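#!/bin/bash
# Validate the wolfSSL ECCSI forgery fix: build the vulnerable (v5.9.0-stable)
# and fixed (v5.9.1-stable) releases, compile the repro harness against each,
# run both, and write a JSON verdict.
#
# Environment:
#   PRUVA_ROOT  project root (default: parent of this script's directory)
#   PRUVA_WORK  scratch directory for the builds and harness binaries
#               (default: /tmp, matching the historical layout)
# Outputs:
#   $ROOT/logs/build_<tag>.log            full configure/make output per tag
#   $ROOT/logs/{vulnerable,fixed}_forge.txt  harness output
#   $ROOT/repro/validation_verdict.json   machine-readable verdict
# Exit status:
#   0 when the vulnerable build accepts the forgery AND the fixed build rejects
#   it; 1 otherwise (including build failures, which abort early).
set -euo pipefail

# Portable root detection
ROOT="${PRUVA_ROOT:-$(cd "$(dirname "$0")/.." && pwd)}"
LOGS="$ROOT/logs"
REPRO="$ROOT/repro"
WOLFSSL_DIR="$ROOT/external/wolfssl"
HARNESS_SRC="$REPRO/eccsi_forge.c"

# NOTE(review): the default scratch location is world-shared and its names are
# predictable. On a multi-user host set PRUVA_WORK to a private directory
# (e.g. from `mktemp -d`) so the library the harness links against cannot be
# pre-planted by another local user between the rm -rf below and the build.
WORK="${PRUVA_WORK:-/tmp}"
VULN_PREFIX="$WORK/wolfssl-vuln"
FIXED_PREFIX="$WORK/wolfssl-fixed"
VULN_BIN="$WORK/forge-vuln"
FIXED_BIN="$WORK/forge-fixed"

# Line the harness prints when a forged signature verifies.
readonly MARKER="FORGERY ACCEPTED"

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Ensure the wolfSSL clone exists and carries the requested tag.
# A --depth=100 clone only contains tags reachable from the last 100
# commits, so an older release tag is fetched on demand.
# Globals:   ROOT, WOLFSSL_DIR
# Arguments: $1 - git tag (e.g. v5.9.0-stable)
#######################################
ensure_tag() {
    local tag=$1
    if [ ! -d "$WOLFSSL_DIR/.git" ]; then
        mkdir -p "$ROOT/external"
        git clone --depth=100 https://github.com/wolfSSL/wolfssl.git "$WOLFSSL_DIR"
    fi
    if ! git -C "$WOLFSSL_DIR" rev-parse -q --verify "refs/tags/$tag^{commit}" >/dev/null; then
        git -C "$WOLFSSL_DIR" fetch --depth=1 origin "refs/tags/$tag:refs/tags/$tag"
    fi
}

#######################################
# Check out a tag and build/install a static, debug wolfSSL into a prefix.
# Build output is captured in a per-tag log instead of being discarded so a
# failing configure/make step can be diagnosed.
# Globals:   WOLFSSL_DIR, LOGS
# Arguments: $1 - label used in the progress banner ("vulnerable"/"fixed")
#            $2 - git tag
#            $3 - install prefix
#######################################
build_wolfssl() {
    local label=$1 tag=$2 prefix=$3
    local log="$LOGS/build_${tag}.log"
    echo "=== Building $label wolfSSL $tag ==="
    # The && chain is required: errexit is suppressed inside an `if !` subshell.
    if ! (
        cd "$WOLFSSL_DIR" &&
        { git clean -fdx || true; } &&
        git checkout "$tag" &&
        ./autogen.sh &&
        ./configure --enable-eccsi --enable-ecc --enable-sha256 \
            --disable-shared --enable-static --enable-debug \
            --prefix="$prefix" &&
        make -j"$(nproc)" &&
        make install
    ) >"$log" 2>&1; then
        die "build of wolfSSL $tag failed; see $log"
    fi
}

#######################################
# Compile the forgery harness against one installed wolfSSL prefix.
# Globals:   HARNESS_SRC
# Arguments: $1 - label for the banner, $2 - install prefix, $3 - output binary
#######################################
compile_harness() {
    local label=$1 prefix=$2 out=$3
    echo "=== Compiling forgery harness against $label lib ==="
    gcc -o "$out" "$HARNESS_SRC" \
        -I"$prefix/include" -L"$prefix/lib" \
        -lwolfssl -lm -Wl,-rpath,"$prefix/lib"
}

#######################################
# Write the verdict JSON. Kept in its own function so the here-doc can sit at
# column 0 and the emitted file keeps its exact layout.
# Globals:   REPRO
# Arguments: $1 - verdict string, $2 - vulnerable_accepted (0/1),
#            $3 - fixed_rejected (0/1)
#######################################
write_verdict() {
    local verdict=$1 vuln_accepted=$2 fixed_rejected=$3
    cat > "$REPRO/validation_verdict.json" <<EOF
{
  "verdict": "$verdict",
  "vulnerable_accepted_forgery": $vuln_accepted,
  "fixed_rejected_forgery": $fixed_rejected,
  "cve": "CVE-2026-5466",
  "details": "ECCSI universal signature forgery via trivial r=0/s=0 scalars"
}
EOF
}

main() {
    mkdir -p "$LOGS" "$REPRO"
    cd "$ROOT"
    [ -f "$HARNESS_SRC" ] || die "harness source not found: $HARNESS_SRC"

    # Clean up previous builds
    rm -rf -- "$VULN_PREFIX" "$FIXED_PREFIX" "$VULN_BIN" "$FIXED_BIN"

    ensure_tag v5.9.0-stable
    ensure_tag v5.9.1-stable
    build_wolfssl vulnerable v5.9.0-stable "$VULN_PREFIX"
    build_wolfssl fixed v5.9.1-stable "$FIXED_PREFIX"
    compile_harness vulnerable "$VULN_PREFIX" "$VULN_BIN"
    compile_harness fixed "$FIXED_PREFIX" "$FIXED_BIN"

    local vuln_log="$LOGS/vulnerable_forge.txt" fixed_log="$LOGS/fixed_forge.txt"
    local vuln_rc=0 fixed_rc=0

    echo "=== Running against vulnerable wolfSSL ==="
    "$VULN_BIN" > "$vuln_log" 2>&1 || vuln_rc=$?

    echo "=== Running against fixed wolfSSL ==="
    "$FIXED_BIN" > "$fixed_log" 2>&1 || fixed_rc=$?

    echo "=== Analyzing results ==="
    local vuln_accepted=0 fixed_rejected=0

    if grep -q -- "$MARKER" "$vuln_log"; then
        vuln_accepted=1
        echo "Vulnerable: forgery ACCEPTED (CONFIRMED)"
    elif (( vuln_rc >= 126 )); then
        # 126/127 = could not exec, >128 = killed by a signal: the harness never
        # reached a verdict, so say so rather than reporting a clean rejection.
        echo "Vulnerable: harness did not run cleanly (exit $vuln_rc)"
    else
        echo "Vulnerable: forgery NOT accepted"
    fi

    if grep -q -- "$MARKER" "$fixed_log"; then
        echo "Fixed: forgery ACCEPTED (BUG NOT FIXED)"
    elif (( fixed_rc >= 126 )); then
        # A crashing or missing fixed-build harness must not count as "fix
        # working": absence of the marker is only meaningful if the check ran.
        echo "Fixed: harness did not run cleanly (exit $fixed_rc)"
    else
        fixed_rejected=1
        echo "Fixed: forgery REJECTED (fix working)"
    fi

    # Write validation verdict
    local verdict exit_code
    if [ "$vuln_accepted" -eq 1 ] && [ "$fixed_rejected" -eq 1 ]; then
        verdict="confirmed"
        exit_code=0
    else
        verdict="not_confirmed"
        exit_code=1
    fi
    write_verdict "$verdict" "$vuln_accepted" "$fixed_rejected"

    echo "=== Verdict: $verdict ==="
    exit "$exit_code"
}

main "$@"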
