#!/bin/sh

set -x

PREFIX=""
CONFIG_DIR="$PREFIX/etc/qubes/yk-keys"
key=`cat $CONFIG_DIR/yk-secret-key.hex | grep -v '^#' | tr -d ' \n'`
if [ -r "$CONFIG_DIR/yk-login-pass-hashed.hex" ]; then
    pass_hash=`cat $CONFIG_DIR/yk-login-pass-hashed.hex | grep -v '^#' | tr -d '\n'`
fi
if [ -z "$pass_hash" -a -r "$CONFIG_DIR/yk-login-pass" ]; then
    # do it in one line (without any intermediate variable, to not leak
    # password to logs, even with set -x
    pass_hash_clear=`cat $CONFIG_DIR/yk-login-pass | grep -v '^#' | tr -d '\n' |
        openssl dgst -sha1 -r | cut -f1 -d ' '`
    # check if not hash of empty string
    if [ "$pass_hash_clear" != "da39a3ee5e6b4b0d3255bfef95601890afd80709" ]; then
        pass_hash="$pass_hash_clear"
    fi
fi
ykvm=`cat $CONFIG_DIR/yk-vm | grep -v '^#' | tr -d '\n'`

# if password was given, verify it
if [ -n "$pass_hash" ]; then
    # PAM appends \0 at the end
    hash=`head -c -1 | openssl dgst -sha1 -r | cut -f1 -d ' '`
    if [ "x$pass_hash" != "x$hash" ]; then
        exit 1
    fi
fi

challenge=`head -c64 /dev/urandom | xxd -c 64 -ps`
# You may need to adjust slot number and USB VM name here
response=`qvm-run -u root --nogui -p $ykvm "ykchalresp -2 -x $challenge"`

correct_response=`echo $challenge | xxd -r -ps | openssl dgst -sha1 -macopt hexkey:$key -mac HMAC -r | cut -f1 -d ' '`

test "x$correct_response" = "x$response"
exit $?
