 't' || optopt == 's')
+				fprintf (stderr,"\nError: Option -%c requires an argument.\n",
+					 optopt);
+			else if (isprint (optopt)) {
+				fprintf(stderr,"\nError: Unknown option `-%c'.\n", optopt);
+				fprintf(stderr,"\n\n%s", help);
+			} else {
+				fprintf (stderr, "\nError: Unknown option character `\\x%x'.\n",
+					 optopt);
+				fprintf(stderr,"\n\n%s", help);
+			}
+			exit(EXIT_SUCCESS);
+		default:
+			exit(EXIT_FAILURE);
+		}
+	}
+
+	/* parse non-option stuff. Should be exactly one, the device. */
+	if (optind+1 != argc) {
+		fprintf(stderr,"\nError: exactly one non-option argument expected!\n");
+		fprintf(stderr,"\n\n%s", help);
+		exit(EXIT_FAILURE);
+	}
+	device = argv[optind];
+
+	/* test whether we can open and read device */
+	/* This is needed as we are reading the actual data
+	* in the keyslots directly from the LUKS container.
+	*/
+	f_luks = open(device, O_RDONLY);
+	if (f_luks == -1) {
+		fprintf(stderr,"\nError: Opening of device %s failed:\n", device);
+		perror(NULL);
+		exit(EXIT_FAILURE);
+	}
+
+	/* now get the parameters we need via libcryptsetup */
+	/* Basically we need all active keyslots and their placement on disk */
+
+	/* first init. This does the following:
+	 *   - gets us a crypt_device struct with some values filled in
+	 *     Note: This does some init stuff we do not need, but that
+	 *     should not cause trouble.
+	 */
+
+	res = crypt_init(&cd, device);
+	if (res < 0) {
+		fprintf(stderr, "crypt_init() failed. Maybe not running as root?\n");
+		close(f_luks);
+		exit(EXIT_FAILURE);
+	}
+
+	/* now load LUKS header into the crypt_device
+	 * This should also make sure a valid LUKS1 header is on disk
+	 * and hence we should be able to skip magic and version checks.
+	 */
+	res = crypt_load(cd, CRYPT_LUKS1, NULL);
+	if (res < 0) {
+		fprintf(stderr, "crypt_load() failed. LUKS header too broken/absent?\n");
+		crypt_free(cd);
+		close(f_luks);
+		exit(EXIT_FAILURE);
+	}
+
+	fprintf(out, "\nparameters (commandline and LUKS header):\n");
+	fprintf(out, "  sector size: %d\n", sector_size);
+	fprintf(out, "  threshold:   %0f\n\n", threshold);
+
+	r = check_keyslots(out, cd, f_luks);
+
+	crypt_free(cd);
+	close(f_luks);
+	return r;
+}
diff --git a/misc/luks-header-from-active b/misc/luks-header-from-active
new file mode 100755
index 0000000..a94ad33
--- /dev/null
+++ b/misc/luks-header-from-active
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# Try to get LUKS info and master key from active mapping and prepare parameters for cryptsetup.
+#
+# Copyright (C) 2010,2011,2012 Milan Broz <gmazyland@gmail.com>
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions
+# of the GNU General Public License v.2.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+umask 0077
+
+fail() { echo -e $1 ; exit 1 ; }
+field() { echo $(dmsetup table --target crypt --showkeys $DEVICE | sed 's/.*: //' | cut -d' ' -f$1) ; }
+field_uuid() { echo $(dmsetup info $1 --noheadings -c -o uuid) ; }
+field_device() {
+	TEMP=$(readlink /sys/dev/block/$1 | sed -e 's/.*\///')
+	if [  ${TEMP:0:3} = "dm-" -a -e /sys/block/$TEMP/dm/name ] ; then
+		TEMP=/dev/mapper/$(cat /sys/block/$TEMP/dm/name)
+	else
+		TEMP=/dev/$TEMP
+	fi
+	echo $TEMP
+}
+
+which readlink >/dev/null || fail "You need readlink (part of coreutils package)."
+which xxd >/dev/null || fail "You need xxd (part of vim package) installed to convert key."
+
+[ -z "$2" ] && fail "Recover LUKS header from active mapping, use:\n $0 crypt_mapped_device mk_file_name"
+
+DEVICE=$1
+MK_FILE=$2
+
+[ -z "$(field 4)" ] && fail "Mapping $1 not active or it is not crypt target."
+
+CIPHER=$(field 4)
+OFFSET=$(field 8)
+SYS_DEVICE=$(field 7)
+REAL_DEVICE=$(field_device $SYS_DEVICE)
+KEY=$(field 5)
+KEY_SIZE=$(( ${#KEY} / 2 * 8 ))
+SYS_UUID=$(field_uuid $DEVICE)
+UUID="${SYS_UUID:12:8}-${SYS_UUID:20:4}-${SYS_UUID:24:4}-${SYS_UUID:28:4}-${SYS_UUID:32:12}"
+
+#echo "CIPHER=$CIPHER OFFSET=$OFFSET SYS_DEVICE=$SYS_DEVICE REAL_DEVICE=$REAL_DEVICE KEY_SIZE=$KEY_SIZE KEY=$KEY UUID=$UUID SYS_UUID=$SYS_UUID"
+
+[ -z "$CIPHER" -o -z "$OFFSET" -o "$OFFSET" -le 383 -o \
+-z "$KEY" -o -z "$UUID" -o -z "$REAL_DEVICE" -o "${SYS_UUID:0:12}" != "CRYPT-LUKS1-" ] && \
+fail "Incompatible device, sorry."
+
+echo "Generating master key to file $MK_FILE."
+echo -E -n $KEY| xxd -r -p >$MK_FILE
+
+echo "You can now try to reformat LUKS device using:"
+echo "  cryptsetup luksFormat -c $CIPHER -s $KEY_SIZE --align-payload=$OFFSET --master-key-file=$MK_FILE --uuid=$UUID $REAL_DEVICE"