In cipherscan line 851:
local selected=($result)
^-- SC2128: Expanding an array without an index only gives the first element.
In cipherscan line 852:
if [[ $selected == "$prefered" ]]; then
^-- SC2128: Expanding an array without an index only gives the first element.
In cipherscan line 469:
if [[ ${known_certs[$cksum]} == $cert ]]; then
^-- SC2053: Quote the rhs of == in [[ ]] to prevent glob matching.
In cipherscan line 852:
if [[ $selected == $prefered ]]; then
^-- SC2053: Quote the rhs of == in [[ ]] to prevent glob matching.
In cipherscan line 915:
if [[ "$cname" == ${curves[$id]} ]]; then
^-- SC2053: Quote the rhs of == in [[ ]] to prevent glob matching.
In cipherscan line 294:
echo $identifier
^-- SC2086: Double quote to prevent globbing and word splitting.
In cipherscan line 587:
current_curves="$(get_curve_name $(echo $pfs|cut -d ',' -f2))"
^-- SC2046: Quote this to prevent word splitting.
In cipherscan line 603:
debug Connection $i
^-- SC2086: Double quote to prevent globbing and word splitting.
In cipherscan line 715:
echo $header
^-- SC2086: Double quote to prevent globbing and word splitting.
In cipherscan line 719:
echo $result|grep -v '(NONE)'
^-- SC2086: Double quote to prevent globbing and word splitting.
In cipherscan line 897:
local tmp=$(echo Q | $sslcommand -curves $test_curves 2>/dev/null)
^-- SC2086: Double quote to prevent globbing and word splitting.
In cipherscan line 910:
cname="$(get_curve_name ${ephem_data[1]})"
^-- SC2086: Double quote to prevent globbing and word splitting.
In cipherscan line 953:
local tmp=$(echo Q | $sslcommand -curves $test_curves 2>/dev/null)
^-- SC2086: Double quote to prevent globbing and word splitting.
In cipherscan line 967:
local cname="$(get_curve_name ${ephem_data[1]})"
^-- SC2086: Double quote to prevent globbing and word splitting.
In cipherscan line 1017:
local tmp=$(echo Q | $sslcommand -curves $test_curves 2>/dev/null)
^-- SC2086: Double quote to prevent globbing and word splitting.
In cipherscan line 1030:
local cname="$(get_curve_name ${ephem_data[1]})"
^-- SC2086: Double quote to prevent globbing and word splitting.
This more accurately reflects that "non-zero exit status indicates
failure"; while > 0 will no doubt work as well, != 0 avoids the question
of whether $? is signed or unsigned in bash and more accurately
represents the documentation ("non-zero", != 0).
This patch implements two structural changes.
First, OS-level detection routines are broken out into a case statement.
Darwin doesn't need to test for readlink/timeout nor Busybox, so this
noticeably improves performance over multiple runs on Darwin.
Linux suffers no additional penalty, since we already ran if $(uname)
every time anyways, and continues to use the more complex
timeout/gtimeout/busybox logic at the (preexisting, unaffected) cost to
performance over multiple runs.
Second, if NOAUTODETECT is set, then the script assumes (and verifies)
that you're providing TIMEOUTBIN and OPENSSLBIN values. If both of those
values are executable files, then the script will proceed, else it will
abort. In this scenario, readlink is unnecessary and is thus unused.
The combination of these two changes will improve performance over
multiple runs both on Darwin and when NOAUTODETECT is set for top1m.
This takes advantage of the new --cafile logic to avoid running CACERTS
autodetection when a file is provided on the command line.
It then ensures the readability of that file, whether provided or
autodetected.
This also adds an undocumented CAPATH environment variable alternative
to --capath, to go along with the existing undocumented CACERTS
environment variable alternative to --cafile, to provide legacy support
for preexisting users.
Prior to this commit, the code accepts both the --cafile and the
--capath options, as that's how it's always behaved. This patch corrects
that, refusing to proceed if the options are provided.
Technically, openssl permits the use of both the -CAfile and -CApath
options. However, cipherscan itself can only make use of one of the two
options, and does not currently support "one or both" scenarios.
So this patch ensures that users are not caught unaware when they
specify --capath and --cafile and the script refuses to honor the
latter.
The HOST[:PORT] extraction routine was written using several calls to
sed and a bunch of regex post-processing of the bash $@ array.
This replaces that with bash-native array commands, copying $@ into
a $PARAMS array, removing the last element into $TARGET, and then
passing the remainder to openssl s_client.
This adds validation of the TARGET to ensure that it matches what we
expect for a HOST[:PORT]; if a ':' is present, it must be preceded by a
hostname and followed by a port number, otherwise :443 is appended.
The check to ensure that HOST is not an -option is merged into this as
well, since we already test for : at the beginning of the HOST
(indicating that only a port was provided).
Additionally, this now defends against an empty string "" being passed
as the final option, which could occur if a script calling cipherscan
goes awry and starts passing empty values as the target.
top1m may see a slight speed improvement from this commit, as 4 calls to
sed are replaced with native bash functions.
Fixes one "SC2086: Double quote to prevent globbing and word splitting.":
In cipherscan line 1402:
SCLIENTARGS=$(sed -e s,${TEMPTARGET},,<<<"${@}")
^-- SC2086: Double quote to prevent globbing and
word splitting.
Julien Vehent
Richard Soderberg