Use curl instead of wget

README.mdown

@@ -26,19 +26,19 @@ rm unencrypted_keyfile
 3. Install the keyscript and initramfs hooks.
 
 ```
-wget https://github.com/stupidpupil/https-keyscript/releases/download/v1.0.1/https-keyscript_1.0.3_all.deb
+curl https://github.com/stupidpupil/https-keyscript/releases/download/v1.0.1/https-keyscript_1.0.3_all.deb
 sudo dpkg -i https-keyscript_1.0.3_all.deb
 ```
 
 4. Add keyfile to LUKS slots.
 
 ```
-busybox sh /lib/cryptsetup/scripts/wget_or_ask "somepassphrase:https://example.org/encrypted_keyfile" > unencrypted_keyfile
+busybox sh /lib/cryptsetup/scripts/fetch_or_ask "somepassphrase:https://example.org/encrypted_keyfile" > unencrypted_keyfile
 sudo cryptsetup luksAddKey /dev/someDevice unencrypted_keyfile
 rm unencrypted_keyfile
 ```
 
-5. Update the `/dev/someDevice` entry in `/etc/crypttab` with the option `keyscript=wget_or_ask` and with a 'key file' field like `somepassphrase:https://example.org/encrypted_keyfile`. 
+5. Update the `/dev/someDevice` entry in `/etc/crypttab` with the option `keyscript=fetch_or_ask` and with a 'key file' field like `somepassphrase:https://example.org/encrypted_keyfile`. 
 6. `sudo update-initramfs -u`
 
 (You might also need to add the `initramfs` option to the `crypttab` in step 5 due to _systemd_'s [lack of support for keyscripts](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618862); see the [crypttab man page](http://manpages.ubuntu.com/manpages/cosmic/man5/crypttab.5.html).)

build-deb.sh

@@ -2,10 +2,10 @@
 
 chmod u=rwx src/etc/initramfs-tools/hooks/*.sh
 chmod u=rwx src/etc/initramfs-tools/scripts/init-premount/*.sh
-chmod u=rwx src/lib/cryptsetup/scripts/wget_or_ask
+chmod u=rwx src/lib/cryptsetup/scripts/fetch_or_ask
 
 chmod og=rx src/etc/initramfs-tools/hooks/*.sh
 chmod og=rx src/etc/initramfs-tools/scripts/init-premount/*.sh
-chmod og=rx src/lib/cryptsetup/scripts/wget_or_ask
+chmod og=rx src/lib/cryptsetup/scripts/fetch_or_ask
 
-dpkg-deb -b src dist
+dpkg-deb -b src dist

src/DEBIAN/control

@@ -6,6 +6,6 @@ Homepage: https://github.com/stupidpupil/https-keyscript
 Architecture: all
 Priority: optional
 Section: admin
-Depends: cryptsetup (>= 2), wget (>= 1.15)
+Depends: cryptsetup (>= 2), curl (>= 7.64.0), openssl (>= 1.1.1n)
 Recommends: keyutils (>= 1.5)
 Installed-Size: 5

src/etc/initramfs-tools/hooks/curl.sh

@@ -0,0 +1,20 @@
+#!/bin/sh -e
+PREREQS=""
+case $1 in
+        prereqs) echo "${PREREQS}"; exit 0;;
+esac
+. /usr/share/initramfs-tools/hook-functions
+
+# To find out what library are needed do
+# strace curl https://badssl.com 2>&1 | grep open
+for needed_lib in "libnss_dns*.so*" "libnss_files*.so*" "libresolv*.so*" "ld-linux*.so*" "libc-*.so" "libc.so.*"
+do
+	lib=$(find /lib/ -name "$needed_lib" -type f)
+	if [ ! -z $lib ]
+	then
+		copy_exec "$lib"
+	fi
+done
+
+copy_exec /etc/ssl/certs/ca-certificates.crt
+copy_exec /usr/bin/curl

src/lib/cryptsetup/scripts/wget_or_ask → src/lib/cryptsetup/scripts/fetch_or_ask

@@ -34,14 +34,6 @@ if  [ -z "$url" ] || [ -z "$openssl_passphrase" ]; then
   use_https=0
 fi
 
-if [ -x /usr/bin/real_wget ]; then
-  wget_path="/usr/bin/real_wget"
-elif [ -x /usr/bin/wget ]; then
-  wget_path="/usr/bin/wget"
-else
-  wget_path="wget"
-fi
-
 #
 # Plymouth helper functions
 #
@@ -149,7 +141,7 @@ https_try_fetch ()
 
   message "Fetching remote keyfile for $CRYPTTAB_NAME..."
 
-  encrypted_keyfile=$($wget_path --secure-protocol=PFS -q -O - "$url")
+  encrypted_keyfile=$(curl -s "$url")
 
   if [ $? -eq 0 ]; then
     decrypted_keyfile=$(echo "$encrypted_keyfile" | openssl enc -base64 -aes-256-cbc -md sha256 -d -salt -k "$openssl_passphrase")

tests/initramfs.sh

@@ -47,15 +47,15 @@ if [ -z "$TEST_INSTALLED" ]; then
   echo "initramfs hooks run"
 
   mkdir -p "$INITRAMFS_ROOT/lib/cryptsetup/scripts"
-  cp "src/lib/cryptsetup/scripts/wget_or_ask" "$INITRAMFS_ROOT/lib/cryptsetup/scripts/wget_or_ask"
+  cp "src/lib/cryptsetup/scripts/fetch_or_ask" "$INITRAMFS_ROOT/lib/cryptsetup/scripts/fetch_or_ask"
 
   echo "keyscript copied"
 else
 
   # If there's no reference to the keyscript in the crypttab it won't be installed in the initramfs
-  if ! [ -x "$INITRAMFS_ROOT/lib/cryptsetup/scripts/wget_or_ask" ]; then
+  if ! [ -x "$INITRAMFS_ROOT/lib/cryptsetup/scripts/fetch_or_ask" ]; then
     mkdir -p "$INITRAMFS_ROOT/lib/cryptsetup/scripts"
-    cp "/lib/cryptsetup/scripts/wget_or_ask" "$INITRAMFS_ROOT/lib/cryptsetup/scripts/wget_or_ask"
+    cp "/lib/cryptsetup/scripts/fetch_or_ask" "$INITRAMFS_ROOT/lib/cryptsetup/scripts/fetch_or_ask"
   fi
 
 fi
@@ -101,4 +101,4 @@ if [ $? -eq 0 ]; then
   rm -r "$INITRAMFS_ROOT"
 fi
 
-exit "$exitCode"
+exit "$exitCode"

tests/keyscript.sh

@@ -12,9 +12,9 @@ export HTTPSKEYSCRIPT_TESTING=1
 
 # Run the test against the src version of the keyscript if its available
 # or else against the installed version (which is useful for the initramfs test)
-keyscriptPath="src/lib/cryptsetup/scripts/wget_or_ask"
+keyscriptPath="src/lib/cryptsetup/scripts/fetch_or_ask"
 if [ ! -f "$keyscriptPath" ]; then
-  keyscriptPath="/lib/cryptsetup/scripts/wget_or_ask"
+  keyscriptPath="/lib/cryptsetup/scripts/fetch_or_ask"
 fi
 
 cExitCode=0
@@ -124,4 +124,4 @@ export CRYPTTAB_TRIED=1
 runTest
 assertExitedWithAskpass
 
-exit "$cExitCode"
+exit "$cExitCode"

tests/shellcheck.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 SC_EXCLUDE="SC2181,SC2162,SC1091,SC2129"
 
-shellcheck -s sh --exclude="$SC_EXCLUDE" src/lib/cryptsetup/scripts/wget_or_ask \
+shellcheck -s sh --exclude="$SC_EXCLUDE" src/lib/cryptsetup/scripts/fetch_or_ask \
   src/etc/initramfs-tools/hooks/*.sh \
-  src/etc/initramfs-tools/scripts/init-premount/networking.sh
+  src/etc/initramfs-tools/scripts/init-premount/networking.sh