#!/usr/bin/sh

. /etc/control.d/functions

CONFIG1=/etc/pam.d/system-auth
CONFIG2=/etc/pam.d/password-auth

new_subst yescrypt8 \
	'^password\s+[a-z]{8,10}\s+pam_unix\.so.* yescrypt rounds=8' \
	's/^\(password\s\+[a-z]\{8,10\}\s\+pam_unix\.so.* \)\(sha512\|yescrypt\)/\1yescrypt/; T; s/\srounds=\S*//g; s/\(\syescrypt\)/\1 rounds=8/'

new_subst yescrypt \
	'^password\s+[a-z]{8,10}\s+pam_unix\.so.* yescrypt' \
	's/^\(password\s\+[a-z]\{8,10\}\s\+pam_unix\.so.* \)\(sha512\|yescrypt\)/\1yescrypt/; T; s/\srounds=\S*//g'

new_subst sha512crypt \
	'^password\s+[a-z]{8,10}\s+pam_unix\.so.* sha512' \
	's/^\(password\s\+[a-z]\{8,10\}\s\+pam_unix\.so.* \)yescrypt/\1sha512/; T; s/\srounds=\S*//g'

new_help yescrypt8 'The new yescrypt password hashing is in use with rounds=8 (128 MiB)'
new_help yescrypt 'The new yescrypt password hashing is in use (by default uses 16 MiB)'
new_help sha512crypt 'The old sha512crypt password hashing is in use'

new_summary 'Password hashing scheme in use by PAM-aware programs'

if is_builtin_mode "$*"; then
	case "$*" in
	status|'')
		STATUS1="`control_subst "$CONFIG1" status`" || exit 1
		STATUS2="`control_subst "$CONFIG2" status`" || exit 1
		if [ -n "$STATUS1" -a "$STATUS1" = "$STATUS2" ]; then
			echo "$STATUS1"
		else
			echo "unknown"
		fi
		;;
	*)
		control_subst "$CONFIG1" "$*" || exit 1
		;;
	esac
else
	control_subst "$CONFIG1" "$*" || exit 1
	control_subst "$CONFIG2" "$*" || exit 1
fi
