#! /bin/bash
# ANSI colour prefixes for diagnostics. They are stored as the literal
# backslash sequence and only become escape bytes when printed with
# backslash interpretation (echo -e / printf '%b').
CR='\e[1;31m' # red
# CG='\e[1;32m' # green (unused)
CN='\e[0m' # none: reset attributes
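#######################################
# Abort the script with a diagnostic on stderr.
# Globals:   CR, CN (read) - colour prefixes for the message
# Arguments: $1 - exit code (optional, numeric); any further arguments,
#            or all arguments when $1 is not numeric, form the message
# Outputs:   "ERROR: <message>" on stderr when a message is given
# Returns:   never. Exit status is, in order of preference: the status of
#            the command that ran right before the call when it was
#            non-zero (so 'cmd || ERREXIT' propagates cmd's status),
#            else $1, else 99.
#######################################
ERREXIT()
{
  # $? must be captured before anything else runs: 'local' and plain
  # assignments reset it to 0. The previous version tested $? only after
  # assigning $1, so the caller's status was always 0 and 'cmd || ERREXIT'
  # exited 99 regardless of why cmd failed.
  local code=$?
  local explicit=${1-}

  if [[ -z $explicit || $explicit =~ ^[0-9]+$ ]]; then
    # An empty or numeric first argument is the (optional) exit code;
    # consume it so the remaining words are the message.
    (( $# > 0 )) && shift
  else
    # No exit code given: treat every argument as the message instead of
    # letting 'exit' choke on a non-numeric value.
    explicit=
  fi
  (( code == 0 )) && code=${explicit:-99}

  # %b interprets the escape sequences stored in CR/CN, like 'echo -e' did.
  [[ -n "${1-}" ]] && printf '%b\n' "${CR}ERROR:${CN} $*" >&2

  exit "$code"
}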
# add [PORT]
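#######################################
# Publish the onion hostname of the hidden service on port $1 into the
# guest config directory, world-readable (an onion address is not secret).
# Arguments: $1 - port number of the hidden service (22 and 80 in this script)
# Returns:   0 on success; does not return on failure (ERREXIT), because a
#            missing hostname means the service has no address to publish
#            and tor should not be started half-configured.
#######################################
xadd()
{
  local port=${1:?xadd: port required}
  local src="/var/lib/tor/hidden/service-${port}/hostname"
  local dst="/config/guest/onion_hostname-${port}"

  # genkey_hidden is expected to have written $src beforehand.
  cp -- "$src" "$dst" || ERREXIT
  chmod 644 "$dst" || ERREXIT
}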
# Tor has no easy way to generate keys in a script and then derive the onion address
# from the public key. This is a nightmare.
# (We need the onion address before we start Tor....)
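#######################################
# Derive the v3 onion address from a tor ed25519 public key file.
# The last 32 bytes of the file are the raw public key; the address is
# base32(pubkey || checksum || 0x03) with
#   checksum = sha3_256(".onion checksum" || pubkey || 0x03)[0:2]
# The raw key bytes are never held in a shell variable: command
# substitution drops NUL bytes and strips trailing newlines, so any key
# containing 0x00 or ending in 0x0a would produce an address that does not
# match the key (the previous version did exactly that).
# Arguments: $1 - path to hs_ed25519_public_key
# Outputs:   the lowercase "<56 chars>.onion" address on stdout
# Returns:   non-zero if the key cannot be read or the derivation fails
#######################################
_onion_hostname()
{
  local pubkey=$1
  local chk_b64
  local addr

  [[ -r "$pubkey" ]] || return 1

  # The two checksum bytes are binary as well; carry them between the two
  # pipelines base64-encoded rather than as raw bytes in a variable.
  chk_b64=$({ printf '%s' '.onion checksum'; tail --bytes 32 <"$pubkey"; printf '\003'; } \
    | openssl sha3-256 -binary | head --bytes 2 | base64) || return 1
  [[ -n $chk_b64 ]] || return 1

  # 35 input bytes encode to exactly 56 base32 characters (no padding);
  # tr removes any line wrapping base32 may add.
  addr=$({ tail --bytes 32 <"$pubkey"; printf '%s' "$chk_b64" | base64 -d; printf '\003'; } \
    | base32 | tr -d '\n') || return 1
  (( ${#addr} == 56 )) || return 1

  printf '%s.onion\n' "${addr,,}"
}

#######################################
# Create (once) the ed25519 key pair and hostname file for the hidden
# service on port $1 under /var/lib/tor/hidden/service-<port>, then tighten
# permissions. Relies on the caller's umask (the script sets 0077 first) so
# freshly written key files are private.
# Arguments: $1 - port number of the hidden service
# Outputs:   "Port <port>: <addr>.onion" on stdout when a hostname is created
# Returns:   0 on success; does not return on failure (ERREXIT)
#######################################
genkey_hidden()
{
  local port=${1:?genkey_hidden: port required}
  local dir="/var/lib/tor/hidden/service-${port}"
  local keytmp
  local addr

  mkdir -p "${dir}/authorized_clients" || ERREXIT

  if [[ ! -f "${dir}/hs_ed25519_secret_key" ]]; then
    # 'tor --keygen' writes a master identity key pair; the script installs
    # it as the hidden-service key pair. A fresh private scratch directory
    # replaces the fixed /tmp/tor so that a stale or pre-existing directory
    # from an earlier run can neither break mkdir nor supply old keys.
    keytmp=$(mktemp -d /tmp/tor.XXXXXX) || ERREXIT
    chown tor "$keytmp" || ERREXIT
    chown tor "$dir" || ERREXIT
    # The "\r\r" presumably answers keygen's interactive prompts with empty
    # input; 'script' provides the tty it expects. Kept as in the original.
    (sleep 1; echo -en "\r\r") \
      | su -s /bin/ash - tor -c "script -q -c \"tor --keygen --DataDirectory ${keytmp}\" /dev/null" >/dev/null
    # A failed keygen used to go unnoticed: the copies failed silently and
    # the script went on to start tor without a key.
    cp "${keytmp}/keys/ed25519_master_id_secret_key" "${dir}/hs_ed25519_secret_key" || ERREXIT
    cp "${keytmp}/keys/ed25519_master_id_public_key" "${dir}/hs_ed25519_public_key" || ERREXIT
    rm -rf -- "${keytmp:?}"
    # A new key invalidates any hostname that belonged to an older key.
    rm -f "${dir}/hostname"
  fi

  if [[ ! -f "${dir}/hostname" ]]; then
    # Create ./hostname from public key
    addr=$(_onion_hostname "${dir}/hs_ed25519_public_key") \
      || ERREXIT 1 "cannot derive onion address for port ${port}"
    echo "$addr" >"${dir}/hostname" || ERREXIT
    echo "Port ${port}: ${addr}"
  fi

  # Always fix permission (and also when files already existed)
  find "${dir}" -type d -exec chmod 700 {} \; || ERREXIT
  find "${dir}" -type f -exec chmod 600 {} \; || ERREXIT
}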
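# Route all traffic that comes to this instance through TOR.
# Without this redirect, connections would leave the container unprotected,
# so a failure to install it is fatal rather than silently ignored.
iptables -t nat -A PREROUTING -p tcp ! -d sf-tor --syn -j REDIRECT --to-ports 9040 || ERREXIT

if [[ -n $SF_TOR_VIA_VPN ]]; then
  # Route TOR via VPN. Deleting the default route is allowed to fail (there
  # may be none yet); failing to add the VPN route must not be ignored,
  # or tor could end up using whatever route is left.
  ip route del default
  ip route add default via 172.20.0.2 || ERREXIT
else
  # Route TOR directly to Internet but incoming
  # onion connections to these two (via sf-router)
  ip route add 172.22.0.22/32 via 172.20.0.2 || ERREXIT
  ip route add 172.20.1.80/32 via 172.20.0.2 || ERREXIT
fi

# Key material is written under a private umask; the umask is relaxed only
# for the public hostname copies made by xadd.
umask 0077
genkey_hidden 22
genkey_hidden 80
umask 0022
xadd 22
xadd 80

chmod 700 /var/lib/tor || ERREXIT
chown -R tor /var/lib/tor/hidden || ERREXIT

# Hand over to tor as the unprivileged 'tor' user. A host-provided torrc is
# used when present; otherwise tor runs with its defaults.
torcmd="tor --hush"
[[ -f /config/host/etc/tor/torrc ]] && torcmd+=" -f /config/host/etc/tor/torrc"
exec su -s /bin/ash - tor -c "$torcmd"
# NOT REACHED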