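#!/bin/bash
# Build wolfSSL at the vulnerable (v5.9.0-stable) and fixed (v5.9.1-stable)
# tags, compile the ECCSI variant harness against each install, run both, and
# report whether the fixed build still accepts a forged signature.
#
# Environment:
#   PRUVA_ROOT      project root (default: parent of this script's directory)
#   PRUVA_WORK_DIR  scratch directory for the two installs and the two harness
#                   binaries (default: /tmp, the historical location)
#
# Outputs (under "$ROOT/logs"):
#   build_vulnerable.log, build_fixed.log   full build tool output
#   variant_vulnerable.txt, variant_fixed.txt   harness output
#
# Exit status: 0 when the fixed build accepted a forgery (bypass confirmed),
#              1 when it rejected every attempt, or on any setup/build error.
set -euo pipefail

# Portable root detection
ROOT="${PRUVA_ROOT:-$(cd "$(dirname "$0")/.." && pwd)}"
LOGS="$ROOT/logs"
VULN_DIR="$ROOT/vuln_variant"
WOLFSSL_DIR="$ROOT/external/wolfssl"
# Scratch location. Override PRUVA_WORK_DIR to keep installs and binaries out
# of a world-writable /tmp when the host is shared.
WORK_DIR="${PRUVA_WORK_DIR:-/tmp}"
VULN_PREFIX="$WORK_DIR/wolfssl-vuln"
FIXED_PREFIX="$WORK_DIR/wolfssl-fixed"
VULN_BIN="$WORK_DIR/variant-vuln"
FIXED_BIN="$WORK_DIR/variant-fixed"
readonly ROOT LOGS VULN_DIR WOLFSSL_DIR WORK_DIR \
    VULN_PREFIX FIXED_PREFIX VULN_BIN FIXED_BIN

# Print a diagnostic to stderr and exit with status 1.
die() {
    printf 'ERROR: %s\n' "$*" >&2
    exit 1
}

# Create "$1" if needed and refuse to use it unless it is a real directory
# owned by the current user: a symlink or foreign-owned directory in a shared
# scratch location could redirect "make install" or the compiled harness.
prepare_dir() {
    local dir=$1
    mkdir -p -- "$dir"
    [[ ! -L "$dir" && -d "$dir" && -O "$dir" ]] \
        || die "refusing to use $dir: not a directory owned by $(id -un)"
}

# EXIT trap: put the wolfSSL checkout back where main() found it.
# ORIGINAL_REF is a branch name when the repo was on a branch, otherwise the
# detached commit, so a branch checkout is restored as a branch.
restore_head() {
    cd "$WOLFSSL_DIR" || return 0
    git checkout "$ORIGINAL_REF" >/dev/null 2>&1 || true
}

# Check out wolfSSL tag "$1", build it with the ECCSI configuration, and
# install it under prefix "$2". "$3" is a label ("vulnerable"/"fixed") used
# for messages and for the build log "$LOGS/build_$3.log", so a failing step
# can be diagnosed instead of vanishing into /dev/null.
build_wolfssl() {
    local tag=$1 prefix=$2 label=$3
    local build_log="$LOGS/build_${label}.log"
    local commit

    echo "=== Building $label wolfSSL $tag ==="
    # Start from an empty prefix so nothing from an earlier run is linked in.
    rm -rf -- "${prefix:?}"
    prepare_dir "$prefix"

    cd "$WOLFSSL_DIR"
    git clean -fdx >"$build_log" 2>&1 || true
    git checkout "$tag" >>"$build_log" 2>&1 \
        || die "git checkout $tag failed (see $build_log)"
    # Tags are mutable refs; record the resolved commit so a verdict can be
    # tied to the exact source that was built.
    commit=$(git rev-parse HEAD)
    echo "    $tag resolved to commit $commit"
    printf '%s resolved to commit %s\n' "$tag" "$commit" >>"$build_log"

    ./autogen.sh >>"$build_log" 2>&1 \
        || die "autogen.sh failed for $tag (see $build_log)"
    ./configure --enable-eccsi --enable-ecc --enable-sha256 \
        --disable-shared --enable-static --enable-debug \
        --prefix="$prefix" >>"$build_log" 2>&1 \
        || die "configure failed for $tag (see $build_log)"
    make -j"$(nproc)" >>"$build_log" 2>&1 \
        || die "make failed for $tag (see $build_log)"
    make install >>"$build_log" 2>&1 \
        || die "make install failed for $tag (see $build_log)"
    cd "$ROOT"
}

# Compile the variant harness against the wolfSSL installed under prefix "$2"
# and write the binary to "$3"; "$1" is a label for the progress message.
build_harness() {
    local label=$1 prefix=$2 out=$3
    echo "=== Compiling variant harness against $label ==="
    rm -f -- "$out"
    gcc -o "$out" "$VULN_DIR/eccsi_variant.c" \
        -I"$prefix/include" -L"$prefix/lib" \
        -lwolfssl -lm -Wl,-rpath,"$prefix/lib"
}

# Run harness "$1" with stdout+stderr captured in "$2". The harness is allowed
# to fail; its exit status is printed on stdout for the caller to record.
run_harness() {
    local bin=$1 log=$2 rc=0
    "$bin" >"$log" 2>&1 || rc=$?
    printf '%d\n' "$rc"
}

# True when the literal marker "$1" appears anywhere in log "$2"
# (fixed-string, substring match).
log_has() {
    grep -qF -- "$1" "$2"
}

main() {
    local vuln_log="$LOGS/variant_vulnerable.txt"
    local fixed_log="$LOGS/variant_fixed.txt"
    local vuln_rc fixed_rc
    local vuln_accepted=0 fixed_accepted=0

    mkdir -p -- "$LOGS" "$VULN_DIR"
    cd "$ROOT"

    # Clean up previous variant builds
    rm -f -- "$VULN_BIN" "$FIXED_BIN"

    [[ -d "$WOLFSSL_DIR/.git" ]] \
        || die "wolfSSL repo not found at $WOLFSSL_DIR"
    [[ -f "$VULN_DIR/eccsi_variant.c" ]] \
        || die "harness source not found at $VULN_DIR/eccsi_variant.c"

    # Save current state (global: read by the EXIT trap)
    ORIGINAL_REF=$(cd "$WOLFSSL_DIR" \
        && { git symbolic-ref -q --short HEAD || git rev-parse HEAD; })
    trap restore_head EXIT

    build_wolfssl v5.9.0-stable "$VULN_PREFIX" vulnerable
    build_wolfssl v5.9.1-stable "$FIXED_PREFIX" fixed

    build_harness "vulnerable lib" "$VULN_PREFIX" "$VULN_BIN"
    build_harness "fixed lib" "$FIXED_PREFIX" "$FIXED_BIN"

    echo "=== Running variant tests against vulnerable wolfSSL ==="
    vuln_rc=$(run_harness "$VULN_BIN" "$vuln_log")
    echo "    harness exit status: $vuln_rc"

    echo "=== Running variant tests against fixed wolfSSL ==="
    fixed_rc=$(run_harness "$FIXED_BIN" "$fixed_log")
    echo "    harness exit status: $fixed_rc"

    echo "=== Analyzing results ==="
    if log_has "FORGERY ACCEPTED" "$vuln_log"; then
        vuln_accepted=1
    fi
    if log_has "FORGERY ACCEPTED" "$fixed_log" \
        || log_has "BYPASS CONFIRMED" "$fixed_log"; then
        fixed_accepted=1
    fi

    echo "Vulnerable version accepted forgery: $vuln_accepted"
    echo "Fixed version accepted forgery (bypass): $fixed_accepted"

    # Baseline sanity check: the verdict below only means something if the
    # known-vulnerable build is exercised by the harness as expected. When it
    # did not report acceptance, "NO BYPASS" may just be a harness failure.
    if (( vuln_accepted == 0 )); then
        printf 'WARNING: vulnerable build did not report FORGERY ACCEPTED (exit %s); check %s\n' \
            "$vuln_rc" "$vuln_log" >&2
    fi
    # A status of 128+N means the harness was killed by signal N (e.g. a
    # crash), in which case silence in its log is not a rejection.
    if (( fixed_rc >= 128 )); then
        printf 'WARNING: fixed-build harness terminated by signal (exit %s); verdict may be unreliable\n' \
            "$fixed_rc" >&2
    fi

    if (( fixed_accepted == 1 )); then
        echo "VARIANT/BYPASS CONFIRMED: fixed version still accepts forged signature"
        return 0
    fi
    echo "NO BYPASS: fixed version correctly rejects all variant attempts"
    return 1
}

main "$@"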
