shellcheck improvements

Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech · Aug 13, 2021 · a92dd3d · a92dd3d
1 parent c46bdb2
commit a92dd3d
Show file tree

Hide file tree

Showing 6 changed files with 55 additions and 37 deletions.
diff --git a/easytls b/easytls
@@ -2584,6 +2584,7 @@ inline_file_verify_hash ()
 
 	# Should not have this HASH, that is the reason to do this check
 	# If we already have a HASH then something else is wrong
+	# shellcheck disable=SC2154
 	[ -n "${inline_hash}" ] && \
 		die "inline_file_verify_hash: Found value: inline_hash ${inline_hash}"
 
@@ -2691,13 +2692,13 @@ openssl_crt_common_name ()
 {
 	# This is ONLY use to import a certificate and importing is DISABLED
 	die "openssl_crt_common_name DISABLED"
-	temp_name="$(get_openssl_crt_common_name "${crt_file}")" || {
-		error_msg ""
-		return 1
-		}
-	temp_name="${temp_name##*, CN = }"
-	temp_name="${temp_name%%, emailAddress = *}"
-	"${EASYTLS_PRINTF}" "%s" "${temp_name}"
+	#temp_name="$(get_openssl_crt_common_name "${crt_file}")" || {
+	#	error_msg ""
+	#	return 1
+	#	}
+	#temp_name="${temp_name##*, CN = }"
+	#temp_name="${temp_name%%, emailAddress = *}"
+	#"${EASYTLS_PRINTF}" "%s" "${temp_name}"
 } # => openssl_crt_common_name ()
 
 # Extract the CommonName from OpenSSL -subject

diff --git a/easytls-client-connect.sh b/easytls-client-connect.sh
@@ -111,7 +111,9 @@ fail_and_exit ()
 {
 	conn_trac_record="${c_tlskey_serial:-${g_tlskey_serial}}"
 	conn_trac_record="${conn_trac_record}=${c_md_serial:-${g_md_serial}}"
+	# shellcheck disable=SC2154
 	conn_trac_record="${conn_trac_record}=${untrusted_ip}"
+	# shellcheck disable=SC2154
 	conn_trac_record="${conn_trac_record}=${untrusted_port}"
 	conn_trac_disconnect "${conn_trac_record}"
 
@@ -253,7 +255,7 @@ client_metadata_string_to_vars ()
 	c_md_seed="${metadata_string#*-}"
 	#md_padding="${md_seed%%--*}"
 	c_md_easytls_ver="${1#*--}"
-	c_md_easytls="${md_easytls_ver%-*.*}"
+	c_md_easytls="${c_md_easytls_ver%-*.*}"
 
 	c_md_identity="${2%%-*}"
 	#md_srv_name="${2##*-}"
@@ -383,6 +385,7 @@ fi
 update_status "CN:${X509_0_CN}"
 
 # Set Client certificate serial number from Openvpn env
+# shellcheck disable=SC2154
 client_serial="$(format_number "${tls_serial_hex_0}")"
 
 # Verify Client certificate serial number

diff --git a/easytls-client-disconnect.sh b/easytls-client-disconnect.sh
@@ -238,7 +238,7 @@ client_metadata_string_to_vars ()
 	c_md_seed="${metadata_string#*-}"
 	#md_padding="${md_seed%%--*}"
 	c_md_easytls_ver="${1#*--}"
-	c_md_easytls="${md_easytls_ver%-*.*}"
+	c_md_easytls="${c_md_easytls_ver%-*.*}"
 
 	c_md_identity="${2%%-*}"
 	#md_srv_name="${2##*-}"
@@ -277,26 +277,6 @@ do
 		empty_ok=1
 		EASYTLS_VERBOSE=1
 	;;
-	-a|--allow-no-check)
-		empty_ok=1
-		allow_no_check=1
-	;;
-	-m|ignore-mismatch) # tlskey-x509 does not match openvpn-x509
-		empty_ok=1
-		ignore_x509_mismatch=1
-	;;
-	-p|--push-hwaddr-required)
-		empty_ok=1
-		push_hwaddr_required=1
-	;;
-	-c|--crypt-v2-required)
-		empty_ok=1
-		crypt_v2_required=1
-	;;
-	-k|--key-hwaddr-required)
-		empty_ok=1
-		key_hwaddr_required=1
-	;;
 	-b|--base-dir)
 		EASYTLS_base_dir="${val}"
 	;;
@@ -368,6 +348,7 @@ fi
 update_status "CN:${X509_0_CN}"
 
 # Set Client certificate serial number from Openvpn env
+# shellcheck disable=SC2154
 client_serial="$(format_number "${tls_serial_hex_0}")"
 
 # Verify Client certificate serial number
@@ -381,6 +362,7 @@ generic_metadata_file="${temp_stub}-gmd"
 client_metadata_file="${temp_stub}-cmd-${client_serial}"
 
 # --tls-verify output to --client-connect
+# shellcheck disable=SC2154
 generic_ext_md_file="${generic_metadata_file}-${untrusted_ip}-${untrusted_port}"
 client_ext_md_file="${client_metadata_file}-${untrusted_ip}-${untrusted_port}"
 
@@ -401,7 +383,7 @@ then
 	update_status "client_ext_md_file loaded"
 else
 	# cert serial does not match - ALWAYS fail
-	[ $ignore_x509_mismatch ] || fail_and_exit "CLIENT X509 SERIAL MISMATCH" 7
+	die "CLIENT X509 SERIAL MISMATCH" 7
 fi
 
 # Any failure_msg means fail_and_exit

diff --git a/easytls-cryptv2-verify.sh b/easytls-cryptv2-verify.sh
@@ -459,6 +459,7 @@ init ()
 	EASYTLS_srv_pid=$PPID
 
 	# metadata file
+	# shellcheck disable=SC2154
 	OPENVPN_METADATA_FILE="${metadata_file}"
 
 	# Log message
@@ -537,7 +538,7 @@ deps ()
 	EASYTLS_WLOG="${temp_stub}-cryptv2-verify.log"
 
 	# Conn track
-	EASYTLS_CONN_TRAC="${temp_stub}-conn-trac"
+	#EASYTLS_CONN_TRAC="${temp_stub}-conn-trac"
 
 	# Kill client file
 	EASYTLS_KILL_FILE="${temp_stub}-kill-client"

diff --git a/easytls-shellcheck.sh b/easytls-shellcheck.sh
@@ -8,7 +8,10 @@ shellcheck_bin='shellcheck'
 	}
 
 "${shellcheck_bin}" --version
-export SHELLCHECK_OPTS="-S warning -e 1090"
+export SHELLCHECK_OPTS="--shell=sh -S warning -e 1090 $*"
+
+# SC1090 - Can't follow non-constant source
+# Recommend -e 2034
 
 foo='========================='
 
@@ -18,21 +21,45 @@ printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls'
 printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls-cryptv2-verify.sh'
 "${shellcheck_bin}" easytls-cryptv2-verify.sh && sc_easytls_cryptv2_verify=$?
 
+printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls-cryptv2-verify.vars'
+"${shellcheck_bin}" easytls-cryptv2-verify.vars && sc_easytls_cryptv2_verify_vars=$?
+
 printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls-verify.sh'
 "${shellcheck_bin}" easytls-verify.sh && sc_easytls_verify=$?
 
+printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls-verify.vars'
+"${shellcheck_bin}" easytls-verify.vars && sc_easytls_verify_vars=$?
+
 printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls-client-connect.sh'
 "${shellcheck_bin}" easytls-client-connect.sh && sc_easytls_client_connect=$?
 
+printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls-client-connect.vars'
+"${shellcheck_bin}" easytls-client-connect.vars && sc_easytls_client_connect_vars=$?
+
 printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls-client-disconnect.sh'
 "${shellcheck_bin}" easytls-client-disconnect.sh && sc_easytls_client_disconnect=$?
 
+printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls-client-disconnect.vars'
+"${shellcheck_bin}" easytls-client-disconnect.vars && sc_easytls_client_disconnect_vars=$?
+
+printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls-client-disconnect.sh'
+"${shellcheck_bin}" easytls-conn-trac.lib && sc_easytls_conn_trac=$?
+
+printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls-shellcheck.sh'
+"${shellcheck_bin}" easytls-shellcheck.sh && sc_easytls_shellcheck=$?
+
 exit_status=$(( \
 					sc_easytls + \
 					sc_easytls_cryptv2_verify + \
 					sc_easytls_verify + \
 					sc_easytls_client_connect + \
-					sc_easytls_client_disconnect \
+					sc_easytls_client_disconnect + \
+					sc_easytls_cryptv2_verify_vars + \
+					sc_easytls_verify_vars + \
+					sc_easytls_client_connect_vars + \
+					sc_easytls_client_disconnect_vars + \
+					sc_easytls_conn_trac + \
+					sc_easytls_shellcheck \
 			 ))
 
 # dirty trick to fool my CI and still record a fail

diff --git a/easytls-verify.sh b/easytls-verify.sh
@@ -117,7 +117,9 @@ fail_and_exit ()
 {
 	conn_trac_record="${c_tlskey_serial:-${g_tlskey_serial}}"
 	conn_trac_record="${conn_trac_record}=${c_md_serial:-${g_md_serial}}"
+	# shellcheck disable=SC2154
 	conn_trac_record="${conn_trac_record}=${untrusted_ip}"
+	# shellcheck disable=SC2154
 	conn_trac_record="${conn_trac_record}=${untrusted_port}"
 	conn_trac_disconnect "${conn_trac_record}"
 	delete_metadata_files
@@ -331,6 +333,7 @@ deps ()
 	fi
 
 	# Check for peer_cert
+	# shellcheck disable=SC2154
 	[ -f "${peer_cert}" ] || {
 		help_note="This script requires Openvpn --tls-export-cert"
 		die "Missing peer_cert variable or file: ${peer_cert}" 15
@@ -344,7 +347,7 @@ generic_metadata_string_to_vars ()
 	g_md_seed="${metadata_string#*-}"
 	#md_padding="${md_seed%%--*}"
 	g_md_easytls_ver="${1#*--}"
-	g_md_easytls="${md_easytls_ver%-*.*}"
+	g_md_easytls="${g_md_easytls_ver%-*.*}"
 
 	g_md_identity="${2%%-*}"
 	#md_srv_name="${2##*-}"
@@ -365,7 +368,7 @@ client_metadata_string_to_vars ()
 	c_md_seed="${metadata_string#*-}"
 	#md_padding="${md_seed%%--*}"
 	c_md_easytls_ver="${1#*--}"
-	c_md_easytls="${md_easytls_ver%-*.*}"
+	c_md_easytls="${c_md_easytls_ver%-*.*}"
 
 	c_md_identity="${2%%-*}"
 	#md_srv_name="${2##*-}"
@@ -529,6 +532,7 @@ then
 	delete_stage1_file || die "Failed to remove stage-1 file" 252
 
 	# Set Client certificate serial number from Openvpn env
+	# shellcheck disable=SC2154
 	client_serial="$(format_number "${tls_serial_hex_0}")"
 
 	# Verify Client certificate serial number
@@ -545,9 +549,10 @@ then
 	generic_metadata_file="${temp_stub}-gmd"
 
 	# extended generic metadata file
+	# shellcheck disable=SC2154
 	generic_ext_md_file="${temp_stub}-gmd-${untrusted_ip}-${untrusted_port}"
-
 	# generic trusted file - For reneg - This changes every float
+	# shellcheck disable=SC2154
 	generic_trusted_md_file="${temp_stub}-gmd-${trusted_ip}-${trusted_port}"
 
 	# TLS-Crypt-V2 key flag
@@ -829,7 +834,6 @@ then
 else
 	# Create stage-1 file
 	create_stage1_file || die "Failed to create stage-1 file" 251
-	stage1=1
 fi # stage1_file
 
 # Allow this connection