Releases: davidolrik/keyhole
v1.1.2
v1.1.1
Changelog
- 8fd1313 fix: Add defense-in-depth path containment checks in storage layer
- cdb4126 fix: Add dummy DecryptWithKey in DecryptAndUpgrade success path to equalize timing
- 93993e5 fix: Check derivation error instead of nil key in Accept timing equalization
- 79fb832 fix: Log failures when re-wrapping vault key during legacy migration
- 2e29c68 fix: Make sanitizeError robust against unexpected error format patterns
- 4f9b526 fix: Use O_NOFOLLOW in DeleteVault to eliminate symlink TOCTOU window
- 3ffd58b fix: Use O_NOFOLLOW when opening audit log to prevent symlink attacks
- d9dc62e fix: Use ReadFileNoFollow in publicKeyHandler to prevent symlink TOCTOU
- 26042a8 fix: Use legacy key for dummy decrypt in VaultKey timing equalization
- 782671a fix: Use legacy key for dummy decrypt in decryptVaultSecret timing equalization
- 674bbd3 fix: Validate admin usernames at config load time to fail fast on invalid names
v1.1.0
v1.0.0
Changelog
- b0c2d92 feat: Add HKDF salt to all key derivation functions
- 807fe77 feat: Add audit logging for registration and vault operations
- e3240ac feat: Add configurable invite TTL, consumed invite cleanup, and periodic cleanup goroutine
- dc443b4 feat: Add rate limiting, session timeouts, and readLine timeout
- 5585c35 feat: Add vault demote user command
- 10dd1da feat: Add vault revoke user command
- 8e079c9 fix: Add 512-character path length limit to prevent filesystem overflow
- 5dfd6b9 fix: Add 72-hour TTL to invite codes
- 8c24404 fix: Add 72-hour TTL to vault invite tokens
- 487ed4e fix: Add GCM ciphertext tampering tests to verify authentication integrity
- 1adb0d9 fix: Add audit logging for denied vault accept attempts
- 65d3e7c fix: Add graceful shutdown with signal handling to flush audit log on exit
- 911fb3b fix: Add length limits to vault names (64) and usernames (64) to prevent path length abuse
- 09f0dae fix: Add maximum concurrent connection limit to prevent file descriptor exhaustion
- fc6bfe4 fix: Add maximum length validation for invite codes
- 2b97a45 fix: Add per-vault mutex lock to Invite() to prevent race conditions
- b426773 fix: Add per-vault mutex to Create to prevent TOCTOU race on vault creation
- d90973e fix: Add per-vault mutex to Destroy to prevent race conditions with concurrent operations
- 536edee fix: Add per-vault mutex to prevent TOCTOU races on members.json
- 579223b fix: Add reserved name "personal" check to validateVaultRef for consistency with validateVaultName
- e1074ae fix: Add size limits to vault metadata file reads
- 14d45b3 fix: Add symlink checks to AddUserKey to prevent arbitrary file write via symlink
- 5cb36bd fix: Add symlink checks to all vault metadata and key storage operations
- 7afa18c fix: Add symlink detection to storage file operations
- c3c2755 fix: Add timing equalization to vault invite accept to prevent invite existence probing
- 6e68e3c fix: Audit log denied invite generation attempts by non-admin users
- c426537 fix: Audit log failed vault operations for security monitoring
- c4f3224 fix: Audit log successful admin invite code generation
- 169ca6c fix: Avoid temporary string allocation when loading server secret from file
- 719810f fix: Change server.Config.ServerSecret from string to []byte to allow zeroization of sensitive material
- c2703c1 fix: Check chmod errors during audit log rotation and enforce 0600 on open
- 2104912 fix: Check config file permissions before reading to eliminate TOCTOU window for sensitive values
- 08e3b1b fix: Check for symlinks on user directory in addition to .ssh and authorized_keys
- 641e3e5 fix: Check vault directory existence in addition to meta.json to prevent overwriting partial state
- be3dbd0 fix: Check vault ownership before destroy confirmation prompt
- dc8585f fix: Clean up expired invite code files on server startup
- aa2cef9 fix: Clean up orphaned vault key if members write fails during accept
- e4e1734 fix: Cleanup expired entries from rate limiter to prevent memory leak
- 44dc78d fix: Clear config.ServerSecret string after converting to []byte to reduce secret residue in memory
- f68d4b5 fix: Close TCP listener on shutdown to prevent port rebind failures on restart
- 7593cbd fix: Close session stdin on readLine timeout to prevent goroutine leak under slow-trickle attacks
- 20abaf5 fix: Consolidate duplicate zeroize implementations into a single exported crypto.Zeroize
- 735d971 fix: Consolidate vault name validation to single source in vault.ValidateVaultName
- d3089c2 fix: Correct ConnRateLimit comment to match actual default of 10
- 64b3e4d fix: Delete pending invite files on vault member revoke to prevent rejoin via stale tokens
- b1918b1 fix: Document HKDF info field separator safety invariant that depends on input validation rejecting colons
- 9b51e31 fix: Don't ignore rand.Int errors
- 9bb57a6 fix: Don’t ignore HKDF errors
- 4187a55 fix: Eliminate TOCTOU races in file reads using O_NOFOLLOW and fd-based size limits
- cb292a3 fix: Enforce config file permissions unconditionally, not just when server_secret is present
- a2c1086 fix: Enforce reserved underscore-prefix rule in validateVaultRef to match validateVaultName
- 701df26 fix: Enforce secret size limit during read to prevent memory exhaustion
- 11fb03b fix: Enforce size limit when reading secrets from disk to prevent memory exhaustion
- a53cc32 fix: Equalize timing across all registration rejection paths to prevent side-channel leaks
- 032229e fix: Equalize timing across salted and legacy key derivation paths to prevent side-channel leaks
- 0e4b954 fix: Equalize work in invite code validation to prevent timing side-channel
- fc96d60 fix: Explicitly set 0600 permissions on rotated audit log files after rename
- c5d87dc fix: Export BuildChallenge from crypto package to eliminate duplicate in vault
- e51be22 fix: Fall back to raw remote address for rate limiting when SplitHostPort fails
- da5d289 fix: Improve timing side-channel mitigation in vault Accept by running full crypto path on dummy data
- 4b493a8 fix: Include source and destination details in audit log for move operations
- e204849 fix: Log errors from os.Rename during audit log rotation instead of silently ignoring them
- 77c282a fix: Log errors when removing expired invite code files
- 2141414 fix: Log vault access denials as VaultOpDenied instead of generic command errors
- bf2f94f fix: Log warning when pending invite deletion fails after vault accept
- 95f63b7 fix: Mitigate invite code timing side-channel
- 8e61cc6 fix: Normalize error messages in vault Accept to prevent token format disclosure
- d98e87d fix: Prevent TOCTOU race in invite code consumption
- c24fc23 fix: Prevent compiler from eliding Zeroize by adding runtime.KeepAlive
- 244227e fix: Prevent error info leak in move by routing through sanitizeError
- 97c5a0a fix: Prevent username enumeration via SSH auth behavior
- 0a46849 fix: Propagate pending invite deletion errors in vault revoke to prevent stale token rejoin
- 5af06ec fix: Reject colons in vault name references for consistent validation
- d68da43 fix: Reject config files with overly permissive permissions
- aa2de1a fix: Reject control characters in invite codes to prevent log injection
- 83a8dfb fix: Reject data directory with group or world permissions at startup
- 05da694 fix: Reject duplicate vault invites to prevent silent token invalidation
- d6603ac fix: Reject filesystem wildcard characters in vault names
- 73d919f fix: Reject move commands where source and destination are the same
- ebb9bcf fix: Reject reserved usernames that conflict with internal directories
- 650fb9c fix: Reject server secret file with group- or world-readable permissions
- a5efd5d fix: Reject server secrets shorter than 64 characters
- f277e4f fix: Reject symlinked authorized_keys to prevent path redirection
- f37578e fix: Reject symlinked vault directories in ListVaults and DeleteVault to prevent directory traversal
- d1828d3 fix: Reject vault invite accept for users who are already members to prevent role downgrade
- b70eedd fix: Replace custom hexDecode with encoding/hex.DecodeStrin...