new directory layout (trunk, tags and branches)

cryptobox.conf.d/etc/cryptobox/cryptobox.conf

@@ -0,0 +1,45 @@
+# this file is directly sourced by some bash scripts
+# so there should be no space around the "="
+
+LANGUAGE=de
+NET_IFACE=eth0
+SAMBA_USER=nobody
+SCAN_DEVICES="/dev/hda /dev/hdb /dev/hdc /dev/hde /dev/hdf /dev/hdg /dev/scd0 /dev/scd1 /dev/scd2 /dev/scd3"
+
+# directories
+LANGUAGE_DIR=/usr/share/cryptobox/lang
+TEMPLATE_DIR=/usr/share/cryptobox/templates
+DOC_DIR=/usr/share/doc/cryptobox/html
+CONFIG_DEFAULTS_DIR=/usr/share/cryptobox/defaults
+REPORT_DIR=/var/www/report
+CONFIG_DIR=/mnt/cb-etc
+CRYPTO_DIR=/mnt/crypto
+TEST_CASES_DIR=/usr/share/cryptobox/test-cases
+SUMMARY_TEMPLATE_DIR=/usr/share/cryptobox/templates/test-summary
+
+# some files
+CB_SCRIPT=/scripts/cryptobox.sh
+VALIDATE_SCRIPT=/usr/lib/cryptobox/validate.sh
+LOG_FILE=/var/log/cryptobox.log
+DEVELOPMENT_MARKER=/DEVELOPMENT_CRYPTOBOX
+CERT_FILE=/mnt/cb-etc/stunnel.pem
+OPENSSL_CONF_FILE=/etc/cryptobox/openssl.cnf
+
+# crypto settings
+HASH=sha512
+ALGO=aes
+CRYPTMAPPER_DEV=/dev/mapper/cryptobox-data
+
+# some programs
+SFDISK=/sbin/sfdisk
+WIPE=/usr/bin/wipe
+MKFS_DATA=/sbin/mkfs.ext3
+MKFS_CONFIG=/sbin/mkfs.ext2
+CRYPTSETUP=/sbin/cryptsetup
+
+# firewall setings
+# do not use multiports (iptables) as the timeout-script depends on
+# single port rules
+# ssh is allowed too, but the server is not started automatically
+ALLOW_TCP_PORTS="22 80 139 443 445"
+ALLOW_UDP_PORTS="137 138"

cryptobox.conf.d/etc/cryptobox/openssl.cnf

@@ -0,0 +1,65 @@
+#
+# OpenSSL configuration file.
+#
+
+# Establish working directory.
+
+dir = . 
+
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+default_days = 3650
+default_md = md5
+policy = policy_match
+#serial = $dir/serial
+#database = $dir/index.txt
+#new_certs_dir = $dir/newcert
+#certificate = $dir/cacert.pem
+#private_key = $dir/private/cakey.pem
+#preserve = no
+#email_in_dn = no
+#nameopt = default_ca
+#certopt = default_ca
+
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = match
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+default_bits = 1024 # Size of keys
+default_keyfile = stunnel.pem # name of generated keys
+default_md = md5 # message digest algorithm
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+# Variable name   Prompt string
+#----------------------   ----------------------------------
+0.organizationName = Organization Name (company)
+organizationalUnitName = Organizational Unit Name (department, division)
+emailAddress = Email Address
+emailAddress_max = 40
+localityName = Locality Name (city, district)
+stateOrProvinceName = State or Province Name (full name)
+#countryName = Country Name (2 letter code)
+#countryName_min = 2
+#countryName_max = 2
+#commonName = Common Name (hostname, IP, or your name)
+#commonName_max = 64
+
+# Default values for the above, for consistency and less typing.
+# Variable name   Value
+#------------------------------   ------------------------------
+0.organizationName_default = CryptoBox
+organizationalUnitName_default = s.l.
+localityName_default = Kugelmugel
+stateOrProvinceName_default = Metropolis
+emailAddress_default = info@systemausfall.org
+
+
+

cryptobox.conf.d/etc/rc2.d/S98cryptobox.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+set -eu
+
+ACTION=help
+[ $# -gt 0 ] && ACTION="$1"
+
+case "$ACTION" in
+	start )
+		/scripts/cryptobox.sh services-up
+		;;
+	stop )
+		/scripts/cryptobox.sh services-down
+		;;
+	restart )
+		$0 stop
+		$0 start
+		;;
+	* )
+		echo "Syntax: `basename $0` { start | stop | restart }"
+		;;
+  esac

cryptobox.conf.d/etc/rc2.d/S99cryptobox-devel-features.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# this script looks for the file /DEVELOPMENT_CRYPTOBOX
+#  if it exists, the script $DEVEL_SCRIPT be executed - this is
+#  ONLY FOR DEVELOPMENT CDs!
+#  for production CD the file /DEVELOPMENT_CRYPTOBOX should never exist!
+#
+
+set -eu
+
+MARKER=/DEVELOPMENT_CRYPTOBOX
+
+# return, if it does not exist
+[ ! -e "$MARKER" ] && exit 0
+
+echo
+echo "#---------------------------------------------------------------#"
+echo "| WARNING: developers features are enabled                      |"
+echo "|  This definitely should NOT happen for production CDs!        |"
+echo "|  If you are not a developer, then this CD is DANGEROUS, as it |"
+echo "|  offers no security at all!                                   |"
+echo "#---------------------------------------------------------------#"
+echo 
+
+/scripts/devel-features.sh "$@"

cryptobox.conf.d/etc/rcS.d/S22mount-cb-config.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -eu
+
+ACTION=help
+[ $# -gt 0 ] && ACTION="$1"
+
+case "$ACTION" in
+	start )
+		/scripts/cryptobox.sh config-up
+		;;
+	stop )
+		/scripts/cryptobox.sh config-down
+		;;
+	restart )
+		$0 stop
+		$0 start
+		;;
+	* )
+		echo "Syntax: `basename $0` { start | stop | restart }"
+		echo
+		;;
+  esac

cryptobox.conf.d/etc/rcS.d/S37cb-network.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -eu
+
+ACTION=help
+[ $# -gt 0 ] && ACTION="$1"
+
+case "$ACTION" in
+	start )
+		/scripts/cryptobox.sh network-up
+		;;
+	stop )
+		/scripts/cryptobox.sh network-down
+		;;
+	restart )
+		$0 stop
+		$0 start
+		;;
+	* )
+		echo "Syntax: `basename $0` { start | stop | restart }"
+		echo
+		;;
+  esac

cryptobox.conf.d/etc/samba/smb.conf

@@ -0,0 +1,237 @@
+#
+# Sample configuration file for the Samba suite for Debian GNU/Linux.
+#
+#
+# This is the main Samba configuration file. You should read the
+# smb.conf(5) manual page in order to understand the options listed
+# here. Samba has a huge number of configurable options most of which 
+# are not shown in this example
+#
+# Any line which starts with a ; (semi-colon) or a # (hash) 
+# is a comment and is ignored. In this example we will use a #
+# for commentary and a ; for parts of the config file that you
+# may wish to enable
+#
+# NOTE: Whenever you modify this file you should run the command
+# "testparm" to check that you have not many any basic syntactic 
+# errors. 
+#
+
+#======================= Global Settings =======================
+
+[global]
+
+## Browsing/Identification ###
+
+# Change this to the workgroup/NT-domain name your Samba server will part of
+   workgroup = CryptoBoxGroup
+
+# server string is the equivalent of the NT Description field
+   server string = %h cryptobox (Samba %v)
+
+# Windows Internet Name Serving Support Section:
+# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
+;   wins support = no
+
+# WINS Server - Tells the NMBD components of Samba to be a WINS Client
+# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
+;   wins server = w.x.y.z
+
+# This will prevent nmbd to search for NetBIOS names through DNS.
+   dns proxy = no
+
+# What naming service and in what order should we use to resolve host names
+# to IP addresses
+;   name resolve order = lmhosts host wins bcast
+
+
+#### Debugging/Accounting ####
+
+# This tells Samba to use a separate log file for each machine
+# that connects
+   log file = /var/log/samba/log.%m
+
+# Put a capping on the size of the log files (in Kb).
+   max log size = 1000
+
+# If you want Samba to only log through syslog then set the following
+# parameter to 'yes'.
+;   syslog only = no
+
+# We want Samba to log a minimum amount of information to syslog. Everything
+# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
+# through syslog you should set the following parameter to something higher.
+   syslog = 0
+
+# Do something sensible when Samba crashes: mail the admin a backtrace
+   panic action = /usr/share/samba/panic-action %d
+
+
+####### Authentication #######
+
+# "security = user" is always a good idea. This will require a Unix account
+# in this server for every user accessing the server. See
+# /usr/share/doc/samba-doc/htmldocs/ServerType.html in the samba-doc
+# package for details.
+   security = share
+
+# You may wish to use password encryption.  See the section on
+# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
+   encrypt passwords = true
+
+# If you are using encrypted passwords, Samba will need to know what
+# password database type you are using.  
+   passdb backend = tdbsam guest
+
+   obey pam restrictions = yes
+
+   guest account = nobody
+;   invalid users = root
+
+# This boolean parameter controls whether Samba attempts to sync the Unix
+# password with the SMB password when the encrypted SMB password in the
+# passdb is changed.
+;   unix password sync = no
+
+# For Unix password sync to work on a Debian GNU/Linux system, the following
+# parameters must be set (thanks to Augustin Luton <aluton@hybrigenics.fr> for
+# sending the correct chat script for the passwd program in Debian Potato).
+   passwd program = /usr/bin/passwd %u
+   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
+
+# This boolean controls whether PAM will be used for password changes
+# when requested by an SMB client instead of the program listed in
+# 'passwd program'. The default is 'no'.
+;   pam password change = no
+
+
+########## Printing ##########
+
+# If you want to automatically load your printer list rather
+# than setting them up individually then you'll need this
+;   load printers = yes
+
+# lpr(ng) printing. You may wish to override the location of the
+# printcap file
+;   printing = bsd
+;   printcap name = /etc/printcap
+
+# CUPS printing.  See also the cupsaddsmb(8) manpage in the
+# cupsys-client package.
+;   printing = cups
+;   printcap name = cups
+
+# When using [print$], root is implicitly a 'printer admin', but you can
+# also give this right to other users to add drivers and set printer
+# properties
+;   printer admin = @ntadmin
+
+
+######## File sharing ########
+
+# Name mangling options
+   preserve case = yes
+   short preserve case = yes
+
+
+############ Misc ############
+
+# Using the following line enables you to customise your configuration
+# on a per machine basis. The %m gets replaced with the netbios name
+# of the machine that is connecting
+;   include = /home/samba/etc/smb.conf.%m
+
+# Most people will find that this option gives better performance.
+# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/speed.html
+# for details
+# You may want to add the following on a Linux system:
+#         SO_RCVBUF=8192 SO_SNDBUF=8192
+   socket options = TCP_NODELAY
+
+# The following parameter is useful only if you have the linpopup package
+# installed. The samba maintainer and the linpopup maintainer are
+# working to ease installation and configuration of linpopup and samba.
+;   message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
+
+# Domain Master specifies Samba to be the Domain Master Browser. If this
+# machine will be configured as a BDC (a secondary logon server), you
+# must set this to 'no'; otherwise, the default behavior is recommended.
+domain master = no
+local master = no
+preferred master = no
+
+# Some defaults for winbind (make sure you're not using the ranges
+# for something else.)
+;   idmap uid = 10000-20000
+;   idmap gid = 10000-20000
+;   template shell = /bin/bash
+
+#======================= Share Definitions =======================
+
+;[homes]
+;   comment = Home Directories
+;   browseable = no
+
+[public]
+    comment = public share
+    path = /mnt/crypto
+    public = yes
+    guest ok = yes
+
+# By default, the home directories are exported read-only. Change next
+# parameter to 'yes' if you want to be able to write to them.
+   writable = yes
+
+# File creation mask is set to 0700 for security reasons. If you want to
+# create files with group=rw permissions, set next parameter to 0775.
+   create mask = 0700
+
+# Directory creation mask is set to 0700 for security reasons. If you want to
+# create dirs. with group=rw permissions, set next parameter to 0775.
+   directory mask = 0700
+
+# Un-comment the following and create the netlogon directory for Domain Logons
+# (you need to configure Samba to act as a domain controller too.)
+;[netlogon]
+;   comment = Network Logon Service
+;   path = /home/samba/netlogon
+;   guest ok = yes
+;   writable = no
+;   share modes = no
+
+;[printers]
+;   comment = All Printers
+;   browseable = no
+;   path = /tmp
+;   printable = yes
+;   public = no
+;   writable = no
+;   create mode = 0700
+
+# Windows clients look for this share name as a source of downloadable
+# printer drivers
+#[print$]
+#   comment = Printer Drivers
+#   path = /var/lib/samba/printers
+#   browseable = yes
+#   read only = yes
+#   guest ok = no
+# Uncomment to allow remote administration of Windows print drivers.
+# Replace 'ntadmin' with the name of the group your admin users are
+# members of.
+;   write list = root, @ntadmin
+
+# The next two parameters show how to auto-mount a CD-ROM when the
+#	cdrom share is accesed. For this to work /etc/fstab must contain
+#	an entry like this:
+#
+#       /dev/scd0   /cdrom  iso9660 defaults,noauto,ro,user   0 0
+#
+# The CD-ROM gets unmounted automatically after the connection to the
+#
+# If you don't want to use auto-mounting/unmounting make sure the CD
+#	is mounted on /cdrom
+#
+;   preexec = /bin/mount /cdrom
+;   postexec = /bin/umount /cdrom
+

cryptobox.conf.d/mnt/crypto/info.txt

@@ -0,0 +1 @@
+Hallo

cryptobox.conf.d/scripts/check_smb_idle.sh

@@ -0,0 +1,51 @@
+#!/bin/sh
+#
+# a simple script to check, if there was smb traffic since the last test
+#
+# you may want to adjust the function "filter_ipt_rules" according to your setup
+#
+# any Parameter are ignored
+# 
+# this script has to run as root - as it invokes iptables
+#
+# possible deployment in crontab:
+#   smb_timeout.sh && (/etc/init.d/samba stop; umount /mnt/crypto)
+#
+# the iptables rules you need to detect smb traffic could look like the following:
+#   iptables -A INPUT -i eth0 -p udp --dport 138 -j ACCEPT
+#   iptables -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
+#
+
+set -eu
+
+# parse config file
+. /etc/cryptobox/cryptobox.conf
+
+
+filter_ipt_rules()
+# get the input rules for smb datagram traffic
+{
+	iptables -L INPUT -vnx | grep -E "tcp upt:138|udp dpt:139"
+}
+
+
+function count_traffic()
+{
+	local sum=0
+	# fallback if no rules were found
+	echo "$sum"
+	# extract the number of packets and calculate the sum
+	filter_ipt_rules | sed 's/  */ /g' | cut -d " " -f 3 | while read a
+		do	sum=$((sum+a))
+			echo "$sum"
+	  done | tail -1
+	# sorry for the echo-tail-voodoo - i did not know it better :)
+	iptables -Z INPUT
+}
+
+# config test
+[ -z "`filter_ipt_rules`" ] && echo "[`basename $0`]: Could not find a matching iptables rule!" >&2 && exit 1
+
+# return true if it was idle
+test "`count_traffic`" -eq 0
+exit $?

cryptobox.conf.d/scripts/chroot-start.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -eu
+
+TMPDIRS="var/run tmp root dev var/log"
+TMPROOT="/opt/dfsruntime/runtimemnt"
+
+
+for a in $TMPDIRS
+	do	mkdir -p "$TMPROOT/$a"
+  done
+
+[ ! -e /dev/null ] && mknod "/dev/null" c 1 3 && chmod 666 "/dev/null"
+[ ! -e /dev/urandom ] && mknod "/dev/urandom" c 1 9 && chmod 444 "/dev/urandom"
+[ ! -e /dev/console ] && mknod "/dev/console" c 1 5 && chmod 660 "/dev/console"
+
+[ ! -e /proc/mounts ] && mount -t proc proc /proc
+
+bash
+
+umount proc
+rm -r "$TMPROOT"
+mkdir "$TMPROOT"

cryptobox.conf.d/scripts/configure-cryptobox.sh

@@ -0,0 +1,44 @@
+#!/bin/sh
+#
+# this script is only called during the making of the cryptobox cd
+#
+
+set -eu
+
+# parse config file
+. /etc/cryptobox/cryptobox.conf
+
+RUNTIMEDIR=/opt/dfsruntime/runtimerd
+TUNDEV=$RUNTIMEDIR/dev/net/tun
+
+[ ! -e "/proc/mounts" ] && mount -t proc proc /proc
+
+######### devices ##########
+# create tun device for running under qemu
+if [ ! -e "$TUNDEV" ]
+	then	mkdir -p `dirname "$TUNDEV"`
+		mknod "$TUNDEV" c 10 200
+  fi
+
+######### thttpd ###########
+# change thttpd's config from 'chroot' to 'nochroot' - otherwise no perl script will run
+sed -i "s/^chroot$/nochroot/" /etc/thttpd/thttpd.conf
+# change thttpd-user from www-data to root (permissions for mount, cryptsetup, ...)
+sed -i "s/^user=.*/user=root/" /etc/thttpd/thttpd.conf
+
+######### bashrc ###########
+# remove dfshints from bashrc
+sed -i "/^dfshints$/d" $RUNTIMEDIR/root/.bashrc
+
+########## sshd ############
+# allow empty passwords for ssh
+#  the daemon is NOT started automatically, so you have to start it
+#  manually in case of need - as the root pw is empty and passwd is ro, you
+#  have to allow empty passwords for this rare case
+sed -i 's/^PermitEmptyPass.*$/PermitEmptyPasswords yes/' /etc/ssh/sshd_config
+# turn off PAM for ssh, as it prevents the use of empty passwords (stange behaviour)
+sed -i 's/^UsePAM.*$/UsePAM no/' /etc/ssh/sshd_config
+# allow nput of password
+sed -i 's/^PasswordAuthentication.*$/PasswordAuthentication yes/' /etc/ssh/sshd_config
+
+umount /proc

cryptobox.conf.d/scripts/cryptobox.sh

@@ -0,0 +1,362 @@
+#!/bin/sh
+#
+# this script does EVERYTHING
+# all other scripts are only frontends :)
+#
+
+set -eu
+
+# parse config file
+. /etc/cryptobox/cryptobox.conf
+
+## configuration
+MARKER="$CONFIG_DIR/cryptobox.marker"
+CERT_TEMP=/tmp/stunnel.pem
+
+#####
+
+function error_msg()
+# parameters: ExitCode ErrorMessage
+{
+	echo "[`date`] - $2" | tee -a "$LOG_FILE" >&2
+	# print the execution stack - not usable with busybox
+	#caller | sed 's/^/\t/' >&2
+	exit "$1"
+}
+
+
+function initial_checks()
+# Parameter: device
+{
+	local device="$1"
+	[ ! -b "$device" ] && echo "blockdevice $device does not exist" && return 1
+	## check if we have an existing configpartition
+	## TODO: why this config_mount_test?
+	# config_mount_test "$device"
+	[ ! -x "$WIPE" ] && echo "$WIPE not found" && return 1
+	[ ! -x "$SFDISK" ] && echo "$SFDISK not found" && return 1
+	for a in $ALGO $HASH
+		do	grep -q "^name *: $a$" /proc/crypto || modprobe "$a"
+			grep -q "^name *: $a$" /proc/crypto || { echo "$a is not supported by kernel" && return 1; }
+	  done
+	mount | grep -q "^$device[ 1-9] " && echo "$device is mounted" && return 1
+	return 0
+}
+
+
+function create_partitions()
+# Parameter: device
+{
+	local device="$1"
+	# first partition size is 1 sector, second goes til end
+	# sfdisk -n doesn't actually write (for testing purpose)
+	echo -e "0,1,L \n,,L\n" | $SFDISK "$device"
+}
+
+
+function config_set_value()
+# parameters: SettingName SettingValue
+{
+	mount -o rw,remount "$CONFIG_DIR"
+	echo "$2" > "$CONFIG_DIR/$1"
+	mount -o ro,remount "$CONFIG_DIR"
+}
+
+
+function config_get_value()
+# parameters: SettingName
+{
+	# use mounted config, if it exists - otherwise use defaults
+	local conf_dir
+	if is_config_mounted
+		then	conf_dir=$CONFIG_DIR
+		else	conf_dir=$CONFIG_DEFAULTS_DIR
+	  fi
+	[ -z "$1" ] && error_msg 1 "empty setting name"
+	[ ! -e "$conf_dir/$1" ] && error_msg 2 "unknown configuration value ($1)"
+	cat "$conf_dir/$1"
+}
+
+
+function create_config()
+# Parameter: device
+{
+	local device="${1}1"
+	$MKFS_CONFIG "$device"
+	# mount the config partition rw
+	mount "$device" "$CONFIG_DIR"
+	# create a marker to recognize a cryptobox partition
+	date -I >"$MARKER" 
+	## write (network) interfaces 
+	cp -a "$CONFIG_DEFAULTS_DIR/." "$CONFIG_DIR"
+
+	# copy stunnel cert
+	cp -p "$CERT_TEMP" "$CERT_FILE"
+
+	# beware: config_set_value remounts the config partition read-only
+	config_set_value "device" "$1"
+
+	config_set_value "ip" "$(get_current_ip)"
+
+	# reinitialise configuration
+	umount "$CONFIG_DIR"
+	mount_config
+}
+
+
+function get_current_ip()
+# not necessarily the same as configured (necessary for validation)
+{
+	ifconfig $NET_IFACE | grep "inet" | cut -d ":" -f2 | cut -d " " -f1
+}
+
+
+function create_crypto()
+# Parameter: device
+{
+	local device="$1"
+	# flood the crypto partition with noise
+	# - not needed -
+	#$WIPE -kq -R /dev/urandom "${device}2"
+
+	# passphrase may be passed via command line
+	$CRYPTSETUP -h "$HASH" -c "$ALGO" create "$CRYPTMAPPER_DEV" "${device}2"
+}
+
+
+function mkfs_crypto()
+# split from create_crypto to allow background execution via web interface
+{
+	$MKFS_DATA "$CRYPTMAPPER_DEV"
+}
+
+
+function config_mount_test()
+# Parameter: device
+{
+	local device="${1}"
+	local STATUS=0
+	mount "${device}1" "$CONFIG_DIR" &>/dev/null || true
+	is_config_mounted && STATUS=1
+	umount "$CONFIG_DIR" &>/dev/null || true
+	# return code is the result of this expression
+	[ 1 -eq "$STATUS" ] && return 0
+	return 1
+}
+
+
+function is_config_mounted()
+{
+	mount | grep -q " ${CONFIG_DIR} " && [ -f "$MARKER" ]
+}
+
+
+function is_crypto_mounted()
+{
+	mount | grep -q " ${CRYPTO_DIR} "
+}
+
+
+function is_init_running()
+{
+	ps -e | grep -q -E "$MKFS_DATA|$WIPE"
+}
+
+
+function find_harddisk()
+# look for the harddisk to be partitioned
+{
+	local dev=$(
+		if is_config_mounted
+		  then	config_get_value "device"
+		  else	for a in $SCAN_DEVICES
+			do	grep -q " `basename $a`$" /proc/partitions && echo "$a" && break
+			    done
+		fi )
+	[ -z "$dev" ] && error_msg 4 "no valid partition for initialisation found!"
+	echo -n "$dev"
+}
+
+
+function mount_config()
+{
+	is_config_mounted && error_msg 3 "configuration directory ($CONFIG_DIR) is already mounted!"
+	local device=$(
+	    for a in $SCAN_DEVICES
+		do	echo "Trying to load configuration from $a ..." >&2
+			config_mount_test "$a" && echo "$a" && break
+		  done )
+	if [ -n "$device" ] && mount "${device}1" "$CONFIG_DIR"
+		then	echo "configuraton found on $device" >&2
+			config_set_value "device" "$device"
+			return 0
+		else	echo "failed to locate harddisk" >&2
+			return 1
+	fi
+}
+
+
+function mount_crypto()
+{
+	is_crypto_mounted && echo "Das Crypto-Dateisystem ist bereits aktiv!"
+	local device=`find_harddisk`
+	# passphrase is read from stdin
+	$CRYPTSETUP -h "$HASH" -c "$ALGO" create "$CRYPTMAPPER_DEV" "${device}2"
+	if mount "$CRYPTMAPPER_DEV" "$CRYPTO_DIR"
+		then	/etc/init.d/samba start
+		else	dmsetup remove "$CRYPTMAPPER_DEV"
+			return 1
+	fi
+}
+
+
+function umount_crypto()
+{
+	# do not break on error
+	set +e
+	# thttpd removes PATH for cgis
+	/etc/init.d/samba stop
+	ps -e | grep -q " samba$" && killall samba
+	ps -e | grep -q " samba$" && killall -9 samba
+	umount "$CRYPTO_DIR"
+	$CRYPTSETUP remove "$CRYPTMAPPER_DEV"
+	set -e
+}
+
+		
+function init_cryptobox_part1()
+# this is only the first part of initialisation that takes no time - good for a smooth web interface
+{
+	umount_crypto || true
+	umount "$CONFIG_DIR" || true
+	local device=`find_harddisk`
+	initial_checks "$device" || error_msg 5 "Failure during initialisation - bye, bye"
+	create_partitions "$device"
+	create_config "$device"
+	create_crypto "$device"
+}
+
+
+function init_cryptobox_part2()
+# some things to be done in the background
+# these are the final steps of initialisation
+# thuid must be changed at the first time, therfore it needs to be
+# mounted
+{
+	mkfs_crypto
+	mount "$CRYPTMAPPER_DEV" "$CRYPTO_DIR"
+	chown $SAMBA_USER "$CRYPTO_DIR"
+	umount_crypto
+}
+
+
+function init_cryptobox_complete()
+{
+	init_cryptobox_part1
+	init_cryptobox_part2
+}
+
+### main ###
+
+# set PATH because thttpd removes /sbin and /usr/sbin for cgis
+export PATH=/usr/sbin:/usr/bin:/sbin:/bin
+
+
+ACTION=help
+[ $# -gt 0 ] && ACTION="$1"
+
+case "$ACTION" in
+	config-up )
+		# die cruft option hilft vielleicht bei dem Fehler "interleaved files not (yet) supported"
+		mount -o remount,cruft /
+		if mount_config
+		  then	echo "Cryptobox configuration successfully loaded"
+		  else	error_msg 3 "Could not find a configuration partition!"
+		 fi
+		;;
+	config-down )
+		umount "$CONFIG_DIR"
+		;;
+	network-up )
+		kudzu -s -q --class network
+		conf_ip=$(config_get_value "ip")
+		ifconfig $NET_IFACE "$conf_ip"
+		echo "Configured network interface for $NET_IFACE: $conf_ip"
+		/scripts/firewall.sh start
+		# start stunnel
+		if [ -f "$CERT_FILE" ] 
+		   then	USE_CERT=$CERT_FILE
+		   else USE_CERT=$CERT_TEMP
+			/scripts/make_stunnel_cert.sh "$CERT_TEMP" >>"$LOG_FILE" 2>&1
+		  fi
+		stunnel -p "$USE_CERT" -r localhost:80 -d 443 \
+			|| echo "$USE_CERT not found - not starting stunnel"
+		# this ping allows other hosts to get the IP of
+		# the box, in case of misconfiguration
+		ping -b -c 1 $(ifconfig $NET_IFACE | grep Bcast | cut -d ":" -f 3 | cut -d " " -f 1) &>/dev/null
+		;;
+	network-down )
+		/scripts/firewall.sh stop
+		killall stunnel
+		ifconfig $NET_IFACE down
+		;;
+	services-up )
+		/etc/init.d/thttpd start
+		;;
+	services-down )
+		/etc/init.d/samba stop
+		/etc/init.d/thttpd stop
+		;;
+	box-init )
+		# this is good for commandline only, as it takes a lot of time
+		init_cryptobox_complete >>"$LOG_FILE" 2>&1
+		;;
+	box-init-fg )
+		# only partitioning and configuration
+		# this is nice for the web interface, as it is fast
+		# output redirection does not work, as it prevents cryptsetup from asking
+		# for a password
+		init_cryptobox_part1 >>"$LOG_FILE" 2>&1
+		;;
+	box-init-bg )
+		# do it in the background to provide a smoother web interface
+		# messages and errors get written to $LOG_FILE
+		# the 'exec' output redirection does not work, if called by a cgi, so
+		# redirect it as usual
+		init_cryptobox_part2 </dev/null >>"$LOG_FILE" 2>&1 &
+		;;
+	is_crypto_mounted )
+		is_crypto_mounted
+		;;
+	is_config_mounted )
+		is_config_mounted
+		;;
+	is_init_running )
+		is_init_running
+		;;
+	crypto-mount )
+		mount_crypto
+		;;
+	crypto-umount )
+		umount_crypto
+		;;
+	set_config )
+		[ $# -ne 3 ] && error_msg 7 "'set_config' requires two parameters"
+		config_set_value "$2" "$3"
+		;;
+	get_config )
+		[ $# -ne 2 ] && error_msg 6 "'get_config' requires exactly one parameter"
+		config_get_value "$2"
+		;;
+	diskinfo )
+		$SFDISK -L -q -l `find_harddisk`
+		;;
+	get_current_ip )
+		get_current_ip
+		;;
+	* )
+		# TODO: update this!
+		echo "Syntax: `basename $0` { mount_config | umount_config | init }"
+		echo
+		;;
+  esac

cryptobox.conf.d/scripts/devel-features.sh

@@ -0,0 +1,62 @@
+#!/bin/sh
+#
+# this script is part of the boot process of a developer's cryptobox
+#
+# it should really NEVER be executed on a production system
+# 
+
+set -eu
+
+# parse config file
+. /etc/cryptobox/cryptobox.conf
+
+MIRROR_DIR=/tmp/mirror
+MIRROR_ORIG_DIR=/tmp/mirror.orig
+WRITE_DIRS="/usr/share/cryptobox /var/www /scripts /usr/lib/cryptobox"
+
+ACTION="--help"
+[ $# -gt 0 ] && ACTION="$1"
+
+case "$ACTION" in
+	start )
+		# start ssh daemon
+		/etc/init.d/ssh start
+
+		# copy cryptobox files to tmpfs
+		for a in $WRITE_DIRS
+			do	mkdir -p "$MIRROR_DIR/$a"
+				cp -a "$a/." "$MIRROR_DIR/$a"
+				mount --bind "$MIRROR_DIR/$a" "$a"
+		  done
+		$0 set_diff_base
+
+		# thttpd needs to be restarted to reopen its files
+		/etc/init.d/thttpd restart
+		;;
+	set_diff_base )
+		# the present content of the tmpfs mirror get copied to
+		# MIRROR_ORIG_DIR for later diffs
+		# whenever you merged a diff, you should call this function
+		[ -e "$MIRROR_ORIG_DIR" ] && rm -rf "$MIRROR_ORIG_DIR"
+		cp -a "$MIRROR_DIR" "$MIRROR_ORIG_DIR"
+		;;
+	diff )
+		cd "`dirname \"$MIRROR_ORIG_DIR\"`" 
+		# diff and remove "binary files differ"-warnings (vi-swap-files)
+		diff -ruN "`basename \"$MIRROR_ORIG_DIR\"`" "`basename \"$MIRROR_DIR\"`" | grep -v "^Binary files"
+		;;
+	stop )
+		/etc/init.d/ssh stop
+		for a in $WRITE_DIRS
+			do	umount "$MIRROR_DIR/$a"
+		  done
+		rm -rf "$MIRROR_DIR"
+		;;
+	restart )
+		$0 stop
+		$0 start
+		;;
+	* )
+		echo "Syntax: `basename $0` { start | stop | restart }"
+		;;
+  esac

cryptobox.conf.d/scripts/firewall.sh

@@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# set up the firewall of the cryptobox
+#
+
+set -u
+
+# parse config file
+. /etc/cryptobox/cryptobox.conf
+
+
+ACTION="help"
+[ $# -gt 0 ] && ACTION=$1
+
+case "$ACTION" in 
+	start)
+		iptables -P INPUT DROP
+		iptables -P FORWARD DROP
+		iptables -P OUTPUT ACCEPT
+
+		OFILE=/proc/sys/net/ipv4/tcp_syncookies
+		[ -e "$OFILE" ] && echo 1 >"$OFILE"
+
+		iptables -F
+		iptables -X 
+		iptables -Z
+
+		iptables -A INPUT -i lo -j ACCEPT
+
+		for a in $ALLOW_TCP_PORTS
+		    do	iptables -A INPUT -i $NET_IFACE -p tcp --dport $a -j ACCEPT
+		  done
+		
+		for a in $ALLOW_UDP_PORTS
+		    do	iptables -A INPUT -i $NET_IFACE -p udp --dport $a -j ACCEPT
+		  done
+		
+		iptables -A INPUT -i $NET_IFACE -p icmp -j ACCEPT
+	;;
+	stop)
+		iptables -P INPUT ACCEPT
+		iptables -P FORWARD ACCEPT
+		iptables -P OUTPUT ACCEPT
+		iptables -F
+		iptables -X 
+		iptables -Z
+	;;
+	*)
+		echo "usage $0 start | stop"
+	;;
+esac
+

cryptobox.conf.d/scripts/make_stunnel_cert.sh

@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+# this script creates the stunnel certificate for https
+#
+# parameter: "destination file"
+#
+
+set -eu
+
+# parse config file
+. /etc/cryptobox/cryptobox.conf
+
+
+## vcert values are in openssl.conf
+CERTFILE="$1"
+TMP_FILE=/tmp/cryptobox-cert.tmp
+
+[ ! -f "$CONF_FILE" ] && echo "`basename $0`: $CONF_FILE not found" && exit 2
+# this command creates the certificate
+# this is required, because the certbuilding asks for 5 returns
+echo -ne "\n\n\n\n\n" | openssl req -new -x509 -nodes -days 3650 -config "$OPENSSL_CONF_FILE" -out "$CERTFILE" -keyout "$CERTFILE"
+chmod 600 "$CERTFILE"
+
+# next step needs a lot of randomdata
+dd if=/dev/urandom of="$TMP_FILE" bs=1024 count=1024
+openssl dhparam -rand "$TMP_FILE" 512 >> "$CERTFILE"
+rm "$TMP_FILE"
+
+#ln -sf ${CERTPATH}stunnel.pem ${CERTPATH}`openssl x509 -noout -hash < "${CERTPATH}stunnel.pem"`.0
+
+## print out cert values
+#openssl x509 -subject -dates -fingerprint -in stunnel.pem

cryptobox.conf.d/usr/lib/cryptobox/validate.sh

@@ -0,0 +1,93 @@
+#!/bin/sh
+#
+# do a validation
+#
+# use "--help" for a list of possible actions
+#
+
+set -eu
+
+# parse config file
+. /etc/cryptobox/cryptobox.conf
+
+
+function error_die()
+{
+	echo "$2" >&2
+	exit $1
+}
+
+
+function do_single()
+# Parameter: "test case dir" "output directory for results"
+{
+	local TESTNAME=$(basename $1)
+	curl --insecure --silent --output "${2}/${TESTNAME}.html" --config "$1/input.curl"
+	[ -e "${2}/${TESTNAME}.html" ] && sed "1,/CBOX-STATUS-begin/d; /CBOX-STATUS-end/,\$d" "${2}/${TESTNAME}.html" >"${2}/${TESTNAME}.status"
+	# the diff option "-B" is required, because the status output of 
+	# the cryptobox.pl script contains some blank lines
+	diff -NB "${2}/${TESTNAME}.status" "$1/output" >"${2}/${TESTNAME}.diff" || true
+	rm "${2}/${TESTNAME}.status"
+	cp "$1/description" "${2}/${TESTNAME}.desc"
+}
+
+
+function do_series()
+# parameter: name of the test case
+{
+	[ -d "$REPORT_DIR/$1" ] && rm -r "$REPORT_DIR/$1"
+	mkdir -p "$REPORT_DIR/$1"
+	find "$TEST_CASES_DIR/$1" -type d -maxdepth 1 -mindepth 1 | grep -v "/\.\.*$" | sort | while read a
+		do	do_single "$a" "$REPORT_DIR/$1"
+	  done
+	create_summary "$REPORT_DIR/$1" >"$REPORT_DIR/$1/summary.html"
+	tar czf "$REPORT_DIR/${1}-results.tar.gz" -C "$REPORT_DIR" "$1"
+	echo "$REPORT_DIR/${1}-results.tar.gz"
+}
+
+
+create_summary()
+# parameter: directory of results
+{
+	cat "$SUMMARY_TEMPLATE_DIR/header"
+	find "$1" -type f -name \*.desc -maxdepth 1 | sort | while read a
+	    do	TESTNAME=$(basename ${a%.desc})
+		TESTDESCRIPTION=$(cat $a)
+	    	sed "s#_TESTNAME_#$TESTNAME#g; s/_TESTDESCRIPTION_/$TESTDESCRIPTION/" "$SUMMARY_TEMPLATE_DIR/single_header"
+		local DIFF_FILE=${a%.desc}.diff
+		if [ -s "$DIFF_FILE" ]
+		   then	cat "$SUMMARY_TEMPLATE_DIR/result-error"
+			cat "$DIFF_FILE"
+		   else	cat "$SUMMARY_TEMPLATE_DIR/result-ok"
+			echo "no differences found"
+		 fi
+		cat "$SUMMARY_TEMPLATE_DIR/single_footer"
+		rm "$DIFF_FILE" "$a"
+	  done
+	cat "$SUMMARY_TEMPLATE_DIR/footer"
+}
+
+
+ACTION="--help"
+[ $# -gt 0 ] && ACTION=$1
+
+case "$ACTION" in
+	list )
+		find "$TEST_CASES_DIR" -type d -maxdepth 1 -mindepth 1 | grep -v "/\.\.*$" | sort | while read a
+			do	echo $(basename "$a")
+		  done
+		;;
+	check )
+		[ $# -ne 2 ] && error_die 1 "Syntax: $(basename $0) check NAME"
+		CASE_DIR="$TEST_CASES_DIR/$2"
+		[ ! -d "$CASE_DIR" ] && error_die 2 "the test case was not found ($CASE_DIR)!"
+		do_series "$2"
+		;;
+	* )
+		echo "Syntax of $(basename $0)"
+		echo -e "\t list \t\t - show a list of available test cases"
+		echo -e "\t check NAME \t - execute a test case - if successful the filename of the report is printed"
+		echo -e "\t help \t\t - this syntax information"
+		echo
+		;;
+  esac

cryptobox.conf.d/usr/lib/perl5/ClearSilver.pm

@@ -0,0 +1,68 @@
+package ClearSilver;
+
+use 5.006;
+use strict;
+use warnings;
+
+require Exporter;
+require DynaLoader;
+
+our @ISA = qw(Exporter DynaLoader);
+
+# Items to export into callers namespace by default. Note: do not export
+# names by default without a very good reason. Use EXPORT_OK instead.
+# Do not simply export all your public functions/methods/constants.
+
+# This allows declaration	use ClearSilver ':all';
+# If you do not need this, moving things directly into @EXPORT or @EXPORT_OK
+# will save memory.
+our %EXPORT_TAGS = ( 'all' => [ qw(
+	
+) ] );
+
+our @EXPORT_OK = ( @{ $EXPORT_TAGS{'all'} } );
+
+our @EXPORT = qw(
+	
+);
+our $VERSION = '0.01';
+
+bootstrap ClearSilver $VERSION;
+
+# Preloaded methods go here.
+
+1;
+__END__
+# Below is stub documentation for your module. You better edit it!
+
+=head1 NAME
+
+ClearSilver - Perl extension for blah blah blah
+
+=head1 SYNOPSIS
+
+  use ClearSilver;
+  blah blah blah
+
+=head1 DESCRIPTION
+
+Stub documentation for ClearSilver, created by h2xs. It looks like the
+author of the extension was negligent enough to leave the stub
+unedited.
+
+Blah blah blah.
+
+=head2 EXPORT
+
+None by default.
+
+
+=head1 AUTHOR
+
+A. U. Thor, E<lt>a.u.thor@a.galaxy.far.far.awayE<gt>
+
+=head1 SEE ALSO
+
+L<perl>.
+
+=cut

cryptobox.conf.d/usr/lib/perl5/auto/ClearSilver/.packlist

@@ -0,0 +1,4 @@
+/tmp/clearsilver-perl/local/lib/perl/5.8.7/ClearSilver.pm
+/tmp/clearsilver-perl/local/lib/perl/5.8.7/auto/ClearSilver/ClearSilver.bs
+/tmp/clearsilver-perl/local/lib/perl/5.8.7/auto/ClearSilver/ClearSilver.so
+/tmp/clearsilver-perl/local/man/man3/ClearSilver.3pm

cryptobox.conf.d/usr/share/cryptobox/defaults/ip

@@ -0,0 +1 @@
+192.168.0.23

cryptobox.conf.d/usr/share/cryptobox/defaults/language

@@ -0,0 +1 @@
+de

cryptobox.conf.d/usr/share/cryptobox/defaults/timeout

@@ -0,0 +1 @@
+30

cryptobox.conf.d/usr/share/cryptobox/lang/de.hdf

@@ -0,0 +1,113 @@
+Lang {
+
+  Menu {
+
+  }
+
+
+  Title {
+  	Init		= Initialisierung der CryptoBox
+	Mount		= Aktivierung der Cryptodaten
+	Umount		= Deaktivierung der Cryptodaten
+	Config		= Konfiguration der CryptoBox
+	Log		= Protokoll der CryptoBox
+  }
+
+
+  Text {
+	EnterNewPassword	= Das neue Passwort eingeben:
+	EnterSamePassword	= Das neue Passwort wiederholen:
+  	InitWarning		= Bei der Initialisierung werden ALLE DATEN auf der Festplatte GELÖSCHT!
+	InitDescription		= Schritt ist nur einmalig vor der ersten Nutzung notwendig.<br>F&uuml;r den t&auml;glichen Gebrauch musst du das verschl&uuml;sselte Dateisystem lediglich aktivieren und deaktivieren
+	ConfirmInitHint		= Um zu best&auml;tigen, dass du weisst, was du tust, tippe hier bitte exakt Folgendes ein:
+  	ConfirmInit		= ja, loesche alle Daten!
+	PartitionInfo		= Derzeitige Partitionierung der Festplatte:
+	IPAddress		= Netwerk-Adresse (IP) der CryptoBox:
+	TimeOut			= Zeitabschaltung des Crypto-Dateisystems (in Minuten):
+	EmptyLog		= Das Logbuch der CryptoBox ist leer.
+	SelectLanguage		= Spracheinstellung:
+  }
+
+
+  Button {
+  	DoInit		= CryptoBox initialisieren
+	SaveConfig	= Speichere Konfiguration
+	Update		= Aktualisieren
+	Mount		= CryptoDaten aktivieren
+	Umount		= CryptoDaten deaktivieren
+  }
+
+
+  Warning {
+    InitNotConfirmed {
+    	Title =	Best&auml;tigung schlug fehl
+	Text =	Der Best&auml;tigungssatz muss exakt eingegeben werden!
+    }
+
+    EmptyPassword {
+    	Title =	Ung&uuml;ltige Eingabe
+	Text =	Das Passwort darf nicht leer sein!
+    }
+
+    DifferentPasswords {
+    	Title =	Ungleiche Passworte
+	Text =	Die beiden Passworte m&uuml;ssen identisch sein, um sicherzustellen, dass dies das gew&uuml;nschte Passwort ist.
+    }
+
+    MountFailed {
+	Title =	Aktivierung schlug fehl
+	Text =	Das verschl&uuml;sselte Dateisystem konnte nicht aktiviert werden. Wahrscheinlich war das Passwort falsch.
+    }
+
+    UmountFailed {
+	Title =	Deaktivierung schlug fehl
+	Text =	Das verschl&uuml;sselte Dateisystem konnte nicht abgeschaltet werden. Wahrscheinlich sind noch Dateien ge&ouml;ffnet. Also schlie&szlig;e alle potentiell unsauberen Programme (beispielsweise die weitverbreitete Textverarbeitung). Notfalls ziehe einfach den Stromstecker!
+	}
+
+    NotConfigured {
+    	Title = Keine Konfiguration gefunden
+	Text = Die CryptoBox wurde noch nicht eingerichtet.
+	}
+
+    InitNotFinished {
+    	Title = Initalisierung noch nicht abgeschlossen
+	Text = Die Initialisierung wird in wenigen Minuten beendet sein. Erst danach ist diese Aktion m&ouml;glich.
+	}
+
+    IsMounted {
+    	Title = Bereits aktiv
+	Text = Das verschl&uuml;sselte Dateisystem ist bereits aktiv.
+	}
+
+    NotMounted {
+    	Title = Nicht aktiv
+	Text = Das verschl&uuml;sselte Dateisystem ist derzeit nicht aktiv.
+	}
+
+    AlreadyConfigured {
+    	Title = Konfiguration gefunden
+	Text = Die CryptoBox wurde bereits eingerichtet. Bei einer erneuten Initialisierung werden alle Daten gel&ouml;scht!
+	}
+    }
+
+
+  Error {
+
+    UnknownAction {
+    	Title =	Unbekannte Aktion
+	Text =	Du hast eine undefinierte Aktion angefordert. Falls du dies nicht bewusst getan hast, solltest du es deinem Administrator mitteilen, damit er das Problem an die Entwickler der CryptoBox weiterleiten kann.
+    }
+
+    MountUnavailableInitRunning {
+	Title =	Die Initialisierung der CryptoBox l&auml;uft noch ...
+	Text =	Solange die Einrichtung der Crypto-Partition nicht abgeschlossen ist, kannst du die CryptoBox nicht aktivieren. Versuche es in ein paar Minuten noch einmal</a>.
+    }
+
+    MountUnavailableNotInitialized {
+	Title =	Die CryptoBox wurde noch nicht initialisiert
+    	Text =	Nach dem Abschluss der einmaligen <a href="/cgi-bin/init-cryptobox.pl" title="Initialisierung">Neueinrichtung</a> kannst du die Crypto-Partition nutzen.
+    }
+
+  }
+
+}

cryptobox.conf.d/usr/share/cryptobox/templates/config_form.cs

@@ -0,0 +1,23 @@
+<div id="config">
+    <h1><?cs var:Lang.Title.Config ?></h1>
+
+    <form action="<?cs var:ScriptName ?>" method="post"
+	    enctype="application/x-www-form-urlencoded">
+	<table class="form">
+	    <tr><td><?cs var:Lang.Text.IPAddress ?></td><td>
+		<input type="text" size="16" maxsize="15" name="ip"
+		    value="<?cs var:Data.Config.IP ?>" /></td></tr>
+	    <tr><td><?cs var:Lang.Text.TimeOut ?></td><td>
+		<input type="text" size="16" maxsize="5" name="timeout"
+		    value="<?cs var:Data.Config.TimeOut ?>" /></td></tr>
+	    <tr><td><?cs var:Lang.Text.SelectLanguage ?></td><td>
+		<select name="language">
+			<option value="de">Deutsch</option>
+			<option value="en">English</option>
+		</select></td></tr>
+	    <tr><td colspan="2">
+		<button type="submit" name="action" value="config_do">
+		    <?cs var:Lang.Button.SaveConfig ?></button></td></tr>
+	</table>
+    </form>
+</div>

cryptobox.conf.d/usr/share/cryptobox/templates/doc.cs

@@ -0,0 +1,5 @@
+<div class="doc">
+
+<?cs include:DocDir + '/' + Data.Doc.Page ?>
+
+</div>

cryptobox.conf.d/usr/share/cryptobox/templates/error.cs

@@ -0,0 +1 @@
+<?cs call:error(Data.Error) ?>

cryptobox.conf.d/usr/share/cryptobox/templates/footer.cs

@@ -0,0 +1,21 @@
+    </div><!-- end of 'words' -->
+
+    <div id="footer">
+	<a href="https://systemausfall.org/prj/cryptobox" title="Projekt-Seite">CryptoBox-Home</a>&nbsp;&nbsp;Die CryptoBox ist ein Projekt von <a href="https://systemausfall.org/senselab" title="systemausfall.org">sense.lab</a>
+    </div>
+
+  </div>
+</div>
+
+<!-- CBOX-STATUS-begin - necessary for validation - do not touch!
+Data.Config.IP=<?cs var:Data.Config.IP ?>
+Data.Config.Language=<?cs var:Data.Config.Language ?>
+Data.Config.TimeOut=<?cs var:Data.Config.TimeOut ?>
+Data.Status.Config=<?cs var:Data.Status.Config ?>
+Data.Status.InitRunning=<?cs var:Data.Status.InitRunning ?>
+Data.Status.IP=<?cs var:Data.Status.IP ?>
+Data.Status.Mounted=<?cs var:Data.Status.Mounted ?>
+CBOX-STATUS-end -->
+
+</body>
+</html>

cryptobox.conf.d/usr/share/cryptobox/templates/header.cs

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+	<title>CryptoBox</title>
+	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+	<meta http-equiv="pragma" content="no-cache" />
+	<meta http-equiv="cache-control" content="no-cache" />
+	<meta http-equiv="expires" content="0" />
+	<link rel="stylesheet" media="screen" href="/cryptobox.css" type="text/css" />
+</head>
+<body>
+
+<div id="main">
+  <div id="head">
+	<h1>Die CryptoBox</h1>
+	<h2>und zwar umsonst!</h2>
+  </div>
+
+  <div id="content">
+    <div id="menu">
+ 	<?cs include:TemplateDir + '/nav.cs' ?>
+    </div>
+  
+    <div id="words">

cryptobox.conf.d/usr/share/cryptobox/templates/init_form.cs

@@ -0,0 +1,37 @@
+<h1><?cs var:Lang.Title.Init ?></h1>
+
+  <div class="init">
+	<form action="<?cs var:ScriptName ?>" method="post" enctype="application/x-www-form-urlencoded">
+
+	    <table class="form">
+	        <!-- TODO: replace colgroup by css? -->
+		<colgroup><col align="right" width="50%"/><col align="left" width="50%"/></colgroup>
+		<caption style="caption-side:top; text-align:center; font-weight:bold; color:red">
+		<?cs var:Lang.Text.InitWarning ?></caption>
+		<tr><td colspan="2" style="text-align:center"></td></tr>
+		<tr><td align="right"><?cs var:Lang.Text.EnterNewPassword ?></td><td>
+		  <input type="password" name="password" size="20" tabindex="1" maxlength="40" />
+		</td></tr>
+		<tr><td align="right"><?cs var:Lang.Text.EnterSamePassword ?> </td><td>
+		  <input type="password" name="password2" size="20" tabindex="2" maxlength="40" />
+		</td></tr>
+		<tr><td colspan="2" align="center">
+		  <?cs var:Lang.Text.ConfirmInitHint ?> <span id="confirmtext"><?cs var:Lang.Text.ConfirmInit ?></span></td></tr>
+		<tr><td colspan="2" align="center">
+		  <input type="text" name="confirm" size="30" tabindex="3" maxlength="50" />
+		</td></tr>
+		<tr><td colspan="2" align="center" style="padding:3%">
+		  <button type="submit" name="action" value="init_do"><?cs var:Lang.Button.DoInit ?></button>
+		</td></tr>
+	    </table>
+	</form>
+  </div>
+
+  <div class="partition_info">
+	<hr/>
+	<h2><?cs var:Lang.Text.PartitionInfo ?></h2>
+	<!-- TODO: CSS! -->
+	<p style="margin-left:10%; margin-right:10%; font-family:monospace">
+	  <?cs var:Data.PartitionInfo ?>
+	</p>
+  </div>

cryptobox.conf.d/usr/share/cryptobox/templates/intro.cs

@@ -0,0 +1 @@
+this is the cryptobox!

cryptobox.conf.d/usr/share/cryptobox/templates/macros.cs

@@ -0,0 +1,33 @@
+<?cs def:warning(warnname) ?><?cs
+    each:item = Lang.Warning ?><?cs 
+      if:(name(item) == warnname)
+        ?><div class="warning">
+		<h1><?cs var:item.Title ?></h1>
+		<p><?cs var:item.Text ?></p></div>
+	<?cs
+      /if ?><?cs
+    /each ?><?cs
+/def ?>
+
+
+<?cs def:error(errname) ?><?cs
+    each:item = Lang.Error ?><?cs 
+      if:(name(item) == errname)
+        ?><div class="error">
+		<h1><?cs var:item.Title ?></h1>
+		<p><?cs var:item.Text ?></p>
+	<?cs
+      /if ?><?cs
+    /each ?><?cs
+/def ?>
+
+
+<?cs def:parseTree(root) ?>
+<!-- the output looks quite ugly and is not very helpful as there are only a few values -->
+    <!-- data tree
+    <?cs each:item = root ?><?cs
+	name:item ?>: <?cs var:item ?><?cs
+	each:subitem = item ?> / <?cs name:subitem ?>=<?cs var:subitem ?><?cs /each ?>
+    <?cs /each ?>
+    -->
+<?cs /def ?>

cryptobox.conf.d/usr/share/cryptobox/templates/main.cs

@@ -0,0 +1,11 @@
+<?cs include:TemplateDir + '/macros.cs' ?>
+<?cs include:TemplateDir + '/header.cs' ?>
+
+<?cs if:Data.Error ?>
+	<?cs include:TemplateDir + '/error.cs' ?>
+<?cs else ?>
+	<?cs if:Data.Warning ?><?cs call:warning(Data.Warning) ?><?cs /if ?>
+	<?cs include:TemplateDir + '/' + Data.Action + '.cs' ?>
+<?cs /if ?>
+
+<?cs include:TemplateDir + '/footer.cs' ?>

cryptobox.conf.d/usr/share/cryptobox/templates/mount_form.cs

@@ -0,0 +1,15 @@
+<h1>Aktivierung des verschl&uuml;sselten Dateisystems</h1>
+
+<div align="center">
+  <table border="0">
+    <form action="<?cs var:ScriptName ?>" method="post"
+	    enctype="application/x-www-form-urlencoded">