From 6adda69af5b406ecc1041d0dd9433e5bd0851b36 Mon Sep 17 00:00:00 2001
From: Richard Soderberg
Date: Sat, 5 Sep 2015 00:37:44 -0700
Subject: [PATCH] Revise CACERTS autodetection logic, ensure that CACERTS/CAPATH is readable/directory, add undocumented CAPATH env override.
This takes advantage of the new --cafile logic to avoid running CACERTS autodetection when a file is provided on the command line. It then ensures the readability of that file, whether provided or autodetected. This also adds an undocumented CAPATH environment variable alternative to --capath, to go along with the existing undocumented CACERTS environment variable alternative to --cafile, to provide legacy support for preexisting users.
---
 cipherscan | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/cipherscan b/cipherscan
index 429561d..52e88d1 100755
--- a/cipherscan
+++ b/cipherscan
@@ -54,7 +54,6 @@ if [[ -e $DIRNAMEPATH/openssl.cnf ]]; then
 export OPENSSL_CONF="$DIRNAMEPATH/openssl.cnf"
 fi
-CACERTS=""
 # RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers
 # (probably a result of a workaround for the bug in Apple implementation of ECDSA)
 CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA"
@@ -132,7 +131,6 @@ OUTPUTFORMAT="terminal"
 TIMEOUT=30
 # place where to put the found intermediate CA certificates and where
 # trust anchors are stored
-CAPATH=""
 SAVECRT=""
 TEST_CURVES="False"
 has_curves="False"
@@ -1304,6 +1302,8 @@ do
 --cafile)
 CACERTS="$2"
 shift 2
+ # We need to bypass autodetection if this is provided.
+ CACERTS_ARG_SET=1
 ;;
 --capath)
 CAPATH="$2"
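Review bot: `CACERTS_ARG_SET=1` in the `--cafile` arm is the only assignment to that variable in this patch; the hunks at lines 54 and 132 remove the `CACERTS=""` and `CAPATH=""` defaults but add no default for the new flag, so when `--cafile` is not passed the later `[[ -n $CACERTS_ARG_SET ]]` test in the hunk at line 1377 reads an unset variable. If the script runs with `set -u` (not visible in this patch) that test aborts the run; even if it does not, the flag deserves an explicit default beside the other option defaults, e.g. `CACERTS_ARG_SET=""` next to `SAVECRT=""`. The enclosing `case` statement starts and ends outside this hunk.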
@@ -1377,17 +1377,26 @@ if [[ $TEST_CURVES == "True" ]]; then
 fi
 fi
-# find a list of trusted CAs on the local system, or use the provided list
-if [[ -z "$CACERTS" ]]; then
+if [[ -z $CACERTS ]] && ! [[ -n $CACERTS_ARG_SET ]]; then
+ # find a list of trusted CAs on the local system, or use the provided list
 for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
 if [[ -e "$f" ]]; then
 CACERTS="$f"
 break
 fi
 done
+ if [[ ! -e "$CACERTS" ]]; then
+ CACERTS="$DIRNAMEPATH/ca-bundle.crt"
+ fi
 fi
-if [[ ! -e "$CACERTS" ]]; then
- CACERTS="$DIRNAMEPATH/ca-bundle.crt"
+if ! [[ -e $CACERTS && -r $CACERTS ]]; then
+ echo "--cafile $CACERTS is not a readable file, aborting." 1>&2
+ exit 1
+fi
+
+if [[ -n $CAPATH ]] && ! [[ -d $CAPATH ]]; then
+ echo "--capath $CAPATH is not a directory, aborting." 1>&2
+ exit 1
 fi
 if [[ $VERBOSE != 0 ]] ; then
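Review bot: The check `if ! [[ -e $CACERTS && -r $CACERTS ]]; then` accepts a directory or any other readable non-regular path as the trust bundle, and its message blames `--cafile` even when the value came from the autodetection loop, the `$DIRNAMEPATH/ca-bundle.crt` fallback, or the `CACERTS` environment override that removing `CACERTS=""` now enables, so users are pointed at an option they never passed. Prefer `-f` and a neutral message: `if ! [[ -f $CACERTS && -r $CACERTS ]]; then` with `echo "CA bundle $CACERTS is not a readable file, aborting." 1>&2`. The `--capath` check has the same attribution problem now that `CAPATH=""` is no longer reset and the environment can supply it, and `-d` does not confirm the directory is readable, so `if [[ -n $CAPATH ]] && ! [[ -d $CAPATH && -r $CAPATH ]]; then` with a message naming "CA path" rather than `--capath` would match the commit message's intent better. Separately, `! [[ -n $CACERTS_ARG_SET ]]` reads more naturally as `[[ -z $CACERTS_ARG_SET ]]`, and the flag only changes behaviour for an explicit `--cafile ""`, since any non-empty argument already makes `-z $CACERTS` false; a one-line comment stating that is the intended case would save the next reader the same analysis.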