From bcfe0dbae11a5eda6fd0e69c35925ec2672c5fad Mon Sep 17 00:00:00 2001
From: Hubert Kario
Date: Sat, 12 Jul 2014 14:17:52 +0200
Subject: [PATCH] don't calculate sha sums for the certificates over and over

we can use cksum to calculate simple checksum much faster than with using openssl, so we can compute sums only once
---
 cipherscan | 30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/cipherscan b/cipherscan
index fabff8d..feb19ae 100755
--- a/cipherscan
+++ b/cipherscan
@@ -35,6 +35,10 @@ CAPATH=""
 SAVECRT=""
 unset ok_protocols
 declare -A ok_protocols
+unset known_certs
+declare -A known_certs
+unset cert_checksums
+declare -A cert_checksums
 usage() {
 echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [--capath directory] [-d|--delay seconds] [-D|--debug] [-j|--json] [--savecrt directory] [-v|--verbose] [-o|--openssl file] [openssl s_client args] 
@@ -165,15 +169,25 @@ test_cipher_on_target() {
 for ((i=0; i<$certificate_count; i=i+1 )); do
 # extract i'th certificate
- local cert=$(awk -v i=$i 'split_after == 1 {n++;split_after=0}
- /-----END CERTIFICATE-----/ {split_after=1}
- {if (n == i) print }
- ' <<<"$tmp")
- # clean up the cert from junk before BEGIN CERTIFICATE
- cert=$(${OPENSSLBIN} x509 <<<"$cert" 2>/dev/null)
+ local cert=$(awk -v i=$i 'BEGIN { output=0;n=0 }
+ /-----BEGIN CERTIFICATE-----/ { output=1 }
+ output==1 { if (n==i) print }
+ /-----END CERTIFICATE-----/ { output=0; n++ }' <<<"$tmp")
+ # put the output to an array instead awk '{print $1}'
+ local cksum=($(cksum <<<"$cert"))
+ # compare the values not just checksums so that eventual collision
+ # doesn't mess up results
+ if [[ ${known_certs[$cksum]} == $cert ]]; then
+ if [ -n "${current_certificates}" ]; then
+ current_certificates+=","
+ fi
+ current_certificates+="\"${cert_checksums[$cksum]}\""
+ continue
+ fi
 # compute sha256 fingerprint of the certificate
- local sha256sum=$(${OPENSSLBIN} x509 -outform DER <<<"$cert" 2>/dev/null |\
+ local sha256sum=$(${OPENSSLBIN} x509 -outform DER\
+ <<<"$cert" 2>/dev/null |\
 ${OPENSSLBIN} dgst -sha256 -r 2>/dev/null| awk '{print $1}')
 # check if it is a CA certificate
@@ -219,6 +233,8 @@ test_cipher_on_target() {
 current_certificates+=","
 fi
 current_certificates+="\"${sha256sum}\""
+ known_certs[$cksum]="$cert"
+ cert_checksums[$cksum]="$sha256sum"
 done
 debug "current_certificates: $current_certificates"
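Review bot: The right-hand side of `[[ ${known_certs[$cksum]} == $cert ]]` is unquoted, so `$cert` is evaluated as a glob pattern rather than compared literally; PEM text happens to contain no glob metacharacters, but the intent is an exact string compare and it should read `[[ "${known_certs[$cksum]}" == "$cert" ]]`. The same test also succeeds when awk extracts nothing for index i: an unset cache entry and an empty `$cert` compare equal, so a bare `""` is appended to current_certificates and the iteration ends before any fingerprint is computed — guarding with `[[ -n "$cert" && ... ]]` (or testing `${known_certs[$cksum]+set}`) avoids that. If `cksum` is not on PATH, `$cksum` is empty and the array subscript on the following line is a bash error, so a `command -v cksum` check alongside the script's other tool checks seems warranted. The enclosing for loop continues past the end of this hunk.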
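Review bot: `known_certs[$cksum]="$cert"` keys the cache on the 32-bit CRC alone, so two distinct certificates with the same CRC overwrite each other's slot on every iteration and neither is ever served from the cache; the full-text compare in the lookup keeps the result correct, so this is a performance corner rather than a bug. Keying on both fields `cksum` prints, e.g. `local key="${cksum[0]}_${cksum[1]}"` where the array is filled and using `$key` as the subscript in both hunks, makes such collisions far less likely. These two writes sit at the very end of the loop body, so any path earlier in the body (outside this hunk) that leaves the iteration with `continue` never populates the cache for that certificate — presumably intended for the hit path, but worth confirming for the others.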