/*
   SSHSecure - a program to harden OpenSSH from defaults
   Copyright (C) 2020  Brent Saner

   This program is free software: you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation, either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <https://www.gnu.org/licenses/>.
*/

package moduli

import (
	"bytes"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"

	"golang.org/x/crypto/sha3"
)

// getPregen gets the pregenerated moduli from upstream mirror.
func getPregen() (Moduli, error) {
	m := Moduli{}
	// get the pregenerated moduli
	resp, err := http.Get(pregenURL)
	if err != nil {
		return m, err
	}
	if resp.StatusCode != http.StatusOK {
		return m, errors.New(fmt.Sprintf("returned status code %v: %v", resp.StatusCode, resp.Status))
	}
	defer resp.Body.Close()
	b := make([]byte, resp.ContentLength)
	if _, err = resp.Body.Read(b); err != nil {
		return m, err
	}
	// and compare the SHA3-512 (NIST) checksum.
	s := sha3.New512()
	if _, err = s.Write(b); err != nil {
		// TODO: return nil instead of b?
		return m, err
	}
	goodCksum, err := hex.DecodeString(pregenCksum)
	if err != nil {
		return m, err
	}
	// We just compare the bytestrings.
	if bytes.Compare(s.Sum(nil), goodCksum) != 0 {
		return m, errors.New("checksums do not match")
	}
	if err := Unmarshal(b, m); err != nil {
		return m, err
	}
	return m, nil
}