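#!/bin/sh
# Integration test for ucspi-ssl: sslserver, sslclient, sslcat, sslconnect
# and sslprint. Each step prints a '---'/'--->' heading, runs one command
# and echoes its exit status; the output is meant to be diffed against an
# expected log, so the printed strings must stay exactly as they are.
#
# Assumptions:
#   ucspi-tcp
#   available TCP ports on ::1: 50013--50021
#   127.0.0.1 is resolved as 'localhost'
#   ::1/128 is resolved as 'ip6-loopback'
#   0.0.0.0 and ::/128 is resolved as 'localnet'
#
#   $here is ucspi-ssl current directory
#
# Required from the environment (set by the caller, not here):
#   CADIR, CAFILE, CERTFILE, KEYFILE, CCERTFILE, CKEYFILE
#   sanitize - a filter that normalises variable output (defined elsewhere)
#
# Not tested:
#   setting UID or GID
#   rules
#   write timeout
#
# Key passphrases are never passed on the command line: every '-3' run reads
# its passphrase from fd 3 (the '3< ...pw' redirections), so it does not show
# up in 'ps' or in a shell trace.

echo '---> test sslserver + sslclient: four instances of sslserver (ports 50013, 50014, 50015, 50016) are used'
echo '---> sslserver @port 50015 requires client certs'
echo '++++'

# Four long-running servers; their PIDs are kept so they can be stopped
# (TERM + wait) before the logs are compared at the end.
sslserver -w 2 \
  -s -E -c 1 -Bbanner -Vo -D -1 -3 -Xx rules.cdb -Rt5 -h -l Localserver -b 2 \
  ::1 50016 ./print 3< "$CADIR/::1.pw" > log.50016 2>&1 &
pid_50016=$!

# -m: this is the instance that requires a client certificate.
sslserver -w 2 \
  -s -e -c 1 -Bbanner -Vo -D -1 -3 -Xx rules.cdb -Rt5 -h -l Localserver -b 2 -m \
  ::1 50015 ./print 3< "$CADIR/::1.pw" > log.50015 2>&1 &
pid_50015=$!

# Empty CIPHERS on purpose: used below to provoke cipher-list errors for TLS < 1.3.
CIPHERS='' sslserver -w 2 \
  -s -e -c 1 -Bbanner -Vo -D -1 -3 -Xx rules.cdb -Rt5 -h -l Localserver -b 2 \
  ::1 50014 ./print > log.50014 3< "$CADIR/::1.pw" 2>&1 &
pid_50014=$!

sleep 1

sslserver -w 2 \
  -s -e -c 1 -Bbanner -Vo -D -1 -3 -Xx rules.cdb -Rt5 -h -l Localserver -b 2 \
  ::1 50013 cat - > log.50013 3< "$CADIR/::1.pw" 2>&1 &
pid_50013=$!

sleep 1

echo '---> test sslclient/sslserver behavior with wrong parm (timeout 2 secs)'
echo '++++'

echo '--- sslclient prints usage message without enough arguments'
sslclient -T2 0 0; echo $?

echo '--- sslclient prints error message with unknown port name'
sslclient -T2 0 nonexistentport echo wrong; echo $?

echo '--- sslclient prints error message when connection fails'
sslclient -T2 0 016 echo wrong; echo $?

echo '--- sslclient -q does not print error message when connection fails'
sslclient -T2 -q 0 016 echo wrong; echo $?

echo '--- sslclient prints error message with unknown host name'
sslclient nonexistent.local. 016 echo wrong; echo $?

echo '--- sslclient prints error message with unresolvable host name'
sslclient thislabelistoolongbecausednshasalimitof63charactersinasinglelabel. 50016 echo wrong; echo $?

echo '--- sslserver prints usage message without enough arguments'
sslserver 0 0; echo $?

echo '--- sslserver prints error message with unknown port name'
sslserver 0 nonexistentport echo wrong; echo $?

echo '--- sslserver prints error message with unknown host name'
sslserver nonexistent.local. 016 echo wrong; echo $?

echo '--- sslserver prints error message with unresolvable host name'
sslserver thislabelistoolongbecausednshasalimitof63charactersinasinglelabel. 50016 echo wrong; echo $?

echo '--- sslserver prints error message with non-local host name'
# The bind error carries an address/errno that varies by host; mask it.
(
  sslserver 1.2.3.4 016 echo wrong 2>&1
  echo $?
) | sed -e 's/unable to bind to: .*/unable to bind to: .../'

echo '---> test sslclient to connect to sslserver (on different port; note: cert verify will fail on localhost)'
echo '++++'

# Several runs below use -N (no certificate CN check) or -X (ignore the server
# certificate entirely) so that the handshake succeeds against the test CA on
# loopback; these are test-only settings, not a template for real clients.

echo '--- sslclient sets basic environment variables'
{
  sslclient -p 50017 -R -N -H -T 10 -l Local -a "$CAFILE" ::1 50016 sh -c 'cat <&6'
  echo $?
} | sed -e 's/unable to bind to: .*/unable to bind to: .../'

echo '--- sslserver -e also sets TCP environment variables'
{
  sslclient -p 50018 -e -S -R -N -H -T 10 -l Local -a "$CAFILE" ::1 50016 sh -c 'cat <&6'
  echo $?
} | sanitize

echo '--- sslclient recognizes -D, -z, -r, -h, -t (with elective cipher)'
{
  sslclient -p 50019 -N -D -r -t1 -l Local -a "$CAFILE" \
    -z 'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' \
    ::1 50016 sh -c 'cat <&6'
  echo $?
}
#} | sanitize

echo '--- sslclient sets basic environment variables'
{
  sslclient -p 50020 -R -N -H -l Local -a "$CAFILE" ::1 50016 ./print
  echo $?
} | sanitize

echo '--- sslclient -e sets TCP environment variables'
{
  sslclient -p 50021 -e -R -N -H -l Local -a "$CAFILE" ::1 50016 ./print
  echo $?
} | sanitize

echo '--- sslclient -s sets TLS environment variables'
{
  sslclient -p 50022 -s -R -N -H -l Local -a "$CAFILE" ::1 50016 ./print
  echo $?
} | sanitize

echo '--- sslclient looks up host names properly (localhost. -> ip6-loopback)'
{
  sslclient -p 50023 -R -N -a "$CAFILE" localhost. 50016 ./print
  echo $?
} | sanitize

echo '--- sslclient -v works'
sslclient -p 50024 -v -R -N -H -l Local -a "$CAFILE" ::1 50016 echo ok
echo $?

echo '--- sslserver -N does not check certificates CN'
(
  exec 2>&1
  sslclient -p 50025 -v -R -H -N -l ip6-localhost -a "$CAFILE" -X ::1 50014 sh -c 'sleep 1; echo ok'
  echo $?
) | sanitize

echo '--- sslserver and sslclient print errors for incompatible cipher lists for TLS < 1.3'
(
  exec 2>&1
  sslclient -p 50026 -v -R -H -N -l ip6-localhost -z 'FOOBAR' -a "$CAFILE" ::1 50014 \
    sh -c 'sleep 1; echo ok'
  echo $?
) | sanitize

echo '--- sslclient -X ignores any server certificate'
(
  exec 2>&1
  sslclient -p 50027 -v -R -H -l ip6-localhost -X ::1 50014 \
    sh -c 'sleep 1; echo ok'
  echo $?
) | sanitize

echo '--- sslclient -n checks hostname with certificates SAN/CN'
# NOTE(review): -p 50027 is reused from the previous test and no -n flag is
# passed (hostname checking is presumably the default) -- confirm both.
(
  exec 2>&1
  sslclient -p 50027 -v -R -H -l ip6-localhost -a "$CAFILE" ::1 50014 \
    sh -c 'sleep 1; echo ok'
  echo $?
) | sanitize

echo '---> test sslclient to connect to sslserver requiring client cert'
echo '++++'

echo '--- sslserver prints error for no client certificate'
(
  exec 2>&1
  sslclient -p 50028 -v -R -N -h -l ip6-localhost -a "$CAFILE" ::1 50015 \
    sh -c 'sleep 1; echo ok'
  echo $?
) | sanitize

echo '--- sslserver prints error for bad client certificate'
# The server cert/key pair is deliberately presented as a client cert here.
(
  exec 2>&1
  exec 3< "$CADIR/::1.pw"
  sslclient -p 50029 -v -R -h -l ip6-localhost -a "$CAFILE" -c "$CERTFILE" -k "$KEYFILE" -3 \
    ::1 50015 sh -c 'sleep 1; echo ok'
  echo $?
) | sanitize

echo '--- sslclient uses certificates'
(
  exec 2>&1
  exec 3< "$CADIR/localhost.pw"
  sslclient -p 50030 -v -s -R -N -h -l ip6-localhost -a "$CAFILE" -c "$CCERTFILE" -k "$CKEYFILE" -3 \
    ::1 50015 sh -c 'cat <&6; ./print'
  echo $?
) | sanitize

echo '---> test sslcat to connect to sslserver@5016'
echo '++++'

echo '--- sslcat works'
{
  sslcat ::1 50013 -N -a "$CAFILE" -N
  echo $?
} | sanitize

echo '--- sslconnect works'
# NOTE(review): this step was garbled in the source (unbalanced '{' and a
# stray quote); the 'echo $?', '} | sanitize' and heading lines below are
# reconstructed from the pattern of the neighbouring steps -- confirm upstream.
{
  sslconnect ::1 50013 -N -a "$CAFILE"
  echo $?
} | sanitize

echo '---> test sslconnect to connect to sslserver@5013'
echo '++++'

echo '--- sslclient and sslserver handle larger data'
# 1000 iterations x 4 lines of 26 chars: enough to span several TLS records.
(
  exec 2>&1
  exec 3< "$CADIR/localhost.pw"
  {
    for i in 0 1 2 3 4 5 6 7 8 9; do
      for j in 0 1 2 3 4 5 6 7 8 9; do
        for k in 0 1 2 3 4 5 6 7 8 9; do
          echo "abcdefghijklmnopqrstuvwxyz"
          echo "abcdefghijklmnopqrstuvwxyz"
          echo "abcdefghijklmnopqrstuvwxyz"
          echo "abcdefghijklmnopqrstuvwxyz"
        done
      done
    done
  } | sslconnect ::1 50013 -v -s -N \
    -a "$CAFILE" -c "$CCERTFILE" -k "$CKEYFILE" -3 > /dev/null
  echo $?
) | sanitize

echo '--- sslserver times out'
# First run: stdin closes immediately. Second run: stdin stays silent for 6 s,
# which is longer than the server's -Rt5 timeout.
(
  exec 2>&1
  exec 3< "$CADIR/localhost.pw"
  ( exec echo hereur ) | sslconnect ::1 50013 -v -s -N \
    -a "$CAFILE" -c "$CCERTFILE" -k "$CKEYFILE" -3
  echo $?
) | sanitize
(
  exec 2>&1
  exec 3< "$CADIR/localhost.pw"
  ( sleep 6; exec echo hereur; ) | sslconnect ::1 50013 -v -s -N \
    -a "$CAFILE" -c "$CCERTFILE" -k "$CKEYFILE" -3
  echo $?
) | sanitize

## Kill all sslserver processes
kill -TERM "$pid_50013"
kill -TERM "$pid_50014"
kill -TERM "$pid_50015"
kill -TERM "$pid_50016"
wait "$pid_50013"
wait "$pid_50014"
wait "$pid_50015"
wait "$pid_50016"

echo '---> test sslprint@50021'
echo '++++'

sslprint \
  -s -c 1 -Bsslprint -vo -D -e -1 -3 -Xx rules.cdb -Rt5 -hp -l Localserver -b 2 \
  ::1 50021 3< "$CADIR/::1.pw" > log.sslprint 2>&1 &
pid_50021=$!

sleep 2

echo '--- sslprint prints usage message without enough arguments'
sslprint 0; echo $?

echo '--- sslprint prints error message with unknown port name'
sslprint 0 nonexistentport; echo $?

echo '--- sslprint prints error message with unknown host name'
sslprint nonexistent.local. 016; echo $?

echo '--- sslprint prints error message with unresolvable host name'
sslprint thislabelistoolongbecausednshasalimitof63charactersinasinglelabel. 016; echo $?

echo '--- sslprint prints error message with non-local host name'
(
  sslprint 1.2.3.4 16 2>&1
  echo $?
) | sed -e 's/unable to bind to: .*/unable to bind to: .../'

echo '--- sslprint prints error message with used port'
sslprint -R -H -l Localserver ::1 50021 echo wrong
echo $?

echo '--- sslprint sets basic environment variables'
{
  sslclient -R -H -T 5 -l Local -a "$CAFILE" -N ::1 50021 sh -c 'cat <&6'
  echo $?
} | sanitize

echo '--- sslprint exits when environment changes'
{
  sslclient -R -H -T 5 -l Local -a "$CAFILE" -N ::1 50021 sh -c 'cat <&6'
  echo $?
} | sanitize

echo '--- sslprint does not lose descriptors'
# stdin and stderr are closed on purpose; the child must still get fd 6.
{
  sslclient -R -H -T 5 -l Local -a "$CAFILE" -N ::1 50021 sh -c 'cat <&6' \
    0<&- 2<&-
  echo $?
} | sanitize

sleep 1
kill -TERM "$pid_50021"
wait "$pid_50021"

echo '--- sslserver -1v prints proper messages'
# Normalise everything that differs per run/host (pids, ports, paths,
# negotiated cipher text) before the logs are compared.
cat log.50016 log.50015 log.50014 log.50013 log.sslprint | \
  sed -e 's/::*/::x/' \
    -e 's} [0-9]* } x }g' \
    -e 's} ip6-loopback:::1::[0-9]*} ip6-loopback:::1::x}' \
    -e 's} :::1:[0-9]*} :::1:x}' \
    -e 's} cafile x .*/\([^/]*\)} cafile x xxx/\1}' \
    -e 's} ccafile x .*/\([^/]*\)} ccafile x xxx/\1}' \
    -e 's} cadir x .*/\([^/]*\)} cadir x xxx/\1}' \
    -e 's} cert x .*/\([^/]*\)} cert x xxx/\1}' \
    -e 's} key x .*/\([^/]*\)} key x xxx/\1}' \
    -e 's} dhparam x .*} dhparam x xxx}' \
    -e 's} speak TLS: .*} speak TLS: ...}' \
    -e 's} accept TLS: .*} accept TLS: ...}' \
    -e 's} done [0-9]*$} done ...}' \
    -e 's} Localserver:::1:[0-9]*} Localserver:::1:x}' \
    -e 's} ip6-localnet:::::[0-9]*} ip6-localnet:::::x}' \
    -e 's} valid client cert received for pid: .*} valid client cert received for pid: ...}'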