pwmd-devel Mailing List for pwmd
Serves XML element content over a UDS or TLS.
Brought to you by:
benkibbey
From: Ben K. <bj...@lu...> - 2021-02-28 23:27:40

Hello,

It has been a while since a release so here's the release notes for pwmd from version 3.1.0-beta3 to the latest version 3.3.0:

PWMD v3.3.0
-----------

When an ACL for an element is the empty string, treat the element as having a non-existent _acl attribute. Now also tests for valid characters in a UNIX username in an _acl value.

Now appends the current git commit hash to the version string to aid in development.

Fixed to allow for larger PID values to be able to properly terminate or start another daemon process.

Reworked the tests to use the TAP harness. Run 'make check' rather than 'make tests' to run the tests. See tests/README for details.

Disabled TLS1.1 and CBC cipher suites by default.

Fixed creating a Debian package with 'make deb'.

An "allowed" configuration parameter value may now contain a whitelist of local client command names that are allowed to connect or open a data file. This is Linux specific for now.

Added the "--sexp" option to the LIST command to show elements along with their attributes in an s-expression format.

Releases are now signed using a new signing key. The fingerprint of the new key is 6078FEB430EFA427499E6E78555B69666326961C and is cross-signed with my new primary key which is cross-signed with my old primary key. I don't believe the old keys to be compromised; it is only to rotate them and update to newer standards.

PWMD v3.2.2
-----------

Disable gpg-agent caching of the key for symmetrically encrypted data files. The gpg-agent options to do this were previously mentioned in the pwmd documentation, but we will pass the option to gpgme explicitly to prevent misuse.

Portability fix.

PWMD v3.2.1
-----------

Fixed creating a Debian package from a tarball.

Fixed a crash during recursion loop detection.

Fixed a crash in the LIST command.

Fixed the GENKEY command to work properly when passed --expire due to a typo.

Fixed the BULK command to sometimes not work when not used as an --inquire.

Fixed the cache potentially returning a stale document.

Fixed the OPEN command to update the checksum for a reopened file.

Fixed a bug in the STORE command refusing to create an element path even with proper access rights.

PWMD v3.2
---------

Add the BULK protocol command to allow sending multiple commands using a (semi) s-expression syntax. This can speed up remote connections quite a bit since less socket IO is needed. This also adds a BULK status message to inform the client of the current bulk command being run which may be needed when a command inquires data from the client.

No longer flood a TLS client with assuan protocol comment lines when spinning in a read.

The _mtime and _ctime element attributes can no longer be modified or removed by a client.

All known attributes to pwmd are now prefixed with an _:

    "target" -> "_target"
    "expire" -> "_expire"
    "expire_increment" -> "_age"

Added a "_version" attribute to the document root element to hold the current version of pwmd.

PWMD v3.1.1
-----------

The XFER status message is now sent only once and before the transfer starts leaving it to the client to calculate the amount of data transferred.

Added "LS --verbose" to include the filesystem atime, mtime and ctime timestamps of data files.

Build, portability and other bug fixes. See ChangeLog for details.

PWMD v3.1
---------

The project has moved to GitLab (https://gitlab.com/bjk/pwmd/wikis). Downloads are still available at SourceForge but the issue tracker, git repository and wiki are now hosted at GitLab.

Re-added the "tls_use_crl" configuration parameter although it is disabled by default.

DELETE no longer does any confirmation before deleting public and private keys.

Portability and undefined behavior bugfixes. See ChangeLog for details.

PWMD v3.1-beta3
---------------

The LS command now sorts filenames.

Fixed a long standing memory leak related to a client's thread name.

Key expiration is now ignored when OPEN'ing a data file. The next SAVE will fail if using an expired key. See docs for details about what to do.

The CACHETIMEOUT command now requires an opened data file and no longer considers an "invoking_user". The syntax has also changed to require only a timeout parameter.

Added GENKEY --no-expire to allow creating keys that do not expire.

GENKEY now requires an opened data file.

Bug fixes. See ChangeLog for details.

-- Ben Kibbey

From: Ben K. <bj...@lu...> - 2017-01-02 01:02:17

Here's the NEWS:

New GENKEY command to generate a new keypair or subkey of an existing key without saving the data file to disk.

Removed key generation altogether from the SAVE command. You must generate a new key with the GENKEY command or use an existing key and pass the fingerprint to the --keyid option. The --sign-keyid option is also required for new data files.

The SAVE command now allows only a single signer. Although, multiple recipients may be specified.

LISTKEYS no longer requires an open data file.

Added configuration parameter "strict_open" to prevent a (non-invoking) client from creating a new data file.

New command DELETEKEY to remove the private key associated with the currently opened data file from the keyring.

Added copy-on-write for commands that modify the document.

The DUMP command no longer does a checksum test.

-- Ben Kibbey

From: Ben K. <bj...@lu...> - 2016-10-23 01:12:29

Hello,

This is a beta version with many changes to how crypto and element paths are done. Please test and submit patches here or to https://gitlab.com/bjk/pwmd/issues. I am open to things other than bug fixes; i.e., features and reworking of commands or whatever. I would just like to have (more) people using it and get suggestions on how to make pwmd better.

Here's the NEWS:

Ported to libgpgme. Data files are now OpenPGP encrypted and signed. A signer is required when using asymmetric encryption and optional if using symmetric encryption.

New global configuration parameter "gpg_homedir". The default is ~/.pwmd/.gnupg which will spawn a gpg-agent process with this as its homedir. The secret and public keyrings live here. To use your regular keyring set this to ~/.gnupg. This removes the "gpg_agent_socket" configuration parameter.

Added the pwmd-dump(1) utility to dump the contents of a v3.0.x data file. The output file can then be imported by using 'pwmd --import'. pwmd-dump can also update a v3.1 raw XML file to the latest element or attribute changes by passing the --xml option. See the pwmd-dump(1) manual page for details.

Removed the notion of "literal" elements. Targets are always followed for elements that have a 'target' attribute. This changes how the ATTR command works. See the pwmd texinfo or html docs for details. Also note the inherited and reserved attributes for elements with a target.

The LIST command now always implies the deprecated '--verbose' and '--with-target' switches and adds the '--recurse' switch to replace the also deprecated '--all' switch.

Rewrote the LIST command to better handle recursion loops. Still needs some work, though. See KnownBugs.

New special attributes 'expire' and 'expire_increment'. See docs for details. This also adds a new STATUS_EXPIRE status message.

New command LISTKEYS to show available (secret) keyid's.

New command KEYINFO to show encryption and signing keyid's for an opened data file and --learn to create private key stubs for keys stored on a smartcard.

New global configuration parameters "encrypt_to" and "always_trust".

Added connected timestamp field to 'GETINFO --verbose CLIENTS'.

New status messages PASSPHRASE_HINT and PASSPHRASE_INFO when pinentry is disabled.

New global configuration option "backlog" to set the TCP backlog for TLS connections. The default is 128 (Linux default, too).

All clients now are cancelled upon SIGINT and SIGTERM without waiting for them to disconnect themselves.

Added OPTION CLIENT-STATE to allow a client to opt-in to receive client STATE status messages. By default, no client state is sent.

CACHETIMEOUT now allows access to an invoking user.

TLS rehandshake support upon SIGHUP.

New configuration option "tls_dh_params_file". This removes "tls_dh_level".

Removed configuration option "tcp_wait".

OPEN: Always allow an invoking user.

CLEARCACHE: Reworked to test the client ACL for each data file.

-- Ben Kibbey

From: Ben K. <bj...@lu...> - 2015-10-18 01:39:57

This release contains mostly fixes backported from the master branch. The next version, 3.1, is almost ready with only data file conversion needing to be done before the release. Libpwmd and QPwmc have been updated to make use of 3.1 features and changes and although there are still some things that need to be done, none are blocking.

Here's the NEWS for this release:

The "tcp_require_key" configuration parameter will no longer clear the cache entry for a data file. It will only try to decrypt it.

Do an fsync(2) on the data file directory after a SAVE as recommended by the manual page.

Only show regular files in the LS command and also be sure the OPEN'd file is a regular one.

Disallow a new line character in an attribute value to prevent ATTR LIST corruption.

TLS-1.0 is now disabled by default.

Fixed handling of invalid group names in an ACL. They are ignored rather than returning an error.

When using gpg-agent and the agent cached key has expired, return GPG_ERR_KEY_EXPIRED rather than GPG_ERR_NO_DATA. This can make it easier to determine why you are asked for a passphrase by reviewing a pwmd log. Note that the "max-cache-ttl" gpg-agent configuration parameter also affects the cache state for a data file.

A few minor bug fixes. See ChangeLog for details.

-- Ben Kibbey

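Two items from the release notes above, the fsync(2) on the data file directory after a SAVE and the regular-file check on OPEN, sketched in C as an added example. This is not pwmd's code: open_regular(), durable_save() and the ".name.tmp" temporary file name are assumptions made for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open an existing data file, refusing symlinks, FIFOs, devices and
 * directories. Returns a descriptor, or -1 on error. */
int open_regular(const char *path)
{
    struct stat st;
    /* O_NONBLOCK: do not hang in open() if the path is a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);

    if (fd == -1)
        return -1;
    /* fstat() the descriptor, not the path, so the object that was
     * checked is the object that gets read. */
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Replace dir/name with buf so that both the new contents and the
 * directory entry survive a crash. Returns 0 on success, -1 on error. */
int durable_save(const char *dir, const char *name, const void *buf, size_t len)
{
    char tmp[4096], dst[4096];
    const char *p = buf;
    int fd, dfd, rc;

    if (snprintf(tmp, sizeof tmp, "%s/.%s.tmp", dir, name) >= (int)sizeof tmp
        || snprintf(dst, sizeof dst, "%s/%s", dir, name) >= (int)sizeof dst)
        return -1;
    fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd == -1)
        return -1;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n == -1 && errno == EINTR)
            continue;
        if (n <= 0)
            goto fail;
        p += n;
        len -= (size_t)n;
    }
    if (fsync(fd) == -1)                     /* 1. contents reach the disk */
        goto fail;
    rc = close(fd);
    fd = -1;
    if (rc == -1 || rename(tmp, dst) == -1)  /* 2. atomic replace */
        goto fail;
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd == -1)
        return -1;
    rc = fsync(dfd);                         /* 3. directory entry reaches the disk */
    close(dfd);
    return rc;
fail:
    if (fd != -1)
        close(fd);
    unlink(tmp);
    return -1;
}

int main(void)
{
    char dir[] = "/tmp/durable-save-XXXXXX"; /* constructed scratch directory */
    char path[64];

    if (!mkdtemp(dir) || durable_save(dir, "data", "constructed", 11) != 0)
        return 1;
    snprintf(path, sizeof path, "%s/data", dir);
    printf("regular file: %s, directory: %s\n",
           open_regular(path) >= 0 ? "accepted" : "refused",
           open_regular(dir) >= 0 ? "accepted" : "refused");
    return 0;
}
```

Without step 3 the rename can be lost on a crash even though the file contents were synced, which is why the directory itself is fsync'd.
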
From: Ben K. <bj...@lu...> - 2015-08-30 15:08:22

Here's the NEWS:

Added advisory locking for data files implemented via flock(2).

Re-added data file ACL support. More useful now with advisory locking.

Release a data file mutex before data transfer to let other clients do work unless explicitly locked.

A few minor bug fixes. See ChangeLog for details.

-- Ben Kibbey

From: Ben K. <bj...@lu...> - 2015-08-01 20:00:05

Here's the NEWS:

Allow comments in configuration list files. Comments begin with a semicolon ';' character.

Configuration list parameter values may now contain spaces.

Fixed cached key corruption for non-gpg-agent data files that would prevent opening the data file if the passphrase was previously cached during a SAVE. Note: pwmd will use gpgme for all crypto operations in the next major version bump and data files will be in OpenPGP format.

Added option "SAVE --ask" to require the data file passphrase before saving. Behaves like --reset but doesn't clear the cache entry which may have caused a DoS for other clients if there was a failure.

PASSWD now kills the scdaemon if enabled in the configuration ("kill_scd").

Fixed the "s2k_count" configuration parameter.

More strict protocol command option parsing.

Removed "OPTION log_level" since it should not be configurable by a client.

The KILL command now works on systems without pthread_cancel().

Now uses poll(2) rather than select(2) since poll() allows for more file descriptors.

-- Ben Kibbey

From: Ben K. <bj...@lu...> - 2015-04-22 22:42:52

Here's the NEWS:

This version contains two important security fixes. After installing please change your passphrase for all non-gpg-agent data files with the PASSWD command (or ".passwd" if using pwmc). Please note that after the new data file is written it will be incompatible with previous versions of pwmd.

Fixed initializing the passphrase salt with a nonce. This was a mistake introduced in pwmd 3.0.

The --cipher-iterations command line and SAVE options are now an alias for --s2k-count. This is due to how the encryption scheme has changed. The count is now the number of times to hash the passphrase before encryption of the XML document. In previous versions the count was using a small static compile-time count then encrypting the XML with the iteration count. The default S2K iteration count is now 5000000. This change removes the need for the "cipher_progress" configuration parameter and has been removed from the documentation but is still valid for older data files.

Fixed potential cache corruption of the data file key.

-- Ben Kibbey

From: Ben K. <bj...@lu...> - 2015-04-07 01:33:01

Hello,

The master branch of the pwmd git repository contains support for OpenPGP encrypted data files while removing the support for older pwmd data file versions. The OpenPGP support is provided by libgpgme which uses gnupg (gpg2) for all crypto operations and also for pinentry handling.

There currently isn't a way to convert from version 3.0.x to 3.1 other than dumping the raw XML (DUMP) from 3.0.x then --import'ing it into 3.1. Converting will be added sometime soon. Either from a pwmd --convert command line option or an external utility.

There are a couple changes needed to libgpgme itself before all functionality of 3.0.x is available in 3.1: custom memory allocators and key file support. Everything else works! Using libgpgme also has the benefit of sending keep-alive status messages to a client for each crypto operation. Even key generation!

How pwmd handles the SAVE command is still up in the air but the way it is done now is that in order for a previously OPEN'ed data file to be SAVE'd the user must be able to decrypt it again if the current SAVE keyid parameters have changed. After encrypting at least one signing key is required. If not specified then all keyid's previously SAVE'd are used as well as signers. Multiple encryption and signing keys may be used. If an encryption keyid is specified but no signers are specified then the encryption keyid is used as the signing keyid. It is safe to do this since gpg will return an error if there are no signing keys available for some reason.

This is what I'm unsure about: maybe there should be a configured encryption and signing key that is used for each data file and a "global" default rather than letting them change during SAVE. It's less flexible but yet less error prone and less confusing.

Thoughts and ideas are always welcome.

-- Ben Kibbey

From: Ben K. <bj...@lu...> - 2015-04-05 15:09:01

Here's the (delayed) NEWS for version 3.0.13:

Fixed configure.ac to use any required pthread CFLAGS or LIBS.

Thread cancellation fixes.

Client names specified with "OPTION name=value" may no longer contain whitespace.

Added "GETINFO --verbose CLIENTS" to show connected clients and their state.

Added the "STATE" status message which is sent to connected clients during a client state change and has the same line format as the "GETINFO --verbose CLIENTS" command. This also adds a new configuration parameter "send_state" to disable sending the client state, send client states to only other clients who are invoking_user's or all connected clients. The default is invoking users.

Added configuration parameter "lock_timeout" that behaves as the default for "OPTION lock-timeout". The default is 5 seconds.

Added the "KILL" command to terminate another client when the current one is the "invoking_user".

Now sends a keepalive status message while waiting for a data file lock to be acquired.

Added command line option --kill to terminate a running pwmd instance.

The --use-agent command line option can now also disable gpg-agent use when "use_agent" is enabled in a configuration file.

A few bug fixes discovered by Coverity.

Added configuration parameter "tls_dh_level".

Changed the default "tls_cipher_suite" to SECURE256:SECURE192:SECURE128:-VERS-SSL3.0.

From: Ben K. <bj...@lu...> - 2015-04-05 15:08:59

Here's the NEWS:

Require GnuTLS >= 3.0.0 when --enable-gnutls is passed to configure.

Explicitly set pthread compiler and linker flags for Android.

Build fix for systems without getpwnam_r().

The "invoking_user" configuration parameter now accepts an ACL list as an argument. This removes the "invoking_tls" parameter since a TLS fingerprint hash can be specified in the ACL.

Added configuration parameter "invoking_file".

Attribute names must now conform to the XML 1.0 specification. This is to prevent parsing errors during the next OPEN. Element names (attribute values) remain the same.

The ATTR LIST command can now show attributes for an element path it otherwise would not have permission to access provided there is permission for its parent.

Fixed the LIST command showing an arbitrary element path after element access error.

Added a username field to the "GETINFO --verbose CLIENTS" command.

LIST now appends a target flag to an element with an error.

LIST command bug fixes.

Can now set a "target" attribute value to a restricted but visible element path.

Added configuration parameter "strict_kill" to let a client KILL another client when the client to kill is of the same uid or TLS fingerprint. Set to "true" to keep the old behavior.

From: Ben K. <bj...@lu...> - 2014-10-29 01:27:55

Here's the NEWS:

When opening a new file then opening another, the first file would be cached when not saved. So remove the cache entry for non-saved file to prevent a possible DoS.

Fixed the verbose flag of LIST to not append a "T" flag when no target existed for a root element.

Updated Debian packaging info so 'make deb' should now reflect the current version.

-- Ben Kibbey

From: Ben K. <bj...@lu...> - 2014-10-05 15:14:55

Here's the NEWS:

Update to work with newest gpg-agent. This adds configuration parameter "gpg_agent_socket" to replace "agent_env_file".

Fix doc/magic and the version string.

-- Ben Kibbey

From: Ben K. <bj...@lu...> - 2014-09-29 00:46:49

Here's the NEWS:

Fixed SAVE --keygrip and --sign-keygrip when not a new file.

Fixed SAVE using the previously opened file's signing key when the current file is a new one.

Fixed TLS socket hanging during handshake failure.

Fixed TLS wait interval during EAGAIN.

Added GETINFO USER to return the client username/hash.

Fixed MOVE doing an unneeded permission check.

Fixed CACHETIMEOUT to apply the new timeout immediately and not wait for the existing timer to expire.

Bugfixes. See ChangeLog for details.

-- Ben Kibbey
[XMPP: bjk AT jabber DOT org] - [IRC: (bjk) FreeNode/OFTC]

From: Ben K. <bj...@lu...> - 2014-09-21 17:05:42

Sorry for the quick release but it fixes a couple of important things:

Fix SAVE --inquire-keyparam for new files.

Fix TLS fingerprint hash case comparison.

Check permissions before modifying a "target" attribute.

Access is denied for an element that does not contain an "_acl" attribute unless the client is the invoking_user.

-- Ben Kibbey
[XMPP: bjk AT jabber DOT org] - [IRC: (bjk) FreeNode/OFTC]

From: Ben K. <bj...@lu...> - 2014-09-20 21:16:42

Here's the NEWS for this release:

Support for ELG keypairs.

The "allowed" configuration parameter supports TLS fingerprint hashes by prefixing the hash with a '#' character. This removes the "tls_access" configuration parameter.

Added configuration parameter "allowed_file" which should contain one username, group name or hash per line and has the same syntax as the "allowed" parameter.

TLS fingerprint hashes are now in SHA256 format and not SHA1 and when specified in a configuration parameter, or "allowed_file", should be prefixed with a '#'.

Added per-element access control lists (ACL). Works like the "allowed" configuration parameter but the ACL is stored in the element attribute "_acl". This adds a LIST --verbose flag 'P' to indicate that the current client is not allowed access to the element. This also adds the "invoking_user" and "invoking_tls" configuration parameters. See the documentation for details.

Removed libacl support for data files. It isn't very useful.

Fixed a recursion loop in the LIST command. See move test #8 and #9.

Disable attaching to the pwmd process. This is Linux specific and has the effect of hiding the pwmd process from 'ps' output.

A few other bug fixes. See ChangeLog for details.

-- Ben Kibbey

From: Ben K. <bj...@lu...> - 2014-05-16 01:41:09

Here's the NEWS:

More lenient element and attribute names. This reverts the behavior introduced in version 3.0.5. This allows for things like '@' or digits in an element or attribute name making pwmd more useful. I don't remember why I made it so strict in that version so I'll revert it for now until I do remember.

-- Ben Kibbey
[XMPP: bjk AT jabber DOT org] - [IRC: (bjk) FreeNode/OFTC]

From: Ben K. <bj...@lu...> - 2014-01-12 15:05:32

Hello,

Here's the release notes for version 3.0.6:

Write a PID file upon startup to detect a stale socket when running another instance.

Bind to the local socket before doing cache pushing.

Added command line option --force as an alias to --ignore.

Fixed a few cppcheck(1) warnings.

Fixed a bug that ignored the return value from launch_pinentry().

Added configuration parameter "log_keepopen" for use when logging to a file.

-- Ben Kibbey
[XMPP: bjk AT jabber DOT org] - [IRC: (bjk) FreeNode/OFTC]

From: Ben K. <bj...@lu...> - 2013-08-03 00:15:33

Here's the NEWS:

PWMD v3.0.5
-----------

More strict element and attribute names. Conform to the XML naming spec.

Log any non-fatal XML error. These may occur when loading or parsing an XML file.

Fixed a memory leak.

Set XML standalone mode; and UTF-8 encoding explicitly (the default).

(forgot to add this:) Fix ATTR SET whose value contains whitespace.

-- Ben Kibbey

From: Ben K. <bj...@lu...> - 2013-07-27 01:00:29

Here's the NEWS for version 3.0.4:

A few "target" attribute fixes.

Updated Debian packaging stuff. Try 'make deb'.

-- Ben Kibbey

From: Ben K. <bj...@lu...> - 2013-07-13 14:15:08

Hello,

Here's the NEWS for this release:

Fixed the PASSWD command requiring a passphrase for a non-PKI data file without a passphrase.

Fixed a few memory leaks.

The 'OPTION disable-pinentry' now resets the gpg-agent '--pinentry-mode' when needed.

Fixed new non-PKI data file cache entry getting cleared during SAVE.

The CLEARCACHE and CACHETIMEOUT commands now make use of the "tls_access" configuration parameter in a data file section like the OPEN command does. Also added a "-" flag to the fingerprint which behaves like the "!" flag.

-- Ben Kibbey

From: Ben K. <bj...@lu...> - 2013-06-22 23:10:51

Hello,

Here's the NEWS for pwmd v3.0.2:

The "allowed" configuration parameter now works in a data file section and is a list of local user or group names allowed to open the data file. The OPEN, CLEARCACHE and CACHETIMEOUT commands make use of this. This also adds a deny flag '-' to a user or group name.

Fixed the cache timer to expire deferred cache entries. No longer need to wait for the next OPEN or SAVE command.

Make use of the --no-passphrase option for non-PKI data files. This adds the --no-passphrase option to the PASSWD command.

Show a backtrace on SIGABRT.

-- Ben Kibbey

From: Ben K. <bj...@lu...> - 2013-04-01 01:17:36

This version fixes a few bugs when SAVE'ing to a new file (one of them a nasty crasher). It also changes the default values for the cache_timeout and keepalive_interval configuration parameters.

Upgrading is recommended since most users probably didn't get very far with the previous release. The crasher bug was discovered when running on Android and was undetected everywhere else, for me. Very strange. Even 'smatch' didn't see it.

http://sourceforge.net/projects/pwmd/files/3.0.1/

-- Ben Kibbey

From: Ben K. <bj...@lu...> - 2013-03-10 23:53:30

Hello,

I've released version 3.0 of pwmd. This version contains a few protocol command changes and improves portability and stability. It also supports using gpg-agent for PKI data files. Although gpg-agent is supported, the data file format is not OpenPGP compatible. This may change in the future, when I get smarter. :) You can still use any key that gpg-agent knows about, including keys stored on a smartcard.

Gpg-agent support is disabled by default since it requires development version (2.1.0) that has not been released yet. Enable it by passing --enable-agent to configure. You will also need to pass --use-agent to pwmd.

Please read NEWS included in the archive[1] for a full list of changes in this version. Libpwmd version 7.0[2] has also been released to make use of pwmd 3.0.

1. http://sourceforge.net/projects/pwmd/files/3.0
2. http://sourceforge.net/projects/libpwmd/files/7.0.0

-- Ben Kibbey

From: Ben K. <bj...@lu...> - 2012-06-07 23:23:51

Hello again,

Since the last announcement of pwmd 3.0 development, quite a few things have been implemented. Including:

* encryption of the cached document
* remote connections over TLS
* file mutex lock timeouts
* more LIST command options for faster client parsing
* CRC32 checksum of the data file (no longer use ctime)
* pinentry-loopback support (keyfiles and used over TLS)
* pinentry not blocking other clients when a different data file is opened
* a few protocol command bug fixes

The 'next' branch used to contain the 3.0 development and is now merged with 'master' where future changes will be committed. Testers are appreciated. So are bug reports, feature requests and patches.

The git repository for pwmd and libpwmd are available at the following URLs:

http://repo.or.cz/w/pwmd.git
http://repo.or.cz/w/libpwmd.git

-- Ben Kibbey
[XMPP: bjk AT jabber DOT org] - [IRC: (bjk) FreeNode/OFTC]

From: Ben K. <bj...@lu...> - 2011-06-20 22:51:22

I can't decide if OPEN should keep the file mutex lock on command error or not. For example, if a client were to try OPEN'ing a file and send the wrong passphrase while another client is waiting for the lock, should the failed OPEN keep the lock until UNLOCK or disconnect, or give up the lock to the other client?

As it is now, the lock is removed and the other client can obtain it.

-- Ben Kibbey
[XMPP: bjk AT thiessen DOT org] - [IRC: (bjk) FreeNode/OFTC]