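# Tests using Google's badssl.com Web service
#
# Copyright (C) 2019 Libiquity LLC
#
# This file is part of wolfutil.
#
# wolfutil is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# wolfutil is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with wolfutil. If not, see <https://www.gnu.org/licenses/>.

# Required environment: TOP_SRCDIR and TOP_BUILDDIR (the script aborts under
# "set -u" if either is unset).
#
# NOTE(review): every 'not' test below passes on *any* non-zero exit from the
# client, so DNS failure, a network outage or a missing binary all look like a
# correct rejection. The rejections only mean something in a run where the
# positive tests (sha256, rsa2048, tls-v1-2, ...) also pass against the live
# service; read a result with failing positive tests as "no coverage".

set -eu

. "${TOP_SRCDIR}/tests/aux/tap-functions.sh"

# Run one TLS connection test against <host>.badssl.com and report it via TAP.
#
# Arguments:
#   $1 - TAP directive passed to result_ -D ('' for none, or 'TODO')
#   $2 - 'not' when the connection is expected to fail, ' ' when it is
#        expected to succeed
#   $3 - badssl.com subdomain to connect to (also used for SNI and Host:)
#   $4 - TCP port
# Outputs:
#   the client's combined stdout/stderr, each line prefixed with ' | ',
#   followed by the TAP result line emitted by result_
do_test()
{
	local directive="${1}"
	local ok="${2}"
	local host="${3}"
	local port="${4}"
	shift 4
	local out=
	local result=

	# ${ok} is deliberately unquoted: ' ' must vanish through word
	# splitting, while 'not' becomes a command prefix (presumably a helper
	# from tap-functions.sh that inverts the exit status; confirm there).
	# The here-document body and terminator sit at column 0 so the request
	# does not depend on tab indentation surviving reformatting; the empty
	# line ends the HTTP header block.
	if out="$(${ok} "${TOP_BUILDDIR}/wolfutil" s_client \
		-connect "${host}.badssl.com:${port}" \
		-servername "${host}.badssl.com" 2>&1 \
		<<-EOF
GET / HTTP/1.1
Host: ${host}.badssl.com:${port}
Connection: close

EOF
	)"
	then
		result='ok'
	else
		result='not ok'
	fi

	# Show the client output as indented context under the result line.
	printf '%s\n' "${out}" | sed 's/^/ | /'
	result_ "${result}" -D "${directive}" -- "${ok} ${host}"
}

plan_ 38

# Certificate
do_test ''     'not' 'expired'             443
do_test ''     'not' 'wrong.host'          443
do_test ''     'not' 'self-signed'         443
do_test ''     'not' 'untrusted-root'      443
do_test ''     'not' 'revoked'             443
do_test 'TODO' ' '   'no-common-name'      443
diag_ 'no-common-name fails since 2020-06-23 due to an expired certificate:'
diag_ 'https://github.com/chromium/badssl.com/issues/447'
do_test 'TODO' ' '   'no-subject'          443
diag_ 'no-subject fails since 2020-06-23 due to an expired certificate:'
diag_ 'https://github.com/chromium/badssl.com/issues/447'
do_test ''     'not' 'incomplete-chain'    443
do_test ''     ' '   'sha256'              443
do_test ''     ' '   'sha384'              443
do_test ''     ' '   'sha512'              443
do_test ''     'not' '1000-sans'           443
do_test ''     'not' '10000-sans'          443
do_test ''     ' '   'ecc256'              443
do_test ''     ' '   'ecc384'              443
do_test ''     ' '   'rsa2048'             443
do_test ''     ' '   'rsa4096'             443
do_test ''     'not' 'rsa8192'             443
do_test ''     ' '   'extended-validation' 443

# HTTP
do_test ''     'not' 'http'                80

# Cipher Suite
do_test ''     'not' 'cbc'                 443
do_test ''     'not' 'rc4-md5'             443
do_test ''     'not' 'rc4'                 443
do_test ''     'not' '3des'                443
do_test ''     'not' 'null'                443
do_test 'TODO' 'not' 'mozilla-old'         443
do_test ''     ' '   'mozilla-intermediate' 443
do_test ''     ' '   'mozilla-modern'      443

# Key Exchange
do_test ''     'not' 'dh480'               443
do_test ''     'not' 'dh512'               443
do_test ''     'not' 'dh1024'              443
do_test ''     ' '   'dh2048'              443
do_test 'TODO' 'not' 'dh-small-subgroup'   443
# Was spelled 'dh-compsite', which is not a badssl.com test endpoint, so its
# result never reflected composite-DH handling. If the client turns out to
# accept the composite modulus, this test will now fail; in that case mark it
# 'TODO' like dh-small-subgroup until the client rejects it.
do_test ''     'not' 'dh-composite'        443
do_test ''     'not' 'static-rsa'          443

# Protocol
do_test ''     'not' 'tls-v1-0'            1010
do_test ''     'not' 'tls-v1-1'            1011
do_test ''     ' '   'tls-v1-2'            1012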