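#!/bin/sh
#
# askpass wrapper implementing a "nuke password" for cryptsetup.
#
# Flow, as implemented below:
#   1. Run the diverted (original) askpass program with "$1" and capture
#      what the user typed.
#   2. If the environment looks sane and the typed password matches the
#      stored nuke-password hash, run `cryptsetup erase` on
#      $CRYPTTAB_SOURCE.
#   3. Always write the typed password to stdout, whether or not the erase
#      ran.
#
# Environment:
#   CRYPTTAB_SOURCE          device to erase (read here, never set here)
#   DIVERTED_ASKPASS         original askpass program (default below)
#   NUKE_PASSWORD_HASH_PATH  file holding the nuke-password hash
#   CRYPT_HELPER             helper that checks a password against a hash
#
# NOTE(review): the three path variables are taken from the environment when
# set, so whatever controls this script's environment also chooses which
# programs it executes and which hash it trusts. Confirm the caller runs it
# with a controlled environment.

DIVERTED_ASKPASS=${DIVERTED_ASKPASS:-/lib/cryptsetup/askpass.cryptsetup}
NUKE_PASSWORD_HASH_PATH=${NUKE_PASSWORD_HASH_PATH:-/etc/cryptsetup-nuke-password/password_hash}
CRYPT_HELPER=${CRYPT_HELPER:-/usr/lib/cryptsetup-nuke-password/crypt}

# Verify that everything needed for the erase path is present.
# Globals:  CRYPTTAB_SOURCE (read), CRYPT_HELPER (read)
# Outputs:  a WARNING line on stderr for the first failed check
# Returns:  0 if all checks pass, 1 otherwise
sanity_checks() {
    # `command -v` is the POSIX lookup; `which` is an external tool that may
    # be absent in a minimal boot environment.
    if ! command -v cryptsetup >/dev/null 2>&1; then
        printf '%s: WARNING: cryptsetup not found in PATH\n' "$0" >&2
        return 1
    fi
    if [ ! -e "$CRYPTTAB_SOURCE" ]; then
        printf '%s: WARNING: $CRYPTTAB_SOURCE (value: %s) does not exist\n' \
            "$0" "$CRYPTTAB_SOURCE" >&2
        return 1
    fi
    if [ ! -x "$CRYPT_HELPER" ]; then
        printf '%s: WARNING: %s is not executable\n' "$0" "$CRYPT_HELPER" >&2
        return 1
    fi
    return 0
}

# Check a typed password against the stored nuke-password hash.
# Arguments: $1 - password as typed by the user
# Globals:   NUKE_PASSWORD_HASH_PATH (read), CRYPT_HELPER (read)
# Returns:   0 if the helper accepts the password, 1 if it rejects it or
#            the hash file is not readable
hash_is_matching() {
    local pass="$1"
    local pass_hash

    if [ ! -r "$NUKE_PASSWORD_HASH_PATH" ]; then
        # No hash, no match
        return 1
    fi
    pass_hash=$(cat "$NUKE_PASSWORD_HASH_PATH")

    # printf '%s' passes the password through byte-for-byte. `echo -n` is not
    # portable under /bin/sh: some implementations expand backslash escapes
    # or treat a leading "-n"/"-e" in the data as an option, which would
    # change what the helper sees. The password goes over stdin, not argv.
    if printf '%s' "$pass" | "$CRYPT_HELPER" --check "$pass_hash"; then
        # User typed the nuke password!
        return 0
    else
        return 1
    fi
}

# Run the cryptsetup "erase" action on a device, without confirmation
# prompts (--batch-mode). This destroys the device's keyslots.
# Arguments: $1 - device to erase
# Returns:   exit status of cryptsetup
nuke_cryptsetup_partition() {
    local partition="$1"

    cryptsetup --batch-mode erase "$partition"
}

if [ ! -x "$DIVERTED_ASKPASS" ]; then
    printf 'ERROR: %s is not available/executable\n' "$DIVERTED_ASKPASS" >&2
    exit 1
fi

# Quoted so the program invoked is exactly the path tested with -x above.
PASSWORD=$("$DIVERTED_ASKPASS" "$1")

if sanity_checks && hash_is_matching "$PASSWORD"; then
    nuke_cryptsetup_partition "$CRYPTTAB_SOURCE"
fi

# Forward the password unchanged. printf '%s' rather than `echo -n`, so a
# passphrase containing backslashes or starting with "-" reaches the
# consumer byte-for-byte.
printf '%s' "$PASSWORD"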