mirror of
https://github.com/termux-pacman/termux-packages.git
synced 2026-01-27 21:22:29 +00:00
256 lines
16 KiB
Diff
256 lines
16 KiB
Diff
diff --git a/testssl.sh b/testssl.sh
|
|
index aa6311e..f9cd6d0 100755
|
|
--- a/testssl.sh
|
|
+++ b/testssl.sh
|
|
@@ -1,4 +1,4 @@
|
|
-#!/usr/bin/env bash
|
|
+#!@TERMUX_PREFIX@/bin/env bash
|
|
#
|
|
# vim:ts=5:sw=5:expandtab
|
|
# we have a spaces softtab, that ensures readability with other editors too
|
|
@@ -103,11 +103,11 @@ DEBUG_ALLINONE=${SETX:-false} # SETX as a shortcut for old s
|
|
if [[ "$SHELLOPTS" =~ xtrace ]]; then
|
|
if "$DEBUGTIME"; then
|
|
# separate debugging, doesn't mess up the screen, $DEBUGTIME determines whether we also do performance analysis
|
|
- exec 42>&2 2> >(tee /tmp/testssl-$$.log | sed -u 's/^.*$/now/' | date -f - +%s.%N >/tmp/testssl-$$.time)
|
|
+ exec 42>&2 2> >(tee @TERMUX_PREFIX@/tmp/testssl-$$.log | sed -u 's/^.*$/now/' | date -f - +%s.%N >@TERMUX_PREFIX@/tmp/testssl-$$.time)
|
|
# BASH_XTRACEFD=42
|
|
else
|
|
if ! "$DEBUG_ALLINONE"; then
|
|
- exec 42>| /tmp/testssl-$$.log
|
|
+ exec 42>| @TERMUX_PREFIX@/tmp/testssl-$$.log
|
|
BASH_XTRACEFD=42
|
|
fi
|
|
fi
|
|
@@ -166,7 +166,7 @@ BASICAUTH=${BASICAUTH:-""} # HTTP basic auth credentials can be set
|
|
REQHEADER=${REQHEADER:-""} # HTTP custom request header can be set here like Header: content. Can be used multiple times.
|
|
BUGS=${BUGS:-""} # -bugs option from openssl, needed for some BIG IP F5
|
|
WARNINGS=${WARNINGS:-""} # can be either off or batch
|
|
-DEBUG=${DEBUG:-0} # 1: normal output the files in /tmp/ are kept for further debugging purposes
|
|
+DEBUG=${DEBUG:-0} # 1: normal output the files in @TERMUX_PREFIX@/tmp/ are kept for further debugging purposes
|
|
# 2: list more what's going on , also lists some errors of connections
|
|
# 3: slight hexdumps + other info,
|
|
# 4: display bytes sent via sockets
|
|
@@ -193,8 +193,8 @@ ADDTL_CA_FILES="${ADDTL_CA_FILES:-""}" # single file with a CA in PEM format or
|
|
|
|
########### Tuning vars which cannot be set by a cmd line switch. Use instead e.g "HEADER_MAXSLEEP=10 ./testssl.sh <your_args_here>"
|
|
#
|
|
-TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-""}" # If you run testssl.sh and it doesn't find it necessary file automagically set TESTSSL_INSTALL_DIR
|
|
-CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-""}" # You can have your CA stores some place else
|
|
+TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-"@TERMUX_PREFIX@"}" # If you run testssl.sh and it doesn't find it necessary file automagically set TESTSSL_INSTALL_DIR
|
|
+CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-"@TERMUX_PREFIX@/etc/tls"}" # You can have your CA stores some place else
|
|
EXPERIMENTAL=${EXPERIMENTAL:-false} # a development hook which allows us to disable code
|
|
PROXY_WAIT=${PROXY_WAIT:-20} # waiting at max 20 seconds for socket reply through proxy
|
|
DNS_VIA_PROXY=${DNS_VIA_PROXY:-false} # do DNS lookups via proxy. --ip=proxy reverses this
|
|
@@ -221,7 +221,7 @@ VULN_THRESHLD=${VULN_THRESHLD:-1} # if vulnerabilities to check >$VULN_THR
|
|
UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo) don't support [bracketed] IPv6 addresses
|
|
NO_ENGINE=${NO_ENGINE:-false} # if there are problems finding the (external) openssl engine set this to true
|
|
declare -r CLIENT_MIN_FS=5 # number of ciphers needed to run a test for FS
|
|
-CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d)
|
|
+CAPATH="${CAPATH:-@TERMUX_PREFIX@/etc/ssl/certs/}" # Does nothing yet (FC has only a CA bundle per default, ==> openssl version -d)
|
|
SOCAT="${SOCAT:-}" # For now we would need this for STARTTLS injection
|
|
|
|
MEASURE_TIME_FILE=${MEASURE_TIME_FILE:-""}
|
|
@@ -245,7 +245,7 @@ PRINTF="" # which external printf to use. Empty pr
|
|
CIPHERS_BY_STRENGTH_FILE=""
|
|
TLS_DATA_FILE="" # mandatory file for socket-based handshakes
|
|
OPENSSL="" # ~/bin/openssl.$(uname).$(uname -m) if you run this from GitHub. Linux otherwise probably /usr/bin/openssl
|
|
-OPENSSL2=${OPENSSL2:-/usr/bin/openssl} # This will be openssl version >=1.1.1 (auto determined) as opposed to openssl-bad (OPENSSL)
|
|
+OPENSSL2=${OPENSSL2:-@TERMUX_PREFIX@/bin/openssl} # This will be openssl version >=1.1.1 (auto determined) as opposed to openssl-bad (OPENSSL)
|
|
OPENSSL2_HAS_TLS_1_3=false # If we run with supplied binary AND $OPENSSL2 supports TLS 1.3 this will be set to true
|
|
OPENSSL2_HAS_CHACHA20=false
|
|
OPENSSL2_HAS_AES128_GCM=false
|
|
@@ -2873,7 +2873,7 @@ run_hpkp() {
|
|
local -i i nrsaved
|
|
local first_hpkp_header
|
|
local spki
|
|
- local ca_hashes="$TESTSSL_INSTALL_DIR/etc/ca_hashes.txt"
|
|
+ local ca_hashes="$TESTSSL_INSTALL_DIR/etc/testssl/ca_hashes.txt"
|
|
|
|
if [[ ! -s $HEADERFILE ]]; then
|
|
run_http_header "$1" || return 1
|
|
@@ -5119,9 +5119,9 @@ run_client_simulation() {
|
|
local client_service=""
|
|
|
|
# source the external file
|
|
- . "$TESTSSL_INSTALL_DIR/etc/client-simulation.txt" 2>/dev/null
|
|
+ . "$TESTSSL_INSTALL_DIR/etc/testssl/client-simulation.txt" 2>/dev/null
|
|
if [[ $? -ne 0 ]]; then
|
|
- prln_local_problem "couldn't find client simulation data in $TESTSSL_INSTALL_DIR/etc/client-simulation.txt"
|
|
+ prln_local_problem "couldn't find client simulation data in $TESTSSL_INSTALL_DIR/etc/testssl/client-simulation.txt"
|
|
return 1
|
|
fi
|
|
|
|
@@ -7760,7 +7760,7 @@ determine_trust() {
|
|
|
|
# if you run testssl.sh from a different path /you can set either TESTSSL_INSTALL_DIR or CA_BUNDLES_PATH to find the CA BUNDLES
|
|
if [[ -z "$CA_BUNDLES_PATH" ]]; then
|
|
- ca_bundles="$TESTSSL_INSTALL_DIR/etc/*.pem"
|
|
+ ca_bundles="$TESTSSL_INSTALL_DIR/etc/testssl/*.pem"
|
|
else
|
|
ca_bundles="$CA_BUNDLES_PATH/*.pem"
|
|
fi
|
|
@@ -9071,7 +9071,7 @@ certificate_info() {
|
|
local certificate_list_ordering_problem="${13}"
|
|
local cert_sig_algo cert_sig_hash_algo cert_key_algo cert_spki_info
|
|
local hostcert=""
|
|
- local common_primes_file="$TESTSSL_INSTALL_DIR/etc/common-primes.txt"
|
|
+ local common_primes_file="$TESTSSL_INSTALL_DIR/etc/testssl/common-primes.txt"
|
|
local -i lineno_matched=0
|
|
local cert_keyusage cert_ext_keyusage short_keyAlgo
|
|
local outok=true
|
|
@@ -18634,7 +18634,7 @@ get_common_prime() {
|
|
local spaces="$3"
|
|
local pubkey dh_p=""
|
|
local -i subret=0
|
|
- local common_primes_file="$TESTSSL_INSTALL_DIR/etc/common-primes.txt"
|
|
+ local common_primes_file="$TESTSSL_INSTALL_DIR/etc/testssl/common-primes.txt"
|
|
local -i lineno_matched=0
|
|
|
|
"$HAS_PKEY" || return 2
|
|
@@ -20587,12 +20587,12 @@ old_fart() {
|
|
get_install_dir() {
|
|
[[ -z "$TESTSSL_INSTALL_DIR" ]] && TESTSSL_INSTALL_DIR="$(dirname "${BASH_SOURCE[0]}")"
|
|
|
|
- if [[ -r "$RUN_DIR/etc/cipher-mapping.txt" ]]; then
|
|
- CIPHERS_BY_STRENGTH_FILE="$RUN_DIR/etc/cipher-mapping.txt"
|
|
+ if [[ -r "$RUN_DIR/etc/testssl/cipher-mapping.txt" ]]; then
|
|
+ CIPHERS_BY_STRENGTH_FILE="$RUN_DIR/etc/testssl/cipher-mapping.txt"
|
|
[[ -z "$TESTSSL_INSTALL_DIR" ]] && TESTSSL_INSTALL_DIR="$RUN_DIR" # probably TESTSSL_INSTALL_DIR
|
|
fi
|
|
|
|
- [[ -r "$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt"
|
|
+ [[ -r "$TESTSSL_INSTALL_DIR/etc/testssl/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/testssl/cipher-mapping.txt"
|
|
if [[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]]; then
|
|
[[ -r "$RUN_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$RUN_DIR/cipher-mapping.txt"
|
|
[[ -r "$TESTSSL_INSTALL_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/cipher-mapping.txt"
|
|
@@ -20606,13 +20606,13 @@ get_install_dir() {
|
|
# not sure whether Darwin has -f
|
|
TESTSSL_INSTALL_DIR="$(dirname "$TESTSSL_INSTALL_DIR" 2>/dev/null)"
|
|
[[ -r "$TESTSSL_INSTALL_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/cipher-mapping.txt"
|
|
- [[ -r "$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt"
|
|
+ [[ -r "$TESTSSL_INSTALL_DIR/etc/testssl/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/testssl/cipher-mapping.txt"
|
|
fi
|
|
|
|
# still no cipher mapping file:
|
|
if [[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]] && type -p realpath &>/dev/null ; then
|
|
TESTSSL_INSTALL_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
|
|
- CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt"
|
|
+ CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/testssl/cipher-mapping.txt"
|
|
[[ -r "$TESTSSL_INSTALL_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/cipher-mapping.txt"
|
|
fi
|
|
|
|
@@ -20622,7 +20622,7 @@ get_install_dir() {
|
|
TESTSSL_INSTALL_DIR="$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")" || \
|
|
TESTSSL_INSTALL_DIR="$(dirname "$(readlink "${BASH_SOURCE[0]}")")"
|
|
# not sure whether Darwin has -f
|
|
- CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt"
|
|
+ CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/testssl/cipher-mapping.txt"
|
|
[[ -r "$TESTSSL_INSTALL_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/cipher-mapping.txt"
|
|
fi
|
|
|
|
@@ -20630,16 +20630,16 @@ get_install_dir() {
|
|
DISPLAY_CIPHERNAMES="openssl-only"
|
|
debugme echo "$CIPHERS_BY_STRENGTH_FILE"
|
|
prln_warning "\nATTENTION: No cipher mapping file found!"
|
|
- outln "Please note from 2.9 on $PROG_NAME needs files in \"\$TESTSSL_INSTALL_DIR/etc/\" to function correctly."
|
|
+ outln "Please note from 2.9 on $PROG_NAME needs files in \"\$TESTSSL_INSTALL_DIR/etc/testssl/\" to function correctly."
|
|
outln
|
|
ignore_no_or_lame "Type \"yes\" to ignore this warning and proceed at your own risk" "yes"
|
|
[[ $? -ne 0 ]] && exit $ERR_RESOURCE
|
|
fi
|
|
|
|
- TLS_DATA_FILE="$TESTSSL_INSTALL_DIR/etc/tls_data.txt"
|
|
+ TLS_DATA_FILE="$TESTSSL_INSTALL_DIR/etc/testssl/tls_data.txt"
|
|
if [[ ! -r "$TLS_DATA_FILE" ]]; then
|
|
prln_warning "\nATTENTION: No TLS data file found -- needed for socket-based handshakes"
|
|
- outln "Please note from 2.9 on $PROG_NAME needs files in \"\$TESTSSL_INSTALL_DIR/etc/\" to function correctly."
|
|
+ outln "Please note from 2.9 on $PROG_NAME needs files in \"\$TESTSSL_INSTALL_DIR/etc/testssl/\" to function correctly."
|
|
outln
|
|
ignore_no_or_lame "Type \"yes\" to ignore this warning and proceed at your own risk" "yes"
|
|
[[ $? -ne 0 ]] && exit $ERR_RESOURCE
|
|
@@ -20714,7 +20714,7 @@ find_openssl_binary() {
|
|
# couldn't be parsed by our openssl it bailed out here with a misleading error, see #1982.
|
|
# Now we try with another version of the config file and if it still fails we bail out.
|
|
if ! $OPENSSL version -d >/dev/null 2>&1 ; then
|
|
- export OPENSSL_CONF="$TESTSSL_INSTALL_DIR/etc/openssl.cnf"
|
|
+ export OPENSSL_CONF="$TESTSSL_INSTALL_DIR/etc/testssl/openssl.cnf"
|
|
if ! $OPENSSL version -d >/dev/null 2>&1 ; then
|
|
fatal "cannot exec or find any openssl binary" $ERR_OSSLBIN
|
|
else
|
|
@@ -21231,7 +21231,7 @@ output options (can also be preset via environment variables):
|
|
no-iana|no-rfc> -> don't display the IANA/(RFC) cipher suite name, display OpenSSL names only
|
|
--color <0|1|2|3> 0: no escape or other codes, 1: b/w escape codes, 2: color (default), 3: extra color (color all ciphers)
|
|
--colorblind swap green and blue in the output
|
|
- --debug <0-6> 1: screen output normal but keeps debug output in /tmp/. 2-6: see "grep -A 5 '^DEBUG=' testssl.sh"
|
|
+ --debug <0-6> 1: screen output normal but keeps debug output in @TERMUX_PREFIX@/tmp/. 2-6: see "grep -A 5 '^DEBUG=' testssl.sh"
|
|
--disable-rating Explicitly disables the rating output
|
|
|
|
file output options (can also be preset via environment variables)
|
|
@@ -21254,7 +21254,7 @@ file output options (can also be preset via environment variables)
|
|
--outprefix <fname_prefix> before '\${NODE}.' above prepend <fname_prefix>
|
|
|
|
|
|
-Options requiring a value can also be called with '=' e.g. testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl <URI>.
|
|
+Options requiring a value can also be called with '=' e.g. testssl.sh -t=smtp --wide --openssl=@TERMUX_PREFIX@/bin/openssl <URI>.
|
|
<URI> always needs to be the last parameter.
|
|
|
|
EOF
|
|
@@ -21268,7 +21268,7 @@ EOF
|
|
}
|
|
|
|
maketempf() {
|
|
- TEMPDIR=$(mktemp -d /tmp/testssl.XXXXXX 2>/dev/null)
|
|
+ TEMPDIR=$(mktemp -d @TERMUX_PREFIX@/tmp/testssl.XXXXXX 2>/dev/null)
|
|
if [[ $? -ne 0 ]]; then
|
|
# For e.g. devices where we can't write to /tmp we chose $PWD but we can't
|
|
# allow every char as we haven't quoted all strings depending on it, see #1445
|
|
@@ -21651,7 +21651,7 @@ initialize_engine(){
|
|
# check for openssl 1.1.1 config -- not this may not be reliable. We only use this
|
|
# to suppress the warning (confuses users), see #1119
|
|
# https://github.com/openssl/openssl/commit/b524b808a1d1ba204dbdcbb42de4e3bddb3472ac
|
|
- if ! grep -q 'using the .include directive' /etc/ssl/openssl.cnf; then
|
|
+ if ! grep -q 'using the .include directive' @TERMUX_PREFIX@/etc/ssl/openssl.cnf; then
|
|
[[ "$DEBUG" -ge 1 ]] && outln && pr_warning "No engine or GOST support via engine with your $OPENSSL"; outln
|
|
fi
|
|
fileout_insert_warning "engine_problem" "WARN" "No engine or GOST support via engine with your $OPENSSL"
|
|
@@ -21661,7 +21661,7 @@ initialize_engine(){
|
|
else
|
|
# we have engine support. But we want to check whether an external OPENSSL_CONF was supplied.
|
|
# $TESTSSL_INSTALL_DIR/etc/openssl.cnf is an internal presetting, see #1982
|
|
- if [[ -n "$OPENSSL_CONF" ]] && [[ "$OPENSSL_CONF" != "$TESTSSL_INSTALL_DIR/etc/openssl.cnf" ]]; then
|
|
+ if [[ -n "$OPENSSL_CONF" ]] && [[ "$OPENSSL_CONF" != "$TESTSSL_INSTALL_DIR/etc/testssl/openssl.cnf" ]]; then
|
|
prln_warning "For now I am providing the config file to have GOST support"
|
|
else
|
|
OPENSSL_CONF=$TEMPDIR/gost.conf
|
|
@@ -21827,7 +21827,7 @@ filter_ip4_address() {
|
|
# arg1 is the entry we want to look up in the host file
|
|
get_local_aaaa() {
|
|
local ip6=""
|
|
- local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts"
|
|
+ local etchosts="@TERMUX_PREFIX@/etc/hosts /c/Windows/System32/drivers/etc/hosts"
|
|
|
|
[[ -z "$1" ]] && echo "" && return 1
|
|
# Also multiple records should work fine
|
|
@@ -21840,7 +21840,7 @@ get_local_aaaa() {
|
|
}
|
|
get_local_a() {
|
|
local ip4=""
|
|
- local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts"
|
|
+ local etchosts="@TERMUX_PREFIX@/etc/hosts /c/Windows/System32/drivers/etc/hosts"
|
|
|
|
ip4=$(grep -wih "$1" $etchosts 2>/dev/null | grep -Ev ':|^#|\.local' | grep -Ei "[[:space:]]$1" | awk '{ print $1 }')
|
|
if is_ipv4addr "$ip4"; then
|
|
@@ -23016,9 +23016,9 @@ display_rdns_etc() {
|
|
outln "$(out_row_aligned_max_width "$further_ip_addrs" " $CORRECT_SPACES" $TERM_WIDTH)"
|
|
fi
|
|
if "$LOCAL_A"; then
|
|
- outln " A record via: $CORRECT_SPACES /etc/hosts "
|
|
+ outln " A record via: $CORRECT_SPACES @TERMUX_PREFIX@/etc/hosts "
|
|
elif "$LOCAL_AAAA"; then
|
|
- outln " AAAA record via: $CORRECT_SPACES /etc/hosts "
|
|
+ outln " AAAA record via: $CORRECT_SPACES @TERMUX_PREFIX@/etc/hosts "
|
|
elif [[ -n "$CMDLINE_IP" ]]; then
|
|
if is_ipv6addr $"$CMDLINE_IP"; then
|
|
outln " AAAA record via: $CORRECT_SPACES supplied IP \"$CMDLINE_IP\""
|