The --use-tor option

Werner Koch wk at
Mon Oct 19 15:03:35 CEST 2015


I implemented a --use-tor option for dirmngr which routes all traffic
over TOR.  This should be HTTP based CRLs (not tested), keyserver access
and all non-LDAP --fetch-key URLs.  If traffic can't be torified the
command will fail.

This is not complete because DNS lookups are leaking.  This could be
fixed for some commands (like gpg --fetch-key URL) but that would be a
specialized solution.  The more problematic areas are resolving of the
keyserver pools and retrieving of CERT and DANE records.  Thus I did not
implemented the specialized case for --fetch-key.

Given that it is not likely that we will seen generic DNS support in TOR
soon, we need to find our own solution.  Using a public server via TCP
is probably the only thing we can do.  This requires two thing:

  - Being able to specify a public DNS server independent of

  - Forcing the use of a virtual circuit (ie. TCP) so that TOR can route
    the request.

With the standard resolver this is not possible.  Adding a full-fledged
resolver library to Dirmngr is overkill and we will likely run into
problems under Windows.  My idea is to make use of the ADNS library.  A
quick check showed that it is not too much work to add SOCKS5 support
(to access TOR) and a flag to enable this.

Now, for Windows we are making use of ADNS for a long time now.  In 2008
I ported ADNS to Windows and updated the build system to make use of
autotools [1].

Unfortunately back then the ADNS author did not liked the use of
autotools and was not genuinely interested in Windows support.  Thus I
maintain my port under the name libadns-1.4-g10-N but use it with GnuPG
only on Windows.  Adding the TOR support would be easy for me but that
would be a Windows only solution to avoid a real fork.  Possible
solutions are:

 - Add the required parts of ADNS to GnuPG proper.  That would actually
   be the easiest way but it has similar problems as static linking.

 - Rename my port and keep it separate from ADNS.

 - Check with upstream ADNS whether adding SOCKS5 support and a TOR flag
   would be accepted, develop that, and keep keep the APIs of my
   (Windows) port and upstream in sync.





Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-devel mailing list