server/keymgmt.c: Track and find keys by their 32-bit IDs.

[tripe] / server / tests.at

### -*-autotest-*-
###
### Test script for the main server
###
### (c) 2008 Straylight/Edgeware
###

###----- Licensing notice ---------------------------------------------------
###
### This file is part of Trivial IP Encryption (TrIPE).
###
### TrIPE is free software: you can redistribute it and/or modify it under
### the terms of the GNU General Public License as published by the Free
### Software Foundation; either version 3 of the License, or (at your
### option) any later version.
###
### TrIPE is distributed in the hope that it will be useful, but WITHOUT
### ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
### FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
### for more details.
###
### You should have received a copy of the GNU General Public License
### along with TrIPE.  If not, see <https://www.gnu.org/licenses/>.

m4_define([nl], [
])

## Configure a directory ready for use by tripe.
m4_define([SETUPDIR], [
  cp $abs_top_srcdir/t/keyring-$1 ./keyring
  key extract -f-secret keyring.pub
])

## Running standard programs with useful options.
m4_define([TRIPE],
  [env TRIPE_PRIVHELPER=$abs_top_builddir/priv/tripe-privhelper \
     $abs_top_builddir/server/tripe -F -d. -aadmin -p0 -b127.0.0.1 \
        ${TRIPE_TEST_TRACEOPTS+-T$TRIPE_TEST_TRACEOPTS}])
m4_define([TRIPECTL], [$abs_top_builddir/client/tripectl -d. -aadmin])
m4_define([USLIP], [$abs_top_builddir/uslip/tripe-uslip])
m4_define([MITM], [$abs_top_builddir/proxy/tripe-mitm])

## WITH_STRACE(tag, cmd)
##
## There's an awful hack here.  If a process running under strace exits with
## a signal, then strace will kill itself with the same signal -- and
## therefore clobber the original process's core file.  So we arrange to run
## strace in one directory and have the child process run in another.
m4_define([WITH_STRACE],
[case "${TRIPE_TEST_STRACE-nil}" in
  nil)
    $2
    ;;
  *)
    mkdir -p strace-hack.$1/
    (ulimit -c hard >/dev/null 2>&1
     sh -c 'cd strace-hack.$1; exec "$[]@"' - \
        strace -ff -tt -v -s1024 -o../$1.trace \
        sh -c 'cd ..; exec "$[]@"' - \
        $2)
    ;;
 esac])

## Sequences.  (These are used for testing the replay protection machinery.)
m4_define([R32], [ 0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15   dnl
                  16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31])
m4_define([P32], [21 26 14 12 25 18  2 27 10 31 24 29  0 20 17 11   dnl
                   8  3  7 23 19  1 13 30  6  9  5 22 15 28 16  4])

###--------------------------------------------------------------------------
### Scaffolding for running a TrIPE server.

## WITH_TRIPEX(dir, args, body)
m4_define([WITH_TRIPEX], [

## If this directory doesn't exist then Bad Things will happen.
if test ! -d $1; then
  echo >&2 "server directory \`$1' doesn't exist"
  exit 99
fi

## Remove the status file.  This is how we notice that the server's died.
rm -f $1/server-status
> $1/expected-server-output
> $1/expected-server-errors

## Autotest writes crap to standard output, which we don't want going to the
## server.  So keep a copy of the standard output, do the pipe, and recover
## the old stdout inside the group.
exec 3>&1
{ (
exec 1>&3 3>&-

## Wait for the socket to appear.  Watch for the server crashing during
## initialization.  Busy waiting is evil, but it's the best I can do and
## not sleep for ages.  (Yes, a second on each test group is a long time.)
while test ! -r $1/server-status && test ! -S $1/admin; do :; done

## Make the port number availale.
AT_CHECK([TRIPECTL -d$1 PORT],, [stdout])
mv stdout $1/port

## Test body...
$3

## End of the test, now run the server.
) && :; } | {
  cd $1
  echo TRIPE $2 >&2
  WITH_STRACE([tripe], [TRIPE $2 >server-output.full 2>server-errors.full])
  stat=$?
  echo $stat >server-status
  if test $stat -ne 0; then
    echo "exit status: $stat" >>server-errors.full
  fi
  grep -v '^+ tripe: ' server-errors.full >server-errors

  ## We interrupt this relatively sensible macro for an especially awful
  ## hack.  The tripe server emits warnings which are often caused by lack of
  ## synchronization between two peers.  These are harmless and shouldn't
  ## cause test failures.  But we shouldn't just trim out all messages that
  ## look like the spurious ones: if they appear when we're not expecting
  ## them, that's bad and they should properly cause a test failure.
  ##
  ## So we use the WARN command to insert magic directives into the server's
  ## message stream.  The directives begin with `WARN USER test'; remaining
  ## tokens may be as follows.
  ##
  ## PUSH               Introduce a new layer of nesting.  Settings between
  ##                    this PUSH and the matching POP will be forgotten
  ##                    following the POP.
  ##
  ## POP                End a layer of nesting.  See PUSH above.
  ##
  ## IGNORE tokens      Ignore lines which begin with the tokens.
  ##
  ## Token comparison isn't done very well, but it's good enough for these
  ## purposes.
  ##
  ## We also trim out trace lines here, since it's useful to produce them for
  ## debugging purposes and changing or introducing more of them shouldn't
  ## cause failures.
  awk '
        BEGIN {
          sp = 0;
          npat = 0;
        }
        $[]1 == "TRACE" { next; }
        $[]1 == "WARN" && $[]2 == "USER" && $[]3 == "test" {
          if ($[]4 == "PUSH")
            npatstk[[sp++]] = npat;
          else if ($[]4 == "IGNORE") {
            s = "";
            p = "";
            for (i = 5; i <= NF; i++) {
              p = p s $[]i;
              s = " ";
            }
            pat[[npat++]] = p;
          } else if ($[]4 == "POP")
            npat = npatstk[[--sp]];
          next;
        }
        {
          for (i = 0; i < npat; i++) {
            n = length(pat[[i]]);
            if (substr($[]0, 1, n) == pat[[i]])
              next;
          }
          print $[]0;
        }
  ' server-output.full >server-output
}
exec 3>&-

## Now check that the server's output matches our expectations.
mv $1/expected-server-output expout
mv $1/expected-server-errors experr
AT_CHECK([cat $1/server-output; cat >&2 $1/server-errors],,
         [expout], [experr])
])

## WITH_TRIPE(args, body)
m4_define([WITH_TRIPE], [WITH_TRIPEX([.], [$1], [$2])])

## WITH_2TRIPES(adir, bdir, bothargs, aargs, bargs, body)
m4_define([WITH_2TRIPES],
          [WITH_TRIPEX([$1], [$3 $4], [WITH_TRIPEX([$2], [$3 $5], [$6])])])

## WITH_3TRIPES(adir, bdir, cdir, allargs, aargs, bargs, cargs, body)
m4_define([WITH_3TRIPES],
          [WITH_TRIPEX([$1], [$4 $5],
          [WITH_TRIPEX([$2], [$4 $6],
          [WITH_TRIPEX([$3], [$4 $7],
          [$8])])])])

## RETRY(n, body)
m4_define([RETRY], [
  n=0 rc=1
  while test $n -lt $1; do
    if $2
    then rc=0; break
    fi
    n=$(( $n + 1 ))
  done
  exit $rc
])

## COMMS_EPING(adir, aname, bdir, bname, [n])
m4_define([COMMS_EPING], [
  AT_CHECK([RETRY([m4_default([$5], [1])],
    [TRIPECTL -d$1 EPING $4])],, [ignore])
  AT_CHECK([RETRY([m4_default([$5], [1])],
    [TRIPECTL -d$3 EPING $2])],, [ignore])
])

## COMMS_SLIP(adir, aname, bdir, bname)
m4_define([COMMS_SLIP], [
  AT_CHECK([echo "from $1" | USLIP -p $1/$4])
  AT_CHECK([USLIP -g $3/$2],, [from $1[]nl])
  AT_CHECK([echo "from $3" | USLIP -p $3/$2])
  AT_CHECK([USLIP -g $1/$4],, [from $3[]nl])
])

## AWAIT_KXDONE(adir, aname, bdir, bname, body)
m4_define([AWAIT_KXDONE], [

  ## Ignore some reports caused by races.
  for i in $1!$4 $3!$2; do
    d=${i%!*} o=${i#*!}
    TRIPECTL -d$d WARN test PUSH
    TRIPECTL -d$d WARN test IGNORE WARN KX $o incorrect cookie
    TRIPECTL -d$d WARN test IGNORE WARN KX $o unexpected pre-challenge
    TRIPECTL -d$d WARN test IGNORE WARN KX $o unexpected challenge
  done

  ## Watch for the key-exchange completion announcement in the background.
  COPROCESSES([wait-$1], [
    echo WATCH +n
    while read line; do
      set x $line; shift
      echo >&2 ">>> $line"
      case "$[]1:$[]2:$[]3" in
        OK::) ;;
        NOTE:KXDONE:$4) break ;;
        NOTE:* | TRACE:* | WARN:*) ;;
        *) exit 63 ;;
      esac
    done
  ], [
    TRIPECTL -d$1
  ]) & waiter_$1=$!

  $5

  ## Collect the completion announcement.
  wait $waiter_$1; waitrc=$?
  AT_CHECK([echo $waitrc],, [0[]nl])

  ## Be interested in key-exchange warnings again.
  for d in $1 $3; do TRIPECTL -d$d WARN test POP; done
])

## ESTABLISH(adir, aname, aopts, bdir, bname, bopts, [aport], [bport])
m4_define([ESTABLISH], [

  ## Set up the establishment.
  AWAIT_KXDONE([$1], [$2], [$4], [$5], [
    AT_CHECK([TRIPECTL -d$1 ADD -cork $6 $5 INET 127.0.0.1 \
      m4_if([$8], [], [$(cat $4/port)], [$8])])
    AT_CHECK([TRIPECTL -d$4 ADD $3 $2 INET 127.0.0.1 \
      m4_if([$7], [], [$(cat $1/port)], [$7])])
  ])

  ## Check transport pinging.
  AT_CHECK([TRIPECTL -d$1 PING $5],, [ignore])
  AT_CHECK([TRIPECTL -d$4 PING $2],, [ignore])

  ## Check communication works.
  COMMS_EPING([$1], [$2], [$4], [$5])
  COMMS_SLIP([$1], [$2], [$4], [$5])
])

###--------------------------------------------------------------------------
### Very unpleasant coprocess handling.

## COPROCESSES(TAG, PROC-A, PROC-B)
m4_define([COPROCESSES], [dnl
rm -f pipe-$1; mknod pipe-$1 p
{ { $2 nl } <pipe-$1 | { $3 nl } >pipe-$1; } dnl
])

## TRIPECTL_INTERACT(ARGS, SHELLSTUFF)
m4_define([TRIPECTL_INTERACT], [
  exec 3>&1
  COPROCESSES([client], [exec 4>&1 1>&3 $1], [TRIPECTL $2])
])

## TRIPECTL_COMMAND(CMD, EXPECT)
m4_define([TRIPECTL_COMMAND], [
  AT_CHECK([
    m4_if([$1], [!], [:], [echo "$1" >&4])
    read line
    case "$line" in
      "$2") ;;
      *) echo 2>&1 "submitted $1: expected $2, found $line"; exit 1 ;;
    esac
  ])
  exec 3>&-
])

###--------------------------------------------------------------------------
### Make sure the thing basically works.

AT_SETUP([server basics])
SETUPDIR([alpha])
AT_CHECK([echo port | TRIPE -p54321],, [INFO 54321[]nl[]OK[]nl])
AT_CLEANUP

###--------------------------------------------------------------------------
### Challenges.

AT_SETUP([server challenges])
AT_KEYWORDS([chal])
SETUPDIR([alpha])

WITH_TRIPE(, [
  ## A simple test.
  AT_CHECK([chal=$(TRIPECTL GETCHAL); TRIPECTL checkchal $chal])

  ## A wrong challenge.  (This was valid once, but the probablity that the
  ## server chose the same key is negligible.)
  AT_CHECK([TRIPECTL checkchal AAAAAHyoOL+HMaE0Y9B3ivuszt0], [1],,
           [tripectl: invalid-challenge[]nl])
  echo WARN CHAL incorrect-tag >>expected-server-output

  ## A duplicated challenge.
  AT_CHECK([
    chal=$(TRIPECTL GETCHAL)
    TRIPECTL CHECKCHAL $chal
    TRIPECTL CHECKCHAL $chal
  ], [1],, [tripectl: invalid-challenge[]nl])
  echo WARN CHAL replay duplicated-sequence >>expected-server-output

  ## Out-of-order reception.  There should be a window of 32 challenges; we
  ## make 33 and check them in a strange order.
  rm -f experr
  echo "tripectl: invalid-challenge" >>experr
  echo "WARN CHAL replay old-sequence" >>expected-server-output
  for i in P32; do
    echo "tripectl: invalid-challenge" >>experr
    echo "WARN CHAL replay duplicated-sequence" >>expected-server-output
  done
  AT_CHECK([

    ## Make the challenges.
    for i in old R32; do TRIPECTL GETCHAL >chal-$i || exit 2; done

    ## Now check them back.
    for i in P32; do TRIPECTL CHECKCHAL $(cat chal-$i) || exit 3; done

    ## Check the one which should have fallen off the front.
    TRIPECTL CHECKCHAL $(cat chal-old) && exit 4

    ## And make sure that the others are now considered duplicates.
    for i in R32; do TRIPECTL CHECKCHAL $(cat chal-$i) && exit 5; done

    ## All done: tidy cruft away.
    rm -f chal-*
    exit 0
  ], [0],, [experr])
])

AT_CLEANUP

###--------------------------------------------------------------------------
### Communication.

AT_SETUP([server communication])
AT_KEYWORDS([comm])
export TRIPE_SLIPIF=USLIP

for k in alpha beta-new; do
  for p in alice bob; do (
    rm -rf $p; mkdir $p; cd $p; SETUPDIR([$k])
  ); done
  WITH_2TRIPES([alice], [bob], [-nslip], [-talice], [-tbob], [
    ESTABLISH([alice], [not-alice], [-key alice],
              [bob], [bob], [])
  ])
  for p in alice bob; do rm -rf $p.$k; mv $p $p.$k; done
done

AT_CLEANUP

###--------------------------------------------------------------------------
### Mobile peer tracking.

AT_SETUP([peer tracking])
AT_KEYWORDS([mobile])
export TRIPE_SLIPIF=USLIP

for p in alice bob carol; do (mkdir $p; cd $p; SETUPDIR([alpha])); done

## WITH_MITM(adir, aport, bdir, bport, body)
m4_define([WITH_MITM], [
  echo >&2 "mitm: $1 <--> :$2 <-mitm-> :$4 <--> $3"
  MITM -k$1/keyring.pub \
        peer:$1:$2:127.0.0.1:$(cat $1/port) \
        peer:$3:$4:127.0.0.1:$(cat $3/port) \
        filt:send& mitmpid_$1_$3=$!
  trap 'kill $mitmpid_$1_$3; exit 127' EXIT INT QUIT TERM HUP
  sleep 1
  $5
  kill $mitmpid_$1_$3; trap - EXIT INT QUIT TERM HUP
])

WITH_3TRIPES([alice], [bob], [carol], [-nslip],
             [-talice], [-tbob], [-tcarol], [

  ## We need an indirection layer between the two peers so that we can
  ## simulate the effects of NAT remapping.  The nearest thing we have to
  ## this is the mitm proxy, so we may as well use that.
  ##
  ## alice <--> :5311 <-mitm-> :5312 <--> bob
  ## alice <--> :5321 <-mitm-> :5322 <--> carol

  WITH_MITM([alice], [5311], [bob], [5312], [
    ESTABLISH([alice], [alice], [], [bob], [bob], [-mobile], [5312], [5311])
  ])

  WITH_MITM([alice], [5319], [bob], [5312], [
    COMMS_EPING([bob], [bob], [alice], [alice])
    COMMS_SLIP([bob], [bob], [alice], [alice])
  ])

  WITH_MITM([alice], [5321], [carol], [5322], [
    ESTABLISH([alice], [alice], [], [carol], [carol], [-mobile],
        [5322], [5321])
  ])

  WITH_MITM([alice], [5311], [bob], [5312], [
  WITH_MITM([alice], [5321], [carol], [5322], [
    COMMS_EPING([bob], [bob], [alice], [alice])
    COMMS_EPING([carol], [carol], [alice], [alice])
    COMMS_SLIP([bob], [bob], [alice], [alice])
    COMMS_SLIP([carol], [carol], [alice], [alice])
  ])])

  WITH_MITM([alice], [5321], [bob], [5312], [
  WITH_MITM([alice], [5311], [carol], [5322], [
    COMMS_EPING([bob], [bob], [alice], [alice])
    COMMS_EPING([carol], [carol], [alice], [alice])
    COMMS_SLIP([bob], [bob], [alice], [alice])
    COMMS_SLIP([carol], [carol], [alice], [alice])
  ])])
  wait
])

AT_CLEANUP

###--------------------------------------------------------------------------
### Adverse communication.

AT_SETUP([server retry])
AT_KEYWORDS([backoff])
export TRIPE_SLIPIF=USLIP

for i in alice bob; do (mkdir $i; cd $i; SETUPDIR([beta])); done

WITH_2TRIPES([alice], [bob], [-nslip], [-talice], [-tbob], [

  ## Set up the evil proxy.
  alicemitm=24516 bobmitm=14016
  mknod pipe-mitmpid p
  WITH_STRACE([mitm],
              [sh -c 'echo $$ >pipe-mitmpid; exec "$@"' - \
               MITM -kalice/keyring.pub >mitm.out 2>mitm.err \
                 peer:alice:$alicemitm:127.0.0.1:$(cat alice/port) \
                 peer:bob:$bobmitm:127.0.0.1:$(cat bob/port) \
                 filt:drop:5 filt:send])&
  read mitmpid <pipe-mitmpid
  trap 'kill $mitmpid; exit 127' EXIT INT QUIT TERM HUP
  exec 3>&-

  ## Try to establish keys anyway.
  AWAIT_KXDONE([alice], [alice], [bob], [bob], [
    AT_CHECK([TRIPECTL -dalice ADD -cork bob   INET 127.0.0.1 $alicemitm])
    AT_CHECK([TRIPECTL -dbob   ADD       alice INET 127.0.0.1 $bobmitm])
  ])

  ## Check pinging.
  COMMS_EPING([alice], [alice], [bob], [bob], [10])
  COMMS_EPING([bob], [bob], [alice], [alice], [10])

  ## Tear down the MITM proxy.
  kill $mitmpid
])

AT_CLEANUP

###--------------------------------------------------------------------------
### Key management.

AT_SETUP([server key-management])
AT_KEYWORDS([keymgmt])
export TRIPE_SLIPIF=USLIP

## Determine all of the nets and the principals.
princs=""
nets=" "
while read princ pnets; do
  princs="$princs $princ"
  for n in $pnets; do
    case " $nets " in *" $n "*) ;; *) nets="$nets$n " ;; esac
  done
done <<PRINC
alice   alpha   beta
bob     alpha   beta
carol   beta
PRINC

## Build the master keyring.  All key tags here are of the form PRINC/NET.
for n in $nets; do
  key -k$abs_top_srcdir/t/keyring-$n extract keyring-$n $princs
  for p in $princs; do key -kkeyring-$n tag $p $p/$n; done
  key merge keyring-$n
  rm keyring-$n
done
key extract -f-secret keyring.pub

## Set up the principals' directories.
for p in $princs; do
  mkdir $p
  cp keyring keyring.pub $p/
done

WITH_3TRIPES([alice], [bob], [carol], [-nslip -Tmx],
        [-talice/alpha], [-tbob/alpha], [-tcarol/beta], [

  ## Establish this little merry-go-round.
  ESTABLISH([alice], [alice], [-key alice/alpha],
        [bob], [bob], [-key bob/alpha])
  ESTABLISH([alice], [alice], [-key alice/beta],
        [carol], [carol], [-priv alice/beta -key carol/beta])
  ESTABLISH([bob], [bob], [-key bob/beta],
        [carol], [carol], [-priv bob/beta -key carol/beta])

  ## Tweak Bob's alpha key.
  for p in $princs; do
    TRIPECTL -d$p WARN test COMMENT tweak bob/alpha
  done

  key -k$abs_top_srcdir/t/keyring-alpha extract keyring-bob-new bob-new
  key merge keyring-bob-new
  key tag -r bob-new bob/alpha
  key extract -f-secret keyring.pub
  for p in alice bob; do cp keyring keyring.pub $p/; done

  ## Kick the peers to see whether they update.
  AWAIT_KXDONE([alice], [alice], [bob], [bob], [
    TRIPECTL -dalice RELOAD
    TRIPECTL -dbob RELOAD
    TRIPECTL -dalice FORCEKX bob
    TRIPECTL -dbob FORCEKX alice
  ])

  COMMS_EPING([alice], [alice], [bob], [bob])
  COMMS_EPING([bob], [bob], [alice], [alice])

  ## Update the beta ring.
  key merge $abs_top_srcdir/t/keyring-beta-new
  for p in $princs; do key tag -r $p $p/beta; done
  key extract -f-secret keyring.pub

  ## Update alice's and carol's private keys, bob's public.  This should be
  ## insufficient for them to switch, but the results could be interesting.
  for p in $princs; do
    TRIPECTL -d$p WARN test COMMENT tweak beta step 1
  done

  for p in alice carol; do cp keyring $p/; done
  cp keyring.pub bob/
  for p in $princs; do TRIPECTL -d$p RELOAD; done

  AT_DATA([algs-alpha], [dnl
kx-group=curve25519 kx-group-order-bits=252 kx-group-elt-bits=255
hash=sha256 mgf=sha256-mgf hash-sz=32
bulk-transform=naclbox bulk-overhead=20
cipher=chacha20 cipher-keysz=32
mac=poly1305 mac-tagsz=16
cipher-data-limit=2147483648
])

  AT_DATA([algs-beta-old], [dnl
kx-group=prime kx-group-order-bits=160 kx-group-elt-bits=1023
hash=rmd160 mgf=rmd160-mgf hash-sz=20
bulk-transform=v0 bulk-overhead=22
cipher=blowfish-cbc cipher-keysz=20 cipher-blksz=8
mac=rmd160-hmac mac-keysz=20 mac-tagsz=10
cipher-data-limit=67108864
])

  AT_DATA([algs-beta-new], [dnl
kx-group=ec kx-group-order-bits=161 kx-group-elt-bits=320
hash=rmd160 mgf=rmd160-mgf hash-sz=20
bulk-transform=iiv bulk-overhead=14
cipher=blowfish-cbc cipher-keysz=20 cipher-blksz=8
mac=rmd160-hmac mac-keysz=20 mac-tagsz=10
blkc=blowfish blkc-keysz=20 blkc-blksz=8
cipher-data-limit=67108864
])

  cp algs-alpha expout;    AT_CHECK([TRIPECTL -dalice ALGS],,       [expout])
  cp algs-beta-old expout; AT_CHECK([TRIPECTL -dalice ALGS carol],, [expout])
  cp algs-beta-old expout; AT_CHECK([TRIPECTL -dbob   ALGS carol],, [expout])
  cp algs-beta-new expout; AT_CHECK([TRIPECTL -dcarol ALGS],,       [expout])
  cp algs-beta-old expout; AT_CHECK([TRIPECTL -dcarol ALGS alice],, [expout])

  ## Now copy the full keys.  We expect this to provoke key exchange.
  for p in $princs; do
    TRIPECTL -d$p WARN test COMMENT tweak beta step 2
  done

  for p in $princs; do cp keyring keyring.pub $p/; done

  AWAIT_KXDONE([alice], [alice], [carol], [carol], [
    TRIPECTL -dalice RELOAD
    AWAIT_KXDONE([bob], [bob], [carol], [carol], [
      TRIPECTL -dbob RELOAD
      TRIPECTL -dcarol RELOAD
    ])
  ])

  cp algs-alpha expout;    AT_CHECK([TRIPECTL -dalice ALGS],,       [expout])
  cp algs-beta-new expout; AT_CHECK([TRIPECTL -dalice ALGS carol],, [expout])
  cp algs-beta-new expout; AT_CHECK([TRIPECTL -dbob   ALGS carol],, [expout])
  cp algs-beta-new expout; AT_CHECK([TRIPECTL -dcarol ALGS],,       [expout])
])

AT_CLEANUP

###--------------------------------------------------------------------------
### Services.

AT_SETUP([server services])
AT_KEYWORDS([svc])
SETUPDIR([alpha])

WITH_TRIPE(, [

  ## Make sure it's not running yet.
  AT_CHECK([TRIPECTL SVCENSURE test], [1],,
           [tripectl: unknown-service test[]nl])

  ## Run a simple service.
  rm -f svc-test-running tripectl-status
  COPROCESSES([svc], [
    echo SVCCLAIM test 1.0.0
    read line
    case "$line" in
      OK)
        ;;
      *)
        echo >&2 "SVCCLAIM failed: $line"
        exit 1
        ;;
    esac
    echo ok >svc-test-running
    while read line; do
      set -- $line
      case "$[]1,$[]3,$[]4" in
        SVCJOB,test,HELP)
          echo SVCINFO try not to use this service for anything useful
          echo SVCOK $[]2
          ;;
        SVCJOB,test,GOOD)
          echo SVCOK $[]2
          ;;
        SVCJOB,test,BAD)
          echo SVCFAIL $[]2 this-command-always-fails
          ;;
        SVCJOB,test,UGLY)
          tag=$2
          while read line; do
            set -- $line
            case "$[]1,$[]2,$[]3,$[]4" in
              SVCCANCEL,$tag,,) break ;;
              SVCJOB,*,test,ESCAPE)
                echo >&2 "attempt to escape from alkatraz"
                exit 1
                ;;
            esac
          done
          ;;
        SVCJOB,test,FIRST)
          firsttag=$[]2
          ;;
        SVCJOB,test,SECOND)
          echo SVCOK $firsttag
          echo SVCOK $[]2
          ;;
        SVCJOB,*)
          echo SVCFAIL $[]2 unknown-svc-command $[]4
          ;;
        SVCCLAIM,*)
          break
          ;;
        OK,* | INFO,*)
          ;;
        FAIL,*)
          echo "failure in service: $line" >&2
          ;;
      esac
    done
  ], [
    TRIPECTL; echo $? >tripectl-status
  ]) 2>tripectl-errors &

  ## Wait until it starts up.
  while test ! -r svc-test-running && test ! -r tripectl-status; do :; done

  ## Make sure it's running.
  AT_CHECK([TRIPECTL SVCQUERY test],, [name=test version=1.0.0[]nl])

  ## Try some simple commands.
  AT_CHECK([TRIPECTL SVCSUBMIT test GOOD])
  AT_CHECK([TRIPECTL SVCSUBMIT test BAD], [1],,
           [tripectl: this-command-always-fails[]nl])

  ## And now with commands in the background.
  TRIPECTL_INTERACT([
    TRIPECTL_COMMAND([SVCSUBMIT test GOOD], [OK])
    TRIPECTL_COMMAND([SVCSUBMIT -background foo test UGLY], [BGDETACH foo])
    TRIPECTL_COMMAND([BGCANCEL foo], [OK])
    TRIPECTL_COMMAND([SVCSUBMIT test ESCAPE],
                     [FAIL unknown-svc-command ESCAPE])
  ])

  ## Out-of-order completion.
  TRIPECTL_INTERACT([
    TRIPECTL_COMMAND([SVCSUBMIT -background one test FIRST], [BGDETACH one])
    TRIPECTL_COMMAND([SVCSUBMIT -background two test SECOND], [BGDETACH two])
    TRIPECTL_COMMAND([!], [BGOK one])
    TRIPECTL_COMMAND([!], [BGOK two])
  ])

  ## All done.
  exit 0
])

AT_CLEANUP

###----- That's all, folks --------------------------------------------------