From a92dd3d2492cc8460ccf101e7b673bd4ae793cf3 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Fri, 13 Aug 2021 16:02:27 +0100
Subject: [PATCH] shellcheck improvements
Signed-off-by: Richard T Bonhomme
---
 easytls | 15 ++++++++-------
 easytls-client-connect.sh | 5 ++++-
 easytls-client-disconnect.sh | 26 ++++----------------------
 easytls-cryptv2-verify.sh | 3 ++-
 easytls-shellcheck.sh | 31 +++++++++++++++++++++++++++++--
 easytls-verify.sh | 12 ++++++++----
 6 files changed, 55 insertions(+), 37 deletions(-)
diff --git a/easytls b/easytls
index 3ea5da8..ad2f4df 100755
--- a/easytls
+++ b/easytls
@@ -2584,6 +2584,7 @@ inline_file_verify_hash ()
 # Should not have this HASH, that is the reason to do this check
 # If we already have a HASH then something else is wrong
+ # shellcheck disable=SC2154
 [ -n "${inline_hash}" ] && \
 die "inline_file_verify_hash: Found value: inline_hash ${inline_hash}"
@@ -2691,13 +2692,13 @@ openssl_crt_common_name ()
 {
 # This is ONLY use to import a certificate and importing is DISABLED
 die "openssl_crt_common_name DISABLED"
- temp_name="$(get_openssl_crt_common_name "${crt_file}")" || {
- error_msg ""
- return 1
- }
- temp_name="${temp_name##*, CN = }"
- temp_name="${temp_name%%, emailAddress = *}"
- "${EASYTLS_PRINTF}" "%s" "${temp_name}"
+ #temp_name="$(get_openssl_crt_common_name "${crt_file}")" || {
+ # error_msg ""
+ # return 1
+ # }
+ #temp_name="${temp_name##*, CN = }"
+ #temp_name="${temp_name%%, emailAddress = *}"
+ #"${EASYTLS_PRINTF}" "%s" "${temp_name}"
 } # => openssl_crt_common_name ()
 # Extract the CommonName from OpenSSL -subject
diff --git a/easytls-client-connect.sh b/easytls-client-connect.sh
index a157b5e..493be7a 100755
--- a/easytls-client-connect.sh
+++ b/easytls-client-connect.sh
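Review bot: The added `# shellcheck disable=SC2154` before `[ -n "${inline_hash}" ]` records the suppression but not the reason, and the same bare directive is repeated for `untrusted_ip`, `untrusted_port`, `tls_serial_hex_0`, `metadata_file`, `peer_cert`, `trusted_ip` and `trusted_port` in the easytls-client-connect.sh, easytls-client-disconnect.sh, easytls-cryptv2-verify.sh and easytls-verify.sh hunks. Here the surrounding comment already explains that `inline_hash` is expected to be unset, so the directive is justified on its own; in the other hunks the variables appear to come from the OpenVPN script environment, which nothing next to the directive says. A one-line reason above each of those directives, e.g. `# untrusted_ip and untrusted_port are set by OpenVPN in the script environment`, keeps a later reader from deleting either the suppression or the check. inline_file_verify_hash continues outside the hunk.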
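Review bot: The seven lines following `die "openssl_crt_common_name DISABLED"` are commented out instead of deleted, which keeps unreachable code in the function with no statement of why it is retained; the `EASYTLS_CONN_TRAC` assignment in the easytls-cryptv2-verify.sh `deps ()` hunk is handled the same way. Git history already preserves the old body, so removing the block outright is cleaner, and if it is deliberately kept for a future re-enable a comment such as `# Kept for reference only: certificate import is disabled` should say so. For the cryptv2 hunk it is also worth confirming that nothing else in that script still reads `EASYTLS_CONN_TRAC`, since it is now never assigned; that cannot be seen from the hunk.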
@@ -111,7 +111,9 @@ fail_and_exit ()
 {
 conn_trac_record="${c_tlskey_serial:-${g_tlskey_serial}}"
 conn_trac_record="${conn_trac_record}=${c_md_serial:-${g_md_serial}}"
+ # shellcheck disable=SC2154
 conn_trac_record="${conn_trac_record}=${untrusted_ip}"
+ # shellcheck disable=SC2154
 conn_trac_record="${conn_trac_record}=${untrusted_port}"
 conn_trac_disconnect "${conn_trac_record}"
@@ -253,7 +255,7 @@ client_metadata_string_to_vars ()
 c_md_seed="${metadata_string#*-}"
 #md_padding="${md_seed%%--*}"
 c_md_easytls_ver="${1#*--}"
- c_md_easytls="${md_easytls_ver%-*.*}"
+ c_md_easytls="${c_md_easytls_ver%-*.*}"
 c_md_identity="${2%%-*}"
 #md_srv_name="${2##*-}"
@@ -383,6 +385,7 @@ fi
 update_status "CN:${X509_0_CN}"
 # Set Client certificate serial number from Openvpn env
+# shellcheck disable=SC2154
 client_serial="$(format_number "${tls_serial_hex_0}")"
 # Verify Client certificate serial number
diff --git a/easytls-client-disconnect.sh b/easytls-client-disconnect.sh
index 546f7a2..370fa54 100755
--- a/easytls-client-disconnect.sh
+++ b/easytls-client-disconnect.sh
@@ -238,7 +238,7 @@ client_metadata_string_to_vars ()
 c_md_seed="${metadata_string#*-}"
 #md_padding="${md_seed%%--*}"
 c_md_easytls_ver="${1#*--}"
- c_md_easytls="${md_easytls_ver%-*.*}"
+ c_md_easytls="${c_md_easytls_ver%-*.*}"
 c_md_identity="${2%%-*}"
 #md_srv_name="${2##*-}"
@@ -277,26 +277,6 @@ do
 empty_ok=1
 EASYTLS_VERBOSE=1
 ;;
- -a|--allow-no-check)
- empty_ok=1
- allow_no_check=1
- ;;
- -m|ignore-mismatch) # tlskey-x509 does not match openvpn-x509
- empty_ok=1
- ignore_x509_mismatch=1
- ;;
- -p|--push-hwaddr-required)
- empty_ok=1
- push_hwaddr_required=1
- ;;
- -c|--crypt-v2-required)
- empty_ok=1
- crypt_v2_required=1
- ;;
- -k|--key-hwaddr-required)
- empty_ok=1
- key_hwaddr_required=1
- ;;
 -b|--base-dir)
 EASYTLS_base_dir="${val}"
 ;;
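Review bot: The corrected `c_md_easytls="${c_md_easytls_ver%-*.*}"` is a behaviour change, not only a lint fix: assuming `md_easytls_ver` was never assigned, as the SC2154 finding that prompted the change suggests, `c_md_easytls` was always empty before and will now hold a real value for the first time. The same correction appears in the easytls-client-disconnect.sh hunk at -238 and in the easytls-verify.sh hunks at -344 (`g_md_easytls`) and -365. Any later comparison on these variables passed or failed vacuously until now, so the connect, disconnect and verify paths should be exercised with a client whose metadata carries a version string before this is relied on; client_metadata_string_to_vars continues outside the hunk.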
@@ -368,6 +348,7 @@ fi
 update_status "CN:${X509_0_CN}"
 # Set Client certificate serial number from Openvpn env
+# shellcheck disable=SC2154
 client_serial="$(format_number "${tls_serial_hex_0}")"
 # Verify Client certificate serial number
@@ -381,6 +362,7 @@ generic_metadata_file="${temp_stub}-gmd"
 client_metadata_file="${temp_stub}-cmd-${client_serial}"
 # --tls-verify output to --client-connect
+# shellcheck disable=SC2154
 generic_ext_md_file="${generic_metadata_file}-${untrusted_ip}-${untrusted_port}"
 client_ext_md_file="${client_metadata_file}-${untrusted_ip}-${untrusted_port}"
@@ -401,7 +383,7 @@ then
 update_status "client_ext_md_file loaded"
 else
 # cert serial does not match - ALWAYS fail
- [ $ignore_x509_mismatch ] || fail_and_exit "CLIENT X509 SERIAL MISMATCH" 7
+ die "CLIENT X509 SERIAL MISMATCH" 7
 fi
 # Any failure_msg means fail_and_exit
diff --git a/easytls-cryptv2-verify.sh b/easytls-cryptv2-verify.sh
index cb8ddd7..f04c2f8 100755
--- a/easytls-cryptv2-verify.sh
+++ b/easytls-cryptv2-verify.sh
@@ -459,6 +459,7 @@ init ()
 EASYTLS_srv_pid=$PPID
 # metadata file
+ # shellcheck disable=SC2154
 OPENVPN_METADATA_FILE="${metadata_file}"
 # Log message
@@ -537,7 +538,7 @@ deps ()
 EASYTLS_WLOG="${temp_stub}-cryptv2-verify.log"
 # Conn track
- EASYTLS_CONN_TRAC="${temp_stub}-conn-trac"
+ #EASYTLS_CONN_TRAC="${temp_stub}-conn-trac"
 # Kill client file
 EASYTLS_KILL_FILE="${temp_stub}-kill-client"
diff --git a/easytls-shellcheck.sh b/easytls-shellcheck.sh
index b61fc17..28d30c0 100755
--- a/easytls-shellcheck.sh
+++ b/easytls-shellcheck.sh
@@ -8,7 +8,10 @@ shellcheck_bin='shellcheck'
 }
 "${shellcheck_bin}" --version
-export SHELLCHECK_OPTS="-S warning -e 1090"
+export SHELLCHECK_OPTS="--shell=sh -S warning -e 1090 $*"
+
+# SC1090 - Can't follow non-constant source
+# Recommend -e 2034
 foo='========================='
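Review bot: Replacing `[ $ignore_x509_mismatch ] || fail_and_exit "CLIENT X509 SERIAL MISMATCH" 7` with `die "CLIENT X509 SERIAL MISMATCH" 7` removes the option guard but also changes the exit path: in the sibling scripts `fail_and_exit ()` is the routine that runs `conn_trac_disconnect` and `delete_metadata_files` (see the easytls-client-connect.sh and easytls-verify.sh hunks), whereas nothing in this commit shows `die` doing that teardown. If `die` in this script does not perform the same cleanup, a serial mismatch at disconnect time would leave the conn-trac record and metadata files behind, which is at odds with the context line `# Any failure_msg means fail_and_exit` just below. Either keep `fail_and_exit "CLIENT X509 SERIAL MISMATCH" 7` without the guard, or add a comment stating why a plain `die` is sufficient here. The enclosing `if` starts outside the hunk.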
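Review bot: The new comment `# Recommend -e 2034` does not say what SC2034 is or why excluding it is recommended, so a reader has to look it up, and nothing ties it to the `$*` that is now appended to `SHELLCHECK_OPTS`. If the intent is that the *.vars files this script now checks define variables consumed only by the scripts that source them, say so: `# SC2034 (unused variable) fires on every assignment in *.vars; run with -e 2034 to silence it` and `# extra arguments are appended verbatim to SHELLCHECK_OPTS`. As far as I know shellcheck splits SHELLCHECK_OPTS on whitespace, so an argument containing spaces cannot be passed through `$*`; acceptable for a developer tool, but worth stating next to the export.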
@@ -18,21 +21,45 @@ printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls'
 printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls-cryptv2-verify.sh'
 "${shellcheck_bin}" easytls-cryptv2-verify.sh && sc_easytls_cryptv2_verify=$?
+printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls-cryptv2-verify.vars'
+"${shellcheck_bin}" easytls-cryptv2-verify.vars && sc_easytls_cryptv2_verify_vars=$?
+
 printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls-verify.sh'
 "${shellcheck_bin}" easytls-verify.sh && sc_easytls_verify=$?
+printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls-verify.vars'
+"${shellcheck_bin}" easytls-verify.vars && sc_easytls_verify_vars=$?
+
 printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls-client-connect.sh'
 "${shellcheck_bin}" easytls-client-connect.sh && sc_easytls_client_connect=$?
+printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls-client-connect.vars'
+"${shellcheck_bin}" easytls-client-connect.vars && sc_easytls_client_connect_vars=$?
+
 printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls-client-disconnect.sh'
 "${shellcheck_bin}" easytls-client-disconnect.sh && sc_easytls_client_disconnect=$?
+printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls-client-disconnect.vars'
+"${shellcheck_bin}" easytls-client-disconnect.vars && sc_easytls_client_disconnect_vars=$?
+
+printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls-client-disconnect.sh'
+"${shellcheck_bin}" easytls-conn-trac.lib && sc_easytls_conn_trac=$?
+
+printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls-shellcheck.sh'
+"${shellcheck_bin}" easytls-shellcheck.sh && sc_easytls_shellcheck=$?
+
 exit_status=$(( \
 sc_easytls + \
 sc_easytls_cryptv2_verify + \
 sc_easytls_verify + \
 sc_easytls_client_connect + \
- sc_easytls_client_disconnect \
+ sc_easytls_client_disconnect + \
+ sc_easytls_cryptv2_verify_vars + \
+ sc_easytls_verify_vars + \
+ sc_easytls_client_connect_vars + \
+ sc_easytls_client_disconnect_vars + \
+ sc_easytls_conn_trac + \
+ sc_easytls_shellcheck \
 ))
 # dirty trick to fool my CI and still record a fail
diff --git a/easytls-verify.sh b/easytls-verify.sh
index b44258a..ebc9192 100755
--- a/easytls-verify.sh
+++ b/easytls-verify.sh
@@ -117,7 +117,9 @@ fail_and_exit ()
 {
 conn_trac_record="${c_tlskey_serial:-${g_tlskey_serial}}"
 conn_trac_record="${conn_trac_record}=${c_md_serial:-${g_md_serial}}"
+ # shellcheck disable=SC2154
 conn_trac_record="${conn_trac_record}=${untrusted_ip}"
+ # shellcheck disable=SC2154
 conn_trac_record="${conn_trac_record}=${untrusted_port}"
 conn_trac_disconnect "${conn_trac_record}"
 delete_metadata_files
@@ -331,6 +333,7 @@ deps ()
 fi
 # Check for peer_cert
+ # shellcheck disable=SC2154
 [ -f "${peer_cert}" ] || {
 help_note="This script requires Openvpn --tls-export-cert"
 die "Missing peer_cert variable or file: ${peer_cert}" 15
@@ -344,7 +347,7 @@ generic_metadata_string_to_vars ()
 g_md_seed="${metadata_string#*-}"
 #md_padding="${md_seed%%--*}"
 g_md_easytls_ver="${1#*--}"
- g_md_easytls="${md_easytls_ver%-*.*}"
+ g_md_easytls="${g_md_easytls_ver%-*.*}"
 g_md_identity="${2%%-*}"
 #md_srv_name="${2##*-}"
@@ -365,7 +368,7 @@ client_metadata_string_to_vars ()
 c_md_seed="${metadata_string#*-}"
 #md_padding="${md_seed%%--*}"
 c_md_easytls_ver="${1#*--}"
- c_md_easytls="${md_easytls_ver%-*.*}"
+ c_md_easytls="${c_md_easytls_ver%-*.*}"
 c_md_identity="${2%%-*}"
 #md_srv_name="${2##*-}"
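Review bot: The banner printed before checking `easytls-conn-trac.lib` says `'*** shellcheck easytls-client-disconnect.sh'`, a copy-paste leftover; it should read `printf '\n\n%s\n%s\n' "$foo" '*** shellcheck easytls-conn-trac.lib'`. The new lines also repeat the existing `"${shellcheck_bin}" FILE && sc_x=$?` pattern, which cannot record a failure: when shellcheck fails the `&&` short-circuits and `sc_x` is never assigned, and when it succeeds `$?` is 0, so every term of the `exit_status` sum is 0 or unset (unless the script runs under `set -u`, which is outside the hunk). `"${shellcheck_bin}" easytls-conn-trac.lib; sc_easytls_conn_trac=$?` captures the real status, and the same change applies to the other pairs added here and to the pre-existing ones.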
@@ -529,6 +532,7 @@ then
 delete_stage1_file || die "Failed to remove stage-1 file" 252
 # Set Client certificate serial number from Openvpn env
+ # shellcheck disable=SC2154
 client_serial="$(format_number "${tls_serial_hex_0}")"
 # Verify Client certificate serial number
@@ -545,9 +549,10 @@ then
 generic_metadata_file="${temp_stub}-gmd"
 # extended generic metadata file
+ # shellcheck disable=SC2154
 generic_ext_md_file="${temp_stub}-gmd-${untrusted_ip}-${untrusted_port}"
- # generic trusted file - For reneg - This changes every float
+ # shellcheck disable=SC2154
 generic_trusted_md_file="${temp_stub}-gmd-${trusted_ip}-${trusted_port}"
 # TLS-Crypt-V2 key flag
@@ -829,7 +834,6 @@ then
 else
 # Create stage-1 file
 create_stage1_file || die "Failed to create stage-1 file" 251
- stage1=1
 fi # stage1_file
 # Allow this connection
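Review bot: The comment `# generic trusted file - For reneg - This changes every float` above `generic_trusted_md_file=` is replaced by `# shellcheck disable=SC2154` rather than kept alongside it, so the only explanation of why a second metadata file keyed on the trusted address exists, and why its name is expected to change ("every float"), is lost. Keep the original comment and put the directive on its own line beneath it, i.e. `# generic trusted file - For reneg - This changes every float` followed by `# shellcheck disable=SC2154`. The enclosing `then` block starts outside the hunk.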