emdee/proxy_role
1
0
Fork 0
Code Issues Pull requests Wiki Activity

first

Browse source
This commit is contained in:
emdee 2024-01-06 01:57:28 +00:00
commit 757ca483f0
115 changed files with 13170 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

138
overlay/Linux/usr/local/Whonix-Host.rc Executable file
View file

@ -0,0 +1,138 @@
#!/bin/sh
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
. /usr/local/etc/local.d/local.bash
chmod 775 /usr/local/sbin/*sh /usr/local/bin/*sh
export PATH=$PATH:/usr/local/bin:/usr/local/sbin
grep -q root=/dev/vda /proc/cmdline
PROXY_IS_VDA=$?
if [ $PROXY_IS_VDA -eq 0 ] ; then
/usr/local/sbin/proxy_whonix_lib.bash proxy_vda_config
fi
# Host and Vda
[ -d /etc/apt ] && \
local_manual_stop_services openvpn exim4 apt-daily-upgrade udisks2 \
sdwdate tb-updater-first-boot lvm2-monitor
# BEGIN ANSIBLE MANAGED BLOCK base initctl
if [ ! -e /dev/initctl -a -e /run/initctl ] ; then
ln -s /run/initctl /dev/initctl
elif [ ! -e /dev/initctl ] ; then
mknod -m=0600 /dev/initctl p
fi
# END ANSIBLE MANAGED BLOCK base initctl
# BEGIN ANSIBLE MANAGED BLOCK base
( cd /var/tmp && rm -rf ansible-local-* Temp-* ssh-* pulse-* .xfsm-ICE-* )
# END ANSIBLE MANAGED BLOCK base
# sh "/var/local/etc/local.d/testforge.start"
# redis
# WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
#? echo never > /sys/kernel/mm/transparent_hugepage/enabled
if false;then
# failsafe but independent of whether wlan exists
[ -f /usr/local/sbin/proxy_whonix_host_libvirt.bash ] && \
sh /usr/local/sbin/proxy_whonix_host_libvirt.bash proxy_whonix_libvirt_start
if ! /usr/local/sbin/proxy_whonix_host.bash config ; then
echo WARN: Whonix-Host.rc proxy_whonix_host.bash config failed $?
fi
if ! /usr/local/sbin/proxy_whonix_host.bash start ; then
echo WARN: Whonix-Host.rc proxy_whonix_host.bash start failed $?
fi
if ! /usr/local/sbin/proxy_whonix_host.bash test ; then
echo WARN: Whonix-Host.rc proxy_whonix_host.bash test failed $?
fi
fi
exit 0
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml text
local_systemd_stop_services display-manager
# END ANSIBLE MANAGED BLOCK update lati_unix.yml text
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
for eltin h i j o q v q w l ; do
[ -d /mnt/$elt/tmp ] || mount /mnt/$elt
done
exit 0
# END ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml mask
# local_manual_stop_services
SYSTEMD_STOP_AND_MASK="
debug-shell.service
systemd-backlight@.service
phpsessionclean.service
phpsessionclean.timer
apt-daily-upgrade.service
apt-daily-upgrade.timer
dbus-org.freedesktop.nm-dispatcher.service
tb-updater-first-boot.service
openvpn.service
systemd-backlight@.service
systemd-backlight@backlight.service
vboxadd-service.service
vboxautostart-service.service
vboxballoonctrl-service.service
vboxdrv.service
vboxweb-service.service
"
# /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask $SYSTEMD_STOP_AND_MASK
for file in /usr/local/etc/systemd/*.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK update lati_unix.yml mask
/var/local/bin/harden_dbus_neuter.bash
which brightnessctl 2>/dev/null >/dev/null && brightnessctl set 90%
# BEGIN ANSIBLE MANAGED BLOCK update
/usr/local/etc/local.d/local.bash local_disable_lid
# END ANSIBLE MANAGED BLOCK update
# BEGIN ANSIBLE MANAGED BLOCK update local_disable_lid
/usr/local/etc/local.d/local.bash local_disable_lid
# END ANSIBLE MANAGED BLOCK update local_disable_lid
# BEGIN ANSIBLE MANAGED BLOCK base lati_unix.yml mask
ROLE=base
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK base lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK gpgkey lati_unix.yml mask
ROLE=gpgkey
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK gpgkey lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK hostvms lati_unix.yml mask
ROLE=hostvms
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK hostvms lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK privacy lati_unix.yml mask
ROLE=privacy
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK privacy lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK proxy lati_unix.yml mask
ROLE=proxy
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK proxy lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK testforge lati_unix.yml mask
ROLE=testforge
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK testforge lati_unix.yml mask

45
overlay/Linux/usr/local/bin/curl.bash Executable file
View file

@ -0,0 +1,45 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
ROLE=proxy
ip route | grep -q ^def || {
WARN we are not connected
}
[ -f $HOME/.curlrc ] || touch $HOME/.curlrc
declare -a CURL_OPTS
if [[ "$socks_proxy" =~ socks5://.* ]] ; then
export socks_proxy="$( echo $socks_proxy | sed -e 's@socks5://@socks5h://@' )"
CURL_OPTS+=( --proxy $socks_proxy )
[ -n "$https_proxy" ] && export https_proxy= && unset https_proxy
[ -n "$http_proxy" ] && export http_proxy= && unset http_proxy
elif [ -n "$https_proxy" ] ; then
CURL_OPTS+=( --proxy $https_proxy )
[ -n "$http_proxy" ] && export http_proxy= && unset http_proxy
elif [ -n "$http_proxy" ] ; then
CURL_OPTS+=( --proxy $http_proxy )
fi
export CURL_OPTS+=( -L --remote-time )
if ! uname -a | grep -q 'Devuan\|Debian' && [ -s $HOME/.local/alt.svc ] ; then
export CURL_OPTS+=( --alt-svc $HOME/.local/alt.svc )
# #define CURLALTSVC_H2 (1<<4)
export CURLOPT_ALTSVC_CTRL=16
fi
[[ ! "$*" =~ --config ]] && [ -s "$HOME/.curlrc" ] && \
export CURL_OPTS+=( --config $HOME/.curlrc )
[[ ! "$*" =~ --cookie-jar ]] && [ -s $HOME/.local/jar.cookie ] && \
export CURL_OPTS+=( --cookie-jar $HOME/.local/jar.cookie )
if [[ ! "$*" =~ --capath ]] && \
[[ ! "$*" =~ --cacert ]] && \
[ -s /usr/local/etc/ssl/cacert-testforge.pem ] ; then
# --capath /usr/local/etc/:/etc/ssl/certs
export CURL_OPTS+=( --cacert /usr/local/etc/ssl/cacert-testforge.pem )
export CURL_CA_BUNDLE=/usr/local/etc/ssl/cacert-testforge.pem
fi
echo INFO: curl $CURL_OPTS "$@"
exec curl $CURL_OPTS "$@"

63
overlay/Linux/usr/local/bin/dirmngr.bash Executable file
View file

@ -0,0 +1,63 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/usr_local_base.bash || exit 2
if [ "$#" -eq 1 -a "$1" = '--version' ] ; then
exec /usr/bin/dirmngr.bin --version
return 0
fi
# echo "DEBUG: $0 GNUPGHOME=$GNUPGHOME $*" >> /tmp/$$.out
PROXY_GPG_KEYSERVER=keys.openpgp.org
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash >/dev/null
[ -z "$PROXY_GPG_KEYERVER_URL" ] && PROXY_GPG_KEYERVER_URL=hkps://$PROXY_GPG_KEYSERVER
# ONLY disabling on the command line or
[ -e /proc/sys/net/ipv6/conf/default/disable_ipv6 ] && \
[ `cat /proc/sys/net/ipv6/conf/default/disable_ipv6` -eq 0 ] && \
echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
PROXY_WLAN=$( /usr/local/bin/proxy_ping_lib.bash proxy_set_if ) # || return 1$?
if [ -n "$PROXY_WLAN" ] ; then
wlan7=$PROXY_WLAN
[ -e /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6 ] && \
[ `cat /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6` -eq 0 ] && \
echo 1 > /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6
fi
route | grep -q ^default || { ERROR no route ; exit 1; }
[ ! -x /usr/bin/netstat ] || \
netstat -nlp | grep -q 127.0.0.1:53 || { ERROR no nameserver ; exit 4; }
[ -z "$USER" ] && USER=$(id -un )
if [ $USER = root ] ; then
[ -x /usr/bin/dirmngr -a ! -x /usr/bin/dirmngr.bin ] && \
mv /usr/bin/dirmngr /usr/bin/dirmngr.bin
[ -x /usr/bin/dirmngr.bin -a ! -x /usr/bin/dirmngr ] && \
ln -s /usr/local/bin/proxy_dirmngr.bash /usr/bin/dirmngr
fi
[ ! -x /usr/bin/dirmngr -o ! -x /usr/bin/dirmngr.bin ] && exit 2
[ -f /etc/dirmngr/dirmngr.conf ] || exit 3
# This is not enough: --disable-ipv6
# --keyserver hkps://keys.gentoo.org is required
# --http-proxy http://127.0.0.1:3128
# --keyserver $PROXY_GPG_KEYERVER_URL
# --no-use-tor is REQUIRED if you are running tor
# EVEN IF YOU DOT USE use-tor - silent dns failure
exec /usr/bin/dirmngr.bin --server -vvv --debug-all \
--options /etc/dirmngr/dirmngr.conf \
--nameserver 127.0.0.1 \
--disable-ipv6 \
--disable-ldap \
--no-use-tor \
--log-file /var/log/dirmngr.log --debug-level 4 \
"$@"

10
overlay/Linux/usr/local/bin/gitproxy.bash Executable file
View file

@ -0,0 +1,10 @@
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
# BEGIN ANSIBLE MANAGED BLOCK proxy
exec corkscrew $1 $2
# $1 %h $2 %p
#? exec connect -4 -S : $(tor-resolve $1 :) $2
# END ANSIBLE MANAGED BLOCK proxy

89
overlay/Linux/usr/local/bin/ping2.py Executable file
View file

@ -0,0 +1,89 @@
#!/usr/local/bin/python2.sh
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Simple ICMP ping.
#
# This implementation of ping uses the ICMP echo and echo-reply packets
# to check the status of a host. If the remote host is up, it should reply
# to the echo probe with an echo-reply packet.
# Note that this isn't a definite test, as in the case the remote host is up
# but refuses to reply the probes.
# Also note that the user must have special access to be able to open a raw
# socket, which this program requires.
#
# Authors:
# Gerardo Richarte <gera@coresecurity.com>
# Javier Kohen <jkohen@coresecurity.com>
#
# Reference for:
# ImpactPacket: IP, ICMP, DATA.
# ImpactDecoder.
import select
import socket
import time
import sys
from impacket import ImpactDecoder, ImpactPacket
if len(sys.argv) < 3:
print("Use: %s <src ip> <dst ip>" % sys.argv[0])
sys.exit(1)
src = sys.argv[1]
dst = sys.argv[2]
# Create a new IP packet and set its source and destination addresses.
ip = ImpactPacket.IP()
ip.set_ip_src(src)
ip.set_ip_dst(dst)
# Create a new ICMP packet of type ECHO.
icmp = ImpactPacket.ICMP()
icmp.set_icmp_type(icmp.ICMP_ECHO)
# Include a 156-character long payload inside the ICMP packet.
icmp.contains(ImpactPacket.Data("A"*156))
# Have the IP packet contain the ICMP packet (along with its payload).
ip.contains(icmp)
# Open a raw socket. Special permissions are usually required.
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
seq_id = 0
i = 0
while i < 10:
i += 1
# Give the ICMP packet the next ID in the sequence.
seq_id += 1
icmp.set_icmp_id(seq_id)
# Calculate its checksum.
icmp.set_icmp_cksum(0)
icmp.auto_checksum = 1
# Send it to the target host.
s.sendto(ip.get_packet(), (dst, 0))
# Wait for incoming replies.
if s in select.select([s],[],[],1)[0]:
reply = s.recvfrom(2000)[0]
# Use ImpactDecoder to reconstruct the packet hierarchy.
rip = ImpactDecoder.IPDecoder().decode(reply)
# Extract the ICMP packet from its container (the IP packet).
ricmp = rip.child()
# If the packet matches, report it to the user.
if rip.get_ip_dst() == src and rip.get_ip_src() == dst and icmp.ICMP_ECHOREPLY == ricmp.get_icmp_type():
print("Ping reply for sequence #%d" % ricmp.get_icmp_id())
time.sleep(1)

89
overlay/Linux/usr/local/bin/ping3.py Executable file
View file

@ -0,0 +1,89 @@
#!/usr/local/bin/python3.sh
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Simple ICMP ping.
#
# This implementation of ping uses the ICMP echo and echo-reply packets
# to check the status of a host. If the remote host is up, it should reply
# to the echo probe with an echo-reply packet.
# Note that this isn't a definite test, as in the case the remote host is up
# but refuses to reply the probes.
# Also note that the user must have special access to be able to open a raw
# socket, which this program requires.
#
# Authors:
# Gerardo Richarte <gera@coresecurity.com>
# Javier Kohen <jkohen@coresecurity.com>
#
# Reference for:
# ImpactPacket: IP, ICMP, DATA.
# ImpactDecoder.
import select
import socket
import time
import sys
from impacket import ImpactDecoder, ImpactPacket
if len(sys.argv) < 3:
print("Use: %s <src ip> <dst ip>" % sys.argv[0])
sys.exit(1)
src = sys.argv[1]
dst = sys.argv[2]
# Create a new IP packet and set its source and destination addresses.
ip = ImpactPacket.IP()
ip.set_ip_src(src)
ip.set_ip_dst(dst)
# Create a new ICMP packet of type ECHO.
icmp = ImpactPacket.ICMP()
icmp.set_icmp_type(icmp.ICMP_ECHO)
# Include a 156-character long payload inside the ICMP packet.
icmp.contains(ImpactPacket.Data(b"A"*156))
# Have the IP packet contain the ICMP packet (along with its payload).
ip.contains(icmp)
# Open a raw socket. Special permissions are usually required.
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
seq_id = 0
i = 0
while i < 10:
i += 1
# Give the ICMP packet the next ID in the sequence.
seq_id += 1
icmp.set_icmp_id(seq_id)
# Calculate its checksum.
icmp.set_icmp_cksum(0)
icmp.auto_checksum = 1
# Send it to the target host.
s.sendto(ip.get_packet(), (dst, 0))
# Wait for incoming replies.
if s in select.select([s],[],[],1)[0]:
reply = s.recvfrom(2000)[0]
# Use ImpactDecoder to reconstruct the packet hierarchy.
rip = ImpactDecoder.IPDecoder().decode(reply)
# Extract the ICMP packet from its container (the IP packet).
ricmp = rip.child()
# If the packet matches, report it to the user.
if rip.get_ip_dst() == src and rip.get_ip_src() == dst and icmp.ICMP_ECHOREPLY == ricmp.get_icmp_type():
print("Ping reply for sequence #%d" % ricmp.get_icmp_id())
time.sleep(1)

82
overlay/Linux/usr/local/bin/ping62.py Executable file
View file

@ -0,0 +1,82 @@
#!/usr/local/bin/python2.sh
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Simple ICMP6 ping.
#
# This implementation of ping uses the ICMP echo and echo-reply packets
# to check the status of a host. If the remote host is up, it should reply
# to the echo probe with an echo-reply packet.
# Note that this isn't a definite test, as in the case the remote host is up
# but refuses to reply the probes.
# Also note that the user must have special access to be able to open a raw
# socket, which this program requires.
#
# Authors:
# Alberto Solino (@agsolino)
#
# Reference for:
# ImpactPacket: ICMP6
# ImpactDecoder.
import select
import socket
import time
import sys
from impacket import ImpactDecoder, IP6, ICMP6, version
print(version.BANNER)
if len(sys.argv) < 3:
print("Use: %s <src ip> <dst ip>" % sys.argv[0])
sys.exit(1)
src = sys.argv[1]
dst = sys.argv[2]
# Create a new IP packet and set its source and destination addresses.
ip = IP6.IP6()
ip.set_ip_src(src)
ip.set_ip_dst(dst)
ip.set_traffic_class(0)
ip.set_flow_label(0)
ip.set_hop_limit(64)
# Open a raw socket. Special permissions are usually required.
s = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_ICMPV6)
payload = "A"*156
print("PING %s %d data bytes" % (dst, len(payload)))
seq_id = 0
while 1:
# Give the ICMP packet the next ID in the sequence.
seq_id += 1
icmp = ICMP6.ICMP6.Echo_Request(1, seq_id, payload)
# Have the IP packet contain the ICMP packet (along with its payload).
ip.contains(icmp)
ip.set_next_header(ip.child().get_ip_protocol_number())
ip.set_payload_length(ip.child().get_size())
icmp.calculate_checksum()
# Send it to the target host.
s.sendto(icmp.get_packet(), (dst, 0))
# Wait for incoming replies.
if s in select.select([s],[],[],1)[0]:
reply = s.recvfrom(2000)[0]
# Use ImpactDecoder to reconstruct the packet hierarchy.
rip = ImpactDecoder.ICMP6Decoder().decode(reply)
# If the packet matches, report it to the user.
if ICMP6.ICMP6.ECHO_REPLY == rip.get_type():
print("%d bytes from %s: icmp_seq=%d " % (rip.child().get_size()-4,dst,rip.get_echo_sequence_number()))
time.sleep(1)

344
overlay/Linux/usr/local/bin/pr$ Executable file
View file

@ -0,0 +1,344 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
. /usr/local/bin/usr_local_tput.bash || exit 2
## proxy_ami_cloudflared
proxy_ami_cloudflared() {
[ $# -gt 0 ] || return 1
local ip=$1
# https://netaddr.readthedocs.io/en/latest/tutorial_01.html
# a=`python3 -c "import netaddr; print(netaddr.IPAddress('$ip') in list(netaddr.IPNetwork('$no')))"`
# https://stackoverflow.com/questions/819355/how-can-i-check-if-an-ip-is-in-a-network-in-python
for no in "${CLOUDF[@]}" ; do
nopat=`sed -e 's/\.0.*//' <<< $no`
[[ $ip =~ ${nopat}.* ]] && {
# WARN $url cloudflared $ip $no
echo True
return 0
}
done
echo False
return 0
}
## proxy_ami_cloudflared_py
proxy_ami_cloudflared_py() {
[ $# -gt 0 ] || return 1
local ip=$1
a=`proxy_ami_cloudflared $ip`
if [ $? -eq 0 -a "$a" = True ] ; then
echo $a
return 0
fi
for no in "${CLOUDF[@]}" ; do
a=`python3 -c "import ipaddress; print(ipaddress.IPv4Address('$ip') in list(ipaddress.IPv4Network('$no')))"`
if [ $? -eq 0 -a "$a" = True ] ; then
echo $a
return 0
fi
done
echo False
return 0
}
# /usr/include/openssl/x509_vfy.h
declare -A OPENSSL_X509_V
OPENSSL_X509_V=(
[0]=OK
[1]=ERR_UNSPECIFIED
[2]=ERR_UNABLE_TO_GET_ISSUER_CERT
[3]=ERR_UNABLE_TO_GET_CRL
[4]=ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
[5]=ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
[6]=ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
[7]=ERR_CERT_SIGNATURE_FAILURE
[8]=ERR_CRL_SIGNATURE_FAILURE
[9]=ERR_CERT_NOT_YET_VALID
[10]=ERR_CERT_HAS_EXPIRED
[11]=ERR_CRL_NOT_YET_VALID
[12]=ERR_CRL_HAS_EXPIRED
[13]=ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
[14]=ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
[15]=ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
[16]=ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
[17]=ERR_OUT_OF_MEM
[18]=ERR_DEPTH_ZERO_SELF_SIGNED_CERT
[19]=ERR_SELF_SIGNED_CERT_IN_CHAIN
[20]=ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
[21]=ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
[22]=ERR_CERT_CHAIN_TOO_LONG
[23]=ERR_CERT_REVOKED
[24]=ERR_INVALID_CA
[25]=ERR_PATH_LENGTH_EXCEEDED
[26]=ERR_INVALID_PURPOSE
[27]=ERR_CERT_UNTRUSTED
[28]=ERR_CERT_REJECTED
# These are 'informational' when looking for issuer cert
[29]=ERR_SUBJECT_ISSUER_MISMATCH
[30]=ERR_AKID_SKID_MISMATCH
[31]=ERR_AKID_ISSUER_SERIAL_MISMATCH
[32]=ERR_KEYUSAGE_NO_CERTSIGN
[33]=ERR_UNABLE_TO_GET_CRL_ISSUER
[34]=ERR_UNHANDLED_CRITICAL_EXTENSION
[35]=ERR_KEYUSAGE_NO_CRL_SIGN
[36]=ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
[37]=ERR_INVALID_NON_CA
[38]=ERR_PROXY_PATH_LENGTH_EXCEEDED
[39]=ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
[40]=ERR_PROXY_CERTIFICATES_NOT_ALLOWED
[41]=ERR_INVALID_EXTENSION
[42]=ERR_INVALID_POLICY_EXTENSION
[43]=ERR_NO_EXPLICIT_POLICY
[44]=ERR_DIFFERENT_CRL_SCOPE
[45]=ERR_UNSUPPORTED_EXTENSION_FEATURE
[46]=ERR_UNNESTED_RESOURCE
[47]=ERR_PERMITTED_VIOLATION
[48]=ERR_EXCLUDED_VIOLATION
[49]=ERR_SUBTREE_MINMAX
# The application is not happy
[50]=ERR_APPLICATION_VERIFICATION
[51]=ERR_UNSUPPORTED_CONSTRAINT_TYPE
[52]=ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
[53]=ERR_UNSUPPORTED_NAME_SYNTAX
[54]=ERR_CRL_PATH_VALIDATION_ERROR
# Another issuer check debug option
[55]=ERR_PATH_LOOP
# Suite B mode algorithm violation
[56]=ERR_SUITE_B_INVALID_VERSION
[57]=ERR_SUITE_B_INVALID_ALGORITHM
[58]=ERR_SUITE_B_INVALID_CURVE
[59]=ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
[60]=ERR_SUITE_B_LOS_NOT_ALLOWED
[61]=ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
# Host, email and IP check errors
[62]=ERR_HOSTNAME_MISMATCH
[63]=ERR_EMAIL_MISMATCH
[64]=ERR_IP_ADDRESS_MISMATCH
# DANE TLSA errors
[65]=ERR_DANE_NO_MATCH
# security level errors
[66]=ERR_EE_KEY_TOO_SMALL
[67]=ERR_CA_KEY_TOO_SMALL
[68]=ERR_CA_MD_TOO_WEAK
# Caller error
[69]=ERR_INVALID_CALL
# Issuer lookup error
[70]=ERR_STORE_LOOKUP
# Certificate transparency
[71]=ERR_NO_VALID_SCTS
[72]=ERR_PROXY_SUBJECT_NAME_VIOLATION
# OCSP status errors
[73]=ERR_OCSP_VERIFY_NEEDED # Need OCSP verification
[74]=ERR_OCSP_VERIFY_FAILED # Couldn't verify cert through OCSP
[75]=ERR_OCSP_CERT_UNKNOWN # Certificate wasn't recognized by the OCSP responder
[76]=ERR_SIGNATURE_ALGORITHM_MISMATCH
[77]=ERR_NO_ISSUER_PUBLIC_KEY
[78]=ERR_UNSUPPORTED_SIGNATURE_ALGORITHM
[79]=ERR_EC_KEY_EXPLICIT_PARAMS
)
# man 3 libcurl-errors
declare -A CURLE
CURLE=(
[0]=CURLE_OK
[1]=CURLE_UNSUPPORTED_PROTOCOL
[2]=CURLE_FAILED_INIT
[3]=CURLE_URL_MALFORMAT
[4]=CURLE_NOT_BUILT_IN
[5]=CURLE_COULDNT_RESOLVE_PROXY
[6]=CURLE_COULDNT_RESOLVE_HOST
[7]=CURLE_COULDNT_CONNECT
[8]=CURLE_WEIRD_SERVER_REPLY
[9]=CURLE_REMOTE_ACCESS_DENIED
[10]=CURLE_FTP_ACCEPT_FAILED
[11]=CURLE_FTP_WEIRD_PASS_REPLY
[12]=CURLE_FTP_ACCEPT_TIMEOUT
[13]=CURLE_FTP_WEIRD_PASV_REPLY
[14]=CURLE_FTP_WEIRD_227_FORMAT
[15]=CURLE_FTP_CANT_GET_HOST
[16]=CURLE_HTTP2
[17]=CURLE_FTP_COULDNT_SET_TYPE
[18]=CURLE_PARTIAL_FILE
[19]=CURLE_FTP_COULDNT_RETR_FILE
[21]=CURLE_QUOTE_ERROR
[22]=CURLE_HTTP_RETURNED_ERROR
[23]=CURLE_WRITE_ERROR
[25]=CURLE_UPLOAD_FAILED
[26]=CURLE_READ_ERROR
[27]=CURLE_OUT_OF_MEMORY
[28]=CURLE_OPERATION_TIMEDOUT
[30]=CURLE_FTP_PORT_FAILED
[31]=CURLE_FTP_COULDNT_USE_REST
[33]=CURLE_RANGE_ERROR
[34]=CURLE_HTTP_POST_ERROR
[35]=CURLE_SSL_CONNECT_ERROR
[36]=CURLE_BAD_DOWNLOAD_RESUME
[37]=CURLE_FILE_COULDNT_READ_FILE
[38]=CURLE_LDAP_CANNOT_BIND
[39]=CURLE_LDAP_SEARCH_FAILED
[41]=CURLE_FUNCTION_NOT_FOUND
[42]=CURLE_ABORTED_BY_CALLBACK
[43]=CURLE_BAD_FUNCTION_ARGUMENT
[45]=CURLE_INTERFACE_FAILED
[47]=CURLE_TOO_MANY_REDIRECTS
[48]=CURLE_UNKNOWN_OPTION
[49]=CURLE_SETOPT_OPTION_SYNTAX
[52]=CURLE_GOT_NOTHING
[53]=CURLE_SSL_ENGINE_NOTFOUND
[54]=CURLE_SSL_ENGINE_SETFAILED
[55]=CURLE_SEND_ERROR
[56]=CURLE_RECV_ERROR
[58]=CURLE_SSL_CERTPROBLEM
[59]=CURLE_SSL_CIPHER
[60]=CURLE_PEER_FAILED_VERIFICATION
[61]=CURLE_BAD_CONTENT_ENCODING
[62]=CURLE_LDAP_INVALID_URL
[63]=CURLE_FILESIZE_EXCEEDED
[64]=CURLE_USE_SSL_FAILED
[65]=CURLE_SEND_FAIL_REWIND
[66]=CURLE_SSL_ENGINE_INITFAILED
[67]=CURLE_LOGIN_DENIED
[68]=CURLE_TFTP_NOTFOUND
[69]=CURLE_TFTP_PERM
[70]=CURLE_REMOTE_DISK_FULL
[71]=CURLE_TFTP_ILLEGAL
[72]=CURLE_TFTP_UNKNOWNID
[73]=CURLE_REMOTE_FILE_EXISTS
[74]=CURLE_TFTP_NOSUCHUSER
[75]=CURLE_CONV_FAILED
[76]=CURLE_CONV_REQD
[77]=CURLE_SSL_CACERT_BADFILE
[78]=CURLE_REMOTE_FILE_NOT_FOUND
[79]=CURLE_SSH
[80]=CURLE_SSL_SHUTDOWN_FAILED
[81]=CURLE_AGAIN
[82]=CURLE_SSL_CRL_BADFILE
[83]=CURLE_SSL_ISSUER_ERROR
[84]=CURLE_FTP_PRET_FAILED
[85]=CURLE_RTSP_CSEQ_ERROR
[86]=CURLE_RTSP_SESSION_ERROR
[87]=CURLE_FTP_BAD_FILE_LIST
[88]=CURLE_CHUNK_FAILED
[89]=CURLE_NO_CONNECTION_AVAILABLE
[90]=CURLE_SSL_PINNEDPUBKEYNOTMATCH
[91]=CURLE_SSL_INVALIDCERTSTATUS
[92]=CURLE_HTTP2_STREAM
[93]=CURLE_RECURSIVE_API_CALL
[94]=CURLE_AUTH_ERROR
[95]=CURLE_HTTP3
[96]=CURLE_QUIC_CONNECT_ERROR
[98]=CURLE_SSL_CLIENTCERT
[99]=CURLE_UNRECOVERABLE_POLL
)
# 20 HTTP response status codes
declare -A HTTP_RESPONSE
HTTP_RESPONSE=(
[100]="Continue"
[101]="Switching Protocols"
[103]="Early Hints"
[200]="OK"
[201]="Created"
[202]="Accepted"
[203]="Non-Authoritative Information"
[204]="No Content"
[205]="Reset Content"
[206]="Partial Content"
[300]="Multiple Choices"
[301]="Moved Permanently"
[302]="Found"
[303]="See Other"
[304]="Not Modified"
[307]="Temporary Redirect"
[308]="Permanent Redirect"
[400]="Bad Request"
[401]="Unauthorized"
[402]="Payment Required"
[403]="Forbidden"
[404]="Not Found"
[405]="Method Not Allowed"
[406]="Not Acceptable"
[407]="Proxy Authentication Required"
[408]="Request Timeout"
[409]="Conflict"
[410]="Gone"
[411]="Length Required"
[412]="Precondition Failed"
[413]="Payload Too Large"
[414]="URI Too Long"
[415]="Unsupported Media Type"
[416]="Range Not Satisfiable"
[417]="Expectation Failed"
[418]="Im a teapot"
[422]="Unprocessable Entity"
[425]="Too Early"
[426]="Upgrade Required"
[428]="Precondition Required"
[429]="Too Many Requests"
[431]="Request Header Fields Too Large"
[451]="Unavailable For Legal Reasons"
[500]="Internal Server Error"
[501]="Not Implemented"
[502]="Bad Gateway"
[503]="Service Unavailable"
[504]="Gateway Timeout"
[505]="HTTP Version Not Supported"
[506]="Variant Also Negotiates"
[507]="Insufficient Storage"
[508]="Loop Detected"
[510]="Not Extended"
[511]="Network Authentication Required"
)
# https://curl.se/docs/ssl-ciphers.html
# openssl
# https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html
# https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
openssl=openssl
# CURLOPT_TLS13_CIPHERS --tls13-ciphers
if [ $openssl = openssl ] ; then
export CURLOPT_TLS13_CIPHERS="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256"
elif [ $openssl = nss ] ; then
export CURLOPT_TLS13_CIPHERS="aes_128_gcm_sha_256,aes_256_gcm_sha_384,chacha20_poly1305_sha_256"
fi
declare -a NOTLSV3
NOTLSV3=(
# connection refused
www.mirrorservice.org
# no ipv3
files.pythonhosted.org
)
# https://web.archive.org/web/20220722104744/https://www.cloudflare.com/ips-v4
declare -a CLOUDFN
CLOUDFN=(
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22
)
#for no in "${CLOUDF[@]}" ; do
# # https://netaddr.readthedocs.io/en/latest/tutorial_01.html
# a=`python3 -c "import netaddr; print('\n'.join(map(str,list(netaddr.IPNetwork('$no')))))"`
#done

23
overlay/Linux/usr/local/bin/pro Executable file
View file

@ -0,0 +1,23 @@
#!/bin/sh
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
# https://unix.stackexchange.com/questions/293304/using-netcat-for-port-forwarding
. /usr/local/bin/usr_local_tput.bash || exit 2
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
netstat -nlpe4 | grep -q 127.0.0.1:53 && {
ERROR 127.0.0.1:53 already bound
exit 1
}
MODE=$( /usr/local/bin/proxy_ping_lib.bash proxy_whonix_mode )
if [ "$MODE" = tor -o "$MODE" = tor -o "$MODE" = gateway -o "$MODE" = selektor ] ; then
socat udp-l:53,bind=127.0.0.1,fork,reuseaddr udp:127.0.0.1:9053
elif [ "$MODE" = whonix -o "$MODE" = ws -o "$MODE" = tor -o "$MODE" = selektor ] ; then
socat udp-l:53,bind=127.0.0.1,fork,reuseaddr udp:10.0.2.2:9053
fi

12
overlay/Linux/usr/local/bin/proxy_ansible.bash Executable file
View file

@ -0,0 +1,12 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
. /usr/local/etc/testforge/testforge.bash
PREFIX=$PROXY_VAR_LOCAL
[ "$#" -eq 0 ] && set -- proxy
exec bash $PREFIX/bin/testforge_ansible.bash "$@"
ROLE=proxy

401
overlay/Linux/usr/local/bin/proxy_curl_lib.bash Executable file
View file

@ -0,0 +1,401 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
. /usr/local/bin/usr_local_tput.bash || exit 2
## proxy_ami_cloudflared
proxy_ami_cloudflared() {
[ $# -gt 0 ] || return 1
local ip=$1
for no in "${CLOUDFN[@]}" ; do
nopat=`sed -e 's@[.0]*/[0-9][0-9]@@' <<< $no`
[[ $ip =~ ${nopat}.* ]] && {
# WARN $url cloudflared $ip $no
echo True
return 0
}
done
echo False
return 0
}
## proxy_ami_cloudflared_py
proxy_ami_cloudflared_py() {
[ $# -gt 0 ] || return 1
local ip=$1
a=`proxy_ami_cloudflared $ip`
if [ $? -eq 0 -a "$a" = True ] ; then
echo $a
return 0
fi
# https://netaddr.readthedocs.io/en/latest/tutorial_01.html
# a=`python3 -c "import netaddr; print(netaddr.IPAddress('$ip') in list(netaddr.IPNetwork('$no')))"`
# https://stackoverflow.com/questions/819355/how-can-i-check-if-an-ip-is-in-a-network-in-python
for no in "${CLOUDFN[@]}" ; do
a=`python3 -c "import ipaddress; print(ipaddress.IPv4Address('$ip') in list(ipaddress.IPv4Network('$no')))"`
if [ $? -eq 0 -a "$a" = True ] ; then
echo $a
return 0
fi
done
echo False
return 0
}
## proxy_ami_nottlsv3
proxy_ami_nottlsv3() {
[ $# -gt 0 ] || return 1
local site=$1
for no in "${NOTLSV3[@]}" ; do
[[ $site =~ $no ]] && echo True && return 0
done
echo False
return 0
}
declare -a NOTLSV3
NOTLSV3=(
# connection refused
www.mirrorservice.org
# no ipv3
files.pythonhosted.org
# forbidden
download.nvidia.com
# 500
www.x.org
)
# https://web.archive.org/web/20220722104744/https://www.cloudflare.com/ips-v4
declare -a CLOUDFN
CLOUDFN=(
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
104.16.0.0/13
104.24.0.0/14
108.162.192.0/18
131.0.72.0/22
141.101.64.0/18
162.158.0.0/15
172.64.0.0/13
188.114.96.0/20
190.93.240.0/20
197.234.240.0/22
198.41.128.0/17
)
#for no in "${CLOUDFN[@]}" ; do
# # https://netaddr.readthedocs.io/en/latest/tutorial_01.html
# a=`python3 -c "import netaddr; print('\n'.join(map(str,list(netaddr.IPNetwork('$no')))))"`
#done
# /usr/include/openssl/x509_vfy.h
declare -A OPENSSL_X509_V
OPENSSL_X509_V=(
[0]=OK
[1]=ERR_UNSPECIFIED
[2]=ERR_UNABLE_TO_GET_ISSUER_CERT
[3]=ERR_UNABLE_TO_GET_CRL
[4]=ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
[5]=ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
[6]=ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
[7]=ERR_CERT_SIGNATURE_FAILURE
[8]=ERR_CRL_SIGNATURE_FAILURE
[9]=ERR_CERT_NOT_YET_VALID
[10]=ERR_CERT_HAS_EXPIRED
[11]=ERR_CRL_NOT_YET_VALID
[12]=ERR_CRL_HAS_EXPIRED
[13]=ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
[14]=ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
[15]=ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
[16]=ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
[17]=ERR_OUT_OF_MEM
[18]=ERR_DEPTH_ZERO_SELF_SIGNED_CERT
[19]=ERR_SELF_SIGNED_CERT_IN_CHAIN
[20]=ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
[21]=ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
[22]=ERR_CERT_CHAIN_TOO_LONG
[23]=ERR_CERT_REVOKED
[24]=ERR_INVALID_CA
[25]=ERR_PATH_LENGTH_EXCEEDED
[26]=ERR_INVALID_PURPOSE
[27]=ERR_CERT_UNTRUSTED
[28]=ERR_CERT_REJECTED
# These are 'informational' when looking for issuer cert
[29]=ERR_SUBJECT_ISSUER_MISMATCH
[30]=ERR_AKID_SKID_MISMATCH
[31]=ERR_AKID_ISSUER_SERIAL_MISMATCH
[32]=ERR_KEYUSAGE_NO_CERTSIGN
[33]=ERR_UNABLE_TO_GET_CRL_ISSUER
[34]=ERR_UNHANDLED_CRITICAL_EXTENSION
[35]=ERR_KEYUSAGE_NO_CRL_SIGN
[36]=ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
[37]=ERR_INVALID_NON_CA
[38]=ERR_PROXY_PATH_LENGTH_EXCEEDED
[39]=ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
[40]=ERR_PROXY_CERTIFICATES_NOT_ALLOWED
[41]=ERR_INVALID_EXTENSION
[42]=ERR_INVALID_POLICY_EXTENSION
[43]=ERR_NO_EXPLICIT_POLICY
[44]=ERR_DIFFERENT_CRL_SCOPE
[45]=ERR_UNSUPPORTED_EXTENSION_FEATURE
[46]=ERR_UNNESTED_RESOURCE
[47]=ERR_PERMITTED_VIOLATION
[48]=ERR_EXCLUDED_VIOLATION
[49]=ERR_SUBTREE_MINMAX
# The application is not happy
[50]=ERR_APPLICATION_VERIFICATION
[51]=ERR_UNSUPPORTED_CONSTRAINT_TYPE
[52]=ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
[53]=ERR_UNSUPPORTED_NAME_SYNTAX
[54]=ERR_CRL_PATH_VALIDATION_ERROR
# Another issuer check debug option
[55]=ERR_PATH_LOOP
# Suite B mode algorithm violation
[56]=ERR_SUITE_B_INVALID_VERSION
[57]=ERR_SUITE_B_INVALID_ALGORITHM
[58]=ERR_SUITE_B_INVALID_CURVE
[59]=ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
[60]=ERR_SUITE_B_LOS_NOT_ALLOWED
[61]=ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
# Host, email and IP check errors
[62]=ERR_HOSTNAME_MISMATCH
[63]=ERR_EMAIL_MISMATCH
[64]=ERR_IP_ADDRESS_MISMATCH
# DANE TLSA errors
[65]=ERR_DANE_NO_MATCH
# security level errors
[66]=ERR_EE_KEY_TOO_SMALL
[67]=ERR_CA_KEY_TOO_SMALL
[68]=ERR_CA_MD_TOO_WEAK
# Caller error
[69]=ERR_INVALID_CALL
# Issuer lookup error
[70]=ERR_STORE_LOOKUP
# Certificate transparency
[71]=ERR_NO_VALID_SCTS
[72]=ERR_PROXY_SUBJECT_NAME_VIOLATION
# OCSP status errors
[73]=ERR_OCSP_VERIFY_NEEDED # Need OCSP verification
[74]=ERR_OCSP_VERIFY_FAILED # Couldn't verify cert through OCSP
[75]=ERR_OCSP_CERT_UNKNOWN # Certificate wasn't recognized by the OCSP responder
[76]=ERR_SIGNATURE_ALGORITHM_MISMATCH
[77]=ERR_NO_ISSUER_PUBLIC_KEY
[78]=ERR_UNSUPPORTED_SIGNATURE_ALGORITHM
[79]=ERR_EC_KEY_EXPLICIT_PARAMS
)
# man 3 libcurl-errors
declare -A CURLE
CURLE=(
[0]=CURLE_OK
[1]=CURLE_UNSUPPORTED_PROTOCOL
[2]=CURLE_FAILED_INIT
[3]=CURLE_URL_MALFORMAT
[4]=CURLE_NOT_BUILT_IN
[5]=CURLE_COULDNT_RESOLVE_PROXY
[6]=CURLE_COULDNT_RESOLVE_HOST
[7]=CURLE_COULDNT_CONNECT
[8]=CURLE_WEIRD_SERVER_REPLY
[9]=CURLE_REMOTE_ACCESS_DENIED
[10]=CURLE_FTP_ACCEPT_FAILED
[11]=CURLE_FTP_WEIRD_PASS_REPLY
[12]=CURLE_FTP_ACCEPT_TIMEOUT
[13]=CURLE_FTP_WEIRD_PASV_REPLY
[14]=CURLE_FTP_WEIRD_227_FORMAT
[15]=CURLE_FTP_CANT_GET_HOST
[16]=CURLE_HTTP2
[17]=CURLE_FTP_COULDNT_SET_TYPE
[18]=CURLE_PARTIAL_FILE
[19]=CURLE_FTP_COULDNT_RETR_FILE
[21]=CURLE_QUOTE_ERROR
[22]=CURLE_HTTP_RETURNED_ERROR
[23]=CURLE_WRITE_ERROR
[25]=CURLE_UPLOAD_FAILED
[26]=CURLE_READ_ERROR
[27]=CURLE_OUT_OF_MEMORY
[28]=CURLE_OPERATION_TIMEDOUT
[30]=CURLE_FTP_PORT_FAILED
[31]=CURLE_FTP_COULDNT_USE_REST
[33]=CURLE_RANGE_ERROR
[34]=CURLE_HTTP_POST_ERROR
[35]=CURLE_SSL_CONNECT_ERROR
[36]=CURLE_BAD_DOWNLOAD_RESUME
[37]=CURLE_FILE_COULDNT_READ_FILE
[38]=CURLE_LDAP_CANNOT_BIND
[39]=CURLE_LDAP_SEARCH_FAILED
[41]=CURLE_FUNCTION_NOT_FOUND
[42]=CURLE_ABORTED_BY_CALLBACK
[43]=CURLE_BAD_FUNCTION_ARGUMENT
[45]=CURLE_INTERFACE_FAILED
[47]=CURLE_TOO_MANY_REDIRECTS
[48]=CURLE_UNKNOWN_OPTION
[49]=CURLE_SETOPT_OPTION_SYNTAX
[52]=CURLE_GOT_NOTHING
[53]=CURLE_SSL_ENGINE_NOTFOUND
[54]=CURLE_SSL_ENGINE_SETFAILED
[55]=CURLE_SEND_ERROR
[56]=CURLE_RECV_ERROR
[58]=CURLE_SSL_CERTPROBLEM
[59]=CURLE_SSL_CIPHER
[60]=CURLE_PEER_FAILED_VERIFICATION
[61]=CURLE_BAD_CONTENT_ENCODING
[62]=CURLE_LDAP_INVALID_URL
[63]=CURLE_FILESIZE_EXCEEDED
[64]=CURLE_USE_SSL_FAILED
[65]=CURLE_SEND_FAIL_REWIND
[66]=CURLE_SSL_ENGINE_INITFAILED
[67]=CURLE_LOGIN_DENIED
[68]=CURLE_TFTP_NOTFOUND
[69]=CURLE_TFTP_PERM
[70]=CURLE_REMOTE_DISK_FULL
[71]=CURLE_TFTP_ILLEGAL
[72]=CURLE_TFTP_UNKNOWNID
[73]=CURLE_REMOTE_FILE_EXISTS
[74]=CURLE_TFTP_NOSUCHUSER
[75]=CURLE_CONV_FAILED
[76]=CURLE_CONV_REQD
[77]=CURLE_SSL_CACERT_BADFILE
[78]=CURLE_REMOTE_FILE_NOT_FOUND
[79]=CURLE_SSH
[80]=CURLE_SSL_SHUTDOWN_FAILED
[81]=CURLE_AGAIN
[82]=CURLE_SSL_CRL_BADFILE
[83]=CURLE_SSL_ISSUER_ERROR
[84]=CURLE_FTP_PRET_FAILED
[85]=CURLE_RTSP_CSEQ_ERROR
[86]=CURLE_RTSP_SESSION_ERROR
[87]=CURLE_FTP_BAD_FILE_LIST
[88]=CURLE_CHUNK_FAILED
[89]=CURLE_NO_CONNECTION_AVAILABLE
[90]=CURLE_SSL_PINNEDPUBKEYNOTMATCH
[91]=CURLE_SSL_INVALIDCERTSTATUS
[92]=CURLE_HTTP2_STREAM
[93]=CURLE_RECURSIVE_API_CALL
[94]=CURLE_AUTH_ERROR
[95]=CURLE_HTTP3
[96]=CURLE_QUIC_CONNECT_ERROR
[98]=CURLE_SSL_CLIENTCERT
[99]=CURLE_UNRECOVERABLE_POLL
)
# 20 HTTP response status codes
declare -A HTTP_RESPONSE
HTTP_RESPONSE=(
[100]="Continue"
[101]="Switching Protocols"
[103]="Early Hints"
[200]="OK"
[201]="Created"
[202]="Accepted"
[203]="Non-Authoritative Information"
[204]="No Content"
[205]="Reset Content"
[206]="Partial Content"
[300]="Multiple Choices"
[301]="Moved Permanently"
[302]="Found"
[303]="See Other"
[304]="Not Modified"
[307]="Temporary Redirect"
[308]="Permanent Redirect"
[400]="Bad Request"
[401]="Unauthorized"
[402]="Payment Required"
[403]="Forbidden"
[404]="Not Found"
[405]="Method Not Allowed"
[406]="Not Acceptable"
[407]="Proxy Authentication Required"
[408]="Request Timeout"
[409]="Conflict"
[410]="Gone"
[411]="Length Required"
[412]="Precondition Failed"
[413]="Payload Too Large"
[414]="URI Too Long"
[415]="Unsupported Media Type"
[416]="Range Not Satisfiable"
[417]="Expectation Failed"
[418]="Im a teapot"
[422]="Unprocessable Entity"
[425]="Too Early"
[426]="Upgrade Required"
[428]="Precondition Required"
[429]="Too Many Requests"
[431]="Request Header Fields Too Large"
[451]="Unavailable For Legal Reasons"
[500]="Internal Server Error"
[501]="Not Implemented"
[502]="Bad Gateway"
[503]="Service Unavailable"
[504]="Gateway Timeout"
[505]="HTTP Version Not Supported"
[506]="Variant Also Negotiates"
[507]="Insufficient Storage"
[508]="Loop Detected"
[510]="Not Extended"
[511]="Network Authentication Required"
)
# https://techcommunity.microsoft.com/t5/iis-support-blog/ssl-tls-alert-protocol-and-the-alert-codes/ba-p/377132
declare -a SSL_ALERT_CODES
# B.2. Alert Messages
SSL_ALERT_CODES=(
[0]="close_notify"
[10]="unexpected_message"
[20]="bad_record_mac"
[21]="decryption_failed_RESERVED"
[22]="record_overflow"
[30]="decompression_failure_RESERVED"
[40]="handshake_failure"
[41]="no_certificate_RESERVED"
[42]="bad_certificate"
[43]="unsupported_certificate"
[44]="certificate_revoked"
[45]="certificate_expired"
[46]="certificate_unknown"
[47]="illegal_parameter"
[48]="unknown_ca"
[49]="access_denied"
[50]="decode_error"
[51]="decrypt_error"
[60]="export_restriction_RESERVED"
[70]="protocol_version"
[71]="insufficient_security"
[80]="internal_error"
[86]="inappropriate_fallback"
[90]="user_canceled"
[100]="no_renegotiation_RESERVED"
[109]="missing_extension"
[110]="unsupported_extension"
[111]="certificate_unobtainable_RESERVED"
[112]="unrecognized_name"
[113]="bad_certificate_status_response"
[114]="bad_certificate_hash_value_RESERVED"
[115]="unknown_psk_identity"
[116]="certificate_required"
[120]="no_application_protocol"
)
# https://curl.se/docs/ssl-ciphers.html
# openssl
# https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html
# https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
openssl=openssl
# CURLOPT_TLS13_CIPHERS --tls13-ciphers
if [ $openssl = openssl ] ; then
export CURLOPT_TLS13_CIPHERS="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256"
elif [ $openssl = nss ] ; then
export CURLOPT_TLS13_CIPHERS="aes_128_gcm_sha_256,aes_256_gcm_sha_384,chacha20_poly1305_sha_256"
fi

55
overlay/Linux/usr/local/bin/proxy_daily.bash Executable file
View file

@ -0,0 +1,55 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
# The idea here is to run ansible_local.bash --tags daily
# and then use this to do the parsing and throwing errors based on the output.
# This was the ansible run can be free from erroring and this can be
# run repeatedly anytime outside of ansible to deal with the issues raised.
# It is also run at the end of ansible_local.bash --tags daily to raise the issues.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
MYID=$( id -u )
[ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ; exit 1 ; }
# . $PREFIX/src/var_local_src.bash
which ansifilter >/dev/null 2>&1 && ansifilter=ansifilter || ansifilter=cat
ly=daily
errs=0
warns=0
elt=proxy
LOG_DIR=/usr/local/tmp
ELOG=$LOG_DIR/E${prog}_${ly}$$.log
WLOG=$LOG_DIR/W${prog}_${ly}$$.log
OUT=$LOG_DIR/O${prog}_${ly}$$.log
rm -f $LOG_DIR/*${prog}_${ly}*.log
elt=doctest3
if [ $MYID -ne 0 ] && [ -f /var/local/bin/testforge_python_doctest3.bash ] ; then
/var/local/bin/testforge_python_doctest3.bash \
/var/local/share/doc/txt/proxy3.txt \
> "$LOG_DIR"/$ly/$elt$$.log 2>> $ELOG || ERROR $elt >> $ELOG
fi
[ -f $WLOG ] && warns=$( wc -l $WLOG | cut -f 1 -d ' ' )
[ $? -eq 0 -a $warns -ne 0 ] && \
WARN "$prog $warns $ly $prog warnings in $WLOG"
[ -f $ELOG ] && errs=$( wc -l $ELOG | cut -f 1 -d ' ' )
[ $? -eq 0 -a $errs -ne 0 ] && \
ERROR "$prog $errs $ly $prog errors in $ELOG" && cat $ELOG
[ $errs -eq 0 ] && \
[ $warns -eq 0 ] && \
INFO "$prog No $ly errors" && \
rm -f $WLOG $ELOG $OUT
exit $errs

64
overlay/Linux/usr/local/bin/proxy_dirmngr.bash Executable file
View file

@ -0,0 +1,64 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/usr_local_base.bash || exit 2
# NO allow-version-check CALLS ANYWAY versions.gnupg.org
# echo "DEBUG: $0 GNUPGHOME=$GNUPGHOME $*" >> /tmp/$$.out
PROXY_GPG_KEYSERVER=keys.openpgp.org
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash >/dev/null
[ -z "$PROXY_GPG_KEYERVER_URL" ] && PROXY_GPG_KEYERVER_URL=hkps://$PROXY_GPG_KEYSERVER
# ONLY disabling on the command line or
[ -e /proc/sys/net/ipv6/conf/default/disable_ipv6 ] && \
[ `cat /proc/sys/net/ipv6/conf/default/disable_ipv6` -eq 0 ] && \
echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
PROXY_WLAN=$( /usr/local/bin/proxy_ping_lib.bash proxy_set_if ) # || return 1$?
if [ -n "$PROXY_WLAN" ] ; then
wlan7=$PROXY_WLAN
[ -e /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6 ] && \
[ `cat /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6` -eq 0 ] && \
echo 1 > /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6
fi
route | grep -q ^default || { ERROR no route ; exit 1; }
[ -z "$USER" ] && USER=$(id -un )
if [ $USER = root ] ; then
[ -x /usr/bin/dirmngr -a ! -x /usr/bin/dirmngr.bin ] && \
mv /usr/bin/dirmngr /usr/bin/dirmngr.bin
[ -x /usr/bin/dirmngr.bin -a ! -x /usr/bin/dirmngr ] && \
ln -s /usr/local/bin/proxy_dirmngr.bash /usr/bin/dirmngr
fi
[ ! -x /usr/bin/dirmngr -o ! -x /usr/bin/dirmngr.bin ] && exit 2
[ -f /etc/dirmngr/dirmngr.conf ] || exit 3
[ -x /usr/bin/dirmngr.bin ] || exit 4
[ ! -x /usr/bin/netstat ] || \
netstat -nlp|grep -q 127.0.0.1:53 || { ERROR no nameserver ; exit 5; }
[ ! -x /usr/bin/netstat ] || \
netstat -nlp|grep -q 127.0.0.1:3128 || { ERROR no proxy 3128 ; exit 6; }
# This is not enough: --disable-ipv6
# --keyserver hkps://keys.gentoo.org is required
# --http-proxy http://127.0.0.1:3128
# --keyserver $PROXY_GPG_KEYERVER_URL
# --no-use-tor is REQUIRED if you are running tor
# EVEN IF YOU DOT USE use-tor - silent dns failure
exec /usr/bin/dirmngr.bin --server -vvv --debug-all \
--options /etc/dirmngr/dirmngr.conf \
--nameserver 127.0.0.1 \
--disable-ipv6 \
--disable-ldap \
--no-use-tor \
--log-file /var/log/dirmngr.log --debug-level 4 \
"$@"

63
overlay/Linux/usr/local/bin/proxy_dirmngr_test.bash Executable file
View file

@ -0,0 +1,63 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
# Dual Linux or msys64
prog=$( basename $0 .bash )
ROLE=proxy
PREFIX=/usr/local
[ -n "$MSYSTEM" ] && EXET=msys || EXET=sh
[ -f $PREFIX/etc/testforge/testforge.bash ] \
&& . /usr/local/etc/testforge/testforge.bash
# Dual Linux or msys64
PROXIES=""
if [ -d /etc/pacman.d/gnupg ] ; then
ROLE=msys64
HOMEDIR=/etc/pacman.d/gnupg
# proxy or striaght through
PROXIES="10.152.152.12"
elif [ -d /q/Pg64/Msys64/etc/pacman.d/gnupg ] ; then
ROLE=q
HOMEDIR=/q/Pg64/Msys64/etc/pacman.d/gnupg
ppl=/usr/local/bin/proxy_ping_lib.bash
# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
[ "$USER" != root ] && export PATH=/sbin:$PATH
[ -z "$MODE" ] && MODE=$( $ppl proxy_ping_mode )
if [ "$MODE" = tor ] ; then
PROXIES="127.0.0.1:3128"
elif [ "$MODE" = whonix ] ; then
PROXIES="10.0.2.15:9128"
elif [ "$MODE" = gateway ] ; then
PROXIES="10.0.2.15:9128"
elif ps ax | grep -q polipo ; then
PROXIES="127.0.0.1:3128"
else
echo ERROR: unknown proxy
exit 2
fi
fi
GPG="gpg --verbose --home $HOMEDIR"
[ -f /etc/dirmngr/dirmngr.conf ] || { echo ERROR: no ^keyserver in /etc/dirmngr/dirmngr.conf ; exit 1 ; }
$GPG --refresh-keys --verbose
ps ax | grep /usr/bin/dirmngr.bin|grep -v grep|sed -e 's/ .*//'|xargs kill
grep '^keyserver hkp' /etc/dirmngr/dirmngr.conf| \
sed -e 's@keyserver hkp://@@' | \
while read elt;do
for proxy in $PROXIES; do
echo 1 | http_proxy=$proxy $GPG --yes \
--debug-level guru \
--keyserver hkp://$elt \
--search-keys abcdefghij || exit 3$?
echo INFO: $proxy $elt
done
done

42
overlay/Linux/usr/local/bin/proxy_dirmngr_test.exp Executable file
View file

@ -0,0 +1,42 @@
#!/usr/bin/expect --
# -*- mode: tcl; tab-width: 8; encoding: utf-8-unix -*-
set timeout 60
set elt $env(keyserver)
spawn gpg --verbose \
--homedir $env(HOMEDIR) \
--debug-level guru \
--keyserver hkp://$elt \
--search-keys $env(KEY_ID)
# keyserver search failed: Not found
# 0x6923CE7991ABF7338DB1C9AA5F0142A080E4A9A0
expect "1-1*"
send_user "Sending 1\r"
send "1\r"
expect -re .+ {
exp_continue
} 0x6923CE7991ABF7338DB1C9AA5F0142A080E4A9A0 {
send_user "Quitting 0x6923CE7991ABF7338DB1C9AA5F0142A080E4A9A0\r"
exit 0
} AbCdEfGhIj {
send_user "Quitting AbCdEfGhIj\r"
exit 0
} BYE {
send_user "Quitting BYE\r"
exit 0
} "6923 CE79 91AB F733 8DB1 C9AA 5F01 42A0 80E4 A9A0" {
send_user "Quitting FP\r"
exit 0
} timeout {
exit 1
} eof {
exit 0
}
# expect -r .+ {send "\r"}

22
overlay/Linux/usr/local/bin/proxy_dns_forward.bash Executable file
View file

@ -0,0 +1,22 @@
#!/bin/sh
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
# https://unix.stackexchange.com/questions/293304/using-netcat-for-port-forwarding
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/usr_local_tput.bash || exit 2
netstat -nlpe4 | grep -q 127.0.0.1:53 && {
ERROR 127.0.0.1:53 already bound
exit 1
}
MODE=$( /usr/local/bin/proxy_ping_lib.bash proxy_ping_mode )
if [ "$MODE" = tor -o "$MODE" = gateway -o "$MODE" = selektor ] ; then
socat -L/run/socat.lck udp-l:53,bind=127.0.0.1,fork,reuseaddr udp:127.0.0.1:9053 >/dev/null
elif a[ "$MODE" = whonix ] ; then
socat -L/run/socat.lck udp-l:53,bind=127.0.0.1,fork,reuseaddr udp:10.0.2.2:9053 >/dev/null
fi

166
overlay/Linux/usr/local/bin/proxy_export.bash Executable file
View file

@ -0,0 +1,166 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
#NO prog=proxy_export
. /usr/local/bin/usr_local_tput.bash || exit 2
[ -f /usr/local/bin/proxy_ping_lib.bash ] || \
{ ERROR missing /usr/local/bin/proxy_ping_lib.bash ; exit 1; }
# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
# [ "$USER" != root ] && export PATH=/sbin:$PATH
## proxy_to_virbr1_15
proxy_to_virbr1_15 () {
if ifconfig | grep -q virbr1 ; then
PROXY_VIREXT_IP=$( ifconfig virbr1 | grep inet | sed -e 's/.*inet //' -e 's/ .*//' )
[ $? -eq 0 -a -n "$PROXY_VIREXT_IP" ] && \
PROXY_VIREXT_HOST=$( echo $PROXY_VIREXT_IP | sed -e 's/2$/15/' ) && \
[ -n "$PROXY_VIREXT_HOST" ] && \
export no_proxy="localhost,127.0.0.1,$PROXY_VIREXT_HOST" && \
export https_proxy=http://$PROXY_VIREXT_HOST:9128 && \
export socks_proxy=socks5://$PROXY_VIREXT_HOST:9050 && \
export TOR_SOCKS_HOST=$PROXY_VIREXT_HOST && \
export TOR_SOCKS_PORT=9050
fi
return 0
}
## proxy_http_host_httpproxy
proxy_http_host_httpproxy () {
if netstat -nle4 | grep -q 127.0.0.1:3128 >/dev/null ; then
export http_proxy=http://127.0.0.1:3128
export https_proxy=http://127.0.0.1:3128
export RSYNC_PROXY=127.0.0.1:3128
fi
return 0
}
proxy_https_host_selektor () { proxy_https_host_tor $* ; }
proxy_https_host_tor () {
if netstat -nle4 | grep -q 127.0.0.1:9128 >/dev/null ; then
export https_proxy=http://127.0.0.1:9128
fi
return 0
}
proxy_socks_host_tor () {
local file=/etc/tor/torrc
if [ -f $file ] ; then
port=`grep -hi ^socksport /etc/tor/torrc /etc/tor/torrc-defaults | sed -e 's/SocksPort //' -e 's/.*://'`
[ -z "$port" ] && port=9050
export socks_proxy=socks5://127.0.0.1:$port
return 0
else
[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
echo >&2 WARN: $prog $file not found
return 1
fi
if netstat -nle4 | grep -q 127.0.0.1:$port >/dev/null ; then
export socks_proxy=socks5://127.0.0.1:$port
fi
return 0
}
proxy_socks_host_selektor () {
local file=/var/lib/tor/.SelekTOR/3xx/SelekTOR.xml
if [ -f $file ] ; then
port=`grep PREF_LISTENPORT $file | sed -e 's/.*">//' -e 's/<.*//'`
[ -z "$port" ] && port=9050
export socks_proxy=socks5://127.0.0.1:$port
return 0
else
[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
echo >&2 WARN: $prog $file not found
fi
return 0
}
# proxy_export_mode
proxy_export_mode () {
ppl=/usr/local/bin/proxy_ping_lib.bash
[ -z "$MODE" ] && MODE=$( $ppl proxy_ping_mode )
[ -z "$MODE" ] && MODE=host
# $0=bash
[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
debug $prog MODE=$MODE ONE=$MODE 0=$0 "$#" "$@"
if [ "$MODE" = from -o "$MODE" = whonix ] ; then
export no_proxy="localhost,127.0.0.1,10.0.2.15"
proxy_http_host_httpproxy
proxy_to_virbr1_15
elif [ "$MODE" = client ] ; then
# inherit the environment
proxy_http_host_httpproxy
proxy_https_host_tor
proxy_socks_host_tor
elif [ "$MODE" = nat ] ; then
export no_proxy="localhost,127.0.0.1,10.0.2.2,10.0.2.0/24"
# get external
external=`grep external$ /etc/hosts|sed -e 's/ .*//'`
if [ $? -eq 0 ] && [ -n "$external" ] ; then
# get the ports and PROXY_MODE of the host
export socks_proxy=socks5://$external:9050
export http_proxy=http://$external:3128
export https_proxy=http://$external:9128
fi
elif [ "$MODE" = vda -o "$MODE" = workstation ] ; then
export no_proxy="localhost,127.0.0.1,10.152.152.10"
export socks_proxy=socks5://10.152.152.10:9050
proxy_http_host_httpproxy
export https_proxy=http://10.152.152.10:9128
elif [ "$MODE" = gateway ] ; then
export no_proxy="localhost,127.0.0.1,10.0.2.2,10.0.2.15"
export socks_proxy=socks5://10.0.2.15:9050
proxy_http_host_httpproxy
export https_proxy=http://10.0.2.15:9128
elif [ "$MODE" = selektor ] ; then
export http_proxy=http://127.0.0.1:3128
export https_proxy=http://127.0.0.1:9128
export no_proxy="localhost,127.0.0.1"
proxy_http_host_httpproxy
proxy_https_host_selektor
proxy_socks_host_selektor
elif true || [ "$MODE" = to -o "$MODE" = to_tor -o "$MODE" = tor ] ; then
export http_proxy=http://127.0.0.1:3128
export https_proxy=http://127.0.0.1:9128
export socks_proxy=http://127.0.0.1:9050
export no_proxy="localhost,127.0.0.1"
proxy_http_host_httpproxy
proxy_https_host_tor
proxy_socks_host_tor
fi
}
# echo $0 $* "$0" = 'tostop' -o
if [ "$0" = '-bash' -o "$0" = '/bin/bash' -o "$0" = 'bash' ] ; then
proxy_export_mode
[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
env | grep proxy | while read line ; do debug $line ; done
elif [ -x /usr/bin/basename ] && \
[ `basename -- "$0"` = 'proxy_export.bash' -o \
"$( basename -- "`readlink $0`" )" = 'proxy_export.bash' ] ; then
if [ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] ; then
echo USAGE: $0 && grep '^## ' $0 | sed -e 's/^## //'|sort
elif [ "$#" -eq 0 ] || [ "$#" -eq 1 -a $1 = mode ]; then
set -- proxy_export_mode
fi
eval "$@"
exit $?
fi

8
overlay/Linux/usr/local/bin/proxy_firewall_start.bash Executable file
View file

@ -0,0 +1,8 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/proxy_ping_lib.bash || { echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 3; }
proxy_ping_firewall_restart $*

16
overlay/Linux/usr/local/bin/proxy_get_if.bash Executable file
View file

@ -0,0 +1,16 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
# on stdout - messages on stderr
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
export PATH=$PATH:/usr/local/bin
PROXY_WLAN=$( /usr/local/bin/proxy_ping_lib.bash proxy_get_if )
retval=$?
echo -n $PROXY_WLAN
exit $retval

25
overlay/Linux/usr/local/bin/proxy_hosts_test.bash Executable file
View file

@ -0,0 +1,25 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
# Dual Linux or msys64
prog=$( basename $0 .bash )
ROLE=proxy
PREFIX=/usr/local
[ -n "$MSYSTEM" ] && EXET=msys || EXET=sh
. /usr/local/bin/usr_local_tput.bash
[ -f $PREFIX/etc/testforge/testforge.bash ] \
&& . /usr/local/etc/testforge/testforge.bash
grep -v '#\|127.0.0.1' /etc/hosts | while read ip b ; do
[ -z "$ip" ] && continue
[ -z "$b" ] && continue
dig -x $ip | grep "$b" && \
INFO $ip $b || \
WARN $ip $b `dig -x $ip | grep 'IN.*\.'`
dig $b | grep 'IN.*\.'
dig @8.8.8.8 $b | grep 'IN.*\.'
done

192
overlay/Linux/usr/local/bin/proxy_hourly.bash Executable file
View file

@ -0,0 +1,192 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
DEBUG=1
# The idea here is to run ansible_local.bash --tags daily
# and then use this to do the parsing and throwing errors based on the output.
# This was the ansible run can be free from erroring and this can be
# run repeatedly anytime outside of ansible to deal with the issues raised.
# It is also run at the end of ansible_local.bash --tags daily to raise the issues.
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash || exit 2
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ -f /usr/local/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash >/dev/null
PL=/usr/local/bin/proxy_ping_lib.bash
. $PL
PL=
[ -z "$USER" ] && USER=$(id -un )
MYID=$( id -u )
[ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ; exit 1 ; }
# . $PREFIX/src/var_local_src.bash
which ansifilter >/dev/null 2>&1 && ansifilter=ansifilter || ansifilter=cat
[ -d /dev/virtio-ports ] && ONE_GUEST=1 || ONE_GUEST=0
ly=hourly
errs=0
warns=0
elt=proxy
LOG_DIR=/usr/local/tmp
ELOG=$LOG_DIR/E${prog}_${ly}$$.log
WLOG=$LOG_DIR/W${prog}_${ly}$$.log
OUT=$LOG_DIR/O${prog}_${ly}$$.log
[ -f /usr/local/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash
export PATH=$PATH:/usr/local/bin
[ -z "$MODE" ] && MODE=$( $PL proxy_ping_mode )
[ -n "$DEBUG" ] && echo >&2 DEBUG: $prog $ly MODE=$MODE 0=$0 "$#" "$@"
[ -z "$MODE" ] && exit 2
# ubuntu / devuan oddball
route | grep -q 'lo$' || \
ip route add 127.0.0.0/8 dev lo scope host
/usr/local/bin/proxy_ping_test.bash $MODE 2> $ELOG
if [ $ONE_GUEST -eq 0 ] ; then
IP=`ifconfig |grep -A1 wlan|grep inet|sed -e 's/.*inet //' -e 's/ .*//'`
# 10.24.216.64
if [ -n "$IP" ] ; then
grep -q " external" /etc/hosts && \
sed -e "s/.* external/$IP external/" -i /etc/hosts || \
echo "$IP external" >> /etc/hosts
fi
a=`grep nameserver /etc/resolv.conf | grep -v 'nameserver 127.0.0.1'| wc -l`
if [ $? -eq 0 -a -n "$a" -a "$a" -gt 0 ] ; then
/usr/local/bin/base_wall.bash "CRIT: $prog /etc/resolv.conf" `grep nameserver /etc/resolv.conf`
echo 'nameserver 127.0.0.1' > /etc/resolv.conf
fi
[ -d $LOG_DIR/ ] || mkdir -p $LOG_DIR/ || true
find $LOG_DIR/*${prog}_${ly}*.log -ctime +2 -delete || true
if [ -d /etc/ssl/certs/ ] ; then
find -L /etc/ssl/certs/ -type l >> $WLOG
find -L /etc/ssl/certs/ -type l -delete
else
WARN /etc/ssl/certs/ missing
fi
if [ "$MODE" = whonix ] ; then
[ -n "$BASE_SRC_ANSIBLE" ] || BASE_SRC_ANSIBLE=/g/TestForge/src/ansible
BOX_WHONIX_PROXY_HOST=$( /usr/local/bin/testforge_get_inventory.bash BOX_WHONIX_PROXY_HOST )
if [ -n "$BOX_WHONIX_PROXY_HOST" ] && \
which virsh 2>/dev/null >/dev/null && \
virsh list | grep -q "$BOX_WHONIX_PROXY_HOST" ; then
# sh proxy_whonix_host_tor.bash whonix
/usr/local/sbin/proxy_whonix_host.bash proxy_whonix_host_add_block >>$OUT 2>>$ELOG
fi
$PL proxy_libvirt_test >$OUT 2>&1
retval=$?
[ $retval -gt 1 ] && ERROR $prog proxy_libvirt_test retval=$retval >> $ELOG
fi
[ -f /etc/firewall.conf ] || {
ERROR $prog NO FIREWALL /etc/firewall.conf | tee -a $ELOG | \
xargs /usr/local/bin/base_wall.bash
}
ifconfig | grep -q ^wlan
if [ $? -eq 0 ] ; then
wlan7=`ifconfig|grep ^wlan|tail -1| sed -e 's/:.*//'`
grep -q $wlan7 /etc/firewall.conf || {
ERROR $prog NO $wlan7 in /etc/firewall.conf | tee -a $ELOG | \
xargs /usr/local/bin/base_wall.bash
/usr/local/bin/firewall.bash
}
fi
[ -f /var/log/privoxy/logfile ] && \
grep -i fatal /var/log/privoxy/logfile >> $WLOG && \
echo ERROR: Fatal in /var/log/privoxy/logfile |tee -a $ELOG
if route | grep -q ^def ; then
$PL proxy_ping_gw_check || {
ERROR proxy_ping_gw_check >> $ELOG
}
$PL proxy_ping_dnsmasq_check || {
x ERROR proxy_ping_dnsmasq_check >> $ELOG
}
$PL proxy_ping_firewall_check || {
ERROR proxy_ping_firewall_check >> $ELOG
}
$PL proxy_iptables_save >$OUT 2>&1
if [ $? -ne 0 ] || ! grep -q DROP $OUT ; then
ERROR $prog NO FIREWALL - DROP `cat $OUT` | tee -a $ELOG
/usr/local/bin/base_wall.bash ERROR $prog NO FIREWALL - DROP
#? /usr/local/bin/proxy_firewall_restore_iptable.bash /etc/firewall.conf
fi
$PL proxy_test_dirmngr $OUT || \
{ retval=$? ; ERROR proxy_test_dirmngr $retval >> $ELOG ; }
if dmesg | grep --text -A 1 'martian' ; then
dmesg | grep --text -A 1 'martian' | \
xargs echo WARN: martians >> $WLOG
dmesg | grep --text -A 1 'martian' | \
sed -e 's/DST=.*//' -e 's/.*martian_//' -e 's/ OUT=.*SRC=/ /' >> $WLOG
fi
/usr/local/bin/proxy_ping_test.bash dns || {
ERROR $prog no dns >> $ELOG ;
}
/usr/local/bin/proxy_ping_test.bash 3128 || {
# can be false
WARN $prog no 3128 >> $WLOG
}
PROXY_WLAN=$( $PL proxy_get_if )
[ -n "$PROXY_WLAN" -a -f /etc/wicd/wireless-settings.conf ] && \
ps ax | grep -q wpa_supplicant && \
grep -A 1 bad$ /etc/wicd/wireless-settings.conf | \
grep bssid | sed -e 's/.*= //' | \
while read elt ; do \
wpa_cli -i "$PROXY_WLAN" blacklist $elt
done
$PL proxy_ping_firewall_check || \
/usr/local/bin/base_wall.bash $prog 'CRIT: proxy_ping_firewall_check' retval=$?
fi
fi
[ -s $OUT ] && grep WARN: $OUT >> $WLOG
if [ -s $ELOG ] ; then
errs=$( wc -l $ELOG | cut -f 1 -d ' ' )
if [ $? -eq 0 -a $errs -ne 0 ] ; then
ERROR $prog $errs $ly $prog errors in $ELOG
cat $ELOG
/usr/local/bin/base_wall.bash "ERROR: $prog $errs errors in $ELOG"
exit $errs
fi
fi
[ -f $WLOG ] && warns=`wc -l $WLOG | cut -f 1 -d ' '`
[ $? -eq 0 -a $warns -ne 0 ] && \
WARN "$warns $ly $prog warnings in $WLOG"
[ -f $ELOG ] && errs=`wc -l $ELOG | cut -f 1 -d ' '`
if [ $? -eq 0 -a $errs -ne 0 ] ; then
ERROR "$errs $ly $prog errors in $ELOG"
cat $ELOG
exit $errs
fi
[ $errs -eq 0 ] && \
ols_clean_testforge_logs $HARDEN_LOG_DIR && \
[ $warns -eq 0 ] && \
INFO "$prog No $ly errors in $HARDEN_LOG_DIR"
exit 0

35
overlay/Linux/usr/local/bin/proxy_jnettop.bash Executable file
View file

@ -0,0 +1,35 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
route | grep -q ^default || exit 0
[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash \
|| { echo >&2 ERROR: $prog "$PREFIX/etc/testforge/testforge.bash" ; exit 1 ; }
error () { retval=$1 ; shift; echo "ERROR: $prog" $* ; exit $retval ; }
warn () { WARN "$prog " $* ; }
info () { echo "INFO: $prog " $* ; }
usage () { echo "USAGE: $prog chroot-dir [command args] -" $* ; exit 1 ; }
# must be run as root
[ "$( id -u )" -ne "0" ] && error 1 "must be run as root"
PROXY_WLAN=$( /usr/local/bin/proxy_get_if.bash )
[ $? -eq 0 ] || error 2 " error getting device $?"
PROXY_WLAN_IP=$( proxy_ping_lib.bash proxy_get_wlan_ip )
LARGS="-i $PROXY_WLAN"
CONF=/usr/local/etc/jnettop.conf
if [ -f $CONF ] ; then
LARGS="$LARGS --config-file $CONF"
# sed -e 's/^#* *interface.*/interface "'$PROXY_WLAN'"/' -i $CONF
[ -n "$PROXY_WLAN_IP" ] && sed -e 's/"me"\t.*/"me" "net '$PROXY_WLAN_IP'"/' -i $CONF && grep -q $PROXY_WLAN_IP $CONF
fi
exec jnettop $LARGS $* # 2>/dev/null

35
overlay/Linux/usr/local/bin/proxy_libvirt_forward.bash Normal file
View file

@ -0,0 +1,35 @@
#!/bin/sh
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
# https://unix.stackexchange.com/questions/293304/using-netcat-for-port-forwarding
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/usr_local_tput.bash || exit 2
if [ ! -d /run/tmp ] ; then
sudo mkdir /run/tmp
sudo chown 1777 /run/tmp
fi
[ -z "$MODE" ] && MODE=$(/usr/local/bin/proxy_ping_lib.bash proxy_ping_mode )
IP=`grep ' external$' /etc/hosts|sed -e 's/ .*//'`
retval=$?
if [ $retval -ne 0 ] || [ -z "$IP" ] ; then
exit $retval
fi
if [ "$MODE" = tor -o "$MODE" = gateway -o "$MODE" = selektor ] ; then
socat -L/run/socat.lck udp-l:53,bind=$IP,fork,reuseaddr udp:127.0.0.1:9053 >/dev/null || \
WARN 53,bind=$IP in use
for elt in 9050 9128 ; do
netstat -nle4 | grep -q $IP:$elt && {
ERROR $IP:$elt already bound
continue # exit 1
}
DBUG socat -L/run/tmp/socat$elt.lck tcp-l:$elt,bind=${IP},fork,reuseaddr tcp:127.0.0.1:$elt
socat -L/run/tmp/socat$elt.lck tcp-l:$elt,bind=${IP},fork,reuseaddr tcp:127.0.0.1:$elt &
done
#else
# WARN $MODE
#fi

64
overlay/Linux/usr/local/bin/proxy_libvirt_ga_test.bash Executable file
View file

@ -0,0 +1,64 @@
#!/bin/bash
ROLE=proxy
MODE=host
#[ $# -eq 0 ] && set -- Whonix-Gateway /bin/cat /proc/cmdline
[ $# -eq 0 ] && set -- Whonix-Gateway /bin/netstat -lnp4
[ $# -lt 2 ] && echo USAGE: $0 domain command arguments
HOST=$1
shift
CMD=$1
shift
# FixMe
if [ $? -gt 1 ] ; then
ARGS=""
elif [ $? -gt 1 ] ; then
ARGS=`sed -e 's/ /","/g' <<< $@`
else
ARGS="$1"
fi
[ "$HOST" = WWork106 ] && HOST=Whonix-Workstation || true
[ "$HOST" = WGate106 ] && HOST=Whonix-Gateway || true
echo INFO: $0 $HOST $CMD $ARGS
false && echo DEBUG: virsh qemu-agent-command $HOST \
'{"execute":"guest-exec", "arguments": {"capture-output": true,"path":"'$CMD'","arg":["'$ARGS'"]}}'
virsh qemu-agent-command $HOST \
'{"execute":"guest-exec", "arguments": {"capture-output": true,"path":"'$CMD'","arg":["'$ARGS'"]}}' \
>/tmp/Q$$.out || exit 1$?
grep -q return /tmp/Q$$.out || exit 2
pid=`sed -e 's/.*://' -e 's/}.*//' /tmp/Q$$.out`
[ $? -eq 0 ] || exit 3
# echo DEBUG: virsh qemu-agent-command $HOST \
# '{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}'
virsh qemu-agent-command $HOST \
'{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}' \
>/tmp/R$$.out || exit 4$?
TRIES=10
i=0
while [ $i -lt $TRIES ] ; do
i=`expr $i + 1`
virsh qemu-agent-command $HOST \
'{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}' \
>/tmp/R$$.out || exit 4$i$?
grep -q '"exitcode":0' /tmp/R$$.out && break
sleep 5
echo DEBUG: $i
done
[ $i -lt $TRIES ] || \
{ echo ERROR: $i no exitcode in /tmp/R$$.out; exit 5 ; }
b64=`sed -e 's/{"return":{"exitcode":0,"out-data":"//' -e 's/",".*//' /tmp/R$$.out`
[ $? -eq 0 ] || exit 6
[ -n "$b64" ] || exit 7
echo $b64 | base64 -d -
rm -f /tmp/{Q,R}$$.out
exit 0

42
overlay/Linux/usr/local/bin/proxy_libvirt_hook_network.bash Executable file
View file

@ -0,0 +1,42 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
# Aruments ignored: dom plugged begin
# so must be idempotemt - as its called by things it calls?
prog=$( basename $0 .bash )
[ -z "$TERM" ] || . /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
[ -z "$USER" ] && USER=$(id -un )
[ -n "$USER" -a "$USER" = root ] && \
for file in /usr/local/etc/modules-load.d/vda*.conf ; do
base=$( basename $file )
[ -e /etc/modules-load.d/$base ] && continue
cp -p $file /etc/modules-load.d/$base
done
/etc/init.d/virtlogd status || /etc/init.d/virtlogd start
/etc/init.d/libvirtd status
retval=$?
[ $retval -eq 32 ] && WARN libvirtd crashed - zapping && /etc/init.d/libvirtd zap
[ $retval -eq 0 ] || /etc/init.d/libvirtd start
grep "`date +%Y-%m-%d`.* error :" /var/log/libvirt/libvirtd.log
. /usr/local/bin/proxy_ping_lib.bash
proxy_ping_firewall_restart
retval=$?
if [ $retval -eq 0 ] ; then
[ "$DEBUG" = 1 ] && logger INFO: $prog proxy_ping_firewall_restart $*
else
logger ERROR: $prog proxy_ping_firewall_restart retval=$retval $*
exit $retval
fi
[ -n "$HTTPPROXY" ] || HTTPPROXY=privoxy
/etc/init.d/$HTTPPROXY status || /etc/init.d/$HTTPPROXY start
/etc/init.d/dnsmasq status || /etc/init.d/dnsmasq start
# clean
exit 0

11
overlay/Linux/usr/local/bin/proxy_libvirt_hook_qemu.bash Executable file
View file

@ -0,0 +1,11 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
logger INFO: $0 $PWD $*
exit 0

285
overlay/Linux/usr/local/bin/proxy_libvirt_lib.bash Executable file
View file

@ -0,0 +1,285 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
base=proxy_libvirt_lib
# shellcheck disable=SC2154
[ -z "$USER" ] && USER=$(id -un )
# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
. /usr/local/bin/usr_local_tput.bash || exit 2
. /usr/local/bin/proxy_ping_lib.bash || exit 2
## proxy_libvirt_test_dnsmasq
proxy_libvirt_test_dnsmasq () { DBUG proxy_libvirt_test_dnsmasq $* ;
proxy_rc_service libvirtd status </dev/null >/dev/null || {
DBUG $prog libvirtd not running ; return 0
}
if ls /var/lib/libvirt/dnsmasq/*conf >/dev/null 2>/dev/null ; then
dbug $prog checking libvirtd dnsmasq conf
PROXY_WLAN=$( proxy_get_if )
retval=$?
[ $retval -eq 0 -a -n "$PROXY_WLAN" ] || {
ERROR proxy_get_if empty wlan7 retval=$retval
return 2$retval
}
for elt in bind-interfaces except-interface=$PROXY_WLAN no-dhcp-interface=$PROXY_WLAN ; do
for file in /var/lib/libvirt/dnsmasq/*conf ; do
if ! grep -q $elt $file ; then
[ -f $file.$$ ] || cp -p $file $file.$$
echo $elt >> $file
fi
done
done
if ls /var/lib/libvirt/dnsmasq/*conf.$$ >/dev/null 2>/dev/null ; then
dbug $prog restarting libvirtd dnsmasq conf
# FixMe: use virsh net-update net-edit
# ps ax | grep dnsmasq|grep -v grep|while read pid rest ; do kill -HUP $pid; done
for file in /var/lib/libvirt/dnsmasq/*conf.$$ ; do
pid=$( grep ^pid-file= $file|sed -e 's/.*=//' )
[ $? -ne 0 -o -z "$pid" ] && WARN $prog not pid-file in $file && continue
[ -f $pid ] || dbug $prog no pid-file in $file && continue
pid=$( cat $pid )
dbug $prog HUPing libvirtd dnsmasq $pid
kill -HUP $pid || WARN $prog error killing $file $pid && continue
done
fi
fi
return 0
}
## proxy_libvirt_clean_virbr1_rules
proxy_libvirt_clean_virbr1_rules () {
local line
proxy_iptables_save | \
grep -e '-A LIBVIRT_[OUTINP]* -i virbr[12] .* --dport [56][378] -j ACCEPT' | \
sed -e 's/-A/-D/' | while read line ; do
proxy_iptables $line
done
return 0
}
## proxy_libvirt_no_autostart
proxy_libvirt_no_autostart () { DBUG proxy_libvirt_no_autostart $* ;
proxy_libvirt_hung || return 1
proxy_virsh net-list --autostart | while read n s a p ; do
[ "$a" = yes ] || continue
virsh net-autostart $n --disable || { ERROR $prog net-autostart $n --disable ; return 1 ; }
dbug $prog net-autostart $n --disable
[ "$s" = active ] || continue
virsh net-destroy $n || { dbug $prog net-destroy $n ; return 2 ; }
dbug $prog net-destroy $n
done
return 0
}
## proxy_libvirt_status tests and checks logs - noisy
proxy_libvirt_status () { proxy_libvirt_status_host $* ; return $? ; }
proxy_libvirt_status_host () { DBUG proxy_libvirt_status $* ;
/etc/init.d/virtlogd status >/dev/null || /etc/init.d/virtlogd start || return 1$?
/etc/init.d/libvirtd status >/dev/null || /etc/init.d/libvirtd start || return 2$?
if ! proxy_rc_service libvirtd status >/dev/null ; then
DBUG proxy_libvirt_status proxy_rc_service libvirtd start
proxy_rc_service libvirtd start || return 3$?
fi
if ! proxy_rc_service libvirtd status >/dev/null ; then
ERROR proxy_libvirt_status proxy_rc_service libvirtd not started
return 4
fi
if [ ! -e /run/libvirt/libvirt-sock ] ; then
WARN proxy_libvirt_status no /run/libvirt/libvirt-sock
fi
if [ ! -e /run/libvirt/virtlogd-sock ] ; then
WARN proxy_libvirt_status no /run/libvirt/virtlogd-sock
fi
# virtlockd-sock
# shellcheck disable=SC2154
[ -z "$GATEW_DOM" ] && GATEW_DOM="$( proxy_testforge_get_gateway_dom )"
if [ -n "$GATEW_DOM" ] ; then
proxy_libvirt_list | grep -q $GATEW_DOM
[ $? -ne 0 ] && DBUG proxy_libvirt_status $GATEW_DOM not in virsh list
#? && return 3
else
WARN proxy_libvirt_status null GATEW_DOM
fi
return 0
}
## proxy_libvirt_restart
proxy_libvirt_restart () { DBUG proxy_libvirt_restart $* ;
# tests restarts
proxy_libvirt_start || return 3$?
proxy_libvirt_test || return 4$?
[ -x /etc/libvirt/hooks/network ] || return 7$?
/etc/libvirt/hooks/network || return 8$?
proxy_ping_firewall_restart
# /etc/modules-load.d/firewall.conf
return 0
}
## proxy_libvirt_start_guest
proxy_libvirt_start_guest () {
local dire=$1
[ ! -f /etc/init.d/qemu-guest-agent ] && return 0
proxy_rc_service qemu-guest-agent status >/dev/null \
|| proxy_rc_service qemu-guest-agent start || return 2$?
return $?
}
# proxy_libvirt_test_host
proxy_libvirt_test_host () {
local dire=$1
[ -z "$dire" ] && MODE="$( proxy_whonix_mode )" && dire=$MODE
[ -n "$MODE" ] || MODE=host
if [ $MODE = tor ] ; then
proxy_rc_service tor status >/dev/null || \
{ echo ERROR: $prog tor is not running ; return 2 ; }
# different for selector
fi
$PREFIX/bin/proxy_ping_test.bash to_tor || return 6$?
return $?
}
# proxy_libvirt_test_guest
proxy_libvirt_test_guest () {
[ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] || \
echo WARN: /dev/virtio-ports/org.qemu.guest_agent.0 not created
proxy_rc_service qemu-guest-agent status
return $?
}
## proxy_libvirt_status tests and checks logs - noisy
proxy_libvirt_test () { DBUG proxy_libvirt_test $* ;
[ -e /dev/virtio-ports ] && proxy_libvirt_test_guest || \
proxy_libvirt_test_host
return $?
}
## proxy_libvirt_status tests and checks logs - noisy
proxy_libvirt_test_host () { DBUG proxy_libvirt_test_host $* ;
proxy_libvirt_status || return 1$?
[ -f /var/log/libvirt/libvirtd.log ] && \
INFO proxy_libvirt_test /var/log/libvirt/libvirtd.log && \
tail /var/log/libvirt/libvirtd.log
# shellcheck disable=SC2154
[ -z "$GATEW_DOM" ] && GATEW_DOM="$( proxy_testforge_get_gateway_dom )"
if [ -n "$GATEW_DOM" ] ; then
if [ -f /var/log/libvirt/qemu/$GATEW_DOM.log ] ; then
INFO proxy_libvirt_test /var/log/libvirt/qemu/$GATEW_DOM.log
tail /var/log/libvirt/qemu/$GATEW_DOM.log
else
WARN proxy_libvirt_test missing /var/log/libvirt/qemu/$GATEW_DOM.log
fi
else
WARN proxy_libvirt_test null GATEW_DOM
fi
proxy_libvirt_test_dnsmasq || return 6$?
return 0
}
## proxy_libvirt_start
proxy_libvirt_start () { DBUG proxy_libvirt_start $* ;
proxy_ping_firewall_modules
proxy_libvirt_hung || return 2
proxy_rc_service libvirtd status >/dev/null 2>/dev/null || \
proxy_rc_service libvirtd start || return 3$?
return 0
}
## proxy_libvirt_hung
proxy_libvirt_hung () { DBUG proxy_libvirt_hung $* ;
# 1 means hung
[ -f /etc/init.d/libvirtd ] || return 0
if [ ! -e /run/libvirt/libvirt-sock ] || ! proxy_rc_service libvirtd status >/dev/null ; then
INFO proxy_libvirt_hung proxy_rc_service libvirtd start
proxy_rc_service libvirtd start || return 1
sleep $DELAY
fi
/etc/init.d/libvirtd status 2>/dev/null >/dev/null || return 1
a=$( /etc/init.d/libvirtd status |grep '├─' |grep -c -v '/usr/s.*bin' )
# hung processes will hang proxy_virsh list
[ $? -eq 0 -a $a -gt 1 ] && {
WARN proxy_libvirt_hung - too many subprocesses $a
return 1
}
# ├─ 820 /usr/sbin/libvirtd
# ├─ 2221 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/Whonix-External.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
# ├─28153 /bin/sh /etc/libvirt/hooks/network Whonix-External plugged begin -
# ├─28154 bash /usr/local/bin/proxy_libvirt_hook_network.bash Whonix-External plugged begin -
return 0
}
## proxy_libvirt_list
proxy_libvirt_list () { DBUG proxy_libvirt_list $* ;
local a
proxy_libvirt_hung || return 10
proxy_virsh list
return $?
}
## proxy_libvirt_clean_iptables
proxy_libvirt_clean_iptables () {
local i int dir dcp prot port
for dir in i ; do
for int in virbr2 virbr1; do
dcp=67
[ $dir = i ] || dcp=68
for port in 53 $dcp ; do
[ $dir = i ] && table=INP || table=OUT
for prot in udp tcp; do
proxy_iptables_save | grep -q -e "-A LIBVIRT_$table -i $int -p $prot -m $prot --dport $port -j ACCEPT" || continue
iptables -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT || \
echo WARN: $? -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT
done
done
done
done
for dir in o ; do
for int in virbr2 virbr1; do
dcp=68
[ $dir = o ] || dcp=67
for port in 53 68 ; do
table=OUT
[ $dir = i ] && table=INP
for prot in udp tcp; do
proxy_iptables_save | grep -q -e "-A LIBVIRT_$table -i $int -p $prot -m $prot --dport $port -j ACCEPT" || continue
iptables -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT || \
echo WARN: $? -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT
done
done
done
done
return 0
}
# DBUG 0=$0
base=proxy_libvirt_lib
if [ -x /usr/bin/basename ] && \
[ $( basename -- "$0" .bash ) = $base \
-o $( basename -- "$0" .sh ) = $base ] ; then
[ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && \
echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//' && exit 0
"$@"
exit $?
fi

51
overlay/Linux/usr/local/bin/proxy_nm_wireless_clean.bash Executable file
View file

@ -0,0 +1,51 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash
PREFIX=/usr/local
[ $( id -u ) -eq 0 ] || { ERROR "this must be run as root" ; exit 1 ; }
LOG=/tmp/I$$.log
JSON=/tmp/I$$.json
. /usr/local/bin/proxy_ping_lib.bash || \
{ echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 3; }
. /usr/local/bin/usr_local_base.bash || exit 2
PROXY_WLAN=$(route |grep ^def |sed -e 's/.* //') || { echo ERROR: " no route $?" ; exit 4 ; }
if [ -z "$PROXY_WLAN" ] ; then
PROXY_WLAN=$( proxy_get_if )
[ $? -eq 0 ] || { echo ERROR: " error getting device $?" ; exit 5 ; }
fi
[ -d /etc/NetworkManager/system-connections ] || exit 0
cd /etc/NetworkManager/system-connections/ || exit 6
pgrep NetworkManager >/dev/null || \
/etc/init.d/network-manager start # || exit 7
iwlist $PROXY_WLAN scan > $LOG 2>&1 || { echo ERROR: failed iwlist scan ; exit 2 ; }
which yq 2>/dev/null >/dev/null && \
for file in *.nmconnection; do
elt=$( basename "$file" .nmconnection )
grep -q "$elt" "$LOG" || continue
L=$( cat $LOG | grep -B 5 "$elt" | sed -e 's@/.*@@' -e 's@[=:]@: @' -e 's/.*Addre/- Addre/' -e '/^--\|Frequency:\|Encryption/d' -e 's/^ */ /' | yq 'sort_by(.Quality)|reverse|map(del(.Channel))|.[0:4]'|grep Address|sed -e 's/,/;/' -e 's/ *.Address.: //'|xargs echo|sed -e 's/ //g' )
[ -z "$L" ] && continue
sed -e "s@^seen-bssids=.*@seen-bssids=$L@" -i "$file"
grep -q lldp=0 "$file" || echo WARN: nmcli con modify $elt connection.lldp 0
grep -q llmnr=0 "$file" || echo WARN: nmcli con modify $elt connection.llmnr 0
grep -q mdns=0 "$file" || echo WARN: nmcli con modify $elt connection.mdns 0
INFO $prog $PWD/$file
done
rm -f /tmp/I$$.log
[ "$#" -eq 0 ] && exit 0
[ $1 = connect ] && nmtui-connect
[ $1 = edit ] && nmtui-edit

55
overlay/Linux/usr/local/bin/proxy_pacman_gpg_test.bash Executable file
View file

@ -0,0 +1,55 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
# Dual Linux or msys64
prog=$( basename $0 .bash )
ROLE=proxy
PREFIX=/usr/local
[ -n "$MSYSTEM" ] && EXET=msys || EXET=sh
[ -f $PREFIX/etc/testforge/testforge.bash ] \
&& . /usr/local/etc/testforge/testforge.bash
. /usr/local/bin/usr_local_tput.bash || exit 2
PROXIES=""
if [ -d /etc/pacman.d/gnupg ] ; then
ROLE=msys64
HOMEDIR=/etc/pacman.d/gnupg
# proxy or striaght through
PROXIES="10.152.152.12"
elif [ -d /q/Pg64/Msys64/etc/pacman.d/gnupg ] ; then
ROLE=q
HOMEDIR=/q/Pg64/Msys64/etc/pacman.d/gnupg
ppl=/usr/local/bin/proxy_ping_lib.bash
# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
[ "$USER" != root ] && export PATH=/sbin:$PATH
[ -z "$MODE" ] && MODE=$( $ppl proxy_ping_mode )
if [ "$MODE" = tor ] ; then
PROXIES="127.0.0.1:3128"
elif [ "$MODE" = whonix ] ; then
PROXIES="10.0.2.15:9128"
elif [ "$MODE" = gateway ] ; then
PROXIES="10.0.2.15:9128"
elif ps ax | grep -q polipo ; then
PROXIES="127.0.0.1:3128"
else
echo ERROR: unknown proxy
exit 2
fi
fi
GPG="gpg --verbose --home $HOMEDIR"
a=`ls $HOMEDIR/private-keys-v1.d/|wc -l`
if [ $? -ne 0 -o "$a" -eq 0 ] ; then
ERROR you need a private kepair with $GPG --quick-gen-key
exit 3
fi
# shellcheck disable=SC2154
$GPG --list-keys | grep -B 1 unknown && \
WARN un-signed keys in pacman && \
DBUG "$GPG --list-keys 2>/dev/null |grep -B1 unknown|grep '^ ' |while read elt;do \$GPG --edit-key $elt ;done"

1500
overlay/Linux/usr/local/bin/proxy_ping_lib.bash Executable file
View file

File diff suppressed because it is too large Load diff

974
overlay/Linux/usr/local/bin/proxy_ping_test.bash Executable file
View file

@ -0,0 +1,974 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
PYVER=3
# DEBUG=1
. /usr/local/bin/proxy_ping_lib.bash || \
{ ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 6; }
PL=/usr/local/bin/proxy_libvirt_lib.bash
declare -a tests
which traceroute 2>/dev/null >/dev/null && HAVE_TRACEROUTE=1 || HAVE_TRACEROUTE=0
which dig 2>/dev/null >/dev/null && HAVE_DIG=1 || HAVE_DIG=0
which nslookup 2>/dev/null >/dev/null && HAVE_NSLOOKUP=1 || HAVE_NSLOOKUP=0
which tor-resolve 2>/dev/null >/dev/null && HAVE_TOR_RESOLVE=1 || HAVE_TOR_RESOLVE=0
[ -z "$prog" ] || prog=proxy_ping_test
proxy_ping_get_socks
[ -z "$SOCKS_HOST" ] && SOCKS_HOST=127.0.0.1
[ -z "$SOCKS_PORT" ] && SOCKS_PORT=9050
[ -z "$SOCKS_DNS" ] && SOCKS_DNS=9053
HTTPS_PORT=9128
HTTPS_HOST=127.0.0.1
proxy_ping_get_https
[ -z "$HTTPS_HOST" ] && HTTPS_HOST=127.0.0.1
HTTP_PORT=3128
HTTP_PROXY_HOST=127.0.0.1
proxy_ping_get_http
[ -z "$HTTP_HOST" ] && HTTP_HOST=127.0.0.1
[ -f $PREFIX/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash >/dev/null || exit 1
P="BASE_PYTHON${PYVER}_MINOR"
PYTHON_MINOR="$(eval echo \$$P)"
[ -n "$PYTHON_MINOR" ] || \
PYTHON_MINOR=$( python$PYVER --version 2>&1| sed -e 's@^.* @@' -e 's@\.[0-9]*$@@' )
[ -n "$PYTHON_MINOR" ] || exit 4
if [ -z "$LIB" -a -d /usr/lib/python$PYTHON_MINOR ] ; then
LIB=lib
elif [ -z "$LIB" -a -d /usr/lib64/python$PYTHON_MINOR ] ; then
LIB=lib64
elif [ -n "$LIB" -a ! -d /usr/$LIB/python$PYTHON_MINOR ] ; then
#? ERROR LIB=$LIB but no /usr/$LIB/python$PYTHON_MINOR
exit 5
fi
THOPS=40
NEEDED_BINS="ping traceroute nmap dig nslookup tor-resolve"
NEEDED_SCRIPTS="
/usr/local/bin/proxy_ping_lib.bash
/usr/local/bin/proxy_ping_test.bash
"
grep -q Debian /etc/os-release
DEBIAN=$?
TIMEOUT=30
[ -n "$GATEW_DOM" ] || GATEW_DOM="$( proxy_testforge_get_gateway_dom )"
[ -n "$GATEW_DOM" ] || GATEW_DOM="Whonix-Gateway"
DNS_HOST1="208.67.220.220"
DNS_HOST2="8.8.8.8"ggggg
[ -n "$DNS_TARGET" ] || DNS_TARGET=www.whatismypublicip.com # 108.160.151.39
[ -n "$HTTP_TARGET" ] || HTTP_TARGET=www.whatismypublicip.com # 108.160.151.39
HTTP_TARGET=www.whatismypublicip.com
# time.nist.gov 132.163.97.3
NTP_HOST1=132.163.97.3
# pool.ntp.org 78.46.53.2
NTP_HOST2=78.46.53.2
# --no-check-certificate
WGET="wget --tries=1 --max-redirect=0 --timeout=$TIMEOUT -O /dev/null"
CURL="curl -o /dev/null $CURL_ARGS"
SCURL="/usr/local/bin/scurl.bash --output /dev/null"
NSL='nslookup -querytype=A -debug'
NETS='netstat -nl4e'
ALL=""
[ -z "$USER" ] && USER=$(id -un )
[ $USER = root ] && DMESG_LINES=1 || DMESG_LINES=0
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=`proxy_ping_get_wlan`
# fixme - required
PROXY_WLAN=$( echo $PROXY_WLAN | grep ^wlan |sed -e 's/:.*//' )
[ -n "$PROXY_WLAN_GW" ] || PROXY_WLAN_GW=`proxy_ping_get_wlan_gw`
# fixme - required
PROXY_WLAN_GW=$( echo $PROXY_WLAN_GW | grep ^wlan |sed -e 's/:.*//' )
MODE=$( proxy_ping_mode )
USAGE="$prog without arguments tests the current MODE=$MODE,
or 0 to list the tests by number,
or one or more of the groups:
"
DNS_HOST=$SOCKS_HOST
[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
[ -z "$PRIV_BIN_GID" ] && PRIV_BIN_GID=$( grep ^$PRIV_BIN_OWNER /etc/passwd|cut -d: -f 4 )
## proxy_test_netstat_dns
proxy_test_netstat_dns () { DBUG proxy_test_netstat_dns $* ;
$NETS | grep -q ":53"
retval=$?
[ $retval -eq 0 ] && return 0
ERROR $prog test=$ARG "${tests[$ARG]}" dns not running
[ -z "$ALL" ] && exit $ARG$retval || return 1
}
## proxy_test_traceroute_icmp_gw
proxy_test_traceroute_icmp_gw () { DBUG proxy_test_traceroute_icmp_gw $* ;
[ -n "$PROXY_WLAN_GW" ] || PROXY_WLAN_GW=`proxy_ping_get_wlan_gw` || return 1
traceroute --icmp $PROXY_WLAN_GW
retval=$?
[ $retval -eq 0 ] && return 0
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval traceroute --icmp $PROXY_WLAN_GW
[ -z "$ALL" ] && exit $ARG$retval || return 1
# works
GREP="-i icmp"
return 0
}
## proxy_test_dig_direct
proxy_test_dig_direct () { DBUG proxy_test_dig_direct $* ;
dig @$DNS_HOST1 pool.ntp.org +timeout=$TIMEOUT >/dev/null
retval=$?
[ $retval -eq 0 ] && return 0
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @$DNS_HOST1
[ -z "$ALL" ] && exit $ARG$retval || return 1
INFO $prog test=$ARG "${tests[$ARG]}" dig @$DNS_HOST1
# works
GREP="53"
return 0
}
## proxy_test_curl_firewall_bin
proxy_test_curl_firewall_bin () { DBUG proxy_test_curl_firewall_bin $* ;
su -c "$CURL -k --noproxy '*' https://$HTTP_TARGET" -s /bin/sh $PRIV_BIN_OWNER >/dev/null
retval=$?
[ $retval -eq 0 ] && return 0
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval \
su -c "$CURL -k --noproxy '*' https://$HTTP_TARGET" -s /bin/sh $PRIV_BIN_OWNER
proxy_iptables_save|tail|grep PTABLES_filter_DROP-o
[ -z "$ALL" ] && exit $ARG$retval || return $retval
}
## proxy_ping_curl
proxy_ping_curl () { DBUG proxy_ping_curl $* ;
local retval
timeout -k $TIMEOUT $TIMEOUT $CURL "$@"
retval=$?
# "DEBUG: wierd failure curl: (35) Encountered end of file"
[ $retval -eq 0 -o $retval -eq 35 ] && return 0
return $retval
}
## proxy_ping_make_help
proxy_ping_make_help () {
grep 'tests\[[0-9][0-9]*\]=' /usr/local/bin/proxy_ping_test.bash \
> /tmp/proxy_ping_test.hlp
return 0
}
## proxy_ping_test_virbr
proxy_ping_test_virbr () {
local n=$1
[ -z "$n" ] && n=1
[ -z "$CONN" ] || proxy_whonix_get_conn
[ "$CONN" = guest ] && return 0
[ -e /proc/sys/net/ipv4/conf/virbr$n ] || return 0
proxy_ifconfig virbr$n >/dev/null && return 0
return 0
}
## proxy_ping_broken
proxy_ping_broken () { DBUG proxy_ping_broken PROXY_WLAN=$PROXY_WLAN $* ;
# 0 is true
local a=$MODE
if [ "$a" = vda -o "$a" = ws ]; then
# grep 10.152.152.10 /etc/resolv.conf &&
PING_BROKEN=0
return 0
elif [ "$a" = gateway ]; then
PING_BROKEN=0
return 0
elif [ -z "$PROXY_WLAN_GW" ] ; then
PING_BROKEN=0
return 0
fi
[ -n "$PING_BROKEN" ] && return $PING_BROKEN
DBUG $prog proxy_ping_mode=$a PROXY_WLAN=$PROXY_WLAN PROXY_WLAN_GW=$PROXY_WLAN_GW
ping -4 -I $PROXY_WLAN -c 1 -W $TIMEOUT $PROXY_WLAN_GW # 10.16.238.1
if [ $? -ne 0 ] ; then
PING_BROKEN=0
else
PING_BROKEN=1
fi
return $PING_BROKEN
}
## proxy_do_ping
proxy_do_ping () { DBUG proxy_do_ping $* ;
proxy_route_check || { ERROR $prog route not connected ; return 1$? ; }
proxy_ping_broken && return 0
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=`proxy_get_if` || {
ERROR $prog unable to get wlan $? ; return 2 ;
}
ping -4 -I $PROXY_WLAN -c 1 -W $TIMEOUT $DNS_HOST2 >/tmp/P$$.log 2>&1
retval=$?
if [ $retval -eq 1 ] ; then
# false negatives
sleep 4
ping -4 -I $PROXY_WLAN -c 1 -W $TIMEOUT $DNS_HOST2 >/tmp/P$$.log 2>&1
retval=$?
fi
[ $retval -lt 1 ] || {
ERROR $prog do_ping $PROXY_WLAN retval=$retval
rm /tmp/P$$.log
PING_BROKEN=0
return 3$retval
}
grep -q ' 0% ' /tmp/P$$.log || \
{ ERROR $prog retval=$? test=$1 ping retval=$retval ; rm /tmp/P$$.log ; return 4 ; }
PING=1
grep 'packet\|bytes from' /tmp/P$$.log
rm /tmp/P$$.log
return 0
}
proxy_run_as_root () { DBUG proxy_run_as_root $* ;
[ $( id -u ) -eq 0 ] && return 0
ERROR must be root
[ -z "$ALL" ] && exit 9
return 1
}
## proxy_test_pretests
proxy_test_pretests () {
if [ "$1" = panic ] ; then
: dont ping on panic
proxy_ping_broken || proxy_do_ping || \
{ WARN ping failed for panic so skipping ; exit 0 ; }
elif [ "$1" = direct -o "$1" = gateway -o "$1" = vda -o "$1" = kick ] ; then
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
proxy_ping_broken || proxy_do_ping || exit 3$?
proxy_ping_test_resolv $MODE ||\
{ WARN $prog proxy_ping_test_resolv=$? 'echo nameserver 127.0.0.1 > /etc/resolv.conf' ; exit 4 ; }
proxy_ping_firewall_start || { ERROR "proxy_ping_firewall_start ret=$?" ; exit 5 ; }
elif [ "$1" = nat ] ; then
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
else
proxy_do_ping || exit 4$?
proxy_ping_test_resolv $MODE || \
{ WARN "$prog proxy_ping_test_resolv=$? /etc/resolv.conf.$dire" MODE=$MODE
exit 4 ; }
fi
return 0
}
## proxy_test_help_args
proxy_test_help_args () {
declare -a ret=()
ret=( $(grep " -.* $1 " /tmp/proxy_ping_test.hlp | \
sed -e 's/.=.*//' -e 's/.*tests.//') )
echo "${ret[@]}"
return 0
}
ALL=0
## proxy_ping_test_set_args
proxy_ping_test_set_args () {
local args="$@"
local val="$@"
declare -a aret=()
rm -f /tmp/proxy_ping_test.hlp
[ -f /tmp/proxy_ping_test.hlp ] || proxy_ping_make_help
## to_tor - tor with the firewall host side client setup tor server - call tor,dns,ntp in addition
[ "$1" = to_tor -o "$1" = test_tor -o "$1" = test_to ] &&
aret=( 6 13 16 ) && \
! proxy_ping_test_env && WARN to_tor and no proxy in env - use noenv
## vda - through the Gateway with the firewall - also polipo,panic - uses env
[ "$1" = vda ] &&
aret=( 35 3 20 ) #
## tor - tor with the firewall to test the host side tor server - call to_tor,dns,ntp in addition
[ "$1" = tor ] &&
aret=( 21 30 20 4 5 36 3 )
## kick - open firewall with tor running - call dns,polipo +tor in addition
[ "$1" = kick -o "$1" = host ] &&
aret=( 24 31 13 16 6 )# 30 24 31 6 13 16
## gateway - on the Gateway, trans firewall with tor running - call dns in addition
[ "$1" = gateway ] &&
aret=( 23 25 4 5 30 24 17 3 21 ) # 31 6 16
# aliases
[ "$1" = "$SOCKS_PORT" ] && set -- socks
[ "$1" = "$HTTP_PORT" ] && set -- http
[ "$1" = "$HTTPS_PORT" ] && set -- https
[ "$1" = "53" ] && set -- dns
[ "$1" = "9053" ] && set -- tordns
[ "$1" = scan ] && set -- iwlist
[ "$1" = panic ] && set -- firewall
[ "$1" = tor ] && set -- torhost
[ "$1" = to_gateway ] && set -- whonix
[ "$1" = from_tor ] && set -- whonix
[ "$1" = from_gateway ] && set -- gateway
[ "$1" = traceroute ] && set -- = trace
[ "$1" = connected ] && set -- wifi
[ "$1" = clear ] && set -- direct
# scenarios - modes: nat selektor
## nat - through the Gateway via the nat
[ "$1" = nat ] && \
set -- ping dns socks http https tordns firefail libvirtguest
# wifi?
[ "$1" = whonix ] && \
set -- ping tordns dns socks http https torhost tordns firefail gw
[ "$1" = tor ] && \
set -- ping tordns dns trace socks http https torhost tordns firefail nmap gw
[ "$1" = selektor ] && \
set -- ping tordns dns trace socks http https torhost tordns firefail nmap gw
[ "$1" = direct -o "$1" = '' ] && \
set -- ping dns trace nmap gw
## all - all tests not stopping on the first error
[ "$1" = all ] && ALL=1
# aret="${#tests[@]}"
## gw - test if we are connected to the gateway
## torhost - running tor with the firewall
## env - from the cmdline with a properly setup env
## firefail - test the proxy without env vars to expect failure
## http - assumes torhost or whonix and env setup
## https - assumes torhost or whonix and env setup
## socks - assumes torhost or whonix and env setup
## ping - connected routed test the ping to DNS hosts
## ntp - ntpdate through the firewall
## nmap - nmap sgid through the firewall - does not assume env
## iwlist - wlan scan
## firewall - test that the firewall blocks
## virbr1 - assumes tor or whonix
## gateway - ssh to the whonix gateway
## trace - traceroute to DNSHOST - icmp is allowed by the firewall, except on vda
## wifi - test if we are connected - call scan in addition
## libvirthost - hosting a libvirt container
## libvirtguest - in a libvirt container
## tordns - test 9053 for dns using tor-resolve
## dns - dns using tor or the gateway, with the firewall - does not assume env
## whonix - whonix to the Gateway with the firewall - also panic - not assume env
## whonix - whonix gateway host side client setup with the firewall was from_to## direct - assume no firewall and no proxy - but may work depend on env
r
for elt in "$@" ; do
if [ "$elt" = gw -o "$elt" = '' -o "$elt" = env -o \
"$elt" = https -o "$elt" = http -o "$elt" = socks -o "$elt" = dns -o \
"$elt" = torhost -o "$elt" = tordns -o "$elt" = whonix -o \
"$elt" = libvirthost -o "$elt" = libvirtguest -o "$elt" = virbr1 -o \
"$elt" = ping -o "$elt" = trace -o "$elt" = ntp -o "$elt" = nmap -o \
"$elt" = iwlist -o "$elt" = firefail -o "$elt" = direct -o \
"$elt" = trace -o "$elt" = wifi -o "$elt" = '' -o "$elt" = '' \
] ; then
aret+=( `proxy_test_help_args $elt` )
else
WARN unrecognized: $elt >&2
fi
done
DBUG "${aret[@]}" >&2
echo "${aret[@]}"
return 0
}
# -I $PROXY_WLAN -c 1 $DNS_HOST2
if [ "$#" = 0 ] ; then
# default to mode
set -- $MODE
fi
if [ $1 = '-h' -o $1 = '--help' ] ; then
echo USAGE: $USAGE | sed -e 's/[0-9][0-9]*)/\n&/g'
grep '^## [a-oq-z]' $0 | sed -e 's/^## / /'
exit 0
elif [ "$1" = 0 ] ; then
INFO $prog PROXY_WLAN=$PROXY_WLAN MODE=$MODE
echo 0 help /tmp/proxy_ping_test.hlp
[ -f /tmp/proxy_ping_test.hlp ] || proxy_ping_make_help
. /tmp/proxy_ping_test.hlp
for elt in "${!tests[@]}" ; do
echo $elt "${tests[$elt]}"
done
exit 0
elif [[ $1 =~ ^[0-9] ]] ; then
: passthrough
else
set -- `proxy_ping_test_set_args "$@"`
DBUG running tests numbered "$@"
fi
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
proxy_test_pretests "$1"
# https://stackoverflow.com/questions/8290046/icmp-sockets-linux/20105379#20105379
if [ $( id -u ) -eq 0 ] ; then
proxy_ping_chattr
fi
DBUG $prog PROXY_WLAN=$PROXY_WLAN MODE=$MODE $*
# $( sysctl net.ipv4.ping_group_range )
# proxy_iptables_save|grep 216
while [ "$#" -gt 0 ] ; do
# DBUG $prog $1
ARG=$1 ; shift
GREP=""
if [ -z "$ARG" ] ; then
continue
elif ! [ "$ARG" -ge 0 ] ; then
ERROR $prog called with an unrecognized argument $ARG from $0
exit 9
elif [ $ARG -le 0 ] ; then
# do the ping and resov.conf
true
elif [ $ARG -eq 1 ] ; then
tests[1]="wget_https_as_user wget ${HTTPS_PORT} - https "
[ -n "$https_proxy" ] && LARGS="" || \
LARGS="env https_proxy=https://${HTTPS_HOST}:${HTTPS_PORT}"
$LARGS $WGET https://$HTTP_TARGET
retval=$?
if [ $retval -eq 8 -o $retval -eq 0 ] ; then
INFO $prog test=$ARG "${tests[$ARG]}"
else
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval test=$ARG
[ -z "$ALL" ] && continue
fi
# works with fix
GREP="${HTTPS_PORT}"
elif [ $ARG -eq 2 ] ; then
[ -n "$https_proxy" ] && LARGS="--proxy $https_proxy" || \
LARGS="--proxy https://${HTTPS_HOST}:${HTTPS_PORT}"
tests[2]="curl_https_as_user curl $LARGS https://$HTTP_TARGET - https "
proxy_ping_curl $LARGS https://$HTTP_TARGET >/dev/null || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $LARGS https://$HTTP_TARGET
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works with fix
GREP="${HTTPS_PORT}"
elif [ $ARG -eq 3 ] ; then
tests[3]="curl_socks_virbr1_as_user $SOCKS_HOST $SOCKS_PORT - torhost "
# proxy_dest_port_wlan_config || { ERROR DEST=$DEST ; continue ; }
# curl: (4) A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision
[ $DEBIAN -eq 0 ] && continue
[ -z "$socks_proxy" ] && socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
if [ $MODE = whonix ] ; then
ssh -o ForwardX11=no user@10.0.2.15 netstat -nl4e| grep 15:$SOCKS_PORT || {
retval=$?
ERROR ssh -o ForwardX11=no user@10.0.2.15 netstat
[ -z "$ALL" ] && exit $ARG$retval || continue ;
}
socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
proxy_ping_curl -x $socks_proxy \
--interface virbr1 n--dns-interface virbr1 https://$HTTP_TARGET >/dev/null || {
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl -x $socks_proxy --interface virbr1 --dns-interface virbr1 https://$HTTP_TARGET
[ -z "$ALL" ] && exit $ARG$retval || continue
}
else
socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
proxy_ping_curl -x $socks_proxy https://$HTTP_TARGET >/dev/null \
|| { retval=$? ; ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl ${SOCKS_HOST} $SOCKS_PORT
[ -z "$ALL" ] && exit $ARG$retval || continue ; }
fi
INFO $prog test=$ARG "${tests[$ARG]}"
# works with user/pass
GREP="$SOCKS_PORT"
elif [ $ARG -eq 4 ] ; then
tests[4]="dig_socks_through_as_user @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com - tordns "
[ $HAVE_DIG = 1 ] || continue
if [ $MODE = whonix ] ; then
ssh -o ForwardX11=no user@10.0.2.15 netstat -nl4e | grep 15:$SOCKS_DNS
fi
dig @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works with fix
GREP="$SOCKS_DNS"
elif [ $ARG -eq 5 ] ; then
tests[5]="nslookup_socks_as_user - tordns "
[ $HAVE_NSLOOKUP = 1 ] || continue
desc="$NSL -port=$SOCKS_DNS www.whatismypublicip.com ${DNS_HOST}"
$desc >/dev/null || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval $desc
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}" $desc
# works with fix
GREP="$SOCKS_DNS"
elif [ $ARG -eq 6 ] ; then
proxy=`proxy_ping_get_https`
desc="curl --proxy http://${proxy}"
tests[6]="curl_https_as_user - https "
proxy_ping_curl --proxy http://${proxy} \
--proxy-insecure https://$HTTP_TARGET || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval $desc
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}" $desc
# works
GREP="$HTTP_PORT"
elif [ $ARG -eq 7 ] ; then
tests[8]="traceroute_icmp_dns_as_root --icmp - trace "
[ $USER = root ] || continue
[ -n "$PROXY_WLAN" ] || proxy_get_if || continue
[ $HAVE_TRACEROUTE = 1 ] || continue
traceroute -i $PROXY_WLAN --icmp $DNS_TARGET -m $THOPS || { \
retval=$?
ERROR $retval traceroute --icmp -m $THOPS
[ -z "$ALL" ] && exit 7$retval
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP="-i icmp"
elif [ $ARG -eq 8 ] ; then
tests[8]="traceroute_tcp_dns_as_root -i $PROXY_WLAN -p 53 -T4 - trace "
[ $USER = root ] || continue
[ -n "$PROXY_WLAN" ] || proxy_get_if || continue
[ $HAVE_TRACEROUTE = 1 ] || continue
traceroute -i $PROXY_WLAN -p 53 -T4 $DNS_TARGET -m $THOPS || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval traceroute -T4 -p 53 -m $THOPS
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP="53"
elif [ $ARG -eq 9 ] ; then
tests[9]="traceroute_icmp_dns_as_user -p 53 - trace "
[ $USER = root ] || continue
[ -n "$PROXY_WLAN" ] || proxy_get_if || continue
[ $HAVE_TRACEROUTE = 1 ] || continue
traceroute -i $PROXY_WLAN --icmp $DNS_TARGET -p 53 -m $THOPS || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval traceroute -i $PROXY_WLAN --icmp -m $THOPS
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP="53"
elif [ $ARG -eq 10 ] ; then
tests[10]="wget_http_as_user $HTTP_PORT - http "
proxy=`proxy_ping_get_http`
env http_proxy=http://${proxy} \
$WGET -S http://$HTTP_TARGET 2>/dev/null
retval=$?
# 8 is an oddball
if [ $retval -eq 8 -o $retval -eq 0 ] ; then
INFO $prog test=$ARG "${tests[$ARG]}" wget $HTTP_PORT
else
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval wget $HTTP_PORT
[ -z "$ALL" ] && exit $ARG$retval || continue
fi
GREP="$HTTP_PORT"
elif [ $ARG -eq 11 ] ; then
tests[11]="curl_https_as_user - https "
proxy=`proxy_ping_get_https`
proxy_ping_curl --proxy http://${proxy} \
--proxy-insecure https://$HTTP_TARGET || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $HTTP_PORT
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP="$HTTP_PORT"
elif [ $ARG -eq 12 ] ; then
tests[12]="nmap_dns_as_root --privileged --send-eth -Pn -sU -p U:53 $DNS_HOST1 - nmap direct "
[ $USER = root ] || continue
which nmap 2>/dev/null >/dev/null || continue
[ -z "$DNS_HOST1" ] && DNS_HOST1="208.67.220.220"
nmap --privileged --send-eth -Pn -sU -p U:53 "$DNS_HOST1" || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval nmap 53
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works
GREP="53"
elif [ $ARG -eq 13 ] ; then
tests[13]="curl_firewall_bin - wifi "
[ $USER = root ] || continue
proxy_test_curl_firewall_bin || continue
INFO $prog test=$ARG "${tests[$ARG]}" curl bin
# works
GREP="443"
elif [ $ARG -eq 14 ] ; then
tests[14]="traceroute_icmp_gw_as_root --icmp $PROXY_WLAN_GW - gw wifi "
[ $USER = root ] || continue
[ $HAVE_TRACEROUTE = 1 ] || continue
proxy_test_traceroute_icmp_gw || continue
# works
INFO $prog test=$ARG "${tests[$ARG]}"
GREP="-i icmp"
elif [ $ARG -eq 15 ] ; then
tests[15]="test_dig_direct - direct "
[ $HAVE_DIG = 1 ] || continue
proxy_test_dig_direct || continue
INFO $prog test=$ARG "${tests[$ARG]}" proxy_test_dig_direct
elif [ $ARG -eq 16 ] ; then
tests[16]="nslookup_as_root nslookup $PRIV_BIN_OWNER - torhost "
[ $USER = root ] || continue
[ $HAVE_NSLOOKUP = 1 ] || continue
su -c "$NSL $DNS_TARGET $DNS_HOST1" -s /bin/sh $PRIV_BIN_OWNER >/dev/null || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval "$NSL $DNS_TARGET $DNS_HOST1" -s /bin/sh $PRIV_BIN_OWNER
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works /fails but maybe a noop
GREP="53"
elif [ $ARG -eq 17 ] ; then
tests[17]="ntpdate_as_root ntpdate without service - ntp "
proxy_run_as_root || exit 9
[ -x /usr/sbin/ntpdate ] || continue
# Curious: even though sgid 2755 ntp it fails as su ntp
# 12 Nov 23:28:35 ntpdate[17341]: bind() fails: Permission denied
/usr/sbin/ntpdate "$NTP_HOST1" || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval ntpdate
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP="123"
elif [ $ARG -eq 18 ] ; then
tests[18]="ntpdate_as_root ntpdate with servie - ntp "
proxy_run_as_root || exit 9
proxy_rc_service ntpd status >/dev/null && \
proxy_rc_service ntpd stop >/dev/null && sleep 2
/usr/sbin/ntpdate $NTP_HOST1 || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval ntpdate
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works
proxy_rc_service ntpd status >/dev/null || proxy_rc_service ntpd start
GREP="123"
elif [ $ARG -eq 19 ] ; then
tests[19]="curl_noproxy_http_as_user curl raw noproxy - firefail "
proxy_ping_curl --noproxy "'*.*'" --connect-timeout $TIMEOUT \
http://$HTTP_TARGET >/dev/null && {
retval=$?
ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" curl raw --noproxy
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP=80
elif [ $ARG -eq 20 ] ; then
tests[20]="curl_socksproxy_as_user curl $SOCKS_PORT - socks "
# needs dns
[ $DEBIAN -eq 0 ] && continue
socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
proxy_ping_curl -x $socks_proxy https://$HTTP_TARGET >/dev/null \
|| { retval=$? ; ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $SOCKS_PORT
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works with user/pass
GREP="$SOCKS_PORT"
elif [ $ARG -eq 21 ] ; then
tests[21]="curl_httpsproxy_as_user - https "
[ -z "$https_proxy" ] && https_proxy=http://${HTTPS_PROXY_HOST}:${HTTPS_PORT}
proxy_ping_curl -x $https_proxy https://$HTTP_TARGET >/dev/null || { \
if [ "$MODE" = gateway ] ; then
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval curl ${HTTPS_HOST} ${HTTPS_PORT}
continue
else
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl ${HTTPS_HOST} HTTPS_PORT=${HTTPS_PORT}
[ -z "$ALL" ] && exit $ARG$retval || continue
fi
}
INFO $prog test=$ARG "${tests[$ARG]}" curl ${HTTPS_HOST} ${HTTPS_PORT}
GREP="${HTTPS_PORT}"
elif [ $ARG -eq 22 ] ; then
tests[22]="iwlist_scan_as_user iwlist $PROXY_WLAN scan - iwlist "
[ $USER = root ] || continue
which iwlist 2>/dev/null || continue
[ -n "$PROXY_WLAN" ] || proxy_get_if || continue
iwlist $PROXY_WLAN scan >/dev/null || {
ERROR $prog retval=$? test=$ARG $PROXY_WLAN scan
[ -z "$ALL" ] && exit $ARG$1 || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works
elif [ $ARG -eq 23 ] ; then
tests[23]="curl_proxy_as_user - direct "
proxy_ping_curl --insecure https://$HTTP_TARGET >/dev/null || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl direct
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
elif [ $ARG -eq 24 ] ; then
tests[24]="dig_direct_or_dnsmasq dig -b $IP www.whatismypublicip.com - direct "
[ $HAVE_DIG = 1 ] || continue
[ -n "$PROXY_WLAN" -a -n "$IP" ] || proxy_ping_get_wlan_gw || continue
[ -n "$IP" ] || continue
dig -b $IP www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}" dig -b $IP
elif [ $ARG -eq 25 ] ; then
tests[25]="nslookup_as_user - direct "
[ $HAVE_NSLOOKUP = 1 ] || continue
# noenv with or without proxy
# @$DNS_HOST1 should fail for firewall unless dnsmasq is working
$NSL >/dev/null www.whatismypublicip.com || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval nslookup www.whatismypublicip.com
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}" nslookup
elif [ $ARG -eq 26 ] ; then
tests[26]="route_connected_ping_scan - direct "
[ $HAVE_DIG = 1 ] || continue
#? proxy_test_pretests
proxy_do_ping && \
INFO $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP || \
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
elif [ $ARG -eq 27 ] ; then
tests[27]="dns_as_user dig -b 127.0.0.1 - direct "
[ $HAVE_DIG = 1 ] || continue
[ -n "$PROXY_WLAN" -a -n "$IP" ] || proxy_ping_get_wlan_gw || continue
dig -b 127.0.0.1 www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
elif [ $ARG -eq 28 ] ; then
tests[28]="wget_as_user - direct "
proxy_ping_test_env || { WARN $prog test=$ARG "${tests[$ARG]}" no proxy in env ; }
$WGET -S https://$HTTP_TARGET 2>/dev/null
retval=$?
if [ $retval -eq 8 -o $retval -eq 0 ] ; then
INFO $prog test=$ARG "${tests[$ARG]}" wget
else
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval wget
[ -z "$ALL" ] && exit $ARG$retval || continue
fi
elif [ $ARG -eq 29 ] ; then
tests[29]="curl_as_user - direct "
proxy_ping_test_env || { WARN $prog test=$ARG "${tests[$ARG]}" no proxy in env ; }
proxy_ping_curl https://$HTTP_TARGET >/dev/null || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
elif [ $ARG -eq 30 ] ; then
tests[30]="tor_bootstrap_check_as_root tor_bootstrap_check.py - torhost "
[ $MODE = tor -o $MODE = selektor ] || {
ERROR $prog MODE != tor test=$ARG
[ -z "$ALL" ] && exit $ARG$retval || continue
}
port=$SOCKS_PORT
$NETS | grep -q :$port || {
ERROR $prog retval=$? test=$ARG tor not running on $port
[ -z "$ALL" ] && exit $ARG || continue
}
[ $USER = root ] || continue
# was /usr/local/bin/tor_bootstrap_check.bash
[ -f /usr/local/src/helper-scripts/tor_bootstrap_check.py ] || return 1
python3.sh /usr/local/src/helper-scripts/tor_bootstrap_check.py
# morons 100%
retval=$?
[ $retval -eq 0 -o $retval -eq 100 ] || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval tor_bootstrap_check
}
INFO $prog test=$ARG "${tests[$ARG]}"
elif [ $ARG -eq 31 ] ; then
tests[31]="curl_noproxy_as_root polipo http pages $HTTP_PORT - direct http "
proxy_ping_curl --noproxy http://${HTTP_HOST}:$HTTP_PORT && { \
retval=$?
ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" retval=$retval polipo http pages $HTTP_PORT
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works
GREP="$HTTP_PORT"
elif [ $ARG -eq 32 ] ; then
tests[32]="ping_nmap_direct_as_root nmap 53 - direct "
[ $USER = root ] || continue
which nmap 2>/dev/null >/dev/null || continue
[ -n "$PROXY_WLAN" -a -n "$PROXY_WLAN_GW" ] || proxy_ping_get_wlan_gw || continue
proxy_ping_nmap_direct $DNS_HOST1 "$PROXY_WLAN_GW" U:67 || {
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval nmapd 53
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works
GREP="53"
elif [ $ARG -eq 33 ] ; then
tests[33]="host_virbr_as_user proxy_ping_test_virbr 1 - libvirthost "
proxy_ping_test_virbr 1 || {
retval=$?
ERROR $CONN virbr1 not running
[ -z "$ALL" ] && exit 1 || continue
}
# * Immediate connect fail for 10.0.2.15: Connection refused
INFO $prog test=$ARG "${tests[$ARG]}"
elif [ $ARG -eq 34 ] ; then
tests[34]="python_ping_as_root traceroute --icmp $PROXY_WLAN_GW - wifi "
[ $USER = root ] || continue
[ -n "$PROXY_WLAN_GW" -a -n "$IP" ] || PROXY_WLAN_GW=`proxy_ping_get_wlan_gw` || continue
[ -f /usr/local/bin/ping2.py ] || continue
/usr/local/bin/ping2.py $IP $DNS_HOST1 $PROXY_WLAN_GW || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval ping2.py $DNS_HOST1
[ -z "$ALL" ] && exit $ARG$retval || continue
}
# works
INFO $prog test=$ARG "${tests[$ARG]}"
GREP="-i icmp"
elif [ $ARG -eq 35 ] ; then
tests[35]="dig_as_root - firewall dig @$DNS_HOST1 - torhost dns "
[ $USER = root ] || continue
[ $HAVE_DIG = 1 ] || continue
# @$DNS_HOST1
su -c "dig pool.ntp.org +timeout=$TIMEOUT" -s /bin/sh $PRIV_BIN_OWNER >/dev/null || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval dig pool.ntp.org $PRIV_BIN_OWNER
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works
GREP="53"
elif [ $ARG -eq 36 ] ; then
tests[36]="tor_resolve_as_user tor-resolve pool.ntp.org - tordns "
[ $HAVE_TOR_RESOLVE = 1 ] || continue
tor-resolve pool.ntp.org >/dev/null || { \
retval=$?
# dunno Failed parsing SOCKS5 response conf?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval tor-resolve pool.ntp.org
continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works
GREP="9053"
elif [ $ARG -eq 37 ] ; then
tests[37]="qemu-guest-agent and ports - libvirtguest "
ser=qemu-guest-agent
proxy_rc_service $ser status >/dev/null || proxy_rc_service $ser start
proxy_rc_service $ser status >/dev/null || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval $ser status
[ -z "$ALL" ] && exit $ARG$retval || continue
}
[ -d /dev/virtio-ports ] || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval /dev/virtio-ports
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP=""
elif [ $ARG -eq 38 ] ; then
tests[38]="qemu-guest-agent and ports - libvirthost whonix "
[ $USER = root ] || continue
$PL proxy_libvirt_list
aret=$?
if [ $aret -eq 10 ] ;then
WARN proxy_libvirt_status hung
elif [ $aret -ne 10 -a $aret -ne 0 ] ; then
DBUG proxy_libvirt_status aret=$aret
else
$PL proxy_libvirt_list | grep -q "$GATEW_DOM" || {
ERROR MODE=$MODE and $GATEW_DOM not running ;
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
fi
elif false ; then
if ! grep -q '10.152.152.10\|127.0.0.1' /etc/resolv.conf ; then
$NETS | grep -q :53 || {
ERROR $prog retval=$? test=$ARG local resolv.conf but :53 not running
[ -z "$ALL" ] && exit 1 || continue
}
fi
fi
[ -n "$GREP" ] && [ $DMESG_LINES -gt 0 ] && \
DBUG `dmesg|tail|grep $GREP|tail -$DMESG_LINES`
done
exit 0
1)
env https_proxy=http://${SOCKS_HOST}:${HTTPS_PORT} wget $D -O - --no-check-certificate
2)
curl $D -k --proxy
3)
curl $D -k --proxy socks5://${SOCKS_HOST}:$SOCKS_PORT --proxy-insecure
5)
nslookup -port=$SOCKS_DNS www.whatismypublicip.com ${SOCKS_HOST} \
6)
curl -k --proxy $HTTP_PORT
16)
nslookup $PRIV_BIN_OWNER
18)
ntpdate as sroot
19)
curl raw noproxy
0)
usage

10
overlay/Linux/usr/local/bin/proxy_sdwdate.bash Executable file
View file

@ -0,0 +1,10 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
sh $PREFIX/bin/proxy_ping_test.bash wifi || exit 1
sh $PREFIX/bin/proxy_ping_test.bash tor || exit 2
exec $PREFIX/bin/python3.7.sh $PREFIX/bin/sdwdate_.py "$@"

69
overlay/Linux/usr/local/bin/proxy_ssl_certs.bash Executable file
View file

@ -0,0 +1,69 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
# https://medium.com/@appmattus/android-security-ssl-pinning-1db8acb6621e
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/proxy_ping_lib.bash || \
{ ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
. /usr/local/bin/usr_local_base.bash || exit 2
proxy_ping_mode
#? . /usr/local/bin/proxy_export.bash $MODE
. /usr/local/bin/usr_local_base.bash || exit 2
CERT=$( proxy_ping_update_cacert )
[ "$?" -ne 0 -o -n "$CERT" ] && CAFILE=$CERT || \
CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
openssl=openssl
OPENSSL_ARGS="-4 --CAfile $CAFILE -bugs -showcerts"
if [ -n "$https_proxy" ] ; then
HTTPS_HOST=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/https* //' -e 's/ .*//' )
HTTPS_PORT=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
OPENSSL_ARGS="$OPENSSL_ARGS -proxy ${HTTPS_HOST}:$HTTPS_PORT"
elif [ -n "$socks_proxy" ] ; then
SOCKS_HOST=$( echo $socks_proxy|sed -e 's/.*@//' -e 's@/@@g' -e 's/:/ /g' -e 's/socks5* //' -e 's/ .*//' )
SOCKS_PORT=$( echo $socks_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
# check /etc/tor/torsocks.conf
openssl='torsocks openssl'
fi
OUTR=/tmp/$prog$$
for item in "$@" ; do
i=0
OUTRF=$OUTR.$item
INFO openssl s_client -connect ${item}:443 -servername $item $OPENSSL_ARGS
$openssl s_client -connect ${item}:443 -servername $item $OPENSSL_ARGS \
</dev/null 2>$OUTRF.err >$OUTRF.out
[ $? -eq 0 ] || {
retval=$?
ERROR $prog $retval see $OUTRF.err
cat $OUTRF.err
exit 1$retval
}
[ -s $OUTRF.out ] || { ERROR $prog empty $OUTRF.out ; exit 2 ; }
sed -n '/Certificate chain/,/Server certificate/p' $OUTRF.out >$OUTRF.chain
DBUG $prog Certificate chain:
grep '^ [0-9][0-9]* ' $OUTRF.chain
INFO $prog Base64 Certificate sha256 digests:
rest=$( cat $OUTRF.chain )
while [[ "$rest" =~ '-----BEGIN CERTIFICATE-----' ]] ; do
cert="${rest%%-----END CERTIFICATE-----*}-----END CERTIFICATE-----"
rest=${rest#*-----END CERTIFICATE-----}
echo $( echo "$cert" | grep 's:' | sed 's/.*s:\(.*\)/\1/' ) echo "$cert" |
openssl x509 -pubkey -noout |
openssl rsa -pubin -outform der 2>/dev/null |
openssl dgst -sha256 -binary | openssl enc -base64
done
# rm -f $OUTRF.chain $OUTRF.out $OUTRF.err
done
exit 0

351
overlay/Linux/usr/local/bin/proxy_test_ssl.bash Executable file
View file

@ -0,0 +1,351 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
NOW=$( date -u +%y-%m-%d_%H%m )
DEBUG=1
PROXY_WLAN=wlan4
prog=$( basename $0 .bash )
# SocksPolicy Accept in /etc/tor/torrc - required and works with sslscan
ip route | grep ^default || { ERROR "not connected" ; exit 1 ; }
PATH=$PATH:/sbin
BADSSL_SITES=(
self-signed.badssl.com
expired.badssl.com
mixed.badssl.com
rc4.badssl.com
hsts.badssl.com
)
badssl=0
[ "$#" -eq 0 ] && badssl=1
# tests="$MODE"
tests=""
nodig=1
verbosity=2
outdir=/tmp
timeout=20
#[ -f /usr/local/etc/testforge/testforge.bash ] && \
# . /usr/local/etc/testforge/testforge.bash
. /usr/local/bin/proxy_ping_lib.bash || \
{ ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
if [ -f /usr/local/etc/ssl/cacert-testforge.pem ] ; then
CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
else
CERT=$( proxy_ping_update_cacert )
[ "$?" -ne 0 -o -n "$CERT" ] && CAFILE=$CERT || \
CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
fi
[ -z "$MODE" ] || MODE=`proxy_ping_mode`
if [ "$MODE" = tor ] ; then
[ -z "PROXY_WLAN" ] && PROXY_WLAN=`proxy_get_if`
[ -z "PROXY_WLAN" ] && { ERROR " error getting device $?" ; exit 3 ; }
if ip route | grep ^def ; then
PROXY_WLAN_IP=$( proxy_get_wlan_ip )
[ -n "$PROXY_WLAN_IP" ] || { ERROR "no PROXY_WLAN_IP" ; exit 4 ; }
fi
fi
usage() {
echo "Usage: $0 [OPTIONS] dirs-or-files"
echo
echo " -B | --badssl - test badssl.org sites"
echo " -D | --nodig - no dig sites"
echo " -T | --tests - ping tests to run first"
echo " -o | --outdir=/tmp - output directory"
echo " -v | --verbosity=$verbosity - verbosity 0 least 5 most"
echo
echo " -V | --version - print version of this script"
echo " -h | --help - print this help"
}
SHORTOPTS="hVBDT:v:"
LONGOPTS="help,version:,badssl,nodig,tests:,verbosity:"
HOSTS=
ARGS=$(getopt --options $SHORTOPTS --longoptions $LONGOPTS -- "$@")
[ $? != 0 ] && { ERROR "error parsing getopt" ; exit 5 ; }
eval set -- "$ARGS"
while true; do
case "$1" in
# -t --tests
-o|--outdir)
shift
outdir="$1"
;;
-v|--verbosity)
shift
verbosity="$1"
;;
-B|--badssl)
badssl=1
;;
-D|--nodig)
nodig=1
;;
-T|--tests)
shift
tests="$1"
;;
-V|--version)
usage
exit 0
;;
-h|--help)
usage
exit 0
;;
'--')
shift
HOSTS="$*"
break
;;
*)
{ ERROR "unrecognized arguments $*" ; exit 6 ; }
break
;;
esac
shift
done
[ $badssl -ne 0 ] && HOSTS="${BADSSL_SITES[*]}"
[ -z "$HOSTS" ] && { ERROR "no arguments $*" ; exit 0 ; }
[ -d "$outdir" ] || mkdir -p "$outdir" || { ERROR "mkdir $outdir" ; exit 7 ; }
kill_time=$( expr $timeout + 10 )
[ -z "$tests" ] || \
for elt in $tests ; do
/usr/local/bin/proxy_ping_test.bash $elt || exit 9$?
done
if which sslscan 2>/dev/null ; then
sslscan='sslscan'
SSLSCAN_ARGS="-4 --show-client-cas --show-certificate --bugs --timeout $timeout --tlsall --show-ciphers --no-colour --verbose"
else
# no proxy support
sslscan=''
fi
# sslscan --show-client-cas - no proxy
openssl=openssl
OPENSSL_ARGS="-4 -bugs -showcerts"
if [ -e /dev/tcp ] && which testssl.bash 2>/dev/null ; then
testssl='testssl.bash'
TESTSSL_ARGS="--connect-timeout $timeout --openssl-timeout $timeout --standard --vulnerable"
#? --ssl-native
TESTSSL_ARGS="$TESTSSL_ARGS --add-ca $CAFILE --assume-http --hints --color=0 --append"
else
# no proxy support
testssl=''
fi
if [ -f /usr/local/bin/scurl.bash ] ; then
curl="/usr/local/bin/scurl.bash -- -s -S"
else
curl='curl -s -S'
fi
CURL_ARGS="-vvv --cacert $CAFILE --cert-status --connect-timeout $timeout"
if [ -f /var/local/bin/analyze-ssl.pl.bash ] ; then
analyze=/var/local/bin/analyze-ssl.pl.bash
ANALYZE_ARGS="-v --timeout $timeout --CApath $CAFILE --all-ciphers"
else
analyze=""
fi
warns=0
OUTR=$outdir/$prog-$NOW
if [ $nodig -eq 0 ] ; then
for item in $HOSTS ; do
i=0
OUTRF=$OUTR.$item
if [ $MODE = tor ] ; then
torresolve $item > $OUTRF.dig.out 2>&1
retval=$?
[ $retval -ne 0 ] && ERROR "torresolve $item $? - see $OUTRF.dig.out" && exit 1$?
elif false ; then
nslookup $item > $OUTRF.nslookup.out 2>&1
#?[ $? -eq 0 ] || WARN "nslookup $item $? - see $OUTRF.nslookup.out"
#?grep NXDOMAIN "$OUTRF.nslookup.out" && WARN "nslookup $item NXDOMAIN - see $OUTRF.nslookup.out"
else
dig $item > $OUTRF.dig.out 2>&1
[ $? -ne 0 ] && ERROR "dig $item $? - see $OUTRF.dig.out" && exit 1$?
grep 'ANSWER: 1' "$OUTRF.dig.out" || ERROR "dig $item no ANSWER - see $OUTRF.dig.out" && exit 2$?
fi
done
fi
# [ -r /etc/tor/torrc ]
# was https take precedence over socks
if [ -n "$socks_proxy" ] ; then
SOCKS_HOST=$( echo $socks_proxy|sed -e 's/.*@//' -e 's@/@@g' -e 's/:/ /g' -e 's/socks5* //' -e 's/ .*//' )
SOCKS_PORT=$( echo $socks_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
openssl='torsocks openssl'
# --interface lo --dns-interface lo
[ -n "$analyze" ] && analyze="torsocks $analyze"
[ -n "$testssl" ] && testssl="torsocks $testssl"
[ -n "$sslscan" ] && sslscan="torsocks $sslscan"
if [ $MODE = tor -o $MODE = selektor ] ; then
sudo grep -q "SocksPolicy *accept *$PROXY_WLAN_IP" /etc/tor/torrc || \
{ WARN "need SocksPolicy accept $PROXY_WLAN_IP in /etc/tor/torrc" ; }
fi
CURL_ARGS="$CURL_ARGS --proxy $socks_proxy "
if [ ${HTTPS_HOST} = 127.0.0.1 ] ; then
CURL_ARGS="$CURL_ARGS --interface"
fi
if netstat -nle4 | grep 127.0.1:53 ; then
CURL_ARGS="$CURL_ARGS --dns-interface lo"
fi
elif [ -n "$https_proxy" ] ; then
HTTPS_HOST=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/https* //' -e 's/ .*//' )
HTTPS_PORT=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
OPENSSL_ARGS="$OPENSSL_ARGS -proxy ${HTTPS_HOST}:$HTTPS_PORT"
TESTSSL_ARGS="$TESTSSL_ARGS --proxy=auto"
CURL_ARGS="$CURL_ARGS --proxy http://${HTTPS_HOST}:$HTTPS_PORT"
ANALYZE_ARGS="$ANALYZE_ARGS --starttls http_proxy:${HTTPS_HOST}:$HTTPS_PORT"
[ -n "$testssl" ] && testssl="torsocks $testssl"
[ -n "$sslscan" ] && sslscan="torsocks $sslscan"
else
: direct
fi
TENVS="DNS_VIA_PROXY=true"
errs=0
for CAFILE in /etc/ssl/certs/ca-certificates.crt /usr/local/etc/ssl/cacert-testforge.pem ; do
[ -f $CAFILE ] || { ERROR "CAfile not found $CAFILE" ; exit 8; }
for item in $HOSTS ; do
i=0
OUTRF=$OUTR.$item
if [ -n "$openssl" ] ; then
INFO "$openssl s_client -connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE"
echo $openssl s_client \
-connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE \
< /dev/null > $OUTRF.s_client.out
timeout ${kill_time}s \
$openssl s_client \
-connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE \
< /dev/null >> $OUTRF.s_client.out 2>&1
# :error:\|
if [ $? -eq 124 ] ; then
echo "DEBUG: timeout openssl s_client failed $? see $OUTRF.s_client.out"
elif [ $? -ne 0 ] ; then
WARN "openssl s_client failed $? see $OUTRF.s_client.out"
i=$( expr $i + 1 )
elif str='unable to get local issuer certificate' && \
grep "$str" $OUTRF.s_client.out; then
WARN "openssl s_client failed - $str see $OUTRF.s_client.out"
i=$( expr $i + 1 )
elif str='Cipher is (NONE)' && \
grep "$str" $OUTRF.s_client.out; then
WARN "openssl s_client failed - $str see $OUTRF.s_client.out"
i=$( expr $i + 1 )
elif str='SSL handshake has read 0 bytes' && \
grep "$str" $OUTRF.s_client.out; then
WARN "openssl s_client failed - $str see $OUTRF.s_client.out"
i=$( expr $i + 1 )
else
echo "DEBUG: openssl s_client -showcerts $OPENSSL_ARGS --CAfile $CAFILE $item"
timeout ${kill_time}s \
$openssl s_client -showcerts \
-connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE < /dev/null \
> $OUTRF.s_client.certs 2>&1
fi
fi
if [ -n "$sslscan" ] ; then
echo $sslscan $SSLSCAN_ARGS --certs $CAFILE --sni-name $item $item > $OUTRF.sslscan.out
timeout ${kill_time}s \
$sslscan $SSLSCAN_ARGS --sni-name $item $item >> $OUTRF.sslscan.out 2>&1
if [ $? -eq 124 ] ; then
echo "DEBUG: timeout sslscan failed $? see $OUTRF.sslscan.out "
elif [ $? -ne 0 ] ; then
WARN "sslscan failed $? see $OUTRF.sslscan.out "
i=$( expr $i + 1 )
elif grep 'SSL Certificate' $OUTRF.sslscan.out ; then
WARN "sslscan failed see $OUTRF.sslscan.out "
i=$( expr $i + 1 )
elif grep 'Connection failed' $OUTRF.sslscan.out ; then
# tail -1 $OUTRF.sslscan.out | grep 'Supported Server Cipher'
WARN "sslscan failed see $OUTRF.sslscan.out "
i=$( expr $i + 1 )
else
INFO "$sslscan $SSLSCAN_ARGS $item"
fi
fi
if [ -n "$testssl" -a -n "$https_proxy" ] ; then
# rDNS (140.82.114.3): lb-140-82-114-3-iad.github.com.testssl.sh: line 10330: /dev/tcp/140.82.114.3/443: No such file or directory
echo $TENVS $testssl $TESTSSL_ARGS $item > $OUTRF.testssl.out
env $TENVS $testssl $TESTSSL_ARGS $item >> $OUTRF.testssl.out 2>&1
if [ $? -ne 0 ] ; then
WARN "testssl failed $? see $OUTRF.testssl.out"
i=$( expr $i + 1 )
elif grep ': unable to\| error:\|doesn.t seem to be a TLS/SSL enabled server' $OUTRF.testssl.out; then
WARN "testssl failure see $OUTRF.testssl.out"
i=$( expr $i + 1 )
else
INFO "$testssl $TESTSSL_ARGS $item"
echo "DEBUG: $testssl $TESTSSL_ARGS --jsonfile-pretty $OUTRF.testssl.json $item"
env $TENVS $testssl $TESTSSL_ARGS --jsonfile-pretty $OUTRF.testssl.json $item > $OUTRF.testssl-json.out 2>&1
fi
fi
if [ -n "$curl" ] ; then
DBUG $TENVS $curl $CURL_ARGS -o /dev/null https://$item/
env $TENVS $curl $CURL_ARGS -o /dev/null https://$item/ > $OUTRF.curl-vvv.out 2>&1
if [ $? -eq 0 ] ; then
grep 'SSL certificate problem:' $OUTRF.curl-vvv.out && \
{ WARN "curl -vvv failed $? see $OUTRF.curl-vvv.out" ;
i=$( expr $i + 1 ) ; } || \
INFO $curl $CURL_ARGS $item
else
INFO $curl $CURL_ARGS $item
fi
fi
if [ -n "$analyze" ] ; then
timeout ${kill_time}s \
$analyze $ANALYZE_ARGS --name $item ${item}:443 \
> $OUTRF.analyze-ssl.out 2>&1
# certificate verified : ok
if [ $? -eq 124 ] ; then
echo "DEBUG: timeout $analyze $ANALYZE_ARGS $item"
elif [ $? -eq 0 ] ; then
INFO "$analyze $ANALYZE_ARGS $item"
else
WARN "$analyze failed $? see $OUTRF.analyze-ssl.out"
i=$( expr $i + 1 )
fi
fi
[ $i -eq 0 ] && continue
WARN "$i failures for $item"
errs=$(expr $errs + $i )
DBUG $OUTRF.*.out
done
done
find $OUTRF.* -type f -empty -delete
exit $errs

137
overlay/Linux/usr/local/bin/proxy_whonix.bash Executable file
View file

@ -0,0 +1,137 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
USAGE="host|to_tor|tor|from_tor|client|whonix|gateway|vda|nat|workstation|ping|ssl|status|test|refresh|update|up|down"
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
[ $( id -u ) -eq 0 ] || { ERROR $prog should be run as root ; exit 1 ; }
. /usr/local/sbin/proxy_whonix_lib.bash || \
{ ERROR loading /usr/local/sbin/proxy_whonix_host_lib.bash ; exit 2; }
#. /usr/local/bin/proxy_ping_lib.bash || \
# { ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
. /usr/local/bin/usr_local_base.bash || exit 2
proxy_whonix_mode
## proxy_whonix_test_mode - proxy_whonix_host.bash test
proxy_whonix_test_mode () { DBUG proxy_whonix_test_mode $* ;
if [ $MODE = tor -o $MODE = whonix -o $MODE = host ]; then
/usr/local/sbin/proxy_whonix_host.bash test || return 1$?
fi
return 0
}
## proxy_whonix_status - proxy_ping_test.bash "$MODE"
proxy_whonix_status () { DBUG proxy_whonix_status $* ;
$PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$?
return 0
}
## proxy_whonix_refresh
proxy_whonix_refresh () { DBUG proxy_whonix_refresh $* ;
local USAGE="python|pip"
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $USAGE
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
elif [ "$1" = 'python' ] ; then
/usr/local/bin/testforge_clean_usr_local_lib.bash
elif [ "$1" = 'pip' ] ; then
/usr/local/bin/base_pip_upgrade.bash -p 2 -i 0
/usr/local/bin/base_pip_upgrade.bash -p 3 -i 0
base_sheebang_after_pip.bash
else
:
fi
}
UPGRADE_USAGE="python|pip"
## proxy_whonix_update - $UPGRADE_USAGE
proxy_whonix_update() {
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $UPGRADE_USAGE
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
elif [ "$1" = 'python' ] ; then
:
elif [ "$1" = 'pip' ] ; then
:
else
:
fi
}
TEST_USAGE="ssl|ping|mode|libvirt|ga"
## proxy_whonix_test - test $TEST_USAGE
proxy_whonix_test () { DBUG proxy_whonix_test $* ;
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $TEST_USAGE
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
elif [ "$1" = 'ssl' ] ; then
$PREFIX/sbin/proxy_test_ssl.bash "$@" || exit 3$?
elif [ "$1" = 'mode' ] ; then
proxy_whonix_test_mode || exit 4$?
elif [ "$1" = 'ping' ] ; then
$PREFIX/sbin/proxy_ping_test.bash "$@" || exit 4$?
elif [ "$1" = 'libvirt' ] ; then
$PREFIX/bin/proxy_ping_lib.bash proxy_libvirt_test || exit 5$?
elif [ "$1" = 'ga' ] ; then
$PREFIX/bin/proxy_libvirt_ga_test.bash || exit 5$?
else
:
fi
return 0
}
WD=$PWD
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $USAGE
exit 0
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
grep '^## ' $0 | sed -e 's/^## //'
exit 0
elif [ "$1" = client ] ; then
shift
elif [ "$1" = ws -o "$1" = 'workstation' -o "$1" = 'gateway' ] ; then
[ $1 = ws ] && arg=workstation || arg=$1
shift
$PREFIX/sbin/proxy_whonix_guest_$arg.bash "$*" || exit 3$?
elif [ 'to_tor' -o "$1" = 'tor' -o "$1" = 'from_tor' -o "$1" = 'whonix' ] ; then
$PREFIX/sbin/proxy_whonix_host.bash "$@" || exit $?
elif [ "$1" = host ] ; then
shift
$PREFIX/sbin/proxy_whonix_host.bash "$@" || exit $?
elif [ "$1" = refresh -o "$1" = update -o "$1" = 'test' -o "$1" = 'status' ] ; then
arg=$1;shift
proxy_whonix_$arg "$@"
elif [ "$1" = 'down' -o "$1" = 'up' ] ; then
arg=$1;shift
proxy_whonix_$arg "$@"
elif [ "$1" = hourly -o "$1" = 'refresh' ] ; then
:
else
DBUG $prog $*
eval "$@"
exit $?
fi
exit 0

254
overlay/Linux/usr/local/bin/scurl.bash Executable file
View file

@ -0,0 +1,254 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
# must not use stdout
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
prog=scurl
umask 022
RETRIES=2
SSL_VER=3
. /usr/local/bin/proxy_ping_lib.bash
[ -f /usr/local/bin/proxy_curl_lib.bash ] && \
. /usr/local/bin/proxy_curl_lib.bash
if ! route | grep -q ^def ; then
WARN $prog we are not connected >&2
exit -1
fi
usage="curls with some wget options
Usage: $prog options -- curl-options
Options:
-P, --directory-prefix
-X, --force-directories create directories to download to
-C, --cacert CA certs in .pem
-M, --mode proxy_ping_mode
-S, --ssl ssl version 2=tls1.2 3=tls1.3
-Y, --ciphers comma sep list of ciphers
-Q, --quiet --silent --show-error
-h, --help display this help and exit
"
if [[ $? -ne 0 ]]; then
echo "$usage"
exit 2
fi
declare -a LARGS
# --location is required to follow redirects
# im not sure about --http2
LARGS+=( --remote-time --location --max-redirs 10 --continue-at - )
LARGS+=( --retry-delay 10 --show-error --fail )
# --proto-redir https --proto =https is required to prevent protocol downgrades
LARGS+=( --proto-redir https --proto-default https --proto =https )
[ -z "$MODE" ] && MODE=$( /usr/local/bin/proxy_ping_lib.bash proxy_ping_mode )
[ -z "$socks_proxy" ] && . /usr/local/bin/proxy_export.bash
SSL_LIB=openssl # nss
if [ -x /var/local/bin/curl.bash ] ; then
EXE=/var/local/bin/curl.bash
elif which scurl ; then
EXE=`which scurl`
else
EXE=curl
fi
SHORT=M:QP:XC:F:hS:
LONG=mode:,quiet,directory-prefix:,force-directories,cacert,ca-cert:,help,ssl:
#? export POSIXLY_CORRECT=1
PARSED=$(getopt --options $SHORT --longoptions $LONG --name "$prog" -- "$@")
eval set -- "$PARSED"
P="$PWD"
X="0"
# echo DEBUG: WD=$WD rest=$*
LOGF=/tmp/$prog$$.err
SSL_CIPHERS=""
while true; do
case "$1" in
-P|--directory-prefix)
shift
P="$1"
shift
# echo DEBUG: P=$WD rest=$*
;;
-X|--force-directories)
X=1
shift
;;
-S|--ssl)
shift
SSL_VER="$1"
shift
;;
-Y|--ciphers)
shift
SSL_CIPHERS="$1"
shift
;;
-C|--cacert|-Z|--ca-cert)
shift
CA_CERT="$1"
shift
;;
-M|--mode)
shift
MODE="$1"
shift
;;
-Q|--quiet)
shift
LARGS="$LARGS --silent --show-error"
;;
-h|--help)
echo USAGE: "$usage"
exit 0
;;
--)
shift
break
;;
*)
# echo ERROR: unhandled arguments $* - use -- after -P $PWD or -X ; exit 3
break
;;
esac
done
[ "$SSL_VER" -ge 2 -a "$SSL_VER" -le 3 ] || { ERROR "SSL_VER $SSL_VER" ; exit 6 ; }
LARGS+=( --tlsv1.$SSL_VER )
if [ -n "$SSL_CIPHERS" -a "$SSL_VER" = 2 ] ; then
[ $SSL_LIB = openssl ] && \
SSL_CIPHERS="ECDHE-RSA-AES256-SHA" # ECDHE-RSA-AES256-GCM-SHA384
[ $SSL_LIB = nss ] && \
SSL_CIPHERS="ecdhe_rsa_aes_256_sha"
fi
if [ -n "$SSL_CIPHERS" -a "$SSL_VER" = 3 ] ; then
[ $SSL_LIB = openssl ] && \
SSL_CIPHERS="TLS_AES_256_GCM_SHA384" # TLS_CHACHA20_POLY1305_SHA256
[ $SSL_LIB = nss ] && \
SSL_CIPHERS="aes_256_gcm_sha_384"
fi
[ -n "$SSL_CIPHERS" ] && LARGS+=( --ciphers "$SSL_CIPHERS" )
if [ "$MODE" = tor -o "$MODE" = selektor -o "$MODE" = whonix ] && \
netstat -nle4 | grep -q 127.0.0.1:53 ; then
LARGS+=( --dns-ipv4-addr 127.0.0.1 --dns-servers 127.0.0.1 )
elif [ "$MODE" = whonix ] && ifconfig virbr1 | grep -q 10.0.2.2 ; then
LARGS+=( --dns-ipv4-addr 10.0.2.15:9053 --dns-servers 10.0.2.15:9053 )
else
debug 127.0.0.1:53 not running MODE=$MODE
fi
if ! uname -a | grep -q 'Devuan\|Debian' ; then
if [ -f $HOME/.local/ ] ; then
[ -f $HOME/.local/alt.svc ] || touch $HOME/.local/alt.svc
LARGS+=( --alt-svc $HOME/.local/alt.svc )
# #define CURLALTSVC_H2 (1<<4)
fi
export CURLOPT_ALTSVC_CTRL=16
fi
declare -a RARGS
RARGS=("$@")
DBUG "$#" "${RARGS[*]}" >&2
i=0
while [ $i -le $RETRIES ] ; do
# assumes one URL
if [ "${#RARGS[@]}" -eq 1 ] ; then
the_url=`sed -e 's@http://@https://@g' -e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' -e 's@https*://gentoo.osuosl.org@https://mirror.leaseweb.com/gentoo@g' <<< "${RARGS[*]}"`
else
the_url=`sed -e 's@http://@https://@' -e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' -e 's@https*://gentoo.osuosl.org@https://mirror.leaseweb.com/gentoo@g' <<< "${RARGS[-1]}"`
fi
RARGS[-1]="$the_url"
site=`sed -e 's@https*://@@g' -e 's@/.*@@' <<< $the_url`
i=`expr $i + 1`
if [ "$X" = 1 ] ; then
rel_file=$( sed -e 's@^file://*@@' -e 's@^https*://*@@' -e 's@[&?#].*@@' <<< $the_url )
rel_dir=$( sed -e 's@/$@@' <<< $rel_file )
rel_dir=$( sed -e 's@/[^/]*$@@' <<< $rel_dir )
[ -d "$P/$rel_dir" ] || mkdir -p "$P/$rel_dir"
output=`sed -e 's/[!:?#]/_/g' <<< "$P/$rel_file"`
LARGS+=( --output "$output" --create-dirs )
fi
DBUG $EXE "${LARGS[@]}" "${RARGS[@]}" >&2
echo $EXE "${LARGS[@]}" "${RARGS[@]}" > $LOGF
$EXE "${LARGS[@]}" "${RARGS[@]}" >> $LOGF 2>&1
retval=$?
if [ "$retval" -eq 22 ] || \
tail -4 $LOGF | grep -q 'The requested URL returned error:'; then
# on 22 - change to HTTP code
code=`tail -4 $LOGF | grep 'The requested URL returned error:' | sed -e 's/.*returned error: //' -e 's/ *$//'`
if [ "$code" = 416 ] ; then
INFO "$prog retval=$retval code=$code ${HTTP_RESPONSE[416]} $the_url = $LOGF" >&2
retval=$code
elif [ "$code" = 429 ] ; then
ERROR "$prog retval=$retval code=$code ${HTTP_RESPONSE[$code]} $the_url = $LOGF" >&2
retval=$code
exit $retval
elif [ -n "$code" ] && [ "$code" -ge 400 ] ; then
# 403 Cloudflare
ERROR "$prog retval=$retval code=$code ${HTTP_RESPONSE[$code]} $the_url = $LOGF" >&2
retval=$code
elif [ -n "$code" ] && [ "$code" -lt 400 ] ; then
INFO "$prog retval=$retval code=$code ${HTTP_RESPONSE[$code]} $the_url = $LOGF" >&2
else
WARN "$prog retval=$retval \"$code\" $the_url = $LOGF" >&2
fi
elif [ "$retval" = 35 ] ; then
# 35 CURLE_SSL_CONNECT_ERROR
ERROR "$prog retval=$retval CURLE_SSL_CONNECT_ERROR $the_url = $LOGF" >&2
# feedback to scurl_urls.sh
NOTLSV3+=( $site )
elif [ "$retval" = 1 ] ; then
# retval=1 CURLE=CURLE_UNSUPPORTED_PROTOCOL - seems to be a transient error
WARN "$prog retval=$retval CURLE=${CURLE[$retval]} $the_url = $LOGF" >&2
continue
elif [ "$retval" = 92 ] ; then
# curl: (92) HTTP/2 stream 0 was not closed cleanly: INTERNAL_ERROR (err 2)
WARN "$prog retval=$retval CURLE=${CURLE[$retval]} $the_url = $LOGF" >&2
continue
elif [ "$retval" -ne 0 ] ; then
# curl: (3) URL using bad/illegal format or missing URL - worked
WARN "$prog retval=$retval CURLE=${CURLE[$retval]} $the_url = $LOGF" >&2
elif tail -3 $LOGF | grep -q "HTTP code 504 from proxy after CONNECT" ; then
WARN "$prog HTTP code 504 from proxy after CONNECT $the_url = $LOGF" >&2
continue
elif tail -3 $LOGF | grep -q "503 - Forwarding failure" ; then
WARN "$prog 503 - Forwarding failure $the_url = $LOGF" >&2
continue
else
INFO "$prog $output = $LOGF" >&2
# rm -f $LOGF
fi
break
# "$P/$rel_file"
# if [ $retval -gt 0 ] ; then
# The requested URL returned error: 416
# if [ $retval = 22 ] && [ "$code" = 416 ] && [ -f "$P/$rel_file" ] ; then
# fi
done
exit $retval

18
overlay/Linux/usr/local/bin/sdwdate.bash Executable file
View file

@ -0,0 +1,18 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
PREFIX=/usr/local
ROLE=proxy
if [ -x $PREFIX/bin/proxy_ping_test.bash ] ; then
if virsh|grep Whonix-Gateway ; then
sh $PREFIX/bin/proxy_ping_test.bash whonix || exit 1
else
sh $PREFIX/bin/proxy_ping_test.bash wifi || exit 1
sh $PREFIX/bin/proxy_ping_test.bash 30 || exit 2
fi
fi
export PYTHONPATH=$PREFIX/lib64/python3.7/site-packages
exec python3.sh $PREFIX/bin/sdwdate_.py "$@"

1
overlay/Linux/usr/local/etc/firewall.conf.gateway Symbolic link
View file

@ -0,0 +1 @@
../../../../../templates/etc/firewall.conf.gateway

1
overlay/Linux/usr/local/etc/firewall.conf.selektor Symbolic link
View file

@ -0,0 +1 @@
../../../../../templates/etc/firewall.conf.selektor

1
overlay/Linux/usr/local/etc/firewall.conf.tor Symbolic link
View file

@ -0,0 +1 @@
../../../../../templates/etc/firewall.conf.tor

1
overlay/Linux/usr/local/etc/firewall.conf.whonix Symbolic link
View file

@ -0,0 +1 @@
../../../../../templates/etc/firewall.conf.whonix

1
overlay/Linux/usr/local/etc/firewall.conf.ws Symbolic link
View file

@ -0,0 +1 @@
../../../../../templates/etc/firewall.conf.ws

20
overlay/Linux/usr/local/etc/hosts Normal file
View file

@ -0,0 +1,20 @@
151.101.122.132 deb.debian.org
216.58.204.110 google.com
151.80.211.8 pool.ntp.org
78.46.53.2 pool.ntp.org
207.34.49.172 pool.ntp.org
205.206.70.7 pool.ntp.org
206.108.0.131 pool.ntp.org
162.159.200.1 pool.ntp.org
140.82.112.4 github.com
37.58.58.140 mirror.leaseweb.com
5.79.75.37 novg.net
193.150.121.24 reseed.i2p2.no
167.71.120.31 reseed.onion.im
34.201.225.154 i2pseed.creativecowpat.net
80.74.145.70 reseed.diva.exchange
167.71.120.31 reseed.onion.im
68.183.196.133 reseed.i2pgit.org
193.150.121.24 reseed.i2p2.no
81.7.7.4 reseed.i2p-projekt.de
132.163.97.3 time.nist.gov

33
overlay/Linux/usr/local/etc/init.d/libvirtd.openrc Executable file
View file

@ -0,0 +1,33 @@
#!/sbin/openrc-run
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
description="Virtual Machine Management daemon (libvirt)"
LIBVIRTD_OPTS=${LIBVIRTD_OPTS:-"${LIBVIRTD_OPTS}"}
LIBVIRTD_TIMEOUT=${LIBVIRTD_TERMTIMEOUT:-"TERM/25/KILL/5"}
command="/usr/sbin/libvirtd"
command_args="${LIBVIRTD_OPTS}"
start_stop_daemon_args="-b --env KRB5_KTNAME=/etc/libvirt/krb5.tab"
pidfile="/run/libvirtd.pid"
retry="${LIBVIRTD_TERMTIMEOUT}"
depend() {
need virtlogd
use ceph dbus iscsid virtlockd
after cgconfig corosync ebtables iptables ip6tables nfs nfsmount ntp-client ntpdportmap rpc.statd sanlock xenconsoled
USE_FLAG_FIREWALLD
}
start_pre() {
# Test configuration directories in /etc/libvirt/ to be either not
# present or a directory, i.e. not a regular file, bug #532892
checkpath --directory /etc/libvirt/lxc || return 1
checkpath --directory /etc/libvirt/nwfilter || return 1
[ -L /etc/libvirt/qemu ] ||
checkpath --directory /etc/libvirt/qemu || return 1
[ -L /etc/libvirt/storage ] ||
checkpath --directory /etc/libvirt/storage || return 1
}

41
overlay/Linux/usr/local/etc/jnettop.conf Normal file
View file

@ -0,0 +1,41 @@
#
# jnettop, network online traffic visualiser
# Copyright (C) 2002-2005 Jakub Skopal
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# $Header: /cvsroot/jnettop/jnettop/.jnettop,v 1.7 2006/04/11 15:59:59 merunka Exp $
#
# interface "eth1"
variable "intranet" "net 192.168.0.0/16 or 10.0.0.0/8 or 172.16.0.0/12"
variable "me" "net 10.16.238.53"
variable "lo" "net 127.0.0.1/32"
variable "virbr1" "net 10.0.2.2"
variable "whonix" "net 10.0.2.0/24"
rule "Intranet<->Extranet" "((src ${intranet}) and not (dst ${intranet})) or ((dst ${intranet}) and not (src ${intranet}))"
rule "Me<->Whonix" "((src ${me}) and ((dst ${whonix}) or (dst ${lo}))) or (((dst ${me}) or (dst ${lo})) and (src ${whonix}))"
rule "Me<->Extranet" "((src ${me}) and not (dst ${me})) or ((dst ${me}) and not (src ${me}))"
rule "Google" "host www.google.com"
rule "IPv6" "ip6"
local_aggregation none
remote_aggregation none
local_network "192.168.0.0" "255.255.0.0"
local_network "10.0.0.0" "255.0.0.0"
# select_rule "Me<->Whonix"
# resolve_rule "192.168.0.0" "255.255.0.0" normal
# resolve_rule "192.168.0.0" "255.255.0.0" external "/usr/share/jnettop/jnettop-lookup-nmb"
resolve off

42
overlay/Linux/usr/local/etc/jnettop.conf.vda Normal file
View file

@ -0,0 +1,42 @@
#
# jnettop, network online traffic visualiser
# Copyright (C) 2002-2005 Jakub Skopal
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# $Header: /cvsroot/jnettop/jnettop/.jnettop,v 1.7 2006/04/11 15:59:59 merunka Exp $
#
interface "eth0"
variable "intranet" "net 192.168.0.0/16 or 10.0.0.0/8 or 172.16.0.0/12"
variable "me" "net 10.16.238.53"
variable "vda" "net 10.152.152.11"
variable "lo" "net 127.0.0.1/32"
variable "virbr1" "net 10.0.2.2"
variable "whonix" "net 10.0.2.0/24"
rule "Intranet<->Extranet" "((src ${intranet}) and not (dst ${intranet})) or ((dst ${intranet}) and not (src ${intranet}))"
rule "Me<->Whonix" "((src ${me}) and ((dst ${whonix}) or (dst ${lo}))) or (((dst ${me}) or (dst ${lo})) and (src ${whonix}))"
rule "Vda<->Intranet" "((src ${vda}) and not (dst ${vda})) or ((dst ${vda}) and not (src ${vda}))"
rule "Google" "host www.google.com"
rule "IPv6" "ip6"
local_aggregation none
remote_aggregation none
local_network "192.168.0.0" "255.255.0.0"
local_network "10.0.0.0" "255.0.0.0"
select_rule "Vda<->Intranet"
# resolve_rule "192.168.0.0" "255.255.0.0" normal
# resolve_rule "192.168.0.0" "255.255.0.0" external "/usr/share/jnettop/jnettop-lookup-nmb"
resolve off

6
overlay/Linux/usr/local/etc/libvirt/hooks/network Executable file
View file

@ -0,0 +1,6 @@
#!/bin/sh
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
# BEGIN ANSIBLE MANAGED BLOCK proxy whonix_host.yml
[ ! -f /usr/local/sbin/proxy_libvirt_hook_network.bash ] || \
/usr/local/sbin/proxy_libvirt_hook_network.bash
# END ANSIBLE MANAGED BLOCK proxy whonix_host.yml

381
overlay/Linux/usr/local/etc/local.bash Executable file
View file

@ -0,0 +1,381 @@
#!/bin/sh
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
# prog=rc.local
PREFIX=/usr/local
ROLE=local
export PATH=$PATH:/usr/local/sbin:/usr/local/bin
if [ -x /sbin/rc-service ] ; then
local_rc_service () { rc-service "$@" ; }
local_rc_update () { rc-update "$@" ; }
elif [ -x /bin/systemctl ] ; then
local_rc_service () {
systemctl list-units --no-pager | grep -q $1 && \
echo INFO: /usr/sbin/service "$@" || \
echo WARN: /usr/sbin/service "$@"
/usr/sbin/service "$@" 2>/dev/null
return $?
}
local_rc_update () {
if [ "$#" -eq 0 ] ; then
systemctl list-units --no-pager
return $?
fi
dir=$1 ; shift ;
svc=$1 ; shift ;
if [ $dir = add ] ; then
dire=enable
elif [ $dir = del ] ; then
dire=disable
else
dire=$dir
fi
echo INFO: $prog systemctl --no-pager $dire $svc "$@"
systemctl --no-pager $dire $svc "$@"
return $?
}
elif [ -x /usr/sbin/service ] ; then
local_rc_service () {
/usr/sbin/service --status-all 2>&1 | grep -q $1 && \
echo INFO: /usr/sbin/service "$@" || \
echo WARN: /usr/sbin/service "$@"
/usr/sbin/service "$@" 2>/dev/null
return $?
}
local_rc_update () {
if [ "$#" -eq 0 ] ; then
/usr/sbin/service --status-all 2>&1 | sed -e 's/.* //'
return $?
fi
dir=$1 ; shift ;
svc=$1 ; shift ;
# disable|enable |remove
if [ $dir = add ] ; then
dire=enable
elif [ $dir = del ] ; then
dire=disable
else
dire=$dir
fi
update-rc.d $svc $dire || echo WARN: update-rc.d $svc $dir $dire
}
fi
proxy_rc_service () { local_rc_service $* ; }
proxy_rc_update () { local_rc_update $* ; }
grep -q root=/dev/vda /proc/cmdline
PROXY_IS_VDA=$?
## local_disable_lid
local_disable_lid () {
# https://bbs.archlinux.org/viewtopic.php?id=72779
echo LID0 > /proc/acpi/wakeup
# https://forums.linuxmint.com/viewtopic.php?f=208&t=106532
if [ -f /etc/UPower/UPower.conf ] ; then
[ -f /etc/UPower/UPower.conf.bak ] || \
cp -p /etc/UPower/UPower.conf /etc/UPower/UPower.conf.bak
grep -q '^IgnoreLid=true' /etc/UPower/UPower.conf || \
sed -e 's@#*IgnoreLid=.*@IgnoreLid=true@' -i /etc/UPower/UPower.conf
fi
if [ -f /etc/systemd/logind.conf ] ; then
[ -f /etc/systemd/logind.conf.bak ] || \
cp -p /etc/systemd/logind.conf /etc/systemd/logind.conf.bak
grep -q '^HandleLidSwitch=ignore' /etc/systemd/logind.conf || \
sed -e 's@^#*HandleLidSwitch=.*@HandleLidSwitch=ignore@' -i /etc/systemd/logind.conf
fi
return 0
}
## local_guest_start_services
local_guest_start_services () {
for file in /usr/local/etc/modules-load.d/vda*conf ; do
[ -s $file ] || continue
base=`basename $file`
[ -e /etc/modules-load.d/$base ] && continue
echo "# from $file" > /etc/modules-load.d/$base
grep -v '^#' $file >> /etc/modules-load.d/$base
done
grep -hv '#' /etc/modules-load.d/vda*.conf | xargs modprobe --all
local_start_services $*
exit 0
}
local_guest_add_xorg_conf () {
[ -f /etc/X11/xorg.conf.d/80_qxl.conf ] || \
grep -q Drive.*qxl /etc/X11/xorg.conf.d/*.conf || \
cat > /etc/X11/xorg.conf.d/80_qxl.conf << EOF
# BEGIN ANSIBLE MANAGED BLOCK proxy whonix_guest.yml
Section "Device"
Identifier "qxl"
Driver "qxl"
Option "DPI" "96 x 96"
Option "ENABLE_IMAGE_CACHE" "True"
Option "ENABLE_FALLBACK_CACHE" "False"
Option "ENABLE_SURFACES" "False"
EndSection
# END ANSIBLE MANAGED BLOCK proxy whonix_guest.yml
EOF
return 0
}
## local_guest_config
local_guest_config () {
[ -d /etc/qemu ] || mkdir /etc/qemu
[ -f /etc/qemu/qemu-ga.conf ] || cat > /etc/qemu/qemu-ga.conf <<EOF
[general]
daemon=false
method=virtio-serial
path=/dev/virtio-ports/org.qemu.guest_agent.0
pidfile=/run/qemu-ga.pid
statedir=/run
verbose=true
retry-path=false
blacklist=
logfile=/var/log/libvirtd/qemu-ga.log
EOF
[ -d /var/log/libvirtd/ ] || mkdir /var/log/libvirtd/
[ -f /etc/default/qemu-guest-agent.diff ] || cat > /etc/default/qemu-guest-agent.diff <<EOF
*** /etc/default/qemu-guest-agent.dst 2021-01-05 03:28:20.579117119 +0000
--- /etc/default/qemu-guest-agent 2021-08-27 20:26:36.234739996 +0000
***************
*** 1 ****
! DAEMON_ARGS="--logfile /var/log/libvirtd/qemu-ga.log"
--- 1 ----
! DAEMON_ARGS="--logfile /var/log/libvirtd/qemu-ga.log --verbose --pidfile /run/qemu-ga.pid"
EOF
[ -f /etc/default/qemu-guest-agent.dst ] || \
patch -z .st -b /etc/default/qemu-guest-agent \
< /etc/default/qemu-guest-agent.diff
return 0
}
## local_guest_status
local_guest_status () {
if [ ! -f /var/log/libvirtd/qemu-ga.log ] ; then
echo WARN: missing /var/log/libvirtd/qemu-ga.log
elif grep -q critical: /var/log/libvirtd/qemu-ga.log ; then
echo ERROR: critical /var/log/libvirtd/qemu-ga.log
fi
return 0
}
## local_guest_neutersystemd
local_guest_neutersystemd () {
[ ! -f /lib/lsb/init-functions.d/40-systemd ] || \
mv /lib/lsb/init-functions.d/40-systemd /lib/lsb/.40-systemd
return 0
}
# vda
## local_host_symlink_usr_src
local_host_symlink_etc_fstab () {
# guest
[ -h /etc/fstab ] && [ -f /etc/fstab.vda ] && \
rm -f /etc/fstab && ln -s /etc/fstab.vda /etc/fstab
return 0
}
## local_host_make_dmcrypt_swap
local_host_make_dmcrypt_swap () {
local two five
if ! grep -q '/dev/mapper\|/dev/sd\|/dev/dm' /proc/swaps ; then
blkid > ~/blkid.txt
five=`grep _05E ~/blkid.txt | head -1`
if [ $? -eq 0 -a -n "$five" ] ; then
two=`echo $five | sed -e 's/_.*//' -e 's/.*="//'`_02SWAP
if ! grep $two ~/blkid.txt ; then
dev=`echo $five | sed -e 's/:.*//' -e 's/5/2/'`
[ $? -eq 0 -a -n "$dev" ] && mkswap -L $two $dev
fi
grep $two /etc/conf.d/dmcrypt && local_rc_service dmcrypt restart || echo WARN: $two not in /etc/conf.d/dmcrypt
grep -q '/dev/mapper\|/dev/sd\|/dev/dm' /proc/swaps || local_rc_service swap restart
# if its not in fstab
grep -q '/dev/mapper\|/dev/sd\|/dev/dm' /proc/swaps || swapon /dev/mapper/cryptswap*
fi
fi
return 0
}
# all
## local_start_services
local_start_services () {
for elt in $*; do
local_rc_service $elt status >/dev/null || local_rc_service $elt start
local_rc_update | grep -q $elt || local_rc_update add $elt
done
return 0
}
# all
## nlocal_manual_stop_services
local_manual_stop_services () {
# set these to stop now and restart them manually as we configure them
# rsync on debian
for elt in $* ; do
local_rc_service $elt status >/dev/null && local_rc_service $elt stop
local_rc_update | grep -q $elt && local_rc_update del $elt
done
return 0
}
# all
## local_host_symlink_usr_src
local_host_symlink_usr_src () {
local dir
dir=`cat /proc/cmdline|sed -e 's/.*BOOT_IMAGE=kernel-pentoo-x86_64/linux/' -e 's/_.*//'`
WD=$PWD
cd /usr/src
if [ -d $dir ] ; then
rm -f linux
ln -s $dir linux || echo WARN: $PWD/$dir not found
fi
cd $WD
return 0
}
# all
## local_lightdm_on_text
local_lightdm_on_text () {
return 0
[ ! -f /usr/sbin/lightdm ] && return 0
if [ ! -f /usr/sbin/lightdm.bin ] ; then
[ -f /usr/sbin/lightdm.bad ] && mv /usr/sbin/lightdm.bad /usr/sbin/lightdm.bin
[ ! -f /usr/sbin/lightdm.bin ] && mv /usr/sbin/lightdm /usr/sbin/lightdm.bin
if [ -f /usr/sbin/lightdm.bin ] && [ -f /usr/sbin/lightdm ] ; then
cat > /usr/sbin/lightdm << EOF
#!/bin/sh
grep -q ' text ' /proc/cmdline && exit 0
exec /usr/sbin/lightdm.bin "$@"
EOF
chmod 755 /usr/sbin/lightdm
fi
fi
return 0
}
## local_host_restart_psmouse
local_host_restart_psmouse () {
local_rc_service gpm status && local_rc_service gpm stop
rmmod psmouse; sleep 1; modprobe psmouse proto=exps
local_rc_service gpm start
return 0
}
## local_host_restart_intel_sound
local_host_restart_intel_sound () {
which aplay >/dev/null 2>/dev/null || return 0
# both
if ! aplay -L | grep -q default:CARD=PCH ; then
rmmod snd_hda_intel ;
sleep 5
modprobe snd_hda_intel enable=1 ;
sleep 1
aplay -L >/dev/null || exit 2
fi
return 0
}
## local_all
local_all () {
local_disable_lid
touch /var/log/boot
chmod 775 /usr/local/*bin/*sh /var/local/*bin/*sh
# grep -q text /proc/cmdline && local_lightdm_on_text
( cd /var/tmp && rm -rf ansible-local-* Temp-* ssh-* pulse-* .xfsm-ICE-* )
return 0
}
## local_manual_mask_services
local_manual_mask_services () {
if [ -d /usr/local/etc/systemd/ ] ; then
local_systemd_stop_and_mask $* || return 1$?
elif [ -x /usr/sbin/update-rc.d ] ; then
/usr/sbin/invoke-rc.d $1 stop
/usr/sbin/update-rc.d $1 remove || return 2$?
elif [ /sbin/rc-update ] ; then
/sbin/rc-service $1 stop
/sbin/rc-update $1 del || return 3$?
fi
return 0
}
## local_systemd_stop_and_mask
local_systemd_stop_and_mask () {
[ $# -eq 0 ] && [ -d /usr/local/etc/systemd/ ] && \
set - `grep -v '@\.service' /usr/local/etc/systemd/*.mask`
for file in $* ; do
[ -e /lib/systemd/system/$file ] || continue
elt=`basename $file`
systemctl is-enabled $elt 2>/dev/null >/dev/null || continue
echo INFO: local_systemd_stop_and_mask systemctl disable $elt
systemctl disable --now $elt && systemctl mask $elt
# [ -h /etc/systemd/system/$file ]
# [ `readlink /etc/systemd/system/$file ` = /dev/null ]
done
return 0
}
## local_neuter_gvfs
local_neuter_gvfs () {
[ -d /usr/local/share/dbus-1/services ] || exit 0
cd /usr/local/share/dbus-1/services
for file in /usr/share/dbus-1/services/*vfs* ; do
sed -e 's@^Exec=.*@Exec=/bin/false@' > `basename $file`
done
}
local_link_linux () {
sed < /proc/cmdline -e 's@.*BOOT_IMAGE=vmlinuz-@linux-@' -e 's/[_ ].*//'| \
while read line ; do
[ -z "$line" ] && continue
[ -d "/usr/src/$line" ] || { echo WARN: /usr/src/$line ; continue ; }
rm -f /usr/src/linux
echo INFO: /usr/src/$line /usr/src/linux
ln -s /usr/src/$line /usr/src/linux
done
return 0
}
local_null_machineid () {
[ -s /etc/machine-id ] && cp /dev/null /etc/machine-id
return 0
}
base=local
if [ -x /usr/bin/basename ] && [ `/usr/bin/basename -- $0` = $base'.bash' ] ; then
[ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && \
echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//'| sort \
&& exit 0
eval "$@"
exit $?
fi

43
overlay/Linux/usr/local/etc/local.d/Whonix-All.rc Executable file
View file

@ -0,0 +1,43 @@
#!/bin/bash -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
# run this first
ROLE=local
MODE=all
CONN=all
BIN=/usr/local/sbin
. /usr/local/etc/local.d/local.bash || exit 1
local_all
local_manual_mask_services pdnsd ntpd tor polipo dnsmasq \
NetworkManager-wait-online apt-daily-upgrade apt-daily
# support the console
local_start_services gpm
# adjust to your taste here
[ -e /dev/autofs ] && rm /dev/autofs
if false && which systemctl 2>/dev/null >/dev/null ; then
systemctl | grep -q proc-sys-fs-binfmt_misc.automount && \
systemctl mask proc-sys-fs-binfmt_misc.automount
fi
exit 0
#? systemctl unmask -- -.mount run-msgcollector.mount run-user-1000.mount

19
overlay/Linux/usr/local/etc/local.d/Whonix-Gateway.local Executable file
View file

@ -0,0 +1,19 @@
#!/bin/sh -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
sh /usr/local/etc/local.d/Whonix-All.rc
sh /usr/local/etc/local.d/Whonix-Guest.rc
sh /usr/local/etc/local.d/Whonix-Gateway.rc
[ -f /usr/local/etc/local.d/Whonix-Local.rc ] && \
sh /usr/local/etc/local.d/Whonix-Local.rc

29
overlay/Linux/usr/local/etc/local.d/Whonix-Gateway.rc Executable file
View file

@ -0,0 +1,29 @@
#!/bin/bash -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
ROLE=proxy
MODE=gateway
CONN=guest
BIN=/usr/local/sbin
. /usr/local/etc/local.d/local.bash || exit 1
local_guest || exit 3$?
# leave this for later when online
if false ; then
if ! $BIN/proxy_whonix_guest_gateway.bash config ; then
echo WARN: proxy_whonix_guest_gateway.bash config retval=$?
fi
if ! $BIN/proxy_whonix_guest_gateway.bash start ; then
echo WARN: proxy_whonix_guest_gateway.bash start retval=$?
fi
fi
exit 0

35
overlay/Linux/usr/local/etc/local.d/Whonix-Guest.rc Normal file
View file

@ -0,0 +1,35 @@
#!/bin/bash -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
ROLE=proxy
MODE=gateway
CONN=guest
. /usr/local/etc/local.d/local.bash || exit 1
local_start_services qemu-guest-agent # spice-vdagent
if ! [ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] ; then
echo WARN: $prog /dev/virtio-ports/org.qemu.guest_agent.0 not found
echo WARN: $prog Add "<channel type='unix'><target type='virtio' name='org.qemu.guest_agent.0'/></channel>"
echo 'WARN: to the /etc/libvirtd/qemu/*.xml file on the host'
fi
local_guest_config
local_guest_neutersystemd
local_guest_start_services qemu-guest-agent # spice-vdagent
# local_guest_add_xorg_conf
local_guest_status

25
overlay/Linux/usr/local/etc/local.d/Whonix-Host.local Normal file
View file

@ -0,0 +1,25 @@
#!/bin/sh -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
dmesg>/var/log/dmesg.log
[ -d /usr/local/tmp/rc ] || mkdir -p /usr/local/tmp/rc
chmod 1777 /usr/local/tmp/rc
for elt in All Host Local ; do
sh /usr/local/etc/local.d/Whonix-$elt.rc
done > /usr/local/tmp/rc/rc.local.log 2>&1
#[ -f /usr/local/etc/local.d/Whonix-Lati.rc ] && \
# sh /usr/local/etc/local.d/Whonix-Lati.rc
timeout 20s tail -f /usr/local/tmp/rc/rc.local.log
exit 0

138
overlay/Linux/usr/local/etc/local.d/Whonix-Host.rc Executable file
View file

@ -0,0 +1,138 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
. /usr/local/etc/local.d/local.bash
chmod 775 /usr/local/sbin/*sh /usr/local/bin/*sh
export PATH=$PATH:/usr/local/bin:/usr/local/sbin
grep -q root=/dev/vda /proc/cmdline
PROXY_IS_VDA=$?
if [ $PROXY_IS_VDA -eq 0 ] ; then
/usr/local/sbin/proxy_whonix_lib.bash proxy_vda_config
fi
# Host and Vda
[ -d /etc/apt ] && \
local_manual_stop_services openvpn exim4 apt-daily-upgrade udisks2 \
sdwdate tb-updater-first-boot lvm2-monitor
# BEGIN ANSIBLE MANAGED BLOCK base initctl
if [ ! -e /dev/initctl -a -e /run/initctl ] ; then
ln -s /run/initctl /dev/initctl
elif [ ! -e /dev/initctl ] ; then
mknod -m=0600 /dev/initctl p
fi
# END ANSIBLE MANAGED BLOCK base initctl
# BEGIN ANSIBLE MANAGED BLOCK base
( cd /var/tmp && rm -rf ansible-local-* Temp-* ssh-* pulse-* .xfsm-ICE-* )
# END ANSIBLE MANAGED BLOCK base
# sh "/var/local/etc/local.d/testforge.start"
# redis
# WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
#? echo never > /sys/kernel/mm/transparent_hugepage/enabled
if false;then
# failsafe but independent of whether wlan exists
[ -f /usr/local/sbin/proxy_whonix_host_libvirt.bash ] && \
sh /usr/local/sbin/proxy_whonix_host_libvirt.bash proxy_whonix_libvirt_start
if ! /usr/local/sbin/proxy_whonix_host.bash config ; then
echo WARN: Whonix-Host.rc proxy_whonix_host.bash config failed $?
fi
if ! /usr/local/sbin/proxy_whonix_host.bash start ; then
echo WARN: Whonix-Host.rc proxy_whonix_host.bash start failed $?
fi
if ! /usr/local/sbin/proxy_whonix_host.bash test ; then
echo WARN: Whonix-Host.rc proxy_whonix_host.bash test failed $?
fi
fi
exit 0
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml text
local_systemd_stop_services display-manager
# END ANSIBLE MANAGED BLOCK update lati_unix.yml text
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
for eltin h i j o q v q w l ; do
[ -d /mnt/$elt/tmp ] || mount /mnt/$elt
done
exit 0
# END ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml mask
# local_manual_stop_services
SYSTEMD_STOP_AND_MASK="
debug-shell.service
systemd-backlight@.service
phpsessionclean.service
phpsessionclean.timer
apt-daily-upgrade.service
apt-daily-upgrade.timer
dbus-org.freedesktop.nm-dispatcher.service
tb-updater-first-boot.service
openvpn.service
systemd-backlight@.service
systemd-backlight@backlight.service
vboxadd-service.service
vboxautostart-service.service
vboxballoonctrl-service.service
vboxdrv.service
vboxweb-service.service
"
# /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask $SYSTEMD_STOP_AND_MASK
for file in /usr/local/etc/systemd/*.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK update lati_unix.yml mask
/var/local/bin/harden_dbus_neuter.bash
which brightnessctl 2>/dev/null >/dev/null && brightnessctl set 90%
# BEGIN ANSIBLE MANAGED BLOCK update
/usr/local/etc/local.d/local.bash local_disable_lid
# END ANSIBLE MANAGED BLOCK update
# BEGIN ANSIBLE MANAGED BLOCK update local_disable_lid
/usr/local/etc/local.d/local.bash local_disable_lid
# END ANSIBLE MANAGED BLOCK update local_disable_lid
# BEGIN ANSIBLE MANAGED BLOCK base lati_unix.yml mask
ROLE=base
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK base lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK gpgkey lati_unix.yml mask
ROLE=gpgkey
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK gpgkey lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK hostvms lati_unix.yml mask
ROLE=hostvms
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK hostvms lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK privacy lati_unix.yml mask
ROLE=privacy
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK privacy lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK proxy lati_unix.yml mask
ROLE=proxy
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK proxy lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK testforge lati_unix.yml mask
ROLE=testforge
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK testforge lati_unix.yml mask

19
overlay/Linux/usr/local/etc/local.d/Whonix-Kicksecure.local Normal file
View file

@ -0,0 +1,19 @@
#!/bin/sh -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
sh /usr/local/etc/local.d/Whonix-All.rc
sh /usr/local/etc/local.d/Whonix-Host.rc
sh /usr/local/etc/local.d/Whonix-Kicksecure.rc
#[ -f /usr/local/etc/local.d/Whonix-Local.rc ] && \
# sh /usr/local/etc/local.d/Whonix-Local.rc

19
overlay/Linux/usr/local/etc/local.d/Whonix-Kicksecure.rc Executable file
View file

@ -0,0 +1,19 @@
#!/bin/bash -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
ROLE=proxy
CONN=guest
BIN=/usr/local/sbin
. /usr/local/etc/local.d/local.bash || exit 1
local_kicksecure || exit 3$?
exit 0

140
overlay/Linux/usr/local/etc/local.d/Whonix-Lati.rc Executable file
View file

@ -0,0 +1,140 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
# local_host_sys_scaling
ROLE=local
MODE=all
CONN=all
BIN=/usr/local/sbin
. /usr/local/etc/local.d/local.bash || exit 1
loadkeys /etc/keymaps/us.map
# BEGIN ANSIBLE MANAGED BLOCK proxy main.yml start
grep -q root=/dev/vda /proc/cmdline
PROXY_IS_VDA=$?
# END ANSIBLE MANAGED BLOCK proxy main.yml start
if [ $PROXY_IS_VDA -eq 0 ] ; then
:
elif [ -n "$CHROOT" ] ; then
:
else
# host
:
fi
local_host_sys_scaling () {
local file
if [ $PROXY_IS_VDA -ne 0 -a -z "$CHROOT" ] ; then
for file in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor ; do
echo performance >>$file
done
for file in /sys/devices/system/cpu/cpu*/cpufreq/scaling_min_freq ; do
echo 1600000 >>$file
done
fi
return 0
}
# BEGIN ANSIBLE MANAGED BLOCK proxy whonix_host.yml
local_host_sys_scaling
# END ANSIBLE MANAGED BLOCK proxy whonix_host.yml
# BEGIN ANSIBLE MANAGED BLOCK base Debian
[ -f /etc/init.d/console-setup.sh ] && \
/etc/init.d/console-setup.sh start
# END ANSIBLE MANAGED BLOCK base Debian
local_host_restart_psmouse
local_host_restart_intel_sound
if [ "$PROXY_IS_VDA" -ne 0 ] ; then
local_manual_stop_services redis postgresql-11
fi
# BEGIN ANSIBLE MANAGED BLOCK base Debian
/etc/init.d/console-setup.sh start
# END ANSIBLE MANAGED BLOCK base Debian
mount /mnt/o
mount /mnt/i
mount /mnt/j
mount /mnt/e
mount /mnt/q
mount /mnt/w
exit 0
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml sound
( cd /var/tmp && rm -rf ansible-local-* Temp-* ssh-* pulse-* .xfsm-ICE-* )
ls /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor 2>/dev/null >/dev/null && \
for file in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor ; do
echo performance >>$file
done
for file in /sys/devices/system/cpu/cpu*/cpufreq/scaling_min_freq ; do
echo 1600000 >>$file
done
[ -e /usr/share/netsurf/DejaVuSans.ttf ] || \
sudo ln -s /usr/share/fonts/truetype/dejavu/DejaVuSans.ttf /usr/share/netsurf
true
# END ANSIBLE MANAGED BLOCK update lati_unix.yml sound
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml sysrq
# On x86 - You press the key combo ALT-SysRq-<command key>.
# Some keyboards may not have a key labeled ?SysRq?. The ?SysRq? key is also known as the ?Print Screen? key.
# Also some keyboards cannot handle so many keys being pressed at the same time, so you might have better
# luck with press Alt, press SysRq, release SysRq, press <command key>, release everything.
echo 1> /proc/sys/kernel/sysrq 2>/dev/null
# END ANSIBLE MANAGED BLOCK update lati_unix.yml sysrq
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml dmcrypt
grep -q root=/dev/vda /proc/cmdline ; PROXY_IS_VDA=$?
if [ "$PROXY_IS_VDA" -ne 0 ] ; then
local_host_make_dmcrypt_swap
fi
exit 0
# END ANSIBLE MANAGED BLOCK update lati_unix.yml dmcrypt
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
for elt in h i j o q w l ; do
[ -d /mnt/$elt/tmp ] || mount /mnt/$elt
done
# END ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml scheduler
for elt in b c ; do
[ -d /sys/block/sd$elt ] || continue
echo deadline > /sys/block/sd$elt/queue/scheduler
done
# END ANSIBLE MANAGED BLOCK update lati_unix.yml scheduler
# BEGIN ANSIBLE MANAGED BLOCK base initctl
[ ! -e /dev/initctl -a -e /run/initctl ] && ln -s /run/initctl /dev/initctl && exit 0
[ ! -e /dev/initctl ] || mknod -m=0600 /dev/initctl p
# END ANSIBLE MANAGED BLOCK base initctl
# BEGIN ANSIBLE MANAGED BLOCK testforge npm
[ -f /usr/lib/node_modules/npm/node_modules/update-notifier/check.js ] && \
chmod 000 /usr/lib/node_modules/npm/node_modules/update-notifier/check.js
# END ANSIBLE MANAGED BLOCK testforge npm
# BEGIN ANSIBLE MANAGED BLOCK update Pentoo linux
dir=`cat /proc/cmdline|sed -e 's/BOOT_IMAGE=kernel-pentoo-x86_64/linux/' -e 's/_.*//'`
pushd /usr/src
rm -f linux
[ -d $dir ] && ln -s $dir linux || echo WARN: $PWD/$dir not found
popd
# END ANSIBLE MANAGED BLOCK update Pentoo linux
which brightnessctl 2>/dev/null >/dev/null && brightnessctl -c backlight set 95%
local_neuter_gvfs
local_link_linux
local_null_machineid
pkill gvfs
loadkeys /etc/keymaps/us.map

110
overlay/Linux/usr/local/etc/local.d/Whonix-Local.rc Executable file
View file

@ -0,0 +1,110 @@
#!/bin/bash -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
ROLE=local
MODE=all
CONN=all
BIN=/usr/local/sbin
. /usr/local/etc/local.d/local.bash || exit 1
# run this last
# BEGIN ANSIBLE MANAGED BLOCK update lati dmcrypt
if [ "$PROXY_IS_VDA" -ne 0 ] ; then
local_host_make_dmcrypt_swap
fi
# END ANSIBLE MANAGED BLOCK update lati dmcrypt
# BEGIN ANSIBLE MANAGED BLOCK update lati scheduler
## local_host_sys_set_scheduler
local_host_sys_set_scheduler () {
local elt
if [ "$PROXY_IS_VDA" -ne 0 ] ; then
for elt in b c ; do
[ -d /sys/block/sd$elt ] || continue
echo deadline > /sys/block/sd$elt/queue/scheduler
done
fi
return 0
}
local_host_sys_set_scheduler
# END ANSIBLE MANAGED BLOCK update lati scheduler
# BEGIN ANSIBLE MANAGED BLOCK update lati sysrq
# On x86 - You press the key combo ALT-SysRq-<command key>.
# Some keyboards may not have a key labeled ?SysRq?. The ?SysRq? key is also known as the ?Print Screen? key.
# Also some keyboards cannot handle so many keys being pressed at the same time, so you might have better
# luck with press Alt, press SysRq, release SysRq, press <command key>, release everything.
echo 1> /proc/sys/kernel/sysrq 2>/dev/null
# END ANSIBLE MANAGED BLOCK update lati sysrq
# BEGIN ANSIBLE MANAGED BLOCK update Pentoo linux
if [ "$PROXY_IS_VDA" -ne 0 ] ; then
local_host_symlink_usr_src
fi
# END ANSIBLE MANAGED BLOCK update Pentoo linux
## local_host_restart_intel_sound
local_host_restart_intel_sound () {
which aplay >/dev/null 2>/dev/null || return 0
# both
if ! aplay -L | grep -q default:CARD=PCH ; then
rmmod snd_hda_intel ;
sleep 5
modprobe snd_hda_intel enable=1 ;
sleep 1
aplay -L ;
fi
return 0
}
# BEGIN ANSIBLE MANAGED BLOCK update lati
#? rmmod pata_pcmcia pcmcia pcmcia_core 2>/dev/null
local_host_restart_intel_sound
# END ANSIBLE MANAGED BLOCK update lati
# BEGIN ANSIBLE MANAGED BLOCK testforge npm
[ -f /usr/lib64/node_modules/npm/node_modules/update-notifier/check.js ] && \
chmod 000 /usr/lib64/node_modules/npm/node_modules/update-notifier/check.js
# END ANSIBLE MANAGED BLOCK testforge npm
# BEGIN ANSIBLE MANAGED BLOCK update lati fstab
# END ANSIBLE MANAGED BLOCK update lati fstab
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml sysrq
# On x86 - You press the key combo ALT-SysRq-<command key>.
# Some keyboards may not have a key labeled ?SysRq?. The ?SysRq? key is also known as the ?Print Screen? key.
# Also some keyboards cannot handle so many keys being pressed at the same time, so you might have better
# luck with press Alt, press SysRq, release SysRq, press <command key>, release everything.
echo 1> /proc/sys/kernel/sysrq 2>/dev/null
# END ANSIBLE MANAGED BLOCK update lati_unix.yml sysrq
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
grep '/mnt/[a-z][ ]' /etc/fstab| \
sed -e 's@.*/mnt/@/mnt/@' -e 's/[ ].*//' | \
while read elt ;do
[ -d $elt/tmp ] || mount $elt
done
exit 0
# END ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml stop
local_systemd_stop_services display-manager
# END ANSIBLE MANAGED BLOCK update lati_unix.yml stop
# BEGIN ANSIBLE MANAGED BLOCK hostvms libvirt.yml libvirtd.log
cp /dev/null /var/local/var/log/libvirtd.log
# END ANSIBLE MANAGED BLOCK hostvms libvirt.yml libvirtd.log

23
overlay/Linux/usr/local/etc/local.d/Whonix-Vda.local Normal file
View file

@ -0,0 +1,23 @@
#!/bin/sh -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
for elt in All Guest Vda ; do
sh /usr/local/etc/local.d/Whonix-$elt.rc
done > /usr/local/tmp/rc.local.log 2>&1 &
#[ -f /usr/local/etc/local.d/Whonix-Local.rc ] && \
# sh /usr/local/etc/local.d/Whonix-Local.rc
#[ -f /usr/local/etc/local.d/Whonix-Lati.rc ] && \
# sh /usr/local/etc/local.d/Whonix-Lati.rc
timeout 20s tail -f /usr/local/tmp/rc.local.log
exit 0

42
overlay/Linux/usr/local/etc/local.d/Whonix-Vda.rc Executable file
View file

@ -0,0 +1,42 @@
#!/bin/bash -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
ROLE=local
MODE=vda
CONN=guest
. /usr/local/etc/local.d/local.bash || exit 1
if [ $PROXY_IS_VDA -ne 0 ] ; then
exit 1
fi
if [ $PROXY_IS_VDA -eq 0 ] ; then
:
else
:
fi
chmod 775 /usr/local/sbin/*sh /usr/local/bin/*sh
export PATH=$PATH:/usr/local/sbin
if ! proxy_whonix_vda.bash config ; then
echo WARN: proxy_whonix_vda.bash config retval=$?
elif ! proxy_whonix_vda.bash install ; then
echo WARN: proxy_whonix_vda.bash install retval=$?
elif ! proxy_whonix_vda.bash start ; then
echo WARN: proxy_whonix_vda.bash start retval=$?
fi
exit 0

19
overlay/Linux/usr/local/etc/local.d/Whonix-Workstation.local Normal file
View file

@ -0,0 +1,19 @@
#!/bin/sh -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
sh /usr/local/etc/local.d/Whonix-All.rc
sh /usr/local/etc/local.d/Whonix-Guest.rc
sh /usr/local/etc/local.d/Whonix-Workstation.rc
[ -f /usr/local/etc/local.d/Whonix-Local.rc ] && \
sh /usr/local/etc/local.d/Whonix-Local.rc

20
overlay/Linux/usr/local/etc/local.d/Whonix-Workstation.rc Normal file
View file

@ -0,0 +1,20 @@
#!/bin/bash -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
ROLE=local
MODE=workstation
CONN=guest
. /usr/local/etc/local.d/local.bash || exit 1

19
overlay/Linux/usr/local/etc/local.d/rc.local.start Executable file
View file

@ -0,0 +1,19 @@
# On some systems (openrc) the /etc/local.d directory should contain programs
# or scripts which are to be run when the local service is started or stopped.
#
# If a file in this directory is executable and it has a .start extension,
# it will be run when the local service is started. If a file is
# executable and it has a .stop extension, it will be run when the local
# service is stopped.
#
# All files are processed in lexical order.
#
# Keep in mind that files in this directory are processed sequentially,
# and the local service is not considered started or stopped until
# everything is processed, so if you have a process which takes a long
# time to run, it can delay your boot or shutdown processing.
# copying this file to /etc/local.d/ will run the /etc/rc.local file on startup
# On systemd systems you must add the rc.local service with systemctl.
sh /etc/rc.local

25
overlay/Linux/usr/local/etc/modules-load.d/firewall.conf Normal file
View file

@ -0,0 +1,25 @@
# BEGIN ANSIBLE MANAGED BLOCK proxy whonix_host.yml
#modprobe: FATAL: Module xt_MASQUERADE not found in directory /lib/modules/4.19.0-10-amd64
ip_tables
ipt_REJECT
iptable_filter
iptable_nat
xt_LOG
xt_conntrack
xt_nat
xt_owner
xt_state
xt_tcpudp
nf_conntrack
nf_defrag_ipv4
nf_log_common
nf_log_ipv4
nf_nat
#5 nf_nat_ipv4
#5 nf_reject_ipv4
#5 x_tables
xt_MASQUERADE
nft_masq
iptable_mangle
bridge
# END ANSIBLE MANAGED BLOCK proxy whonix_host.yml

5
overlay/Linux/usr/local/etc/modules-load.d/not_on_5.txt Normal file
View file

@ -0,0 +1,5 @@
# not with a 5 kernel
fscrypto
nf-nat0ipv4
ntf-chain-nat-ipv4
nft-chain-toute-ipv4

12
overlay/Linux/usr/local/etc/modules-load.d/vda_crypto.conf Normal file
View file

@ -0,0 +1,12 @@
aes_x86_64
algif_skcipher
crc16
crc32c_generic
crc32c_intel
cryptd
crypto_simd
dm_crypt
dm_mod
ecb
ghash_clmulni_intel
jitterentropy_rng

25
overlay/Linux/usr/local/etc/modules-load.d/vda_mods.conf Executable file
View file

@ -0,0 +1,25 @@
af_alg
ata_generic
ata_piix
autofs4
ext4
failover
## floppy
fscache
#5? fscrypto
glue_helper
i2c_piix4
libata
libcrc32c
loop
mbcache
net_failover
#5? nf_nat_ipv4
rng_core
scsi_mod
ttm
uhci_hcd
uinput
usb_common
usbcore

4
overlay/Linux/usr/local/etc/modules-load.d/vda_mods.err Normal file
View file

@ -0,0 +1,4 @@
modprobe: WARNING: Module aes_x86_64 not found in directory /lib/modules/5.8.12-pentoo_2020-09-30
modprobe: WARNING: Module nf_nat_ipv4 not found in directory /lib/modules/5.8.12-pentoo_2020-09-30
modprobe: WARNING: Module nft_chain_nat_ipv4 not found in directory /lib/modules/5.8.12-pentoo_2020-09-30
modprobe: WARNING: Module nft_chain_route_ipv4 not found in directory /lib/modules/5.8.12-pentoo_2020-09-30

4
overlay/Linux/usr/local/etc/modules-load.d/vda_net.conf Normal file
View file

@ -0,0 +1,4 @@
nft_chain_nat_ipv4
nft_chain_route_ipv4
nft_compat
nft_counter

12
overlay/Linux/usr/local/etc/modules-load.d/vda_virtio.conf Normal file
View file

@ -0,0 +1,12 @@
9p
9pnet
9pnet_virtio
qemu_fw_cfg
virtio_blk
virtio_gpu
virtio_net
virtio_pci
virtio_ring
virtio_rng

113
overlay/Linux/usr/local/etc/modules_load.sh Normal file
View file

@ -0,0 +1,113 @@
#!/bin/sh
TEMP=/c/tmp
cd $TEMP
[ -f $TEMP/lsmod ] || cat > $TEMP/lsmod <<EOF
Module Size Used by
joydev 24576 0
dm_crypt 40960 1
dm_mod 155648 3 dm_crypt
ip6t_REJECT 16384 1
nf_reject_ipv6 16384 1 ip6t_REJECT
nft_chain_route_ipv6 16384 1
ipt_REJECT 16384 12
nf_reject_ipv4 16384 1 ipt_REJECT
xt_tcpudp 16384 13
xt_state 16384 0
kvm_intel 233472 0
nft_counter 16384 33
xt_conntrack 16384 5
algif_skcipher 16384 0
kvm 757760 1 kvm_intel
nft_compat 20480 31
af_alg 28672 1 algif_skcipher
snd_hda_codec_generic 86016 1
nft_chain_route_ipv4 16384 1
irqbypass 16384 1 kvm
snd_hda_intel 49152 3
crct10dif_pclmul 16384 0
crc32_pclmul 16384 0
snd_hda_codec 151552 2 snd_hda_codec_generic,snd_hda_intel
snd_hda_core 94208 3 snd_hda_codec_generic,snd_hda_intel,snd_hda_codec
nft_chain_nat_ipv4 16384 4
snd_hwdep 16384 1 snd_hda_codec
nf_nat_ipv4 16384 1 nft_chain_nat_ipv4
ghash_clmulni_intel 16384 0
virtio_gpu 61440 7
nf_nat 36864 1 nf_nat_ipv4
snd_pcm 114688 3 snd_hda_intel,snd_hda_codec,snd_hda_core
nf_conntrack 172032 4 xt_conntrack,nf_nat,xt_state,nf_nat_ipv4
9p 65536 2
ttm 131072 1 virtio_gpu
pcspkr 16384 0
serio_raw 16384 0
uinput 20480 2
nf_defrag_ipv6 20480 1 nf_conntrack
snd_timer 36864 1 snd_pcm
drm_kms_helper 208896 1 virtio_gpu
loop 36864 2
fscache 385024 1 9p
nf_defrag_ipv4 16384 1 nf_conntrack
9pnet_virtio 20480 2
snd 94208 12 snd_hda_codec_generic,snd_hwdep,snd_hda_intel,snd_hda_codec,snd_timer,snd_pcm
drm 495616 10 drm_kms_helper,virtio_gpu,ttm
9pnet 86016 2 9p,9pnet_virtio
virtio_console 32768 2
libcrc32c 16384 2 nf_conntrack,nf_nat
soundcore 16384 1 snd
qemu_fw_cfg 16384 0
evdev 28672 9
nf_tables 143360 75 nft_chain_route_ipv4,nft_compat,nft_chain_nat_ipv4,nft_counter,nft_chain_route_ipv6
nfnetlink 16384 2 nft_compat,nf_tables
tirdad 16384 0
jitterentropy_rng 16384 0
virtio_rng 16384 0
rng_core 16384 1 virtio_rng
ip_tables 28672 0
x_tables 45056 7 xt_conntrack,nft_compat,xt_state,xt_tcpudp,ipt_REJECT,ip_tables,ip6t_REJECT
autofs4 49152 2
ext4 741376 1
crc16 16384 1 ext4
mbcache 16384 1 ext4
jbd2 122880 1 ext4
crc32c_generic 16384 0
fscrypto 32768 1 ext4
ecb 16384 0
crc32c_intel 24576 3
aesni_intel 200704 2
virtio_net 53248 0
aes_x86_64 20480 1 aesni_intel
net_failover 20480 1 virtio_net
crypto_simd 16384 1 aesni_intel
virtio_blk 20480 2
failover 16384 1 net_failover
cryptd 28672 4 crypto_simd,ghash_clmulni_intel,aesni_intel
psmouse 172032 0
glue_helper 16384 1 aesni_intel
ata_generic 16384 0
uhci_hcd 49152 0
ata_piix 36864 0
ehci_hcd 94208 0
libata 270336 2 ata_piix,ata_generic
usbcore 294912 2 ehci_hcd,uhci_hcd
virtio_pci 28672 0
scsi_mod 249856 1 libata
virtio_ring 28672 7 virtio_rng,virtio_console,9pnet_virtio,virtio_gpu,virtio_pci,virtio_blk,virtio_net
i2c_piix4 24576 0
usb_common 16384 1 usbcore
virtio 16384 7 virtio_rng,virtio_console,9pnet_virtio,virtio_gpu,virtio_pci,virtio_blk,virtio_net
floppy 86016 0
button 16384 0
EOF
cp /dev/null vda_mods.errs
cp /dev/null vda_mods.elts
cp /dev/null vda_mods.modinfo
grep -v 'tirdad\|pcspkr\|v6\|ip6' $TEMP/lsmod |sort| \
| sed -e 's/ .*//'|while read elt; do
lsmod | grep -q ^$elt && continue
modinfo $elt >> vda_mods.modinfo 2>>vda_mods.errs
echo $elt>>vda_mods.elts
done
exit 0

116
overlay/Linux/usr/local/etc/sdwdate.d/30_default.conf Normal file
View file

@ -0,0 +1,116 @@
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Please use "/etc/sdwdate.d/50_user.conf" for your custom
## configuration, which will override the defaults found here.
## When sdwdate is updated, this file may be overwritten.
## Proxy settings for non anonymous distributions.
## Uncomment for standard tor configuration (no stream isolation).
#PROXY_IP=127.0.0.1
#PROXY_PORT=9050
## Allowed percentage of url failures common to every pool.
## If sdwdate frequently stops with "Maximum allowed number of failures" error,
## create a file "/etc/sdwdate.d/50_user.conf" overriding MAX_FAILURE_RATIO
## with a higher figure.
MAX_FAILURE_RATIO=0.34
## pool syntax
## "url.onion[:port]#comment"
## "
## url.onion[:port]#comment
## [url.onion[:port]#comment]
## [url.onion[:port]#comment]
## [...]
## "
## "url.onion[:port]#comment"
## ...
## pool one.
## SecureDrop List
SDWDATE_POOL_ONE=(
"secrdrop5wyphb5x.onion#https://securedrop.org https://web.archive.org/web/20170403043247/https://securedrop.org"
"gmg7jl25ony5g7ws.onion#Gizmodo Media Group https://specialprojectsdesk.com/securedrop/ https://web.archive.org/web/20170215221547/https://specialprojectsdesk.com/securedrop/"
"33y6fjyhs3phzfjj.onion#The Guardian https://securedrop.theguardian.com https://web.archive.org/web/20170408213324/https://securedrop.theguardian.com"
"intrcept32ncblef.onion#The Intercept https://theintercept.com/source/ https://web.archive.org/web/20190502234252/https://theintercept.com/source/"
"qn4qfeeslglmwxgb.onion#Lucy Parsons Labs https://lucyparsonslabs.com/securedrop https://web.archive.org/web/20170322113502/https://lucyparsonslabs.com/securedrop/"
"usatodayw7vu5egc.onion#USA Today https://newstips.usatoday.com/securedrop.html https://web.archive.org/web/20170419183541/https://newstips.usatoday.com/securedrop.html"
"mprt35sjunnxfa76.onion#https://informant.taz.de https://web.archive.org/web/20170329061908/https://informant.taz.de"
"p53lf57qovyuvwsc6xnrppyply3vtqm7l6pcobkmyqsiofyeznfu5uqd.onion#https://securityheaders.com/?q=https%3A%2F%2Fwww.propublica.org&followRedirects=off https://web.archive.org/web/20200905091808/https://securityheaders.com/?q=https%3A%2F%2Fwww.propublica.org&followRedirects=off"
"nrkvarslekidu2uz.onion#NRKbeta https://www.nrk.no/varsle/ https://web.archive.org/web/20170329103137/https://www.nrk.no/varsle/"
)
## pool two.
##
## GlobaLeaks List
## info:
## https://www.globaleaks.org/implementations/ https://web.archive.org/web/20170421150421/https://www.globaleaks.org/implementations/
## Project Name Year Category HTTPS URL Country
## individual websites
## WikiLeaks List
SDWDATE_POOL_TWO=(
"ak2uqfavwgmjrvtu.onion#MagyarLeaks 2013 Investigative Journalism https://atlatszo.hu/magyarleaks/ Hungary https://web.archive.org/web/20170128142348/https://atlatszo.hu/magyarleaks/"
"zvldz46bbxqlw4od.onion#Transparencia https://www.transparencia.click"
"eljwdzi4pgrrlwwq.onion#https://citizen-cam.de https://github.com/asciimoo/searx/wiki/Searx-instances https://web.archive.org/web/20170519171857/https://github.com/asciimoo/searx/wiki/Searx-instances"
"nxhhwbbxc4khvvlw.onion#https://searx.gotrust.de https://web.archive.org/web/20170519171857/https://github.com/asciimoo/searx/wiki/Searx-instances"
"o2jdk5mdsijm2b7l.onion#https://search.gibberfish.org https://gibberfish.org/community-resources/ https://web.archive.org/web/20170512060744/https://gibberfish.org/community-resources/"
"ic6au7wa3f6naxjq.onion#https://lists.gnupg.org/pipermail/gnupg-users/2014-April/049578.html https://web.archive.org/web/20140617045518/https://lists.gnupg.org/pipermail/gnupg-users/2014-April/049578.html"
"gnjtzu5c2lv4zasv.onion#https://pgp.key-server.io https://web.archive.org/web/20170421212020/https://pgp.key-server.io"
"qdigse2yzvuglcix.onion#https://keys.mayfirst.org https://archive.fo/FC1lg"
"clgs64523yi2bkhz.onion#https://www.mailpile.is https://web.archive.org/web/20170409064457/https://www.mailpile.is"
"bitlox2twvzwbzpk.onion#https://bitlox.io https://archive.fo/0zcqz"
"ltcpool5brio2gaj.onion#https://www.litecoinpool.org/help https://web.archive.org/web/20161114095946/https://www.litecoinpool.org/help"
"wlchatc3pjwpli5r.onion#https://wikileaks.org/talk/ https://twitter.com/wikileaks/status/590907709387624450 https://web.archive.org/web/20150423160622/https:/twitter.com/wikileaks/status/590907709387624450"
"cyphdbyhiddenbhs.onion#Cyph - Encrypted Messenger https://www.cyph.com https://web.archive.org/web/20160827040234/https://www.cyph.com/"
[
"wooprzddebtxfhnq.onion#https://keys.void.gr https://sks-keyservers.net/status/info/keys.void.gr"
"xogxzfyhwmgfvmlr.onion#http://keyserver.c3l.lu https://sks-keyservers.net/status/info/keyserver.c3l.lu"
"pgpkeysximvxiazm.onion#https://pgpkeys.urown.net https://web.archive.org/web/20170421213557/https://pgpkeys.urown.net"
]
)
## pool three.
## info:
## individual websites
## Devuan List
## Void Linux List
## CryptoParty List
## systemli.org List
## Riseup List
## https://riseup.net/en/tor#riseups-tor-hidden-services https://web.archive.org/web/20170421215906/https://riseup.net/en/tor#riseups-tor-hidden-services
SDWDATE_POOL_THREE=(
"cheettyiapsyciew.onion#http://secushare.org https://archive.fo/vsFJS"
"7tm2lzezyjwtpn2s.onion#https://mascherari.press https://web.archive.org/web/20170210154832/https://mascherari.press"
"3kyl4i7bfdgwelmf.onion#http://www.wefightcensorship.org https://archive.fo/GhgMU"
"privacyintyqcroe.onion#https://www.privacyinternational.org https://twitter.com/privacyint/status/762656779272593408 https://web.archive.org/web/20170421233214/https:/twitter.com/privacyint/status/762656779272593408"
"grrmailb3fxpjbwm.onion#https://www.guerrillamail.com https://twitter.com/GuerrillaMail/status/751015957770801152 https://web.archive.org/web/20170421233232/https://twitter.com/GuerrillaMail/status/751015957770801152"
"t3qi4hdmvqo752lhyglhyb5ysoutggsdocmkxhuojfn62ntpcyydwmqd.onion#https://torstatus.rueckgr.at https://web.archive.org/web/20200904001100/https://torstatus.rueckgr.at/"
"expressobutiolem.onion#https://www.expressvpn.com https://web.archive.org/web/20170420065743/https://www.expressvpn.com"
"tinhat233xymse34.onion#https://thetinhat.com https://web.archive.org/web/20170421233308/https://thetinhat.com"
"rvy6qmlqfstv6rlz.onion#https://www.c3d2.de/news/20160106-c3d2-as-onionservice.html https://web.archive.org/web/20160807015616/https://www.c3d2.de/news/20160106-c3d2-as-onionservice.html"
"6zwctlqtpilbkl47.onion#https://piratenpartij.nl/contact/ https://web.archive.org/web/20170315154213/https://piratenpartij.nl/contact/"
[
"devuanzuwu3xoqwp.onion#www.devuan.org https://www.devuan.org https://web.archive.org/web/20170421215927/https://www.devuan.org/"
"devuanfwojg73k6r.onion#auto.mirror.devuan.org https://www.devuan.org https://web.archive.org/web/20170421215927/https://www.devuan.org/"
]
"crypty22ijtotell.onion#https://cryptoparty.is https://web.archive.org/web/20161015004023/https://www.cryptoparty.is/"
[
"llqiiswupgezsco4ux47cco3bxsaihbss5c3piefv6bhvpgfofyk7kad.onion#https://mail.systemli.org https://www.systemli.org/en/service/mail.html https://web.archive.org/web/20200825072459/https://www.systemli.org/en/service/mail.html"
"mjrkrqnlf26etelsi7zpkqc3dzlrzyurvmd3jksmndarzzbugz5xctid.onion#https://pad.systemli.org https://www.systemli.org/en/service/etherpad.html https://web.archive.org/web/20191025120405/https://www.systemli.org/en/service/etherpad.html"
]
[
"2h3xkc7wmxthijqb.onion#https://www.privacyfoundation.ch/de/kontakt.html https://web.archive.org/web/20151210044252/http://www.privacyfoundation.ch/de/kontakt.html"
"qcdbc7vspedojrr7.onion#https://www.digitale-gesellschaft.ch/uber-uns/ https://web.archive.org/web/20170415183758/https://www.digitale-gesellschaft.ch/uber-uns/"
]
[
"vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion#https://riseup.net https://riseup.net/en/security/network-security/tor https://web.archive.org/web/20200717041213/https://riseup.net/en/security/network-security/tor"
"7sbw6jufrirhyltzkslhcmkik4z7yrsmbpnptyritvz5nhbk35hncsqd.onion#https://lists.riseup.net https://riseup.net/en/security/network-security/tor https://web.archive.org/web/20200717041213/https://riseup.net/en/security/network-security/tor"
"5gdvpfoh6kb2iqbizb37lzk2ddzrwa47m6rpdueg2m656fovmbhoptqd.onion#https://mail.riseup.net https://riseup.net/en/security/network-security/tor https://web.archive.org/web/20200717041213/https://riseup.net/en/security/network-security/tor"
"kfahv6wfkbezjyg4r6mlhpmieydbebr5vkok5r34ya464gqz6c44bnyd.onion#https://pad.riseup.net https://riseup.net/en/security/network-security/tor https://web.archive.org/web/20200717041213/https://riseup.net/en/security/network-security/tor"
"zs7xwvcspvnnrqhvyxyxpjkihc4lva3yustfr75j6giy24mdfg3rcwqd.onion#https://share.riseup.net https://riseup.net/en/security/network-security/tor https://web.archive.org/web/20200717041213/https://riseup.net/en/security/network-security/tor"
"3xeiol2bnhrsqhcsaifwtnlqkylrerdspzua7bcjrh26qlrrrctfobid.onion#https://account.riseup.net https://riseup.net/en/security/network-security/tor https://web.archive.org/web/20200717041213/https://riseup.net/en/security/network-security/tor"
"zkdppoahhqu5ihjqd4qqvyfd2bm4wejrhjosim67t6yopl77jitg2nad.onion#https://we.riseup.net https://riseup.net/en/security/network-security/tor https://web.archive.org/web/20200717041213/https://riseup.net/en/security/network-security/tor"
"wmj5kiic7b6kjplpbvwadnht2nh2qnkbnqtcv3dyvpqtz7ssbssftxid.onion#https://about.0xacab.org https://web.archive.org/web/20200629165325/https://about.0xacab.org/"
]
)

3281
overlay/Linux/usr/local/etc/ssl/cacert-curl.se_ca_cacert.pem Normal file
View file

File diff suppressed because it is too large Load diff

1
overlay/Linux/usr/local/etc/ssl/cacert-testforge.pem Symbolic link
View file

@ -0,0 +1 @@
cacert-curl.se_ca_cacert.pem