From 0662fa61d8f04c94a2631bf144fb65d7a9e33f32 Mon Sep 17 00:00:00 2001
From: Olivier Paroz <oparoz@users.noreply.github.com>
Date: Mon, 15 Sep 2014 17:06:59 +0200
Subject: [PATCH 1/3] FreeBSD compatible

Detect the OS and use gtimeout from sysutils/coreutils
---
 cipherscan | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/cipherscan b/cipherscan
index eb91255..8196bae 100755
--- a/cipherscan
+++ b/cipherscan
@@ -4,9 +4,19 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 # Author: Julien Vehent [:ulfr] - 2013
+#
+# Modified by Olivier Paroz in September 2014
+#
+# On FreeBSD, you will need the following ports: textproc/gnugrep and sysutils/coreutils
+#
 
+OS=`uname`
 DOBENCHMARK=0
 BENCHMARKITER=30
+TIMEOUTBIN=timeout
+if [ "${OS}" = "FreeBSD" ]; then
+	TIMEOUTBIN=gtimeout
+fi
 OPENSSLBIN="$(dirname $0)/openssl"
 if [ -z "$CACERTS" ]; then
   for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
@@ -33,10 +43,14 @@ TIMEOUT=10
 
 usage() {
     echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [-d|--delay seconds] [-D|--debug] [-j|--json] [-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port>
-    usage: $0 -h|--help
+usage: $0 -h|--help
 
 $0 attempts to connect to a target site using all the ciphersuites it knows.
-Julien Vehent [:ulfr] - https://github.com/jvehent/cipherscan
+
+Original script by Julien Vehent. [:ulfr] - https://github.com/jvehent/cipherscan
+FreeBSD version by Olivier Paroz. [:ulfr] - https://github.com/oparoz/cipherscan
+
+OpenSSL 1.0.2 is a REQUIREMENT and you will also need the following ports on FreeBSD: textproc/gnugrep and sysutils/coreutils
 
 Port defaults to 443
 
@@ -165,7 +179,7 @@ test_cipher_on_target() {
 # Calculate the average handshake time for a specific ciphersuite
 bench_cipher() {
     local ciphersuite="$1"
-    local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
+    local sslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
     local t="$(date +%s%N)"
     verbose "Benchmarking handshake on '$TARGET' with ciphersuite '$ciphersuite'"
     for i in $(seq 1 $BENCHMARKITER); do
@@ -189,9 +203,9 @@ get_cipher_pref() {
     [ "$OUTPUTFORMAT" == "terminal" ] && [ $DEBUG -lt 1 ] && echo -n '.'
     local ciphersuite="$1"
     if [ -e $CACERTS ]; then
-        local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -CAfile $CACERTS -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
+        local sslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client -CAfile $CACERTS -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
     else
-        local sslcommand="timeout $TIMEOUT $OPENSSLBIN s_client -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
+        local sslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client -status $SCLIENTARGS -connect $TARGET -cipher $ciphersuite"
     fi
     verbose "Connecting to '$TARGET' with ciphersuite '$ciphersuite'"
     test_cipher_on_target "$sslcommand"
@@ -410,7 +424,7 @@ if [ $ALLCIPHERS -gt 0 ]; then
     echo; echo "All accepted ciphersuites"
     for c in $($OPENSSLBIN ciphers -v ALL:COMPLEMENTOFALL 2>/dev/null |awk '{print $1}'|sort|uniq); do
         r="fail"
-        osslcommand="timeout $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $c"
+        osslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client $SCLIENTARGS -connect $TARGET -cipher $c"
         test_cipher_on_target "$osslcommand"
         if [ $? -eq 0 ]; then
             r="pass"

From d3b2c48e13408654f7264bbee973c2294f5360b0 Mon Sep 17 00:00:00 2001
From: Olivier Paroz <oparoz@users.noreply.github.com>
Date: Mon, 15 Sep 2014 17:31:06 +0200
Subject: [PATCH 2/3] FreeBSD + extra chacha20 repo

I've found another repository which offers 1.0.2 with chacha20
I've added some extra instructions for FreeBSD users
---
 README.md | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 3953659..48535e0 100644
--- a/README.md
+++ b/README.md
@@ -8,15 +8,18 @@ On Linux x86_64 run: ./cipherscan www.google.com:443
 On any other *nix or *tux run: ./cipherscan -o /path/to/openssl www.google.com:443
 and watch.
 
-The newer your version of openssl, the better results you'll get. Versions
-of OpenSSL below 1.0.1 don't support TLS1.2 ciphers, elliptic curves, etc... Build your own or test what your system's OpenSSL supports.
+On FreeBSD, you will need the following ports: textproc/gnugrep and sysutils/coreutils
+
+The newer your version of openssl, the better results you'll get. Versions of OpenSSL below 1.0.1 don't support TLS1.2 ciphers, elliptic curves, etc...
+Version 1.0.2 gives extra information about the ciphers used for the key exchange.
+Build your own or test what your system's OpenSSL supports.
 
 Cipherscan should work fine on Linux, Mac OS X, Solaris, Illumos, SmartOS, OpenIndiana if you specify a an openssl binary with -o.
 
 Build OpenSSL with ChaCha20-Poly1305 support (Optional)
 -------------------------------------------------------
 
-The OpenSSL binary in this repository is built for 64bit Linux. If you wish to build a version with the same features for your own platform, [the snapshot from the OpenSSL gitweb view](http://git.openssl.org/gitweb/?p=openssl.git;a=tree;h=161b23361778c155f9c174694b1db2506a2e0b52;hb=9a8646510b) and build it like this:
+The OpenSSL binary in this repository is built for 64bit Linux. If you wish to build a version with the same features for your own platform, you can use [this snapshot from the OpenSSL gitweb view](http://git.openssl.org/gitweb/?p=openssl.git;a=tree;h=161b23361778c155f9c174694b1db2506a2e0b52;hb=9a8646510b) or [this Github repository](https://github.com/PeterMosmans/openssl) and build it like this:
 
 ```
 ./config no-shared
@@ -226,3 +229,4 @@ Contributors
 * Pepi Zawodsky <git@maclemon.at>
 * Michael Zeltner <m@niij.org>
 * Simon Deziel <simon.deziel@gmail.com>
+* Olivier Paroz <opa-github@interfasys.ch>

From 9438d647622be4663a74bf4a5e051dc27cb5590f Mon Sep 17 00:00:00 2001
From: Olivier Paroz <oparoz@users.noreply.github.com>
Date: Mon, 15 Sep 2014 17:38:47 +0200
Subject: [PATCH 3/3] OpenSSL 1.0.2 is not a requirement

Back when egrep wasn't working, I tried to fix various things and 1.0.2 was allowing the script to go further without breaking. After having installed a more recent version of GNU grep, things were back to normal and 1.0.1 works fine
---
 cipherscan | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cipherscan b/cipherscan
index 8196bae..0b48c11 100755
--- a/cipherscan
+++ b/cipherscan
@@ -50,7 +50,7 @@ $0 attempts to connect to a target site using all the ciphersuites it knows.
 Original script by Julien Vehent. [:ulfr] - https://github.com/jvehent/cipherscan
 FreeBSD version by Olivier Paroz. [:ulfr] - https://github.com/oparoz/cipherscan
 
-OpenSSL 1.0.2 is a REQUIREMENT and you will also need the following ports on FreeBSD: textproc/gnugrep and sysutils/coreutils
+On FreeBSD, you will need the following ports on FreeBSD: textproc/gnugrep and sysutils/coreutils
 
 Port defaults to 443