diff --git a/testssl.sh b/testssl.sh index aa6311e..f9cd6d0 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1,4 +1,4 @@ -#!/usr/bin/env bash +#!@TERMUX_PREFIX@/bin/env bash # # vim:ts=5:sw=5:expandtab # we have a spaces softtab, that ensures readability with other editors too @@ -103,11 +103,11 @@ DEBUG_ALLINONE=${SETX:-false} # SETX as a shortcut for old s if [[ "$SHELLOPTS" =~ xtrace ]]; then if "$DEBUGTIME"; then # separate debugging, doesn't mess up the screen, $DEBUGTIME determines whether we also do performance analysis - exec 42>&2 2> >(tee /tmp/testssl-$$.log | sed -u 's/^.*$/now/' | date -f - +%s.%N >/tmp/testssl-$$.time) + exec 42>&2 2> >(tee @TERMUX_PREFIX@/tmp/testssl-$$.log | sed -u 's/^.*$/now/' | date -f - +%s.%N >@TERMUX_PREFIX@/tmp/testssl-$$.time) # BASH_XTRACEFD=42 else if ! "$DEBUG_ALLINONE"; then - exec 42>| /tmp/testssl-$$.log + exec 42>| @TERMUX_PREFIX@/tmp/testssl-$$.log BASH_XTRACEFD=42 fi fi @@ -166,7 +166,7 @@ BASICAUTH=${BASICAUTH:-""} # HTTP basic auth credentials can be set REQHEADER=${REQHEADER:-""} # HTTP custom request header can be set here like Header: content. Can be used multiple times. BUGS=${BUGS:-""} # -bugs option from openssl, needed for some BIG IP F5 WARNINGS=${WARNINGS:-""} # can be either off or batch -DEBUG=${DEBUG:-0} # 1: normal output the files in /tmp/ are kept for further debugging purposes +DEBUG=${DEBUG:-0} # 1: normal output the files in @TERMUX_PREFIX@/tmp/ are kept for further debugging purposes # 2: list more what's going on , also lists some errors of connections # 3: slight hexdumps + other info, # 4: display bytes sent via sockets @@ -193,8 +193,8 @@ ADDTL_CA_FILES="${ADDTL_CA_FILES:-""}" # single file with a CA in PEM format or ########### Tuning vars which cannot be set by a cmd line switch. Use instead e.g "HEADER_MAXSLEEP=10 ./testssl.sh " # -TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-""}" # If you run testssl.sh and it doesn't find it necessary file automagically set TESTSSL_INSTALL_DIR -CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-""}" # You can have your CA stores some place else +TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-"@TERMUX_PREFIX@"}" # If you run testssl.sh and it doesn't find it necessary file automagically set TESTSSL_INSTALL_DIR +CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-"@TERMUX_PREFIX@/etc/tls"}" # You can have your CA stores some place else EXPERIMENTAL=${EXPERIMENTAL:-false} # a development hook which allows us to disable code PROXY_WAIT=${PROXY_WAIT:-20} # waiting at max 20 seconds for socket reply through proxy DNS_VIA_PROXY=${DNS_VIA_PROXY:-false} # do DNS lookups via proxy. --ip=proxy reverses this @@ -221,7 +221,7 @@ VULN_THRESHLD=${VULN_THRESHLD:-1} # if vulnerabilities to check >$VULN_THR UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo) don't support [bracketed] IPv6 addresses NO_ENGINE=${NO_ENGINE:-false} # if there are problems finding the (external) openssl engine set this to true declare -r CLIENT_MIN_FS=5 # number of ciphers needed to run a test for FS -CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d) +CAPATH="${CAPATH:-@TERMUX_PREFIX@/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d) SOCAT="${SOCAT:-}" # For now we would need this for STARTTLS injection MEASURE_TIME_FILE=${MEASURE_TIME_FILE:-""} @@ -245,7 +245,7 @@ PRINTF="" # which external printf to use. Empty pr CIPHERS_BY_STRENGTH_FILE="" TLS_DATA_FILE="" # mandatory file for socket-based handshakes OPENSSL="" # ~/bin/openssl.$(uname).$(uname -m) if you run this from GitHub. Linux otherwise probably /usr/bin/openssl -OPENSSL2=${OPENSSL2:-/usr/bin/openssl} # This will be openssl version >=1.1.1 (auto determined) as opposed to openssl-bad (OPENSSL) +OPENSSL2=${OPENSSL2:-@TERMUX_PREFIX@/bin/openssl} # This will be openssl version >=1.1.1 (auto determined) as opposed to openssl-bad (OPENSSL) OPENSSL2_HAS_TLS_1_3=false # If we run with supplied binary AND $OPENSSL2 supports TLS 1.3 this will be set to true OPENSSL2_HAS_CHACHA20=false OPENSSL2_HAS_AES128_GCM=false @@ -2873,7 +2873,7 @@ run_hpkp() { local -i i nrsaved local first_hpkp_header local spki - local ca_hashes="$TESTSSL_INSTALL_DIR/etc/ca_hashes.txt" + local ca_hashes="$TESTSSL_INSTALL_DIR/etc/testssl/ca_hashes.txt" if [[ ! -s $HEADERFILE ]]; then run_http_header "$1" || return 1 @@ -5119,9 +5119,9 @@ run_client_simulation() { local client_service="" # source the external file - . "$TESTSSL_INSTALL_DIR/etc/client-simulation.txt" 2>/dev/null + . "$TESTSSL_INSTALL_DIR/etc/testssl/client-simulation.txt" 2>/dev/null if [[ $? -ne 0 ]]; then - prln_local_problem "couldn't find client simulation data in $TESTSSL_INSTALL_DIR/etc/client-simulation.txt" + prln_local_problem "couldn't find client simulation data in $TESTSSL_INSTALL_DIR/etc/testssl/client-simulation.txt" return 1 fi @@ -7760,7 +7760,7 @@ determine_trust() { # if you run testssl.sh from a different path /you can set either TESTSSL_INSTALL_DIR or CA_BUNDLES_PATH to find the CA BUNDLES if [[ -z "$CA_BUNDLES_PATH" ]]; then - ca_bundles="$TESTSSL_INSTALL_DIR/etc/*.pem" + ca_bundles="$TESTSSL_INSTALL_DIR/etc/testssl/*.pem" else ca_bundles="$CA_BUNDLES_PATH/*.pem" fi @@ -9071,7 +9071,7 @@ certificate_info() { local certificate_list_ordering_problem="${13}" local cert_sig_algo cert_sig_hash_algo cert_key_algo cert_spki_info local hostcert="" - local common_primes_file="$TESTSSL_INSTALL_DIR/etc/common-primes.txt" + local common_primes_file="$TESTSSL_INSTALL_DIR/etc/testssl/common-primes.txt" local -i lineno_matched=0 local cert_keyusage cert_ext_keyusage short_keyAlgo local outok=true @@ -18634,7 +18634,7 @@ get_common_prime() { local spaces="$3" local pubkey dh_p="" local -i subret=0 - local common_primes_file="$TESTSSL_INSTALL_DIR/etc/common-primes.txt" + local common_primes_file="$TESTSSL_INSTALL_DIR/etc/testssl/common-primes.txt" local -i lineno_matched=0 "$HAS_PKEY" || return 2 @@ -20587,12 +20587,12 @@ old_fart() { get_install_dir() { [[ -z "$TESTSSL_INSTALL_DIR" ]] && TESTSSL_INSTALL_DIR="$(dirname "${BASH_SOURCE[0]}")" - if [[ -r "$RUN_DIR/etc/cipher-mapping.txt" ]]; then - CIPHERS_BY_STRENGTH_FILE="$RUN_DIR/etc/cipher-mapping.txt" + if [[ -r "$RUN_DIR/etc/testssl/cipher-mapping.txt" ]]; then + CIPHERS_BY_STRENGTH_FILE="$RUN_DIR/etc/testssl/cipher-mapping.txt" [[ -z "$TESTSSL_INSTALL_DIR" ]] && TESTSSL_INSTALL_DIR="$RUN_DIR" # probably TESTSSL_INSTALL_DIR fi - [[ -r "$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt" + [[ -r "$TESTSSL_INSTALL_DIR/etc/testssl/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/testssl/cipher-mapping.txt" if [[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]]; then [[ -r "$RUN_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$RUN_DIR/cipher-mapping.txt" [[ -r "$TESTSSL_INSTALL_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/cipher-mapping.txt" @@ -20606,13 +20606,13 @@ get_install_dir() { # not sure whether Darwin has -f TESTSSL_INSTALL_DIR="$(dirname "$TESTSSL_INSTALL_DIR" 2>/dev/null)" [[ -r "$TESTSSL_INSTALL_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/cipher-mapping.txt" - [[ -r "$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt" + [[ -r "$TESTSSL_INSTALL_DIR/etc/testssl/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/testssl/cipher-mapping.txt" fi # still no cipher mapping file: if [[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]] && type -p realpath &>/dev/null ; then TESTSSL_INSTALL_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")" - CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt" + CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/testssl/cipher-mapping.txt" [[ -r "$TESTSSL_INSTALL_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/cipher-mapping.txt" fi @@ -20622,7 +20622,7 @@ get_install_dir() { TESTSSL_INSTALL_DIR="$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")" || \ TESTSSL_INSTALL_DIR="$(dirname "$(readlink "${BASH_SOURCE[0]}")")" # not sure whether Darwin has -f - CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt" + CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/testssl/cipher-mapping.txt" [[ -r "$TESTSSL_INSTALL_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/cipher-mapping.txt" fi @@ -20630,16 +20630,16 @@ get_install_dir() { DISPLAY_CIPHERNAMES="openssl-only" debugme echo "$CIPHERS_BY_STRENGTH_FILE" prln_warning "\nATTENTION: No cipher mapping file found!" - outln "Please note from 2.9 on $PROG_NAME needs files in \"\$TESTSSL_INSTALL_DIR/etc/\" to function correctly." + outln "Please note from 2.9 on $PROG_NAME needs files in \"\$TESTSSL_INSTALL_DIR/etc/testssl/\" to function correctly." outln ignore_no_or_lame "Type \"yes\" to ignore this warning and proceed at your own risk" "yes" [[ $? -ne 0 ]] && exit $ERR_RESOURCE fi - TLS_DATA_FILE="$TESTSSL_INSTALL_DIR/etc/tls_data.txt" + TLS_DATA_FILE="$TESTSSL_INSTALL_DIR/etc/testssl/tls_data.txt" if [[ ! -r "$TLS_DATA_FILE" ]]; then prln_warning "\nATTENTION: No TLS data file found -- needed for socket-based handshakes" - outln "Please note from 2.9 on $PROG_NAME needs files in \"\$TESTSSL_INSTALL_DIR/etc/\" to function correctly." + outln "Please note from 2.9 on $PROG_NAME needs files in \"\$TESTSSL_INSTALL_DIR/etc/testssl/\" to function correctly." outln ignore_no_or_lame "Type \"yes\" to ignore this warning and proceed at your own risk" "yes" [[ $? -ne 0 ]] && exit $ERR_RESOURCE @@ -20714,7 +20714,7 @@ find_openssl_binary() { # couldn't be parsed by our openssl it bailed out here with a misleading error, see #1982. # Now we try with another version of the config file and if it still fails we bail out. if ! $OPENSSL version -d >/dev/null 2>&1 ; then - export OPENSSL_CONF="$TESTSSL_INSTALL_DIR/etc/openssl.cnf" + export OPENSSL_CONF="$TESTSSL_INSTALL_DIR/etc/testssl/openssl.cnf" if ! $OPENSSL version -d >/dev/null 2>&1 ; then fatal "cannot exec or find any openssl binary" $ERR_OSSLBIN else @@ -21231,7 +21231,7 @@ output options (can also be preset via environment variables): no-iana|no-rfc> -> don't display the IANA/(RFC) cipher suite name, display OpenSSL names only --color <0|1|2|3> 0: no escape or other codes, 1: b/w escape codes, 2: color (default), 3: extra color (color all ciphers) --colorblind swap green and blue in the output - --debug <0-6> 1: screen output normal but keeps debug output in /tmp/. 2-6: see "grep -A 5 '^DEBUG=' testssl.sh" + --debug <0-6> 1: screen output normal but keeps debug output in @TERMUX_PREFIX@/tmp/. 2-6: see "grep -A 5 '^DEBUG=' testssl.sh" --disable-rating Explicitly disables the rating output file output options (can also be preset via environment variables) @@ -21254,7 +21254,7 @@ file output options (can also be preset via environment variables) --outprefix before '\${NODE}.' above prepend -Options requiring a value can also be called with '=' e.g. testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl . +Options requiring a value can also be called with '=' e.g. testssl.sh -t=smtp --wide --openssl=@TERMUX_PREFIX@/bin/openssl . always needs to be the last parameter. EOF @@ -21268,7 +21268,7 @@ EOF } maketempf() { - TEMPDIR=$(mktemp -d /tmp/testssl.XXXXXX 2>/dev/null) + TEMPDIR=$(mktemp -d @TERMUX_PREFIX@/tmp/testssl.XXXXXX 2>/dev/null) if [[ $? -ne 0 ]]; then # For e.g. devices where we can't write to /tmp we chose $PWD but we can't # allow every char as we haven't quoted all strings depending on it, see #1445 @@ -21651,7 +21651,7 @@ initialize_engine(){ # check for openssl 1.1.1 config -- not this may not be reliable. We only use this # to suppress the warning (confuses users), see #1119 # https://github.com/openssl/openssl/commit/b524b808a1d1ba204dbdcbb42de4e3bddb3472ac - if ! grep -q 'using the .include directive' /etc/ssl/openssl.cnf; then + if ! grep -q 'using the .include directive' @TERMUX_PREFIX@/etc/ssl/openssl.cnf; then [[ "$DEBUG" -ge 1 ]] && outln && pr_warning "No engine or GOST support via engine with your $OPENSSL"; outln fi fileout_insert_warning "engine_problem" "WARN" "No engine or GOST support via engine with your $OPENSSL" @@ -21661,7 +21661,7 @@ initialize_engine(){ else # we have engine support. But we want to check whether an external OPENSSL_CONF was supplied. # $TESTSSL_INSTALL_DIR/etc/openssl.cnf is an internal presetting, see #1982 - if [[ -n "$OPENSSL_CONF" ]] && [[ "$OPENSSL_CONF" != "$TESTSSL_INSTALL_DIR/etc/openssl.cnf" ]]; then + if [[ -n "$OPENSSL_CONF" ]] && [[ "$OPENSSL_CONF" != "$TESTSSL_INSTALL_DIR/etc/testssl/openssl.cnf" ]]; then prln_warning "For now I am providing the config file to have GOST support" else OPENSSL_CONF=$TEMPDIR/gost.conf @@ -21827,7 +21827,7 @@ filter_ip4_address() { # arg1 is the entry we want to look up in the host file get_local_aaaa() { local ip6="" - local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts" + local etchosts="@TERMUX_PREFIX@/etc/hosts /c/Windows/System32/drivers/etc/hosts" [[ -z "$1" ]] && echo "" && return 1 # Also multiple records should work fine @@ -21840,7 +21840,7 @@ get_local_aaaa() { } get_local_a() { local ip4="" - local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts" + local etchosts="@TERMUX_PREFIX@/etc/hosts /c/Windows/System32/drivers/etc/hosts" ip4=$(grep -wih "$1" $etchosts 2>/dev/null | grep -Ev ':|^#|\.local' | grep -Ei "[[:space:]]$1" | awk '{ print $1 }') if is_ipv4addr "$ip4"; then @@ -23016,9 +23016,9 @@ display_rdns_etc() { outln "$(out_row_aligned_max_width "$further_ip_addrs" " $CORRECT_SPACES" $TERM_WIDTH)" fi if "$LOCAL_A"; then - outln " A record via: $CORRECT_SPACES /etc/hosts " + outln " A record via: $CORRECT_SPACES @TERMUX_PREFIX@/etc/hosts " elif "$LOCAL_AAAA"; then - outln " AAAA record via: $CORRECT_SPACES /etc/hosts " + outln " AAAA record via: $CORRECT_SPACES @TERMUX_PREFIX@/etc/hosts " elif [[ -n "$CMDLINE_IP" ]]; then if is_ipv6addr $"$CMDLINE_IP"; then outln " AAAA record via: $CORRECT_SPACES supplied IP \"$CMDLINE_IP\""