emdee 2024-01-06 01:57:28 +00:00
commit 757ca483f0
115 changed files with 13170 additions and 0 deletions


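--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,45 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
+ROLE=proxy
+ip route | grep -q ^def || {
+WARN we are not connected
+}
+[ -f $HOME/.curlrc ] || touch $HOME/.curlrc
+declare -a CURL_OPTS
+if [[ "$socks_proxy" =~ socks5://.* ]] ; then
+export socks_proxy="$( echo $socks_proxy | sed -e 's@socks5://@socks5h://@' )"
+CURL_OPTS+=( --proxy $socks_proxy )
+[ -n "$https_proxy" ] && export https_proxy= && unset https_proxy
+[ -n "$http_proxy" ] && export http_proxy= && unset http_proxy
+elif [ -n "$https_proxy" ] ; then
+CURL_OPTS+=( --proxy $https_proxy )
+[ -n "$http_proxy" ] && export http_proxy= && unset http_proxy
+elif [ -n "$http_proxy" ] ; then
+CURL_OPTS+=( --proxy $http_proxy )
+fi
+export CURL_OPTS+=( -L --remote-time )
+if ! uname -a | grep -q 'Devuan\|Debian' && [ -s $HOME/.local/alt.svc ] ; then
+export CURL_OPTS+=( --alt-svc $HOME/.local/alt.svc )
+# #define CURLALTSVC_H2 (1<<4)
+export CURLOPT_ALTSVC_CTRL=16
+fi
+[[ ! "$*" =~ --config ]] && [ -s "$HOME/.curlrc" ] && \
+export CURL_OPTS+=( --config $HOME/.curlrc )
+[[ ! "$*" =~ --cookie-jar ]] && [ -s $HOME/.local/jar.cookie ] && \
+export CURL_OPTS+=( --cookie-jar $HOME/.local/jar.cookie )
+if [[ ! "$*" =~ --capath ]] && \
+[[ ! "$*" =~ --cacert ]] && \
+[ -s /usr/local/etc/ssl/cacert-testforge.pem ] ; then
+# --capath /usr/local/etc/:/etc/ssl/certs
+export CURL_OPTS+=( --cacert /usr/local/etc/ssl/cacert-testforge.pem )
+export CURL_CA_BUNDLE=/usr/local/etc/ssl/cacert-testforge.pem
+fi
+echo INFO: curl $CURL_OPTS "$@"
+exec curl $CURL_OPTS "$@"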
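Review bot: `$CURL_OPTS` on the final two lines expands only element 0 of the array, so every option accumulated after the first one (the `--proxy`, `-L --remote-time`, `--config`, `--cookie-jar` and `--cacert` entries) is silently dropped before curl runs; the exec should be `exec curl "${CURL_OPTS[@]}" "$@"`. The `echo INFO: …` line goes to stdout, which corrupts any pipeline that consumes curl's output (`… | tar`, `… | sh`); send it to stderr, e.g. `printf 'INFO: curl %s\n' "${CURL_OPTS[*]} $*" >&2`. `WARN` is invoked near the top but this script does not source the tput helper that the other scripts in this commit load first, so on a host without a default route it presumably fails with "command not found" rather than warning. Quoting `"$HOME"` in the `[ -f … ]`/`touch` line and the cookie-jar/alt-svc paths would also make the file survive a home directory containing spaces.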


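--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,63 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+PREFIX=/usr/local
+ROLE=proxy
+. /usr/local/bin/usr_local_base.bash || exit 2
+if [ "$#" -eq 1 -a "$1" = '--version' ] ; then
+exec /usr/bin/dirmngr.bin --version
+return 0
+fi
+# echo "DEBUG: $0 GNUPGHOME=$GNUPGHOME $*" >> /tmp/$$.out
+PROXY_GPG_KEYSERVER=keys.openpgp.org
+[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash >/dev/null
+[ -z "$PROXY_GPG_KEYERVER_URL" ] && PROXY_GPG_KEYERVER_URL=hkps://$PROXY_GPG_KEYSERVER
+# ONLY disabling on the command line or
+[ -e /proc/sys/net/ipv6/conf/default/disable_ipv6 ] && \
+[ `cat /proc/sys/net/ipv6/conf/default/disable_ipv6` -eq 0 ] && \
+echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
+PROXY_WLAN=$( /usr/local/bin/proxy_ping_lib.bash proxy_set_if ) # || return 1$?
+if [ -n "$PROXY_WLAN" ] ; then
+wlan7=$PROXY_WLAN
+[ -e /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6 ] && \
+[ `cat /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6` -eq 0 ] && \
+echo 1 > /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6
+fi
+route | grep -q ^default || { ERROR no route ; exit 1; }
+[ ! -x /usr/bin/netstat ] || \
+netstat -nlp | grep -q 127.0.0.1:53 || { ERROR no nameserver ; exit 4; }
+[ -z "$USER" ] && USER=$(id -un )
+if [ $USER = root ] ; then
+[ -x /usr/bin/dirmngr -a ! -x /usr/bin/dirmngr.bin ] && \
+mv /usr/bin/dirmngr /usr/bin/dirmngr.bin
+[ -x /usr/bin/dirmngr.bin -a ! -x /usr/bin/dirmngr ] && \
+ln -s /usr/local/bin/proxy_dirmngr.bash /usr/bin/dirmngr
+fi
+[ ! -x /usr/bin/dirmngr -o ! -x /usr/bin/dirmngr.bin ] && exit 2
+[ -f /etc/dirmngr/dirmngr.conf ] || exit 3
+# This is not enough: --disable-ipv6
+# --keyserver hkps://keys.gentoo.org is required
+# --http-proxy http://127.0.0.1:3128
+# --keyserver $PROXY_GPG_KEYERVER_URL
+# --no-use-tor is REQUIRED if you are running tor
+# EVEN IF YOU DOT USE use-tor - silent dns failure
+exec /usr/bin/dirmngr.bin --server -vvv --debug-all \
+--options /etc/dirmngr/dirmngr.conf \
+--nameserver 127.0.0.1 \
+--disable-ipv6 \
+--disable-ldap \
+--no-use-tor \
+--log-file /var/log/dirmngr.log --debug-level 4 \
+"$@"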
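Review bot: The two `echo 1 > /proc/sys/net/ipv6/conf/…/disable_ipv6` writes run from a wrapper that gpg invokes as whichever user is calling it: for a non-root user the redirection fails with a permission error on stderr and the script carries on, and for root a keyserver lookup silently flips a system-wide sysctl. The `--disable-ipv6` flag already passed to dirmngr.bin covers dirmngr itself, so consider dropping the sysctl writes, or at least gating them on the `[ $USER = root ]` check that only happens further down. `return 0` after `exec /usr/bin/dirmngr.bin --version` is unreachable and, in an executed script rather than a function, would itself be an error if reached; delete it. The `[ … -a … ]` / `[ … -o … ]` tests are the deprecated form; `[[ $# -eq 1 && $1 = '--version' ]]` and `[[ ! -x /usr/bin/dirmngr || ! -x /usr/bin/dirmngr.bin ]]` avoid the ambiguity.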


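--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,10 @@
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+PREFIX=/usr/local
+ROLE=proxy
+# BEGIN ANSIBLE MANAGED BLOCK proxy
+exec corkscrew $1 $2
+# $1 %h $2 %p
+#? exec connect -4 -S : $(tor-resolve $1 :) $2
+# END ANSIBLE MANAGED BLOCK proxy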
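Review bot: `exec corkscrew $1 $2` hands corkscrew only two positional arguments, but its command line is `corkscrew <proxyhost> <proxyport> <desthost> <destport> [authfile]`, so as written the ssh `%h %p` values appear to be used as the proxy address with no destination at all; presumably the intended form is `exec corkscrew <proxyhost> <proxyport> "$1" "$2"` with the proxy host and port filled in from the Ansible-managed configuration (placeholder values here). The file has no shebang, which is fine only if ssh's ProxyCommand always runs it via `sh -c`; adding `#!/bin/sh` makes that explicit. `$1` and `$2` should be quoted in any case.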


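--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,89 @@
+#!/usr/local/bin/python2.sh
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Simple ICMP ping.
+#
+# This implementation of ping uses the ICMP echo and echo-reply packets
+# to check the status of a host. If the remote host is up, it should reply
+# to the echo probe with an echo-reply packet.
+# Note that this isn't a definite test, as in the case the remote host is up
+# but refuses to reply the probes.
+# Also note that the user must have special access to be able to open a raw
+# socket, which this program requires.
+#
+# Authors:
+# Gerardo Richarte <gera@coresecurity.com>
+# Javier Kohen <jkohen@coresecurity.com>
+#
+# Reference for:
+# ImpactPacket: IP, ICMP, DATA.
+# ImpactDecoder.
+import select
+import socket
+import time
+import sys
+from impacket import ImpactDecoder, ImpactPacket
+if len(sys.argv) < 3:
+print("Use: %s <src ip> <dst ip>" % sys.argv[0])
+sys.exit(1)
+src = sys.argv[1]
+dst = sys.argv[2]
+# Create a new IP packet and set its source and destination addresses.
+ip = ImpactPacket.IP()
+ip.set_ip_src(src)
+ip.set_ip_dst(dst)
+# Create a new ICMP packet of type ECHO.
+icmp = ImpactPacket.ICMP()
+icmp.set_icmp_type(icmp.ICMP_ECHO)
+# Include a 156-character long payload inside the ICMP packet.
+icmp.contains(ImpactPacket.Data("A"*156))
+# Have the IP packet contain the ICMP packet (along with its payload).
+ip.contains(icmp)
+# Open a raw socket. Special permissions are usually required.
+s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
+s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
+seq_id = 0
+i = 0
+while i < 10:
+i += 1
+# Give the ICMP packet the next ID in the sequence.
+seq_id += 1
+icmp.set_icmp_id(seq_id)
+# Calculate its checksum.
+icmp.set_icmp_cksum(0)
+icmp.auto_checksum = 1
+# Send it to the target host.
+s.sendto(ip.get_packet(), (dst, 0))
+# Wait for incoming replies.
+if s in select.select([s],[],[],1)[0]:
+reply = s.recvfrom(2000)[0]
+# Use ImpactDecoder to reconstruct the packet hierarchy.
+rip = ImpactDecoder.IPDecoder().decode(reply)
+# Extract the ICMP packet from its container (the IP packet).
+ricmp = rip.child()
+# If the packet matches, report it to the user.
+if rip.get_ip_dst() == src and rip.get_ip_src() == dst and icmp.ICMP_ECHOREPLY == ricmp.get_icmp_type():
+print("Ping reply for sequence #%d" % ricmp.get_icmp_id())
+time.sleep(1)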


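--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,89 @@
+#!/usr/local/bin/python3.sh
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Simple ICMP ping.
+#
+# This implementation of ping uses the ICMP echo and echo-reply packets
+# to check the status of a host. If the remote host is up, it should reply
+# to the echo probe with an echo-reply packet.
+# Note that this isn't a definite test, as in the case the remote host is up
+# but refuses to reply the probes.
+# Also note that the user must have special access to be able to open a raw
+# socket, which this program requires.
+#
+# Authors:
+# Gerardo Richarte <gera@coresecurity.com>
+# Javier Kohen <jkohen@coresecurity.com>
+#
+# Reference for:
+# ImpactPacket: IP, ICMP, DATA.
+# ImpactDecoder.
+import select
+import socket
+import time
+import sys
+from impacket import ImpactDecoder, ImpactPacket
+if len(sys.argv) < 3:
+print("Use: %s <src ip> <dst ip>" % sys.argv[0])
+sys.exit(1)
+src = sys.argv[1]
+dst = sys.argv[2]
+# Create a new IP packet and set its source and destination addresses.
+ip = ImpactPacket.IP()
+ip.set_ip_src(src)
+ip.set_ip_dst(dst)
+# Create a new ICMP packet of type ECHO.
+icmp = ImpactPacket.ICMP()
+icmp.set_icmp_type(icmp.ICMP_ECHO)
+# Include a 156-character long payload inside the ICMP packet.
+icmp.contains(ImpactPacket.Data(b"A"*156))
+# Have the IP packet contain the ICMP packet (along with its payload).
+ip.contains(icmp)
+# Open a raw socket. Special permissions are usually required.
+s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
+s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
+seq_id = 0
+i = 0
+while i < 10:
+i += 1
+# Give the ICMP packet the next ID in the sequence.
+seq_id += 1
+icmp.set_icmp_id(seq_id)
+# Calculate its checksum.
+icmp.set_icmp_cksum(0)
+icmp.auto_checksum = 1
+# Send it to the target host.
+s.sendto(ip.get_packet(), (dst, 0))
+# Wait for incoming replies.
+if s in select.select([s],[],[],1)[0]:
+reply = s.recvfrom(2000)[0]
+# Use ImpactDecoder to reconstruct the packet hierarchy.
+rip = ImpactDecoder.IPDecoder().decode(reply)
+# Extract the ICMP packet from its container (the IP packet).
+ricmp = rip.child()
+# If the packet matches, report it to the user.
+if rip.get_ip_dst() == src and rip.get_ip_src() == dst and icmp.ICMP_ECHOREPLY == ricmp.get_icmp_type():
+print("Ping reply for sequence #%d" % ricmp.get_icmp_id())
+time.sleep(1)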


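--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,82 @@
+#!/usr/local/bin/python2.sh
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Simple ICMP6 ping.
+#
+# This implementation of ping uses the ICMP echo and echo-reply packets
+# to check the status of a host. If the remote host is up, it should reply
+# to the echo probe with an echo-reply packet.
+# Note that this isn't a definite test, as in the case the remote host is up
+# but refuses to reply the probes.
+# Also note that the user must have special access to be able to open a raw
+# socket, which this program requires.
+#
+# Authors:
+# Alberto Solino (@agsolino)
+#
+# Reference for:
+# ImpactPacket: ICMP6
+# ImpactDecoder.
+import select
+import socket
+import time
+import sys
+from impacket import ImpactDecoder, IP6, ICMP6, version
+print(version.BANNER)
+if len(sys.argv) < 3:
+print("Use: %s <src ip> <dst ip>" % sys.argv[0])
+sys.exit(1)
+src = sys.argv[1]
+dst = sys.argv[2]
+# Create a new IP packet and set its source and destination addresses.
+ip = IP6.IP6()
+ip.set_ip_src(src)
+ip.set_ip_dst(dst)
+ip.set_traffic_class(0)
+ip.set_flow_label(0)
+ip.set_hop_limit(64)
+# Open a raw socket. Special permissions are usually required.
+s = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_ICMPV6)
+payload = "A"*156
+print("PING %s %d data bytes" % (dst, len(payload)))
+seq_id = 0
+while 1:
+# Give the ICMP packet the next ID in the sequence.
+seq_id += 1
+icmp = ICMP6.ICMP6.Echo_Request(1, seq_id, payload)
+# Have the IP packet contain the ICMP packet (along with its payload).
+ip.contains(icmp)
+ip.set_next_header(ip.child().get_ip_protocol_number())
+ip.set_payload_length(ip.child().get_size())
+icmp.calculate_checksum()
+# Send it to the target host.
+s.sendto(icmp.get_packet(), (dst, 0))
+# Wait for incoming replies.
+if s in select.select([s],[],[],1)[0]:
+reply = s.recvfrom(2000)[0]
+# Use ImpactDecoder to reconstruct the packet hierarchy.
+rip = ImpactDecoder.ICMP6Decoder().decode(reply)
+# If the packet matches, report it to the user.
+if ICMP6.ICMP6.ECHO_REPLY == rip.get_type():
+print("%d bytes from %s: icmp_seq=%d " % (rip.child().get_size()-4,dst,rip.get_echo_sequence_number()))
+time.sleep(1)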

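--- /dev/null
+++ b/overlay/Linux/usr/local/bin/pr[truncated on page]
@@ -0,0 +1,344 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+ROLE=proxy
+. /usr/local/bin/usr_local_tput.bash || exit 2
+## proxy_ami_cloudflared
+proxy_ami_cloudflared() {
+[ $# -gt 0 ] || return 1
+local ip=$1
+# https://netaddr.readthedocs.io/en/latest/tutorial_01.html
+# a=`python3 -c "import netaddr; print(netaddr.IPAddress('$ip') in list(netaddr.IPNetwork('$no')))"`
+# https://stackoverflow.com/questions/819355/how-can-i-check-if-an-ip-is-in-a-network-in-python
+for no in "${CLOUDF[@]}" ; do
+nopat=`sed -e 's/\.0.*//' <<< $no`
+[[ $ip =~ ${nopat}.* ]] && {
+# WARN $url cloudflared $ip $no
+echo True
+return 0
+}
+done
+echo False
+return 0
+}
+## proxy_ami_cloudflared_py
+proxy_ami_cloudflared_py() {
+[ $# -gt 0 ] || return 1
+local ip=$1
+a=`proxy_ami_cloudflared $ip`
+if [ $? -eq 0 -a "$a" = True ] ; then
+echo $a
+return 0
+fi
+for no in "${CLOUDF[@]}" ; do
+a=`python3 -c "import ipaddress; print(ipaddress.IPv4Address('$ip') in list(ipaddress.IPv4Network('$no')))"`
+if [ $? -eq 0 -a "$a" = True ] ; then
+echo $a
+return 0
+fi
+done
+echo False
+return 0
+}
+# /usr/include/openssl/x509_vfy.h
+declare -A OPENSSL_X509_V
+OPENSSL_X509_V=(
+[0]=OK
+[1]=ERR_UNSPECIFIED
+[2]=ERR_UNABLE_TO_GET_ISSUER_CERT
+[3]=ERR_UNABLE_TO_GET_CRL
+[4]=ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
+[5]=ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
+[6]=ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
+[7]=ERR_CERT_SIGNATURE_FAILURE
+[8]=ERR_CRL_SIGNATURE_FAILURE
+[9]=ERR_CERT_NOT_YET_VALID
+[10]=ERR_CERT_HAS_EXPIRED
+[11]=ERR_CRL_NOT_YET_VALID
+[12]=ERR_CRL_HAS_EXPIRED
+[13]=ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
+[14]=ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
+[15]=ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
+[16]=ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
+[17]=ERR_OUT_OF_MEM
+[18]=ERR_DEPTH_ZERO_SELF_SIGNED_CERT
+[19]=ERR_SELF_SIGNED_CERT_IN_CHAIN
+[20]=ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
+[21]=ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
+[22]=ERR_CERT_CHAIN_TOO_LONG
+[23]=ERR_CERT_REVOKED
+[24]=ERR_INVALID_CA
+[25]=ERR_PATH_LENGTH_EXCEEDED
+[26]=ERR_INVALID_PURPOSE
+[27]=ERR_CERT_UNTRUSTED
+[28]=ERR_CERT_REJECTED
+# These are 'informational' when looking for issuer cert
+[29]=ERR_SUBJECT_ISSUER_MISMATCH
+[30]=ERR_AKID_SKID_MISMATCH
+[31]=ERR_AKID_ISSUER_SERIAL_MISMATCH
+[32]=ERR_KEYUSAGE_NO_CERTSIGN
+[33]=ERR_UNABLE_TO_GET_CRL_ISSUER
+[34]=ERR_UNHANDLED_CRITICAL_EXTENSION
+[35]=ERR_KEYUSAGE_NO_CRL_SIGN
+[36]=ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+[37]=ERR_INVALID_NON_CA
+[38]=ERR_PROXY_PATH_LENGTH_EXCEEDED
+[39]=ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+[40]=ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+[41]=ERR_INVALID_EXTENSION
+[42]=ERR_INVALID_POLICY_EXTENSION
+[43]=ERR_NO_EXPLICIT_POLICY
+[44]=ERR_DIFFERENT_CRL_SCOPE
+[45]=ERR_UNSUPPORTED_EXTENSION_FEATURE
+[46]=ERR_UNNESTED_RESOURCE
+[47]=ERR_PERMITTED_VIOLATION
+[48]=ERR_EXCLUDED_VIOLATION
+[49]=ERR_SUBTREE_MINMAX
+# The application is not happy
+[50]=ERR_APPLICATION_VERIFICATION
+[51]=ERR_UNSUPPORTED_CONSTRAINT_TYPE
+[52]=ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+[53]=ERR_UNSUPPORTED_NAME_SYNTAX
+[54]=ERR_CRL_PATH_VALIDATION_ERROR
+# Another issuer check debug option
+[55]=ERR_PATH_LOOP
+# Suite B mode algorithm violation
+[56]=ERR_SUITE_B_INVALID_VERSION
+[57]=ERR_SUITE_B_INVALID_ALGORITHM
+[58]=ERR_SUITE_B_INVALID_CURVE
+[59]=ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
+[60]=ERR_SUITE_B_LOS_NOT_ALLOWED
+[61]=ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
+# Host, email and IP check errors
+[62]=ERR_HOSTNAME_MISMATCH
+[63]=ERR_EMAIL_MISMATCH
+[64]=ERR_IP_ADDRESS_MISMATCH
+# DANE TLSA errors
+[65]=ERR_DANE_NO_MATCH
+# security level errors
+[66]=ERR_EE_KEY_TOO_SMALL
+[67]=ERR_CA_KEY_TOO_SMALL
+[68]=ERR_CA_MD_TOO_WEAK
+# Caller error
+[69]=ERR_INVALID_CALL
+# Issuer lookup error
+[70]=ERR_STORE_LOOKUP
+# Certificate transparency
+[71]=ERR_NO_VALID_SCTS
+[72]=ERR_PROXY_SUBJECT_NAME_VIOLATION
+# OCSP status errors
+[73]=ERR_OCSP_VERIFY_NEEDED # Need OCSP verification
+[74]=ERR_OCSP_VERIFY_FAILED # Couldn't verify cert through OCSP
+[75]=ERR_OCSP_CERT_UNKNOWN # Certificate wasn't recognized by the OCSP responder
+[76]=ERR_SIGNATURE_ALGORITHM_MISMATCH
+[77]=ERR_NO_ISSUER_PUBLIC_KEY
+[78]=ERR_UNSUPPORTED_SIGNATURE_ALGORITHM
+[79]=ERR_EC_KEY_EXPLICIT_PARAMS
+)
+# man 3 libcurl-errors
+declare -A CURLE
+CURLE=(
+[0]=CURLE_OK
+[1]=CURLE_UNSUPPORTED_PROTOCOL
+[2]=CURLE_FAILED_INIT
+[3]=CURLE_URL_MALFORMAT
+[4]=CURLE_NOT_BUILT_IN
+[5]=CURLE_COULDNT_RESOLVE_PROXY
+[6]=CURLE_COULDNT_RESOLVE_HOST
+[7]=CURLE_COULDNT_CONNECT
+[8]=CURLE_WEIRD_SERVER_REPLY
+[9]=CURLE_REMOTE_ACCESS_DENIED
+[10]=CURLE_FTP_ACCEPT_FAILED
+[11]=CURLE_FTP_WEIRD_PASS_REPLY
+[12]=CURLE_FTP_ACCEPT_TIMEOUT
+[13]=CURLE_FTP_WEIRD_PASV_REPLY
+[14]=CURLE_FTP_WEIRD_227_FORMAT
+[15]=CURLE_FTP_CANT_GET_HOST
+[16]=CURLE_HTTP2
+[17]=CURLE_FTP_COULDNT_SET_TYPE
+[18]=CURLE_PARTIAL_FILE
+[19]=CURLE_FTP_COULDNT_RETR_FILE
+[21]=CURLE_QUOTE_ERROR
+[22]=CURLE_HTTP_RETURNED_ERROR
+[23]=CURLE_WRITE_ERROR
+[25]=CURLE_UPLOAD_FAILED
+[26]=CURLE_READ_ERROR
+[27]=CURLE_OUT_OF_MEMORY
+[28]=CURLE_OPERATION_TIMEDOUT
+[30]=CURLE_FTP_PORT_FAILED
+[31]=CURLE_FTP_COULDNT_USE_REST
+[33]=CURLE_RANGE_ERROR
+[34]=CURLE_HTTP_POST_ERROR
+[35]=CURLE_SSL_CONNECT_ERROR
+[36]=CURLE_BAD_DOWNLOAD_RESUME
+[37]=CURLE_FILE_COULDNT_READ_FILE
+[38]=CURLE_LDAP_CANNOT_BIND
+[39]=CURLE_LDAP_SEARCH_FAILED
+[41]=CURLE_FUNCTION_NOT_FOUND
+[42]=CURLE_ABORTED_BY_CALLBACK
+[43]=CURLE_BAD_FUNCTION_ARGUMENT
+[45]=CURLE_INTERFACE_FAILED
+[47]=CURLE_TOO_MANY_REDIRECTS
+[48]=CURLE_UNKNOWN_OPTION
+[49]=CURLE_SETOPT_OPTION_SYNTAX
+[52]=CURLE_GOT_NOTHING
+[53]=CURLE_SSL_ENGINE_NOTFOUND
+[54]=CURLE_SSL_ENGINE_SETFAILED
+[55]=CURLE_SEND_ERROR
+[56]=CURLE_RECV_ERROR
+[58]=CURLE_SSL_CERTPROBLEM
+[59]=CURLE_SSL_CIPHER
+[60]=CURLE_PEER_FAILED_VERIFICATION
+[61]=CURLE_BAD_CONTENT_ENCODING
+[62]=CURLE_LDAP_INVALID_URL
+[63]=CURLE_FILESIZE_EXCEEDED
+[64]=CURLE_USE_SSL_FAILED
+[65]=CURLE_SEND_FAIL_REWIND
+[66]=CURLE_SSL_ENGINE_INITFAILED
+[67]=CURLE_LOGIN_DENIED
+[68]=CURLE_TFTP_NOTFOUND
+[69]=CURLE_TFTP_PERM
+[70]=CURLE_REMOTE_DISK_FULL
+[71]=CURLE_TFTP_ILLEGAL
+[72]=CURLE_TFTP_UNKNOWNID
+[73]=CURLE_REMOTE_FILE_EXISTS
+[74]=CURLE_TFTP_NOSUCHUSER
+[75]=CURLE_CONV_FAILED
+[76]=CURLE_CONV_REQD
+[77]=CURLE_SSL_CACERT_BADFILE
+[78]=CURLE_REMOTE_FILE_NOT_FOUND
+[79]=CURLE_SSH
+[80]=CURLE_SSL_SHUTDOWN_FAILED
+[81]=CURLE_AGAIN
+[82]=CURLE_SSL_CRL_BADFILE
+[83]=CURLE_SSL_ISSUER_ERROR
+[84]=CURLE_FTP_PRET_FAILED
+[85]=CURLE_RTSP_CSEQ_ERROR
+[86]=CURLE_RTSP_SESSION_ERROR
+[87]=CURLE_FTP_BAD_FILE_LIST
+[88]=CURLE_CHUNK_FAILED
+[89]=CURLE_NO_CONNECTION_AVAILABLE
+[90]=CURLE_SSL_PINNEDPUBKEYNOTMATCH
+[91]=CURLE_SSL_INVALIDCERTSTATUS
+[92]=CURLE_HTTP2_STREAM
+[93]=CURLE_RECURSIVE_API_CALL
+[94]=CURLE_AUTH_ERROR
+[95]=CURLE_HTTP3
+[96]=CURLE_QUIC_CONNECT_ERROR
+[98]=CURLE_SSL_CLIENTCERT
+[99]=CURLE_UNRECOVERABLE_POLL
+)
+# 20 HTTP response status codes
+declare -A HTTP_RESPONSE
+HTTP_RESPONSE=(
+[100]="Continue"
+[101]="Switching Protocols"
+[103]="Early Hints"
+[200]="OK"
+[201]="Created"
+[202]="Accepted"
+[203]="Non-Authoritative Information"
+[204]="No Content"
+[205]="Reset Content"
+[206]="Partial Content"
+[300]="Multiple Choices"
+[301]="Moved Permanently"
+[302]="Found"
+[303]="See Other"
+[304]="Not Modified"
+[307]="Temporary Redirect"
+[308]="Permanent Redirect"
+[400]="Bad Request"
+[401]="Unauthorized"
+[402]="Payment Required"
+[403]="Forbidden"
+[404]="Not Found"
+[405]="Method Not Allowed"
+[406]="Not Acceptable"
+[407]="Proxy Authentication Required"
+[408]="Request Timeout"
+[409]="Conflict"
+[410]="Gone"
+[411]="Length Required"
+[412]="Precondition Failed"
+[413]="Payload Too Large"
+[414]="URI Too Long"
+[415]="Unsupported Media Type"
+[416]="Range Not Satisfiable"
+[417]="Expectation Failed"
+[418]="Im a teapot"
+[422]="Unprocessable Entity"
+[425]="Too Early"
+[426]="Upgrade Required"
+[428]="Precondition Required"
+[429]="Too Many Requests"
+[431]="Request Header Fields Too Large"
+[451]="Unavailable For Legal Reasons"
+[500]="Internal Server Error"
+[501]="Not Implemented"
+[502]="Bad Gateway"
+[503]="Service Unavailable"
+[504]="Gateway Timeout"
+[505]="HTTP Version Not Supported"
+[506]="Variant Also Negotiates"
+[507]="Insufficient Storage"
+[508]="Loop Detected"
+[510]="Not Extended"
+[511]="Network Authentication Required"
+)
+# https://curl.se/docs/ssl-ciphers.html
+# openssl
+# https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html
+# https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
+openssl=openssl
+# CURLOPT_TLS13_CIPHERS --tls13-ciphers
+if [ $openssl = openssl ] ; then
+export CURLOPT_TLS13_CIPHERS="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256"
+elif [ $openssl = nss ] ; then
+export CURLOPT_TLS13_CIPHERS="aes_128_gcm_sha_256,aes_256_gcm_sha_384,chacha20_poly1305_sha_256"
+fi
+declare -a NOTLSV3
+NOTLSV3=(
+# connection refused
+www.mirrorservice.org
+# no ipv3
+files.pythonhosted.org
+)
+# https://web.archive.org/web/20220722104744/https://www.cloudflare.com/ips-v4
+declare -a CLOUDFN
+CLOUDFN=(
+173.245.48.0/20
+103.21.244.0/22
+103.22.200.0/22
+103.31.4.0/22
+141.101.64.0/18
+108.162.192.0/18
+190.93.240.0/20
+188.114.96.0/20
+197.234.240.0/22
+198.41.128.0/17
+162.158.0.0/15
+104.16.0.0/13
+104.24.0.0/14
+172.64.0.0/13
+131.0.72.0/22
+)
+#for no in "${CLOUDF[@]}" ; do
+# # https://netaddr.readthedocs.io/en/latest/tutorial_01.html
+# a=`python3 -c "import netaddr; print('\n'.join(map(str,list(netaddr.IPNetwork('$no')))))"`
+#done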
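Review bot: Both loops in proxy_ami_cloudflared and proxy_ami_cloudflared_py iterate `"${CLOUDF[@]}"`, but the array the file actually defines is `CLOUDFN`, so CLOUDF is empty, neither loop body ever runs and both functions always print False; rename the loops to `"${CLOUDFN[@]}"`. The python3 fallback builds its program text by interpolating `$ip` and `$no` into the `-c` string, so any `$ip` value that is not a bare address (a hostname, a field scraped from a log, a stray quote) is parsed as Python rather than as data; pass the values as arguments instead: `a=$( python3 -c 'import ipaddress,sys; print(ipaddress.IPv4Address(sys.argv[1]) in ipaddress.IPv4Network(sys.argv[2]))' "$ip" "$no" )`. The same interpolation appears in the second copy of this library later in the commit. `a` and `nopat` are assigned without `local`, so each call leaks them into the caller's scope.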

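--- /dev/null
+++ b/overlay/Linux/usr/local/bin/pro[truncated on page]
@@ -0,0 +1,23 @@
+#!/bin/sh
+# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
+# https://unix.stackexchange.com/questions/293304/using-netcat-for-port-forwarding
+. /usr/local/bin/usr_local_tput.bash || exit 2
+prog=$( basename $0 .bash )
+PREFIX=/usr/local
+ROLE=proxy
+netstat -nlpe4 | grep -q 127.0.0.1:53 && {
+ERROR 127.0.0.1:53 already bound
+exit 1
+}
+MODE=$( /usr/local/bin/proxy_ping_lib.bash proxy_whonix_mode )
+if [ "$MODE" = tor -o "$MODE" = tor -o "$MODE" = gateway -o "$MODE" = selektor ] ; then
+socat udp-l:53,bind=127.0.0.1,fork,reuseaddr udp:127.0.0.1:9053
+elif [ "$MODE" = whonix -o "$MODE" = ws -o "$MODE" = tor -o "$MODE" = selektor ] ; then
+socat udp-l:53,bind=127.0.0.1,fork,reuseaddr udp:10.0.2.2:9053
+fi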
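Review bot: The first `if` already matches `tor` (listed twice) and `selektor`, so the `tor` and `selektor` alternatives in the `elif` are dead and those modes always get the 127.0.0.1:9053 forwarder; if the 10.0.2.2:9053 target was meant for them in a Whonix workstation the overlap has to be resolved, otherwise drop the duplicates so the two branches read as disjoint. The script declares `#!/bin/sh` but sources a `.bash` helper, so it only works where /bin/sh is bash or the helper happens to be POSIX; presumably `#!/bin/bash` was intended, as in the rest of the commit. `prog=$( basename $0 .bash )` is assigned and never used. An unmatched `MODE` falls off the end silently with exit 0; an `else ERROR unknown mode "$MODE" ; exit 1` arm would make that visible.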


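--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,12 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+. /usr/local/etc/testforge/testforge.bash
+PREFIX=$PROXY_VAR_LOCAL
+[ "$#" -eq 0 ] && set -- proxy
+exec bash $PREFIX/bin/testforge_ansible.bash "$@"
+ROLE=proxy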
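Review bot: `. /usr/local/etc/testforge/testforge.bash` is not checked, unlike the `|| exit 2` the other scripts in this commit put on their sourced helpers, so when the file is missing PROXY_VAR_LOCAL stays empty and the next line execs `bash /bin/testforge_ansible.bash`; guard it with `. /usr/local/etc/testforge/testforge.bash || exit 2` and `: "${PROXY_VAR_LOCAL:?PROXY_VAR_LOCAL is unset}"`. `ROLE=proxy` after the `exec` is unreachable; if the callee is meant to see it, `export ROLE=proxy` before the exec instead.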


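--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,401 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+ROLE=proxy
+. /usr/local/bin/usr_local_tput.bash || exit 2
+## proxy_ami_cloudflared
+proxy_ami_cloudflared() {
+[ $# -gt 0 ] || return 1
+local ip=$1
+for no in "${CLOUDFN[@]}" ; do
+nopat=`sed -e 's@[.0]*/[0-9][0-9]@@' <<< $no`
+[[ $ip =~ ${nopat}.* ]] && {
+# WARN $url cloudflared $ip $no
+echo True
+return 0
+}
+done
+echo False
+return 0
+}
+## proxy_ami_cloudflared_py
+proxy_ami_cloudflared_py() {
+[ $# -gt 0 ] || return 1
+local ip=$1
+a=`proxy_ami_cloudflared $ip`
+if [ $? -eq 0 -a "$a" = True ] ; then
+echo $a
+return 0
+fi
+# https://netaddr.readthedocs.io/en/latest/tutorial_01.html
+# a=`python3 -c "import netaddr; print(netaddr.IPAddress('$ip') in list(netaddr.IPNetwork('$no')))"`
+# https://stackoverflow.com/questions/819355/how-can-i-check-if-an-ip-is-in-a-network-in-python
+for no in "${CLOUDFN[@]}" ; do
+a=`python3 -c "import ipaddress; print(ipaddress.IPv4Address('$ip') in list(ipaddress.IPv4Network('$no')))"`
+if [ $? -eq 0 -a "$a" = True ] ; then
+echo $a
+return 0
+fi
+done
+echo False
+return 0
+}
+## proxy_ami_nottlsv3
+proxy_ami_nottlsv3() {
+[ $# -gt 0 ] || return 1
+local site=$1
+for no in "${NOTLSV3[@]}" ; do
+[[ $site =~ $no ]] && echo True && return 0
+done
+echo False
+return 0
+}
+declare -a NOTLSV3
+NOTLSV3=(
+# connection refused
+www.mirrorservice.org
+# no ipv3
+files.pythonhosted.org
+# forbidden
+download.nvidia.com
+# 500
+www.x.org
+)
+# https://web.archive.org/web/20220722104744/https://www.cloudflare.com/ips-v4
+declare -a CLOUDFN
+CLOUDFN=(
+173.245.48.0/20
+103.21.244.0/22
+103.22.200.0/22
+103.31.4.0/22
+104.16.0.0/13
+104.24.0.0/14
+108.162.192.0/18
+131.0.72.0/22
+141.101.64.0/18
+162.158.0.0/15
+172.64.0.0/13
+188.114.96.0/20
+190.93.240.0/20
+197.234.240.0/22
+198.41.128.0/17
+)
+#for no in "${CLOUDFN[@]}" ; do
+# # https://netaddr.readthedocs.io/en/latest/tutorial_01.html
+# a=`python3 -c "import netaddr; print('\n'.join(map(str,list(netaddr.IPNetwork('$no')))))"`
+#done
+# /usr/include/openssl/x509_vfy.h
+declare -A OPENSSL_X509_V
+OPENSSL_X509_V=(
+[0]=OK
+[1]=ERR_UNSPECIFIED
+[2]=ERR_UNABLE_TO_GET_ISSUER_CERT
+[3]=ERR_UNABLE_TO_GET_CRL
+[4]=ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
+[5]=ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
+[6]=ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
+[7]=ERR_CERT_SIGNATURE_FAILURE
+[8]=ERR_CRL_SIGNATURE_FAILURE
+[9]=ERR_CERT_NOT_YET_VALID
+[10]=ERR_CERT_HAS_EXPIRED
+[11]=ERR_CRL_NOT_YET_VALID
+[12]=ERR_CRL_HAS_EXPIRED
+[13]=ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
+[14]=ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
+[15]=ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
+[16]=ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
+[17]=ERR_OUT_OF_MEM
+[18]=ERR_DEPTH_ZERO_SELF_SIGNED_CERT
+[19]=ERR_SELF_SIGNED_CERT_IN_CHAIN
+[20]=ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
+[21]=ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
+[22]=ERR_CERT_CHAIN_TOO_LONG
+[23]=ERR_CERT_REVOKED
+[24]=ERR_INVALID_CA
+[25]=ERR_PATH_LENGTH_EXCEEDED
+[26]=ERR_INVALID_PURPOSE
+[27]=ERR_CERT_UNTRUSTED
+[28]=ERR_CERT_REJECTED
+# These are 'informational' when looking for issuer cert
+[29]=ERR_SUBJECT_ISSUER_MISMATCH
+[30]=ERR_AKID_SKID_MISMATCH
+[31]=ERR_AKID_ISSUER_SERIAL_MISMATCH
+[32]=ERR_KEYUSAGE_NO_CERTSIGN
+[33]=ERR_UNABLE_TO_GET_CRL_ISSUER
+[34]=ERR_UNHANDLED_CRITICAL_EXTENSION
+[35]=ERR_KEYUSAGE_NO_CRL_SIGN
+[36]=ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+[37]=ERR_INVALID_NON_CA
+[38]=ERR_PROXY_PATH_LENGTH_EXCEEDED
+[39]=ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+[40]=ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+[41]=ERR_INVALID_EXTENSION
+[42]=ERR_INVALID_POLICY_EXTENSION
+[43]=ERR_NO_EXPLICIT_POLICY
+[44]=ERR_DIFFERENT_CRL_SCOPE
+[45]=ERR_UNSUPPORTED_EXTENSION_FEATURE
+[46]=ERR_UNNESTED_RESOURCE
+[47]=ERR_PERMITTED_VIOLATION
+[48]=ERR_EXCLUDED_VIOLATION
+[49]=ERR_SUBTREE_MINMAX
+# The application is not happy
+[50]=ERR_APPLICATION_VERIFICATION
+[51]=ERR_UNSUPPORTED_CONSTRAINT_TYPE
+[52]=ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+[53]=ERR_UNSUPPORTED_NAME_SYNTAX
+[54]=ERR_CRL_PATH_VALIDATION_ERROR
+# Another issuer check debug option
+[55]=ERR_PATH_LOOP
+# Suite B mode algorithm violation
+[56]=ERR_SUITE_B_INVALID_VERSION
+[57]=ERR_SUITE_B_INVALID_ALGORITHM
+[58]=ERR_SUITE_B_INVALID_CURVE
+[59]=ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
+[60]=ERR_SUITE_B_LOS_NOT_ALLOWED
+[61]=ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
+# Host, email and IP check errors
+[62]=ERR_HOSTNAME_MISMATCH
+[63]=ERR_EMAIL_MISMATCH
+[64]=ERR_IP_ADDRESS_MISMATCH
+# DANE TLSA errors
+[65]=ERR_DANE_NO_MATCH
+# security level errors
+[66]=ERR_EE_KEY_TOO_SMALL
+[67]=ERR_CA_KEY_TOO_SMALL
+[68]=ERR_CA_MD_TOO_WEAK
+# Caller error
+[69]=ERR_INVALID_CALL
+# Issuer lookup error
+[70]=ERR_STORE_LOOKUP
+# Certificate transparency
+[71]=ERR_NO_VALID_SCTS
+[72]=ERR_PROXY_SUBJECT_NAME_VIOLATION
+# OCSP status errors
+[73]=ERR_OCSP_VERIFY_NEEDED # Need OCSP verification
+[74]=ERR_OCSP_VERIFY_FAILED # Couldn't verify cert through OCSP
+[75]=ERR_OCSP_CERT_UNKNOWN # Certificate wasn't recognized by the OCSP responder
+[76]=ERR_SIGNATURE_ALGORITHM_MISMATCH
+[77]=ERR_NO_ISSUER_PUBLIC_KEY
+[78]=ERR_UNSUPPORTED_SIGNATURE_ALGORITHM
+[79]=ERR_EC_KEY_EXPLICIT_PARAMS
+)
+# man 3 libcurl-errors
+declare -A CURLE
+CURLE=(
+[0]=CURLE_OK
+[1]=CURLE_UNSUPPORTED_PROTOCOL
+[2]=CURLE_FAILED_INIT
+[3]=CURLE_URL_MALFORMAT
+[4]=CURLE_NOT_BUILT_IN
+[5]=CURLE_COULDNT_RESOLVE_PROXY
+[6]=CURLE_COULDNT_RESOLVE_HOST
+[7]=CURLE_COULDNT_CONNECT
+[8]=CURLE_WEIRD_SERVER_REPLY
+[9]=CURLE_REMOTE_ACCESS_DENIED
+[10]=CURLE_FTP_ACCEPT_FAILED
+[11]=CURLE_FTP_WEIRD_PASS_REPLY
+[12]=CURLE_FTP_ACCEPT_TIMEOUT
+[13]=CURLE_FTP_WEIRD_PASV_REPLY
+[14]=CURLE_FTP_WEIRD_227_FORMAT
+[15]=CURLE_FTP_CANT_GET_HOST
+[16]=CURLE_HTTP2
+[17]=CURLE_FTP_COULDNT_SET_TYPE
+[18]=CURLE_PARTIAL_FILE
+[19]=CURLE_FTP_COULDNT_RETR_FILE
+[21]=CURLE_QUOTE_ERROR
+[22]=CURLE_HTTP_RETURNED_ERROR
+[23]=CURLE_WRITE_ERROR
+[25]=CURLE_UPLOAD_FAILED
+[26]=CURLE_READ_ERROR
+[27]=CURLE_OUT_OF_MEMORY
+[28]=CURLE_OPERATION_TIMEDOUT
+[30]=CURLE_FTP_PORT_FAILED
+[31]=CURLE_FTP_COULDNT_USE_REST
+[33]=CURLE_RANGE_ERROR
+[34]=CURLE_HTTP_POST_ERROR
+[35]=CURLE_SSL_CONNECT_ERROR
+[36]=CURLE_BAD_DOWNLOAD_RESUME
+[37]=CURLE_FILE_COULDNT_READ_FILE
+[38]=CURLE_LDAP_CANNOT_BIND
+[39]=CURLE_LDAP_SEARCH_FAILED
+[41]=CURLE_FUNCTION_NOT_FOUND
+[42]=CURLE_ABORTED_BY_CALLBACK
+[43]=CURLE_BAD_FUNCTION_ARGUMENT
+[45]=CURLE_INTERFACE_FAILED
+[47]=CURLE_TOO_MANY_REDIRECTS
+[48]=CURLE_UNKNOWN_OPTION
+[49]=CURLE_SETOPT_OPTION_SYNTAX
+[52]=CURLE_GOT_NOTHING
+[53]=CURLE_SSL_ENGINE_NOTFOUND
+[54]=CURLE_SSL_ENGINE_SETFAILED
+[55]=CURLE_SEND_ERROR
+[56]=CURLE_RECV_ERROR
+[58]=CURLE_SSL_CERTPROBLEM
+[59]=CURLE_SSL_CIPHER
+[60]=CURLE_PEER_FAILED_VERIFICATION
+[61]=CURLE_BAD_CONTENT_ENCODING
+[62]=CURLE_LDAP_INVALID_URL
+[63]=CURLE_FILESIZE_EXCEEDED
+[64]=CURLE_USE_SSL_FAILED
+[65]=CURLE_SEND_FAIL_REWIND
+[66]=CURLE_SSL_ENGINE_INITFAILED
+[67]=CURLE_LOGIN_DENIED
+[68]=CURLE_TFTP_NOTFOUND
+[69]=CURLE_TFTP_PERM
+[70]=CURLE_REMOTE_DISK_FULL
+[71]=CURLE_TFTP_ILLEGAL
+[72]=CURLE_TFTP_UNKNOWNID
+[73]=CURLE_REMOTE_FILE_EXISTS
+[74]=CURLE_TFTP_NOSUCHUSER
+[75]=CURLE_CONV_FAILED
+[76]=CURLE_CONV_REQD
+[77]=CURLE_SSL_CACERT_BADFILE
+[78]=CURLE_REMOTE_FILE_NOT_FOUND
+[79]=CURLE_SSH
+[80]=CURLE_SSL_SHUTDOWN_FAILED
+[81]=CURLE_AGAIN
+[82]=CURLE_SSL_CRL_BADFILE
+[83]=CURLE_SSL_ISSUER_ERROR
+[84]=CURLE_FTP_PRET_FAILED
+[85]=CURLE_RTSP_CSEQ_ERROR
+[86]=CURLE_RTSP_SESSION_ERROR
+[87]=CURLE_FTP_BAD_FILE_LIST
+[88]=CURLE_CHUNK_FAILED
+[89]=CURLE_NO_CONNECTION_AVAILABLE
+[90]=CURLE_SSL_PINNEDPUBKEYNOTMATCH
+[91]=CURLE_SSL_INVALIDCERTSTATUS
+[92]=CURLE_HTTP2_STREAM
+[93]=CURLE_RECURSIVE_API_CALL
+[94]=CURLE_AUTH_ERROR
+[95]=CURLE_HTTP3
+[96]=CURLE_QUIC_CONNECT_ERROR
+[98]=CURLE_SSL_CLIENTCERT
+[99]=CURLE_UNRECOVERABLE_POLL
+)
+# 20 HTTP response status codes
+declare -A HTTP_RESPONSE
+HTTP_RESPONSE=(
+[100]="Continue"
+[101]="Switching Protocols"
+[103]="Early Hints"
+[200]="OK"
+[201]="Created"
+[202]="Accepted"
+[203]="Non-Authoritative Information"
+[204]="No Content"
+[205]="Reset Content"
+[206]="Partial Content"
+[300]="Multiple Choices"
+[301]="Moved Permanently"
+[302]="Found"
+[303]="See Other"
+[304]="Not Modified"
+[307]="Temporary Redirect"
+[308]="Permanent Redirect"
+[400]="Bad Request"
+[401]="Unauthorized"
+[402]="Payment Required"
+[403]="Forbidden"
+[404]="Not Found"
+[405]="Method Not Allowed"
+[406]="Not Acceptable"
+[407]="Proxy Authentication Required"
+[408]="Request Timeout"
+[409]="Conflict"
+[410]="Gone"
+[411]="Length Required"
+[412]="Precondition Failed"
+[413]="Payload Too Large"
+[414]="URI Too Long"
+[415]="Unsupported Media Type"
+[416]="Range Not Satisfiable"
+[417]="Expectation Failed"
+[418]="Im a teapot"
+[422]="Unprocessable Entity"
+[425]="Too Early"
+[426]="Upgrade Required"
+[428]="Precondition Required"
+[429]="Too Many Requests"
+[431]="Request Header Fields Too Large"
+[451]="Unavailable For Legal Reasons"
+[500]="Internal Server Error"
+[501]="Not Implemented"
+[502]="Bad Gateway"
+[503]="Service Unavailable"
+[504]="Gateway Timeout"
+[505]="HTTP Version Not Supported"
+[506]="Variant Also Negotiates"
+[507]="Insufficient Storage"
+[508]="Loop Detected"
+[510]="Not Extended"
+[511]="Network Authentication Required"
+)
+# https://techcommunity.microsoft.com/t5/iis-support-blog/ssl-tls-alert-protocol-and-the-alert-codes/ba-p/377132
+declare -a SSL_ALERT_CODES
+# B.2. Alert Messages
+SSL_ALERT_CODES=(
+[0]="close_notify"
+[10]="unexpected_message"
+[20]="bad_record_mac"
+[21]="decryption_failed_RESERVED"
+[22]="record_overflow"
+[30]="decompression_failure_RESERVED"
+[40]="handshake_failure"
+[41]="no_certificate_RESERVED"
+[42]="bad_certificate"
+[43]="unsupported_certificate"
+[44]="certificate_revoked"
+[45]="certificate_expired"
+[46]="certificate_unknown"
+[47]="illegal_parameter"
+[48]="unknown_ca"
+[49]="access_denied"
+[50]="decode_error"
+[51]="decrypt_error"
+[60]="export_restriction_RESERVED"
+[70]="protocol_version"
+[71]="insufficient_security"
+[80]="internal_error"
+[86]="inappropriate_fallback"
+[90]="user_canceled"
+[100]="no_renegotiation_RESERVED"
+[109]="missing_extension"
+[110]="unsupported_extension"
+[111]="certificate_unobtainable_RESERVED"
+[112]="unrecognized_name"
+[113]="bad_certificate_status_response"
+[114]="bad_certificate_hash_value_RESERVED"
+[115]="unknown_psk_identity"
+[116]="certificate_required"
+[120]="no_application_protocol"
+)
+# https://curl.se/docs/ssl-ciphers.html
+# openssl
+# https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html
+# https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
+openssl=openssl
+# CURLOPT_TLS13_CIPHERS --tls13-ciphers
+if [ $openssl = openssl ] ; then
+export CURLOPT_TLS13_CIPHERS="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256"
+elif [ $openssl = nss ] ; then
+export CURLOPT_TLS13_CIPHERS="aes_128_gcm_sha_256,aes_256_gcm_sha_384,chacha20_poly1305_sha_256"
+fi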


@ -0,0 +1,55 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
# The idea here is to run ansible_local.bash --tags daily
# and then use this to do the parsing and throwing errors based on the output.
# This was the ansible run can be free from erroring and this can be
# run repeatedly anytime outside of ansible to deal with the issues raised.
# It is also run at the end of ansible_local.bash --tags daily to raise the issues.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
MYID=$( id -u )
[ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ; exit 1 ; }
# . $PREFIX/src/var_local_src.bash
which ansifilter >/dev/null 2>&1 && ansifilter=ansifilter || ansifilter=cat
ly=daily
errs=0
warns=0
elt=proxy
LOG_DIR=/usr/local/tmp
ELOG=$LOG_DIR/E${prog}_${ly}$$.log
WLOG=$LOG_DIR/W${prog}_${ly}$$.log
OUT=$LOG_DIR/O${prog}_${ly}$$.log
rm -f $LOG_DIR/*${prog}_${ly}*.log
elt=doctest3
if [ $MYID -ne 0 ] && [ -f /var/local/bin/testforge_python_doctest3.bash ] ; then
/var/local/bin/testforge_python_doctest3.bash \
/var/local/share/doc/txt/proxy3.txt \
> "$LOG_DIR"/$ly/$elt$$.log 2>> $ELOG || ERROR $elt >> $ELOG
fi
[ -f $WLOG ] && warns=$( wc -l $WLOG | cut -f 1 -d ' ' )
[ $? -eq 0 -a $warns -ne 0 ] && \
WARN "$prog $warns $ly $prog warnings in $WLOG"
[ -f $ELOG ] && errs=$( wc -l $ELOG | cut -f 1 -d ' ' )
[ $? -eq 0 -a $errs -ne 0 ] && \
ERROR "$prog $errs $ly $prog errors in $ELOG" && cat $ELOG
[ $errs -eq 0 ] && \
[ $warns -eq 0 ] && \
INFO "$prog No $ly errors" && \
rm -f $WLOG $ELOG $OUT
exit $errs
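Review bot: The doctest block guarded by `if [ $MYID -ne 0 ] && [ -f /var/local/bin/testforge_python_doctest3.bash ]` is unreachable, because the script has already exited a few lines earlier unless `$MYID` is 0, so `testforge_python_doctest3.bash` can never run from here. If it is meant to run as root the guard should be `if [ $MYID -eq 0 ] && [ -f /var/local/bin/testforge_python_doctest3.bash ] ; then`; otherwise the block is dead code, and note that the `"$LOG_DIR"/$ly/` directory it would write into is not created anywhere in this script. The `[ $? -eq 0 -a $warns -ne 0 ]` tests read the status of the preceding `[ -f ... ] && ...` list rather than of `wc`, which happens to give the intended result but reads more clearly as an `if [ -f "$WLOG" ] ; then ... fi` block.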


@ -0,0 +1,64 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/usr_local_base.bash || exit 2
# NO allow-version-check CALLS ANYWAY versions.gnupg.org
# echo "DEBUG: $0 GNUPGHOME=$GNUPGHOME $*" >> /tmp/$$.out
PROXY_GPG_KEYSERVER=keys.openpgp.org
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash >/dev/null
[ -z "$PROXY_GPG_KEYERVER_URL" ] && PROXY_GPG_KEYERVER_URL=hkps://$PROXY_GPG_KEYSERVER
# ONLY disabling on the command line or
[ -e /proc/sys/net/ipv6/conf/default/disable_ipv6 ] && \
[ `cat /proc/sys/net/ipv6/conf/default/disable_ipv6` -eq 0 ] && \
echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
PROXY_WLAN=$( /usr/local/bin/proxy_ping_lib.bash proxy_set_if ) # || return 1$?
if [ -n "$PROXY_WLAN" ] ; then
wlan7=$PROXY_WLAN
[ -e /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6 ] && \
[ `cat /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6` -eq 0 ] && \
echo 1 > /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6
fi
route | grep -q ^default || { ERROR no route ; exit 1; }
[ -z "$USER" ] && USER=$(id -un )
if [ $USER = root ] ; then
[ -x /usr/bin/dirmngr -a ! -x /usr/bin/dirmngr.bin ] && \
mv /usr/bin/dirmngr /usr/bin/dirmngr.bin
[ -x /usr/bin/dirmngr.bin -a ! -x /usr/bin/dirmngr ] && \
ln -s /usr/local/bin/proxy_dirmngr.bash /usr/bin/dirmngr
fi
[ ! -x /usr/bin/dirmngr -o ! -x /usr/bin/dirmngr.bin ] && exit 2
[ -f /etc/dirmngr/dirmngr.conf ] || exit 3
[ -x /usr/bin/dirmngr.bin ] || exit 4
[ ! -x /usr/bin/netstat ] || \
netstat -nlp|grep -q 127.0.0.1:53 || { ERROR no nameserver ; exit 5; }
[ ! -x /usr/bin/netstat ] || \
netstat -nlp|grep -q 127.0.0.1:3128 || { ERROR no proxy 3128 ; exit 6; }
# This is not enough: --disable-ipv6
# --keyserver hkps://keys.gentoo.org is required
# --http-proxy http://127.0.0.1:3128
# --keyserver $PROXY_GPG_KEYERVER_URL
# --no-use-tor is REQUIRED if you are running tor
# EVEN IF YOU DOT USE use-tor - silent dns failure
exec /usr/bin/dirmngr.bin --server -vvv --debug-all \
--options /etc/dirmngr/dirmngr.conf \
--nameserver 127.0.0.1 \
--disable-ipv6 \
--disable-ldap \
--no-use-tor \
--log-file /var/log/dirmngr.log --debug-level 4 \
"$@"
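Review bot: The `exec /usr/bin/dirmngr.bin --server -vvv --debug-all ... --log-file /var/log/dirmngr.log --debug-level 4` line permanently runs dirmngr at maximum verbosity, so every keyserver lookup made through this wrapper is recorded in that log whether or not anyone is debugging. The other scripts in this role gate their diagnostics on `[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ]`; the same pattern fits here, for example by collecting the fixed options in an array and appending `-vvv --debug-all --debug-level 4` only when that test holds. The `echo 1 > /proc/sys/net/ipv6/conf/.../disable_ipv6` writes run for every caller, but only root can write there, so for a non-root user they just fail on stderr; moving them inside the existing `if [ $USER = root ]` block would keep the wrapper quiet for ordinary users.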


@ -0,0 +1,63 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
# Dual Linux or msys64
prog=$( basename $0 .bash )
ROLE=proxy
PREFIX=/usr/local
[ -n "$MSYSTEM" ] && EXET=msys || EXET=sh
[ -f $PREFIX/etc/testforge/testforge.bash ] \
&& . /usr/local/etc/testforge/testforge.bash
# Dual Linux or msys64
PROXIES=""
if [ -d /etc/pacman.d/gnupg ] ; then
ROLE=msys64
HOMEDIR=/etc/pacman.d/gnupg
# proxy or striaght through
PROXIES="10.152.152.12"
elif [ -d /q/Pg64/Msys64/etc/pacman.d/gnupg ] ; then
ROLE=q
HOMEDIR=/q/Pg64/Msys64/etc/pacman.d/gnupg
ppl=/usr/local/bin/proxy_ping_lib.bash
# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
[ "$USER" != root ] && export PATH=/sbin:$PATH
[ -z "$MODE" ] && MODE=$( $ppl proxy_ping_mode )
if [ "$MODE" = tor ] ; then
PROXIES="127.0.0.1:3128"
elif [ "$MODE" = whonix ] ; then
PROXIES="10.0.2.15:9128"
elif [ "$MODE" = gateway ] ; then
PROXIES="10.0.2.15:9128"
elif ps ax | grep -q polipo ; then
PROXIES="127.0.0.1:3128"
else
echo ERROR: unknown proxy
exit 2
fi
fi
GPG="gpg --verbose --home $HOMEDIR"
[ -f /etc/dirmngr/dirmngr.conf ] || { echo ERROR: no ^keyserver in /etc/dirmngr/dirmngr.conf ; exit 1 ; }
$GPG --refresh-keys --verbose
ps ax | grep /usr/bin/dirmngr.bin|grep -v grep|sed -e 's/ .*//'|xargs kill
grep '^keyserver hkp' /etc/dirmngr/dirmngr.conf| \
sed -e 's@keyserver hkp://@@' | \
while read elt;do
for proxy in $PROXIES; do
echo 1 | http_proxy=$proxy $GPG --yes \
--debug-level guru \
--keyserver hkp://$elt \
--search-keys abcdefghij || exit 3$?
echo INFO: $proxy $elt
done
done
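Review bot: `ps ax | grep /usr/bin/dirmngr.bin|grep -v grep|sed -e 's/ .*//'|xargs kill` extracts the PID by deleting everything from the first space, but `ps ax` right-aligns the PID column with leading spaces, so for any PID narrower than the column the result is an empty string and `kill` is invoked with no argument; only PIDs that fill the column are ever killed. `pkill -f /usr/bin/dirmngr.bin` does the same job without parsing ps output. In the msys64 branch `PROXIES="10.152.152.12"` is a bare address with no scheme or port, unlike the `127.0.0.1:3128` form used by the other branches, so `http_proxy=$proxy` there looks like an incomplete edit.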


@ -0,0 +1,42 @@
#!/usr/bin/expect --
# -*- mode: tcl; tab-width: 8; encoding: utf-8-unix -*-
set timeout 60
set elt $env(keyserver)
spawn gpg --verbose \
--homedir $env(HOMEDIR) \
--debug-level guru \
--keyserver hkp://$elt \
--search-keys $env(KEY_ID)
# keyserver search failed: Not found
# 0x6923CE7991ABF7338DB1C9AA5F0142A080E4A9A0
expect "1-1*"
send_user "Sending 1\r"
send "1\r"
expect -re .+ {
exp_continue
} 0x6923CE7991ABF7338DB1C9AA5F0142A080E4A9A0 {
send_user "Quitting 0x6923CE7991ABF7338DB1C9AA5F0142A080E4A9A0\r"
exit 0
} AbCdEfGhIj {
send_user "Quitting AbCdEfGhIj\r"
exit 0
} BYE {
send_user "Quitting BYE\r"
exit 0
} "6923 CE79 91AB F733 8DB1 C9AA 5F01 42A0 80E4 A9A0" {
send_user "Quitting FP\r"
exit 0
} timeout {
exit 1
} eof {
exit 0
}
# expect -r .+ {send "\r"}
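Review bot: The `expect` block lists `-re .+ { exp_continue }` as its first pattern, and expect tries the patterns in the order given, so any non-empty output matches the catch-all and continues before the fingerprint, `AbCdEfGhIj`, `BYE` and `FP` patterns are ever consulted; in practice the script only ends on `timeout` or `eof`. Moving the `-re .+ { exp_continue }` clause to the end of the list, just before `timeout`, restores the intended early exits. The `#!/usr/bin/expect --` shebang and `set timeout 60` are fine as they are.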


@ -0,0 +1,22 @@
#!/bin/sh
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
# https://unix.stackexchange.com/questions/293304/using-netcat-for-port-forwarding
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/usr_local_tput.bash || exit 2
netstat -nlpe4 | grep -q 127.0.0.1:53 && {
ERROR 127.0.0.1:53 already bound
exit 1
}
MODE=$( /usr/local/bin/proxy_ping_lib.bash proxy_ping_mode )
if [ "$MODE" = tor -o "$MODE" = gateway -o "$MODE" = selektor ] ; then
socat -L/run/socat.lck udp-l:53,bind=127.0.0.1,fork,reuseaddr udp:127.0.0.1:9053 >/dev/null
elif a[ "$MODE" = whonix ] ; then
socat -L/run/socat.lck udp-l:53,bind=127.0.0.1,fork,reuseaddr udp:10.0.2.2:9053 >/dev/null
fi
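Review bot: `elif a[ "$MODE" = whonix ] ; then` has a stray `a` glued to the test, so the shell looks for a command named `a[` and the whonix branch can never be taken; under `#!/bin/sh` it prints a "not found" error and falls through. The line should read `elif [ "$MODE" = whonix ] ; then`. Neither `socat` invocation checks its exit status, so a failed bind on 127.0.0.1:53 is silent; the sibling script that forwards port 53 on the external address at least reports it with `|| WARN ...`.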


@ -0,0 +1,166 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
#NO prog=proxy_export
. /usr/local/bin/usr_local_tput.bash || exit 2
[ -f /usr/local/bin/proxy_ping_lib.bash ] || \
{ ERROR missing /usr/local/bin/proxy_ping_lib.bash ; exit 1; }
# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
# [ "$USER" != root ] && export PATH=/sbin:$PATH
## proxy_to_virbr1_15
proxy_to_virbr1_15 () {
if ifconfig | grep -q virbr1 ; then
PROXY_VIREXT_IP=$( ifconfig virbr1 | grep inet | sed -e 's/.*inet //' -e 's/ .*//' )
[ $? -eq 0 -a -n "$PROXY_VIREXT_IP" ] && \
PROXY_VIREXT_HOST=$( echo $PROXY_VIREXT_IP | sed -e 's/2$/15/' ) && \
[ -n "$PROXY_VIREXT_HOST" ] && \
export no_proxy="localhost,127.0.0.1,$PROXY_VIREXT_HOST" && \
export https_proxy=http://$PROXY_VIREXT_HOST:9128 && \
export socks_proxy=socks5://$PROXY_VIREXT_HOST:9050 && \
export TOR_SOCKS_HOST=$PROXY_VIREXT_HOST && \
export TOR_SOCKS_PORT=9050
fi
return 0
}
## proxy_http_host_httpproxy
proxy_http_host_httpproxy () {
if netstat -nle4 | grep -q 127.0.0.1:3128 >/dev/null ; then
export http_proxy=http://127.0.0.1:3128
export https_proxy=http://127.0.0.1:3128
export RSYNC_PROXY=127.0.0.1:3128
fi
return 0
}
proxy_https_host_selektor () { proxy_https_host_tor $* ; }
proxy_https_host_tor () {
if netstat -nle4 | grep -q 127.0.0.1:9128 >/dev/null ; then
export https_proxy=http://127.0.0.1:9128
fi
return 0
}
proxy_socks_host_tor () {
local file=/etc/tor/torrc
if [ -f $file ] ; then
port=`grep -hi ^socksport /etc/tor/torrc /etc/tor/torrc-defaults | sed -e 's/SocksPort //' -e 's/.*://'`
[ -z "$port" ] && port=9050
export socks_proxy=socks5://127.0.0.1:$port
return 0
else
[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
echo >&2 WARN: $prog $file not found
return 1
fi
if netstat -nle4 | grep -q 127.0.0.1:$port >/dev/null ; then
export socks_proxy=socks5://127.0.0.1:$port
fi
return 0
}
proxy_socks_host_selektor () {
local file=/var/lib/tor/.SelekTOR/3xx/SelekTOR.xml
if [ -f $file ] ; then
port=`grep PREF_LISTENPORT $file | sed -e 's/.*">//' -e 's/<.*//'`
[ -z "$port" ] && port=9050
export socks_proxy=socks5://127.0.0.1:$port
return 0
else
[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
echo >&2 WARN: $prog $file not found
fi
return 0
}
# proxy_export_mode
proxy_export_mode () {
ppl=/usr/local/bin/proxy_ping_lib.bash
[ -z "$MODE" ] && MODE=$( $ppl proxy_ping_mode )
[ -z "$MODE" ] && MODE=host
# $0=bash
[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
debug $prog MODE=$MODE ONE=$MODE 0=$0 "$#" "$@"
if [ "$MODE" = from -o "$MODE" = whonix ] ; then
export no_proxy="localhost,127.0.0.1,10.0.2.15"
proxy_http_host_httpproxy
proxy_to_virbr1_15
elif [ "$MODE" = client ] ; then
# inherit the environment
proxy_http_host_httpproxy
proxy_https_host_tor
proxy_socks_host_tor
elif [ "$MODE" = nat ] ; then
export no_proxy="localhost,127.0.0.1,10.0.2.2,10.0.2.0/24"
# get external
external=`grep external$ /etc/hosts|sed -e 's/ .*//'`
if [ $? -eq 0 ] && [ -n "$external" ] ; then
# get the ports and PROXY_MODE of the host
export socks_proxy=socks5://$external:9050
export http_proxy=http://$external:3128
export https_proxy=http://$external:9128
fi
elif [ "$MODE" = vda -o "$MODE" = workstation ] ; then
export no_proxy="localhost,127.0.0.1,10.152.152.10"
export socks_proxy=socks5://10.152.152.10:9050
proxy_http_host_httpproxy
export https_proxy=http://10.152.152.10:9128
elif [ "$MODE" = gateway ] ; then
export no_proxy="localhost,127.0.0.1,10.0.2.2,10.0.2.15"
export socks_proxy=socks5://10.0.2.15:9050
proxy_http_host_httpproxy
export https_proxy=http://10.0.2.15:9128
elif [ "$MODE" = selektor ] ; then
export http_proxy=http://127.0.0.1:3128
export https_proxy=http://127.0.0.1:9128
export no_proxy="localhost,127.0.0.1"
proxy_http_host_httpproxy
proxy_https_host_selektor
proxy_socks_host_selektor
elif true || [ "$MODE" = to -o "$MODE" = to_tor -o "$MODE" = tor ] ; then
export http_proxy=http://127.0.0.1:3128
export https_proxy=http://127.0.0.1:9128
export socks_proxy=http://127.0.0.1:9050
export no_proxy="localhost,127.0.0.1"
proxy_http_host_httpproxy
proxy_https_host_tor
proxy_socks_host_tor
fi
}
# echo $0 $* "$0" = 'tostop' -o
if [ "$0" = '-bash' -o "$0" = '/bin/bash' -o "$0" = 'bash' ] ; then
proxy_export_mode
[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
env | grep proxy | while read line ; do debug $line ; done
elif [ -x /usr/bin/basename ] && \
[ `basename -- "$0"` = 'proxy_export.bash' -o \
"$( basename -- "`readlink $0`" )" = 'proxy_export.bash' ] ; then
if [ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] ; then
echo USAGE: $0 && grep '^## ' $0 | sed -e 's/^## //'|sort
elif [ "$#" -eq 0 ] || [ "$#" -eq 1 -a $1 = mode ]; then
set -- proxy_export_mode
fi
eval "$@"
exit $?
fi
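Review bot: In the final `elif true || [ "$MODE" = to -o ... ]` branch, `export socks_proxy=http://127.0.0.1:9050` gives the SOCKS endpoint an `http://` scheme, while every other branch and `proxy_socks_host_tor` use `socks5://`; `proxy_socks_host_tor` only overwrites the value when `/etc/tor/torrc` exists, so on hosts without that file consumers inherit a SOCKS proxy with the wrong scheme. It should be `export socks_proxy=socks5://127.0.0.1:9050`. In `proxy_socks_host_tor` both arms of the `if` return, so the `netstat -nle4 | grep -q 127.0.0.1:$port` check after `fi` is unreachable and `port` is never declared `local`; and `elif true || [ ... ]` makes the last branch unconditional, which a plain `else` would state honestly.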


@ -0,0 +1,8 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/proxy_ping_lib.bash || { echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 3; }
proxy_ping_firewall_restart $*
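Review bot: `proxy_ping_firewall_restart $*` re-splits the script's arguments on whitespace before passing them on; `proxy_ping_firewall_restart "$@"` forwards them unchanged. The script's exit status is whatever the function returns, which is presumably intended, but an explicit `exit $?` on the following line would make that visible to the reader.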


@ -0,0 +1,16 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
# on stdout - messages on stderr
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
export PATH=$PATH:/usr/local/bin
PROXY_WLAN=$( /usr/local/bin/proxy_ping_lib.bash proxy_get_if )
retval=$?
echo -n $PROXY_WLAN
exit $retval


@ -0,0 +1,25 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
# Dual Linux or msys64
prog=$( basename $0 .bash )
ROLE=proxy
PREFIX=/usr/local
[ -n "$MSYSTEM" ] && EXET=msys || EXET=sh
. /usr/local/bin/usr_local_tput.bash
[ -f $PREFIX/etc/testforge/testforge.bash ] \
&& . /usr/local/etc/testforge/testforge.bash
grep -v '#\|127.0.0.1' /etc/hosts | while read ip b ; do
[ -z "$ip" ] && continue
[ -z "$b" ] && continue
dig -x $ip | grep "$b" && \
INFO $ip $b || \
WARN $ip $b `dig -x $ip | grep 'IN.*\.'`
dig $b | grep 'IN.*\.'
dig @8.8.8.8 $b | grep 'IN.*\.'
done
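Review bot: `dig @8.8.8.8 $b | grep 'IN.*\.'` sends every hostname from /etc/hosts straight to an external resolver, bypassing the local 127.0.0.1 forwarder that the other scripts in this role set up and check for; on a box whose job is to force traffic through a proxy, that is a cleartext DNS leak of the internal host list every time the check runs. If an outside comparison is wanted it should go through the configured resolver or sit behind an explicit option. Separately, `while read ip b` should be `while read -r ip b`, and the `dig ... && INFO ... || WARN ...` form also runs the WARN branch when INFO itself fails.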


@ -0,0 +1,192 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
DEBUG=1
# The idea here is to run ansible_local.bash --tags daily
# and then use this to do the parsing and throwing errors based on the output.
# This was the ansible run can be free from erroring and this can be
# run repeatedly anytime outside of ansible to deal with the issues raised.
# It is also run at the end of ansible_local.bash --tags daily to raise the issues.
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash || exit 2
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ -f /usr/local/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash >/dev/null
PL=/usr/local/bin/proxy_ping_lib.bash
. $PL
PL=
[ -z "$USER" ] && USER=$(id -un )
MYID=$( id -u )
[ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ; exit 1 ; }
# . $PREFIX/src/var_local_src.bash
which ansifilter >/dev/null 2>&1 && ansifilter=ansifilter || ansifilter=cat
[ -d /dev/virtio-ports ] && ONE_GUEST=1 || ONE_GUEST=0
ly=hourly
errs=0
warns=0
elt=proxy
LOG_DIR=/usr/local/tmp
ELOG=$LOG_DIR/E${prog}_${ly}$$.log
WLOG=$LOG_DIR/W${prog}_${ly}$$.log
OUT=$LOG_DIR/O${prog}_${ly}$$.log
[ -f /usr/local/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash
export PATH=$PATH:/usr/local/bin
[ -z "$MODE" ] && MODE=$( $PL proxy_ping_mode )
[ -n "$DEBUG" ] && echo >&2 DEBUG: $prog $ly MODE=$MODE 0=$0 "$#" "$@"
[ -z "$MODE" ] && exit 2
# ubuntu / devuan oddball
route | grep -q 'lo$' || \
ip route add 127.0.0.0/8 dev lo scope host
/usr/local/bin/proxy_ping_test.bash $MODE 2> $ELOG
if [ $ONE_GUEST -eq 0 ] ; then
IP=`ifconfig |grep -A1 wlan|grep inet|sed -e 's/.*inet //' -e 's/ .*//'`
# 10.24.216.64
if [ -n "$IP" ] ; then
grep -q " external" /etc/hosts && \
sed -e "s/.* external/$IP external/" -i /etc/hosts || \
echo "$IP external" >> /etc/hosts
fi
a=`grep nameserver /etc/resolv.conf | grep -v 'nameserver 127.0.0.1'| wc -l`
if [ $? -eq 0 -a -n "$a" -a "$a" -gt 0 ] ; then
/usr/local/bin/base_wall.bash "CRIT: $prog /etc/resolv.conf" `grep nameserver /etc/resolv.conf`
echo 'nameserver 127.0.0.1' > /etc/resolv.conf
fi
[ -d $LOG_DIR/ ] || mkdir -p $LOG_DIR/ || true
find $LOG_DIR/*${prog}_${ly}*.log -ctime +2 -delete || true
if [ -d /etc/ssl/certs/ ] ; then
find -L /etc/ssl/certs/ -type l >> $WLOG
find -L /etc/ssl/certs/ -type l -delete
else
WARN /etc/ssl/certs/ missing
fi
if [ "$MODE" = whonix ] ; then
[ -n "$BASE_SRC_ANSIBLE" ] || BASE_SRC_ANSIBLE=/g/TestForge/src/ansible
BOX_WHONIX_PROXY_HOST=$( /usr/local/bin/testforge_get_inventory.bash BOX_WHONIX_PROXY_HOST )
if [ -n "$BOX_WHONIX_PROXY_HOST" ] && \
which virsh 2>/dev/null >/dev/null && \
virsh list | grep -q "$BOX_WHONIX_PROXY_HOST" ; then
# sh proxy_whonix_host_tor.bash whonix
/usr/local/sbin/proxy_whonix_host.bash proxy_whonix_host_add_block >>$OUT 2>>$ELOG
fi
$PL proxy_libvirt_test >$OUT 2>&1
retval=$?
[ $retval -gt 1 ] && ERROR $prog proxy_libvirt_test retval=$retval >> $ELOG
fi
[ -f /etc/firewall.conf ] || {
ERROR $prog NO FIREWALL /etc/firewall.conf | tee -a $ELOG | \
xargs /usr/local/bin/base_wall.bash
}
ifconfig | grep -q ^wlan
if [ $? -eq 0 ] ; then
wlan7=`ifconfig|grep ^wlan|tail -1| sed -e 's/:.*//'`
grep -q $wlan7 /etc/firewall.conf || {
ERROR $prog NO $wlan7 in /etc/firewall.conf | tee -a $ELOG | \
xargs /usr/local/bin/base_wall.bash
/usr/local/bin/firewall.bash
}
fi
[ -f /var/log/privoxy/logfile ] && \
grep -i fatal /var/log/privoxy/logfile >> $WLOG && \
echo ERROR: Fatal in /var/log/privoxy/logfile |tee -a $ELOG
if route | grep -q ^def ; then
$PL proxy_ping_gw_check || {
ERROR proxy_ping_gw_check >> $ELOG
}
$PL proxy_ping_dnsmasq_check || {
x ERROR proxy_ping_dnsmasq_check >> $ELOG
}
$PL proxy_ping_firewall_check || {
ERROR proxy_ping_firewall_check >> $ELOG
}
$PL proxy_iptables_save >$OUT 2>&1
if [ $? -ne 0 ] || ! grep -q DROP $OUT ; then
ERROR $prog NO FIREWALL - DROP `cat $OUT` | tee -a $ELOG
/usr/local/bin/base_wall.bash ERROR $prog NO FIREWALL - DROP
#? /usr/local/bin/proxy_firewall_restore_iptable.bash /etc/firewall.conf
fi
$PL proxy_test_dirmngr $OUT || \
{ retval=$? ; ERROR proxy_test_dirmngr $retval >> $ELOG ; }
if dmesg | grep --text -A 1 'martian' ; then
dmesg | grep --text -A 1 'martian' | \
xargs echo WARN: martians >> $WLOG
dmesg | grep --text -A 1 'martian' | \
sed -e 's/DST=.*//' -e 's/.*martian_//' -e 's/ OUT=.*SRC=/ /' >> $WLOG
fi
/usr/local/bin/proxy_ping_test.bash dns || {
ERROR $prog no dns >> $ELOG ;
}
/usr/local/bin/proxy_ping_test.bash 3128 || {
# can be false
WARN $prog no 3128 >> $WLOG
}
PROXY_WLAN=$( $PL proxy_get_if )
[ -n "$PROXY_WLAN" -a -f /etc/wicd/wireless-settings.conf ] && \
ps ax | grep -q wpa_supplicant && \
grep -A 1 bad$ /etc/wicd/wireless-settings.conf | \
grep bssid | sed -e 's/.*= //' | \
while read elt ; do \
wpa_cli -i "$PROXY_WLAN" blacklist $elt
done
$PL proxy_ping_firewall_check || \
/usr/local/bin/base_wall.bash $prog 'CRIT: proxy_ping_firewall_check' retval=$?
fi
fi
[ -s $OUT ] && grep WARN: $OUT >> $WLOG
if [ -s $ELOG ] ; then
errs=$( wc -l $ELOG | cut -f 1 -d ' ' )
if [ $? -eq 0 -a $errs -ne 0 ] ; then
ERROR $prog $errs $ly $prog errors in $ELOG
cat $ELOG
/usr/local/bin/base_wall.bash "ERROR: $prog $errs errors in $ELOG"
exit $errs
fi
fi
[ -f $WLOG ] && warns=`wc -l $WLOG | cut -f 1 -d ' '`
[ $? -eq 0 -a $warns -ne 0 ] && \
WARN "$warns $ly $prog warnings in $WLOG"
[ -f $ELOG ] && errs=`wc -l $ELOG | cut -f 1 -d ' '`
if [ $? -eq 0 -a $errs -ne 0 ] ; then
ERROR "$errs $ly $prog errors in $ELOG"
cat $ELOG
exit $errs
fi
[ $errs -eq 0 ] && \
ols_clean_testforge_logs $HARDEN_LOG_DIR && \
[ $warns -eq 0 ] && \
INFO "$prog No $ly errors in $HARDEN_LOG_DIR"
exit 0
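Review bot: `x ERROR proxy_ping_dnsmasq_check >> $ELOG` has a stray `x` in front, so when `proxy_ping_dnsmasq_check` fails the shell tries to run a command named `x`, nothing is appended to `$ELOG`, and the dnsmasq failure never reaches the error count; the line should be `ERROR proxy_ping_dnsmasq_check >> $ELOG`. The `grep -q " external" /etc/hosts && sed ... -i /etc/hosts || echo "$IP external" >> /etc/hosts` line is an `a && b || c` chain, so a failing `sed` also appends a second `external` entry; an `if`/`else` avoids that. `PL=` is cleared immediately after `. $PL`, so every later `$PL proxy_...` expands to a bare function call — that works because the library was sourced, but a one-line comment saying so would stop the next reader from assuming `$PL` is still a path.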


@ -0,0 +1,35 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
route | grep -q ^default || exit 0
[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash \
|| { echo >&2 ERROR: $prog "$PREFIX/etc/testforge/testforge.bash" ; exit 1 ; }
error () { retval=$1 ; shift; echo "ERROR: $prog" $* ; exit $retval ; }
warn () { WARN "$prog " $* ; }
info () { echo "INFO: $prog " $* ; }
usage () { echo "USAGE: $prog chroot-dir [command args] -" $* ; exit 1 ; }
# must be run as root
[ "$( id -u )" -ne "0" ] && error 1 "must be run as root"
PROXY_WLAN=$( /usr/local/bin/proxy_get_if.bash )
[ $? -eq 0 ] || error 2 " error getting device $?"
PROXY_WLAN_IP=$( proxy_ping_lib.bash proxy_get_wlan_ip )
LARGS="-i $PROXY_WLAN"
CONF=/usr/local/etc/jnettop.conf
if [ -f $CONF ] ; then
LARGS="$LARGS --config-file $CONF"
# sed -e 's/^#* *interface.*/interface "'$PROXY_WLAN'"/' -i $CONF
[ -n "$PROXY_WLAN_IP" ] && sed -e 's/"me"\t.*/"me" "net '$PROXY_WLAN_IP'"/' -i $CONF && grep -q $PROXY_WLAN_IP $CONF
fi
exec jnettop $LARGS $* # 2>/dev/null
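Review bot: `[ $? -eq 0 ] || error 2 " error getting device $?"` reports the status of the `[` test itself (always 1 on that path), not the exit status of `proxy_get_if.bash`; capture it first, `retval=$? ; [ $retval -eq 0 ] || error 2 " error getting device $retval"`. `exec jnettop $LARGS $*` relies on word-splitting `$LARGS` and re-splits the script's own arguments; since the interface name and config path are fixed here it works, but `LARGS=(-i "$PROXY_WLAN")` with `exec jnettop "${LARGS[@]}" "$@"` is the bash-safe form.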


@ -0,0 +1,35 @@
#!/bin/sh
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
# https://unix.stackexchange.com/questions/293304/using-netcat-for-port-forwarding
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/usr_local_tput.bash || exit 2
if [ ! -d /run/tmp ] ; then
sudo mkdir /run/tmp
sudo chown 1777 /run/tmp
fi
[ -z "$MODE" ] && MODE=$(/usr/local/bin/proxy_ping_lib.bash proxy_ping_mode )
IP=`grep ' external$' /etc/hosts|sed -e 's/ .*//'`
retval=$?
if [ $retval -ne 0 ] || [ -z "$IP" ] ; then
exit $retval
fi
if [ "$MODE" = tor -o "$MODE" = gateway -o "$MODE" = selektor ] ; then
socat -L/run/socat.lck udp-l:53,bind=$IP,fork,reuseaddr udp:127.0.0.1:9053 >/dev/null || \
WARN 53,bind=$IP in use
for elt in 9050 9128 ; do
netstat -nle4 | grep -q $IP:$elt && {
ERROR $IP:$elt already bound
continue # exit 1
}
DBUG socat -L/run/tmp/socat$elt.lck tcp-l:$elt,bind=${IP},fork,reuseaddr tcp:127.0.0.1:$elt
socat -L/run/tmp/socat$elt.lck tcp-l:$elt,bind=${IP},fork,reuseaddr tcp:127.0.0.1:$elt &
done
#else
# WARN $MODE
#fi
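Review bot: `sudo chown 1777 /run/tmp` changes the owner of /run/tmp to uid 1777 instead of setting the sticky, world-writable mode the number suggests; it should be `sudo chmod 1777 /run/tmp`. As written the directory keeps whatever mode `mkdir` produced, so the `-L/run/tmp/socat$elt.lck` lock files may not be creatable by other users. Binding 9050 and 9128 on `$IP` (the `external` address from /etc/hosts) makes the SOCKS and HTTP proxies reachable from whatever network that address sits on; a comment naming the firewall rule that is expected to restrict those ports would help the next maintainer judge whether that exposure is intended.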


@ -0,0 +1,64 @@
#!/bin/bash
ROLE=proxy
MODE=host
#[ $# -eq 0 ] && set -- Whonix-Gateway /bin/cat /proc/cmdline
[ $# -eq 0 ] && set -- Whonix-Gateway /bin/netstat -lnp4
[ $# -lt 2 ] && echo USAGE: $0 domain command arguments
HOST=$1
shift
CMD=$1
shift
# FixMe
if [ $? -gt 1 ] ; then
ARGS=""
elif [ $? -gt 1 ] ; then
ARGS=`sed -e 's/ /","/g' <<< $@`
else
ARGS="$1"
fi
[ "$HOST" = WWork106 ] && HOST=Whonix-Workstation || true
[ "$HOST" = WGate106 ] && HOST=Whonix-Gateway || true
echo INFO: $0 $HOST $CMD $ARGS
false && echo DEBUG: virsh qemu-agent-command $HOST \
'{"execute":"guest-exec", "arguments": {"capture-output": true,"path":"'$CMD'","arg":["'$ARGS'"]}}'
virsh qemu-agent-command $HOST \
'{"execute":"guest-exec", "arguments": {"capture-output": true,"path":"'$CMD'","arg":["'$ARGS'"]}}' \
>/tmp/Q$$.out || exit 1$?
grep -q return /tmp/Q$$.out || exit 2
pid=`sed -e 's/.*://' -e 's/}.*//' /tmp/Q$$.out`
[ $? -eq 0 ] || exit 3
# echo DEBUG: virsh qemu-agent-command $HOST \
# '{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}'
virsh qemu-agent-command $HOST \
'{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}' \
>/tmp/R$$.out || exit 4$?
TRIES=10
i=0
while [ $i -lt $TRIES ] ; do
i=`expr $i + 1`
virsh qemu-agent-command $HOST \
'{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}' \
>/tmp/R$$.out || exit 4$i$?
grep -q '"exitcode":0' /tmp/R$$.out && break
sleep 5
echo DEBUG: $i
done
[ $i -lt $TRIES ] || \
{ echo ERROR: $i no exitcode in /tmp/R$$.out; exit 5 ; }
b64=`sed -e 's/{"return":{"exitcode":0,"out-data":"//' -e 's/",".*//' /tmp/R$$.out`
[ $? -eq 0 ] || exit 6
[ -n "$b64" ] || exit 7
echo $b64 | base64 -d -
rm -f /tmp/{Q,R}$$.out
exit 0
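Review bot: The `if [ $? -gt 1 ] ... elif [ $? -gt 1 ]` chain after the two `shift`s tests the exit status of `shift` (0 on success), not the remaining argument count, so `ARGS` is always `"$1"`, extra arguments are silently dropped, and the comma-joining branch is unreachable — which the `# FixMe` already hints at. It should test `$#`: `if [ $# -eq 0 ] ; then ARGS="" ; elif [ $# -gt 1 ] ; then ARGS=$(sed -e 's/ /","/g' <<< "$@") ; else ARGS="$1" ; fi`. The guest-exec JSON is built by splicing `$CMD` and `$ARGS` into a quoted literal, so an argument containing `"` or `\` yields malformed JSON rather than a clean error; if jq is available, `jq -n --arg p "$CMD" ...` builds it safely. `/tmp/Q$$.out` and `/tmp/R$$.out` are predictable scratch names; `mktemp` with a `trap` cleanup is the usual replacement.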


@ -0,0 +1,42 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
# Aruments ignored: dom plugged begin
# so must be idempotemt - as its called by things it calls?
prog=$( basename $0 .bash )
[ -z "$TERM" ] || . /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
[ -z "$USER" ] && USER=$(id -un )
[ -n "$USER" -a "$USER" = root ] && \
for file in /usr/local/etc/modules-load.d/vda*.conf ; do
base=$( basename $file )
[ -e /etc/modules-load.d/$base ] && continue
cp -p $file /etc/modules-load.d/$base
done
/etc/init.d/virtlogd status || /etc/init.d/virtlogd start
/etc/init.d/libvirtd status
retval=$?
[ $retval -eq 32 ] && WARN libvirtd crashed - zapping && /etc/init.d/libvirtd zap
[ $retval -eq 0 ] || /etc/init.d/libvirtd start
grep "`date +%Y-%m-%d`.* error :" /var/log/libvirt/libvirtd.log
. /usr/local/bin/proxy_ping_lib.bash
proxy_ping_firewall_restart
retval=$?
if [ $retval -eq 0 ] ; then
[ "$DEBUG" = 1 ] && logger INFO: $prog proxy_ping_firewall_restart $*
else
logger ERROR: $prog proxy_ping_firewall_restart retval=$retval $*
exit $retval
fi
[ -n "$HTTPPROXY" ] || HTTPPROXY=privoxy
/etc/init.d/$HTTPPROXY status || /etc/init.d/$HTTPPROXY start
/etc/init.d/dnsmasq status || /etc/init.d/dnsmasq start
# clean
exit 0
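Review bot: `[ $retval -eq 32 ] && WARN libvirtd crashed - zapping && /etc/init.d/libvirtd zap` depends on `WARN`, but the tput helper that defines it is only sourced when `$TERM` is non-empty (`[ -z "$TERM" ] || . /usr/local/bin/usr_local_tput.bash`); when libvirtd invokes this hook there is typically no TERM, so `WARN` is "command not found", the `&&` chain stops, and the zap never happens. Either source the helper unconditionally or write the branch as an `if [ $retval -eq 32 ] ; then ... fi` whose zap does not hinge on the logger's exit status. The `cp -p $file /etc/modules-load.d/$base` loop is guarded by `"$USER" = root`, but the service `start`/`zap` calls that follow assume root too and are not.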


@ -0,0 +1,11 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
logger INFO: $0 $PWD $*
exit 0


@ -0,0 +1,285 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
base=proxy_libvirt_lib
# shellcheck disable=SC2154
[ -z "$USER" ] && USER=$(id -un )
# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
. /usr/local/bin/usr_local_tput.bash || exit 2
. /usr/local/bin/proxy_ping_lib.bash || exit 2
## proxy_libvirt_test_dnsmasq
proxy_libvirt_test_dnsmasq () { DBUG proxy_libvirt_test_dnsmasq $* ;
proxy_rc_service libvirtd status </dev/null >/dev/null || {
DBUG $prog libvirtd not running ; return 0
}
if ls /var/lib/libvirt/dnsmasq/*conf >/dev/null 2>/dev/null ; then
dbug $prog checking libvirtd dnsmasq conf
PROXY_WLAN=$( proxy_get_if )
retval=$?
[ $retval -eq 0 -a -n "$PROXY_WLAN" ] || {
ERROR proxy_get_if empty wlan7 retval=$retval
return 2$retval
}
for elt in bind-interfaces except-interface=$PROXY_WLAN no-dhcp-interface=$PROXY_WLAN ; do
for file in /var/lib/libvirt/dnsmasq/*conf ; do
if ! grep -q $elt $file ; then
[ -f $file.$$ ] || cp -p $file $file.$$
echo $elt >> $file
fi
done
done
if ls /var/lib/libvirt/dnsmasq/*conf.$$ >/dev/null 2>/dev/null ; then
dbug $prog restarting libvirtd dnsmasq conf
# FixMe: use virsh net-update net-edit
# ps ax | grep dnsmasq|grep -v grep|while read pid rest ; do kill -HUP $pid; done
for file in /var/lib/libvirt/dnsmasq/*conf.$$ ; do
pid=$( grep ^pid-file= $file|sed -e 's/.*=//' )
[ $? -ne 0 -o -z "$pid" ] && WARN $prog not pid-file in $file && continue
[ -f $pid ] || dbug $prog no pid-file in $file && continue
pid=$( cat $pid )
dbug $prog HUPing libvirtd dnsmasq $pid
kill -HUP $pid || WARN $prog error killing $file $pid && continue
done
fi
fi
return 0
}
## proxy_libvirt_clean_virbr1_rules
proxy_libvirt_clean_virbr1_rules () {
local line
proxy_iptables_save | \
grep -e '-A LIBVIRT_[OUTINP]* -i virbr[12] .* --dport [56][378] -j ACCEPT' | \
sed -e 's/-A/-D/' | while read line ; do
proxy_iptables $line
done
return 0
}
## proxy_libvirt_no_autostart
proxy_libvirt_no_autostart () { DBUG proxy_libvirt_no_autostart $* ;
proxy_libvirt_hung || return 1
proxy_virsh net-list --autostart | while read n s a p ; do
[ "$a" = yes ] || continue
virsh net-autostart $n --disable || { ERROR $prog net-autostart $n --disable ; return 1 ; }
dbug $prog net-autostart $n --disable
[ "$s" = active ] || continue
virsh net-destroy $n || { dbug $prog net-destroy $n ; return 2 ; }
dbug $prog net-destroy $n
done
return 0
}
## proxy_libvirt_status tests and checks logs - noisy
proxy_libvirt_status () { proxy_libvirt_status_host $* ; return $? ; }
proxy_libvirt_status_host () { DBUG proxy_libvirt_status $* ;
/etc/init.d/virtlogd status >/dev/null || /etc/init.d/virtlogd start || return 1$?
/etc/init.d/libvirtd status >/dev/null || /etc/init.d/libvirtd start || return 2$?
if ! proxy_rc_service libvirtd status >/dev/null ; then
DBUG proxy_libvirt_status proxy_rc_service libvirtd start
proxy_rc_service libvirtd start || return 3$?
fi
if ! proxy_rc_service libvirtd status >/dev/null ; then
ERROR proxy_libvirt_status proxy_rc_service libvirtd not started
return 4
fi
if [ ! -e /run/libvirt/libvirt-sock ] ; then
WARN proxy_libvirt_status no /run/libvirt/libvirt-sock
fi
if [ ! -e /run/libvirt/virtlogd-sock ] ; then
WARN proxy_libvirt_status no /run/libvirt/virtlogd-sock
fi
# virtlockd-sock
# shellcheck disable=SC2154
[ -z "$GATEW_DOM" ] && GATEW_DOM="$( proxy_testforge_get_gateway_dom )"
if [ -n "$GATEW_DOM" ] ; then
proxy_libvirt_list | grep -q $GATEW_DOM
[ $? -ne 0 ] && DBUG proxy_libvirt_status $GATEW_DOM not in virsh list
#? && return 3
else
WARN proxy_libvirt_status null GATEW_DOM
fi
return 0
}
## proxy_libvirt_restart
proxy_libvirt_restart () { DBUG proxy_libvirt_restart $* ;
# tests restarts
proxy_libvirt_start || return 3$?
proxy_libvirt_test || return 4$?
[ -x /etc/libvirt/hooks/network ] || return 7$?
/etc/libvirt/hooks/network || return 8$?
proxy_ping_firewall_restart
# /etc/modules-load.d/firewall.conf
return 0
}
## proxy_libvirt_start_guest
proxy_libvirt_start_guest () {
local dire=$1
[ ! -f /etc/init.d/qemu-guest-agent ] && return 0
proxy_rc_service qemu-guest-agent status >/dev/null \
|| proxy_rc_service qemu-guest-agent start || return 2$?
return $?
}
# proxy_libvirt_test_host
proxy_libvirt_test_host () {
local dire=$1
[ -z "$dire" ] && MODE="$( proxy_whonix_mode )" && dire=$MODE
[ -n "$MODE" ] || MODE=host
if [ $MODE = tor ] ; then
proxy_rc_service tor status >/dev/null || \
{ echo ERROR: $prog tor is not running ; return 2 ; }
# different for selector
fi
$PREFIX/bin/proxy_ping_test.bash to_tor || return 6$?
return $?
}
# proxy_libvirt_test_guest
proxy_libvirt_test_guest () {
[ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] || \
echo WARN: /dev/virtio-ports/org.qemu.guest_agent.0 not created
proxy_rc_service qemu-guest-agent status
return $?
}
## proxy_libvirt_status tests and checks logs - noisy
proxy_libvirt_test () { DBUG proxy_libvirt_test $* ;
[ -e /dev/virtio-ports ] && proxy_libvirt_test_guest || \
proxy_libvirt_test_host
return $?
}
## proxy_libvirt_status tests and checks logs - noisy
proxy_libvirt_test_host () { DBUG proxy_libvirt_test_host $* ;
proxy_libvirt_status || return 1$?
[ -f /var/log/libvirt/libvirtd.log ] && \
INFO proxy_libvirt_test /var/log/libvirt/libvirtd.log && \
tail /var/log/libvirt/libvirtd.log
# shellcheck disable=SC2154
[ -z "$GATEW_DOM" ] && GATEW_DOM="$( proxy_testforge_get_gateway_dom )"
if [ -n "$GATEW_DOM" ] ; then
if [ -f /var/log/libvirt/qemu/$GATEW_DOM.log ] ; then
INFO proxy_libvirt_test /var/log/libvirt/qemu/$GATEW_DOM.log
tail /var/log/libvirt/qemu/$GATEW_DOM.log
else
WARN proxy_libvirt_test missing /var/log/libvirt/qemu/$GATEW_DOM.log
fi
else
WARN proxy_libvirt_test null GATEW_DOM
fi
proxy_libvirt_test_dnsmasq || return 6$?
return 0
}
## proxy_libvirt_start
proxy_libvirt_start () { DBUG proxy_libvirt_start $* ;
proxy_ping_firewall_modules
proxy_libvirt_hung || return 2
proxy_rc_service libvirtd status >/dev/null 2>/dev/null || \
proxy_rc_service libvirtd start || return 3$?
return 0
}
## proxy_libvirt_hung
proxy_libvirt_hung () { DBUG proxy_libvirt_hung $* ;
# 1 means hung
[ -f /etc/init.d/libvirtd ] || return 0
if [ ! -e /run/libvirt/libvirt-sock ] || ! proxy_rc_service libvirtd status >/dev/null ; then
INFO proxy_libvirt_hung proxy_rc_service libvirtd start
proxy_rc_service libvirtd start || return 1
sleep $DELAY
fi
/etc/init.d/libvirtd status 2>/dev/null >/dev/null || return 1
a=$( /etc/init.d/libvirtd status |grep '├─' |grep -c -v '/usr/s.*bin' )
# hung processes will hang proxy_virsh list
[ $? -eq 0 -a $a -gt 1 ] && {
WARN proxy_libvirt_hung - too many subprocesses $a
return 1
}
# ├─ 820 /usr/sbin/libvirtd
# ├─ 2221 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/Whonix-External.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
# ├─28153 /bin/sh /etc/libvirt/hooks/network Whonix-External plugged begin -
# ├─28154 bash /usr/local/bin/proxy_libvirt_hook_network.bash Whonix-External plugged begin -
return 0
}
## proxy_libvirt_list
proxy_libvirt_list () { DBUG proxy_libvirt_list $* ;
local a
proxy_libvirt_hung || return 10
proxy_virsh list
return $?
}
## proxy_libvirt_clean_iptables
proxy_libvirt_clean_iptables () {
local i int dir dcp prot port
for dir in i ; do
for int in virbr2 virbr1; do
dcp=67
[ $dir = i ] || dcp=68
for port in 53 $dcp ; do
[ $dir = i ] && table=INP || table=OUT
for prot in udp tcp; do
proxy_iptables_save | grep -q -e "-A LIBVIRT_$table -i $int -p $prot -m $prot --dport $port -j ACCEPT" || continue
iptables -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT || \
echo WARN: $? -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT
done
done
done
done
for dir in o ; do
for int in virbr2 virbr1; do
dcp=68
[ $dir = o ] || dcp=67
for port in 53 68 ; do
table=OUT
[ $dir = i ] && table=INP
for prot in udp tcp; do
proxy_iptables_save | grep -q -e "-A LIBVIRT_$table -i $int -p $prot -m $prot --dport $port -j ACCEPT" || continue
iptables -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT || \
echo WARN: $? -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT
done
done
done
done
return 0
}
# DBUG 0=$0
base=proxy_libvirt_lib
if [ -x /usr/bin/basename ] && \
[ $( basename -- "$0" .bash ) = $base \
-o $( basename -- "$0" .sh ) = $base ] ; then
[ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && \
echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//' && exit 0
"$@"
exit $?
fi
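Review bot: In `proxy_libvirt_test_dnsmasq`, `[ -f $pid ] || dbug $prog no pid-file in $file && continue` parses as `( [ -f $pid ] || dbug ... ) && continue`, so when the pid file does exist the test succeeds and `continue` fires — every dnsmasq that has a pid file is skipped and never HUPed, while a missing pid file falls through to `cat $pid`. It should be `[ -f $pid ] || { dbug $prog no pid-file in $file ; continue ; }`, and the `kill -HUP $pid || WARN ... && continue` line below has the same shape. `proxy_libvirt_test_host` is defined twice in this file; the second definition silently replaces the first, so the `$MODE = tor` check and the `proxy_ping_test.bash to_tor` call in the first are dead. `proxy_libvirt_hung` runs `sleep $DELAY` without setting `DELAY` anywhere in this file — presumably it comes from the sourced library, worth confirming — and assigns `a` without `local`.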


@ -0,0 +1,51 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash
PREFIX=/usr/local
[ $( id -u ) -eq 0 ] || { ERROR "this must be run as root" ; exit 1 ; }
LOG=/tmp/I$$.log
JSON=/tmp/I$$.json
. /usr/local/bin/proxy_ping_lib.bash || \
{ echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 3; }
. /usr/local/bin/usr_local_base.bash || exit 2
PROXY_WLAN=$(route |grep ^def |sed -e 's/.* //') || { echo ERROR: " no route $?" ; exit 4 ; }
if [ -z "$PROXY_WLAN" ] ; then
PROXY_WLAN=$( proxy_get_if )
[ $? -eq 0 ] || { echo ERROR: " error getting device $?" ; exit 5 ; }
fi
[ -d /etc/NetworkManager/system-connections ] || exit 0
cd /etc/NetworkManager/system-connections/ || exit 6
pgrep NetworkManager >/dev/null || \
/etc/init.d/network-manager start # || exit 7
iwlist $PROXY_WLAN scan > $LOG 2>&1 || { echo ERROR: failed iwlist scan ; exit 2 ; }
which yq 2>/dev/null >/dev/null && \
for file in *.nmconnection; do
elt=$( basename "$file" .nmconnection )
grep -q "$elt" "$LOG" || continue
L=$( cat $LOG | grep -B 5 "$elt" | sed -e 's@/.*@@' -e 's@[=:]@: @' -e 's/.*Addre/- Addre/' -e '/^--\|Frequency:\|Encryption/d' -e 's/^ */ /' | yq 'sort_by(.Quality)|reverse|map(del(.Channel))|.[0:4]'|grep Address|sed -e 's/,/;/' -e 's/ *.Address.: //'|xargs echo|sed -e 's/ //g' )
[ -z "$L" ] && continue
sed -e "s@^seen-bssids=.*@seen-bssids=$L@" -i "$file"
grep -q lldp=0 "$file" || echo WARN: nmcli con modify $elt connection.lldp 0
grep -q llmnr=0 "$file" || echo WARN: nmcli con modify $elt connection.llmnr 0
grep -q mdns=0 "$file" || echo WARN: nmcli con modify $elt connection.mdns 0
INFO $prog $PWD/$file
done
rm -f /tmp/I$$.log
[ "$#" -eq 0 ] && exit 0
[ $1 = connect ] && nmtui-connect
[ $1 = edit ] && nmtui-edit
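Review bot: The scan output goes to a predictable path while the script insists on running as root — `LOG=/tmp/I$$.log` (plus an unused `JSON=/tmp/I$$.json`) is redirected into on the `iwlist $PROXY_WLAN scan > $LOG 2>&1` line, so a pre-created symlink at that name in /tmp would be followed by root. Use `LOG=$(mktemp) || exit 1` together with `trap 'rm -f "$LOG"' EXIT`, which also removes the file on the early `exit 2` after a failed scan, and drop `JSON`. Separately, `grep -q "$elt" "$LOG"` and `grep -B 5 "$elt"` treat the profile name as an unanchored regex over the whole scan dump, so any nearby ESSID that merely contains the name will contribute its BSSIDs to `seen-bssids`; matching the ESSID line literally, e.g. `grep -F -- "ESSID:\"$elt\""`, would tighten that, though whether the looser match is intended is not clear from this file.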


@ -0,0 +1,55 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
# Dual Linux or msys64
prog=$( basename $0 .bash )
ROLE=proxy
PREFIX=/usr/local
[ -n "$MSYSTEM" ] && EXET=msys || EXET=sh
[ -f $PREFIX/etc/testforge/testforge.bash ] \
&& . /usr/local/etc/testforge/testforge.bash
. /usr/local/bin/usr_local_tput.bash || exit 2
PROXIES=""
if [ -d /etc/pacman.d/gnupg ] ; then
ROLE=msys64
HOMEDIR=/etc/pacman.d/gnupg
# proxy or striaght through
PROXIES="10.152.152.12"
elif [ -d /q/Pg64/Msys64/etc/pacman.d/gnupg ] ; then
ROLE=q
HOMEDIR=/q/Pg64/Msys64/etc/pacman.d/gnupg
ppl=/usr/local/bin/proxy_ping_lib.bash
# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
[ "$USER" != root ] && export PATH=/sbin:$PATH
[ -z "$MODE" ] && MODE=$( $ppl proxy_ping_mode )
if [ "$MODE" = tor ] ; then
PROXIES="127.0.0.1:3128"
elif [ "$MODE" = whonix ] ; then
PROXIES="10.0.2.15:9128"
elif [ "$MODE" = gateway ] ; then
PROXIES="10.0.2.15:9128"
elif ps ax | grep -q polipo ; then
PROXIES="127.0.0.1:3128"
else
echo ERROR: unknown proxy
exit 2
fi
fi
GPG="gpg --verbose --home $HOMEDIR"
a=`ls $HOMEDIR/private-keys-v1.d/|wc -l`
if [ $? -ne 0 -o "$a" -eq 0 ] ; then
ERROR you need a private kepair with $GPG --quick-gen-key
exit 3
fi
# shellcheck disable=SC2154
$GPG --list-keys | grep -B 1 unknown && \
WARN un-signed keys in pacman && \
DBUG "$GPG --list-keys 2>/dev/null |grep -B1 unknown|grep '^ ' |while read elt;do \$GPG --edit-key $elt ;done"
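Review bot: `elif ps ax | grep -q polipo ; then` typically matches the grep process's own command line, so that branch is taken whenever it is reached and the `ERROR: unknown proxy` / `exit 2` fallback is effectively unreachable; `elif pgrep -x polipo >/dev/null ; then` tests the daemon itself. Note also that `PROXIES` is assigned in every branch of the mode detection but never read anywhere in this file, so the whole block has no effect on the `$GPG` calls that follow — either feed it to gpg or remove it. The closing DBUG hint loops `--edit-key` over every key that `--list-keys` reports as `unknown`; a comment such as `# verify each fingerprint against the distribution's published keys before signing` would keep a reader from turning that hint into a blanket trust grant.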



@ -0,0 +1,974 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
PYVER=3
# DEBUG=1
. /usr/local/bin/proxy_ping_lib.bash || \
{ ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 6; }
PL=/usr/local/bin/proxy_libvirt_lib.bash
declare -a tests
which traceroute 2>/dev/null >/dev/null && HAVE_TRACEROUTE=1 || HAVE_TRACEROUTE=0
which dig 2>/dev/null >/dev/null && HAVE_DIG=1 || HAVE_DIG=0
which nslookup 2>/dev/null >/dev/null && HAVE_NSLOOKUP=1 || HAVE_NSLOOKUP=0
which tor-resolve 2>/dev/null >/dev/null && HAVE_TOR_RESOLVE=1 || HAVE_TOR_RESOLVE=0
[ -z "$prog" ] || prog=proxy_ping_test
proxy_ping_get_socks
[ -z "$SOCKS_HOST" ] && SOCKS_HOST=127.0.0.1
[ -z "$SOCKS_PORT" ] && SOCKS_PORT=9050
[ -z "$SOCKS_DNS" ] && SOCKS_DNS=9053
HTTPS_PORT=9128
HTTPS_HOST=127.0.0.1
proxy_ping_get_https
[ -z "$HTTPS_HOST" ] && HTTPS_HOST=127.0.0.1
HTTP_PORT=3128
HTTP_PROXY_HOST=127.0.0.1
proxy_ping_get_http
[ -z "$HTTP_HOST" ] && HTTP_HOST=127.0.0.1
[ -f $PREFIX/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash >/dev/null || exit 1
P="BASE_PYTHON${PYVER}_MINOR"
PYTHON_MINOR="$(eval echo \$$P)"
[ -n "$PYTHON_MINOR" ] || \
PYTHON_MINOR=$( python$PYVER --version 2>&1| sed -e 's@^.* @@' -e 's@\.[0-9]*$@@' )
[ -n "$PYTHON_MINOR" ] || exit 4
if [ -z "$LIB" -a -d /usr/lib/python$PYTHON_MINOR ] ; then
LIB=lib
elif [ -z "$LIB" -a -d /usr/lib64/python$PYTHON_MINOR ] ; then
LIB=lib64
elif [ -n "$LIB" -a ! -d /usr/$LIB/python$PYTHON_MINOR ] ; then
#? ERROR LIB=$LIB but no /usr/$LIB/python$PYTHON_MINOR
exit 5
fi
THOPS=40
NEEDED_BINS="ping traceroute nmap dig nslookup tor-resolve"
NEEDED_SCRIPTS="
/usr/local/bin/proxy_ping_lib.bash
/usr/local/bin/proxy_ping_test.bash
"
grep -q Debian /etc/os-release
DEBIAN=$?
TIMEOUT=30
[ -n "$GATEW_DOM" ] || GATEW_DOM="$( proxy_testforge_get_gateway_dom )"
[ -n "$GATEW_DOM" ] || GATEW_DOM="Whonix-Gateway"
DNS_HOST1="208.67.220.220"
DNS_HOST2="8.8.8.8"ggggg
[ -n "$DNS_TARGET" ] || DNS_TARGET=www.whatismypublicip.com # 108.160.151.39
[ -n "$HTTP_TARGET" ] || HTTP_TARGET=www.whatismypublicip.com # 108.160.151.39
HTTP_TARGET=www.whatismypublicip.com
# time.nist.gov 132.163.97.3
NTP_HOST1=132.163.97.3
# pool.ntp.org 78.46.53.2
NTP_HOST2=78.46.53.2
# --no-check-certificate
WGET="wget --tries=1 --max-redirect=0 --timeout=$TIMEOUT -O /dev/null"
CURL="curl -o /dev/null $CURL_ARGS"
SCURL="/usr/local/bin/scurl.bash --output /dev/null"
NSL='nslookup -querytype=A -debug'
NETS='netstat -nl4e'
ALL=""
[ -z "$USER" ] && USER=$(id -un )
[ $USER = root ] && DMESG_LINES=1 || DMESG_LINES=0
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=`proxy_ping_get_wlan`
# fixme - required
PROXY_WLAN=$( echo $PROXY_WLAN | grep ^wlan |sed -e 's/:.*//' )
[ -n "$PROXY_WLAN_GW" ] || PROXY_WLAN_GW=`proxy_ping_get_wlan_gw`
# fixme - required
PROXY_WLAN_GW=$( echo $PROXY_WLAN_GW | grep ^wlan |sed -e 's/:.*//' )
MODE=$( proxy_ping_mode )
USAGE="$prog without arguments tests the current MODE=$MODE,
or 0 to list the tests by number,
or one or more of the groups:
"
DNS_HOST=$SOCKS_HOST
[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
[ -z "$PRIV_BIN_GID" ] && PRIV_BIN_GID=$( grep ^$PRIV_BIN_OWNER /etc/passwd|cut -d: -f 4 )
## proxy_test_netstat_dns
proxy_test_netstat_dns () { DBUG proxy_test_netstat_dns $* ;
$NETS | grep -q ":53"
retval=$?
[ $retval -eq 0 ] && return 0
ERROR $prog test=$ARG "${tests[$ARG]}" dns not running
[ -z "$ALL" ] && exit $ARG$retval || return 1
}
## proxy_test_traceroute_icmp_gw
proxy_test_traceroute_icmp_gw () { DBUG proxy_test_traceroute_icmp_gw $* ;
[ -n "$PROXY_WLAN_GW" ] || PROXY_WLAN_GW=`proxy_ping_get_wlan_gw` || return 1
traceroute --icmp $PROXY_WLAN_GW
retval=$?
[ $retval -eq 0 ] && return 0
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval traceroute --icmp $PROXY_WLAN_GW
[ -z "$ALL" ] && exit $ARG$retval || return 1
# works
GREP="-i icmp"
return 0
}
## proxy_test_dig_direct
proxy_test_dig_direct () { DBUG proxy_test_dig_direct $* ;
dig @$DNS_HOST1 pool.ntp.org +timeout=$TIMEOUT >/dev/null
retval=$?
[ $retval -eq 0 ] && return 0
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @$DNS_HOST1
[ -z "$ALL" ] && exit $ARG$retval || return 1
INFO $prog test=$ARG "${tests[$ARG]}" dig @$DNS_HOST1
# works
GREP="53"
return 0
}
## proxy_test_curl_firewall_bin
proxy_test_curl_firewall_bin () { DBUG proxy_test_curl_firewall_bin $* ;
su -c "$CURL -k --noproxy '*' https://$HTTP_TARGET" -s /bin/sh $PRIV_BIN_OWNER >/dev/null
retval=$?
[ $retval -eq 0 ] && return 0
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval \
su -c "$CURL -k --noproxy '*' https://$HTTP_TARGET" -s /bin/sh $PRIV_BIN_OWNER
proxy_iptables_save|tail|grep PTABLES_filter_DROP-o
[ -z "$ALL" ] && exit $ARG$retval || return $retval
}
## proxy_ping_curl
proxy_ping_curl () { DBUG proxy_ping_curl $* ;
local retval
timeout -k $TIMEOUT $TIMEOUT $CURL "$@"
retval=$?
# "DEBUG: wierd failure curl: (35) Encountered end of file"
[ $retval -eq 0 -o $retval -eq 35 ] && return 0
return $retval
}
## proxy_ping_make_help
proxy_ping_make_help () {
grep 'tests\[[0-9][0-9]*\]=' /usr/local/bin/proxy_ping_test.bash \
> /tmp/proxy_ping_test.hlp
return 0
}
## proxy_ping_test_virbr
proxy_ping_test_virbr () {
local n=$1
[ -z "$n" ] && n=1
[ -z "$CONN" ] || proxy_whonix_get_conn
[ "$CONN" = guest ] && return 0
[ -e /proc/sys/net/ipv4/conf/virbr$n ] || return 0
proxy_ifconfig virbr$n >/dev/null && return 0
return 0
}
## proxy_ping_broken
proxy_ping_broken () { DBUG proxy_ping_broken PROXY_WLAN=$PROXY_WLAN $* ;
# 0 is true
local a=$MODE
if [ "$a" = vda -o "$a" = ws ]; then
# grep 10.152.152.10 /etc/resolv.conf &&
PING_BROKEN=0
return 0
elif [ "$a" = gateway ]; then
PING_BROKEN=0
return 0
elif [ -z "$PROXY_WLAN_GW" ] ; then
PING_BROKEN=0
return 0
fi
[ -n "$PING_BROKEN" ] && return $PING_BROKEN
DBUG $prog proxy_ping_mode=$a PROXY_WLAN=$PROXY_WLAN PROXY_WLAN_GW=$PROXY_WLAN_GW
ping -4 -I $PROXY_WLAN -c 1 -W $TIMEOUT $PROXY_WLAN_GW # 10.16.238.1
if [ $? -ne 0 ] ; then
PING_BROKEN=0
else
PING_BROKEN=1
fi
return $PING_BROKEN
}
## proxy_do_ping
proxy_do_ping () { DBUG proxy_do_ping $* ;
proxy_route_check || { ERROR $prog route not connected ; return 1$? ; }
proxy_ping_broken && return 0
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=`proxy_get_if` || {
ERROR $prog unable to get wlan $? ; return 2 ;
}
ping -4 -I $PROXY_WLAN -c 1 -W $TIMEOUT $DNS_HOST2 >/tmp/P$$.log 2>&1
retval=$?
if [ $retval -eq 1 ] ; then
# false negatives
sleep 4
ping -4 -I $PROXY_WLAN -c 1 -W $TIMEOUT $DNS_HOST2 >/tmp/P$$.log 2>&1
retval=$?
fi
[ $retval -lt 1 ] || {
ERROR $prog do_ping $PROXY_WLAN retval=$retval
rm /tmp/P$$.log
PING_BROKEN=0
return 3$retval
}
grep -q ' 0% ' /tmp/P$$.log || \
{ ERROR $prog retval=$? test=$1 ping retval=$retval ; rm /tmp/P$$.log ; return 4 ; }
PING=1
grep 'packet\|bytes from' /tmp/P$$.log
rm /tmp/P$$.log
return 0
}
proxy_run_as_root () { DBUG proxy_run_as_root $* ;
[ $( id -u ) -eq 0 ] && return 0
ERROR must be root
[ -z "$ALL" ] && exit 9
return 1
}
## proxy_test_pretests
proxy_test_pretests () {
if [ "$1" = panic ] ; then
: dont ping on panic
proxy_ping_broken || proxy_do_ping || \
{ WARN ping failed for panic so skipping ; exit 0 ; }
elif [ "$1" = direct -o "$1" = gateway -o "$1" = vda -o "$1" = kick ] ; then
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
proxy_ping_broken || proxy_do_ping || exit 3$?
proxy_ping_test_resolv $MODE ||\
{ WARN $prog proxy_ping_test_resolv=$? 'echo nameserver 127.0.0.1 > /etc/resolv.conf' ; exit 4 ; }
proxy_ping_firewall_start || { ERROR "proxy_ping_firewall_start ret=$?" ; exit 5 ; }
elif [ "$1" = nat ] ; then
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
else
proxy_do_ping || exit 4$?
proxy_ping_test_resolv $MODE || \
{ WARN "$prog proxy_ping_test_resolv=$? /etc/resolv.conf.$dire" MODE=$MODE
exit 4 ; }
fi
return 0
}
## proxy_test_help_args
proxy_test_help_args () {
declare -a ret=()
ret=( $(grep " -.* $1 " /tmp/proxy_ping_test.hlp | \
sed -e 's/.=.*//' -e 's/.*tests.//') )
echo "${ret[@]}"
return 0
}
ALL=0
## proxy_ping_test_set_args
proxy_ping_test_set_args () {
local args="$@"
local val="$@"
declare -a aret=()
rm -f /tmp/proxy_ping_test.hlp
[ -f /tmp/proxy_ping_test.hlp ] || proxy_ping_make_help
## to_tor - tor with the firewall host side client setup tor server - call tor,dns,ntp in addition
[ "$1" = to_tor -o "$1" = test_tor -o "$1" = test_to ] &&
aret=( 6 13 16 ) && \
! proxy_ping_test_env && WARN to_tor and no proxy in env - use noenv
## vda - through the Gateway with the firewall - also polipo,panic - uses env
[ "$1" = vda ] &&
aret=( 35 3 20 ) #
## tor - tor with the firewall to test the host side tor server - call to_tor,dns,ntp in addition
[ "$1" = tor ] &&
aret=( 21 30 20 4 5 36 3 )
## kick - open firewall with tor running - call dns,polipo +tor in addition
[ "$1" = kick -o "$1" = host ] &&
aret=( 24 31 13 16 6 )# 30 24 31 6 13 16
## gateway - on the Gateway, trans firewall with tor running - call dns in addition
[ "$1" = gateway ] &&
aret=( 23 25 4 5 30 24 17 3 21 ) # 31 6 16
# aliases
[ "$1" = "$SOCKS_PORT" ] && set -- socks
[ "$1" = "$HTTP_PORT" ] && set -- http
[ "$1" = "$HTTPS_PORT" ] && set -- https
[ "$1" = "53" ] && set -- dns
[ "$1" = "9053" ] && set -- tordns
[ "$1" = scan ] && set -- iwlist
[ "$1" = panic ] && set -- firewall
[ "$1" = tor ] && set -- torhost
[ "$1" = to_gateway ] && set -- whonix
[ "$1" = from_tor ] && set -- whonix
[ "$1" = from_gateway ] && set -- gateway
[ "$1" = traceroute ] && set -- = trace
[ "$1" = connected ] && set -- wifi
[ "$1" = clear ] && set -- direct
# scenarios - modes: nat selektor
## nat - through the Gateway via the nat
[ "$1" = nat ] && \
set -- ping dns socks http https tordns firefail libvirtguest
# wifi?
[ "$1" = whonix ] && \
set -- ping tordns dns socks http https torhost tordns firefail gw
[ "$1" = tor ] && \
set -- ping tordns dns trace socks http https torhost tordns firefail nmap gw
[ "$1" = selektor ] && \
set -- ping tordns dns trace socks http https torhost tordns firefail nmap gw
[ "$1" = direct -o "$1" = '' ] && \
set -- ping dns trace nmap gw
## all - all tests not stopping on the first error
[ "$1" = all ] && ALL=1
# aret="${#tests[@]}"
## gw - test if we are connected to the gateway
## torhost - running tor with the firewall
## env - from the cmdline with a properly setup env
## firefail - test the proxy without env vars to expect failure
## http - assumes torhost or whonix and env setup
## https - assumes torhost or whonix and env setup
## socks - assumes torhost or whonix and env setup
## ping - connected routed test the ping to DNS hosts
## ntp - ntpdate through the firewall
## nmap - nmap sgid through the firewall - does not assume env
## iwlist - wlan scan
## firewall - test that the firewall blocks
## virbr1 - assumes tor or whonix
## gateway - ssh to the whonix gateway
## trace - traceroute to DNSHOST - icmp is allowed by the firewall, except on vda
## wifi - test if we are connected - call scan in addition
## libvirthost - hosting a libvirt container
## libvirtguest - in a libvirt container
## tordns - test 9053 for dns using tor-resolve
## dns - dns using tor or the gateway, with the firewall - does not assume env
## whonix - whonix to the Gateway with the firewall - also panic - not assume env
## whonix - whonix gateway host side client setup with the firewall was from_to## direct - assume no firewall and no proxy - but may work depend on env
r
for elt in "$@" ; do
if [ "$elt" = gw -o "$elt" = '' -o "$elt" = env -o \
"$elt" = https -o "$elt" = http -o "$elt" = socks -o "$elt" = dns -o \
"$elt" = torhost -o "$elt" = tordns -o "$elt" = whonix -o \
"$elt" = libvirthost -o "$elt" = libvirtguest -o "$elt" = virbr1 -o \
"$elt" = ping -o "$elt" = trace -o "$elt" = ntp -o "$elt" = nmap -o \
"$elt" = iwlist -o "$elt" = firefail -o "$elt" = direct -o \
"$elt" = trace -o "$elt" = wifi -o "$elt" = '' -o "$elt" = '' \
] ; then
aret+=( `proxy_test_help_args $elt` )
else
WARN unrecognized: $elt >&2
fi
done
DBUG "${aret[@]}" >&2
echo "${aret[@]}"
return 0
}
# -I $PROXY_WLAN -c 1 $DNS_HOST2
if [ "$#" = 0 ] ; then
# default to mode
set -- $MODE
fi
if [ $1 = '-h' -o $1 = '--help' ] ; then
echo USAGE: $USAGE | sed -e 's/[0-9][0-9]*)/\n&/g'
grep '^## [a-oq-z]' $0 | sed -e 's/^## / /'
exit 0
elif [ "$1" = 0 ] ; then
INFO $prog PROXY_WLAN=$PROXY_WLAN MODE=$MODE
echo 0 help /tmp/proxy_ping_test.hlp
[ -f /tmp/proxy_ping_test.hlp ] || proxy_ping_make_help
. /tmp/proxy_ping_test.hlp
for elt in "${!tests[@]}" ; do
echo $elt "${tests[$elt]}"
done
exit 0
elif [[ $1 =~ ^[0-9] ]] ; then
: passthrough
else
set -- `proxy_ping_test_set_args "$@"`
DBUG running tests numbered "$@"
fi
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
proxy_test_pretests "$1"
# https://stackoverflow.com/questions/8290046/icmp-sockets-linux/20105379#20105379
if [ $( id -u ) -eq 0 ] ; then
proxy_ping_chattr
fi
DBUG $prog PROXY_WLAN=$PROXY_WLAN MODE=$MODE $*
# $( sysctl net.ipv4.ping_group_range )
# proxy_iptables_save|grep 216
while [ "$#" -gt 0 ] ; do
# DBUG $prog $1
ARG=$1 ; shift
GREP=""
if [ -z "$ARG" ] ; then
continue
elif ! [ "$ARG" -ge 0 ] ; then
ERROR $prog called with an unrecognized argument $ARG from $0
exit 9
elif [ $ARG -le 0 ] ; then
# do the ping and resov.conf
true
elif [ $ARG -eq 1 ] ; then
tests[1]="wget_https_as_user wget ${HTTPS_PORT} - https "
[ -n "$https_proxy" ] && LARGS="" || \
LARGS="env https_proxy=https://${HTTPS_HOST}:${HTTPS_PORT}"
$LARGS $WGET https://$HTTP_TARGET
retval=$?
if [ $retval -eq 8 -o $retval -eq 0 ] ; then
INFO $prog test=$ARG "${tests[$ARG]}"
else
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval test=$ARG
[ -z "$ALL" ] && continue
fi
# works with fix
GREP="${HTTPS_PORT}"
elif [ $ARG -eq 2 ] ; then
[ -n "$https_proxy" ] && LARGS="--proxy $https_proxy" || \
LARGS="--proxy https://${HTTPS_HOST}:${HTTPS_PORT}"
tests[2]="curl_https_as_user curl $LARGS https://$HTTP_TARGET - https "
proxy_ping_curl $LARGS https://$HTTP_TARGET >/dev/null || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $LARGS https://$HTTP_TARGET
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works with fix
GREP="${HTTPS_PORT}"
elif [ $ARG -eq 3 ] ; then
tests[3]="curl_socks_virbr1_as_user $SOCKS_HOST $SOCKS_PORT - torhost "
# proxy_dest_port_wlan_config || { ERROR DEST=$DEST ; continue ; }
# curl: (4) A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision
[ $DEBIAN -eq 0 ] && continue
[ -z "$socks_proxy" ] && socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
if [ $MODE = whonix ] ; then
ssh -o ForwardX11=no user@10.0.2.15 netstat -nl4e| grep 15:$SOCKS_PORT || {
retval=$?
ERROR ssh -o ForwardX11=no user@10.0.2.15 netstat
[ -z "$ALL" ] && exit $ARG$retval || continue ;
}
socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
proxy_ping_curl -x $socks_proxy \
--interface virbr1 n--dns-interface virbr1 https://$HTTP_TARGET >/dev/null || {
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl -x $socks_proxy --interface virbr1 --dns-interface virbr1 https://$HTTP_TARGET
[ -z "$ALL" ] && exit $ARG$retval || continue
}
else
socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
proxy_ping_curl -x $socks_proxy https://$HTTP_TARGET >/dev/null \
|| { retval=$? ; ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl ${SOCKS_HOST} $SOCKS_PORT
[ -z "$ALL" ] && exit $ARG$retval || continue ; }
fi
INFO $prog test=$ARG "${tests[$ARG]}"
# works with user/pass
GREP="$SOCKS_PORT"
elif [ $ARG -eq 4 ] ; then
tests[4]="dig_socks_through_as_user @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com - tordns "
[ $HAVE_DIG = 1 ] || continue
if [ $MODE = whonix ] ; then
ssh -o ForwardX11=no user@10.0.2.15 netstat -nl4e | grep 15:$SOCKS_DNS
fi
dig @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works with fix
GREP="$SOCKS_DNS"
elif [ $ARG -eq 5 ] ; then
tests[5]="nslookup_socks_as_user - tordns "
[ $HAVE_NSLOOKUP = 1 ] || continue
desc="$NSL -port=$SOCKS_DNS www.whatismypublicip.com ${DNS_HOST}"
$desc >/dev/null || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval $desc
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}" $desc
# works with fix
GREP="$SOCKS_DNS"
elif [ $ARG -eq 6 ] ; then
proxy=`proxy_ping_get_https`
desc="curl --proxy http://${proxy}"
tests[6]="curl_https_as_user - https "
proxy_ping_curl --proxy http://${proxy} \
--proxy-insecure https://$HTTP_TARGET || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval $desc
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}" $desc
# works
GREP="$HTTP_PORT"
elif [ $ARG -eq 7 ] ; then
tests[8]="traceroute_icmp_dns_as_root --icmp - trace "
[ $USER = root ] || continue
[ -n "$PROXY_WLAN" ] || proxy_get_if || continue
[ $HAVE_TRACEROUTE = 1 ] || continue
traceroute -i $PROXY_WLAN --icmp $DNS_TARGET -m $THOPS || { \
retval=$?
ERROR $retval traceroute --icmp -m $THOPS
[ -z "$ALL" ] && exit 7$retval
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP="-i icmp"
elif [ $ARG -eq 8 ] ; then
tests[8]="traceroute_tcp_dns_as_root -i $PROXY_WLAN -p 53 -T4 - trace "
[ $USER = root ] || continue
[ -n "$PROXY_WLAN" ] || proxy_get_if || continue
[ $HAVE_TRACEROUTE = 1 ] || continue
traceroute -i $PROXY_WLAN -p 53 -T4 $DNS_TARGET -m $THOPS || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval traceroute -T4 -p 53 -m $THOPS
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP="53"
elif [ $ARG -eq 9 ] ; then
tests[9]="traceroute_icmp_dns_as_user -p 53 - trace "
[ $USER = root ] || continue
[ -n "$PROXY_WLAN" ] || proxy_get_if || continue
[ $HAVE_TRACEROUTE = 1 ] || continue
traceroute -i $PROXY_WLAN --icmp $DNS_TARGET -p 53 -m $THOPS || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval traceroute -i $PROXY_WLAN --icmp -m $THOPS
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP="53"
elif [ $ARG -eq 10 ] ; then
tests[10]="wget_http_as_user $HTTP_PORT - http "
proxy=`proxy_ping_get_http`
env http_proxy=http://${proxy} \
$WGET -S http://$HTTP_TARGET 2>/dev/null
retval=$?
# 8 is an oddball
if [ $retval -eq 8 -o $retval -eq 0 ] ; then
INFO $prog test=$ARG "${tests[$ARG]}" wget $HTTP_PORT
else
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval wget $HTTP_PORT
[ -z "$ALL" ] && exit $ARG$retval || continue
fi
GREP="$HTTP_PORT"
elif [ $ARG -eq 11 ] ; then
tests[11]="curl_https_as_user - https "
proxy=`proxy_ping_get_https`
proxy_ping_curl --proxy http://${proxy} \
--proxy-insecure https://$HTTP_TARGET || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $HTTP_PORT
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP="$HTTP_PORT"
elif [ $ARG -eq 12 ] ; then
tests[12]="nmap_dns_as_root --privileged --send-eth -Pn -sU -p U:53 $DNS_HOST1 - nmap direct "
[ $USER = root ] || continue
which nmap 2>/dev/null >/dev/null || continue
[ -z "$DNS_HOST1" ] && DNS_HOST1="208.67.220.220"
nmap --privileged --send-eth -Pn -sU -p U:53 "$DNS_HOST1" || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval nmap 53
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works
GREP="53"
elif [ $ARG -eq 13 ] ; then
tests[13]="curl_firewall_bin - wifi "
[ $USER = root ] || continue
proxy_test_curl_firewall_bin || continue
INFO $prog test=$ARG "${tests[$ARG]}" curl bin
# works
GREP="443"
elif [ $ARG -eq 14 ] ; then
tests[14]="traceroute_icmp_gw_as_root --icmp $PROXY_WLAN_GW - gw wifi "
[ $USER = root ] || continue
[ $HAVE_TRACEROUTE = 1 ] || continue
proxy_test_traceroute_icmp_gw || continue
# works
INFO $prog test=$ARG "${tests[$ARG]}"
GREP="-i icmp"
elif [ $ARG -eq 15 ] ; then
tests[15]="test_dig_direct - direct "
[ $HAVE_DIG = 1 ] || continue
proxy_test_dig_direct || continue
INFO $prog test=$ARG "${tests[$ARG]}" proxy_test_dig_direct
elif [ $ARG -eq 16 ] ; then
tests[16]="nslookup_as_root nslookup $PRIV_BIN_OWNER - torhost "
[ $USER = root ] || continue
[ $HAVE_NSLOOKUP = 1 ] || continue
su -c "$NSL $DNS_TARGET $DNS_HOST1" -s /bin/sh $PRIV_BIN_OWNER >/dev/null || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval "$NSL $DNS_TARGET $DNS_HOST1" -s /bin/sh $PRIV_BIN_OWNER
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works /fails but maybe a noop
GREP="53"
elif [ $ARG -eq 17 ] ; then
tests[17]="ntpdate_as_root ntpdate without service - ntp "
proxy_run_as_root || exit 9
[ -x /usr/sbin/ntpdate ] || continue
# Curious: even though sgid 2755 ntp it fails as su ntp
# 12 Nov 23:28:35 ntpdate[17341]: bind() fails: Permission denied
/usr/sbin/ntpdate "$NTP_HOST1" || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval ntpdate
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP="123"
elif [ $ARG -eq 18 ] ; then
tests[18]="ntpdate_as_root ntpdate with servie - ntp "
proxy_run_as_root || exit 9
proxy_rc_service ntpd status >/dev/null && \
proxy_rc_service ntpd stop >/dev/null && sleep 2
/usr/sbin/ntpdate $NTP_HOST1 || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval ntpdate
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works
proxy_rc_service ntpd status >/dev/null || proxy_rc_service ntpd start
GREP="123"
elif [ $ARG -eq 19 ] ; then
tests[19]="curl_noproxy_http_as_user curl raw noproxy - firefail "
proxy_ping_curl --noproxy "'*.*'" --connect-timeout $TIMEOUT \
http://$HTTP_TARGET >/dev/null && {
retval=$?
ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" curl raw --noproxy
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP=80
elif [ $ARG -eq 20 ] ; then
tests[20]="curl_socksproxy_as_user curl $SOCKS_PORT - socks "
# needs dns
[ $DEBIAN -eq 0 ] && continue
socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
proxy_ping_curl -x $socks_proxy https://$HTTP_TARGET >/dev/null \
|| { retval=$? ; ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $SOCKS_PORT
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works with user/pass
GREP="$SOCKS_PORT"
elif [ $ARG -eq 21 ] ; then
tests[21]="curl_httpsproxy_as_user - https "
[ -z "$https_proxy" ] && https_proxy=http://${HTTPS_PROXY_HOST}:${HTTPS_PORT}
proxy_ping_curl -x $https_proxy https://$HTTP_TARGET >/dev/null || { \
if [ "$MODE" = gateway ] ; then
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval curl ${HTTPS_HOST} ${HTTPS_PORT}
continue
else
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl ${HTTPS_HOST} HTTPS_PORT=${HTTPS_PORT}
[ -z "$ALL" ] && exit $ARG$retval || continue
fi
}
INFO $prog test=$ARG "${tests[$ARG]}" curl ${HTTPS_HOST} ${HTTPS_PORT}
GREP="${HTTPS_PORT}"
elif [ $ARG -eq 22 ] ; then
tests[22]="iwlist_scan_as_user iwlist $PROXY_WLAN scan - iwlist "
[ $USER = root ] || continue
which iwlist 2>/dev/null || continue
[ -n "$PROXY_WLAN" ] || proxy_get_if || continue
iwlist $PROXY_WLAN scan >/dev/null || {
ERROR $prog retval=$? test=$ARG $PROXY_WLAN scan
[ -z "$ALL" ] && exit $ARG$1 || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works
elif [ $ARG -eq 23 ] ; then
tests[23]="curl_proxy_as_user - direct "
proxy_ping_curl --insecure https://$HTTP_TARGET >/dev/null || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl direct
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
elif [ $ARG -eq 24 ] ; then
tests[24]="dig_direct_or_dnsmasq dig -b $IP www.whatismypublicip.com - direct "
[ $HAVE_DIG = 1 ] || continue
[ -n "$PROXY_WLAN" -a -n "$IP" ] || proxy_ping_get_wlan_gw || continue
[ -n "$IP" ] || continue
dig -b $IP www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}" dig -b $IP
elif [ $ARG -eq 25 ] ; then
tests[25]="nslookup_as_user - direct "
[ $HAVE_NSLOOKUP = 1 ] || continue
# noenv with or without proxy
# @$DNS_HOST1 should fail for firewall unless dnsmasq is working
$NSL >/dev/null www.whatismypublicip.com || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval nslookup www.whatismypublicip.com
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}" nslookup
elif [ $ARG -eq 26 ] ; then
tests[26]="route_connected_ping_scan - direct "
[ $HAVE_DIG = 1 ] || continue
#? proxy_test_pretests
proxy_do_ping && \
INFO $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP || \
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
elif [ $ARG -eq 27 ] ; then
tests[27]="dns_as_user dig -b 127.0.0.1 - direct "
[ $HAVE_DIG = 1 ] || continue
[ -n "$PROXY_WLAN" -a -n "$IP" ] || proxy_ping_get_wlan_gw || continue
dig -b 127.0.0.1 www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
elif [ $ARG -eq 28 ] ; then
tests[28]="wget_as_user - direct "
proxy_ping_test_env || { WARN $prog test=$ARG "${tests[$ARG]}" no proxy in env ; }
$WGET -S https://$HTTP_TARGET 2>/dev/null
retval=$?
if [ $retval -eq 8 -o $retval -eq 0 ] ; then
INFO $prog test=$ARG "${tests[$ARG]}" wget
else
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval wget
[ -z "$ALL" ] && exit $ARG$retval || continue
fi
elif [ $ARG -eq 29 ] ; then
tests[29]="curl_as_user - direct "
proxy_ping_test_env || { WARN $prog test=$ARG "${tests[$ARG]}" no proxy in env ; }
proxy_ping_curl https://$HTTP_TARGET >/dev/null || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
elif [ $ARG -eq 30 ] ; then
tests[30]="tor_bootstrap_check_as_root tor_bootstrap_check.py - torhost "
[ $MODE = tor -o $MODE = selektor ] || {
ERROR $prog MODE != tor test=$ARG
[ -z "$ALL" ] && exit $ARG$retval || continue
}
port=$SOCKS_PORT
$NETS | grep -q :$port || {
ERROR $prog retval=$? test=$ARG tor not running on $port
[ -z "$ALL" ] && exit $ARG || continue
}
[ $USER = root ] || continue
# was /usr/local/bin/tor_bootstrap_check.bash
[ -f /usr/local/src/helper-scripts/tor_bootstrap_check.py ] || return 1
python3.sh /usr/local/src/helper-scripts/tor_bootstrap_check.py
# morons 100%
retval=$?
[ $retval -eq 0 -o $retval -eq 100 ] || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval tor_bootstrap_check
}
INFO $prog test=$ARG "${tests[$ARG]}"
elif [ $ARG -eq 31 ] ; then
tests[31]="curl_noproxy_as_root polipo http pages $HTTP_PORT - direct http "
proxy_ping_curl --noproxy http://${HTTP_HOST}:$HTTP_PORT && { \
retval=$?
ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" retval=$retval polipo http pages $HTTP_PORT
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works
GREP="$HTTP_PORT"
elif [ $ARG -eq 32 ] ; then
tests[32]="ping_nmap_direct_as_root nmap 53 - direct "
[ $USER = root ] || continue
which nmap 2>/dev/null >/dev/null || continue
[ -n "$PROXY_WLAN" -a -n "$PROXY_WLAN_GW" ] || proxy_ping_get_wlan_gw || continue
proxy_ping_nmap_direct $DNS_HOST1 "$PROXY_WLAN_GW" U:67 || {
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval nmapd 53
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works
GREP="53"
elif [ $ARG -eq 33 ] ; then
tests[33]="host_virbr_as_user proxy_ping_test_virbr 1 - libvirthost "
proxy_ping_test_virbr 1 || {
retval=$?
ERROR $CONN virbr1 not running
[ -z "$ALL" ] && exit 1 || continue
}
# * Immediate connect fail for 10.0.2.15: Connection refused
INFO $prog test=$ARG "${tests[$ARG]}"
elif [ $ARG -eq 34 ] ; then
tests[34]="python_ping_as_root traceroute --icmp $PROXY_WLAN_GW - wifi "
[ $USER = root ] || continue
[ -n "$PROXY_WLAN_GW" -a -n "$IP" ] || PROXY_WLAN_GW=`proxy_ping_get_wlan_gw` || continue
[ -f /usr/local/bin/ping2.py ] || continue
/usr/local/bin/ping2.py $IP $DNS_HOST1 $PROXY_WLAN_GW || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval ping2.py $DNS_HOST1
[ -z "$ALL" ] && exit $ARG$retval || continue
}
# works
INFO $prog test=$ARG "${tests[$ARG]}"
GREP="-i icmp"
elif [ $ARG -eq 35 ] ; then
tests[35]="dig_as_root - firewall dig @$DNS_HOST1 - torhost dns "
[ $USER = root ] || continue
[ $HAVE_DIG = 1 ] || continue
# @$DNS_HOST1
su -c "dig pool.ntp.org +timeout=$TIMEOUT" -s /bin/sh $PRIV_BIN_OWNER >/dev/null || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval dig pool.ntp.org $PRIV_BIN_OWNER
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works
GREP="53"
elif [ $ARG -eq 36 ] ; then
tests[36]="tor_resolve_as_user tor-resolve pool.ntp.org - tordns "
[ $HAVE_TOR_RESOLVE = 1 ] || continue
tor-resolve pool.ntp.org >/dev/null || { \
retval=$?
# dunno Failed parsing SOCKS5 response conf?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval tor-resolve pool.ntp.org
continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works
GREP="9053"
elif [ $ARG -eq 37 ] ; then
tests[37]="qemu-guest-agent and ports - libvirtguest "
ser=qemu-guest-agent
proxy_rc_service $ser status >/dev/null || proxy_rc_service $ser start
proxy_rc_service $ser status >/dev/null || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval $ser status
[ -z "$ALL" ] && exit $ARG$retval || continue
}
[ -d /dev/virtio-ports ] || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval /dev/virtio-ports
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP=""
elif [ $ARG -eq 38 ] ; then
tests[38]="qemu-guest-agent and ports - libvirthost whonix "
[ $USER = root ] || continue
$PL proxy_libvirt_list
aret=$?
if [ $aret -eq 10 ] ;then
WARN proxy_libvirt_status hung
elif [ $aret -ne 10 -a $aret -ne 0 ] ; then
DBUG proxy_libvirt_status aret=$aret
else
$PL proxy_libvirt_list | grep -q "$GATEW_DOM" || {
ERROR MODE=$MODE and $GATEW_DOM not running ;
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
fi
elif false ; then
if ! grep -q '10.152.152.10\|127.0.0.1' /etc/resolv.conf ; then
$NETS | grep -q :53 || {
ERROR $prog retval=$? test=$ARG local resolv.conf but :53 not running
[ -z "$ALL" ] && exit 1 || continue
}
fi
fi
[ -n "$GREP" ] && [ $DMESG_LINES -gt 0 ] && \
DBUG `dmesg|tail|grep $GREP|tail -$DMESG_LINES`
done
exit 0
1)
env https_proxy=http://${SOCKS_HOST}:${HTTPS_PORT} wget $D -O - --no-check-certificate
2)
curl $D -k --proxy
3)
curl $D -k --proxy socks5://${SOCKS_HOST}:$SOCKS_PORT --proxy-insecure
5)
nslookup -port=$SOCKS_DNS www.whatismypublicip.com ${SOCKS_HOST} \
6)
curl -k --proxy $HTTP_PORT
16)
nslookup $PRIV_BIN_OWNER
18)
ntpdate as sroot
19)
curl raw noproxy
0)
usage
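Review bot: The negative firewall test `tests[31]` can never fail: `--noproxy` takes a required host-list argument, so `proxy_ping_curl --noproxy http://${HTTP_HOST}:$HTTP_PORT` consumes the URL as that list, curl exits with "no URL specified", the `&& { ERROR PANIC ... }` branch is never taken and the run logs INFO even when polipo is reachable without the proxy; it should read `proxy_ping_curl --noproxy '*' http://${HTTP_HOST}:$HTTP_PORT >/dev/null && {`. In the same pattern (tests 19 and 31) `retval=$?` is taken after the `&&`, so it is always 0 and the PANIC message cannot show the real status. Two typos also break the positive tests: `DNS_HOST2="8.8.8.8"ggggg` yields an unresolvable `8.8.8.8ggggg` for every `ping` in `proxy_do_ping`, and `n--dns-interface virbr1` in test 3 hands `n--dns-interface` to curl as a second URL (the ERROR line just below spells it correctly). Finally the `ARG -eq 7` branch assigns `tests[8]` instead of `tests[7]`, and the stray `r` before the `for elt` loop in `proxy_ping_test_set_args` runs as a command and should be deleted.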


@ -0,0 +1,10 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
sh $PREFIX/bin/proxy_ping_test.bash wifi || exit 1
sh $PREFIX/bin/proxy_ping_test.bash tor || exit 2
exec $PREFIX/bin/python3.7.sh $PREFIX/bin/sdwdate_.py "$@"
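Review bot: `sh $PREFIX/bin/proxy_ping_test.bash wifi` runs a `.bash` script under `sh`, which fails on hosts where `/bin/sh` is dash as soon as the ping test uses a bash-only construct (the ping-test code at the top of this commit indexes a `tests` array, which plain sh does not have); the `#!/bin/sh` wrapper at the end of this commit repeats the same pattern three times. Invoke the interpreter the script is written for, `bash "$PREFIX/bin/proxy_ping_test.bash" wifi || exit 1`, or drop the explicit interpreter and let the script's own shebang apply. Quoting `"$PREFIX"` in the `exec` line as well keeps the wrapper correct if PREFIX is ever pointed somewhere with spaces.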


@ -0,0 +1,69 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
# https://medium.com/@appmattus/android-security-ssl-pinning-1db8acb6621e
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/proxy_ping_lib.bash || \
{ ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
. /usr/local/bin/usr_local_base.bash || exit 2
proxy_ping_mode
#? . /usr/local/bin/proxy_export.bash $MODE
. /usr/local/bin/usr_local_base.bash || exit 2
CERT=$( proxy_ping_update_cacert )
[ "$?" -ne 0 -o -n "$CERT" ] && CAFILE=$CERT || \
CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
openssl=openssl
OPENSSL_ARGS="-4 --CAfile $CAFILE -bugs -showcerts"
if [ -n "$https_proxy" ] ; then
HTTPS_HOST=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/https* //' -e 's/ .*//' )
HTTPS_PORT=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
OPENSSL_ARGS="$OPENSSL_ARGS -proxy ${HTTPS_HOST}:$HTTPS_PORT"
elif [ -n "$socks_proxy" ] ; then
SOCKS_HOST=$( echo $socks_proxy|sed -e 's/.*@//' -e 's@/@@g' -e 's/:/ /g' -e 's/socks5* //' -e 's/ .*//' )
SOCKS_PORT=$( echo $socks_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
# check /etc/tor/torsocks.conf
openssl='torsocks openssl'
fi
OUTR=/tmp/$prog$$
for item in "$@" ; do
i=0
OUTRF=$OUTR.$item
INFO openssl s_client -connect ${item}:443 -servername $item $OPENSSL_ARGS
$openssl s_client -connect ${item}:443 -servername $item $OPENSSL_ARGS \
</dev/null 2>$OUTRF.err >$OUTRF.out
[ $? -eq 0 ] || {
retval=$?
ERROR $prog $retval see $OUTRF.err
cat $OUTRF.err
exit 1$retval
}
[ -s $OUTRF.out ] || { ERROR $prog empty $OUTRF.out ; exit 2 ; }
sed -n '/Certificate chain/,/Server certificate/p' $OUTRF.out >$OUTRF.chain
DBUG $prog Certificate chain:
grep '^ [0-9][0-9]* ' $OUTRF.chain
INFO $prog Base64 Certificate sha256 digests:
rest=$( cat $OUTRF.chain )
while [[ "$rest" =~ '-----BEGIN CERTIFICATE-----' ]] ; do
cert="${rest%%-----END CERTIFICATE-----*}-----END CERTIFICATE-----"
rest=${rest#*-----END CERTIFICATE-----}
echo $( echo "$cert" | grep 's:' | sed 's/.*s:\(.*\)/\1/' ) echo "$cert" |
openssl x509 -pubkey -noout |
openssl rsa -pubin -outform der 2>/dev/null |
openssl dgst -sha256 -binary | openssl enc -base64
done
# rm -f $OUTRF.chain $OUTRF.out $OUTRF.err
done
exit 0
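Review bot: The pipeline that prints each SPKI digest is mis-joined: `echo $( ... ) echo "$cert" |` feeds the subject line, the literal word `echo` and the PEM text into `openssl x509` as one stream whose first line no longer starts with `-----BEGIN CERTIFICATE-----`, so neither the subject nor the digest comes out as intended; split it into `echo "$(echo "$cert" | grep 's:' | sed 's/.*s:\(.*\)/\1/')"` and `echo "$cert" |` on the following line. `openssl rsa -pubin -outform der` only converts RSA keys, so a chain with an ECDSA leaf or intermediate yields an empty digest with the error hidden by `2>/dev/null`; `openssl pkey -pubin -outform der 2>/dev/null |` handles both key types and emits the same SubjectPublicKeyInfo DER for RSA. `[ $? -eq 0 ] || { retval=$?` stores the status of the `[` test (always 1) rather than of `s_client`, so the script always exits 11 on a connection failure — assign `retval=$?` on the line directly after the `$openssl s_client` command and test `$retval`; the ping-test file at the top of this commit has the same pattern in its `tor-resolve` and `qemu-guest-agent` checks. `OUTR=/tmp/$prog$$` is a predictable path that is then opened with `>`; `OUTR=$(mktemp -d) || exit 2` avoids writing through a file another user placed there.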


@ -0,0 +1,351 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
NOW=$( date -u +%y-%m-%d_%H%m )
DEBUG=1
PROXY_WLAN=wlan4
prog=$( basename $0 .bash )
# SocksPolicy Accept in /etc/tor/torrc - required and works with sslscan
ip route | grep ^default || { ERROR "not connected" ; exit 1 ; }
PATH=$PATH:/sbin
BADSSL_SITES=(
self-signed.badssl.com
expired.badssl.com
mixed.badssl.com
rc4.badssl.com
hsts.badssl.com
)
badssl=0
[ "$#" -eq 0 ] && badssl=1
# tests="$MODE"
tests=""
nodig=1
verbosity=2
outdir=/tmp
timeout=20
#[ -f /usr/local/etc/testforge/testforge.bash ] && \
# . /usr/local/etc/testforge/testforge.bash
. /usr/local/bin/proxy_ping_lib.bash || \
{ ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
if [ -f /usr/local/etc/ssl/cacert-testforge.pem ] ; then
CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
else
CERT=$( proxy_ping_update_cacert )
[ "$?" -ne 0 -o -n "$CERT" ] && CAFILE=$CERT || \
CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
fi
[ -z "$MODE" ] || MODE=`proxy_ping_mode`
if [ "$MODE" = tor ] ; then
[ -z "PROXY_WLAN" ] && PROXY_WLAN=`proxy_get_if`
[ -z "PROXY_WLAN" ] && { ERROR " error getting device $?" ; exit 3 ; }
if ip route | grep ^def ; then
PROXY_WLAN_IP=$( proxy_get_wlan_ip )
[ -n "$PROXY_WLAN_IP" ] || { ERROR "no PROXY_WLAN_IP" ; exit 4 ; }
fi
fi
usage() {
echo "Usage: $0 [OPTIONS] dirs-or-files"
echo
echo " -B | --badssl - test badssl.org sites"
echo " -D | --nodig - no dig sites"
echo " -T | --tests - ping tests to run first"
echo " -o | --outdir=/tmp - output directory"
echo " -v | --verbosity=$verbosity - verbosity 0 least 5 most"
echo
echo " -V | --version - print version of this script"
echo " -h | --help - print this help"
}
SHORTOPTS="hVBDT:v:"
LONGOPTS="help,version:,badssl,nodig,tests:,verbosity:"
HOSTS=
ARGS=$(getopt --options $SHORTOPTS --longoptions $LONGOPTS -- "$@")
[ $? != 0 ] && { ERROR "error parsing getopt" ; exit 5 ; }
eval set -- "$ARGS"
while true; do
case "$1" in
# -t --tests
-o|--outdir)
shift
outdir="$1"
;;
-v|--verbosity)
shift
verbosity="$1"
;;
-B|--badssl)
badssl=1
;;
-D|--nodig)
nodig=1
;;
-T|--tests)
shift
tests="$1"
;;
-V|--version)
usage
exit 0
;;
-h|--help)
usage
exit 0
;;
'--')
shift
HOSTS="$*"
break
;;
*)
{ ERROR "unrecognized arguments $*" ; exit 6 ; }
break
;;
esac
shift
done
[ $badssl -ne 0 ] && HOSTS="${BADSSL_SITES[*]}"
[ -z "$HOSTS" ] && { ERROR "no arguments $*" ; exit 0 ; }
[ -d "$outdir" ] || mkdir -p "$outdir" || { ERROR "mkdir $outdir" ; exit 7 ; }
kill_time=$( expr $timeout + 10 )
[ -z "$tests" ] || \
for elt in $tests ; do
/usr/local/bin/proxy_ping_test.bash $elt || exit 9$?
done
if which sslscan 2>/dev/null ; then
sslscan='sslscan'
SSLSCAN_ARGS="-4 --show-client-cas --show-certificate --bugs --timeout $timeout --tlsall --show-ciphers --no-colour --verbose"
else
# no proxy support
sslscan=''
fi
# sslscan --show-client-cas - no proxy
openssl=openssl
OPENSSL_ARGS="-4 -bugs -showcerts"
if [ -e /dev/tcp ] && which testssl.bash 2>/dev/null ; then
testssl='testssl.bash'
TESTSSL_ARGS="--connect-timeout $timeout --openssl-timeout $timeout --standard --vulnerable"
#? --ssl-native
TESTSSL_ARGS="$TESTSSL_ARGS --add-ca $CAFILE --assume-http --hints --color=0 --append"
else
# no proxy support
testssl=''
fi
if [ -f /usr/local/bin/scurl.bash ] ; then
curl="/usr/local/bin/scurl.bash -- -s -S"
else
curl='curl -s -S'
fi
CURL_ARGS="-vvv --cacert $CAFILE --cert-status --connect-timeout $timeout"
if [ -f /var/local/bin/analyze-ssl.pl.bash ] ; then
analyze=/var/local/bin/analyze-ssl.pl.bash
ANALYZE_ARGS="-v --timeout $timeout --CApath $CAFILE --all-ciphers"
else
analyze=""
fi
warns=0
OUTR=$outdir/$prog-$NOW
if [ $nodig -eq 0 ] ; then
for item in $HOSTS ; do
i=0
OUTRF=$OUTR.$item
if [ $MODE = tor ] ; then
torresolve $item > $OUTRF.dig.out 2>&1
retval=$?
[ $retval -ne 0 ] && ERROR "torresolve $item $? - see $OUTRF.dig.out" && exit 1$?
elif false ; then
nslookup $item > $OUTRF.nslookup.out 2>&1
#?[ $? -eq 0 ] || WARN "nslookup $item $? - see $OUTRF.nslookup.out"
#?grep NXDOMAIN "$OUTRF.nslookup.out" && WARN "nslookup $item NXDOMAIN - see $OUTRF.nslookup.out"
else
dig $item > $OUTRF.dig.out 2>&1
[ $? -ne 0 ] && ERROR "dig $item $? - see $OUTRF.dig.out" && exit 1$?
grep 'ANSWER: 1' "$OUTRF.dig.out" || ERROR "dig $item no ANSWER - see $OUTRF.dig.out" && exit 2$?
fi
done
fi
# [ -r /etc/tor/torrc ]
# was https take precedence over socks
if [ -n "$socks_proxy" ] ; then
SOCKS_HOST=$( echo $socks_proxy|sed -e 's/.*@//' -e 's@/@@g' -e 's/:/ /g' -e 's/socks5* //' -e 's/ .*//' )
SOCKS_PORT=$( echo $socks_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
openssl='torsocks openssl'
# --interface lo --dns-interface lo
[ -n "$analyze" ] && analyze="torsocks $analyze"
[ -n "$testssl" ] && testssl="torsocks $testssl"
[ -n "$sslscan" ] && sslscan="torsocks $sslscan"
if [ $MODE = tor -o $MODE = selektor ] ; then
sudo grep -q "SocksPolicy *accept *$PROXY_WLAN_IP" /etc/tor/torrc || \
{ WARN "need SocksPolicy accept $PROXY_WLAN_IP in /etc/tor/torrc" ; }
fi
CURL_ARGS="$CURL_ARGS --proxy $socks_proxy "
if [ ${HTTPS_HOST} = 127.0.0.1 ] ; then
CURL_ARGS="$CURL_ARGS --interface"
fi
if netstat -nle4 | grep 127.0.1:53 ; then
CURL_ARGS="$CURL_ARGS --dns-interface lo"
fi
elif [ -n "$https_proxy" ] ; then
HTTPS_HOST=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/https* //' -e 's/ .*//' )
HTTPS_PORT=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
OPENSSL_ARGS="$OPENSSL_ARGS -proxy ${HTTPS_HOST}:$HTTPS_PORT"
TESTSSL_ARGS="$TESTSSL_ARGS --proxy=auto"
CURL_ARGS="$CURL_ARGS --proxy http://${HTTPS_HOST}:$HTTPS_PORT"
ANALYZE_ARGS="$ANALYZE_ARGS --starttls http_proxy:${HTTPS_HOST}:$HTTPS_PORT"
[ -n "$testssl" ] && testssl="torsocks $testssl"
[ -n "$sslscan" ] && sslscan="torsocks $sslscan"
else
: direct
fi
TENVS="DNS_VIA_PROXY=true"
errs=0
for CAFILE in /etc/ssl/certs/ca-certificates.crt /usr/local/etc/ssl/cacert-testforge.pem ; do
[ -f $CAFILE ] || { ERROR "CAfile not found $CAFILE" ; exit 8; }
for item in $HOSTS ; do
i=0
OUTRF=$OUTR.$item
if [ -n "$openssl" ] ; then
INFO "$openssl s_client -connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE"
echo $openssl s_client \
-connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE \
< /dev/null > $OUTRF.s_client.out
timeout ${kill_time}s \
$openssl s_client \
-connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE \
< /dev/null >> $OUTRF.s_client.out 2>&1
# :error:\|
if [ $? -eq 124 ] ; then
echo "DEBUG: timeout openssl s_client failed $? see $OUTRF.s_client.out"
elif [ $? -ne 0 ] ; then
WARN "openssl s_client failed $? see $OUTRF.s_client.out"
i=$( expr $i + 1 )
elif str='unable to get local issuer certificate' && \
grep "$str" $OUTRF.s_client.out; then
WARN "openssl s_client failed - $str see $OUTRF.s_client.out"
i=$( expr $i + 1 )
elif str='Cipher is (NONE)' && \
grep "$str" $OUTRF.s_client.out; then
WARN "openssl s_client failed - $str see $OUTRF.s_client.out"
i=$( expr $i + 1 )
elif str='SSL handshake has read 0 bytes' && \
grep "$str" $OUTRF.s_client.out; then
WARN "openssl s_client failed - $str see $OUTRF.s_client.out"
i=$( expr $i + 1 )
else
echo "DEBUG: openssl s_client -showcerts $OPENSSL_ARGS --CAfile $CAFILE $item"
timeout ${kill_time}s \
$openssl s_client -showcerts \
-connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE < /dev/null \
> $OUTRF.s_client.certs 2>&1
fi
fi
if [ -n "$sslscan" ] ; then
echo $sslscan $SSLSCAN_ARGS --certs $CAFILE --sni-name $item $item > $OUTRF.sslscan.out
timeout ${kill_time}s \
$sslscan $SSLSCAN_ARGS --sni-name $item $item >> $OUTRF.sslscan.out 2>&1
if [ $? -eq 124 ] ; then
echo "DEBUG: timeout sslscan failed $? see $OUTRF.sslscan.out "
elif [ $? -ne 0 ] ; then
WARN "sslscan failed $? see $OUTRF.sslscan.out "
i=$( expr $i + 1 )
elif grep 'SSL Certificate' $OUTRF.sslscan.out ; then
WARN "sslscan failed see $OUTRF.sslscan.out "
i=$( expr $i + 1 )
elif grep 'Connection failed' $OUTRF.sslscan.out ; then
# tail -1 $OUTRF.sslscan.out | grep 'Supported Server Cipher'
WARN "sslscan failed see $OUTRF.sslscan.out "
i=$( expr $i + 1 )
else
INFO "$sslscan $SSLSCAN_ARGS $item"
fi
fi
if [ -n "$testssl" -a -n "$https_proxy" ] ; then
# rDNS (140.82.114.3): lb-140-82-114-3-iad.github.com.testssl.sh: line 10330: /dev/tcp/140.82.114.3/443: No such file or directory
echo $TENVS $testssl $TESTSSL_ARGS $item > $OUTRF.testssl.out
env $TENVS $testssl $TESTSSL_ARGS $item >> $OUTRF.testssl.out 2>&1
if [ $? -ne 0 ] ; then
WARN "testssl failed $? see $OUTRF.testssl.out"
i=$( expr $i + 1 )
elif grep ': unable to\| error:\|doesn.t seem to be a TLS/SSL enabled server' $OUTRF.testssl.out; then
WARN "testssl failure see $OUTRF.testssl.out"
i=$( expr $i + 1 )
else
INFO "$testssl $TESTSSL_ARGS $item"
echo "DEBUG: $testssl $TESTSSL_ARGS --jsonfile-pretty $OUTRF.testssl.json $item"
env $TENVS $testssl $TESTSSL_ARGS --jsonfile-pretty $OUTRF.testssl.json $item > $OUTRF.testssl-json.out 2>&1
fi
fi
if [ -n "$curl" ] ; then
DBUG $TENVS $curl $CURL_ARGS -o /dev/null https://$item/
env $TENVS $curl $CURL_ARGS -o /dev/null https://$item/ > $OUTRF.curl-vvv.out 2>&1
if [ $? -eq 0 ] ; then
grep 'SSL certificate problem:' $OUTRF.curl-vvv.out && \
{ WARN "curl -vvv failed $? see $OUTRF.curl-vvv.out" ;
i=$( expr $i + 1 ) ; } || \
INFO $curl $CURL_ARGS $item
else
INFO $curl $CURL_ARGS $item
fi
fi
if [ -n "$analyze" ] ; then
timeout ${kill_time}s \
$analyze $ANALYZE_ARGS --name $item ${item}:443 \
> $OUTRF.analyze-ssl.out 2>&1
# certificate verified : ok
if [ $? -eq 124 ] ; then
echo "DEBUG: timeout $analyze $ANALYZE_ARGS $item"
elif [ $? -eq 0 ] ; then
INFO "$analyze $ANALYZE_ARGS $item"
else
WARN "$analyze failed $? see $OUTRF.analyze-ssl.out"
i=$( expr $i + 1 )
fi
fi
[ $i -eq 0 ] && continue
WARN "$i failures for $item"
errs=$(expr $errs + $i )
DBUG $OUTRF.*.out
done
done
find $OUTRF.* -type f -empty -delete
exit $errs
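Review bot: The `if [ $? -eq 124 ] ; then … elif [ $? -ne 0 ]` chains after the `timeout` invocations (openssl s_client, sslscan and analyze-ssl blocks) compare the exit status of the preceding `[` rather than of the tool: when the tool succeeds the first test fails, `$?` becomes 1, and the `elif` logs a failure and bumps `$i`, while in the analyze-ssl block `elif [ $? -eq 0 ]` can never be true. Save the status once with `retval=$?` on the line after each `timeout` command and compare `$retval` in every branch, e.g. `if [ $retval -eq 124 ] ; then` / `elif [ $retval -ne 0 ] ; then`. The curl block has the inverse defect: a non-zero curl exit falls into the `else` arm that logs `INFO` and leaves `$i` unchanged, so a certificate-verification failure against a badssl host is counted as a pass; that arm should `WARN` and increment `$i`. ``[ -z "$MODE" ] || MODE=`proxy_ping_mode` `` is inverted (it only queries the mode when MODE is already set) and `[ -z "PROXY_WLAN" ]` tests a literal string, so with an empty MODE the later `[ $MODE = tor ]` comparisons are malformed and `$HTTPS_HOST` is compared in the socks branch where it is never assigned. The `grep 'ANSWER: 1' … || ERROR … && exit 2$?` line exits on success as well as failure because `||` and `&&` bind left to right, though that path is currently unreachable since nothing sets `nodig=0`.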


@ -0,0 +1,137 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
USAGE="host|to_tor|tor|from_tor|client|whonix|gateway|vda|nat|workstation|ping|ssl|status|test|refresh|update|up|down"
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
[ $( id -u ) -eq 0 ] || { ERROR $prog should be run as root ; exit 1 ; }
. /usr/local/sbin/proxy_whonix_lib.bash || \
{ ERROR loading /usr/local/sbin/proxy_whonix_host_lib.bash ; exit 2; }
#. /usr/local/bin/proxy_ping_lib.bash || \
# { ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
. /usr/local/bin/usr_local_base.bash || exit 2
proxy_whonix_mode
## proxy_whonix_test_mode - proxy_whonix_host.bash test
proxy_whonix_test_mode () { DBUG proxy_whonix_test_mode $* ;
if [ $MODE = tor -o $MODE = whonix -o $MODE = host ]; then
/usr/local/sbin/proxy_whonix_host.bash test || return 1$?
fi
return 0
}
## proxy_whonix_status - proxy_ping_test.bash "$MODE"
proxy_whonix_status () { DBUG proxy_whonix_status $* ;
$PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$?
return 0
}
## proxy_whonix_refresh
proxy_whonix_refresh () { DBUG proxy_whonix_refresh $* ;
local USAGE="python|pip"
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $USAGE
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
elif [ "$1" = 'python' ] ; then
/usr/local/bin/testforge_clean_usr_local_lib.bash
elif [ "$1" = 'pip' ] ; then
/usr/local/bin/base_pip_upgrade.bash -p 2 -i 0
/usr/local/bin/base_pip_upgrade.bash -p 3 -i 0
base_sheebang_after_pip.bash
else
:
fi
}
UPGRADE_USAGE="python|pip"
## proxy_whonix_update - $UPGRADE_USAGE
proxy_whonix_update() {
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $UPGRADE_USAGE
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
elif [ "$1" = 'python' ] ; then
:
elif [ "$1" = 'pip' ] ; then
:
else
:
fi
}
TEST_USAGE="ssl|ping|mode|libvirt|ga"
## proxy_whonix_test - test $TEST_USAGE
proxy_whonix_test () { DBUG proxy_whonix_test $* ;
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $TEST_USAGE
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
elif [ "$1" = 'ssl' ] ; then
$PREFIX/sbin/proxy_test_ssl.bash "$@" || exit 3$?
elif [ "$1" = 'mode' ] ; then
proxy_whonix_test_mode || exit 4$?
elif [ "$1" = 'ping' ] ; then
$PREFIX/sbin/proxy_ping_test.bash "$@" || exit 4$?
elif [ "$1" = 'libvirt' ] ; then
$PREFIX/bin/proxy_ping_lib.bash proxy_libvirt_test || exit 5$?
elif [ "$1" = 'ga' ] ; then
$PREFIX/bin/proxy_libvirt_ga_test.bash || exit 5$?
else
:
fi
return 0
}
WD=$PWD
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $USAGE
exit 0
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
grep '^## ' $0 | sed -e 's/^## //'
exit 0
elif [ "$1" = client ] ; then
shift
elif [ "$1" = ws -o "$1" = 'workstation' -o "$1" = 'gateway' ] ; then
[ $1 = ws ] && arg=workstation || arg=$1
shift
$PREFIX/sbin/proxy_whonix_guest_$arg.bash "$*" || exit 3$?
elif [ 'to_tor' -o "$1" = 'tor' -o "$1" = 'from_tor' -o "$1" = 'whonix' ] ; then
$PREFIX/sbin/proxy_whonix_host.bash "$@" || exit $?
elif [ "$1" = host ] ; then
shift
$PREFIX/sbin/proxy_whonix_host.bash "$@" || exit $?
elif [ "$1" = refresh -o "$1" = update -o "$1" = 'test' -o "$1" = 'status' ] ; then
arg=$1;shift
proxy_whonix_$arg "$@"
elif [ "$1" = 'down' -o "$1" = 'up' ] ; then
arg=$1;shift
proxy_whonix_$arg "$@"
elif [ "$1" = hourly -o "$1" = 'refresh' ] ; then
:
else
DBUG $prog $*
eval "$@"
exit $?
fi
exit 0
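Review bot: `elif [ 'to_tor' -o "$1" = 'tor' -o … ]` tests the non-empty literal `'to_tor'`, which is always true, so every argument not caught by the `client`/`ws`/`workstation`/`gateway` arms is routed to `proxy_whonix_host.bash` and the `host`, `refresh`, `update`, `test`, `status`, `up` and `down` arms are unreachable; it should read `elif [ "$1" = 'to_tor' -o "$1" = 'tor' -o "$1" = 'from_tor' -o "$1" = 'whonix' ] ; then`. Once that is fixed the final `else` arm becomes reachable, and it runs `eval "$@"` in a script that insists on being root, so any unrecognised first argument is executed as shell code with root privileges; replacing it with `ERROR $prog unknown command "$1" ; exit 1` keeps the dispatcher limited to the commands listed in `$USAGE`. The `ERROR loading` message on the source line names `proxy_whonix_host_lib.bash` while the file actually sourced is `proxy_whonix_lib.bash`. The `ssl` and `ping` arms of `proxy_whonix_test` forward `"$@"` without a `shift`, so the subcommand word itself becomes the first argument of the test script — presumably unintended, given the top-level dispatcher shifts before delegating.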


@ -0,0 +1,254 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
# must not use stdout
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
prog=scurl
umask 022
RETRIES=2
SSL_VER=3
. /usr/local/bin/proxy_ping_lib.bash
[ -f /usr/local/bin/proxy_curl_lib.bash ] && \
. /usr/local/bin/proxy_curl_lib.bash
if ! route | grep -q ^def ; then
WARN $prog we are not connected >&2
exit -1
fi
usage="curls with some wget options
Usage: $prog options -- curl-options
Options:
-P, --directory-prefix
-X, --force-directories create directories to download to
-C, --cacert CA certs in .pem
-M, --mode proxy_ping_mode
-S, --ssl ssl version 2=tls1.2 3=tls1.3
-Y, --ciphers comma sep list of ciphers
-Q, --quiet --silent --show-error
-h, --help display this help and exit
"
if [[ $? -ne 0 ]]; then
echo "$usage"
exit 2
fi
declare -a LARGS
# --location is required to follow redirects
# im not sure about --http2
LARGS+=( --remote-time --location --max-redirs 10 --continue-at - )
LARGS+=( --retry-delay 10 --show-error --fail )
# --proto-redir https --proto =https is required to prevent protocol downgrades
LARGS+=( --proto-redir https --proto-default https --proto =https )
[ -z "$MODE" ] && MODE=$( /usr/local/bin/proxy_ping_lib.bash proxy_ping_mode )
[ -z "$socks_proxy" ] && . /usr/local/bin/proxy_export.bash
SSL_LIB=openssl # nss
if [ -x /var/local/bin/curl.bash ] ; then
EXE=/var/local/bin/curl.bash
elif which scurl ; then
EXE=`which scurl`
else
EXE=curl
fi
SHORT=M:QP:XC:F:hS:
LONG=mode:,quiet,directory-prefix:,force-directories,cacert,ca-cert:,help,ssl:
#? export POSIXLY_CORRECT=1
PARSED=$(getopt --options $SHORT --longoptions $LONG --name "$prog" -- "$@")
eval set -- "$PARSED"
P="$PWD"
X="0"
# echo DEBUG: WD=$WD rest=$*
LOGF=/tmp/$prog$$.err
SSL_CIPHERS=""
while true; do
case "$1" in
-P|--directory-prefix)
shift
P="$1"
shift
# echo DEBUG: P=$WD rest=$*
;;
-X|--force-directories)
X=1
shift
;;
-S|--ssl)
shift
SSL_VER="$1"
shift
;;
-Y|--ciphers)
shift
SSL_CIPHERS="$1"
shift
;;
-C|--cacert|-Z|--ca-cert)
shift
CA_CERT="$1"
shift
;;
-M|--mode)
shift
MODE="$1"
shift
;;
-Q|--quiet)
shift
LARGS="$LARGS --silent --show-error"
;;
-h|--help)
echo USAGE: "$usage"
exit 0
;;
--)
shift
break
;;
*)
# echo ERROR: unhandled arguments $* - use -- after -P $PWD or -X ; exit 3
break
;;
esac
done
[ "$SSL_VER" -ge 2 -a "$SSL_VER" -le 3 ] || { ERROR "SSL_VER $SSL_VER" ; exit 6 ; }
LARGS+=( --tlsv1.$SSL_VER )
if [ -n "$SSL_CIPHERS" -a "$SSL_VER" = 2 ] ; then
[ $SSL_LIB = openssl ] && \
SSL_CIPHERS="ECDHE-RSA-AES256-SHA" # ECDHE-RSA-AES256-GCM-SHA384
[ $SSL_LIB = nss ] && \
SSL_CIPHERS="ecdhe_rsa_aes_256_sha"
fi
if [ -n "$SSL_CIPHERS" -a "$SSL_VER" = 3 ] ; then
[ $SSL_LIB = openssl ] && \
SSL_CIPHERS="TLS_AES_256_GCM_SHA384" # TLS_CHACHA20_POLY1305_SHA256
[ $SSL_LIB = nss ] && \
SSL_CIPHERS="aes_256_gcm_sha_384"
fi
[ -n "$SSL_CIPHERS" ] && LARGS+=( --ciphers "$SSL_CIPHERS" )
if [ "$MODE" = tor -o "$MODE" = selektor -o "$MODE" = whonix ] && \
netstat -nle4 | grep -q 127.0.0.1:53 ; then
LARGS+=( --dns-ipv4-addr 127.0.0.1 --dns-servers 127.0.0.1 )
elif [ "$MODE" = whonix ] && ifconfig virbr1 | grep -q 10.0.2.2 ; then
LARGS+=( --dns-ipv4-addr 10.0.2.15:9053 --dns-servers 10.0.2.15:9053 )
else
debug 127.0.0.1:53 not running MODE=$MODE
fi
if ! uname -a | grep -q 'Devuan\|Debian' ; then
if [ -f $HOME/.local/ ] ; then
[ -f $HOME/.local/alt.svc ] || touch $HOME/.local/alt.svc
LARGS+=( --alt-svc $HOME/.local/alt.svc )
# #define CURLALTSVC_H2 (1<<4)
fi
export CURLOPT_ALTSVC_CTRL=16
fi
declare -a RARGS
RARGS=("$@")
DBUG "$#" "${RARGS[*]}" >&2
i=0
while [ $i -le $RETRIES ] ; do
# assumes one URL
if [ "${#RARGS[@]}" -eq 1 ] ; then
the_url=`sed -e 's@http://@https://@g' -e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' -e 's@https*://gentoo.osuosl.org@https://mirror.leaseweb.com/gentoo@g' <<< "${RARGS[*]}"`
else
the_url=`sed -e 's@http://@https://@' -e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' -e 's@https*://gentoo.osuosl.org@https://mirror.leaseweb.com/gentoo@g' <<< "${RARGS[-1]}"`
fi
RARGS[-1]="$the_url"
site=`sed -e 's@https*://@@g' -e 's@/.*@@' <<< $the_url`
i=`expr $i + 1`
if [ "$X" = 1 ] ; then
rel_file=$( sed -e 's@^file://*@@' -e 's@^https*://*@@' -e 's@[&?#].*@@' <<< $the_url )
rel_dir=$( sed -e 's@/$@@' <<< $rel_file )
rel_dir=$( sed -e 's@/[^/]*$@@' <<< $rel_dir )
[ -d "$P/$rel_dir" ] || mkdir -p "$P/$rel_dir"
output=`sed -e 's/[!:?#]/_/g' <<< "$P/$rel_file"`
LARGS+=( --output "$output" --create-dirs )
fi
DBUG $EXE "${LARGS[@]}" "${RARGS[@]}" >&2
echo $EXE "${LARGS[@]}" "${RARGS[@]}" > $LOGF
$EXE "${LARGS[@]}" "${RARGS[@]}" >> $LOGF 2>&1
retval=$?
if [ "$retval" -eq 22 ] || \
tail -4 $LOGF | grep -q 'The requested URL returned error:'; then
# on 22 - change to HTTP code
code=`tail -4 $LOGF | grep 'The requested URL returned error:' | sed -e 's/.*returned error: //' -e 's/ *$//'`
if [ "$code" = 416 ] ; then
INFO "$prog retval=$retval code=$code ${HTTP_RESPONSE[416]} $the_url = $LOGF" >&2
retval=$code
elif [ "$code" = 429 ] ; then
ERROR "$prog retval=$retval code=$code ${HTTP_RESPONSE[$code]} $the_url = $LOGF" >&2
retval=$code
exit $retval
elif [ -n "$code" ] && [ "$code" -ge 400 ] ; then
# 403 Cloudflare
ERROR "$prog retval=$retval code=$code ${HTTP_RESPONSE[$code]} $the_url = $LOGF" >&2
retval=$code
elif [ -n "$code" ] && [ "$code" -lt 400 ] ; then
INFO "$prog retval=$retval code=$code ${HTTP_RESPONSE[$code]} $the_url = $LOGF" >&2
else
WARN "$prog retval=$retval \"$code\" $the_url = $LOGF" >&2
fi
elif [ "$retval" = 35 ] ; then
# 35 CURLE_SSL_CONNECT_ERROR
ERROR "$prog retval=$retval CURLE_SSL_CONNECT_ERROR $the_url = $LOGF" >&2
# feedback to scurl_urls.sh
NOTLSV3+=( $site )
elif [ "$retval" = 1 ] ; then
# retval=1 CURLE=CURLE_UNSUPPORTED_PROTOCOL - seems to be a transient error
WARN "$prog retval=$retval CURLE=${CURLE[$retval]} $the_url = $LOGF" >&2
continue
elif [ "$retval" = 92 ] ; then
# curl: (92) HTTP/2 stream 0 was not closed cleanly: INTERNAL_ERROR (err 2)
WARN "$prog retval=$retval CURLE=${CURLE[$retval]} $the_url = $LOGF" >&2
continue
elif [ "$retval" -ne 0 ] ; then
# curl: (3) URL using bad/illegal format or missing URL - worked
WARN "$prog retval=$retval CURLE=${CURLE[$retval]} $the_url = $LOGF" >&2
elif tail -3 $LOGF | grep -q "HTTP code 504 from proxy after CONNECT" ; then
WARN "$prog HTTP code 504 from proxy after CONNECT $the_url = $LOGF" >&2
continue
elif tail -3 $LOGF | grep -q "503 - Forwarding failure" ; then
WARN "$prog 503 - Forwarding failure $the_url = $LOGF" >&2
continue
else
INFO "$prog $output = $LOGF" >&2
# rm -f $LOGF
fi
break
# "$P/$rel_file"
# if [ $retval -gt 0 ] ; then
# The requested URL returned error: 416
# if [ $retval = 22 ] && [ "$code" = 416 ] && [ -f "$P/$rel_file" ] ; then
# fi
done
exit $retval
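Review bot: `LARGS="$LARGS --silent --show-error"` in the `-Q|--quiet` arm assigns a string to an array variable, which overwrites `LARGS[0]` with `--remote-time --silent --show-error` as a single word, so the quoted `"${LARGS[@]}"` expansion later hands curl one unknown option; use `LARGS+=( --silent --show-error )`. `CA_CERT` is set by `-C|--cacert` but never used, so the trust anchor the caller asks for is silently ignored and curl falls back to its default bundle; add `[ -n "$CA_CERT" ] && LARGS+=( --cacert "$CA_CERT" )` before the retry loop. The getopt specs do not match the `case` arms: `SHORT` has no `Y:` or `Z:`, `LONG` lists `cacert` without a trailing `:` and has no `ciphers:`, and the status of `getopt` is never checked before `eval set -- "$PARSED"`, so `-Y` is rejected and `--cacert` consumes no argument. `if [[ $? -ne 0 ]]` after the `usage=` assignment can never be true and is dead. `LOGF=/tmp/$prog$$.err` is a predictable path opened with `>`; `LOGF=$(mktemp /tmp/$prog.XXXXXX) || exit 2` avoids writing through a file placed there by another user.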


@ -0,0 +1,18 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
PREFIX=/usr/local
ROLE=proxy
if [ -x $PREFIX/bin/proxy_ping_test.bash ] ; then
if virsh|grep Whonix-Gateway ; then
sh $PREFIX/bin/proxy_ping_test.bash whonix || exit 1
else
sh $PREFIX/bin/proxy_ping_test.bash wifi || exit 1
sh $PREFIX/bin/proxy_ping_test.bash 30 || exit 2
fi
fi
export PYTHONPATH=$PREFIX/lib64/python3.7/site-packages
exec python3.sh $PREFIX/bin/sdwdate_.py "$@"
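Review bot: `virsh|grep Whonix-Gateway` runs `virsh` with no subcommand, which does not list domains — it enters its command shell (reading commands from stdin when not on a terminal) — so the test is unlikely to ever match and the wrapper falls through to the `wifi` branch; `virsh list | grep -q Whonix-Gateway` checks the running domains and keeps the output quiet. `PREFIX=/usr/local` is assigned twice in a row. `PYTHONPATH` is pinned to `$PREFIX/lib64/python3.7/site-packages` while the sibling wrapper earlier in this commit selects the interpreter through `$PREFIX/bin/python3.7.sh`; if the two are meant to stay in step a shared variable or comment naming the expected Python version would help. The `sh … .bash` invocations here have the same interpreter mismatch noted on the first `sdwdate` wrapper in this commit.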