Commit graph

39296 commits

Author SHA1 Message Date
Ricardo M. Correia
31fa2cd52b grsecurity: Fix building grsec-3.x.0 kernels 2014-02-08 15:16:40 +00:00
Petr Rockai
12315a278c Merge branch 'yubikey' of git://github.com/Calrama/nixpkgs 2014-02-08 16:01:22 +01:00
Moritz Maxeiner
09f9af17b4 Update to the Yubikey PBA
Security-relevant changes:
 * No (salted) passphrase hash sent to the yubikey, only hash of the salt (as it was in the original implementation).
 * Derive $k_luks with PBKDF2 from the yubikey $response (as the PBKDF2 salt) and the passphrase $k_user
   (as the PBKDF2 password), so that if two-factor authentication is enabled
   (a) a USB-MITM attack on the yubikey itself is not enough to break the system
   (b) the potentially low-entropy $k_user is better protected against brute-force attacks
 * Instead of using uuidgen, gather the salt (previously random uuid / uuid_r) directly from /dev/random.
 * Length of the new salt in bytes added as the parameter "saltLength", defaults to 16 bytes.
   Note: Length of the challenge is 64 bytes, so saltLength > 64 may have no benefit over saltLength = 64.
 * Length of $k_luks derived with PBKDF2 in bytes added as the parameter "keyLength", defaults to 64 bytes.
   Example: For a luks device with a 512-bit key, keyLength should be 64.
 * Increase of the PBKDF2 iteration count per successful authentication added as the
   parameter "iterationStep", defaults to 0.

Other changes:
 * Add optional grace period before trying to find the yubikey, defaults to 2 seconds.

Full overview of the yubikey authentication process:

  (1) Read $salt and $iterations from unencrypted device (UD).
  (2) Calculate the $challenge from the $salt with a hash function.
      Chosen instantiation: SHA-512($salt).
  (3) Challenge the yubikey with the $challenge and receive the $response.
  (4) Repeat three times:
    (a) Prompt for the passphrase $k_user.
    (b) Derive the key $k_luks for the luks device with a key derivation function from $k_user and $response.
        Chosen instantiation: PBKDF2(HMAC-SHA-512, $k_user, $response, $iterations, keyLength).
    (c) Try to open the luks device with $k_luks and escape loop (4) only on success.
  (5) Proceed only if luks device was opened successfully, fail otherwise.

  (6) Gather $new_salt from a cryptographically secure pseudorandom number generator
      Chosen instantiation: /dev/random
  (7) Calculate the $new_challenge from the $new_salt with the same hash function as (2).
  (8) Challenge the yubikey with the $new_challenge and receive the $new_response.
  (9) Derive the new key $new_k_luks for the luks device in the same manner as in (4) (b),
      but with more iterations as given by iterationStep.
 (10) Try to change the luks device's key $k_luks to $new_k_luks.
 (11) If (10) was successful, write the $new_salt and the $new_iterations to the UD.
      Note: $new_iterations = $iterations + iterationStep

Known (software) attack vectors:

 * A MITM attack on the keyboard can recover $k_user. This, combined with a USB-MITM
   attack on the yubikey for the $response (1) or the $new_response (2) will result in
   (1) $k_luks being recovered,
   (2) $new_k_luks being recovered.
 * Any attacker with access to the RAM state of stage-1 at mid- or post-authentication
   can recover $k_user, $k_luks, and $new_k_luks.
 * If an attacker has recovered $response or $new_response, he can perform a brute-force
   attack on $k_user with it without the Yubikey needing to be present (using cryptsetup's
   "luksOpen --verify-passphrase" oracle). He could even make a copy of the luks device's
   luks header and run the brute-force attack without further access to the system.
 * A USB-MITM attack on the yubikey will allow an attacker to attempt to brute-force
   the yubikey's internal key ("shared secret") without it needing to be present anymore.

Credits:

 * Florian Klien,
   for the original concept and the reference implementation over at
   https://github.com/flowolf/initramfs_ykfde
 * Anthony Thysse,
   for the reference implementation of accessing OpenSSL's PBKDF2 over at
   http://www.ict.griffith.edu.au/anthony/software/pbkdf2.c
2014-02-08 14:59:52 +01:00
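
Steps (1) to (11) of the authentication process in commit 09f9af17b4 above, as an added Python example that is not part of the commit or of nixpkgs. Assumptions: the token is simulated in software with HMAC-SHA1, the unencrypted device and the luks device are plain dicts, all function names are hypothetical, and the three-attempt prompt loop of step (4) is reduced to a single attempt.

```python
import hashlib
import hmac
import os

def challenge(salt):
    # Steps (2)/(7): the challenge is SHA-512 of the salt (64 bytes).
    return hashlib.sha512(salt).digest()

def token_response(secret, chal):
    # ASSUMPTION: software stand-in for the yubikey, modelled as
    # HMAC-SHA1 over the challenge with the token's shared secret.
    return hmac.new(secret, chal, hashlib.sha1).digest()

def derive_k_luks(k_user, response, iterations, key_length=64):
    # Step (4)(b): PBKDF2(HMAC-SHA-512, password=$k_user, salt=$response).
    return hashlib.pbkdf2_hmac("sha512", k_user, response, iterations, key_length)

def enroll(secret, k_user, iterations, salt_length=16, key_length=64):
    # Constructed initial state: "ud" is the unencrypted device, "luks" the key slot.
    salt = os.urandom(salt_length)
    response = token_response(secret, challenge(salt))
    ud = {"salt": salt, "iterations": iterations}
    luks = {"key": derive_k_luks(k_user, response, iterations, key_length)}
    return ud, luks

def unlock_and_rotate(ud, luks, secret, k_user, salt_length=16, iteration_step=0):
    # Steps (1)-(5): derive $k_luks and "open" the device; fail without side effects.
    response = token_response(secret, challenge(ud["salt"]))
    k_luks = derive_k_luks(k_user, response, ud["iterations"], len(luks["key"]))
    if not hmac.compare_digest(k_luks, luks["key"]):
        return False
    # Steps (6)-(9): fresh salt (os.urandom stands in for /dev/random), new response, new key.
    new_salt = os.urandom(salt_length)
    new_response = token_response(secret, challenge(new_salt))
    new_iterations = ud["iterations"] + iteration_step
    # Steps (10)-(11): change the key first, then persist salt and iteration count.
    luks["key"] = derive_k_luks(k_user, new_response, new_iterations, len(luks["key"]))
    ud["salt"], ud["iterations"] = new_salt, new_iterations
    return True
```

Because the salt changes on every successful unlock, a recorded $response is only useful against the key that was current when it was captured, which is the situation the "Known (software) attack vectors" list describes.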
Petr Rockai
8d877463f6 rpm: Build python bindings (--enable-python). 2014-02-08 14:38:09 +01:00
Petr Rockai
63478d9590 Add fedpkg, koji &c. + their python dependencies. 2014-02-08 14:37:53 +01:00
Petr Rockai
140e06f9aa osc: Add an OBS (open build system) CLI client. 2014-02-08 14:36:51 +01:00
Domen Kožar
5ffab7710d gnome3.gnome_control_center: build and fix runtime deps 2014-02-08 12:30:23 +01:00
Vladimír Čunát
4b5cfa6574 Merge #1699: firefox-27.0 and nss-3.15.4 2014-02-08 12:13:40 +01:00
Vladimír Čunát
24029ec478 linux: minor updates 3.12.10, 3.10.29, 3.4.79 2014-02-08 11:54:16 +01:00
Vladimír Čunát
9665c85f99 kde410.kde_workspace: fix CVE-2013-4132 by upstream patch 2014-02-08 11:52:56 +01:00
mornfall
24966fff21 Merge pull request #1702 from vlstill/perf-fix
perf: Allow proceeding in build even if patch fails.
2014-02-08 11:32:10 +01:00
Pascal Wittmann
0fa30be7a8 andagii: fix fetch by providing a different user-agent
Close #1706.
2014-02-08 11:16:22 +01:00
Vladimír Čunát
989bfbac79 llvmPackages on darwin: attempt to fix build by using gcc48 2014-02-08 09:49:41 +01:00
Vladimír Čunát
3967a1c444 spring: disable parallel building, as it breaks on Hydra
(cherry picked from commit e43018e019)
2014-02-08 09:15:20 +01:00
Vladimír Čunát
9b69117fec Merge master into x-updates 2014-02-08 09:12:51 +01:00
Vladimír Čunát
7ae5902c59 libchop: fix build by reverting to gnutls31
The errors were a bit cryptic.
CC @viric.
2014-02-08 09:01:16 +01:00
Domen Kožar
b0f6170468 Merge pull request #1703 from PkmX/pr-ibus
Fix ibus-setup
2014-02-08 08:38:18 +01:00
Vladimír Čunát
c4dbb0a961 rtmpdump: fix build by reverting to gnutls31 2014-02-08 08:29:09 +01:00
William A. Kennington III
4191ee53b9 murmur: Upgrade 1.2.4 -> 1.2.5 2014-02-07 21:29:38 -06:00
William A. Kennington III
07b38340bd mumble: Upgrade 1.2.4 -> 1.2.5 2014-02-07 21:29:29 -06:00
James Cook
6e6351a376 Merge remote-tracking branch 'official/master' into firefox_27 2014-02-07 17:31:54 -08:00
James Cook
8ef2cadca4 gnash: Hack to define nullptr as NULL, since some included mozilla headers seem to want nullptr 2014-02-07 17:28:02 -08:00
PkmX
f7e47552bf Add dconf to GIO_EXTRA_MODULES so ibus-setup doesn't use the memory backend. 2014-02-08 07:38:04 +08:00
Bjørn Forsman
db12d783ff nixos: add uid/gid for munin
To be compatible with eb2f44c18c (Generate
/etc/passwd and /etc/group at build time). Without this you'll get this:

  $ nixos-rebuild build
  [...]
  user-thrown exception: The option `users.extraGroups.unnamed-9.1.gid' is used but not defined.
2014-02-07 23:08:15 +01:00
Vladimir Still
d3979b659c perf: Make build fix for 3.13 cleaner. 2014-02-07 22:53:55 +01:00
PkmX
498c068799 Add pygobject3 to PYTHONPATH and add relevant paths to LD_LIBRARY_PATH and GI_TYPELIB_PATH to fix the preference GUI (ibus-setup). 2014-02-08 05:44:44 +08:00
Peter Simons
f163bce98d Merge pull request #1694 from oxij/haskell-updates
add several haskell packages
2014-02-07 19:47:49 +01:00
Vladimir Still
70e4f8f928 perf: Allow proceeding in build even if patch fails.
Patching fails for linux 3.13 but it builds OK.
2014-02-07 18:16:24 +01:00
Jan Malakhovski
a8db8e15e6 add haskellPackages.ixdopp 2014-02-07 16:46:21 +00:00
William A. Kennington III
6b2533c48f glfw: Update packaging and add v3
This patch cleans up the previous glfw2 package. Additionally, it adds
glfw3 and makes that the new default glfw version.
2014-02-07 16:05:28 +00:00
Peter Simons
97f5ebd742 Merge pull request #1668 from errge/master
Added snapBlaze and sqliteSimple haskell packages
2014-02-07 16:45:10 +01:00
Shea Levy
e058de1642 Add option to enforce uniqueness of uids/gids (on by default)
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-07 09:57:28 -05:00
Sander van der Burg
5b243ad015 netbeans: Bump to version 7.4 2014-02-07 13:20:52 +01:00
Jan Malakhovski
515d4ad8fe add haskellPackages.preprocessorTools (0.1.3 and 1.0.1) 2014-02-07 12:05:54 +00:00
Domen Kožar
4f3d4c55ff vim-ft: match attributes with dash and set nix as ft 2014-02-07 11:06:41 +01:00
Peter Simons
56d26d04ec haskell-sparse: jailbreak to fix build with current versions of vector-algorithms and QuickCheck
https://github.com/NixOS/nixpkgs/pull/1692
https://github.com/ekmett/sparse/issues/3
https://github.com/ekmett/sparse/issues/4
2014-02-07 10:04:38 +01:00
Thomas Tuegel
5b421f7bdb Add Haskell packages 'hybrid-vectors' and 'sparse'.
Also, disable the test suite of 'linear' which fails running the doctests.
2014-02-07 10:04:38 +01:00
Peter Simons
6498f48976 haskell-linear: this package requires lens 4.x to compile 2014-02-07 10:04:38 +01:00
Peter Simons
fabda56521 haskell-lens: update to version 4.0.1 2014-02-07 10:04:38 +01:00
Vladimír Čunát
6fa5612a46 gnutls2: fix build in chroot (/usr/bin/perl doc script)
I've got no idea how this could get triggered on Hydra, 97e7ce2 ?
2014-02-07 09:50:27 +01:00
Mathijs Kwik
896ae598d1 Merge pull request #1698 from wkennington/master.kernel
kernel: Upgrade from 3.13.1 -> 3.13.2
2014-02-07 06:42:53 +01:00
Corey O'Connor
7a653e5156 add guvcview package 2014-02-07 00:01:40 +00:00
Jan Malakhovski
f5de6b8fc8 updates: mr, vcsh and transmission-remote-gtk
- mr: copy some more stuff to output
- add vcsh package
- transmission-remote-gtk: 1.0.1 -> 1.1.1
2014-02-06 23:37:53 +00:00
Domen Kožar
506a030b91 gnome3: add missing files 2014-02-07 00:37:17 +01:00
Domen Kožar
65a28e8b73 Add gnome3 desktop manager. Very experimental.
Currently very basic gnome-shell launches on my laptop. Quite some
services won't start yet, most notable is gnome-control-center.

GTK3 apps still don't have theming applied and for example launching
chromium results in horrible red windows.
2014-02-07 00:31:29 +01:00
Domen Kožar
c5c14c72f4 gnome3.gnome-settings-daemon: add missing input 2014-02-07 00:31:10 +01:00
Domen Kožar
1142be6301 gnome3.gnome_terminal: add missing runtime dependencies 2014-02-07 00:30:21 +01:00
Domen Kožar
2d166153ec gnome3.gnome-shell: add GDK_PIXBUF_MODULE that has svg and png loaders 2014-02-07 00:30:21 +01:00
Domen Kožar
c9decf12e3 gnome3.gnome-keyring: add missing runtime dependency 2014-02-07 00:30:21 +01:00
Domen Kožar
15fb296b43 xfce: partially add gtk3 support 2014-02-07 00:30:21 +01:00