The --use-tor option

Werner Koch wk at gnupg.org
Mon Oct 19 15:03:35 CEST 2015


Hi!

I implemented a --use-tor option for dirmngr which routes all traffic
over TOR.  This should be HTTP based CRLs (not tested), keyserver access
and all non-LDAP --fetch-key URLs.  If traffic can't be torified the
command will fail.

This is not complete because DNS lookups are leaking.  This could be
fixed for some commands (like gpg --fetch-key URL) but that would be a
specialized solution.  The more problematic areas are resolving of the
keyserver pools and retrieving of CERT and DANE records.  Thus I did not
implement the specialized case for --fetch-key.

Given that it is not likely that we will see generic DNS support in TOR
soon, we need to find our own solution.  Using a public server via TCP
is probably the only thing we can do.  This requires two things:

  - Being able to specify a public DNS server independent of
    /etc/resolv.conf.

  - Forcing the use of a virtual circuit (i.e. TCP) so that TOR can route
    the request.

With the standard resolver this is not possible.  Adding a full-fledged
resolver library to Dirmngr is overkill and we will likely run into
problems under Windows.  My idea is to make use of the ADNS library.  A
quick check showed that it is not too much work to add SOCKS5 support
(to access TOR) and a flag to enable this.

Now, for Windows we have been making use of ADNS for a long time.  In 2008
I ported ADNS to Windows and updated the build system to make use of
autotools [1].

Unfortunately back then the ADNS author did not like the use of
autotools and was not genuinely interested in Windows support.  Thus I
maintain my port under the name libadns-1.4-g10-N but use it with GnuPG
only on Windows.  Adding the TOR support would be easy for me but that
would be a Windows only solution to avoid a real fork.  Possible
solutions are:

 - Add the required parts of ADNS to GnuPG proper.  That would actually
   be the easiest way but it has similar problems as static linking.

 - Rename my port and keep it separate from ADNS.

 - Check with upstream ADNS whether adding SOCKS5 support and a TOR flag
   would be accepted, develop that, and keep the APIs of my
   (Windows) port and upstream in sync.


Suggestions?


Salam-Shalom,

   Werner


[1] http://git.gnupg.org/cgi-bin/gitweb.cgi?p=adns.git

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
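The two requirements in the mail (a resolver chosen independently of /etc/resolv.conf, and a TCP virtual circuit that Tor can carry) as an added Python example; this is not code from the mail, from dirmngr or from ADNS. It builds the SOCKS5 CONNECT to a resolver given as an IP literal (so nothing is looked up locally), frames a DNS query for TCP, and parses the A records that come back; the resolver address 192.0.2.53 and the Tor port 9050 are constructed placeholders.

```python
import socket
import struct
def socks5_connect_ipv4(ip, port):
    """RFC 1928 greeting (NO AUTH) plus a CONNECT to an IPv4 literal: no local name lookup."""
    request = b"\x05\x01\x00\x01" + socket.inet_aton(ip) + struct.pack("!H", port)
    return b"\x05\x01\x00", request

def dns_query_tcp(name, txid, qtype=1):
    """Build an A query and add the 2-byte length prefix DNS-over-TCP requires."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)         # QCLASS IN
    return struct.pack("!H", len(msg)) + msg

def _skip_name(msg, off):
    while msg[off] != 0:                    # labels end at 0x00 or a compression pointer
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += msg[off] + 1
    return off + 1
def parse_a_records(tcp_msg, txid):
    """IPv4 addresses from a length-prefixed answer; [] on id mismatch or RCODE != 0."""
    msg = tcp_msg[2:]
    rid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    if rid != txid or flags & 0x000F:
        return []
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_via_tor(name, resolver=("192.0.2.53", 53), tor=("127.0.0.1", 9050), txid=0x1234):
    """Open the circuit through Tor to the resolver (constructed defaults) and query over it."""
    greeting, request = socks5_connect_ipv4(*resolver)
    with socket.create_connection(tor) as s:
        s.sendall(greeting)
        if s.recv(2) != b"\x05\x00":        # method selection: VER 5, NO AUTH
            raise OSError("Tor rejected the SOCKS5 greeting")
        s.sendall(request)
        if s.recv(10)[:2] != b"\x05\x00":   # reply: VER 5, REP 0x00 = succeeded
            raise OSError("SOCKS5 CONNECT to the resolver failed")
        s.sendall(dns_query_tcp(name, txid))
        return parse_a_records(s.recv(4096), txid)
```

Because the CONNECT carries the resolver as an IPv4 literal and the query travels inside that TCP stream, the only name Tor ever sees is the one inside the DNS message, and it sees it only at the exit.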