Version 3.0.15.

[libpwmd.git] / NEWS

PWMD v3.0.15
------------
This verions contains two important security fixes. After installing please
change your passphrase for all non-gpg-agent data files with the PASSWD
command (or ".passwd" if using pwmc). Please note that after the new data file
is written it will be incompatible with previous versions of pwmd.

Fixed initializing the passphrase salt with a nonce. This was a mistake
introduced in pwmd 3.0.

The --cipher-iterations command line and SAVE options are now an alias for
--s2k-count. This is do to how the encryption scheme has changed. The count is
now the number of times to hash the passphrase before encryption of the XML
document. In previous versions the count was  using a small static
compile-time count then encrypting the XML with the iteration count. The
default S2K iteration count is now 5000000. This change removes the need for
the "cipher_progress" configuration parameter and has been removed from the
documentation but is still valid for older data files.

Fixed potential cache corruption of the data file key.


PWMD v3.0.14
------------
Require GnuTLS >= 3.0.0 when --enable-gnutls is passed to configure.

Explicitly set pthread compiler and linker flags for Android.

Build fix for systems without getpwnam_r().

The "invoking_user" configuration parameter now accepts an ACL list as an
argument. This removes the "invoking_tls" parameter since a TLS fingerprint
hash can be specified in the ACL.

Added configuration parameter "invoking_file".

Attribute names must now conform to the XML 1.0 specification. This is to
prevent parsing errors during the next OPEN. Element names (attribute values)
remain the same.

The ATTR LIST command can now show attributes for an element path it otherwise
would not have permission to access provided there is permission for its
parent.

Fixed the LIST command showing an arbitrary element path after element access
error.

Added a username field to the "GETINFO --verbose CLIENTS" command.

LIST now appends a target flag to an element with an error.

LIST command bug fixes.

Can now set a "target" attribute value to a restricted but visible element
path.

Added configuration parameter "strict_kill" to let a client KILL another
client when the client to kill is of the same uid or TLS fingerprint. Set to
"true" to keep the old behavior.


PWMD v3.0.13
------------
Fixed configure.ac to use any required pthread CFLAGS or LIBS.

Thread cancellation fixes.

Client names specified with "OPTION name=value" may no longer contain
whitespace.

Added "GETINFO --verbose CLIENTS" to show connected clients and their state.

Added the "STATE" status message which is sent to connected clients during a
client state change and has the same line format as the "GETINFO --verbose
CLIENTS" command. This also adds a new configuration parameter "send_state" to
disable sending the client state, send client states to only other clients who
are invoking_user's or all connected clients. The default is invoking users.

Added configuration parameter "lock_timeout" that behaves as the default for
"OPTION lock-timeout". The default is 5 seconds.

Added the "KILL" command to terminate another client when the current one is
the "invoking_user".

Now sends a keepalive status message while waiting for a data file lock to be
aquired.

Added command line option --kill to terminate a running pwmd instance.

The --use-agent command line option can now also disable gpg-agent use when
"use_agent" is enabled in a configuration file.

A few bug fixes discovered by Coverity.

Added configuration parameter "tls_dh_level".

Changed the default "tls_cipher_suite" to
SECURE256:SECURE192:SECURE128:-VERS-SSL3.0.


PWMD v3.0.12
------------
When opening a new file then opening another, the first file would be cached
when not saved. So remove the cache entry for non-saved file to prevent a
possible DoS.

Fixed the verbose flag of LIST to not append a "T" flag when no target
existed for a root element.

Updated Debian packaging info so 'make deb' should now reflect the current
version.


PWMD v3.0.11
------------
Update to work with newest gpg-agent. This adds configuration parameter
"gpg_agent_socket" to replace "agent_env_file".

Fix doc/magic and the version string.


PWMD v3.0.10
------------
Fixed SAVE --keygrip and --sign-keygrip when not a new file.

Fixed SAVE using the previously opened files signing key when the current file
is an new one.

Fixed TLS socket hanging during handshake failure.

Fixed TLS wait interval during EAGAIN.

Added GETINFO USER to return the client username/hash.

Fixed MOVE doing an unneeded permission check.

Fixed CACHETIMEOUT to apply the new timeout immediately and not wait for the
existing timer to expire.

Bugfixes. See ChangeLog for details.



PWMD v3.0.9
-----------
Fix SAVE --inquire-keyparam for new files.

Fix TLS fingerprint hash case comparison.

Check permissions before modifying a "target" attribute.

Access is denied for an element that does not contain an "_acl" attribute
unless the client is the invoking_user.


PWMD v3.0.8
-----------
Support for ELG keypairs.

The "allowed" configuration parameter supports TLS fingerprint hashes by
prefixing the hash with a '#' character. This removes the "tls_access"
configuration parameter.

Added configuration parameter "allowed_file" which should contain one
username, group name or hash per line and has the same syntax as the "allowed"
parameter.

TLS fingerprint hashes are now in SHA256 format and not SHA1 and when
specified in a configuration parameter, or "allowed_file", should be
prefixed with a '#'.

Added per-element access control lists (ACL). Works like the "allowed"
configuration parameter but the ACL is stored in the element attribute "_acl".
This adds a LIST --verbose flag 'P' to indicate that the current client is not
allowed access to the element. This also adds the "invoking_user" and
"invoking_tls" configuration parameters. See the documentation for details. 

Removed libacl support for data files. It isn't very useful.

Fixed a recursion loop in the LIST command. See move test #8 and #9.

Disable attaching to the pwmd process. This is Linux specific and has the
effect of hiding the pwmd process from 'ps' output.

A few other bug fixes. See ChangeLog for details.


PWMD v3.0.7
-----------
More lenient element and attribute names. This reverts the behavior introduced
in version 3.0.5. This allows for things like '@' or digits in an element or
attribute name making pwmd more useful. I don't remember why I made it so
strict in that version so I'll revert it for now until I do remember.


PWMD v3.0.6
-----------
Write a PID file upon startup to detect a stale socket when running another
instance.

Bind to the local socket before doing cache pushing.

Added command line option --force as an alias to --ignore.

Fixed a few cppcheck(1) warnings.

Fixed a bug that ignored the return value from launch_pinentry().

Added configuration parameter "log_keepopen" for use when logging to a file.


PWMD v3.0.5
-----------
More strict element and attribute names. Conform to the XML naming spec.

Log any non-fatal XML error. These may occur when loading or parsing
an XML file.

Fixed a memory leak.

Set XML standalone mode; and UTF-8 encoding explicitly (the default).


PWMD v3.0.4
-----------
A few "target" attribute fixes.

Updated Debian packaging stuff. Try 'make deb'.


PWMD v3.0.3
-----------
Fixed the PASSWD command requiring a passphrase for a non-PKI data file
without a passphrase.

Fixed a few memory leaks.

The 'OPTION disable-pinentry' now resets the gpg-agent '--pinentry-mode'
when needed.

Fixed new non-PKI data file cache entry getting cleared during SAVE.

The CLEARCACHE and CACHETIMEOUT commands now make use of the
"tls_access" configuration parameter in a data file section like the
OPEN command does. Also added a "-" flag to the fingerprint which
behaves like the "!" flag.


PWMD v3.0.2
-----------
The "allowed" configuration parameter now works in a data file section
and is a list of local user or group names allowed to open the data
file. The OPEN, CLEARCACHE and CACHETIMEOUT commands make use of
this. This also adds a deny flag '-' to a user or group name.

Fixed the cache timer to expire deferred cache entries. No longer need
to wait for the next OPEN or SAVE command.

Make use of the --no-passphrase option for non-PKI data files. This
adds the --no-passphrase option to the PASSWD command.

Show a backtrace on SIGABRT.


PWMD v3.0.1
-----------
Fix crash when checking the cache status of a new file.

Set the default cache_timeout configuration parameter to 600.

Set the default keepalive_interval to 60.

Fix SAVE not caching new files.


PWMD v3.0.0
-----------
This version contains quite a few changes and enhancements. Most
commands and syntax have changed in this release so please read the
example configuration file and the html or texinfo documentation in
the doc/ directory.

You will need to convert your existing pwmd v2.x data file to the new
data file format by doing the following:

        $ pwmd --convert datafile -o newfile

then place "newfile" in ~/.pwmd/data. If you built with gpg-agent
support by passing --enable-agent to configure, then append
--use-agent to the above command line to use the gpg-agent to generate
a public and private keypair. No keypair is generated by default; the
data file is symmetrically encrypted.

Pwmd now supports the use of the gpg-agent for passphrase caching and
key management. This means smartcards are also supported. A "stub" of
the secret key is stored in the above mentioned key directory, but the
secret portion of the key is stored on the smartcard. To convert your
existing data while encrypting to an existing public key, pass the
--keygrip option with --convert or --import, along with
--use-agent. You may also need to pass the --sign-keygrip, too. See
the pwmd manual for details.

The XML document is now cached in pwmd when the passphrase is also
cached. This is needed to prevent requiring a smartcard to be inserted
for each OPEN command although it can still be required by setting the
CACHETIMEOUT of a data file to 0. Pwmd will operate on a copy of the
cached document and update the cached one after a SAVE. It is also
much faster than having to decrypt the data file during each OPEN.
The cached document is encrypted to prevent memory grepping attacks.

Ported to POSIX threads (pthreads).

Renamed error codes:
    PWMD_LIBXML_ERROR -> GPG_ERR_BAD_DATA
    PWMD_NO_FILE -> GPG_ERR_INV_STATE
    PWMD_FILE_MODIFIED -> GPG_ERR_CHECKSUM

Most commands now have an --inquire option to retrieve remaining
non-option arguments via a server inquire. This avoids the libassuan
line length limit for longer element paths.

Added the PASSWD command to change the passphrase of a secret key or a
symmetrically encrypted key (SAVE --no-agent).

The IMPORT command can now import siblings.

Added the AGENT command to send a command directly to gpg-agent.

Added the GETINFO command to retrieve server details. This removes the
VERSION and GETPID commands.

Removed the CONFIG and KEEPALIVE status messages.

Added the NEWFILE status message to determine when the file OPEN'ed is
a new one.

Added ISCACHED --lock to lock the file mutex. This doesn't require an
OPEN'd file. It was added to prevent a race condition with another
client accessing the same file when one client needed to determine the
cache status before the OPEN.

Texinfo documentation and the manual page is generated from the
texinfo source.

Commands that normally returned GPG_ERR_NO_VALUE now return
GPG_ERR_NO_DATA.

The --iterations command line, configuration and SAVE options have
been renamed to "s2k-count". The PASSWD command can be used to change
this value for an existing secret key.

The CLEARCACHE command returns an error when the file mutex associated
with the data file is locked by another client. Although an error is
returned the cached file is flagged for cache removal which will occur
when the data file mutex is released.

Added LIST --all to retrieve the entire element tree. Flags are
appended to each element path when this option is used. See the
documentation for details.

The checksum is now a CRC32 checksum rather than a stat() of the ctime
of the data file.

Can now listen for remote connections via TLS (IPv4 and IPv6) as well
as the local UNIX domain socket.

Added tests. Run them with 'make tests' in the tests/ directory.

More portable: *BSD, SunOS/Solaris/OpenSolaris, Android and Linux and
32 and 64 bit versions of these as well as little and big endian.

Removed the libglib-2.0 dependency.