curly

#!/bin/sh # # pollinate: an Entropy-as-a-Service client # # Copyright (C) 2012-2016 Dustin Kirkland <dustin.kirkland@gmail.com> # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, version 3 of the License. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. set -e set -f PKG="pollinate" TMPDIR=$(mktemp -d -t "${PKG}.XXXXXXXXXXXX") trap "rm -rf ${TMPDIR} 2>/dev/null || true" EXIT HUP INT QUIT TERM CACHEDIR="/var/cache/${PKG}" FLAG="${CACHEDIR}/seeded" LOG="${CACHEDIR}/log" HOSTNAME=$(hostname) STRICT=0 # Only recent logger version supports --id=[ID] logger_ver=$(logger -V 2>&1 | awk '{print $4}') dpkg --compare-versions $logger_ver ge 2.26.2 && LOGGER="logger --id=$$" || LOGGER="logger" # Log to both syslog, and stderr, if we're on an interactive terminal [ -t 0 ] && LOGGER="$LOGGER -s" error() { $LOGGER -t ${PKG} "ERROR: $@" exit 1 } warning() { if [ "$STRICT" = "1" ]; then $LOGGER -t ${PKG} "ERROR: $@" exit 1 else $LOGGER -t ${PKG} "WARNING: $@" exit 0 fi } log() { if [ "${QUIET}" = "1" ]; then # quiet mode, don't log to stderr if [ -w "$CACHEDIR" ]; then # log to file, if we can $LOGGER -t ${PKG} "$@" >>"${LOG}" 2>&1 else # log to syslog, if its up $LOGGER -t ${PKG} "$@" fi else # log to both stderr and syslog $LOGGER -t ${PKG} "$@" fi } random_hash() { # Read and print urandom bytes head -c "${BYTES}" /dev/urandom | sha512sum | awk '{print $1}' } hash_and_write() { # Whiten input with a hash, and write to device local hex=$(cat "${TMPDIR}/out" "${TMPDIR}/err" | sha512sum | awk '{print $1}') if [ "${BINARY}" = "1" ]; then if [ "${DEVICE}" = "-" ]; then printf "${hex}" | xxd -r -p else printf "${hex}" | xxd -r -p > "${DEVICE}" fi else if [ "${DEVICE}" = "-" ]; then printf "%s" "${hex}" else printf "%s" "${hex}" > "${DEVICE}" fi fi log "client hashed response from [${1}]" } read_build_info() { # ubuntu images place build information in /etc/cloud/build.info # format of file is '<key>: <value>' put these under img/<key>/<value> local bifile="${1:-/etc/cloud/build.info}" ret="" _RET="" [ -s "$bifile" ] || return 0 ret=$(awk '{ gsub(/#.*/, ""); gsub(/\s+$/, ""); if ($0 == "" || $0 !~ /:/) next; gsub(/:\s*/, "/"); printf("img/%s ", $0) }' "$bifile") || return _RET="${ret% }" } read_addl_info() { # allow additinal info file to contain entries one per line. lines must # have a '/' in them. remove trailing space and '#' as comment. example: # key/value # fookey/foovalue # written by foo local aifile="${1:-/etc/pollinate/add-user-agent}" ret="" _RET="" [ -s "$aifile" ] || return 0 ret=$(awk '{ gsub(/#.*/, ""); gsub(/\s+$/, ""); if ($0 == "" || $0 !~ /\//) next; printf("%s ", $0); }' "$aifile") || return _RET=${ret% } } read_virt() { # return virt/<value> where value is the virtualization platform the # system is running on. local ret="" _RET="" if command -v systemd-detect-virt >/dev/null; then ret=$(systemd-detect-virt) # systemd-detect-virt returns 1 for 'none' [ $? -eq 0 -o "$ret" = "none" ] || ret="" else # trusty would take this path. if [ -d /dev/xen ]; then ret="xen" elif [ -d /dev/lxd ]; then # call this 'lxc' for consistency with systemd-detect-virt. ret="lxc" elif dmesg | grep --quiet " kvm-clock:"; then ret="kvm" fi fi [ -n "$ret" ] || return _RET="virt/$ret" } read_package_versions() { local pkgs="pollinate curl cloud-init" data="" p="" data=$(dpkg-query \ -W --showformat='${Package}/${Version} ' $pkgs 2>/dev/null) || : # fill in 'package/' for any package not installed. for p in ${pkgs}; do [ "${data#*$p/}" = "$data" ] && data="${data} $p/" done if [ -n "$TESTING" ]; then p="pollinate" data="${data%%$p/*}$p${TESTING}/${data#*$p/}" fi set -- $data _RET="$*" } read_uname_info() { # taken from cloud-init ds-identify. # run uname, and parse output. # uname is tricky to parse as it outputs always in a given order # independent of option order. kernel-version is known to have spaces. # 1 -s kernel-name # 2 -n nodename # 3 -r kernel-release # 4.. -v kernel-version(whitespace) # N-2 -m machine # N-1 -o operating-system local out="" krel="" machine="" os="" out=$(uname -snrvmo) || { _RET=""; return; } set -- $out krel="$3" shift 3 while [ $# -gt 2 ]; do shift done machine=$1 os=$2 _RET="$os/$krel/$machine" return 0 } user_agent() { # Construct a user agent, with useful debug information # Very similar to Firefox and Chrome . /etc/lsb-release local pkg_info="" lsb="" platform="" cpu="" up="NA" idle="NA" uptime read_package_versions && pkg_info="$_RET" read_uname_info && platform="$_RET" lsb=$(echo "${DISTRIB_DESCRIPTION}" | sed -e "s/ /\//g") cpu="$(grep -m1 "^model name" /proc/cpuinfo | sed -e "s/.*: //" -e "s:\s\+:/:g")" { read up idle < /proc/uptime ; } >/dev/null 2>&1 || : uptime="uptime/$up/$idle" local addl_data="" build_info="" virt="" read_build_info && build_info="${_RET}" read_addl_info && addl_data="${_RET}" read_virt && virt="${_RET}" USER_AGENT="${pkg_info} ${lsb} ${platform} ${cpu} ${uptime}${virt:+ ${virt}}${build_info:+ ${build_info}}${addl_data:+ ${addl_data}}" } exchange() { local server="${1}" local f1="${TMPDIR}/challenge" case "${server}" in "http://"*|"https://"*) # looks good true ;; *) # otherwise, default to https:// server="https://${server}" ;; esac if [ "${NO_CHALLENGE}" != "1" ]; then # Create and enforce a challenge/response, to ensure personal communication local challenge=$(random_hash) local challenge_response=$(printf "${challenge}" | sha512sum | awk '{print $1}') printf "challenge=%s" "$challenge" > "${f1}" log "client sent challenge to [${1}]" else f1="/dev/null" fi local out="${TMPDIR}/out" local err="${TMPDIR}/err" user_agent if curl --connect-timeout "${WAIT}" --max-time "${WAIT}" -A "${USER_AGENT}" -o- -v --trace-time --data @${f1} ${CURL_OPTS} ${server} >"${out}" 2>"${err}"; then if [ "${NO_CHALLENGE}" != "1" ]; then if [ "${challenge_response}" = $(head -n1 "${out}") ]; then log "client verified challenge/response with [${server}]" else error "Server failed challenge/response [expected=${challenge_response}] != [got=$(head -n1 ${out})]" fi fi hash_and_write "${server}" log "client successfully seeded [${DEVICE}]" else case $? in 124) warning "Network communication failed [$?], timeout after [${WAIT}s] $(cat ${out} ${err})" ;; *) warning "Network communication failed [$?] $(cat ${out} ${err})" ;; esac fi } # Source configuration [ -r "/etc/default/${PKG}" ] && . "/etc/default/${PKG}" while [ ! -z "$1" ]; do case "${1}" in -b|--binary) BINARY=1 shift ;; -c|--curl-opts) CURL_OPTS="${CURL_OPTS} $2" shift 2 ;; -d|--device) DEVICE="$2" shift 2 ;; -i|--insecure) CURL_OPTS="${CURL_OPTS} --insecure" shift 1 ;; -n|--no-challenge) NO_CHALLENGE=1 shift 1 ;; -r|--reseed) RESEED=1 shift 1 ;; -s|--server) SERVER="$2" shift 2 ;; -p|--pool) POOL="${POOL} $2" shift 2 ;; -q|--quiet) QUIET=1 shift ;; --strict) STRICT=1 shift ;; -t|--testing) TESTING="-testing" shift 1 ;; -w|--wait) WAIT="$2" shift 2 ;; --print-user-agent) user_agent || error "Failed to get user-agent." echo "${USER_AGENT}" exit ;; *) error "Unknown options [$1]" ;; esac done # Pollinate prefers to run as a privileged user unless --testing communications if [ -z "${TESTING}" ]; then if [ ! -w "${CACHEDIR}" ]; then error "should execute as the [${PKG}] user" fi if [ -e "${FLAG}" ]; then timestamp=$(stat -c "%y" "${FLAG}") log "system was previously seeded at [${timestamp}]" if [ "${RESEED}" != "1" ]; then log "To re-seed this system again, use the -r|--reseed option" exit 0 fi fi else # Output device must be stdout if we're in testing mode DEVICE="-" fi [ -n "${DEVICE}" ] || DEVICE="/dev/urandom" [ -n "${BYTES}" ] || BYTES=64 [ -n "${WAIT}" ] || WAIT="10" if [ -n "${SERVER}" ]; then POOL="${SERVER}" fi if [ -z "${POOL}" ]; then error "No servers configured in pool" fi for i in ${POOL}; do exchange "${i}" done if [ -z "${TESTING}" ]; then touch "${FLAG}" fi

curly

Latest stories

Can You Watch These 27 Examples of Food Porn Without Getting Hungry?

Latest stories

Log In

Sign In

Forgot password?

Your password reset link appears to be invalid or expired.

Log in

Privacy Policy

Add to Collection

No Collections

Hey Friend!Before You Go…

Hey Friend!
Before You Go…