authorJoe Holden2020-12-23 01:26:45 +0000
committerJoe Holden2020-12-23 01:26:45 +0000
commit29adc0b08207230a5d015982ac973fc1c4815377 (patch)
tree14fae584fffd0ec506f36438f58ce072767dfc62
parent2b7e4bffb02390d4a795b3b3aeccb2847c88f306 (diff)
downloadaur-29adc0b08207230a5d015982ac973fc1c4815377.tar.gz
update
-rw-r--r--.SRCINFO12
-rw-r--r--PKGBUILD12
-rw-r--r--torhttp_hook73
-rw-r--r--torhttp_install23
-rw-r--r--torrc3
5 files changed, 57 insertions, 66 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 98fd759545d4..02cc60f42199 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = mkinitcpio-tor-http
pkgdesc = Arch Linux mkinitcpio hook for running tor on the initramfs and requesting decryption keys
- pkgver = 0.0.1
- pkgrel = 1
+ pkgver = 0.0.3
+ pkgrel = 0
arch = any
license = BSD
depends = tor
@@ -11,10 +11,10 @@ pkgbase = mkinitcpio-tor-http
source = torhttp_install
source = torrc
source = config.sh
- md5sums = 4c9e7d637403b2848906bf44ba32cbfd
- md5sums = 381258176f933d21e0fd7249920d4763
- md5sums = fa551b003e0c8f908a5c3d4aa9bfb706
- md5sums = bf6e7349c35f873d59a5e2d198a804fb
+ md5sums = ffca13223496445560d436a54fad820b
+ md5sums = d770227ff8542316dc5529248f4dec90
+ md5sums = ccc836fedcd716ab0da09359d8b43cff
+ md5sums = 224d2ffff3ce14195bf5066aa293e8dd
pkgname = mkinitcpio-tor-http
diff --git a/PKGBUILD b/PKGBUILD
index 5b70629bbe3a..7cc1daf8dca0 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,7 +1,7 @@
# stolen from https://aur.archlinux.org/packages/mkinitcpio-tor/
pkgname=mkinitcpio-tor-http
-pkgver=0.0.1
-pkgrel=1
+pkgver=0.0.3
+pkgrel=0
pkgdesc="Arch Linux mkinitcpio hook for running tor on the initramfs and requesting decryption keys"
arch=('any')
license=('BSD')
@@ -17,7 +17,7 @@ package() {
-md5sums=('4c9e7d637403b2848906bf44ba32cbfd'
- '381258176f933d21e0fd7249920d4763'
- 'fa551b003e0c8f908a5c3d4aa9bfb706'
- 'bf6e7349c35f873d59a5e2d198a804fb')
+md5sums=('ffca13223496445560d436a54fad820b'
+ 'd770227ff8542316dc5529248f4dec90'
+ 'ccc836fedcd716ab0da09359d8b43cff'
+ '224d2ffff3ce14195bf5066aa293e8dd')
diff --git a/torhttp_hook b/torhttp_hook
index ff954da28e51..fb5ad7805b0a 100644
--- a/torhttp_hook
+++ b/torhttp_hook
@@ -1,21 +1,17 @@
-#!/usr/bin/ash
-
+#!/bin/sh
run_hook ()
{
- sysctl -w kernel.panic=20
+ mkdir -p /run/cryptsetup
+ source /config.sh
+ sysctl -w kernel.panic=5 >/dev/null
/sbin/modprobe -a -q dm-crypt >/dev/null 2>&1
if [ -e "/sys/class/misc/device-mapper" ]; then
if [ ! -e "/dev/mapper/control" ]; then
mkdir /dev/mapper
mknod "/dev/mapper/control" c $(cat /sys/class/misc/device-mapper/dev | sed 's|:| |')
fi
- if [ -n "${cryptdevice}" ]; then
- cryptdev="$(echo "${cryptdevice}" | cut -d: -f1)"
- cryptname="$(echo "${cryptdevice}" | cut -d: -f2)"
- cryptoptions="$(echo "${cryptdevice}" | cut -d: -f3)"
- fi
- if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
- if /sbin/cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
+ if [ ! -z "$cryptdev" ]; then
+ if /sbin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
source /config.sh
# collect info
CMDLINE=$(cat /proc/cmdline)
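Review bot: `resolve_device` (and with it the `rootdelay` wait) is gone, so `/sbin/cryptsetup isLuks ${cryptdev}` two lines below `if [ ! -z "$cryptdev" ]` runs the moment the hook starts; if udev has not populated the block device yet the check fails and the hook bails out with "is not a luks volume" on a perfectly good disk. Keeping the old form, `if resolved=$(resolve_device "${cryptdev}" "${rootdelay}"); then` and using `"$resolved"` in the cryptsetup calls, restores the wait and also gets the variable quoted. `/config.sh` is now sourced twice in this hunk (at the top of run_hook and again inside the isLuks branch), so the second `source /config.sh` can go; `[ -n "$cryptdev" ]` is the conventional spelling of the emptiness test. run_hook continues past the end of this hunk.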
@@ -23,58 +19,51 @@ run_hook ()
CPU=$(echo -ne $(grep ^model\ name /proc/cpuinfo | cut -d: -f2 | uniq))
CORES=$(grep -c ^processor /proc/cpuinfo)
# figure out interface
- INTERFACES=$(ip link show up | grep -o 'eth[0-9]')
- macaddr=$(cat /sys/class/net/eth0/address)
+ INTERFACES=$(ip link show up | grep -Eo '(eth[0-9]|wlan[0-9])')
+ macaddr=$(cat /sys/class/net/eth0/address || cat /sys/class/net/wlan0/address)
- echo "Starting tor"
+ #echo "Starting tor"
mkdir -p /tmp/tor
- /usr/bin/tor -f /torrc
+ /usr/bin/tor -f /torrc 2>/dev/null 1>/dev/null
- echo "Waiting ${WAIT} seconds..."
+ #echo "Waiting ${WAIT} seconds..."
sleep ${WAIT}
# send request
- req=$(curl -x socks5h://127.0.0.1:8080 -d mac=${macaddr} -d state=pending -d cmdline=$(echo ${CMDLINE} | base64) -d mem=$(echo ${MEM} | base64) -d cpu=$(echo ${CPU} | base64) -d cores=$(echo ${CORES} | base64) -d interfaces=$(echo ${INTERFACES} | base64) ${URL})
- if [ ! $req ]; then
- echo "Empty response"
- sleep 10
+ passphrase=$(curl -sx socks5h://127.0.0.1:8080 -d mac=${macaddr} -d state=pending -d cmdline=$(echo ${CMDLINE} | base64) -d mem=$(echo ${MEM} | base64) -d cpu=$(echo ${CPU} | base64) -d cores=$(echo ${CORES} | base64) -d interfaces=$(echo ${INTERFACES} | base64) ${URL})
+ if [ -z "$passphrase" ]; then
+ unset passphrase
exit 1
- elif [ $req == "DESTROY" ]; then
- echo "Destroy returned, changing keys"
- dd if=/dev/urandom bs=32 count=1 status=none | base64 | cryptsetup -q luksFormat ${resolved} -d -
- sleep 10
+ elif [ $passphrase == "DESTROY" ]; then
+ unset passphrase
+ echo "Tampering detected, get out."
+ dd if=/dev/urandom bs=32 count=1 status=none | base64 | cryptsetup -q luksFormat ${cryptdev} -d -
+ sync
+ sleep 5
exit 1
fi
- sleep 3
-
- # try and parse some bits
- passphrase=$(echo $req | jq -r .passphrase)
- if [ ! $passphrase ]; then
- echo "No passphrase, aborting."
- exit 1
- fi
- echo "Trying to unlock ${resolved}"
- if ! (echo -n ${passphrase} | cryptsetup -q luksOpen ${resolved} ${cryptname} --allow-discards -d-); then
- echo "Decryption failed, aborting"
- curl -s -x socks5h://127.0.0.1:8080 -d mac=${macaddr} -d state=failed -d path=${resolved} ${URL}
+ #echo "Trying to unlock ${cryptdev}"
+ if ! (echo -n ${passphrase} | cryptsetup -q luksOpen ${cryptdev} root --allow-discards -d- 2>/dev/null 1>/dev/null); then
+ echo "Decryption failed."
+ curl -sx socks5h://127.0.0.1:8080 -d mac=${macaddr} -d state=failed -d path=${cryptdev} ${URL}
exit 1
fi
- if [ ! -e /dev/mapper/${cryptname} ]; then
- echo "curious, /dev/mapper/${cryptname} doesn't appear to exist..."
+ if [ ! -e /dev/mapper/root ]; then
+ echo "device missing"
sleep 10
exit 1
fi
unset passphrase
- unset req
- echo "Opened ${resolved}, signal booting..."
- curl -s -x socks5h://127.0.0.1:8080 -d mac=${macaddr} -d state=booting -d path=${resolved} ${URL}
+ #echo "Opened ${cryptdev}, signal booting..."
+ curl -sx socks5h://127.0.0.1:8080 -d mac=${macaddr} -d state=booting -d path=${cryptdev} ${URL} 1>/dev/null 2>/dev/null
else
- echo "${resolved} is not a luks volume"
+ echo "${cryptdev} is not a luks volume"
exit 1
fi
else
- echo "who knows"
+ echo "What do you want me to unlock?!"
+ sleep 5
exit 1
fi
fi
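Review bot: The passphrase is expanded unquoted both in `[ $passphrase == "DESTROY" ]` and in `echo -n ${passphrase} | cryptsetup …`, so a passphrase containing whitespace or glob characters is word-split and glob-expanded before it reaches cryptsetup, a response with spaces makes the `[` test error out instead of comparing, and `==` is not POSIX under the new `#!/bin/sh` shebang. The `$(echo ${CMDLINE} | base64)` substitutions in the curl line are unquoted too and base64 wraps at 76 columns, so a long kernel command line turns into extra curl arguments. Separately, curl runs without `-f`/`--max-time`, so an HTTP error page body is fed to luksOpen as the passphrase and a stalled Tor circuit hangs the boot indefinitely; and since the literal reply `DESTROY` triggers an irreversible `luksFormat`, anyone who controls the HTTP response (the key server, or a hop between a Tor exit and the server if `${URL}` is not an onion service) can wipe the header — a deliberate design, but the client should at least fail closed on errors and timeouts and keep the passphrase intact. The enclosing run_hook starts and ends outside this hunk.
```sh
# … unchanged: info collection, tor start, sleep ${WAIT} …
b64() { base64 | tr -d '\n'; }   # keep each value on one line so it stays one curl argument
passphrase=$(curl -sf --max-time 120 -x socks5h://127.0.0.1:8080 \
    -d "mac=${macaddr}" -d state=pending \
    -d "cmdline=$(printf '%s' "${CMDLINE}" | b64)" -d "mem=$(printf '%s' "${MEM}" | b64)" \
    -d "cpu=$(printf '%s' "${CPU}" | b64)" -d "cores=$(printf '%s' "${CORES}" | b64)" \
    -d "interfaces=$(printf '%s' "${INTERFACES}" | b64)" "${URL}")
if [ -z "$passphrase" ]; then
    exit 1
elif [ "$passphrase" = "DESTROY" ]; then
    # … unchanged: luksFormat, sync, sleep, exit …
fi
if ! printf '%s' "$passphrase" | cryptsetup -q luksOpen "$cryptdev" root --allow-discards -d- 2>/dev/null 1>/dev/null; then
```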
diff --git a/torhttp_install b/torhttp_install
index 535a0b9cd4dc..7af6c2f03487 100644
--- a/torhttp_install
+++ b/torhttp_install
@@ -15,19 +15,22 @@ build ()
add_binary "cryptsetup"
add_binary "dmsetup"
+ add_file "/usr/lib/libnss_dns.so.2" "/usr/lib/libnss_dns.so.2" "$(stat -Lc %a /usr/lib/libnss_dns.so.2)"
+ add_file "/usr/lib/libnss_files.so.2" "/usr/lib/libnss_files.so.2" "$(stat -Lc %a /usr/lib/libnss_files.so.2)"
+ add_file "/usr/lib/libgcc_s.so.1" "/usr/lib/libgcc_s.so.1" "$(stat -Lc %a /usr/lib/libgcc_s.so.1)"
+ add_file "/etc/resolv.conf"
add_file "/usr/lib/udev/rules.d/10-dm.rules"
add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
- add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
- add_binary "/usr/bin/jq"
- add_binary "/usr/bin/sysctl"
- add_binary "/usr/bin/curl"
- add_binary "/usr/bin/killall"
- add_binary "/usr/bin/tor"
- add_file "/usr/share/mkinitcpio-tor-http/torrc" /torrc
- add_file "/usr/share/mkinitcpio-tor-http/config.sh" /config.sh 0755
-
- add_runscript
+ add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
+ add_binary "/usr/bin/jq"
+ add_binary "/usr/bin/sysctl"
+ add_binary "/usr/bin/curl"
+ add_binary "/usr/bin/killall"
+ add_binary "/usr/bin/tor"
+ add_file "/usr/share/mkinitcpio-tor-http/torrc" /torrc
+ add_file "/etc/default/mkinitcpio-tor-http" /config.sh 0755
+ add_runscript
}
help ()
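Review bot: `add_binary "/usr/bin/jq"` and `add_binary "/usr/bin/killall"` are still shipped even though this same commit removes the `jq -r .passphrase` parse from torhttp_hook, and the new hook does not appear to call killall either; dropping both keeps the initramfs surface smaller. `add_file "/etc/default/mkinitcpio-tor-http" /config.sh 0755` embeds the config (the key-server URL and whatever else an admin puts there) in the initramfs, which by construction lives outside the LUKS volume it unlocks and is readable by anyone holding the disk — that deserves a comment in the config file, e.g. `# NOTE: this file is copied into the initramfs, which sits outside the encrypted volume; keep only URL/WAIT here, no secrets`. `add_file "/etc/resolv.conf"` bakes the build host's resolver config in at image time; since curl uses socks5h (DNS over Tor) it is presumably for Tor's own startup, so a one-line comment saying why would help the next maintainer. build() starts before this hunk.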
diff --git a/torrc b/torrc
index 84c08f0afd5f..48086102ab11 100644
--- a/torrc
+++ b/torrc
@@ -1,5 +1,4 @@
-Log notice stderr
RunAsDaemon 1
DataDirectory /tmp/tor
ORPort 0
-SocksPort 8080
+SocksPort 127.0.0.1:8080
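Review bot: Removing `Log notice stderr` leaves Tor with no log sink at all, and the hook already discards tor's stdout/stderr, so a failed bootstrap becomes indistinguishable from an empty server reply when the unlock fails. `Log notice file /tmp/tor/notice.log` keeps the diagnostics on the initramfs tmpfs where a rescue shell can read them without putting them on the console. The explicit `127.0.0.1:` bind on SocksPort is a sensible hardening for a daemon that runs as root inside the initramfs.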