1 From: Werner Koch <wk@gnupg.org>
2 Date: Wed, 1 Feb 2017 17:54:14 +0100
3 Subject: dirmngr: New option --no-use-tor and internal changes.
5 * dirmngr/dns-stuff.c (disable_dns_tormode): New.
6 * dirmngr/dirmngr.c (oNoUseTor): New const.
7 (opts): New option --no-use-tor.
9 (parse_rereadable_options): Change to use TOR_MODE.
10 (dirmngr_use_tor): New.
11 (set_tor_mode): Call disable_dns_tormode. Implement oNoUseTor.
12 * dirmngr/dirmngr.h (opt): Remove field 'use_tor'. Replace all
13 references by a call to dirmngr_use_tor().
14 * dirmngr/server.c (cmd_getinfo): Distinguish between default and
18 This patch replaces the global variable opt.use_tar by a function
19 testing a file local mode flag. This patch prepares for a
20 use-tor-if-available mode.
23 Signed-off-by: Werner Koch <wk@gnupg.org>
24 (cherry picked from commit 7440119e729d3fdedda8a9b44b70f8959beea8d7)
26 dirmngr/crlfetch.c | 10 +++++-----
27 dirmngr/dirmngr.c | 46 +++++++++++++++++++++++++++++++++++++++++++---
28 dirmngr/dirmngr.h | 3 +--
29 dirmngr/dns-stuff.c | 8 ++++++++
30 dirmngr/dns-stuff.h | 1 +
31 dirmngr/ks-engine-finger.c | 2 +-
32 dirmngr/ks-engine-hkp.c | 6 +++---
33 dirmngr/ks-engine-http.c | 2 +-
34 dirmngr/ks-engine-ldap.c | 6 +++---
35 dirmngr/ocsp.c | 4 ++--
36 dirmngr/server.c | 10 +++++++---
37 11 files changed, 75 insertions(+), 23 deletions(-)
39 diff --git a/dirmngr/crlfetch.c b/dirmngr/crlfetch.c
40 index aa82137f7..337fe6e4d 100644
41 --- a/dirmngr/crlfetch.c
42 +++ b/dirmngr/crlfetch.c
43 @@ -198,7 +198,7 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader)
44 err = http_open_document (&hd, url, NULL,
45 ((opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0)
46 |(DBG_LOOKUP? HTTP_FLAG_LOG_RESP:0)
47 - |(opt.use_tor? HTTP_FLAG_FORCE_TOR:0)
48 + |(dirmngr_use_tor()? HTTP_FLAG_FORCE_TOR:0)
49 |(opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4:0)
51 ctrl->http_proxy, NULL, NULL, NULL);
52 @@ -292,7 +292,7 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader)
54 err = gpg_error (GPG_ERR_NOT_SUPPORTED);
56 - else if (opt.use_tor)
57 + else if (dirmngr_use_tor ())
59 /* For now we do not support LDAP over Tor. */
60 log_error (_("CRL access not possible due to Tor mode\n"));
61 @@ -318,7 +318,7 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader)
63 crl_fetch_default (ctrl_t ctrl, const char *issuer, ksba_reader_t *reader)
66 + if (dirmngr_use_tor ())
68 /* For now we do not support LDAP over Tor. */
69 log_error (_("CRL access not possible due to Tor mode\n"));
70 @@ -350,7 +350,7 @@ crl_fetch_default (ctrl_t ctrl, const char *issuer, ksba_reader_t *reader)
72 ca_cert_fetch (ctrl_t ctrl, cert_fetch_context_t *context, const char *dn)
75 + if (dirmngr_use_tor ())
77 /* For now we do not support LDAP over Tor. */
78 log_error (_("CRL access not possible due to Tor mode\n"));
79 @@ -377,7 +377,7 @@ gpg_error_t
80 start_cert_fetch (ctrl_t ctrl, cert_fetch_context_t *context,
81 strlist_t patterns, const ldap_server_t server)
84 + if (dirmngr_use_tor ())
86 /* For now we do not support LDAP over Tor. */
87 log_error (_("CRL access not possible due to Tor mode\n"));
88 diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
89 index 83356c94c..43e9cbd07 100644
90 --- a/dirmngr/dirmngr.c
91 +++ b/dirmngr/dirmngr.c
92 @@ -138,6 +138,7 @@ enum cmd_and_opt_values {
99 oDisableCheckOwnSocket,
100 @@ -224,6 +225,7 @@ static ARGPARSE_OPTS opts[] = {
101 N_("|FILE|use the CA certificates in FILE for HKP over TLS")),
103 ARGPARSE_s_n (oUseTor, "use-tor", N_("route all network traffic via Tor")),
104 + ARGPARSE_s_n (oNoUseTor, "no-use-tor", "@"),
106 ARGPARSE_s_n (oDisableIPv4, "disable-ipv4", "@"),
108 @@ -300,6 +302,16 @@ static volatile int shutdown_pending;
109 /* Flags to indicate that we shall not watch our own socket. */
110 static int disable_check_own_socket;
112 +/* Flag to control the Tor mode. */
114 + { TOR_MODE_AUTO = 0, /* Switch to NO or YES */
115 + TOR_MODE_NEVER, /* Never use Tor. */
116 + TOR_MODE_NO, /* Do not use Tor */
117 + TOR_MODE_YES, /* Use Tor */
118 + TOR_MODE_FORCE /* Force using Tor */
122 /* Counter for the active connections. */
123 static int active_connections;
125 @@ -475,7 +487,7 @@ set_debug (void)
130 + if (dirmngr_use_tor ())
132 /* Enable Tor mode and when called again force a new curcuit
133 * (e.g. on SIGHUP). */
134 @@ -486,6 +498,26 @@ set_tor_mode (void)
135 log_info ("(is your Libassuan recent enough?)\n");
139 + disable_dns_tormode ();
143 +/* Return true if Tor shall be used. */
145 +dirmngr_use_tor (void)
147 + if (tor_mode == TOR_MODE_AUTO)
149 + /* FIXME: Figure out whether Tor is running. */
152 + if (tor_mode == TOR_MODE_FORCE)
153 + return 2; /* Use Tor (using 2 to indicate force mode) */
154 + else if (tor_mode == TOR_MODE_YES)
155 + return 1; /* Use Tor */
157 + return 0; /* Do not use Tor. */
161 @@ -548,7 +580,9 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
162 FREE_STRLIST (opt.ignored_cert_extensions);
163 http_register_tls_ca (NULL);
164 FREE_STRLIST (opt.keyserver);
165 - /* Note: We do not allow resetting of opt.use_tor at runtime. */
166 + /* Note: We do not allow resetting of TOR_MODE_FORCE at runtime. */
167 + if (tor_mode != TOR_MODE_FORCE)
168 + tor_mode = TOR_MODE_AUTO;
169 disable_check_own_socket = 0;
170 enable_standard_resolver (0);
172 @@ -625,7 +659,13 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
173 add_to_strlist (&opt.ignored_cert_extensions, pargs->r.ret_str);
176 - case oUseTor: opt.use_tor = 1; break;
178 + tor_mode = TOR_MODE_FORCE;
181 + if (tor_mode != TOR_MODE_FORCE)
182 + tor_mode = TOR_MODE_NEVER;
185 case oStandardResolver: enable_standard_resolver (1); break;
186 case oRecursiveResolver: enable_recursive_resolver (1); break;
187 diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
188 index fd80d7237..6a4fd003f 100644
189 --- a/dirmngr/dirmngr.h
190 +++ b/dirmngr/dirmngr.h
191 @@ -91,7 +91,6 @@ struct
194 int running_detached; /* We are running in detached mode. */
195 - int use_tor; /* Tor mode has been enabled. */
196 int allow_version_check; /* --allow-version-check is active. */
198 int force; /* Force loading outdated CRLs. */
199 @@ -191,7 +190,7 @@ void dirmngr_init_default_ctrl (ctrl_t ctrl);
200 void dirmngr_deinit_default_ctrl (ctrl_t ctrl);
201 void dirmngr_sighup_action (void);
202 const char* dirmngr_get_current_socket_name (void);
204 +int dirmngr_use_tor (void);
206 /*-- Various housekeeping functions. --*/
207 void ks_hkp_reload (void);
208 diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
209 index ad19fc2ce..52f011a00 100644
210 --- a/dirmngr/dns-stuff.c
211 +++ b/dirmngr/dns-stuff.c
212 @@ -222,6 +222,14 @@ enable_dns_tormode (int new_circuit)
216 +/* Disable tor mode. */
218 +disable_dns_tormode (void)
224 /* Set verbosity and debug mode for this module. */
226 set_dns_verbose (int verbose, int debug)
227 diff --git a/dirmngr/dns-stuff.h b/dirmngr/dns-stuff.h
228 index 9eb97fd6a..9b8303c3b 100644
229 --- a/dirmngr/dns-stuff.h
230 +++ b/dirmngr/dns-stuff.h
231 @@ -120,6 +120,7 @@ int recursive_resolver_p (void);
232 /* Put this module eternally into Tor mode. When called agained with
233 * NEW_CIRCUIT request a new TOR circuit for the next DNS query. */
234 void enable_dns_tormode (int new_circuit);
235 +void disable_dns_tormode (void);
237 /* Change the default IP address of the nameserver to IPADDR. The
238 address needs to be a numerical IP address and will be used for the
239 diff --git a/dirmngr/ks-engine-finger.c b/dirmngr/ks-engine-finger.c
240 index 114f2e9ac..811b72de4 100644
241 --- a/dirmngr/ks-engine-finger.c
242 +++ b/dirmngr/ks-engine-finger.c
243 @@ -83,7 +83,7 @@ ks_finger_fetch (ctrl_t ctrl, parsed_uri_t uri, estream_t *r_fp)
246 err = http_raw_connect (&http, server, 79,
247 - ((opt.use_tor? HTTP_FLAG_FORCE_TOR : 0)
248 + ((dirmngr_use_tor ()? HTTP_FLAG_FORCE_TOR : 0)
249 | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)),
252 diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
253 index 858cd2f26..be8b08333 100644
254 --- a/dirmngr/ks-engine-hkp.c
255 +++ b/dirmngr/ks-engine-hkp.c
256 @@ -285,7 +285,7 @@ tor_not_running_p (ctrl_t ctrl)
261 + if (!dirmngr_use_tor ())
264 sock = assuan_sock_connect_byname (NULL, 0, 0, NULL, ASSUAN_SOCK_TOR);
265 @@ -1088,7 +1088,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
266 /* fixme: AUTH */ NULL,
268 |(opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0)
269 - |(opt.use_tor? HTTP_FLAG_FORCE_TOR:0)
270 + |(dirmngr_use_tor ()? HTTP_FLAG_FORCE_TOR:0)
271 |(opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)),
274 @@ -1245,7 +1245,7 @@ handle_send_request_error (ctrl_t ctrl, gpg_error_t err, const char *request,
279 + if (dirmngr_use_tor ())
281 log_info ("(Tor configuration problem)\n");
282 dirmngr_status (ctrl, "WARNING", "tor_config_problem 0",
283 diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
284 index dbbf4bb79..69642ff98 100644
285 --- a/dirmngr/ks-engine-http.c
286 +++ b/dirmngr/ks-engine-http.c
287 @@ -88,7 +88,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
289 /* fixme: AUTH */ NULL,
290 ((opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0)
291 - | (opt.use_tor? HTTP_FLAG_FORCE_TOR:0)
292 + | (dirmngr_use_tor ()? HTTP_FLAG_FORCE_TOR:0)
293 | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)),
296 diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c
297 index 6d520e98e..b7aa7cc65 100644
298 --- a/dirmngr/ks-engine-ldap.c
299 +++ b/dirmngr/ks-engine-ldap.c
300 @@ -850,7 +850,7 @@ ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec,
305 + if (dirmngr_use_tor ())
307 /* For now we do not support LDAP over Tor. */
308 log_error (_("LDAP access not possible due to Tor mode\n"));
309 @@ -1033,7 +1033,7 @@ ks_ldap_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
314 + if (dirmngr_use_tor ())
316 /* For now we do not support LDAP over Tor. */
317 log_error (_("LDAP access not possible due to Tor mode\n"));
318 @@ -1909,7 +1909,7 @@ ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri,
319 /* Elide a warning. */
323 + if (dirmngr_use_tor ())
325 /* For now we do not support LDAP over Tor. */
326 log_error (_("LDAP access not possible due to Tor mode\n"));
327 diff --git a/dirmngr/ocsp.c b/dirmngr/ocsp.c
328 index b46c78567..aff8e3288 100644
331 @@ -132,7 +132,7 @@ do_ocsp_request (ctrl_t ctrl, ksba_ocsp_t ocsp, gcry_md_hd_t md,
336 + if (dirmngr_use_tor ())
338 /* For now we do not allow OCSP via Tor due to possible privacy
339 concerns. Needs further research. */
340 @@ -174,7 +174,7 @@ do_ocsp_request (ctrl_t ctrl, ksba_ocsp_t ocsp, gcry_md_hd_t md,
342 err = http_open (&http, HTTP_REQ_POST, url, NULL, NULL,
343 ((opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0)
344 - | (opt.use_tor? HTTP_FLAG_FORCE_TOR:0)
345 + | (dirmngr_use_tor ()? HTTP_FLAG_FORCE_TOR:0)
346 | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)),
347 ctrl->http_proxy, NULL, NULL, NULL);
349 diff --git a/dirmngr/server.c b/dirmngr/server.c
350 index c9c4ad437..bca3a61e4 100644
351 --- a/dirmngr/server.c
352 +++ b/dirmngr/server.c
353 @@ -625,7 +625,7 @@ option_handler (assuan_context_t ctx, const char *key, const char *value)
354 else if (!strcmp (key, "honor-keyserver-url-used"))
356 /* Return an error if we are running in Tor mode. */
358 + if (dirmngr_use_tor ())
359 err = gpg_error (GPG_ERR_FORBIDDEN);
362 @@ -2338,14 +2338,18 @@ cmd_getinfo (assuan_context_t ctx, char *line)
364 else if (!strcmp (line, "tor"))
369 + use_tor = dirmngr_use_tor ();
372 if (!is_tor_running (ctrl))
373 err = assuan_write_status (ctx, "NO_TOR", "Tor not running");
377 - assuan_set_okay_line (ctx, "- Tor mode is enabled");
378 + assuan_set_okay_line (ctx, use_tor == 1 ? "- Tor mode is enabled"
379 + /**/ : "- Tor mode is enforced");
382 err = set_error (GPG_ERR_FALSE, "Tor mode is NOT enabled");