emdee/proxy_role
1
0
Fork 0
Code Issues Pull requests Wiki Activity

bash

Browse source
This commit is contained in:
emdee 2024-01-09 15:35:38 +00:00
parent d29b1e4542
commit a354df3d40
63 changed files with 26542 additions and 453 deletions
Download patch file Download diff file Expand all files Collapse all files

35
overlay/Linux/usr/local/bin/curl.bash
View file

@ -2,16 +2,36 @@
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
ROLE=proxy
PREFIX=/usr/local
. /usr/local/bin/usr_local_tput.bash || exit 2
ip route | grep -q ^def || {
WARN we are not connected
WARN we are not connected >&2
exit 1
}
[ -f $HOME/.curlrc ] || touch $HOME/.curlrc
declare -a CURL_OPTS
# --silent --show-error
CURL_OPTS=( --fail-early --fail )
[[ "$*" =~ --http0.9 ]] || [[ "$*" =~ --http1 ]] || [[ "$*" =~ --http1.1 ]] || \
[[ "$*" =~ --http2 ]] || [[ "$*" =~ --http3 ]] || CURL_OPTS+=( --http0.9 )
[[ ! "$*" =~ --retry ]] && CURL_OPTS+=( --retry 3 )
[[ ! "$*" =~ -4 ]] && CURL_OPTS+=( -4 )
# [[ ! "$*" =~ --http2 ]] && CURL_OPTS+=( --http2 )
[[ ! "$*" =~ --max-redirs ]] && CURL_OPTS+=( --max-redirs 10 )
[[ ! "$*" =~ --location ]] && CURL_OPTS+=( --location )
[[ ! "$*" =~ --remote-time ]] && CURL_OPTS+=( --remote-time )
[[ ! "$*" =~ --create-dirs ]] && CURL_OPTS+=( --create-dirs )
if [[ "$socks_proxy" =~ socks5://.* ]] ; then
export socks_proxy="$( echo $socks_proxy | sed -e 's@socks5://@socks5h://@' )"
fi
if [[ ! "$*" =~ --proxy ]] && [ -n "$socks_proxy" ] ; then
CURL_OPTS+=( --proxy $socks_proxy )
[ -n "$https_proxy" ] && export https_proxy= && unset https_proxy
[ -n "$http_proxy" ] && export http_proxy= && unset http_proxy
@ -21,8 +41,14 @@ if [[ "$socks_proxy" =~ socks5://.* ]] ; then
elif [ -n "$http_proxy" ] ; then
CURL_OPTS+=( --proxy $http_proxy )
fi
export CURL_OPTS+=( -L )
if [ -d $HOME/.local/ ] ; then
[ -f $HOME/.local/jar.cookie ] || touch $HOME/.local/jar.cookie
[[ ! "$*" =~ --cookie-jar ]] && \
CURL_OPTS+=( --cookie-jar $HOME/.local/jar.cookie --junk-session-cookies )
fi
export CURL_OPTS+=( -L --remote-time )
if ! uname -a | grep -q 'Devuan\|Debian' && [ -s $HOME/.local/alt.svc ] ; then
export CURL_OPTS+=( --alt-svc $HOME/.local/alt.svc )
# #define CURLALTSVC_H2 (1<<4)
@ -41,5 +67,6 @@ if [[ ! "$*" =~ --capath ]] && \
export CURL_CA_BUNDLE=/usr/local/etc/ssl/cacert-testforge.pem
fi
echo INFO: curl $CURL_OPTS "$@"
exec curl $CURL_OPTS "$@"
export CURL_OPTS
DBUG /usr/bin/curl "${CURL_OPTS[@]}" "$@" >&2
exec /usr/bin/curl "${CURL_OPTS[@]}" "$@"

2
overlay/Linux/usr/local/bin/dirmngr.bash
View file

@ -31,7 +31,7 @@ if [ -n "$PROXY_WLAN" ] ; then
echo 1 > /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6
fi
route | grep -q ^default || { ERROR no route ; exit 1; }
grep -q "^wlan[1-9][ ]00000000" /proc/net/route || { ERROR no route ; exit 1; }
[ ! -x /usr/bin/netstat ] || \
netstat -nlp | grep -q 127.0.0.1:53 || { ERROR no nameserver ; exit 4; }

7
overlay/Linux/usr/local/bin/proxy_daily.bash
View file

@ -13,7 +13,8 @@ ROLE=proxy
# It is also run at the end of ansible_local.bash --tags daily to raise the issues.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
[ -f /usr/local/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash
MYID=$( id -u )
[ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ; exit 1 ; }
@ -34,8 +35,8 @@ rm -f $LOG_DIR/*${prog}_${ly}*.log
elt=doctest3
if [ $MYID -ne 0 ] && [ -f /var/local/bin/testforge_python_doctest3.bash ] ; then
/var/local/bin/testforge_python_doctest3.bash \
/var/local/share/doc/txt/proxy3.txt \
$PREFIX/bin/testforge_python_doctest3.bash \
/usr/local/share/doc/txt/proxy3.txt \
> "$LOG_DIR"/$ly/$elt$$.log 2>> $ELOG || ERROR $elt >> $ELOG
fi

2
overlay/Linux/usr/local/bin/proxy_dirmngr.bash
View file

@ -28,7 +28,7 @@ if [ -n "$PROXY_WLAN" ] ; then
echo 1 > /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6
fi
route | grep -q ^default || { ERROR no route ; exit 1; }
grep -q "^wlan[1-9][ ]00000000" /proc/net/route || { ERROR no route ; exit 1; }
[ -z "$USER" ] && USER=$(id -un )
if [ $USER = root ] ; then

15
overlay/Linux/usr/local/bin/proxy_dirmngr_test.bash
View file

@ -41,17 +41,21 @@ if [ -d /etc/pacman.d/gnupg ] ; then
fi
fi
if [ ! -f /etc/dirmngr/dirmngr.conf ] || \
grep ^keyserver /etc/dirmngr/dirmngr.conf ; then
echo ERROR: no ^keyserver in /etc/dirmngr/dirmngr.conf
exit 1
fi
GPG="gpg --verbose --home $HOMEDIR"
[ -f /etc/dirmngr/dirmngr.conf ] || { echo ERROR: no ^keyserver in /etc/dirmngr/dirmngr.conf ; exit 1 ; }
$GPG --refresh-keys --verbose
ps ax | grep /usr/bin/dirmngr.bin|grep -v grep|sed -e 's/ .*//'|xargs kill
grep '^keyserver hkp' /etc/dirmngr/dirmngr.conf| \
grep '^keyserver hkp' /etc/dirmngr/dirmngr.conf | \
sed -e 's@keyserver hkp://@@' | \
while read elt;do
while read elt ; do
for proxy in $PROXIES; do
echo 1 | http_proxy=$proxy $GPG --yes \
--debug-level guru \
@ -61,3 +65,4 @@ grep '^keyserver hkp' /etc/dirmngr/dirmngr.conf| \
done
done
/usr/local/bin/proxy_ping_test.bash dirmngr

235
overlay/Linux/usr/local/bin/proxy_hourly.bash
View file

@ -12,15 +12,25 @@ DEBUG=1
# It is also run at the end of ansible_local.bash --tags daily to raise the issues.
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash || exit 2
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ -f /usr/local/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash >/dev/null
. /usr/local/bin/proxy_export.bash
PL=/usr/local/bin/proxy_ping_lib.bash
. $PL
PL=
PLL=/usr/local/bin/proxy_libvirt_lib.bash
. $PLL
PLL=
DEBUG=1
declare -a BOX_NBD_OVERLAY_EXTERNAL
# fill this in with the ansible hosts.yml
BOX_NBD_OVERLAY_EXTERNALS=(
/o/var/local/src/play_tox/hosts.yml
/o/data/TestForge/src/ansible/hosts.yml
)
[ -z "$USER" ] && USER=$(id -un )
MYID=$( id -u )
[ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ; exit 1 ; }
@ -40,48 +50,113 @@ ELOG=$LOG_DIR/E${prog}_${ly}$$.log
WLOG=$LOG_DIR/W${prog}_${ly}$$.log
OUT=$LOG_DIR/O${prog}_${ly}$$.log
[ -f /usr/local/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash
export PATH=$PATH:/usr/local/bin
[ -n "$BASE_SRC_ANSIBLE" ] || BASE_SRC_ANSIBLE=/g/TestForge/src/ansible
[ -z "$MODE" ] && MODE=$( $PL proxy_ping_mode )
[ -n "$DEBUG" ] && echo >&2 DEBUG: $prog $ly MODE=$MODE 0=$0 "$#" "$@"
[ -z "$MODE" ] && exit 2
[ ! -d $LOG_DIR/ ] && mkdir -p $LOG_DIR && chmod 1777 $LOG_DIR
find $LOG_DIR/*${prog}_${ly}*.log -ctime +2 -delete
elt=proxy_export
DBUG elt=$elt
. /usr/local/bin/$elt.bash || exit 2
DBUG http_proxy=$http_proxy
DBUG https_proxy=$https_proxy
DBUG socks_proxy=$socks_proxy
IP=`ifconfig|grep -A1 'eth\|wlan'|grep inet|sed -e 's/.*inet //' -e 's/ .*//'`
DBUG external=$IP
GW=`ip route | grep ^def | sed -e 's/.*via //' -e 's/ .*//'`
DBUG gw=$GW
grep -q "^wlan[1-9][ ]00000000" /proc/net/route && ZERO_CONNECTED=0 || ZERO_CONNECTED=1
if [ $ZERO_CONNECTED == 0 ] ; then
/usr/local/bin/proxy_ping_test.bash $MODE 2>&1| grep ERROR: | tee $ELOG
[ -s $ELOG ] || INFO /usr/local/bin/proxy_ping_test.bash $MODE
fi
elt=/etc/ssl/certs
DBUG elt=$elt
if [ -d /etc/ssl/certs/ ] ; then
find -L /etc/ssl/certs/ -type l | tee -a $ELOG
find -L /etc/ssl/certs/ -type l -delete
else
WARN /etc/ssl/certs/ missing
fi
elt=route
DBUG elt=$elt
# ubuntu / devuan oddball
route | grep -q 'lo$' || \
ip route add 127.0.0.0/8 dev lo scope host
/usr/local/bin/proxy_ping_test.bash $MODE 2> $ELOG
if [ $ONE_GUEST -eq 0 ] ; then
IP=`ifconfig |grep -A1 wlan|grep inet|sed -e 's/.*inet //' -e 's/ .*//'`
# 10.24.216.64
if [ -n "$IP" ] ; then
grep -q " external" /etc/hosts && \
sed -e "s/.* external/$IP external/" -i /etc/hosts || \
echo "$IP external" >> /etc/hosts
fi
a=`grep nameserver /etc/resolv.conf | grep -v 'nameserver 127.0.0.1'| wc -l`
if [ "$MODE" = whonix -o "$MODE" = tor -o "$MODE" = selektor ] ; then
NS=127.0.0.1
elif [ "$MODE" = nat -o "$MODE" = vda -o "$MODE" = ws ] ; then
NS=10.0.2.2
else
NS=
fi
if [ -n "$NS" ] ; then
elt=/etc/resolv.conf
DBUG elt=$elt
a=`grep nameserver /etc/resolv.conf | grep -v "nameserver $IP" | wc -l`
if [ $? -eq 0 -a -n "$a" -a "$a" -gt 0 ] ; then
/usr/local/bin/base_wall.bash "CRIT: $prog /etc/resolv.conf" `grep nameserver /etc/resolv.conf`
echo 'nameserver 127.0.0.1' > /etc/resolv.conf
echo "nameserver $IP" > /etc/resolv.conf
fi
fi
[ -d $LOG_DIR/ ] || mkdir -p $LOG_DIR/ || true
find $LOG_DIR/*${prog}_${ly}*.log -ctime +2 -delete || true
if [ -d /etc/ssl/certs/ ] ; then
find -L /etc/ssl/certs/ -type l >> $WLOG
find -L /etc/ssl/certs/ -type l -delete
else
WARN /etc/ssl/certs/ missing
if [ "$MODE" = whonix -o "$MODE" = tor -o "$MODE" = selektor ] ; then
# 10.24.216.64
elt=/etc/hosts
DBUG elt=$elt
if [ -n "$IP" ] ; then
grep -q " external" /etc/hosts && \
sed -e "s/.* external/$IP external/" -i /etc/hosts || \
echo "$IP external" >> /etc/hosts
for file in "${BOX_NBD_OVERLAY_EXTERNALS[@]}" ; do
[ -f $file ] || continue
grep -q "BOX_NBD_OVERLAY_EXTERNAL.*" $file && continue
sed -i -e "s/BOX_NBD_OVERLAY_EXTERNAL:.*/BOX_NBD_OVERLAY_EXTERNAL: \"$IP\"/" $file
done
fi
elt=/etc/firewall.conf
DBUG elt=$elt
[ -f /etc/firewall.conf ] || {
ERROR $prog NO FIREWALL /etc/firewall.conf | tee -a $ELOG | \
xargs /usr/local/bin/base_wall.bash
}
elt=iptables
DBUG elt=$elt
$PL proxy_iptables_save >$OUT 2>&1
if [ $? -ne 0 ] || ! grep -q DROP $OUT ; then
ERROR $prog NO FIREWALL - DROP `cat $OUT` | tee -a $ELOG
/usr/local/bin/base_wall.bash ERROR $prog NO FIREWALL - DROP
#? /usr/local/bin/proxy_firewall_restore_iptable.bash /etc/firewall.conf
fi
elif [ "$MODE" = nat -o "$MODE" = vda -o "$MODE" = ws ] && [ $ONE_GUEST -eq 1 ]; then
elt=/etc/resolv.conf
DBUG elt=$elt
if [ $? -eq 0 -a -n "$GW" ] ; then
if ! grep -q "$GW" /etc/resolv.conf ; then
/usr/local/bin/base_wall.bash "CRIT: $GW not in /etc/resolv.conf"
echo "nameserver $GW" >> /etc/resolv.conf
fi
$PL proxy_ping_firewall_check || \
/usr/local/bin/base_wall.bash $prog 'CRIT: proxy_ping_firewall_check' retval=$?
fi
fi
if [ $ONE_GUEST -eq 0 ] ; then
if [ "$MODE" = whonix ] ; then
[ -n "$BASE_SRC_ANSIBLE" ] || BASE_SRC_ANSIBLE=/g/TestForge/src/ansible
BOX_WHONIX_PROXY_HOST=$( /usr/local/bin/testforge_get_inventory.bash BOX_WHONIX_PROXY_HOST )
if [ -n "$BOX_WHONIX_PROXY_HOST" ] && \
which virsh 2>/dev/null >/dev/null && \
@ -89,18 +164,14 @@ if [ $ONE_GUEST -eq 0 ] ; then
# sh proxy_whonix_host_tor.bash whonix
/usr/local/sbin/proxy_whonix_host.bash proxy_whonix_host_add_block >>$OUT 2>>$ELOG
fi
$PL proxy_libvirt_test >$OUT 2>&1
$PLL proxy_libvirt_test >$OUT 2>&1
retval=$?
[ $retval -gt 1 ] && ERROR $prog proxy_libvirt_test retval=$retval >> $ELOG
fi
[ $retval -gt 1 ] && \
ERROR $prog proxy_libvirt_test retval=$retval | tee -a $ELOG
fi
[ -f /etc/firewall.conf ] || {
ERROR $prog NO FIREWALL /etc/firewall.conf | tee -a $ELOG | \
xargs /usr/local/bin/base_wall.bash
}
ifconfig | grep -q ^wlan
if [ $? -eq 0 ] ; then
wlan7=`ifconfig|grep ^wlan|tail -1| sed -e 's/:.*//'`
wlan7=`ifconfig|grep ^wlan|tail -1| sed -e 's/:.*//'`
if [ -n "$wlan7" ] ; then
grep -q $wlan7 /etc/firewall.conf || {
ERROR $prog NO $wlan7 in /etc/firewall.conf | tee -a $ELOG | \
xargs /usr/local/bin/base_wall.bash
@ -109,66 +180,56 @@ fi
fi
[ -f /var/log/privoxy/logfile ] && \
grep -i fatal /var/log/privoxy/logfile >> $WLOG && \
echo ERROR: Fatal in /var/log/privoxy/logfile |tee -a $ELOG
grep -i fatal /var/log/privoxy/logfile | tee -a $ELOG && \
ERROR Fatal in /var/log/privoxy/logfile |tee -a $ELOG
if route | grep -q ^def ; then
$PL proxy_ping_gw_check || {
ERROR proxy_ping_gw_check >> $ELOG
}
$PL proxy_ping_dnsmasq_check || {
x ERROR proxy_ping_dnsmasq_check >> $ELOG
}
$PL proxy_ping_firewall_check || {
ERROR proxy_ping_firewall_check >> $ELOG
}
if grep -q "^wlan[1-9][ ]00000000" /proc/net/route ; then
$PL proxy_ping_gw_check || {
ERROR proxy_ping_gw_check | tee -a $ELOG
}
$PL proxy_ping_dnsmasq_check && \
ERROR proxy_ping_dnsmasq_check || {
ERROR proxy_ping_dnsmasq_check | tee -a $ELOG
}
$PL proxy_ping_firewall_check && \
INFO proxy_ping_firewall_check || {
ERROR proxy_ping_firewall_check | tee -a $ELOG
}
$PL proxy_iptables_save >$OUT 2>&1
if [ $? -ne 0 ] || ! grep -q DROP $OUT ; then
ERROR $prog NO FIREWALL - DROP `cat $OUT` | tee -a $ELOG
/usr/local/bin/base_wall.bash ERROR $prog NO FIREWALL - DROP
#? /usr/local/bin/proxy_firewall_restore_iptable.bash /etc/firewall.conf
fi
$PL proxy_test_dirmngr $OUT || \
{ retval=$? ; ERROR proxy_test_dirmngr $retval >> $ELOG ; }
$PL proxy_test_dirmngr $OUT && \
INFO proxy_test_dirmngr $retval | tee -a $ELOG || {
retval=$?
ERROR proxy_test_dirmngr $retval | tee -a $ELOG
}
if dmesg | grep --text -A 1 'martian' ; then
dmesg | grep --text -A 1 'martian' | \
xargs echo WARN: martians >> $WLOG
dmesg | grep --text -A 1 'martian' | \
sed -e 's/DST=.*//' -e 's/.*martian_//' -e 's/ OUT=.*SRC=/ /' >> $WLOG
if dmesg | grep --text -A 1 'martian' ; then
dmesg | grep --text -A 1 'martian' | \
xargs echo WARN: martians | tee -a $ELOG
dmesg | grep --text -A 1 'martian' | \
sed -e 's/DST=.*//' -e 's/.*martian_//' -e 's/ OUT=.*SRC=/ /' | tee -a $ELOG
else
INFO proxy_test_dirmngr no martians
fi
/usr/local/bin/proxy_ping_test.bash dns || {
ERROR $prog no dns >> $ELOG ;
}
/usr/local/bin/proxy_ping_test.bash 3128 || {
# can be false
WARN $prog no 3128 >> $WLOG
}
PROXY_WLAN=$( $PL proxy_get_if )
[ -n "$PROXY_WLAN" -a -f /etc/wicd/wireless-settings.conf ] && \
ps ax | grep -q wpa_supplicant && \
grep -A 1 bad$ /etc/wicd/wireless-settings.conf | \
grep bssid | sed -e 's/.*= //' | \
while read elt ; do \
wpa_cli -i "$PROXY_WLAN" blacklist $elt
done
PROXY_WLAN=$( $PL proxy_get_if )
[ -n "$PROXY_WLAN" -a -f /etc/wicd/wireless-settings.conf ] && \
ps ax | grep -q wpa_supplicant && \
grep -A 1 bad$ /etc/wicd/wireless-settings.conf | \
grep bssid | sed -e 's/.*= //' | \
while read elt ; do \
wpa_cli -i "$PROXY_WLAN" blacklist $elt
done
$PL proxy_ping_firewall_check || \
/usr/local/bin/base_wall.bash $prog 'CRIT: proxy_ping_firewall_check' retval=$?
fi
fi
fi
[ -s $OUT ] && grep WARN: $OUT >> $WLOG
# [ -s $OUT ] && grep WARN: $OUT | tee -a $ELOG
if [ -s $ELOG ] ; then
errs=$( wc -l $ELOG | cut -f 1 -d ' ' )
if [ $? -eq 0 -a $errs -ne 0 ] ; then
ERROR $prog $errs $ly $prog errors in $ELOG
cat $ELOG
/usr/local/bin/base_wall.bash "ERROR: $prog $errs errors in $ELOG"
exit $errs
fi
fi
@ -177,15 +238,7 @@ fi
[ $? -eq 0 -a $warns -ne 0 ] && \
WARN "$warns $ly $prog warnings in $WLOG"
[ -f $ELOG ] && errs=`wc -l $ELOG | cut -f 1 -d ' '`
if [ $? -eq 0 -a $errs -ne 0 ] ; then
ERROR "$errs $ly $prog errors in $ELOG"
cat $ELOG
exit $errs
fi
[ $errs -eq 0 ] && \
ols_clean_testforge_logs $HARDEN_LOG_DIR && \
[ $warns -eq 0 ] && \
INFO "$prog No $ly errors in $HARDEN_LOG_DIR"

2
overlay/Linux/usr/local/bin/proxy_jnettop.bash
View file

@ -6,7 +6,7 @@ prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
route | grep -q ^default || exit 0
grep -q "^wlan[1-9][ ]00000000" /proc/net/route || exit 0
[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash \
|| { echo >&2 ERROR: $prog "$PREFIX/etc/testforge/testforge.bash" ; exit 1 ; }

4
overlay/Linux/usr/local/bin/proxy_libvirt_hook_network.bash
View file

@ -5,9 +5,11 @@
# so must be idempotemt - as its called by things it calls?
prog=$( basename $0 .bash )
[ -z "$TERM" ] || . /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
[ -z "$TERM" ] || . /usr/local/bin/usr_local_tput.bash || exit 2
[ -z "$USER" ] && USER=$(id -un )
[ -n "$USER" -a "$USER" = root ] && \

104
overlay/Linux/usr/local/bin/proxy_ping_lib.bash
View file

@ -12,7 +12,11 @@ base=proxy_ping_lib
[ -z "$USER" ] && USER=$(id -un )
# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
BASE_SRC_ANSIBLE=/g/TestForge/src/ansible
PROXY_GPG_KEYSERVER=keys.openpgp.org
# shellcheck disable=SC2154
[ -z "$PROXY_HTTP_PROXY_PORT" ] || PROXY_HTTP_PROXY_PORT=3128
# shellcheck disable=SC2154
[ -z "$PROXY_HTTP_PROXY_HOST" ] || PROXY_HTTP_PROXY_HOST="127.0.0.1"
PROXY_IFCONFIG=/sbin/ifconfig
[ -x /sbin/ifconfig ] && PROXY_IFCONFIG=/sbin/ifconfig
@ -36,11 +40,6 @@ proxy_ifconfig () {
$PROXY_IFCONFIG $*
}
# shellcheck disable=SC2154
[ -z "$PROXY_HTTP_PROXY_PORT" ] || PROXY_HTTP_PROXY_PORT=3128
# shellcheck disable=SC2154
[ -z "$PROXY_HTTP_PROXY_HOST" ] || PROXY_HTTP_PROXY_HOST="127.0.0.1"
# shellcheck disable=SC2154
[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
# shellcheck disable=SC2154
@ -136,90 +135,6 @@ proxy_whonix_get_gateway_dom_bad () {
return 0
}
proxy_test_dirmngr () { DBUG proxy_test_dirmngr MODE=$MODE $* ;
[ $# -eq 0 ] && set -- \
hkp://$PROXY_GPG_KEYSERVER \
hkp://gpg.mit.edu hkp://keys.gnupg.net
# shellcheck disable=SC2154
[ -z "$ELOG" ] && ELOG=/tmp/proxy_test_dirmngr$$.err
# shellcheck disable=SC2154
[ -z "$WLOG" ] && WLOG=/tmp/proxy_test_dirmngr$$.log
[ -h /usr/bin/dirmngr ] || {
ERROR /usr/bin/dirmngr not a symlink
return 2
}
grep ^hkp-cacert /etc/dirmngr/dirmngr.conf | while read a b; do
[ -f $b ] || WARN file not found $b
done
/usr/bin/dirmngr --version </dev/null || {
ERROR /usr/bin/dirmngr not working --version
return 3
}
# grep ^OK
DBUG /usr/bin/dirmngr working --version
/etc/init.d/privoxy status || /etc/init.d/privoxy start
/etc/init.d/privoxy status || {
WARN /etc/init.d/privoxy not running $PROXY_HTTP_PROXY_PORT
}
# /usr/local/bin/proxy_ping_test.bash 3128
netstat -nlpe4 | grep -q :$PROXY_HTTP_PROXY_PORT || {
ERROR /etc/init.d/privoxy not working $PROXY_HTTP_PROXY_PORT
return 4
}
DBUG /etc/init.d/privoxy working $PROXY_HTTP_PROXY_PORT
route | grep -q ^default || return 0
gpg-connect-agent --dirmngr 'loadswdb --force' /bye </dev/null >/tmp/GpgL$$.tmp 2>&1
retval=$?
[ $retval -ne 0 ] && \
ERROR gpg-connect-agent 'loadswdb --force' /tmp/GpgL$$.tmp && \
cat /tmp/GpgL$$.tmp && \
return 5$retval
! grep -q OK /tmp/GpgL$$.tmp && \
ERROR gpg-connect-agent 'loadswdb --force' not OK `cat /tmp/GpgL$$.tmp` && \
rm -f /tmp/GpgL$$.tmp && \
return 6$retval
DBUG gpg-connect-agent OK `cat /tmp/GpgL$$.tmp`
rm -f /tmp/GpgL$$.tmp
gpg-connect-agent </dev/null --dirmngr 'keyserver' /bye >/tmp/GpgG$$.tmp 2>&1
retval=$?
[ $retval -ne 0 ] && \
ERROR gpg-connect-agent 'keyserver' `cat /tmp/GpgG$$.tmp` && \
rm -f /tmp/GpgG$$.tmp && \
return 7$retval
grep -q ^S /tmp/GpgG$$.tmp || { \
ERROR gpg-connect-agent 'keyserver' no S `cat /tmp/GpgG$$.tmp` && \
rm -f /tmp/GpgG$$.tmp && \
return 8$retval
}
DBUG gpg-connect-agent 'keyserver' S `cat /tmp/GpgG$$.tmp`
if [ -d /root/.emacs.d/elpa/gnupg ] && \
ps ax | grep -q -e '--homedir /root/.emacs.d/elpa/gnupg' ; then
for elt in "$@" ; do
echo keyserver --resolve $elt /bye > /tmp/GpgR$$.tmp
gpg-connect-agent </dev/null --dirmngr --homedir /root/.emacs.d/elpa/gnupg \
-r /tmp/GpgR$$.tmp >/tmp/GpgC$$.tmp 2>&1
retval=$?
[ $retval -ne 0 ] && \
ERROR gpg-connect-agent $elt `cat /tmp/GpgC$$.tmp` | tee -a $ELOG && \
rm -f /tmp/GpgC$$.tmp && \
return 9$retval
grep -q 'ERR\|failed:' /tmp/GpgC$$.tmp && \
ERROR gpg-connect-agent $elt `tail -1 $ELOG` && \
rm -f /tmp/GpgC$$.tmp && \
return 10
INFO gpg-connect-agent $elt
done
rm -f /tmp/GpgC$$.tmp
fi
return 0
}
## proxy_whonix_get_gateway_dom
proxy_whonix_get_gateway_dom () {
# shellcheck disable=SC2154
@ -262,7 +177,7 @@ proxy_ping_mode () { #
# shellcheck disable=SC2154
[ -n "$MODE" ] && echo "$MODE" && return 0
proxy_ifconfig -a > /tmp/ipconfig-a.$$
proxy_ifconfig -a >/tmp/ipconfig-a.$$
if grep -q /dev/vda /proc/cmdline ; then
MODE=vda
elif ps ax | grep -v grep | grep -q 'tor -f /var/lib/tor/.SelekTOR/3xx' ; then
@ -283,7 +198,7 @@ proxy_ping_mode () { #
MODE=$mode
else
host=$( $PREFIX/bin/testforge_get_inventory.bash BOX_WHONIX_PROXY_HOST )
[ -n "$host" ] && MODE=whonix
[ -n "$host" ] && MODE=$host # whonix
fi
fi
@ -851,6 +766,7 @@ proxy_whonix_copy_files () { DBUG proxy_whonix_copy_files PROXY_WLAN=$PROXY_WLAN
## proxy_ping_firewall_check
proxy_ping_firewall_check () { DBUG proxy_ping_firewall_check PROXY_WLAN=$PROXY_WLAN MODE=$MODE $* ;
[ -n "$MODE" ] || MODE="$( proxy_ping_mode )"
if [ "$MODE" = workstation -o "$MODE" = ws -o "$MODE" = vda ] ; then
:
elif [ "$MODE" = nat -o "$MODE" = gateway -o "$MODE" = host ] ; then
@ -1473,10 +1389,10 @@ starbucks_pdnsd () {
[ -z "$pdnsd" ] && return 0
if [ "$pdnsd" = "dnscrypt" ] && \
! ps ax | grep -v grep | grep -q /dnscrypt-proxy ; then
cp /dev/null /var/local/var/log/dnscrypt-proxy.log
cp /dev/null $PREFIX/var/log/dnscrypt-proxy.log
$HARDEN_VAR_LOCAL/bin/dnscrypt-proxy --config $HARDEN_VAR_LOCAL/etc/dnscrypt-proxy.toml &
sleep $DELAY
[ ! -s /var/local/var/log/dnscrypt-proxy.log ] || \
[ ! -s $PREFIX/var/log/dnscrypt-proxy.log ] || \
! grep -q 'No servers configured' $HARDEN_VAR_LOCAL/var/log/dnscrypt-proxy.log || return 11
ps ax | grep -v grep | grep -q /dnscrypt-proxy || return 12
elif [ "$pdnsd" = "pdnsd" ] && ! ps ax | grep -v grep | grep -q /pdnsd ; then

391
overlay/Linux/usr/local/bin/proxy_ping_test.bash
View file

@ -11,7 +11,10 @@ PYVER=3
. /usr/local/bin/proxy_ping_lib.bash || \
{ ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 6; }
[ -f $PREFIX/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash >/dev/null || exit 1
PL=/usr/local/bin/proxy_libvirt_lib.bash
declare -a tests
which traceroute 2>/dev/null >/dev/null && HAVE_TRACEROUTE=1 || HAVE_TRACEROUTE=0
@ -20,22 +23,19 @@ which nslookup 2>/dev/null >/dev/null && HAVE_NSLOOKUP=1 || HAVE_NSLOOKUP=0
which tor-resolve 2>/dev/null >/dev/null && HAVE_TOR_RESOLVE=1 || HAVE_TOR_RESOLVE=0
[ -z "$prog" ] || prog=proxy_ping_test
proxy_ping_get_socks >/dev/null
[ -z "$SOCKS_HOST" ] && SOCKS_HOST=127.0.0.1
[ -z "$SOCKS_PORT" ] && SOCKS_PORT=9050
SOCKS_PAIR=`proxy_ping_get_socks`
[ -z "$SOCKS_HOST" ] && SOCKS_HOST=`echo $SOCKS_PAIR|sed -e 's/:.*//'`
[ -z "$SOCKS_PORT" ] && SOCKS_PORT=`echo $SOCKS_PAIR|sed -e 's/.*://'`
[ -z "$SOCKS_DNS" ] && SOCKS_DNS=9053
HTTPS_PORT=9128
HTTPS_HOST=127.0.0.1
proxy_ping_get_https >/dev/null
HTTPS_PORT=`echo $HTTPS_PAIR|sed -e 's/.*://'`
HTTPS_HOST=`echo $HTTPS_PAIR|sed -e 's/:.*//'`
HTTPS_PAIR=`proxy_ping_get_https`
[ -z "$HTTPS_HOST" ] && HTTPS_HOST=127.0.0.1
HTTP_PORT=3128
HTTP_PROXY_HOST=127.0.0.1
proxy_ping_get_http >/dev/null
HTTP_PAIR=`proxy_ping_get_http`
HTTP_PORT=`echo $HTTP_PAIR|sed -e 's/.*://'`
HTTP_HOST=`echo $HTTP_PAIR|sed -e 's/:.*//'`
[ -z "$HTTP_HOST" ] && HTTP_HOST=127.0.0.1
[ -f $PREFIX/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash >/dev/null || exit 1
P="BASE_PYTHON${PYVER}_MINOR"
PYTHON_MINOR="$(eval echo \$$P)"
[ -n "$PYTHON_MINOR" ] || \
@ -65,14 +65,14 @@ TIMEOUT=30
[ -n "$GATEW_DOM" ] || GATEW_DOM="Whonix-Gateway"
DNS_HOST1="208.67.220.220"
DNS_HOST2="8.8.8.8"ggggg
DNS_HOST2="1.1.1.1"
[ -n "$DNS_TARGET" ] || DNS_TARGET=www.whatismypublicip.com # 108.160.151.39
[ -n "$HTTP_TARGET" ] || HTTP_TARGET=www.whatismypublicip.com # 108.160.151.39
HTTP_TARGET=www.whatismypublicip.com
# time.nist.gov 132.163.97.3
NTP_HOST1=132.163.97.3
# pool.ntp.org 78.46.53.2
# pool.ntp.org 78.46.53.2 205.206.70.7
NTP_HOST2=78.46.53.2
# --no-check-certificate
WGET="wget --tries=1 --max-redirect=0 --timeout=$TIMEOUT -O /dev/null"
@ -103,6 +103,113 @@ DNS_HOST=$SOCKS_HOST
[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
[ -z "$PRIV_BIN_GID" ] && PRIV_BIN_GID=$( grep ^$PRIV_BIN_OWNER /etc/passwd|cut -d: -f 4 )
PROXY_GPG_KEYSERVER=keys.openpgp.org
declare -a GPG_KEYSERVERS=(
hkp://$PROXY_GPG_KEYSERVER
hkp://gpg.mit.edu
hkp://keys.gnupg.net
)
## proxy_test_dirmngr
proxy_test_dirmngr () {
[ $# -eq 0 ] && set -- "${GPG_KEYSERVERS[@]}"
DBUG proxy_test_dirmngr MODE=$MODE $* ;
# shellcheck disable=SC2154
[ -z "$ELOG" ] && ELOG=/tmp/proxy_test_dirmngr$$.err
# shellcheck disable=SC2154
[ -z "$WLOG" ] && WLOG=/tmp/proxy_test_dirmngr$$.log
[ -h /usr/bin/dirmngr ] || {
WARN /usr/bin/dirmngr not a symlink
#fixed? return 2
}
grep ^hkp-cacert /etc/dirmngr/dirmngr.conf | while read a b; do
[ -f $b ] || WARN file not found $b in /etc/dirmngr/dirmngr.conf
done
/usr/bin/dirmngr --version </dev/null >/dev/null && \
INFO /usr/bin/dirmngr working --version || {
ERROR /usr/bin/dirmngr not working --version
return 3
}
# grep ^OK
DM=`grep ' keyserver ' /etc/dirmngr/dirmngr.conf | head -1 | sed -e 's/.* //'`
grep -q "^wlan[1-9][ ]00000000" /proc/net/route || {
DBUG not connected
return 0
}
echo 'loadswdb --force' /bye | \
gpg-connect-agent --dirmngr \
>/tmp/GpgL$$.tmp 2>&1
retval=$?
[ $retval -ne 0 ] && \
WARN gpg-connect-agent --dirmngr 'loadswdb --force' /bye /tmp/GpgL$$.tmp && \
cat /tmp/GpgL$$.tmp && \
# return 5$retval
! grep -q OK /tmp/GpgL$$.tmp && \
WARN gpg-connect-agent --dirmngr 'loadswdb --force' /bye OK not found /tmp/GpgL$$.tmp && \
# return 6$retval
INFO elt=gpg-connect-agent --dirmngr 'loadswdb --force' OK
rm -f /tmp/GpgL$$.tmp
# gpg-connect-agent --dirmngr 'help keyserver' /bye
echo 'keyserver --resolve' /bye | \
gpg-connect-agent --dirmngr \
>/tmp/GpgG$$.tmp 2>&1
retval=$?
grep 'ERR\|failed:' /tmp/GpgG$$.tmp >> $ELOG && \
ERROR gpg-connect-agent $elt `tail -1 $ELOG` && \
return 10
grep -q ^S /tmp/GpgG$$.tmp || { \
WARN gpg-connect-agent 'keyserver' no S /tmp/GpgG$$.tmp && \
return 8$retval
}
INFO elt=gpg-connect-agent 'keyserver --resolve' S
cat /tmp/GpgG$$.tmp
rm -f /tmp/GpgG$$.tmp
if [ ! -d /root/.emacs.d/elpa/gnupg ] || \
! ps ax | grep -q -e '--homedir /root/.emacs.d/elpa/gnupg' ; then
WARN no running /root/.emacs.d/elpa/gnupg agent
else
INFO running /root/.emacs.d/elpa/gnupg agent
echo keyserver --resolve | \
gpg-connect-agent --dirmngr \
--homedir /root/.emacs.d/elpa/gnupg \
>/tmp/GpgC$$.tmp 2>&1
retval=$?
if grep 'ERR\|failed:' /tmp/GpgC$$.tmp >> $ELOG ; then
WARN /root/.emacs.d/elpa/gnupg gpg-connect-agent `tail -1 $ELOG` && \
cat /tmp/GpgC$$.tmp
else
INFO elt=gpg-connect-agent
cat /tmp/GpgC$$.tmp
rm -f /tmp/GpgC$$.tmp
fi
fi
return 0
}
## proxy_test_privoxy_test
proxy_test_privoxy_test () { DBUG proxy_test_privoxy_test $* ;
return 0
/etc/init.d/privoxy status || /etc/init.d/privoxy start
/etc/init.d/privoxy status && \
DBUG /etc/init.d/privoxy running || {
WARN /etc/init.d/privoxy not running $PROXY_HTTP_PROXY_PORT
}
# /usr/local/bin/proxy_ping_test.bash 3128
netstat -nlpe4 | grep -q :$PROXY_HTTP_PROXY_PORT || {
ERROR /etc/init.d/privoxy not working $PROXY_HTTP_PROXY_PORT
return 4
}
INFO elt=/etc/init.d/privoxy working $PROXY_HTTP_PROXY_PORT
return 0
}
## proxy_test_netstat_dns
proxy_test_netstat_dns () { DBUG proxy_test_netstat_dns $* ;
$NETS | grep -q ":53"
@ -119,7 +226,7 @@ proxy_test_traceroute_icmp_gw () { DBUG proxy_test_traceroute_icmp_gw $* ;
retval=$?
[ $retval -eq 0 ] && return 0
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval traceroute --icmp $PROXY_WLAN_GW
[ -z "$ALL" ] && exit $ARG$retval || return 1
[ -z "$ALL" ] && exit "$ARG$retval" || return 1
# works
GREP="-i icmp"
return 0
@ -128,7 +235,7 @@ proxy_test_traceroute_icmp_gw () { DBUG proxy_test_traceroute_icmp_gw $* ;
## proxy_test_dig_direct
proxy_test_dig_direct () { DBUG proxy_test_dig_direct $* ;
dig @$DNS_HOST1 pool.ntp.org +timeout=$TIMEOUT >/dev/null
dig @$DNS_HOST1 $NTP_HOST2 +timeout=$TIMEOUT >/dev/null
retval=$?
[ $retval -eq 0 ] && return 0
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @$DNS_HOST1
@ -140,8 +247,8 @@ proxy_test_dig_direct () { DBUG proxy_test_dig_direct $* ;
return 0
}
## proxy_test_curl_firewall_bin
proxy_test_curl_firewall_bin () { DBUG proxy_test_curl_firewall_bin $* ;
## proxy_test_curl_firewall_asbin
proxy_test_curl_firewall_asbin () { DBUG proxy_test_curl_firewall_asbin $* ;
su -c "$CURL -k --noproxy '*' https://$HTTP_TARGET" -s /bin/sh $PRIV_BIN_OWNER >/dev/null
retval=$?
[ $retval -eq 0 ] && return 0
@ -154,7 +261,7 @@ proxy_test_curl_firewall_bin () { DBUG proxy_test_curl_firewall_bin $* ;
## proxy_ping_curl
proxy_ping_curl () { DBUG proxy_ping_curl $* ;
local retval
timeout -k $TIMEOUT $TIMEOUT $CURL "$@"
timeout -k $TIMEOUT $TIMEOUT $CURL "$@"
retval=$?
# "DEBUG: wierd failure curl: (35) Encountered end of file"
[ $retval -eq 0 -o $retval -eq 35 ] && return 0
@ -164,7 +271,7 @@ proxy_ping_curl () { DBUG proxy_ping_curl $* ;
## proxy_ping_make_help
proxy_ping_make_help () {
grep 'tests\[[0-9][0-9]*\]=' /usr/local/bin/proxy_ping_test.bash \
> /tmp/proxy_ping_test.hlp
> /tmp/proxy_ping_test-$USER.hlp
return 0
}
@ -260,7 +367,7 @@ proxy_test_pretest_exit () {
{ WARN $prog proxy_ping_test_resolv=$? 'echo nameserver 127.0.0.1 > /etc/resolv.conf' ; exit 4 ; }
proxy_ping_firewall_start || { ERROR "proxy_ping_firewall_start ret=$?" ; exit 5 ; }
elif [ "$1" = nat ] ; then
: proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
else
proxy_do_ping || exit 4$?
proxy_ping_test_resolv $MODE || \
@ -276,19 +383,19 @@ proxy_test_help_args () {
declare -a elts=()
declare -a ret=()
local elt
if [ "$1" = selektor -o "$1" = whonix -o "$1" = torhost ] ; then
elts=($1 socks http dns https tordns firefail)
elif [ "$1" = torlibvirthost ] ; then
elts=($1 libvirthost socks http https tordns firefail)
if [ "$1" = selektor -o "$1" = torhost ] ; then
elts=($1 socks dns http https dirmngr tordns firefail)
elif [ "$1" = torlibvirthost -o "$1" = whonix ] ; then
elts=(libvirthost socks http https dirmngr tordns firefail)
elts+=($MODE)
elif [ "$1" = gateway ] ; then
elts=($1 libvirtguest socks dns http https firefail)
elif [ "$1" = gateway -o "$1" = nat ] ; then
elts=($1 libvirtguest socks dns http https dirmngr firefail)
else
elts=($1)
fi
for elt in "${elts[@]}" ; do
# DBUG proxy_test_help_args $elt $1 >&2
ret+=( $(grep " -.* $elt " /tmp/proxy_ping_test.hlp | \
ret+=( $(grep " -.* $elt " /tmp/proxy_ping_test-$USER.hlp | \
sed -e 's/.=.*//' -e 's/.*tests.//') )
done
DBUG proxy_test_help_args "${ret[@]}" >&2
@ -302,66 +409,88 @@ proxy_ping_test_set_args () {
local args="$@"
local val="$@"
declare -a aret=()
rm -f /tmp/proxy_ping_test.hlp
[ -f /tmp/proxy_ping_test.hlp ] || proxy_ping_make_help
## to_tor - tor with the firewall host side client setup tor server - call tor,dns,ntp in addition
rm -f /tmp/proxy_ping_test-$USER.hlp
[ -f /tmp/proxy_ping_test-$USER.hlp ] || proxy_ping_make_help
## to_tor - tor with the firewall host side client setup tor server - gateway
[ "$1" = to_tor -o "$1" = test_tor -o "$1" = test_to ] &&
aret=( 6 13 16 ) && \
! proxy_ping_test_env && WARN to_tor and no proxy in env - use noenv
## vda - through the Gateway with the firewall - also polipo,panic - uses env
[ "$1" = vda ] &&
aret=( 35 3 20 ) #
## kick - open firewall with tor running - call dns,polipo +tor in addition
[ "$1" = kick -o "$1" = host ] &&
aret=( 24 31 13 16 6 )# 30 24 31 6 13 16
## gateway - on the Gateway, trans firewall with tor running - call dns in addition
[ "$1" = gateway ] &&
aret=( 23 25 4 5 30 24 17 3 21 ) # 31 6 16
# aliases
# socks defines http as the target of a user using socks
[ "$1" = "$SOCKS_PORT" ] && set -- socks
# http defines http as the target of a user using http
[ "$1" = "$HTTP_PORT" ] && set -- http
# https defines http as the target of a user using https
[ "$1" = "$HTTPS_PORT" ] && set -- https
# dns defines http as the target of a user using dns
[ "$1" = "53" ] && set -- dns
# tordns defines http as the target of a user using tordns
[ "$1" = "9053" ] && set -- tordns
# aliases
# socks defines http as the target of a user using socks
[ "$1" = "$SOCKS_PORT" ] && set -- socks
# http defines http as the target of a user using http
[ "$1" = "$HTTP_PORT" ] && set -- http
# https defines http as the target of a user using https
[ "$1" = "$HTTPS_PORT" ] && set -- https
# dns defines http as the target of a user using dns
[ "$1" = "53" ] && set -- dns
# tordns defines http as the target of a user using tordns
[ "$1" = "9053" ] && set -- tordns
# old aliases
[ "$1" = scan ] && set -- iwlist
[ "$1" = panic ] && set -- firewall
[ "$1" = asbin ] && set -- firewall
[ "$1" = to_gateway ] && set -- whonix
[ "$1" = from_tor ] && set -- whonix
[ "$1" = from_gateway ] && set -- gateway
[ "$1" = to_tor ] && set -- gateway
[ "$1" = workstation ] && set -- ws
[ "$1" = scan ] && set -- iwlist
[ "$1" = panic ] && set -- firewall
[ "$1" = to_gateway ] && set -- whonix
[ "$1" = from_tor ] && set -- whonix
[ "$1" = from_gateway ] && set -- gateway
[ "$1" = traceroute ] && set -- = trace
[ "$1" = connected ] && set -- wifi
[ "$1" = clear ] && set -- direct
# scenarios - modes: nat selektor
[ "$1" = traceroute ] && set -- = trace
[ "$1" = connected ] && set -- wifi
[ "$1" = clear ] && set -- direct
[ "$1" = tor ] && set -- torhost
# scenarios - modes: nat selektor
# wifi?
## nat - through the Gateway via the nat
[ "$1" = nat ] && \
set -- ping dns socks http https tordns firefail libvirtguest
# wifi?
[ "$1" = whonix ] && \
set -- ping tordns dns socks http https torhost tordns firefail gw
[ "$1" = tor -o "$1" = selektor ] && \
set -- ping tordns dns trace torhost nmap gw
## torhost implies -
#? tor with the firewall to test the host side tor server - call to_tor,dns,ntp in addition
[ "$1" = direct -o "$1" = '' ] && \
set -- ping dns trace nmap gw
## all - all tests not stopping on the first error
[ "$1" = all ] && ALL=1
# aret="${#tests[@]}"
if [ "$1" = nat ] ; then
set -- $1 ping dns socks http https dirmngr tordns firefail libvirtguest
[ -n "$SOCKS_PORT" ] || WARN empty "$SOCKS_PORT"
## vda - through the Gateway with the firewall - also polipo,panic - uses env
## ws - through the Gateway with the firewall - it is a vda
[ -n "$SOCKS_PORT" ] || WARN empty "$SOCKS_PORT"
elif [ "$1" = vda -o "$1" = ws ] ; then
# Fixme - guessing
# was aret=( 35 3 20 )
set -- ping dns socks http https dirmngr tordns firefail libvirtguest
## gateway - ssh to the whonix gateway from the torhost
elif [ "$1" = gateway ] ; then
## gateway - on the Gateway, trans firewall with tor running -
#? looks like it had direct in gateway;
#? aret=( 23 25 4 5 30 24 17 3 21 ) # 31 6 16
set -- ping dns socks http https dirmngr tordns firefail libvirtguest
[ -n "$SOCKS_PORT" ] || WARN empty "$SOCKS_PORT"
## whonix - whonix torhost with libvirt container running gateway behind firewa
elif [ "$1" = whonix ] ; then
set -- ping libvirtguest tordns dns socks http https dirmngr torhost tordns firefail gw
[ -n "$SOCKS_PORT" ] || WARN empty "$SOCKS_PORT"
## torhost - running tor with the firewall
[ "$1" = torhost -o "$1" = selektor ] && \
set -- ping torhost tordns dns trace nmap gw
[ -n "$SOCKS_PORT" ] || WARN empty "$SOCKS_PORT"
#? tor with the firewall to test the host side tor server - call to_tor,dns,ntp in addition
## direct - assume no firewall and no proxy - but may work depend on env
elif [ "$1" = direct -o "$1" = '' ] ; then
set -- ping dns trace nmap gw
## all - all tests not stopping on the first error
elif [ "$1" = all ] ; then
ALL=1
# aret="${#tests[@]}"
fi
## gw - test if we are connected to the gateway
## env - from the cmdline with a properly setup env
## firefail - test the proxy without env vars to expect failure
## torhost - running tor with the firewall
## http - assumes torhost or whonix and env setup
## https - assumes torhost or whonix and env setup
## socks - assumes torhost or whonix and env setup
@ -373,23 +502,21 @@ proxy_ping_test_set_args () {
## iwlist - wlan scan of a wifi host
## firewall - test that the firewall blocks
## virbr1 - looks for virbr1 on a libvirt host torhost or whonix
## gateway - ssh to the whonix gateway from the torhost
## trace - traceroute to DNSHOST - icmp is allowed by the firewall, except on vda
## wifi - test if we are connected - call scan in addition
## libvirthost - hosting a libvirt container
## libvirtguest - in a libvirt container
## whonix - whonix torhost with libvirt container running gateway behind firewall - aliases: to_gateway from_tor
## direct - assume no firewall and no proxy - but may work depend on env
for elt in "$@" ; do
if [ "$elt" = gw -o "$elt" = '' -o "$elt" = env -o \
if [ "$elt" = gw -o "$elt" = env -o \
"$elt" = https -o "$elt" = http -o "$elt" = socks -o "$elt" = dns -o \
"$elt" = torhost -o "$elt" = tordns -o "$elt" = whonix -o \
"$elt" = torhost -o "$elt" = 'nat' -o "$elt" = whonix -o "$elt" = selektor -o \
"$elt" = tordns -o \
"$elt" = libvirthost -o "$elt" = torlibvirthost -o \
"$elt" = libvirtguest -o "$elt" = virbr1 -o \
"$elt" = ping -o "$elt" = trace -o "$elt" = ntp -o "$elt" = nmap -o \
"$elt" = iwlist -o "$elt" = firefail -o "$elt" = direct -o \
"$elt" = trace -o "$elt" = wifi -o "$elt" = '' -o "$elt" = '' \
"$elt" = trace -o "$elt" = wifi -o "$elt" = 'dirmngr' -o "$elt" = 'test' \
] ; then
aret+=( `proxy_test_help_args $elt` )
else
@ -407,21 +534,23 @@ if [ "$#" = 0 ] ; then
# default to mode
set -- $MODE
fi
if [ $1 = '-h' -o $1 = '--help' ] ; then
if [ "$1" = '-h' -o $1 = '--help' ] ; then
echo USAGE: $USAGE | sed -e 's/[0-9][0-9]*)/\n&/g'
grep '^## [a-oq-z]' $0 | sed -e 's/^## / /'
exit 0
elif [ "$1" = 0 ] ; then
INFO $prog PROXY_WLAN=$PROXY_WLAN MODE=$MODE
echo 0 help /tmp/proxy_ping_test.hlp
[ -f /tmp/proxy_ping_test.hlp ] || proxy_ping_make_help
. /tmp/proxy_ping_test.hlp
echo 0 help /tmp/proxy_ping_test-$USER.hlp
[ -f /tmp/proxy_ping_test-$USER.hlp ] || proxy_ping_make_help
. /tmp/proxy_ping_test-$USER.hlp
for elt in "${!tests[@]}" ; do
echo $elt "${tests[$elt]}"
done
exit 0
elif [[ $1 =~ ^[0-9] ]] ; then
: passthrough
elif [ $1 = 'test' -o $1 = '--test' ] ; then
set -- 99
else
set -- `proxy_ping_test_set_args "$@"`
DBUG running tests numbered "$@"
@ -459,7 +588,7 @@ while [ "$#" -gt 0 ] ; do
tests[1]="wget_https_as_user wget ${HTTPS_PORT} - https "
[ -n "$https_proxy" ] && LARGS="" || \
LARGS="env https_proxy=https://${HTTPS_HOST}:${HTTPS_PORT}"
$LARGS $WGET https://$HTTP_TARGET
$LARGS $WGET https://$HTTP_TARGET 2>/dev/null
retval=$?
if [ $retval -eq 8 -o $retval -eq 0 ] ; then
INFO $prog test=$ARG "${tests[$ARG]}"
@ -547,9 +676,9 @@ while [ "$#" -gt 0 ] ; do
GREP="$SOCKS_DNS"
elif [ $ARG -eq 6 ] ; then
tests[6]="curl_https_as_user - https "
proxy=`proxy_ping_get_https`
desc="curl --proxy http://${proxy}"
tests[6]="curl_https_as_user - https "
proxy_ping_curl --proxy http://${proxy} \
--proxy-insecure https://$HTTP_TARGET || { \
retval=$?
@ -630,7 +759,6 @@ while [ "$#" -gt 0 ] ; do
tests[12]="nmap_dns_as_root --privileged --send-eth -Pn -sU -p U:53 $DNS_HOST1 - nmap direct "
[ $USER = root ] || continue
which nmap 2>/dev/null >/dev/null || continue
[ -z "$DNS_HOST1" ] && DNS_HOST1="208.67.220.220"
nmap --privileged --send-eth -Pn -sU -p U:53 "$DNS_HOST1" || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval nmap 53
@ -641,9 +769,9 @@ while [ "$#" -gt 0 ] ; do
GREP="53"
elif [ $ARG -eq 13 ] ; then
tests[13]="curl_firewall_bin - wifi "
tests[13]="curl_firewall_bin - firewall "
[ $USER = root ] || continue
proxy_test_curl_firewall_bin || continue
proxy_test_curl_firewall_asbin || continue
INFO $prog test=$ARG "${tests[$ARG]}" curl bin
# works
GREP="443"
@ -664,7 +792,7 @@ while [ "$#" -gt 0 ] ; do
INFO $prog test=$ARG "${tests[$ARG]}" proxy_test_dig_direct
elif [ $ARG -eq 16 ] ; then
tests[16]="nslookup_as_root nslookup $PRIV_BIN_OWNER - torhost "
tests[16]="nslookup_as_root nslookup ${DNS_HOST1} $PRIV_BIN_OWNER - firewall "
[ $USER = root ] || continue
[ $HAVE_NSLOOKUP = 1 ] || continue
su -c "$NSL $DNS_TARGET $DNS_HOST1" -s /bin/sh $PRIV_BIN_OWNER >/dev/null || { \
@ -705,7 +833,8 @@ while [ "$#" -gt 0 ] ; do
GREP="123"
elif [ $ARG -eq 19 ] ; then
tests[19]="curl_noproxy_http_as_user curl raw noproxy - firefail "
proxy_ping_curl --noproxy "'*.*'" --connect-timeout $TIMEOUT \
timeout -k $TIMEOUT $TIMEOUT env - $CURL \
--noproxy "'*.*'" --connect-timeout $TIMEOUT \
http://$HTTP_TARGET >/dev/null && {
retval=$?
ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" curl raw --noproxy
@ -782,7 +911,7 @@ while [ "$#" -gt 0 ] ; do
[ $HAVE_NSLOOKUP = 1 ] || continue
# noenv with or without proxy
# @$DNS_HOST1 should fail for firewall unless dnsmasq is working
$NSL >/dev/null $DNS_TARGET || { \
$NSL >/dev/null $DNS_TARGET ${DNS_HOST} || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval nslookup $DNS_TARGET
[ -z "$ALL" ] && exit $ARG$retval || continue
@ -832,7 +961,7 @@ while [ "$#" -gt 0 ] ; do
elif [ $ARG -eq 30 ] ; then
tests[30]="tor_bootstrap_check_as_root tor_bootstrap_check.py - torhost "
[ $MODE = tor -o $MODE = whonix -o $MODE = selektor ] || {
[ $MODE = tor -o $MODE = whonix -o $MODE = gateway -o $MODE = selektor ] || {
# are there other roles that run tor?
WARN $prog MODE != tor test=$ARG
}
@ -856,9 +985,10 @@ while [ "$#" -gt 0 ] ; do
elif [ $ARG -eq 31 ] ; then
tests[31]="curl_noproxy_as_root polipo http pages $HTTP_PORT - direct http "
proxy_ping_curl --noproxy http://${HTTP_HOST}:$HTTP_PORT && { \
timeout -k $TIMEOUT $TIMEOUT env - $CURL \
--noproxy '*' http://${HTTP_TARGET} && { \
retval=$?
ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" retval=$retval http to $HTTP_PORT
ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" retval=$retval $HTTP_TARGET
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
@ -908,9 +1038,9 @@ while [ "$#" -gt 0 ] ; do
[ $USER = root ] || continue
[ $HAVE_DIG = 1 ] || continue
# @$DNS_HOST1
su -c "dig pool.ntp.org +timeout=$TIMEOUT" -s /bin/sh $PRIV_BIN_OWNER >/dev/null || { \
su -c "dig $NTP_HOST2 +timeout=$TIMEOUT" -s /bin/sh $PRIV_BIN_OWNER >/dev/null || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval dig pool.ntp.org $PRIV_BIN_OWNER
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval dig $NTP_HOST2 $PRIV_BIN_OWNER
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
@ -918,12 +1048,12 @@ while [ "$#" -gt 0 ] ; do
GREP="53"
elif [ $ARG -eq 36 ] ; then
tests[36]="tor_resolve_as_user tor-resolve pool.ntp.org - tordns "
tests[36]="tor_resolve_as_user tor-resolve $NTP_HOST2 - tordns "
[ $HAVE_TOR_RESOLVE = 1 ] || continue
tor-resolve pool.ntp.org >/dev/null || { \
tor-resolve $NTP_HOST2 >/dev/null || { \
retval=$?
# dunno Failed parsing SOCKS5 response conf?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval tor-resolve pool.ntp.org
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval tor-resolve $NTP_HOST2
continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
@ -931,7 +1061,7 @@ while [ "$#" -gt 0 ] ; do
GREP="9053"
elif [ $ARG -eq 37 ] ; then
tests[37]="qemu-guest-agent and ports - libvirtguest "
tests[37]="qemu_guest_agent_ports - libvirtguest "
ser=qemu-guest-agent
proxy_rc_service $ser status >/dev/null || proxy_rc_service $ser start
proxy_rc_service $ser status >/dev/null || { \
@ -946,8 +1076,9 @@ while [ "$#" -gt 0 ] ; do
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP=""
elif [ $ARG -eq 38 ] ; then
tests[38]="qemu-guest-agent and ports - libvirthost "
tests[38]="check_libvirt_running - libvirthost "
[ $USER = root ] || continue
$PL proxy_libvirt_list
aret=$?
@ -957,12 +1088,42 @@ while [ "$#" -gt 0 ] ; do
DBUG proxy_libvirt_status aret=$aret
else
# was $GATEW_DOM but now can be gentoo_vm-2 etc
$PL proxy_libvirt_list 2>&1 | grep -q "running" || {
WARN MODE=$MODE and nothing libvirt running ;
$PL proxy_libvirt_list 2>&1| grep -q "running" || {
WARN MODE=$MODE and nothing libvirt running
continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
fi
elif [ $ARG -eq 39 ] ; then
tests[39]="proxy_test_dirmngr - dirmngr "
[ $USER = root ] || continue
proxy_test_dirmngr
elif [ $ARG -eq 99 ] ; then
tests[99]="test_all_modes unfinished not sure"
[ $USER = root ] || continue
for elt in vda selektor ws gateway nat tor whonix; do
INFO testing $elt
if [ "$MODE" = vda ] ; then
: vda
elif [ "$MODE" = selektor ] ; then
: selektor
elif [ "$MODE" = ws ] ; then
: ws
elif [ "$MODE" = gateway ] ; then
: gateway
elif [ "$MODE" = nat ] ; then
: nat
elif [ "$MODE" = tor ] ; then
: tor
elif [ "$MODE" = whonix ] ; then
: whonix
else
WARN unrecognized mode MODE=$elt
fi
done
elif false ; then
if ! grep -q '10.152.152.10\|127.0.0.1' /etc/resolv.conf ; then
$NETS | grep -q :53 || {
@ -977,21 +1138,3 @@ while [ "$#" -gt 0 ] ; do
done
exit 0
1)
env https_proxy=http://${SOCKS_HOST}:${HTTPS_PORT} wget $D -O - --no-check-certificate
2)
curl $D -k --proxy
3)
curl $D -k --proxy socks5://${SOCKS_HOST}:$SOCKS_PORT --proxy-insecure
6)
curl -k --proxy $HTTP_PORT
16)
nslookup $PRIV_BIN_OWNER
18)
ntpdate as sroot
19)
curl raw noproxy
0)
usage

4
overlay/Linux/usr/local/bin/proxy_test_ssl.bash
View file

@ -161,8 +161,8 @@ else
fi
CURL_ARGS="-vvv --cacert $CAFILE --cert-status --connect-timeout $timeout"
if [ -f /var/local/bin/analyze-ssl.pl.bash ] ; then
analyze=/var/local/bin/analyze-ssl.pl.bash
if [ -f $PREFIX/bin/analyze-ssl.pl.bash ] ; then
analyze=$PREFIX/bin/analyze-ssl.pl.bash
ANALYZE_ARGS="-v --timeout $timeout --CApath $CAFILE --all-ciphers"
else
analyze=""

6
overlay/Linux/usr/local/bin/scurl.bash
View file

@ -15,7 +15,7 @@ SSL_VER=3
. /usr/local/bin/proxy_ping_lib.bash
[ -f /usr/local/bin/proxy_curl_lib.bash ] && \
. /usr/local/bin/proxy_curl_lib.bash
if ! route | grep -q ^def ; then
if ! grep -q "^wlan[1-9][ ]00000000" /proc/net/route ; then
WARN $prog we are not connected >&2
exit -1
fi
@ -51,8 +51,8 @@ LARGS+=( --proto-redir https --proto-default https --proto =https )
[ -z "$socks_proxy" ] && . /usr/local/bin/proxy_export.bash
SSL_LIB=openssl # nss
if [ -x /var/local/bin/curl.bash ] ; then
EXE=/var/local/bin/curl.bash
if [ -x $PREFIX/bin/curl.bash ] ; then
EXE=$PREFIX/bin/curl.bash
elif which scurl ; then
EXE=`which scurl`
else