Opened 4 months ago

Last modified 4 months ago

#30487 new defect

dirmngr goes berserk making tor requests after gpg --recv-key attempt ends

Reported by: arma
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version: Tor: unspecified
Severity: Normal
Keywords: network-health
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I'm not sure where we should actually file this ticket, but I'm going to start here so I can get my logs up somewhere before they disappear.

I run Debian, and have the single line "use-tor" in my ~/.gnupg/dirmngr.conf.

I unslept my laptop recently, and did a

torify gpg --recv-key ...

which hung. Eventually I ctrl-C'ed it.

Later, I realized that my Tor was working really hard to make connections. Here is a little snippet from 'setevents circ stream orconn':

650 STREAM 2394 CLOSED 8 8.8.8.8:53 REASON=DONE
650 STREAM 2398 NEW 0 [2001:610:1:40cc::9164:b9e5]:11371 SOURCE_ADDR=127.0.0.1:54162 PURPOSE=USER
650 STREAM 2398 SENTCONNECT 10 [2001:610:1:40cc::9164:b9e5]:11371
650 STREAM 2397 CLOSED 8 8.8.8.8:53 REASON=DONE
650 STREAM 2395 CLOSED 8 8.8.8.8:53 REASON=DONE
650 STREAM 2399 NEW 0 [2001:610:1:40cc::9164:b9e5]:11371 SOURCE_ADDR=127.0.0.1:54164 PURPOSE=USER
650 STREAM 2399 SENTCONNECT 10 [2001:610:1:40cc::9164:b9e5]:11371
650 STREAM 2398 REMAP 10 [2001:610:1:40cc::9164:b9e5]:11371 SOURCE=EXIT
650 STREAM 2398 SUCCEEDED 10 [2001:610:1:40cc::9164:b9e5]:11371
650 STREAM 2399 REMAP 10 [2001:610:1:40cc::9164:b9e5]:11371 SOURCE=EXIT
650 STREAM 2399 SUCCEEDED 10 [2001:610:1:40cc::9164:b9e5]:11371
650 STREAM 2398 CLOSED 10 [2001:610:1:40cc::9164:b9e5]:11371 REASON=END REMOTE_REASON=DONE
650 STREAM 2400 NEW 0 8.8.8.8:53 SOURCE_ADDR=127.0.0.1:54166 PURPOSE=USER
650 STREAM 2400 SENTCONNECT 8 8.8.8.8:53
650 STREAM 2399 CLOSED 10 [2001:610:1:40cc::9164:b9e5]:11371 REASON=END REMOTE_REASON=DONE
650 STREAM 2401 NEW 0 8.8.8.8:53 SOURCE_ADDR=127.0.0.1:54168 PURPOSE=USER
650 STREAM 2401 SENTCONNECT 8 8.8.8.8:53
650 STREAM 2400 REMAP 8 8.8.8.8:53 SOURCE=EXIT
650 STREAM 2400 SUCCEEDED 8 8.8.8.8:53

These were just streaming by. You can tell from the streamid of 2400 that it had made many many streams already.

$ netstat -aen|grep 9050|wc -l
260

"lsof|grep 9050" told me it was dirmngr making the connections.

I kill -9'ed dirmngr and the stream requests stopped.

That can't have been good for the Tor network. Especially if we have even a small pile of people with this buggy berserk dirmngr hammering the network nonstop forever.

It seems like we might want to track down the poor decision making choices inside dirmngr, for the good of our network.
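Detection logic for the stream churn shown above, added here as an example and not part of the ticket: it parses Tor control-port STREAM events of the form quoted in the description, counts NEW streams per destination, and reads the StreamID span, so a runaway local client like this dirmngr stands out from the control port alone before netstat or lsof has to be consulted. The sample lines are a constructed subset of the snippet above; the flood threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample: a subset of the 'setevents stream' output quoted in the ticket.
SAMPLE = """\
650 STREAM 2394 CLOSED 8 8.8.8.8:53 REASON=DONE
650 STREAM 2398 NEW 0 [2001:610:1:40cc::9164:b9e5]:11371 SOURCE_ADDR=127.0.0.1:54162 PURPOSE=USER
650 STREAM 2398 SENTCONNECT 10 [2001:610:1:40cc::9164:b9e5]:11371
650 STREAM 2399 NEW 0 [2001:610:1:40cc::9164:b9e5]:11371 SOURCE_ADDR=127.0.0.1:54164 PURPOSE=USER
650 STREAM 2398 CLOSED 10 [2001:610:1:40cc::9164:b9e5]:11371 REASON=END REMOTE_REASON=DONE
650 STREAM 2400 NEW 0 8.8.8.8:53 SOURCE_ADDR=127.0.0.1:54166 PURPOSE=USER
650 STREAM 2401 NEW 0 8.8.8.8:53 SOURCE_ADDR=127.0.0.1:54168 PURPOSE=USER
650 STREAM 2400 SUCCEEDED 8 8.8.8.8:53
""".splitlines()

# 650 STREAM <StreamID> <Status> <CircID> <Target> [Key=Value ...]
STREAM_RE = re.compile(r"^650 STREAM (\d+) ([A-Z_]+) (\d+) (\S+)(.*)$")

def parse_stream_event(line):
    """Parse one asynchronous STREAM event; return None for any other control-port line."""
    m = STREAM_RE.match(line.strip())
    if not m:
        return None
    sid, status, circ, target, rest = m.groups()
    ev = {"sid": int(sid), "status": status, "circ": int(circ), "target": target}
    for item in rest.split():          # e.g. SOURCE_ADDR=127.0.0.1:54162, REASON=END
        if "=" in item:
            key, val = item.split("=", 1)
            ev[key] = val
    return ev

def new_streams_by_target(lines):
    """Count NEW stream requests per host:port; a runaway client piles up on a few targets."""
    counts = Counter()
    for ev in map(parse_stream_event, lines):
        if ev is not None and ev["status"] == "NEW":
            counts[ev["target"]] += 1
    return counts

def flag_floods(lines, threshold):
    """Return (target, count) pairs at or above threshold (assumed value), busiest first."""
    hits = [(t, n) for t, n in new_streams_by_target(lines).items() if n >= threshold]
    return sorted(hits, key=lambda tn: (-tn[1], tn[0]))

def stream_id_span(lines):
    """Lowest and highest StreamID seen; the id alone tells how many streams this
    Tor has already opened, which is what the reporter read off stream 2400."""
    sids = [ev["sid"] for ev in map(parse_stream_event, lines) if ev is not None]
    return (min(sids), max(sids)) if sids else None
```

Feed it the live output of `setevents stream` on the control port instead of SAMPLE and raise the threshold to something like a few dozen NEW streams per target per minute for a real alert.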


Change History (7)

comment:1 Changed 4 months ago by arma

Ok, it's repeatable.

I ran "gpg --recv-key d8219c8c43f6c5e1" again, and the flood of streams resumed. I ctrl-C'ed the gpg attempt, and the flood continued unabated.

comment:2 Changed 4 months ago by arma

I ran, and killed, the gpg command five times, and now the flood is five times as fast.

comment:3 Changed 4 months ago by arma

I have version 2.2.12-1 of the dirmngr deb.

comment:4 Changed 4 months ago by madage

I tried but could not reproduce it here.

The only thing I think worth mentioning is that I could download the key with fp A85FF376759C994A8A1168D8D8219C8C43F6C5E1 using gpg _without_ torify, since gpg is capable of accessing tor directly if there is a use-tor on dirmngr.conf.

When I tried "torify gpg ..." I did get the following error message:

gpg: keyserver receive failed: No keyserver available

And then I kept receiving this message even when using gpg without torify. Only after restarting dirmngr could I receive the key again.

gpg 2.2.15
libgcrypt 1.8.4

comment:5 Changed 4 months ago by madage

After some more digging on it, it's reproducible here and it appears using torify with use-tor in dirmngr.conf is unrelated. I was not getting it before because I was searching for the key on an onion keyserver. When trying to get it on the clearnet I got the same behaviour.

Also, dirmngr's log is full of:

dirmngr[30365.10] error accessing 'http://pgp.surfnet.nl:11371/pks/lookup?op=get&options=mr&search=0xD8219C8C43F6C5E1': http status 503
dirmngr[30365.10] selecting a different host due to a 503 (Service Unavailable)
dirmngr[30365.10] setting CA from file '/etc/ssl/certs/ca-certificates.crt' failed: ASN1 parser: Error in TAG.

comment:6 Changed 4 months ago by madage

I've let gpg run to see if it would eventually fail, and it did after ~20min; in dirmngr.log I got the following messages:

dirmngr[30493.6] resolving 'pgp.surfnet.nl' failed: Connection closed in DNS
dirmngr[30493.6] can't connect to 'pgp.surfnet.nl': host not found
dirmngr[30493.6] error connecting to 'http://pgp.surfnet.nl:11371': Connection closed in DNS
dirmngr[30493.6] command 'KS_GET' failed: Connection closed in DNS

comment:7 Changed 4 months ago by ahf

Milestone: Tor: unspecified
Version: Tor: unspecified