Merge pull request #2652 from testssl/address_addCA_issue_3.0

Address CA file parsing problem

CHANGELOG.md

@@ -54,7 +54,7 @@
 * Renegotiation checks improved, also no false positive for Node.js anymore
 * Major update of client simulations with self-collected up-to-date data
 * Update of CA certificate stores
-* Lots of bug fixes
+* Lots of bug and security fixes
 * More travis/CI checks -- still place for improvements
 * Man page reviewed
 

testssl.sh

@@ -19681,10 +19681,10 @@ debug_globals() {
 # arg2: value (if no = provided)
 parse_opt_equal_sign() {
      if [[ "$1" == *=* ]]; then
-          echo ${1#*=}
+          safe_echo "${1#*=}"
           return 1  # = means we don't need to shift args!
      else
-          echo "$2"
+          safe_echo "$2"
           return 0  # we need to shift
      fi
 }
@@ -20254,8 +20254,11 @@ parse_cmd_line() {
      [[ $CMDLINE_IP == one ]] && ( is_ipv4addr "$URI" || is_ipv6addr "$URI" )  && fatal "\"--ip=one\" plus supplying an IP address doesn't work" $ERR_CMDLINE
      "$do_mx_all_ips" && [[ "$NODNS" == none ]] && fatal "\"--mx\" and \"--nodns=none\" don't work together" $ERR_CMDLINE
 
+     if [[ "${ADDITIONAL_CA_FILES}" =~ \  ]]; then
+          fatal "The CA file \"${ADDITIONAL_CA_FILES}\" must not contain spaces" $ERR_RESOURCE
+     fi
      ADDITIONAL_CA_FILES="${ADDITIONAL_CA_FILES//,/ }"
-     for fname in $ADDITIONAL_CA_FILES; do
+     for fname in ${ADDITIONAL_CA_FILES}; do
           [[ -s "$fname" ]] || fatal "CA file \"$fname\" does not exist" $ERR_RESOURCE
           grep -q "BEGIN CERTIFICATE" "$fname" || fatal "\"$fname\" is not CA file in PEM format" $ERR_RESOURCE
      done