#!/bin/bash

# Rationale: Tor needs a somewhat accurate clock to work, and for that
# HTP is currently the only practically usable solution when one wants
# to authenticate the servers providing the time. We therefore need the
# IPs of a bunch of HTTPS servers.
#
# However, since all DNS lookups are normally made through the Tor
# network, which we are not connected to at this point, we use the
# local DNS servers obtained through DHCP if possible, or the OpenDNS
# ones otherwise.
#
# To limit fingerprinting possibilities, we do not want to send HTTP
# requests aimed at an IP-based virtualhost such as https://IP/, but
# rather to the usual hostname (e.g. https://www.eff.org/) as any
# "normal" user would do. Once we have the HTTPS servers' IPs, we
# write them to /etc/hosts so the system resolver knows about them.
# htpdate is then run, and we eventually remove the added entries from
# /etc/hosts.
#
# Note that all network operations (host, htpdate) are done as the
# htp user, who has an exception in the firewall configuration
# granting it direct access to the needed network ports.
#
# That is why we tell the htpdate script to drop privileges and run
# as the htp user all operations but the actual setting of the time,
# which has to be done as root.

# $2 is the action passed by the dispatcher that runs this script
# ($1 is presumably the interface name). Only an interface coming
# "up" is of interest; any other action, or a missing argument, exits
# quietly with success.
[[ ${2:-} == "up" ]] || exit 0

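# Script log and the log htpdate writes on its own.
LOG=/var/log/nm-htp.log
HTPDATE_LOG=/var/log/htpdate.log
readonly LOG HTPDATE_LOG

# HTTPS hosts that htpdate samples. They are resolved below and pinned
# in /etc/hosts for the duration of the run.
declare -a HTP_POOL
HTP_POOL=(
	'www.torproject.org'
	'www.eff.org'
	'mail.google.com'
	'secure.wikimedia.org'
)
readonly -a HTP_POOL

# Markers delimiting the block we append to /etc/hosts. They must
# differ from each other so the BEGIN line can be told apart from the
# END line when the block is removed again.
BEGIN_MAGIC='### BEGIN HTP HOSTS'
END_MAGIC='### END HTP HOSTS'
readonly BEGIN_MAGIC END_MAGIC

# Name servers for the pre-Tor lookups: those handed to us through
# DHCP (DHCP4_DOMAIN_NAME_SERVERS, as set by the dispatcher), falling
# back to OpenDNS. The DHCP value comes straight off the network, so
# only tokens that look like IPv4 literals are kept; anything else is
# logged and dropped. The pattern lives in a variable because braces
# inside an unquoted [[ =~ ]] pattern are fragile across bash versions.
IPV4_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
NAME_SERVERS=
for NS in ${DHCP4_DOMAIN_NAME_SERVERS:-}; do
	if [[ ${NS} =~ ${IPV4_RE} ]]; then
		NAME_SERVERS="${NAME_SERVERS:+${NAME_SERVERS} }${NS}"
	else
		echo "Ignoring non-IPv4 DHCP name server '${NS}'" >>"${LOG}"
	fi
done
if [[ -z ${NAME_SERVERS} ]]; then
	NAME_SERVERS="208.67.222.222 208.67.220.220"
fi

echo "${NAME_SERVERS}" >>"${LOG}"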

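#######################################
# Remove the HTP entries previously appended to the hosts file.
# Deletes everything from the BEGIN_MAGIC line through the END_MAGIC
# line, inclusive. Our entries are only ever appended, so if the END
# marker is missing (an interrupted run) everything after BEGIN is
# ours as well and deleting through end-of-file is the right thing.
# Globals:   BEGIN_MAGIC, END_MAGIC, LOG (read)
# Arguments: $1 - hosts file to clean (default: /etc/hosts)
# Returns:   0 when there was nothing to remove or the edit succeeded,
#            sed's status otherwise
#######################################
cleanup_etc_hosts() {
	local hosts_file=${1:-/etc/hosts}
	# Nothing of ours present: leave the file (and its inode) untouched.
	if ! grep -qF -- "${BEGIN_MAGIC}" "${hosts_file}"; then
		return 0
	fi
	echo "Removing HTP entries from ${hosts_file}" >>"${LOG}"
	# The markers consist of '#', letters and spaces only, so they can be
	# embedded in a sed address without escaping. The range end is
	# searched from the line after the start match, so it works even if
	# both markers happen to be identical.
	sed -i -e "/^${BEGIN_MAGIC}\$/,/^${END_MAGIC}\$/d" -- "${hosts_file}"
}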

echo "${BEGIN_MAGIC}" >> /etc/hosts

for HTP_HOST in ${HTP_POOL[*]} ; do
	DNS_QUERY_CMD=`for NS in ${NAME_SERVERS}; do
	               echo -n "|| host ${HTP_HOST} ${NS} ";
	               done | \
	               tail --bytes=+4`
	IP=$(sudo -u htp sh -c "${DNS_QUERY_CMD}" | \
amnesia's avatar
amnesia committed
69
	       grep "has address" | \
amnesia's avatar
amnesia committed
70
71
72
	       head -n 1 | \
	       cut -d ' ' -f 4)
	if [[ -z ${IP} ]]; then
73
		echo "Failed to resolve ${HTP_HOST}" >>$LOG
amnesia's avatar
amnesia committed
74
75
76
77
78
79
80
81
82
83
84
		echo "${END_MAGIC}" >> /etc/hosts
		cleanup_etc_hosts
		exit 17
	else
		echo "${IP}	${HTP_HOST}" >> /etc/hosts
	fi
done

echo "${END_MAGIC}" >> /etc/hosts

/usr/local/sbin/htpdate \
85
	-d \
86
	-l "${HTPDATE_LOG}" \
amnesia's avatar
amnesia committed
87
88
89
90
91
92
	-a "`/usr/local/bin/getTorbuttonUserAgent`" \
	-f \
	-u htp \
	${HTP_POOL[*]}

HTPDATE_RET=$?
93
echo "htpdate returned with exist code ${HTPDATE_RET}" >>$LOG
amnesia's avatar
amnesia committed
94
95
96
97

cleanup_etc_hosts

exit ${HTPDATE_RET}