Summary: | net-misc/curl: .onion resolution behaviour differs with USE={-,}adns | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Kaizu Shibata <kaizushi> |
Component: | Current packages | Assignee: | Matt Jolly <kangie> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | base-system, sam |
Priority: | Normal | Keywords: | PullRequest |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: |
https://github.com/c-ares/c-ares/issues/196 https://github.com/curl/curl/pull/10705 https://github.com/curl/curl/pull/5159 https://github.com/curl/curl/issues/543 https://github.com/gentoo/gentoo/pull/30020 https://github.com/curl/curl/issues/11111 |
||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Kaizu Shibata
2022-12-20 07:15:41 UTC
It's unclear to me: 1. Why this broke recently (the curl bug linked last has activity in 2020) 2. What configuration options we actually need to pass to curl in the ebuild? Do they exist...? (In reply to Sam James from comment #1) > It's unclear to me: > 1. Why this broke recently (the curl bug linked last has activity in 2020) > 2. What configuration options we actually need to pass to curl in the > ebuild? Do they exist...? (If they don't exist, please file a bug upstream asking them to add one.) Right, re-reading your forum post, I see you don't know what change caused it. You can then two things: 1. Report a bug upstream to curl explaining your use case and requesting an option, and 2. git bisect curl between a known good and known bad version. I decided to get the upstream tarball from curls website for version 7.86.0 and when I compiled it I could run the binary in that directory. This worked and was able to resolve the onion domain and so I installed it to /usr/local/bin/curl and I removed /usr/bin/curl on my testing system. After doing this it once again instantly fails to resolve onion addresses. Something has to be wrong with my environment or something! Here is my environment for my testing system: http://dpaste.com/AHQYDPH8X I just took a wild stab in the dark and fixed it this way, and it now tests as working! USE="-adns" emerge -1av curl Sorry. (In reply to Kaizu Shibata from comment #5) > I just took a wild stab in the dark and fixed it this way, and it now tests > as working! > > USE="-adns" emerge -1av curl > > Sorry. Ah. See bug 699632 (and bug 853973) for the details there for why it's default on. Not sure we can do much about this then, but glad you're able to turn it off and keep things working on your end. I would recommend a global USE flag for people who are certain their system is safe from DNS leakage. It could be called 'dnssafe' or something like that, and it should prevent these kind of issues. This is a bit of a mess; I haven't actually tested or validated your results, but my suspicion is that the adns/c-ares backend was updated at some point to be RFC 7686-compliant. A quick google confirms this happened in 2018: https://github.com/c-ares/c-ares/issues/196 As this is the default in Gentoo, curl/libcurl will send a request to c-ares and get back "NXDOMAIN" as per the RFC: > Name Resolution APIs and Libraries (...) MUST either respond to requests for > .onion names by resolving them according to [tor-rendezvous] or by responding > with NXDOMAIN. When you disable that, (as you have here) curl simply sends the request directly using system DNS. TL;DR - this shouldn't have worked (RFC 7686) and I've submitted a patch upstream to make curl intentionally fail when any `.onion` tld needs to be resolved. The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7a9dcc44364ee6ae07f6bfa4c48661736d3d05f commit f7a9dcc44364ee6ae07f6bfa4c48661736d3d05f Author: Matt Jolly <Matt.Jolly@footclan.ninja> AuthorDate: 2023-03-09 13:19:13 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-03-15 05:04:42 +0000 net-misc/curl: add 7.88.1-r2 cURL attempts to resolve .onion tlds and depending on USE flags may leak that you're using Tor. This commit adds the upstream patch for RFC7686 compliance a little early as it may not make the next cURL release. Closes: https://bugs.gentoo.org/887287 Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja> Signed-off-by: Sam James <sam@gentoo.org> net-misc/curl/curl-7.88.1-r2.ebuild | 307 +++++++++++++++++++++ .../curl/files/curl-7.88.1-onion-resolution.patch | 132 +++++++++ 2 files changed, 439 insertions(+) |