Allow comments in configuration list files. Comments begin with a semicolon

Configuration list parameter values may now contain spaces.

Fixed cached key corruption for non-gpg-agent data files that would prevent
opening the data file if the passphrase was previously cached during a SAVE.
Note: pwmd will use gpgme for all crypto operations in the next major version
bump and data files will be in OpenPGP format.

Added option "SAVE --ask" to require the data file passphrase before saving.
Behaves like --reset but doesn't clear the cache entry which may have caused a
DoS for other clients if there was a failure.

PASSWD now kills the scdaemon if enabled in the configuration ("kill_scd").

Fixed the "s2k_count" configuration parameter.

More strict protocol command option parsing.

Removed "OPTION log_level" since it should not be configurable by a client.

The KILL command now works on systems without pthread_cancel().

Now uses poll(2) rather than select(2) since poll() allows for more file

This version contains two important security fixes. After installing, please
change your passphrase for all non-gpg-agent data files with the PASSWD
command (or ".passwd" if using pwmc). Please note that after the new data file
is written it will be incompatible with previous versions of pwmd.

Fixed initializing the passphrase salt with a nonce. This was a mistake
introduced in pwmd 3.0.

The --cipher-iterations command line and SAVE options are now an alias for
--s2k-count. This is due to how the encryption scheme has changed. The count is
now the number of times to hash the passphrase before encryption of the XML
document. In previous versions the passphrase hash used a small static
compile-time count and the XML was then encrypted with the iteration count. The
default S2K iteration count is now 5000000. This change removes the need for
the "cipher_progress" configuration parameter, which has been removed from the
documentation but is still valid for older data files.

Fixed potential cache corruption of the data file key.

Require GnuTLS >= 3.0.0 when --enable-gnutls is passed to configure.

Explicitly set pthread compiler and linker flags for Android.

Build fix for systems without getpwnam_r().

The "invoking_user" configuration parameter now accepts an ACL list as an
argument. This removes the "invoking_tls" parameter since a TLS fingerprint
hash can be specified in the ACL.

Added configuration parameter "invoking_file".

Attribute names must now conform to the XML 1.0 specification. This is to
prevent parsing errors during the next OPEN. Element names (attribute values)

The ATTR LIST command can now show attributes for an element path it otherwise
would not have permission to access provided there is permission for its

Fixed the LIST command showing an arbitrary element path after element access

Added a username field to the "GETINFO --verbose CLIENTS" command.

LIST now appends a target flag to an element with an error.

LIST command bug fixes.

Can now set a "target" attribute value to a restricted but visible element

Added configuration parameter "strict_kill" to let a client KILL another
client when the client to kill is of the same uid or TLS fingerprint. Set to
"true" to keep the old behavior.

Fixed configure.ac to use any required pthread CFLAGS or LIBS.

Thread cancellation fixes.

Client names specified with "OPTION name=value" may no longer contain

Added "GETINFO --verbose CLIENTS" to show connected clients and their state.

Added the "STATE" status message which is sent to connected clients during a
client state change and has the same line format as the "GETINFO --verbose
CLIENTS" command. This also adds a new configuration parameter "send_state"
that can disable sending the client state, send client states only to other
clients who are an invoking_user, or send them to all connected clients. The
default is invoking users.

Added configuration parameter "lock_timeout" that behaves as the default for
"OPTION lock-timeout". The default is 5 seconds.

Added the "KILL" command to terminate another client when the current one is

Now sends a keepalive status message while waiting for a data file lock to be

Added command line option --kill to terminate a running pwmd instance.

The --use-agent command line option can now also disable gpg-agent use when
"use_agent" is enabled in a configuration file.

A few bug fixes discovered by Coverity.

Added configuration parameter "tls_dh_level".

Changed the default "tls_cipher_suite" to
SECURE256:SECURE192:SECURE128:-VERS-SSL3.0.

When opening a new file then opening another, the first file would be cached
when not saved. So remove the cache entry for a non-saved file to prevent a

Fixed the verbose flag of LIST to not append a "T" flag when no target
existed for a root element.

Updated Debian packaging info so 'make deb' should now reflect the current

Update to work with newest gpg-agent. This adds configuration parameter
"gpg_agent_socket" to replace "agent_env_file".

Fix doc/magic and the version string.

Fixed SAVE --keygrip and --sign-keygrip when not a new file.

Fixed SAVE using the previously opened file's signing key when the current file

Fixed TLS socket hanging during handshake failure.

Fixed TLS wait interval during EAGAIN.

Added GETINFO USER to return the client username/hash.

Fixed MOVE doing an unneeded permission check.

Fixed CACHETIMEOUT to apply the new timeout immediately and not wait for the
existing timer to expire.

Bugfixes. See ChangeLog for details.

Fix SAVE --inquire-keyparam for new files.

Fix TLS fingerprint hash case comparison.

Check permissions before modifying a "target" attribute.

Access is denied for an element that does not contain an "_acl" attribute
unless the client is the invoking_user.

Support for ELG keypairs.

The "allowed" configuration parameter supports TLS fingerprint hashes by
prefixing the hash with a '#' character. This removes the "tls_access"
configuration parameter.

Added configuration parameter "allowed_file" which should contain one
username, group name or hash per line and has the same syntax as the "allowed"

TLS fingerprint hashes are now in SHA256 format and not SHA1 and when
specified in a configuration parameter, or "allowed_file", should be

Added per-element access control lists (ACL). Works like the "allowed"
configuration parameter but the ACL is stored in the element attribute "_acl".
This adds a LIST --verbose flag 'P' to indicate that the current client is not
allowed access to the element. This also adds the "invoking_user" and
"invoking_tls" configuration parameters. See the documentation for details.

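A check an administrator could run over an "allowed_file" after the switch
from SHA1 to SHA256 fingerprints, to find '#'-prefixed entries that are still
SHA1 length or are not hex at all. This is an added example, not code from
pwmd. Assumptions: a semicolon starts a comment, the deny flag ('-' or '!')
may sit on either side of the '#', and the sample entries are constructed.

```python
import re
SHA256_HEX, SHA1_HEX = 64, 40  # hex digest lengths

def classify_entry(line):
    """Classify one list line as (kind, deny, value); None if blank or comment."""
    # Assumption: a semicolon starts a comment, as in configuration list files.
    entry = line.split(";", 1)[0].strip()
    if not entry:
        return None
    # Assumption: the deny flag ('-' or '!') may sit before or after the '#'.
    deny = is_hash = False
    while entry and entry[0] in "-!#":
        if entry[0] == "#":
            is_hash = True
        else:
            deny = True
        entry = entry[1:]
    if not is_hash:
        return ("name", deny, entry)  # user or group name, not checked here
    if not re.fullmatch(r"[0-9A-Fa-f]+", entry):
        return ("bad-hash", deny, entry)
    if len(entry) == SHA256_HEX:
        return ("sha256", deny, entry.upper())  # upper-cased for reporting
    if len(entry) == SHA1_HEX:
        return ("sha1-legacy", deny, entry.upper())
    return ("bad-hash", deny, entry)

def audit(text):
    """Return [(line_number, kind, value)] for entries that need attention."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        result = classify_entry(line)
        if result and result[0] in ("sha1-legacy", "bad-hash"):
            findings.append((number, result[0], result[2]))
    return findings

# Constructed sample; the names and digests are made up for this example.
SAMPLE = "\n".join([
    "; clients allowed to connect",
    "alice", "-bob",
    "#" + "ab" * 32,    # SHA256 length
    "#" + "CD" * 20,    # SHA1 length, left over from before the change
    "-#" + "12" * 32,   # denied SHA256 fingerprint
    "#nothex",
])

if __name__ == "__main__":
    for number, kind, value in audit(SAMPLE):
        print(f"line {number}: {kind}: {value}")
```
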
Removed libacl support for data files. It isn't very useful.

Fixed a recursion loop in the LIST command. See move test #8 and #9.

Disable attaching to the pwmd process. This is Linux specific and has the
effect of hiding the pwmd process from 'ps' output.

A few other bug fixes. See ChangeLog for details.

More lenient element and attribute names. This reverts the behavior introduced
in version 3.0.5. This allows for things like '@' or digits in an element or
attribute name making pwmd more useful. I don't remember why I made it so
strict in that version so I'll revert it for now until I do remember.

Write a PID file upon startup to detect a stale socket when running another

Bind to the local socket before doing cache pushing.

Added command line option --force as an alias to --ignore.

Fixed a few cppcheck(1) warnings.

Fixed a bug that ignored the return value from launch_pinentry().

Added configuration parameter "log_keepopen" for use when logging to a file.

More strict element and attribute names. Conform to the XML naming spec.

Log any non-fatal XML error. These may occur when loading or parsing

Set XML standalone mode and UTF-8 encoding explicitly (the default).

A few "target" attribute fixes.

Updated Debian packaging stuff. Try 'make deb'.

Fixed the PASSWD command requiring a passphrase for a non-PKI data file
without a passphrase.

Fixed a few memory leaks.

The 'OPTION disable-pinentry' now resets the gpg-agent '--pinentry-mode'

Fixed new non-PKI data file cache entry getting cleared during SAVE.

The CLEARCACHE and CACHETIMEOUT commands now make use of the
"tls_access" configuration parameter in a data file section like the
OPEN command does. Also added a "-" flag to the fingerprint which
behaves like the "!" flag.

The "allowed" configuration parameter now works in a data file section
and is a list of local user or group names allowed to open the data
file. The OPEN, CLEARCACHE and CACHETIMEOUT commands make use of
this. This also adds a deny flag '-' to a user or group name.

Fixed the cache timer to expire deferred cache entries. No longer need
to wait for the next OPEN or SAVE command.

Make use of the --no-passphrase option for non-PKI data files. This
adds the --no-passphrase option to the PASSWD command.

Show a backtrace on SIGABRT.

Fix crash when checking the cache status of a new file.

Set the default cache_timeout configuration parameter to 600.

Set the default keepalive_interval to 60.

Fix SAVE not caching new files.

This version contains quite a few changes and enhancements. Most
commands and syntax have changed in this release so please read the
example configuration file and the html or texinfo documentation in

You will need to convert your existing pwmd v2.x data file to the new
data file format by doing the following:

    $ pwmd --convert datafile -o newfile

then place "newfile" in ~/.pwmd/data. If you built with gpg-agent
support by passing --enable-agent to configure, then append
--use-agent to the above command line to use the gpg-agent to generate
a public and private keypair. No keypair is generated by default; the
data file is symmetrically encrypted.

Pwmd now supports the use of the gpg-agent for passphrase caching and
key management. This means smartcards are also supported. A "stub" of
the secret key is stored in the above mentioned key directory, but the
secret portion of the key is stored on the smartcard. To convert your
existing data while encrypting to an existing public key, pass the
--keygrip option with --convert or --import, along with
--use-agent. You may also need to pass --sign-keygrip. See
the pwmd manual for details.

The XML document is now cached in pwmd when the passphrase is also
cached. This is needed to prevent requiring a smartcard to be inserted
for each OPEN command although it can still be required by setting the
CACHETIMEOUT of a data file to 0. Pwmd will operate on a copy of the
cached document and update the cached one after a SAVE. It is also
much faster than having to decrypt the data file during each OPEN.
The cached document is encrypted to prevent memory grepping attacks.

Ported to POSIX threads (pthreads).

PWMD_LIBXML_ERROR -> GPG_ERR_BAD_DATA
PWMD_NO_FILE -> GPG_ERR_INV_STATE
PWMD_FILE_MODIFIED -> GPG_ERR_CHECKSUM

Most commands now have an --inquire option to retrieve remaining
non-option arguments via a server inquire. This avoids the libassuan
line length limit for longer element paths.

Added the PASSWD command to change the passphrase of a secret key or a
symmetrically encrypted key (SAVE --no-agent).

The IMPORT command can now import siblings.

Added the AGENT command to send a command directly to gpg-agent.

Added the GETINFO command to retrieve server details. This removes the
VERSION and GETPID commands.

Removed the CONFIG and KEEPALIVE status messages.

Added the NEWFILE status message to determine when the file OPEN'ed is

Added ISCACHED --lock to lock the file mutex. This doesn't require an
OPEN'd file. It was added to prevent a race condition with another
client accessing the same file when one client needed to determine the
cache status before the OPEN.

Texinfo documentation and the manual page are generated from the

Commands that normally returned GPG_ERR_NO_VALUE now return

The --iterations command line, configuration and SAVE options have
been renamed to "s2k-count". The PASSWD command can be used to change
this value for an existing secret key.

The CLEARCACHE command returns an error when the file mutex associated
with the data file is locked by another client. Although an error is
returned the cached file is flagged for cache removal which will occur
when the data file mutex is released.

Added LIST --all to retrieve the entire element tree. Flags are
appended to each element path when this option is used. See the
documentation for details.

The checksum is now a CRC32 checksum rather than a stat() of the ctime

Can now listen for remote connections via TLS (IPv4 and IPv6) as well
as the local UNIX domain socket.

Added tests. Run them with 'make tests' in the tests/ directory.

More portable: *BSD, SunOS/Solaris/OpenSolaris, Android and Linux and
32 and 64 bit versions of these as well as little and big endian.

Removed the libglib-2.0 dependency.