#!/bin/sh
# decrypt_keyctl - to use in /etc/crypttab as keyscript
#  Allows to cache passwords for cryptdevices for 60s
#  The same password is used for for cryptdevices with the same identifier.
#  The keyfile parameter, which is the third field from /etc/crypttab, is
#  used as identifier in this keyscript.
#
# sample crypttab entries:
# test1   /dev/sda1    test_pw         luks,keyscript=decrypt_keyctl
# test2   /dev/sda2    test_pw         luks,keyscript=decrypt_keyctl
# test3   /dev/sda3    test_other_pw   luks,keyscript=decrypt_keyctl
#
#  test1 and test2 have the same identifier thus test2 does not need a password
#  typed in manually

die()
{
    echo "$@" >&2
    exit 1
}

if [ -z "${CRYPTTAB_KEY:-}" ] || [ "$CRYPTTAB_KEY" = "none" ]; then
    # store the passphrase in the key name used by systemd-ask-password
    ID_="cryptsetup"
else
    # the keyfile given from crypttab is used as identifier in the keyring
    # including the prefix "cryptsetup:"
    ID_="cryptsetup:$CRYPTTAB_KEY"
fi
TIMEOUT_='60'
ASKPASS_='/lib/cryptsetup/askpass'
lang_is_zh=false
lang_is_zhHk=false
lang_is_boCN=false
lang_is_mnMN=false
if [ -f /scripts/lang_is_zhHK ]; then
    lang_is_zhHK=true
elif [ -f /scripts/lang_is_boCN ]; then
    lang_is_boCN=true
elif [ -f /scripts/lang_is_mnMN ]; then
    lang_is_mnMN=true
elif [ -f /scripts/lang_is_zh ]; then
    lang_is_zh=true
fi

if [ x"${lang_is_zh}" = x'true' ]; then
    PROMPT_="请解锁磁盘 ${CRYPTTAB_NAME}： "
elif [ x"${lang_is_zhHK}" = x'true' ]; then
    PROMPT_="請解鎖磁碟 ${CRYPTTAB_NAME}： "
elif [ x"${lang_is_boCN}" = x'true' ]; then
    PROMPT_="ཁབ་ལེན་འཁོར་ལོ་ཟྭ་ཞིག་རྒྱག་རོགས། ${CRYPTTAB_NAME}： " 
elif [ x"${lang_is_mnMN}" = x'true' ]; then
    PROMPT_="ᠰᠤᠷᠢᠨᠵᠢᠨ ᠫᠠᠨᠰᠠ ᠶᠢ ᠣᠨᠢᠰᠤᠯᠠᠬᠤ ${CRYPTTAB_NAME}： "
else
    PROMPT_="Please unlock disk ${CRYPTTAB_NAME}: "
fi
if ! KID_="$(keyctl search @u user "$ID_" 2>/dev/null)" || \
        [ -z "$KID_" ] || [ "$CRYPTTAB_TRIED" -gt 0 ]; then
    # key not found or wrong, ask the user
    KEY_="$($ASKPASS_ "$PROMPT_")" || die "Error executing $ASKPASS_"
    if [ -n "$KID_" ]; then
        # I have cached wrong password and now i may use either `keyctl update`
        # to update $KID_ or just unlink old key, and add new. With `update` i
        # may hit "Key has expired", though. So i'll go "unlink and add" way.
        keyctl unlink "$KID_" @u
        KID_=""
    fi
    KID_="$(printf "%s" "$KEY_" | keyctl padd user "$ID_" @u)"
    [ -n "$KID_" ] || die "Error adding passphrase to kernel keyring"
    if ! keyctl timeout "$KID_" "$TIMEOUT_"; then
        keyctl unlink "$KID_" @u
        die "Error setting timeout on key ($KID_), removing"
    fi
else
    echo "Using cached passphrase for ${CRYPTTAB_NAME}." >&2
fi
keyctl pipe "$KID_"
