#! /bin/sh
#
# This is /sbin/ykluks-keyscript, which gets called when unlocking the disk
#
YUBIKEY_LUKS_SLOT=2 #Set this in case the value is missing in /etc/ykluks.cfg

. /etc/ykluks.cfg

if [ -z "$WELCOME_TEXT" ]; then
    WELCOME_TEXT="Please insert yubikey and press enter or enter a valid passphrase"
fi

message()
{
    if [ -x /bin/plymouth ] && plymouth --ping; then
        plymouth message --text="$*"
    else
        echo "$@" >&2
    fi
    return 0
}

check_yubikey_present="$(ykinfo -q -"$YUBIKEY_LUKS_SLOT")"

if [ -z "$YUBIKEY_CHALLENGE" ] || [ "$check_yubikey_present" != "1" ] ; then
  if [ -z "$cryptkeyscript" ]; then
      if [ -x /bin/plymouth ] && plymouth --ping; then
          cryptkeyscript="plymouth ask-for-password --prompt"
      else
          cryptkeyscript="/lib/cryptsetup/askpass"
      fi
  fi
  PW="$($cryptkeyscript "$WELCOME_TEXT")"
else
  PW="$YUBIKEY_CHALLENGE"
fi

# Check if YubiKey has been inserted during promt
check_yubikey_present="$(ykinfo -q -"$YUBIKEY_LUKS_SLOT")"

if [ "$check_yubikey_present" = "1" ]; then
    message "Accessing yubikey..."
    if [ "$HASH" = "1" ]; then
        PW=$(printf %s "$PW" | sha256sum | awk '{print $1}')
    fi
    R="$(printf %s "$PW" | ykchalresp -"$YUBIKEY_LUKS_SLOT" -i- 2>/dev/null || true)"
    if [ "$R" ]; then
        message "Retrieved the response from the Yubikey"
        if [ "$CONCATENATE" = "1" ]; then
            printf '%s' "$PW$R"
        else
            printf '%s' "$R"
        fi
    else
        message "Failed to retrieve the response from the Yubikey"
    fi
else
        printf '%s' "$PW"
fi

exit 0