From 61ced82cb46bbb0bad294dbc36551d9ea47cab6e Mon Sep 17 00:00:00 2001
From: Sarah Jamie Lewis
Date: Wed, 16 Aug 2023 10:31:48 -0700
Subject: [PATCH] Restrict Ports when BINE_WHONIX is enabled.

---
 tor/torProvider.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/tor/torProvider.go b/tor/torProvider.go
index 47b6275..a1e2748 100644
--- a/tor/torProvider.go
+++ b/tor/torProvider.go
@@ -274,6 +274,10 @@ func (tp *torProvider) Listen(identity connectivity.PrivateKey, port int) (conne
 		if _, ferr := os.Stat("/usr/share/anon-ws-base-files/workstation"); !os.IsNotExist(ferr) {
 			localListener, err = net.Listen("tcp", "0.0.0.0:"+strconv.Itoa(localport))
 		}
+		// for whonix like systems we tightly restrict possible listen...
+		// pick a random port between 15300 and 15378
+		// cwtch = 63 *77 *74* 63* 68 = 1537844616
+		localport = 15300 + ((localport - 1024) % 78)
 	} else {
 		localListener, err = net.Listen("tcp", "127.0.0.1:"+strconv.Itoa(localport))
 	}
@@ -298,6 +302,7 @@ func (tp *torProvider) Listen(identity connectivity.PrivateKey, port int) (conne
 		return nil, err
 	}
 
+	os.ID = onion
 	os.CloseLocalListenerOnClose = true
 	ols := &onionListenService{os: os, tp: tp}
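Review bot: The remap `localport = 15300 + ((localport - 1024) % 78)` runs after `net.Listen` has already bound the original `localport`, so the socket listens on one port while `localport` now names another; if the later ADD_ONION target (outside this hunk) is built from `localport`, the onion will forward to a port nobody is listening on. The expression also does not match its own comment: `% 78` yields 0..77, so the window is 15300..15377, and because Go's `%` keeps the dividend's sign any `localport` below 1024 lands below 15300, outside the intended restricted range. It is also not "random" but a deterministic function of `localport`, which means distinct services can collide inside a 78-port window, so the `err` from the subsequent `net.Listen` (address in use) is the only signal and must stay checked. Move the assignment above the `os.Stat` check and make the modulus non-negative, e.g. `localport = 15300 + (((localport-1024)%78)+78)%78`, and reword the comment to `// Whonix-like systems: confine the local listener to the fixed window 15300..15377, derived deterministically from localport`. The enclosing `if` block and the `Listen` method both start and end outside this hunk, so the branch condition (presumably the BINE_WHONIX check named in the subject) is not visible here.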