croc .onion relay for GnuPG encrypted documents or files.

2020-09-03 Thread Stefan Claas
Hi all,

email might sometimes not be ideal for GnuPG encrypted data transfer,
due to attachment file size limits or that users do not like to show
to third parties the communication paths used, revealing the sender
and receiver.

Some of you may know Micah's OnionShare or Magic Wormhole etc.

The disadvantage of OnionShare is IMHO that you always must tell your
communications partner the .onion URL in advance and that it can
not be used with an Android smart phone, AFAIR.

Magic Wormhole I found too difficult to install under Windows, for the
average user, if he does not know how to fix errors which may occur
when installing.

So I looked a while ago a bit around and found croc,

https://github.com/schollz/croc

which is easy to use and written in Golang (yay :-)), thus allowing
one also to use it under Android, with Termux, for example.

While there is no information available to use it with socat (which
is also available as Windows .exe) via Tor, I noodled a bit around
and found a solution to use croc via a Tor Hidden Service Onion
Relay.

The good thing is that setting up an .onion relay only requires
a cheap VPS server, without registering your own domain.

croc does not store files nor does it keep logs and only 'glues'
together both endpoints, in order to perform the transfer.

A croc operator can set a pass phrase for his relay and users can
also use pre-defined codes, which they share in advance.

Ok, here is the set-up I used:

1. Open ports 9009, 9010, 9011, 9012 and 9013 in your firewall,
on your VPS server.

Once you have set-up your Tor Hidden Service add the following lines
to your torrc:

HiddenServicePort 9009 127.0.0.1:9009
HiddenServicePort 9010 127.0.0.1:9010
HiddenServicePort 9011 127.0.0.1:9011
HiddenServicePort 9012 127.0.0.1:9012
HiddenServicePort 9013 127.0.0.1:9013

restart Tor.

Follow the instructions on GitHub on how to use croc.

As relay operator you can start your relay like this:

$ croc relay --pass="yourrelaypassphrase"

In order that you can send GnuPG encrypted documents, files or folders
via the Tor relay, you and your communication partner of course need Tor
and socat installed and the following socat one-liner:

echo -n 9009 9010 9011 9012 9013 | xargs -d ' ' -I% bash -c 'socat tcp4-listen:5870,fork socks4a:127.0.0.1:youronionaddresss.onion:%,socksport=9050'

What I have not figured out yet is how to run this one-liner properly under cmd.exe,
due to the xargs command. If you have a Windows solution for this please post
it here.

Hope you find this info useful. And if you know a better and easier way to
transfer GnuPG encrypted documents or files (cross-platform and mobile), please let
me/us know.

Regards
Stefan


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


[Announce] [security fix] GnuPG 2.2.23 released

2020-09-03 Thread Werner Koch via Gnupg-users
Hello!

We are pleased to announce the availability of a new GnuPG release:
version 2.2.23.  This version fixes a *critical security bug* in
versions 2.2.21 and 2.2.22.


Impact
======

These versions are affected:

 - GnuPG 2.2.21   (released 2020-07-09)
 - GnuPG 2.2.22   (released 2020-08-27)
 - Gpg4win 3.1.12 (released 2020-07-24)

All other versions are not affected.

Importing an OpenPGP key having a preference list for AEAD algorithms
will lead to an array overflow and thus often to a crash or other
undefined behaviour.

Importing an arbitrary key can often easily be triggered by an attacker
and thus triggering this bug.  Exploiting the bug aside from crashes is
not trivial but likely possible for a dedicated attacker.  The major
hurdle for an attacker is that only every second byte is under their
control with every first byte having a fixed value of 0x04.

Software distribution verification should not be affected by this bug
because such a system uses a curated list of keys.

A CVE-id has not yet been assigned.  We track this bug at
https://dev.gnupg.org/T5050


Solution
========

If GnuPG version 2.2.21 or 2.2.22 is in use please update ASAP to
version 2.2.23.

If you are using an older version or a beta of version 2.3 no immediate
action is required.

If you are using Gpg4win 3.1.12 or GnuPG VS-Desktop 3.1.12 you may
either wait for a fixed release which we will provide very soon or
install GnuPG version 2.2.23 on top.

If installation of a new version is not possible, applying the patch
https://dev.gnupg.org/rGaeb8272ca8aad403a4baac33b8d5673719cfd8f0
is also sufficient.


About GnuPG
===========

The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation
of the OpenPGP and S/MIME standards.

GnuPG allows you to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories.  GnuPG itself is a command line tool with features for easy
integration with other applications.  The separate library GPGME provides
a uniform API to use the GnuPG engine by software written in common
programming languages.  A wealth of frontend applications and libraries
making use of GnuPG are available.  As a universal crypto engine GnuPG
provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom).  It can
be freely used, modified and distributed under the terms of the GNU
General Public License.


Noteworthy changes in version 2.2.23
====================================

  * gpg: Fix AEAD preference list overflow.  [#5050]

  * gpg: Fix a possible segv in the key cleaning code.

  * gpgsm: Fix a minor RFC2253 parser bug.  [#5037]

  * scdaemon: Fix a PIN verify failure on certain OpenPGP card
implementations.  Regression in 2.2.22.  [#5039]

  * po: Fix bug in the Hungarian translation.  Updates for the Czech,
Polish, and Ukrainian translations.

  Release-info: https://dev.gnupg.org/T5045


Getting the Software
====================

Please follow the instructions found at  or
read on:

GnuPG 2.2.23 may be downloaded from one of the GnuPG mirror sites or
direct from its primary FTP server.  The list of mirrors can be found at
.  Note that GnuPG is not
available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:

 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.23.tar.bz2 (6933k)
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.23.tar.bz2.sig

An installer for Windows without any graphical frontend except for a
very minimal Pinentry tool is available here:

 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.23_20200903.exe (4187k)
 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.23_20200903.exe.sig

The source used to build the Windows installer can be found in the same
directory with a ".tar.xz" suffix.

A new version of the GnuPG Desktop for Windows (aka Gpg4win) featuring
this version of GnuPG will be released shortly.


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a version of GnuPG installed, you can simply
   verify the supplied signature.  For example to verify the signature
   of the file gnupg-2.2.23.tar.bz2 you would use this command:

 gpg --verify gnupg-2.2.23.tar.bz2.sig gnupg-2.2.23.tar.bz2

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by one or more of the release signing keys.  Make sure that
   this is a valid key, either by matching the shown fingerprint
   against a trustworthy list of valid release signing keys or by
   checking that the key has been signed by trustworthy other keys.
   See the end of this mail for information on the signing
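The bug class behind the advisory above (an AEAD preference list copied from an untrusted key into a fixed-size table) illustrated as an added, hypothetical subpacket parser; this is not GnuPG's code, the table size, subpacket type constant and test bytes are assumed here, and the point is that the length taken from the key is checked against the table before anything is copied.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed-size preference table; not GnuPG's real layout. */
#define MAX_AEAD_PREFS 4
/* Assumed subpacket type for "preferred AEAD algorithms" (rfc4880bis drafts). */
#define SUBPKT_PREF_AEAD 34

struct prefs {
    uint8_t aead[MAX_AEAD_PREFS];
    size_t n_aead;
};

/* Parse one signature subpacket from buf[0..len): a 1-octet length that
 * covers type + body, then the type octet, then the body.  Returns the
 * number of bytes consumed, or 0 if the subpacket is malformed or carries
 * more preferences than the table can hold.  Only the short length form
 * is handled, which is enough to show the check. */
size_t parse_aead_pref_subpacket(const uint8_t *buf, size_t len, struct prefs *out)
{
    if (len < 2)
        return 0;
    size_t sublen = buf[0];
    if (sublen < 1 || sublen > len - 1)      /* length runs past the buffer */
        return 0;
    uint8_t type = buf[1];
    const uint8_t *body = buf + 2;
    size_t body_len = sublen - 1;
    if (type != SUBPKT_PREF_AEAD)           /* not our subpacket: skip it */
        return 1 + sublen;
    /* The overflow class: copying body_len bytes into out->aead without
     * this comparison writes past the end of the fixed array whenever the
     * imported key lists more preferences than the table holds.  The
     * attacker chooses body_len, so the bound must come from the table. */
    if (body_len > MAX_AEAD_PREFS)
        return 0;
    memcpy(out->aead, body, body_len);
    out->n_aead = body_len;
    return 1 + sublen;
}
```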