#!/bin/sh

#  Copyright (c) 2017, 2018 Taylor R. Campbell
#  All rights reserved.
#
#  Redistribution and use in source and binary forms, with or without
#  modification, are permitted provided that the following conditions
#  are met:
#  1. Redistributions of source code must retain the above copyright
#     notice, this list of conditions and the following disclaimer.
#  2. Redistributions in binary form must reproduce the above copyright
#     notice, this list of conditions and the following disclaimer in the
#     documentation and/or other materials provided with the distribution.
#
#  THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
#  ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
#  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
#  ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
#  FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
#  DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
#  OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
#  HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
#  LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
#  OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
#  SUCH DAMAGE.

set -Ceu

replycont ()
{
  local code fmt
  code=$1
  fmt=$2
  shift 2
  printf '%s-'"$fmt"'\r\n' "$code" "$@"
}

reply ()
{
  local code fmt
  code=$1
  fmt=$2
  shift 2
  printf '%s '"$fmt"'\r\n' "$code" ${1+"$@"}
}

err ()
{
  reply "$@"
}

rsa1024_onion_name ()
{
  # XXX Not actually the onion name!
  printf '%s' "$1" \
    | openssl rsa -outform DER -pubout 2>>/dev/null \
    | openssl dgst -sha1 -binary 2>>/dev/null \
    | hexdump -ve '/1 "%02x"'
}

ed25519v3_onion_name ()
{
  # XXX Not actually the onion name!
  printf '%s.onion' "`openssl rand -hex 28`"
}

add_onion ()
{
  local key
  [ $# -gt 1 ] || { err 512 'Missing argument to ADD_ONION'; return; }
  key=$1
  shift
  case $key in
  NEW:*)
    case ${key##NEW:} in
    BEST|RSA1024)
      pem_priv="$(openssl genrsa 2>>/dev/null)" \
        || { err 551 'Internal error'; return; }
      unfold_awk='
        /-----BEGIN RSA PRIVATE KEY----/,/-----END RSA PRIVATE KEY-----/ {
          if ($0 !~ /-/) printf("%s", $0)
        }
      '
      b64_priv="$(printf '%s' "$pem_priv" | awk "$unfold_awk")"
      priv="$b64_priv"
      onion=$(rsa1024_onion_name "$b64_priv")
      ;;
    ED25519-V3)
      priv="ED25519-V3:$(openssl rand -base64 64 | tr -d '\n')"
      onion=$(ed25519v3_onion_name "$priv")
      ;;
    *)
      err 513 'Invalid key type'
      return
    esac
    discardpk=no
    for option; do
      case $option in
      Flags=*)
        (
          set -Ceu
          IFS=","
          set -- ${option#Flags=}
          for flag; do
            case $flag in
            DiscardPK|Detach|BasicAuth|NonAnonymous);;
            *) err 512 "Invalid 'Flags' argument: \"%s\"" "$flag"; exit 1;;
            esac
          done
        ) || return;
        case $option in *DiscardPK*) discardpk=yes;; *);; esac
        ;;
      Port=*)
        (
          set -Ceu
          IFS=","
          set -- ${option#Port=}
          case $# in 1|2);; *) err 512 'Invalid VIRTPORT/TARGET'; exit 1;; esac
          expr "$1" : '[0-9]*$' >>/dev/null 2>&1 \
            || { err 512 'Invalid VIRTPORT/TARGET'; exit 1; }
          [ "$1" -le 65535 ] || { err 512 'Invalid VIRTPORT/TARGET'; exit 1; }
          case $2 in
          unix:*);;
          *)
            expr "$1" : '[0-9]*$' >>/dev/null 2>&1 \
              || { err 512 'Invalid VIRTPORT/TARGET'; exit 1; }
            [ "$1" -le 65535 ] \
              || { err 512 'Invalid VIRTPORT/TARGET'; exit 1; }
            ;;
          esac
        ) || return;
        ;;
      esac
    done
    ;;
  RSA1024:*)
    [ ${#key} -eq 820 ] || { err 512 'Failed to decode RSA key'; return; }
    b64_priv=${key#RSA1024:}
    folded_priv="$(printf '%s' "$b64_priv" | fold -bw 64)"
    pem_head='-----BEGIN RSA PRIVATE KEY-----'
    pem_foot='-----END RSA PRIVATE KEY-----'
    pem_priv="$(printf '%s\n%s\n%s\n' "$pem_head" "$folded_priv" "$pem_foot")"
    if ! printf '%s' "$pem_priv" | openssl rsa -check >>/dev/null 2>&1; then
      err 512 'Failed to decode RSA key'
      return
    fi
    priv="$b64_priv"
    onion=$(rsa1024_onion_name "$priv")
    ;;
  ED25519-V3:*)
    [ ${#key} -eq 99 ] || \
      { err 512 'Failed to decoded ED25519-V3 key'; return; }
    priv="$key"
    onion=$(ed25519v3_onion_name "$priv")
    ;;
  *)
    err 513 'Invalid key type'
    return
    ;;
  esac
  replycont 250 'ServiceID=%s' "$onion"
  [ "x$discardpk" = xyes ] || replycont 250 'PrivateKey=%s' "$priv"
  reply 250 OK
}

loop ()
{
  local cmd args
  # Wait for authentication.
  while read cmd args; do
    set -- $args
    ok=no
    case $cmd in
    AUTHENTICATE) case ${1-} in 6d6f636b746f72746c650a) break;; *);; esac;;
    *);;
    esac
    err 551 'Bad authentication'
  done
  reply 250 OK
  while read cmd args; do
    set -- $args
    case $cmd in
    ADD_ONION)    add_onion ${1+"$@"};;
    *)            err 510 'Unrecognized command: "%s"' "$cmd";;
    esac
  done
}

loop