|
|
|
@ -270,9 +270,22 @@ func (tp *torProvider) Listen(identity connectivity.PrivateKey, port int) (conne
|
|
|
|
|
|
|
|
|
|
var localListener net.Listener
|
|
|
|
|
var err error
|
|
|
|
|
if bineWhonix := os.Getenv("BINE_WHONIX"); strings.ToLower(bineWhonix) == "true" {
|
|
|
|
|
|
|
|
|
|
if cwtchRestrictPorts := os.Getenv("CWTCH_RESTRICT_PORTS"); strings.ToLower(cwtchRestrictPorts) == "true" {
|
|
|
|
|
// for whonix like systems we tightly restrict possible listen...
|
|
|
|
|
// pick a random port between 15000 and 15378
|
|
|
|
|
// cwtch = 63 *77 *74* 63* 68 = 1537844616
|
|
|
|
|
log.Infof("using restricted ports, CWTCH_RESTRICT_PORTS=true");
|
|
|
|
|
localport = 15000 + (localport % 378)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if bindExternal := os.Getenv("CWTCH_BIND_EXTERNAL_WHONIX"); strings.ToLower(bindExternal) == "true" {
|
|
|
|
|
if _, ferr := os.Stat("/usr/share/anon-ws-base-files/workstation"); !os.IsNotExist(ferr) {
|
|
|
|
|
log.Infof("WARNING: binding to external interfaces. This is potentially unsafe outside of a containerized environment.");
|
|
|
|
|
localListener, err = net.Listen("tcp", "0.0.0.0:"+strconv.Itoa(localport))
|
|
|
|
|
} else {
|
|
|
|
|
log.Errorf("CWTCH_BIND_EXTERNAL_WHONIX flag set, but /usr/share/anon-ws-base-files/workstation does not exist. Defaulting to binding to local ports");
|
|
|
|
|
localListener, err = net.Listen("tcp", "127.0.0.1:"+strconv.Itoa(localport))
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
localListener, err = net.Listen("tcp", "127.0.0.1:"+strconv.Itoa(localport))
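Review bot: The gate on the external bind at the `os.Stat("/usr/share/anon-ws-base-files/workstation")` line treats any stat error other than not-exist (permission denied, a path-loop error) as the marker being present, so a failing stat still falls through to the `0.0.0.0` listen; `if _, ferr := os.Stat("/usr/share/anon-ws-base-files/workstation"); ferr == nil {` restricts the all-interfaces bind to the case where the marker is actually readable. Two smaller points in the same hunk: the comment above the port mapping says "between 15000 and 15378" but `15000 + (localport % 378)` yields at most 15377, so either the comment should read `// pick a port between 15000 and 15377` or the modulus should be `379` if the inclusive upper bound was intended; and the trailing semicolons after the three `log.Infof`/`log.Errorf` calls are not gofmt-clean. The three `net.Listen` calls differ only in the host, so selecting a `bindHost` string in the branches and issuing a single `net.Listen("tcp", net.JoinHostPort(bindHost, strconv.Itoa(localport)))` afterwards would make the interface choice easier to audit, though that is a style suggestion rather than a defect. `localport`, `log` and the enclosing `Listen` method start outside the hunk, so whether `localport` is guaranteed non-negative before the modulo (a negative value would map below 15000) cannot be confirmed from here.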
|
|
|
|
@ -298,6 +311,8 @@ func (tp *torProvider) Listen(identity connectivity.PrivateKey, port int) (conne
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// We need to set os.ID here, otherwise os.Close() may not shut down the onion service properly...
|
|
|
|
|
os.ID = onion
|
|
|
|
|
os.CloseLocalListenerOnClose = true
|
|
|
|
|
|
|
|
|
|
ols := &onionListenService{os: os, tp: tp}
|
|
|
|
|