authorJoe Holden2020-10-27 00:00:15 +0100
committerJoe Holden2020-10-27 00:00:15 +0100
commit2b7e4bffb02390d4a795b3b3aeccb2847c88f306 (patch)
tree0b1172357758210100bfbc36d45cd48365db0910
downloadaur-2b7e4bffb02390d4a795b3b3aeccb2847c88f306.tar.gz
init
-rw-r--r--.SRCINFO20
-rw-r--r--PKGBUILD23
-rw-r--r--config.sh3
-rw-r--r--torhttp_hook87
-rw-r--r--torhttp_install40
-rw-r--r--torrc5
6 files changed, 178 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..98fd759545d4
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,20 @@
+pkgbase = mkinitcpio-tor-http
+ pkgdesc = Arch Linux mkinitcpio hook for running tor on the initramfs and requesting decryption keys
+ pkgver = 0.0.1
+ pkgrel = 1
+ arch = any
+ license = BSD
+ depends = tor
+ depends = mkinitcpio-netconf
+ depends = jq
+ source = torhttp_hook
+ source = torhttp_install
+ source = torrc
+ source = config.sh
+ md5sums = 4c9e7d637403b2848906bf44ba32cbfd
+ md5sums = 381258176f933d21e0fd7249920d4763
+ md5sums = fa551b003e0c8f908a5c3d4aa9bfb706
+ md5sums = bf6e7349c35f873d59a5e2d198a804fb
+
+pkgname = mkinitcpio-tor-http
+
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..5b70629bbe3a
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,23 @@
+# stolen from https://aur.archlinux.org/packages/mkinitcpio-tor/
+pkgname=mkinitcpio-tor-http
+pkgver=0.0.1
+pkgrel=1
+pkgdesc="Arch Linux mkinitcpio hook for running tor on the initramfs and requesting decryption keys"
+arch=('any')
+license=('BSD')
+depends=('tor' 'mkinitcpio-netconf' 'jq')
+source=('torhttp_hook' 'torhttp_install' 'torrc' 'config.sh')
+
+package() {
+ install -Dm644 "$srcdir/torhttp_hook" "$pkgdir/usr/lib/initcpio/hooks/torhttp"
+ install -Dm644 "$srcdir/torhttp_install" "$pkgdir/usr/lib/initcpio/install/torhttp"
+ install -Dm644 "$srcdir/torrc" "$pkgdir/usr/share/$pkgname/torrc"
+ install -Dm644 "$srcdir/config.sh" "$pkgdir/usr/share/$pkgname/config.sh"
+}
+
+
+
+md5sums=('4c9e7d637403b2848906bf44ba32cbfd'
+ '381258176f933d21e0fd7249920d4763'
+ 'fa551b003e0c8f908a5c3d4aa9bfb706'
+ 'bf6e7349c35f873d59a5e2d198a804fb')
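Review bot: `license=('BSD')` is declared but no license text is listed in `source=` or installed by `package()`, so the package ships nothing under `/usr/share/licenses/$pkgname`, which Arch packaging expects for BSD-licensed packages; add the license file to `source=` and the checksum array and install it with `install -Dm644 "$srcdir/<license file>" "$pkgdir/usr/share/licenses/$pkgname/LICENSE"`. The checksum arrays use md5sums; for a new package `sha256sums` (regenerated with updpkgsums) is the conventional choice, though with all sources local to the same tree this is a style point only. The helpers installed by this hook at runtime (`curl`, `sysctl`, `killall`) are not in `depends=`; unless the author relies on them being pulled in by the base system, image generation will fail on a host that lacks any of them.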
diff --git a/config.sh b/config.sh
new file mode 100644
index 000000000000..809774ccbb15
--- /dev/null
+++ b/config.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+URL="http://yourthing.onion/tor"
+WAIT=30
diff --git a/torhttp_hook b/torhttp_hook
new file mode 100644
index 000000000000..ff954da28e51
--- /dev/null
+++ b/torhttp_hook
@@ -0,0 +1,87 @@
+#!/usr/bin/ash
+
+run_hook ()
+{
+ sysctl -w kernel.panic=20
+ /sbin/modprobe -a -q dm-crypt >/dev/null 2>&1
+ if [ -e "/sys/class/misc/device-mapper" ]; then
+ if [ ! -e "/dev/mapper/control" ]; then
+ mkdir /dev/mapper
+ mknod "/dev/mapper/control" c $(cat /sys/class/misc/device-mapper/dev | sed 's|:| |')
+ fi
+ if [ -n "${cryptdevice}" ]; then
+ cryptdev="$(echo "${cryptdevice}" | cut -d: -f1)"
+ cryptname="$(echo "${cryptdevice}" | cut -d: -f2)"
+ cryptoptions="$(echo "${cryptdevice}" | cut -d: -f3)"
+ fi
+ if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
+ if /sbin/cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
+ source /config.sh
+ # collect info
+ CMDLINE=$(cat /proc/cmdline)
+ MEM=$(grep MemTotal /proc/meminfo | awk '{ print $2 " " $3}')
+ CPU=$(echo -ne $(grep ^model\ name /proc/cpuinfo | cut -d: -f2 | uniq))
+ CORES=$(grep -c ^processor /proc/cpuinfo)
+ # figure out interface
+ INTERFACES=$(ip link show up | grep -o 'eth[0-9]')
+ macaddr=$(cat /sys/class/net/eth0/address)
+
+ echo "Starting tor"
+ mkdir -p /tmp/tor
+ /usr/bin/tor -f /torrc
+
+ echo "Waiting ${WAIT} seconds..."
+ sleep ${WAIT}
+
+ # send request
+ req=$(curl -x socks5h://127.0.0.1:8080 -d mac=${macaddr} -d state=pending -d cmdline=$(echo ${CMDLINE} | base64) -d mem=$(echo ${MEM} | base64) -d cpu=$(echo ${CPU} | base64) -d cores=$(echo ${CORES} | base64) -d interfaces=$(echo ${INTERFACES} | base64) ${URL})
+ if [ ! $req ]; then
+ echo "Empty response"
+ sleep 10
+ exit 1
+ elif [ $req == "DESTROY" ]; then
+ echo "Destroy returned, changing keys"
+ dd if=/dev/urandom bs=32 count=1 status=none | base64 | cryptsetup -q luksFormat ${resolved} -d -
+ sleep 10
+ exit 1
+ fi
+
+ sleep 3
+
+ # try and parse some bits
+ passphrase=$(echo $req | jq -r .passphrase)
+ if [ ! $passphrase ]; then
+ echo "No passphrase, aborting."
+ exit 1
+ fi
+ echo "Trying to unlock ${resolved}"
+ if ! (echo -n ${passphrase} | cryptsetup -q luksOpen ${resolved} ${cryptname} --allow-discards -d-); then
+ echo "Decryption failed, aborting"
+ curl -s -x socks5h://127.0.0.1:8080 -d mac=${macaddr} -d state=failed -d path=${resolved} ${URL}
+ exit 1
+ fi
+ if [ ! -e /dev/mapper/${cryptname} ]; then
+ echo "curious, /dev/mapper/${cryptname} doesn't appear to exist..."
+ sleep 10
+ exit 1
+ fi
+ unset passphrase
+ unset req
+ echo "Opened ${resolved}, signal booting..."
+ curl -s -x socks5h://127.0.0.1:8080 -d mac=${macaddr} -d state=booting -d path=${resolved} ${URL}
+ else
+ echo "${resolved} is not a luks volume"
+ exit 1
+ fi
+ else
+ echo "who knows"
+ exit 1
+ fi
+ fi
+}
+
+run_cleanuphook ()
+{
+ killall tor
+ rm -rf /tmp/tor
+}
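Review bot: The server response is expanded unquoted in `if [ ! $req ]` and `elif [ $req == "DESTROY" ]`, again in `echo $req | jq`, and the parsed secret in `echo -n ${passphrase} | cryptsetup`, so a body containing whitespace or glob characters makes `[` fail with "too many arguments", alters the JSON before jq sees it, and can change the bytes fed to luksOpen; every one of these expansions should be quoted. `jq -r .passphrase` prints the literal string `null` when the key is absent, which passes the `[ ! $passphrase ]` check and results in an unlock attempt with "null" followed by a `state=failed` report, so use `jq -r '.passphrase // empty'`. The first curl has no `--connect-timeout`/`--max-time`, so an unreachable onion service stalls the boot indefinitely instead of reaching any of the `exit 1` paths, and the unquoted `$(echo ... | base64)` substitutions wrap at 76 columns and split a long cmdline or interface list into extra arguments. The rewritten request and response-handling lines below keep the existing wire format (base64 of the echoed value, same field names); the timeout values are constructed samples to be tuned against `WAIT` in config.sh.
```shell
# … unchanged: device-mapper setup, cryptdevice parsing, info collection, tor start, wait …
b64() { base64 | tr -d '\n'; }   # base64 wraps output at 76 columns; keep each -d value a single word
req=$(curl -sS --fail --connect-timeout 60 --max-time 180 -x socks5h://127.0.0.1:8080 \
    -d "mac=${macaddr}" -d state=pending \
    -d "cmdline=$(echo "${CMDLINE}" | b64)" -d "mem=$(echo "${MEM}" | b64)" \
    -d "cpu=$(echo "${CPU}" | b64)" -d "cores=$(echo "${CORES}" | b64)" \
    -d "interfaces=$(echo "${INTERFACES}" | b64)" "${URL}")
if [ -z "${req}" ]; then
    # … unchanged: "Empty response" branch …
elif [ "${req}" = "DESTROY" ]; then
    # … unchanged: destroy branch …
fi
# … unchanged: sleep 3 …
passphrase=$(printf '%s' "${req}" | jq -r '.passphrase // empty')
if [ -z "${passphrase}" ]; then
    # … unchanged: "No passphrase, aborting." branch …
fi
echo "Trying to unlock ${resolved}"
if ! printf '%s' "${passphrase}" | cryptsetup -q luksOpen "${resolved}" "${cryptname}" --allow-discards -d -; then
# … unchanged: failure report, /dev/mapper check, booting report …
```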
diff --git a/torhttp_install b/torhttp_install
new file mode 100644
index 000000000000..535a0b9cd4dc
--- /dev/null
+++ b/torhttp_install
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+build ()
+{
+ local mod
+
+ add_module dm-crypt
+ if [[ $CRYPTO_MODULES ]]; then
+ for mod in $CRYPTO_MODULES; do
+ add_module "$mod"
+ done
+ else
+ add_all_modules '/crypto/'
+ fi
+
+ add_binary "cryptsetup"
+ add_binary "dmsetup"
+ add_file "/usr/lib/udev/rules.d/10-dm.rules"
+ add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
+ add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
+ add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
+ add_binary "/usr/bin/jq"
+ add_binary "/usr/bin/sysctl"
+ add_binary "/usr/bin/curl"
+ add_binary "/usr/bin/killall"
+ add_binary "/usr/bin/tor"
+ add_file "/usr/share/mkinitcpio-tor-http/torrc" /torrc
+ add_file "/usr/share/mkinitcpio-tor-http/config.sh" /config.sh 0755
+
+ add_runscript
+}
+
+help ()
+{
+ cat<<HELPEOF
+This hook will add tor binary and configuration to the initramfs. It is meant
+for situations where the server does not have direct connectivity or the user
+wants to conceal the fact a server is using remote unlocking.
+HELPEOF
+}
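Review bot: `add_file "/usr/share/mkinitcpio-tor-http/config.sh" /config.sh 0755` installs a file that the hook only `source`s, so the executable bit is unnecessary and 0644 would match how PKGBUILD installs the same file under /usr/share. The `help()` text says the hook adds tor and its configuration but does not mention that it also replaces the stock encrypt hook's device-mapper setup and fetches the LUKS passphrase over the configured onion URL, which is the part an administrator must configure; a sentence such as `Edit /usr/share/mkinitcpio-tor-http/config.sh to set URL and WAIT before regenerating the image.` would make that visible from `mkinitcpio -H torhttp`. The `build()` body also adds `/usr/bin/sysctl`, `/usr/bin/curl` and `/usr/bin/killall` while PKGBUILD's `depends=` lists only tor, mkinitcpio-netconf and jq, so image generation presumably fails on a host where any of those is absent.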
diff --git a/torrc b/torrc
new file mode 100644
index 000000000000..84c08f0afd5f
--- /dev/null
+++ b/torrc
@@ -0,0 +1,5 @@
+Log notice stderr
+RunAsDaemon 1
+DataDirectory /tmp/tor
+ORPort 0
+SocksPort 8080