From ad242addf51715412f101dd5760cedcb7c352469 Mon Sep 17 00:00:00 2001
From: Ben Kibbey
Date: Tue, 21 Apr 2015 20:56:47 -0400
Subject: [PATCH] Version 3.0.15.
---
 NEWS | 22 ++++++++++++
 configure.ac | 2 +-
 debian/changelog | 6 ++++
 po/pwmd.pot | 108 ++++++++++++++++++++++++++++---------------------------
 4 files changed, 85 insertions(+), 53 deletions(-)
diff --git a/NEWS b/NEWS
index 9dd7e3b9..b4f2b588 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,25 @@
+PWMD v3.0.15
+------------
+This verions contains two important security fixes. After installing please
+change your passphrase for all non-gpg-agent data files with the PASSWD
+command (or ".passwd" if using pwmc). Please note that after the new data file
+is written it will be incompatible with previous versions of pwmd.
+
+Fixed initializing the passphrase salt with a nonce. This was a mistake
+introduced in pwmd 3.0.
+
+The --cipher-iterations command line and SAVE options are now an alias for
+--s2k-count. This is do to how the encryption scheme has changed. The count is
+now the number of times to hash the passphrase before encryption of the XML
+document. In previous versions the count was using a small static
+compile-time count then encrypting the XML with the iteration count. The
+default S2K iteration count is now 5000000. This change removes the need for
+the "cipher_progress" configuration parameter and has been removed from the
+documentation but is still valid for older data files.
+
+Fixed potential cache corruption of the data file key.
+
+
 PWMD v3.0.14
 ------------
 Require GnuTLS >= 3.0.0 when --enable-gnutls is passed to configure.
diff --git a/configure.ac b/configure.ac
index 29d0ce64..c4a179d9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,6 +1,6 @@ dnl Process this file with autoconf to produce a configure script. AC_PREREQ(2.60) -AC_INIT(pwmd, 3.0.15-dev, [Ben Kibbey bjk@luxsci.net]) +AC_INIT(pwmd, 3.0.15, [Ben Kibbey bjk@luxsci.net]) AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_AUX_DIR(build) AC_CANONICAL_TARGET diff --git a/debian/changelog b/debian/changelog index f6eb0965..0fe0d12c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +pwmd (3.0.15-1) testing; urgency=medium + + * New upstream. + + -- Ben Kibbey Tue, 21 Apr 2015 20:56:27 -0400 + pwmd (3.0.14-1) testing; urgency=medium * New upstream. diff --git a/po/pwmd.pot b/po/pwmd.pot index 6a4ecb3b..5797e716 100644 --- a/po/pwmd.pot +++ b/po/pwmd.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: bjk@luxsci.net\n" -"POT-Creation-Date: 2015-04-04 18:14-0400\n" +"POT-Creation-Date: 2015-04-21 20:54-0400\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -214,12 +214,12 @@ msgstr "" msgid "Using passphrase file \"%s\" for decryption ..." msgstr "" -#: src/pwmd.c:2491 +#: src/pwmd.c:2490 #, c-format msgid "Output written to \"%s\"." msgstr "" -#: src/pwmd.c:2514 +#: src/pwmd.c:2513 #, c-format msgid "" "Usage: %s [OPTIONS] [file1] [...]\n" 
@@ -244,23 +244,24 @@ msgid "" " --sign-keygrip=hex private key to use when signing\n" " --keyparam=s-exp custom key parameters to use (RSA-2048)\n" " --cipher=string encryption cipher (aes256)\n" -" --cipher-iterations=N cipher iteration count (N+1)\n" +" --cipher-iterations=N cipher iteration count (alias for --s2k-" +"count)\n" " --s2k-count=N hash iteration count (>65536, calibrated)\n" " --help this help text\n" " --version show version and compile time features\n" msgstr "" -#: src/pwmd.c:2548 +#: src/pwmd.c:2547 #, c-format msgid "removing stale socket %s" msgstr "" -#: src/pwmd.c:2623 +#: src/pwmd.c:2622 #, c-format msgid "an instance for socket %s is already running" msgstr "" -#: src/pwmd.c:2867 +#: src/pwmd.c:2863 #, c-format msgid "" "%s\n" @@ -273,26 +274,26 @@ msgid "" "%s" msgstr "" -#: src/pwmd.c:2979 +#: src/pwmd.c:2975 msgid "incompatible gpg-agent version: 2.1.0 or later required" msgstr "" -#: src/pwmd.c:3101 +#: src/pwmd.c:3096 #, c-format msgid "" "Either there is another pwmd running or '%s' is a \n" "stale socket. Please remove it manually." msgstr "" -#: src/pwmd.c:3190 +#: src/pwmd.c:3185 msgid "Done. Daemonizing..." msgstr "" -#: src/pwmd.c:3191 +#: src/pwmd.c:3186 msgid "Done. Waiting for connections..." msgstr "" -#: src/pwmd.c:3272 +#: src/pwmd.c:3267 msgid "pwmd exiting normally" msgstr "" @@ -300,17 +301,17 @@ msgstr "" msgid "Waiting for lock" msgstr "" -#: src/commands.c:398 +#: src/commands.c:399 #, c-format msgid "Bad passphrase (try %i of %i)" msgstr "" -#: src/commands.c:4219 +#: src/commands.c:4222 #, c-format msgid "command completed: rc=%u" msgstr "" -#: src/commands.c:4236 +#: src/commands.c:4239 msgid "" "Usage: HELP []\n" "For commands that take an element path as an argument, each element is " 
@@ -318,25 +319,25 @@ msgid "" "COMMANDS:" msgstr "" -#: src/commands.c:4269 +#: src/commands.c:4272 #, c-format msgid "Usage: %s" msgstr "" -#: src/commands.c:4777 +#: src/commands.c:4780 msgid "" "HELP []\n" "Show available commands or command specific help text." msgstr "" -#: src/commands.c:4782 +#: src/commands.c:4785 msgid "" "AGENT \n" "Send a @command{gpg-agent} protocol @var{command} directly to the " "@command{gpg-agent}." msgstr "" -#: src/commands.c:4788 +#: src/commands.c:4791 msgid "" "KILL \n" "Terminates the client identified by @var{thread_id} and releases any file " @@ -346,7 +347,7 @@ msgid "" "clients of the same @code{UID} or @abbr{TLS} fingerprint.\n" msgstr "" -#: src/commands.c:4797 +#: src/commands.c:4800 msgid "" "GETINFO [--data] [--verbose] CACHE | CLIENTS | PID | USER | LAST_ERROR | " "VERSION\n" @@ -371,7 +372,7 @@ msgid "" "via a data response rather than a status message." msgstr "" -#: src/commands.c:4822 +#: src/commands.c:4825 msgid "" "PASSWD [--reset] [--s2k-count=N] [--no-passphrase]\n" "Changes the passphrase of the secret key required to open the current file " @@ -390,7 +391,7 @@ msgid "" "Control})." msgstr "" -#: src/commands.c:4843 +#: src/commands.c:4846 msgid "" "KEYGRIP [--sign] \n" "Returns the hex encoded keygrip of the specified @var{filename} with a data " @@ -401,7 +402,7 @@ msgid "" "GPG_ERR_NOT_SUPPORTED." msgstr "" -#: src/commands.c:4855 +#: src/commands.c:4858 msgid "" "OPEN [--lock] []\n" "Opens @var{filename} using @var{passphrase}. When the filename is not found " @@ -415,7 +416,7 @@ msgid "" "has been opened." msgstr "" -#: src/commands.c:4870 +#: src/commands.c:4873 msgid "" "SAVE [--no-passphrase] [--reset] [--no-agent] [--s2k-count=N] [--" "cipher=] [--cipher-iterations=N] [--inquire-keyparam] [--" 
@@ -435,8 +436,10 @@ msgid "" "The @option{--cipher} option can be used to encrypt the @abbr{XML} data to " "an alternate cipher. The default is @code{aes256}. See the Configuration " "(@pxref{Configuration}) for available ciphers.\n" -"The @option{--cipher-iterations} option specifies the number of times to " -"encrypt the XML data. The default is 0 although 1 iteration is still done.\n" +"The @option{--cipher-iterations} option specifies the number of times to " +"hash the passphrase before encrypting the XML data. The default is " +"@code{5000000}. This option is an alias for @option{--s2k-count} since " +"version @var{3.0.15} of @command{pwmd}.\n" "The @option{--inquire-keyparam} option will send a server @emph{INQUIRE} to " "the client to obtain the key paramaters to use when generating a new " "keypair. The inquired data is expected to be an S-expression. If not " @@ -458,12 +461,13 @@ msgid "" "are not available for non-invoking clients (@pxref{Access Control}).\n" "The @option{--s2k-count} option sets number of hash iterations for a " "passphrase. A value less-than @code{65536} will use the machine calibrated " -"value and is the default. This setting only affects new files. To change the " -"setting use the @code{PASSWD} command (@pxref{PASSWD}). This option has no " -"effect with symmetrically encrypted data files." +"value and is the default when using @command{gpg-agent}. This setting only " +"affects new files when using @command{gpg-agent}. To change the setting use " +"the @code{PASSWD} command (@pxref{PASSWD}). This option is an alias for " +"option @option{--cipher-iterations} when not using @command{gpg-agent}." msgstr "" -#: src/commands.c:4923 +#: src/commands.c:4929 msgid "" "ISCACHED [--lock] \n" "An @emph{OK} response is returned if the specified @var{filename} is found " 
@@ -476,13 +480,13 @@ msgid "" "command." msgstr "" -#: src/commands.c:4936 +#: src/commands.c:4942 msgid "" "CLEARCACHE []\n" "Clears a file cache entry for all or the specified @var{filename}." msgstr "" -#: src/commands.c:4941 +#: src/commands.c:4947 msgid "" "CACHETIMEOUT \n" "The time in @var{seconds} until @var{filename} will be removed from the " @@ -491,7 +495,7 @@ msgid "" "@pxref{SAVE}). @xref{Configuration}, and the @code{cache_timeout} parameter." msgstr "" -#: src/commands.c:4950 +#: src/commands.c:4956 msgid "" "LIST [--inquire] [--no-recurse] [--verbose] [--with-target] [--all] " "[[!]element[[!]child[..]]]\n" @@ -526,7 +530,7 @@ msgid "" "arguments are retrieved via a server @emph{INQUIRE}." msgstr "" -#: src/commands.c:4988 +#: src/commands.c:4994 msgid "" "REALPATH [--inquire] [!]element[[!]child[..]]\n" "Resolves all @code{target} attributes of the specified element path and " @@ -536,7 +540,7 @@ msgid "" "arguments are retrieved via a server @emph{INQUIRE}." msgstr "" -#: src/commands.c:4997 +#: src/commands.c:5003 msgid "" "STORE [!]element[[!]child[..]][content]\n" "This command uses a server @emph{INQUIRE} to retrieve data from the client.\n" @@ -554,7 +558,7 @@ msgid "" "to prevent @abbr{XML} parsing and @command{pwmd} syntax errors." msgstr "" -#: src/commands.c:5016 +#: src/commands.c:5022 msgid "" "RENAME [--inquire] [!]element[[!]child[..]] \n" "Renames the specified @var{element} to the new @var{value}. If an element of " @@ -563,7 +567,7 @@ msgid "" "arguments are retrieved via a server @emph{INQUIRE}." msgstr "" -#: src/commands.c:5025 +#: src/commands.c:5031 msgid "" "COPY [--inquire] [!]source[[!]child[..]] [!]dest[[!]child[..]]\n" "Copies the entire element tree starting from the child node of the source " 
@@ -577,7 +581,7 @@ msgid "" "arguments are retrieved via a server @emph{INQUIRE}." msgstr "" -#: src/commands.c:5041 +#: src/commands.c:5047 msgid "" "MOVE [--inquire] [!]source[[!]child[..]] [[!]dest[[!]child[..]]]\n" "Moves the source element path to the destination element path. If the " @@ -589,7 +593,7 @@ msgid "" "arguments are retrieved via a server @emph{INQUIRE}." msgstr "" -#: src/commands.c:5053 +#: src/commands.c:5059 msgid "" "DELETE [--inquire] [!]element[[!]child[..]]\n" "Removes the specified element path and all of its children. This may break " @@ -599,7 +603,7 @@ msgid "" "arguments are retrieved via a server @emph{INQUIRE}." msgstr "" -#: src/commands.c:5063 +#: src/commands.c:5069 msgid "" "GET [--inquire] [!]element[[!]child[..]]\n" "Retrieves the content of the specified element. The content is returned with " @@ -608,7 +612,7 @@ msgid "" "arguments are retrieved via a server @emph{INQUIRE}." msgstr "" -#: src/commands.c:5072 +#: src/commands.c:5078 msgid "" "ATTR [--inquire] SET|GET|DELETE|LIST [] " "[!]element[[!]child[..]] ..\n" @@ -641,7 +645,7 @@ msgid "" "@xref{Target Attribute}, for details about this special attribute." msgstr "" -#: src/commands.c:5109 +#: src/commands.c:5115 msgid "" "XPATH [--inquire] [[value]]\n" "Evaluates an XPath @var{expression}. If no @var{value} argument is specified " @@ -661,7 +665,7 @@ msgid "" "expression syntax." msgstr "" -#: src/commands.c:5132 +#: src/commands.c:5138 msgid "" "XPATHATTR [--inquire] SET|DELETE [[]]\n" "Like the @code{XPATH} command (@pxref{XPATH}) but operates on element " @@ -679,7 +683,7 @@ msgid "" "expression syntax." msgstr "" -#: src/commands.c:5153 +#: src/commands.c:5159 msgid "" "IMPORT [--root=[!]element[[!]child[..]]] \n" "This command uses a server @emph{INQUIRE} to retrieve data from the client.\n" 
@@ -692,14 +696,14 @@ msgid "" "for details." msgstr "" -#: src/commands.c:5167 +#: src/commands.c:5173 msgid "" "DUMP\n" "Shows the in memory @abbr{XML} document with indenting. @xref{XPATH}, for " "dumping a specific node." msgstr "" -#: src/commands.c:5173 +#: src/commands.c:5179 msgid "" "LOCK\n" "Locks the mutex associated with the opened file. This prevents other clients " @@ -708,7 +712,7 @@ msgid "" "@xref{UNLOCK}." msgstr "" -#: src/commands.c:5181 +#: src/commands.c:5187 msgid "" "UNLOCK\n" "Unlocks the file mutex which was locked with the @code{LOCK} command or a " @@ -716,7 +720,7 @@ msgid "" "@pxref{ISCACHED})." msgstr "" -#: src/commands.c:5188 +#: src/commands.c:5194 msgid "" "GETCONFIG [filename] \n" "Returns the value of a @command{pwmd} configuration @var{parameter} with a " @@ -726,7 +730,7 @@ msgid "" "with the @code{OPTION} command (@pxref{OPTION}) will be returned." msgstr "" -#: src/commands.c:5197 +#: src/commands.c:5203 msgid "" "OPTION =\n" "Sets a client option @var{name} to @var{value}. The value for an option is " @@ -777,20 +781,20 @@ msgid "" "An integer specifiying the logging level.@end table\n" msgstr "" -#: src/commands.c:5251 +#: src/commands.c:5257 msgid "" "LS\n" "Lists the available data files stored in the data directory (@file{~/.pwmd/" "data}). The result is a newline separated list of filenames." msgstr "" -#: src/commands.c:5257 +#: src/commands.c:5263 msgid "" "RESET\n" "Closes the currently opened file but keeps any previously set client options." msgstr "" -#: src/commands.c:5262 +#: src/commands.c:5268 msgid "" "NOP\n" "Does nothing. Always returns successfully." -- 2.11.4.GIT