[or-cvs] r20468: {torvm} Add GeoIP mount args to Qemu cmdline, pass good entropy to g (in torvm/trunk/build: kamikaze/patches win32/files win32/src/torvm-w32)
coderman at seul.org
coderman at seul.org
Thu Sep 3 03:28:58 UTC 2009
Author: coderman
Date: 2009-09-02 23:28:57 -0400 (Wed, 02 Sep 2009)
New Revision: 20468
Modified:
torvm/trunk/build/kamikaze/patches/001-kamikaze-tor-package.patch
torvm/trunk/build/win32/files/defpolipo.conf
torvm/trunk/build/win32/files/uninstall.bat
torvm/trunk/build/win32/src/torvm-w32/apicommon.c
torvm/trunk/build/win32/src/torvm-w32/apicommon.h
torvm/trunk/build/win32/src/torvm-w32/torvm.c
Log:
Add GeoIP mount args to Qemu cmdline, pass good entropy to guest as bugfix on 1067, clean up vm router and polipo invocations, change priority and memory of Qemu VM based on performance tuning.
Modified: torvm/trunk/build/kamikaze/patches/001-kamikaze-tor-package.patch
===================================================================
--- torvm/trunk/build/kamikaze/patches/001-kamikaze-tor-package.patch 2009-09-03 01:04:16 UTC (rev 20467)
+++ torvm/trunk/build/kamikaze/patches/001-kamikaze-tor-package.patch 2009-09-03 03:28:57 UTC (rev 20468)
@@ -765,8 +765,8 @@
+fi
diff -Naur a/package/tor/files/vmrouter.sh b/package/tor/files/vmrouter.sh
--- a/package/tor/files/vmrouter.sh 1970-01-01 00:00:00.000000000 +0000
-+++ b/package/tor/files/vmrouter.sh 2009-08-19 09:11:53.693450376 +0000
-@@ -0,0 +1,153 @@
++++ b/package/tor/files/vmrouter.sh 2009-09-03 02:24:59.053455953 +0000
+@@ -0,0 +1,171 @@
+#!/bin/bash
+# Utility script for Tor VM routing
+# Source or run directly.
@@ -777,6 +777,10 @@
+CLIENT_BLOCK_TCP_PORTS="445 139 138 137 53 25"
+TOR_TRANSPORT=9095
+TOR_DNSPORT=9093
++LOG_TO=/var/log/vmrouter.log
++if [ -z $DOLOG ]; then
++ export DOLOG=1
++fi
+
+trap_tbl="TRAP"
+host_filt_tbl="HOSTIN"
@@ -785,128 +789,142 @@
+cli_postnat_tbl="CLIPOST"
+
+vmr_trapon() {
-+ iptables -t filter -I $trap_tbl -j DROP
-+ iptables -t filter -I $trap_tbl -p tcp -j TARPIT
++ if (( DOLOG )); then echo "vmr_trapon:">>$LOG_TO 2>&1; fi
++ iptables -t filter -I $trap_tbl -j DROP >>$LOG_TO 2>&1
++ iptables -t filter -I $trap_tbl -p tcp -j TARPIT >>$LOG_TO 2>&1
+}
+
+vmr_trapoff() {
-+ iptables -t filter --flush $trap_tbl
++ if (( DOLOG )); then echo "vmr_trapoff:">>$LOG_TO 2>&1; fi
++ iptables -t filter --flush $trap_tbl >>$LOG_TO 2>&1
+}
+
+vmr_init() {
-+ iptables -t filter --flush INPUT
-+ iptables -t filter --flush FORWARD
-+ iptables -t filter --flush OUTPUT
-+ iptables -t nat --flush PREROUTING
-+ iptables -t nat --flush POSTROUTING
++ if (( DOLOG )); then echo "vmr_init:">>$LOG_TO 2>&1; fi
++ iptables -t filter --flush INPUT >>$LOG_TO 2>&1
++ iptables -t filter --flush FORWARD >>$LOG_TO 2>&1
++ iptables -t filter --flush OUTPUT >>$LOG_TO 2>&1
++ iptables -t nat --flush PREROUTING >>$LOG_TO 2>&1
++ iptables -t nat --flush POSTROUTING >>$LOG_TO 2>&1
+
+ # default policy drop
-+ #iptables -t filter -P INPUT DROP
-+ #iptables -t filter -P FORWARD DROP
-+ #iptables -t filter -P OUTPUT DROP
-+ iptables -t filter -P INPUT ACCEPT
-+ iptables -t filter -P FORWARD ACCEPT
-+ iptables -t filter -P OUTPUT ACCEPT
++ #iptables -t filter -P INPUT DROP >>$LOG_TO 2>&1
++ #iptables -t filter -P FORWARD DROP >>$LOG_TO 2>&1
++ #iptables -t filter -P OUTPUT DROP >>$LOG_TO 2>&1
++ iptables -t filter -P INPUT ACCEPT >>$LOG_TO 2>&1
++ iptables -t filter -P FORWARD ACCEPT >>$LOG_TO 2>&1
++ iptables -t filter -P OUTPUT ACCEPT >>$LOG_TO 2>&1
+
+ # trap table is the global on/off switch for traffic
+ # use a trap table so that tarpit or drop can be set
+ # as atomic op across input/forward/output.
-+ iptables -t filter -N $trap_tbl
-+ iptables -t filter -I INPUT -g $trap_tbl
-+ iptables -t filter -I FORWARD -g $trap_tbl
-+ iptables -t filter -I OUTPUT -g $trap_tbl
++ iptables -t filter -N $trap_tbl >>$LOG_TO 2>&1
++ iptables -t filter -I INPUT -g $trap_tbl >>$LOG_TO 2>&1
++ iptables -t filter -I FORWARD -g $trap_tbl >>$LOG_TO 2>&1
++ iptables -t filter -I OUTPUT -g $trap_tbl >>$LOG_TO 2>&1
+
+ # host filter traffic things to/from the VM
-+ iptables -t filter -N $host_filt_tbl
-+ iptables -t filter -A INPUT -g $host_filt_tbl
-+ iptables -t filter -A $host_filt_tbl -j RETURN
++ iptables -t filter -N $host_filt_tbl >>$LOG_TO 2>&1
++ iptables -t filter -A INPUT -g $host_filt_tbl >>$LOG_TO 2>&1
++ iptables -t filter -A $host_filt_tbl -j RETURN >>$LOG_TO 2>&1
+
+ # client tables for routed traffic
-+ iptables -t filter -N $cli_filt_tbl
-+ iptables -t filter -A FORWARD -g $cli_filt_tbl
-+ iptables -t nat -N $cli_prenat_tbl
-+ iptables -t nat -A PREROUTING -g $cli_prenat_tbl
-+ iptables -t nat -N $cli_postnat_tbl
-+ iptables -t nat -A POSTROUTING -g $cli_postnat_tbl
++ iptables -t filter -N $cli_filt_tbl >>$LOG_TO 2>&1
++ iptables -t filter -A FORWARD -g $cli_filt_tbl >>$LOG_TO 2>&1
++ iptables -t nat -N $cli_prenat_tbl >>$LOG_TO 2>&1
++ iptables -t nat -A PREROUTING -g $cli_prenat_tbl >>$LOG_TO 2>&1
++ iptables -t nat -N $cli_postnat_tbl >>$LOG_TO 2>&1
++ iptables -t nat -A POSTROUTING -g $cli_postnat_tbl >>$LOG_TO 2>&1
+
+ # log default drop targets
-+ iptables -t filter -A INPUT -j LOG
-+ iptables -t filter -A FORWARD -j LOG
-+ iptables -t filter -A OUTPUT -j LOG
++ iptables -t filter -A INPUT -j LOG >>$LOG_TO 2>&1
++ iptables -t filter -A FORWARD -j LOG >>$LOG_TO 2>&1
++ iptables -t filter -A OUTPUT -j LOG >>$LOG_TO 2>&1
+}
+
+vmr_fwdsetup() {
++ if (( DOLOG )); then echo "vmr_fwdsetup:">>$LOG_TO 2>&1; fi
+ # expects default route interface argument
+ if [ -z "$1" ]; then
+ return $FAIL
+ fi
-+ iptables -t filter -I $cli_filt_tbl -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-+ iptables -t filter -I $cli_filt_tbl -m state --state RELATED,ESTABLISHED -j ACCEPT
-+ iptables -t filter -I $cli_filt_tbl -m state --state INVALID -j DROP
++ iptables -t filter -I $cli_filt_tbl -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu >>$LOG_TO 2>&1
++ iptables -t filter -I $cli_filt_tbl -m state --state RELATED,ESTABLISHED -j ACCEPT >>$LOG_TO 2>&1
++ iptables -t filter -I $cli_filt_tbl -m state --state INVALID -j DROP >>$LOG_TO 2>&1
+ for PORTNUM in $CLIENT_BLOCK_TCP_PORTS; do
-+ iptables -t filter -I $cli_filt_tbl -p tcp --dport $PORTNUM -j DROP
++ iptables -t filter -I $cli_filt_tbl -p tcp --dport $PORTNUM -j DROP >>$LOG_TO 2>&1
+ done
-+ iptables -t filter -A $cli_filt_tbl -j RETURN
-+ iptables -t nat -I $cli_postnat_tbl -o "$1" -j MASQUERADE
-+ iptables -t filter -A OUTPUT -o "$1" -j ACCEPT
-+ iptables -t filter -I $host_filt_tbl -i "$1" -m state --state ESTABLISHED,RELATED -j ACCEPT
++ iptables -t filter -A $cli_filt_tbl -j RETURN >>$LOG_TO 2>&1
++ iptables -t nat -I $cli_postnat_tbl -o "$1" -j MASQUERADE >>$LOG_TO 2>&1
++ iptables -t filter -A OUTPUT -o "$1" -j ACCEPT >>$LOG_TO 2>&1
++ iptables -t filter -I $host_filt_tbl -i "$1" -m state --state ESTABLISHED,RELATED -j ACCEPT >>$LOG_TO 2>&1
+}
+
+vmr_fwdadd() {
++ if (( DOLOG )); then echo "vmr_fwdadd:">>$LOG_TO 2>&1; fi
+ # expects interface to forward for as argument
+ if [ -z "$1" ]; then
+ return $FAIL
+ fi
-+ iptables -t nat -A $cli_prenat_tbl -i "$1" -p tcp -j REDIRECT --to $TOR_TRANSPORT
-+ iptables -t nat -A $cli_prenat_tbl -i "$1" -p udp --dport 53 -j REDIRECT --to $TOR_DNSPORT
++ iptables -t nat -A $cli_prenat_tbl -i "$1" -p tcp -j REDIRECT --to $TOR_TRANSPORT >>$LOG_TO 2>&1
++ iptables -t nat -A $cli_prenat_tbl -i "$1" -p udp --dport 53 -j REDIRECT --to $TOR_DNSPORT >>$LOG_TO 2>&1
+}
+
+vmr_fwddel() {
++ if (( DOLOG )); then echo "vmr_fwddel:">>$LOG_TO 2>&1; fi
+ # expects interface to forward for as argument
+ if [ -z "$1" ]; then
+ return $FAIL
+ fi
-+ iptables -t nat -D $cli_prenat_tbl -i "$1" -p tcp -j REDIRECT --to $TOR_TRANSPORT
-+ iptables -t nat -D $cli_prenat_tbl -i "$1" -p udp --dport 53 -j REDIRECT --to $TOR_DNSPORT
++ iptables -t nat -D $cli_prenat_tbl -i "$1" -p tcp -j REDIRECT --to $TOR_TRANSPORT >>$LOG_TO 2>&1
++ iptables -t nat -D $cli_prenat_tbl -i "$1" -p udp --dport 53 -j REDIRECT --to $TOR_DNSPORT >>$LOG_TO 2>&1
+}
+
+vmr_opendhcp() {
++ if (( DOLOG )); then echo "vmr_opendhcp:">>$LOG_TO 2>&1; fi
+ # expects dhcp interface as argument
+ if [ -z "$1" ]; then
+ return $FAIL
+ fi
-+ iptables -t filter -I $host_filt_tbl -i "$1" -p udp --dport 67:68 --sport 67:68 -j ACCEPT
++ iptables -t filter -I $host_filt_tbl -i "$1" -p udp --dport 67:68 --sport 67:68 -j ACCEPT >>$LOG_TO 2>&1
+}
+
+vmr_opentcp() {
-+ iptables -t filter -D $host_filt_tbl -i "$1" -d "$2" -p tcp --dport "$3" -j DROP
-+ iptables -t filter -I $host_filt_tbl -i "$1" -d "$2" -p tcp --dport "$3" -j ACCEPT
++ if (( DOLOG )); then echo "vmr_opentcp:">>$LOG_TO 2>&1; fi
++ iptables -t filter -D $host_filt_tbl -i "$1" -d "$2" -p tcp --dport "$3" -j DROP >>$LOG_TO 2>&1
++ iptables -t filter -I $host_filt_tbl -i "$1" -d "$2" -p tcp --dport "$3" -j ACCEPT >>$LOG_TO 2>&1
+}
+
+vmr_openudp() {
-+ iptables -t filter -D $host_filt_tbl -i "$1" -d "$2" -p udp --dport "$3" -j DROP
-+ iptables -t filter -I $host_filt_tbl -i "$1" -d "$2" -p udp --dport "$3" -j ACCEPT
++ if (( DOLOG )); then echo "vmr_openudp:">>$LOG_TO 2>&1; fi
++ iptables -t filter -D $host_filt_tbl -i "$1" -d "$2" -p udp --dport "$3" -j DROP >>$LOG_TO 2>&1
++ iptables -t filter -I $host_filt_tbl -i "$1" -d "$2" -p udp --dport "$3" -j ACCEPT >>$LOG_TO 2>&1
+}
+
+vmr_closetcp() {
-+ iptables -t filter -D $host_filt_tbl -i "$1" -d "$2" -p tcp --dport "$3" -j ACCEPT
-+ iptables -t filter -I $host_filt_tbl -i "$1" -d "$2" -p tcp --dport "$3" -j DROP
++ if (( DOLOG )); then echo "vmr_closetcp:">>$LOG_TO 2>&1; fi
++ iptables -t filter -D $host_filt_tbl -i "$1" -d "$2" -p tcp --dport "$3" -j ACCEPT >>$LOG_TO 2>&1
++ iptables -t filter -I $host_filt_tbl -i "$1" -d "$2" -p tcp --dport "$3" -j DROP >>$LOG_TO 2>&1
+}
+
+vmr_closeudp() {
-+ iptables -t filter -D $host_filt_tbl -i "$1" -d "$2" -p udp --dport "$3" -j ACCEPT
-+ iptables -t filter -I $host_filt_tbl -i "$1" -d "$2" -p udp --dport "$3" -j DROP
++ if (( DOLOG )); then echo "vmr_closeudp:">>$LOG_TO 2>&1; fi
++ iptables -t filter -D $host_filt_tbl -i "$1" -d "$2" -p udp --dport "$3" -j ACCEPT >>$LOG_TO 2>&1
++ iptables -t filter -I $host_filt_tbl -i "$1" -d "$2" -p udp --dport "$3" -j DROP >>$LOG_TO 2>&1
+}
+
+vmr_redirtcp() {
-+ iptables -t nat -A $cli_prenat_tbl -i "$1" -d "$2" -p tcp --dport "$3" -j REDIRECT --to "$4"
++ if (( DOLOG )); then echo "vmr_redirtcp:">>$LOG_TO 2>&1; fi
++ iptables -t nat -A $cli_prenat_tbl -i "$1" -d "$2" -p tcp --dport "$3" -j REDIRECT --to "$4" >>$LOG_TO 2>&1
+}
+
+vmr_undirtcp() {
-+ iptables -t nat -D $cli_prenat_tbl -i "$1" -d "$2" -p tcp --dport "$3" -j REDIRECT --to "$4"
++ if (( DOLOG )); then echo "vmr_undirtcp:">>$LOG_TO 2>&1; fi
++ iptables -t nat -D $cli_prenat_tbl -i "$1" -d "$2" -p tcp --dport "$3" -j REDIRECT --to "$4" >>$LOG_TO 2>&1
+}
+
+vmr_setarp() {
++ if (( DOLOG )); then echo "vmr_setarp:">>$LOG_TO 2>&1; fi
+ # expects interface, ip, mac arguments
+ if [ -z "$1" ]; then
+ return $FAIL
@@ -917,6 +935,6 @@
+ if [ -z "$3" ]; then
+ return $FAIL
+ fi
-+ arp -i "$1" -s "$2" "$3"
++ arp -i "$1" -s "$2" "$3" >>$LOG_TO 2>&1
+}
+
Modified: torvm/trunk/build/win32/files/defpolipo.conf
===================================================================
--- torvm/trunk/build/win32/files/defpolipo.conf 2009-09-03 01:04:16 UTC (rev 20467)
+++ torvm/trunk/build/win32/files/defpolipo.conf 2009-09-03 03:28:57 UTC (rev 20468)
@@ -15,9 +15,3 @@
serverMaxSlots = 16
serverSlots = 4
tunnelAllowedPorts = 1-65535
-#
-# NOTE: the following are compiled out of the Polipo binary used
-# and do not need to be set.
-# diskCacheRoot = ""
-# localDocumentRoot = ""
-# dnsQueryIPv6 = no
Modified: torvm/trunk/build/win32/files/uninstall.bat
===================================================================
--- torvm/trunk/build/win32/files/uninstall.bat 2009-09-03 01:04:16 UTC (rev 20467)
+++ torvm/trunk/build/win32/files/uninstall.bat 2009-09-03 03:28:57 UTC (rev 20468)
@@ -1,48 +1,64 @@
@ECHO OFF
+ECHO "Removing installed https://www.torproject.org software."
IF EXIST "%USERPROFILE%\Local Settings\Application Data\Thandy\TorVM Updates" (
cd "%USERPROFILE%\Local Settings\Application Data\Thandy\TorVM Updates"
+ for %%f in (*.msi) do ECHO Removing %%f
for %%f in (*.msi) do msiexec /x %%f /qn
cd ..
rmdir /S /Q "TorVM Updates"
)
+IF EXIST "%USERPROFILE%\Local Settings\Application Data\Thandy\GeoIP Data Updates" (
+ cd "%USERPROFILE%\Local Settings\Application Data\Thandy\GeoIP Data Updates"
+ for %%f in (*.msi) do ECHO Removing %%f
+ for %%f in (*.msi) do msiexec /x %%f /qn
+ cd ..
+ rmdir /S /Q "GeoIP Data Updates"
+)
IF EXIST "%USERPROFILE%\Local Settings\Application Data\Thandy\Tor Updates" (
cd "%USERPROFILE%\Local Settings\Application Data\Thandy\Tor Updates"
+ for %%f in (*.msi) do ECHO Removing %%f
for %%f in (*.msi) do msiexec /x %%f /qn
cd ..
rmdir /S /Q "Tor Updates"
)
IF EXIST "%USERPROFILE%\Local Settings\Application Data\Thandy\Polipo Updates" (
cd "%USERPROFILE%\Local Settings\Application Data\Thandy\Polipo Updates"
+ for %%f in (*.msi) do ECHO Removing %%f
for %%f in (*.msi) do msiexec /x %%f /qn
cd ..
rmdir /S /Q "Polipo Updates"
)
IF EXIST "%USERPROFILE%\Local Settings\Application Data\Thandy\TorButton Updates" (
cd "%USERPROFILE%\Local Settings\Application Data\Thandy\TorButton Updates"
+ for %%f in (*.msi) do ECHO Removing %%f
for %%f in (*.msi) do msiexec /x %%f /qn
cd ..
rmdir /S /Q "TorButton Updates"
)
IF EXIST "%USERPROFILE%\Local Settings\Application Data\Thandy\Vidalia Updates" (
cd "%USERPROFILE%\Local Settings\Application Data\Thandy\Vidalia Updates"
+ for %%f in (*.msi) do ECHO Removing %%f
for %%f in (*.msi) do msiexec /x %%f /qn
cd ..
rmdir /S /Q "Vidalia Updates"
)
IF EXIST "%USERPROFILE%\Local Settings\Application Data\Thandy\Vidalia Marble Updates" (
cd "%USERPROFILE%\Local Settings\Application Data\Thandy\Vidalia Marble Updates"
+ for %%f in (*.msi) do ECHO Removing %%f
for %%f in (*.msi) do msiexec /x %%f /qn
cd ..
rmdir /S /Q "Vidalia Marble Updates"
)
IF EXIST %PROGRAMFILES%\TorInstPkgs (
cd %PROGRAMFILES%\TorInstPkgs
+ for %%f in (*.msi) do ECHO Removing %%f
for %%f in (*.msi) do msiexec /x %%f /qn
cd ..
rmdir /S /Q TorInstPkgs
)
IF EXIST "%USERPROFILE%\Local Settings\Application Data\TorInstPkgs" (
cd "%USERPROFILE%\Local Settings\Application Data\TorInstPkgs"
+ for %%f in (*.msi) do ECHO Removing %%f
for %%f in (*.msi) do msiexec /x %%f /qn
cd ..
rmdir /S /Q TorInstPkgs
Modified: torvm/trunk/build/win32/src/torvm-w32/apicommon.c
===================================================================
--- torvm/trunk/build/win32/src/torvm-w32/apicommon.c 2009-09-03 01:04:16 UTC (rev 20467)
+++ torvm/trunk/build/win32/src/torvm-w32/apicommon.c 2009-09-03 03:28:57 UTC (rev 20468)
@@ -625,30 +625,39 @@
return TRUE;
}
-BOOL base16encode(LPBYTE data,
- DWORD len,
- char ** hexstr)
+/* NOTE: because of possibly insecure/exposed PRNG state on some win32 hosts
+ * we must read past the first 128Kbytes of generator output before
+ * using any entropy from the pool.
+ * http://eprint.iacr.org/2007/419
+ */
+BOOL entropy(DWORD len,
+ BYTE ** rndbuf)
{
- BOOL retval = FALSE;
- int olen = 0;
- *hexstr = NULL;
- DWORD i;
- /* sanity check long before we need to worry about int overflow... */
-#define BASE16BUF_MAXSIZE (1024*1024)
- if ((unsigned long)len > BASE16BUF_MAXSIZE) {
- lerror ("Bogus call to base16encode with length: %ld. Over sanity limit of %ld", len, BASE16BUF_MAXSIZE);
+ *rndbuf = NULL;
+ HCRYPTPROV provhnd;
+ int retval, i;
+ BYTE *nullbuf = NULL;
+ DWORD nblen = 1024;
+ retval = CryptAcquireContext(&provhnd, NULL, NULL, PROV_RSA_FULL, 0);
+ if (retval == 0) {
+ lerror("CryptAcquireContext failed in call to entropy.");
return FALSE;
}
- olen = len * 2 + 1;
- *hexstr = malloc(olen);
- if (NULL == *hexstr) {
- lerror ("base16encode malloc failed with length: %ld.", olen);
- return FALSE;
+ rndbuf = malloc(len);
+ nullbuf = malloc(nblen);
+ for (i = 0; i < 128; i++) {
+ if (!CryptGenRandom(provhnd, nblen, nullbuf)) {
+ free(*rndbuf);
+ *rndbuf = NULL;
+ i=128;
+ }
}
- for (i = 0; i < len; i++) {
- snprintf((*hexstr)+(i*2), 3, "%02hhx", (short)data[i]);
+ free(nullbuf);
+ if (*rndbuf && !CryptGenRandom(provhnd, len, *rndbuf)) {
+ free(*rndbuf);
+ *rndbuf = NULL;
}
- (*hexstr)[olen-1] = NULL;
- return retval;
+ CloseHandle(provhnd);
+ return *rndbuf ? TRUE : FALSE;
}
Modified: torvm/trunk/build/win32/src/torvm-w32/apicommon.h
===================================================================
--- torvm/trunk/build/win32/src/torvm-w32/apicommon.h 2009-09-03 01:04:16 UTC (rev 20467)
+++ torvm/trunk/build/win32/src/torvm-w32/apicommon.h 2009-09-03 03:28:57 UTC (rev 20468)
@@ -155,11 +155,7 @@
BOOL rmdirtree(LPSTR path);
-/* Caller is responsible for free'ing hexstr. Note that it will be exactly
- * twice as long plus 1 (null terminated) as the input buffer.
- */
-BOOL base16encode(LPBYTE data,
- DWORD len,
- char ** hexstr);
+BOOL entropy(DWORD len,
+ BYTE ** rndbuf);
#endif /* apicommon_h */
Modified: torvm/trunk/build/win32/src/torvm-w32/torvm.c
===================================================================
--- torvm/trunk/build/win32/src/torvm-w32/torvm.c 2009-09-03 01:04:16 UTC (rev 20467)
+++ torvm/trunk/build/win32/src/torvm-w32/torvm.c 2009-09-03 03:28:57 UTC (rev 20468)
@@ -16,8 +16,8 @@
#define TOR_CAP_SYS "tornpf.sys"
#define TOR_HDD_FILE "hdd.img"
#define TOR_RESTRICTED_USER "Tor"
-#define QEMU_DEF_MEM 32
-#define CAP_MTU 1480
+#define QEMU_DEF_MEM 48
+#define CAP_MTU 1500
/* logging:
* lerror to stderr and log file(s) if set
@@ -1490,9 +1490,34 @@
char ** cmdline)
{
const DWORD cmdlen = CMDMAX;
- *cmdline = malloc(cmdlen);
+ BYTE * rndstr = NULL;
+ char * rndarg = NULL;
+ char * cchr;
+ DWORD rndlen = 32;
const char * basecmds = "quiet loglevel=0 clocksource=hpet";
const char * dbgcmds = "loglevel=9 clocksource=hpet DEBUGINIT";
+ *cmdline = malloc(cmdlen);
+ rndarg = malloc(cmdlen);
+ memset(rndarg, 0, cmdlen);
+ if (!entropy(rndlen, &rndstr)) {
+ free(rndarg);
+ rndarg = NULL;
+ }
+ else {
+ strcpy(rndarg, "ENTROPY=");
+ cchr = rndarg;
+ while (*cchr)
+ cchr++;
+ for (; rndlen >= 0; --rndlen) {
+ snprintf (cchr, 2,
+ "%02X",
+ *(rndstr + rndlen));
+ cchr += 2;
+ }
+ *cchr = 0;
+ free(rndstr);
+ rndstr = NULL;
+ }
/* Give the VM our hostname, since it is assuming the host's place in the network. */
char * myhostname = getenv("COMPUTERNAME");
@@ -1506,13 +1531,14 @@
if (noinit) {
snprintf (*cmdline, cmdlen -1,
- "%s NOINIT",
- basecmds);
+ "%s NOINIT %s",
+ basecmds,
+ rndarg ? rndarg : "");
}
else {
if (brif->isdhcp == FALSE) {
snprintf (*cmdline, cmdlen -1,
- "%s %s%s %s IP=%s MASK=%s GW=%s MAC=%s MTU=%d PRIVIP=%s CTLSOCK=%s:9051 HASHPW=%s %s%s%s%s",
+ "%s %s%s %s IP=%s MASK=%s GW=%s MAC=%s MTU=%d PRIVIP=%s CTLSOCK=%s:9051 HASHPW=%s %s%s%s%s%s",
usedebug ? dbgcmds : basecmds,
myhostname ? "USEHOSTNAME=" : "",
myhostname ? myhostname : "",
@@ -1528,7 +1554,8 @@
brif->gwmacaddr ? "ARPENT1=" : "",
brif->gwmacaddr ? brif->gwmacaddr : "",
brif->gwmacaddr ? "-" : "",
- brif->gwmacaddr ? brif->gateway : "");
+ brif->gwmacaddr ? brif->gateway : "",
+ rndarg ? rndarg : "");
}
else {
/* fallback if we can't get HOSTNAME, use DHCP client name. */
@@ -1536,7 +1563,7 @@
myhostname = brif->dhcpname;
snprintf (*cmdline, cmdlen -1,
- "%s %s%s %s IP=%s MASK=%s GW=%s MAC=%s MTU=%d PRIVIP=%s ISDHCP DHCPSVR=%s DHCPNAME=%s CTLSOCK=%s:9051 HASHPW=%s %s%s%s%s %s%s%s%s",
+ "%s %s%s %s IP=%s MASK=%s GW=%s MAC=%s MTU=%d PRIVIP=%s ISDHCP DHCPSVR=%s DHCPNAME=%s CTLSOCK=%s:9051 HASHPW=%s %s%s%s%s %s%s%s%s%s",
usedebug ? dbgcmds : basecmds,
myhostname ? "USEHOSTNAME=" : "",
myhostname ? myhostname : "",
@@ -1558,9 +1585,12 @@
brif->svrmacaddr ? "ARPENT2=" : "",
brif->svrmacaddr ? brif->svrmacaddr : "",
brif->svrmacaddr ? "-" : "",
- brif->svrmacaddr ? brif->dhcpsvr : "");
+ brif->svrmacaddr ? brif->dhcpsvr : "",
+ rndarg ? rndarg : "");
}
}
+ if (rndarg)
+ free(rndarg);
return TRUE;
}
@@ -1730,10 +1760,16 @@
LPTSTR pcfgdestsave = NULL;
DWORD opts = CREATE_NEW_PROCESS_GROUP;
HANDLE tmphnd;
+ HANDLE stdin_rd;
+ HANDLE stdin_wr;
+ HANDLE stdout_rd;
+ HANDLE stdout_wr;
+ CHAR * buff = NULL;
+ DWORD bufsz, numread;
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
-
+
if (!buildsyspath(SYSDIR_LCLPROGRAMS, "Vidalia", &dir)) {
lerror ("Unable to build path for Vidalia programs dir.");
goto cleanup;
@@ -1764,6 +1800,9 @@
exe,
pcfgdest);
+ bufsz = 512; /* Write to log in small chunks. */
+ buff = malloc(bufsz);
+
while (ctx->running) {
ldebug ("Launching Polipo in dir: %s , with cmd: %s", dir, cmd);
if( !CreateProcess(NULL,
@@ -1779,11 +1818,29 @@
lerror ("Failed to launch process. Error code: %d", GetLastError());
goto cleanup;
}
+ CreatePipe(&stdout_rd, &stdout_wr, &sattr, 0);
+ SetHandleInformation(stdout_rd, HANDLE_FLAG_INHERIT, 0);
+ CreatePipe(&stdin_rd, &stdin_wr, &sattr, 0);
+ SetHandleInformation(stdin_wr, HANDLE_FLAG_INHERIT, 0);
+ si.hStdError = stdout_wr;
+ si.hStdOutput = stdout_wr;
+ si.hStdInput = stdin_rd;
+ si.dwFlags |= STARTF_USESTDHANDLES;
+
+ CloseHandle(stdout_wr);
+ CloseHandle(stdin_rd);
+ CloseHandle(stdin_wr);
+
while ( GetExitCodeProcess(pi.hProcess, &exitcode)
&& (exitcode == STILL_ACTIVE)
&& (ctx->running) ) {
+ while (ReadFile(stdout_rd, buff, bufsz-1, &numread, NULL) && (numread > 0)) {
+ buff[bufsz-1] = 0;
+ ldebug ("polipo std output: %s", buff);
+ }
Sleep (500);
}
+ CloseHandle(stdout_rd);
if (exitcode == STILL_ACTIVE) {
ldebug ("Shutdown signaled, stopping Polipo.");
TerminateProcess(pi.hProcess, 0);
@@ -1794,6 +1851,8 @@
}
cleanup:
+ if(buff)
+ free(buff);
if(cmd)
free(cmd);
if(exe)
@@ -1825,8 +1884,12 @@
SECURITY_ATTRIBUTES sattr;
LPTSTR cmd = NULL;
LPTSTR dir = NULL;
+ LPTSTR iso = NULL;
+ LPTSTR isoarg = NULL;
/* If Tor VM Qemu instance is not below normal prio, performance of host suffers. */
- DWORD opts = CREATE_NEW_PROCESS_GROUP | BELOW_NORMAL_PRIORITY_CLASS;
+ /* DWORD opts = CREATE_NEW_PROCESS_GROUP | BELOW_NORMAL_PRIORITY_CLASS; */
+ /* DWORD opts = CREATE_NEW_PROCESS_GROUP | HIGH_PRIORITY_CLASS; */
+ DWORD opts = CREATE_NEW_PROCESS_GROUP | ABOVE_NORMAL_PRIORITY_CLASS;
DWORD numwritten;
DWORD pipesz;
LPTSTR qemubin = NULL;
@@ -1839,6 +1902,10 @@
lerror ("Unable to build path for qemu program.");
return FALSE;
}
+ if (!buildfpath(PATH_FQ, VMDIR_LIB, NULL, "geoip.iso", &iso)) {
+ lerror ("Unable to build path for GeoIP data iso.");
+ iso = NULL;
+ }
ZeroMemory( &si, sizeof(si) );
ZeroMemory( &sattr, sizeof(sattr) );
@@ -1848,11 +1915,18 @@
sattr.bInheritHandle = TRUE;
sattr.lpSecurityDescriptor = NULL; */
cmd = malloc(CMDMAX);
+ if (iso) {
+ isoarg = malloc(CMDMAX);
+ snprintf (isoarg, CMDMAX -1,
+ "-hdc \"%s\" ",
+ iso);
+ }
if (tapname) {
snprintf (cmd, CMDMAX -1,
- "\"%s\" -name \"Tor VM \" -L . -no-reboot -kernel ../lib/vmlinuz -append \"%s\" -hda ../state/hdd.img -hdc fat:../state/rofs -m %d -sdl -vga std -net nic,model=pcnet,macaddr=%s -net pcap,devicename=\"%s\" -net nic,vlan=0,model=pcnet -net tap,vlan=0,ifname=\"%s\"",
+ "\"%s\" -name \"Tor VM \" -L . -no-reboot -kernel ../lib/vmlinuz -append \"%s\" -hda ../state/hdd.img %s-m %d -sdl -vga std -net nic,model=pcnet,macaddr=%s -net pcap,devicename=\"%s\" -net nic,vlan=0,model=pcnet -net tap,vlan=0,ifname=\"%s\"",
qemubin,
cmdline,
+ iso ? isoarg : "",
QEMU_DEF_MEM,
macaddr,
bridgeintf,
@@ -1860,9 +1934,10 @@
}
else {
snprintf (cmd, CMDMAX -1,
- "\"%s\" -name \"Tor VM \" -L . -no-reboot -kernel ../lib/vmlinuz -append \"%s\" -hda ../state/hdd.img -hdc fat:../state/rofs -m %d -sdl -vga std -net nic,model=pcnet,macaddr=%s -net pcap,devicename=\"%s\"",
+ "\"%s\" -name \"Tor VM \" -L . -no-reboot -kernel ../lib/vmlinuz -append \"%s\" -hda ../state/hdd.img %s-m %d -sdl -vga std -net nic,model=pcnet,macaddr=%s -net pcap,devicename=\"%s\"",
qemubin,
cmdline,
+ iso ? isoarg : "",
QEMU_DEF_MEM,
macaddr,
bridgeintf);
@@ -1901,6 +1976,10 @@
lerror ("Failed to launch Qemu Tor VM process. Error code: %d", GetLastError());
return FALSE;
}
+ if (iso) {
+ free(iso);
+ free(isoarg);
+ }
/*
FlushFileBuffers (stdin_wr);
CloseHandle(stdin_rd);
More information about the tor-commits
mailing list