Commit graph

39320 commits

Author SHA1 Message Date
Domen Kožar
ee14f8da9a remove references to isSystemUser and fix eval of tested job 2014-02-08 21:10:00 +01:00
Shea Levy
dea562b6b9 services.mesa -> hardware.opengl
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-08 14:45:37 -05:00
Domen Kožar
4a1e74673a pypy: support only linux for now 2014-02-08 20:27:57 +01:00
Domen Kožar
a23b87a13a pypy: disable a test with transient error #1634 2014-02-08 20:26:23 +01:00
Domen Kožar
b17edbac57 ModemManager: 0.5.4.0 -> 0.7.991 2014-02-08 20:17:00 +01:00
Domen Kožar
61f20ca45e libqmi: 1.0 -> 1.8.0, move outside gnome3 namespace, fix build 2014-02-08 20:17:00 +01:00
Moritz Ulrich
bb66a3ff6c Anki: Update to 2.0.22. 2014-02-08 19:19:50 +01:00
Moritz Ulrich
c983d23e33 elixir: Update to 0.12.3. 2014-02-08 19:05:31 +01:00
Moritz Ulrich
93f45ad2e5 Rebar: update to 2.2.0 2014-02-08 18:54:34 +01:00
Domen Kožar
4baa1197dd spring: add missing function parameters 2014-02-08 18:16:28 +01:00
Domen Kožar
64a8ae3692 SpringRTS: fix runtime dependencies and maintain 2014-02-08 18:11:59 +01:00
Vladimír Čunát
94ae555c06 Merge #1654: grsecurity: fix build and update 2014-02-08 17:46:27 +01:00
Vladimír Čunát
e78351cf3a llvm: revert to _33 default on darwin as a temp workaround
_34 doesn't build and I don't have a clue what to do about it
(and I don't have a machine to test it anyway).
2014-02-08 17:24:17 +01:00
Ricardo M. Correia
979473a17b chromium: Update stable channel from 32.0.1700.102 -> 32.0.1700.107 2014-02-08 15:40:25 +00:00
Ricardo M. Correia
b31547654d grsecurity: Update stable and test patches
stable: 3.0-3.2.54-201401191012 -> 3.0-3.2.54-201402062221
test:   3.0-3.12.8-201401191015 -> 3.0-3.13.2-201402062224
2014-02-08 16:16:58 +01:00
Ricardo M. Correia
31fa2cd52b grsecurity: Fix building grsec-3.x.0 kernels 2014-02-08 15:16:40 +00:00
Petr Rockai
12315a278c Merge branch 'yubikey' of git://github.com/Calrama/nixpkgs 2014-02-08 16:01:22 +01:00
Moritz Maxeiner
09f9af17b4 Update to the Yubikey PBA
Security-relevant changes:
 * No (salted) passphrase hash send to the yubikey, only hash of the salt (as it was in the original implementation).
 * Derive $k_luks with PBKDF2 from the yubikey $response (as the PBKDF2 salt) and the passphrase $k_user
   (as the PBKDF2 password), so that if two-factor authentication is enabled
   (a) a USB-MITM attack on the yubikey itself is not enough to break the system
   (b) the potentially low-entropy $k_user is better protected against brute-force attacks
 * Instead of using uuidgen, gather the salt (previously random uuid / uuid_r) directly from /dev/random.
 * Length of the new salt in byte added as the parameter "saltLength", defaults to 16 byte.
   Note: Length of the challenge is 64 byte, so saltLength > 64 may have no benefit over saltLengh = 64.
 * Length of $k_luks derived with PBKDF2 in byte added as the parameter "keyLength", defaults to 64 byte.
   Example: For a luks device with a 512-bit key, keyLength should be 64.
 * Increase of the PBKDF2 iteration count per successful authentication added as the
   parameter "iterationStep", defaults to 0.

Other changes:
 * Add optional grace period before trying to find the yubikey, defaults to 2 seconds.

Full overview of the yubikey authentication process:

  (1) Read $salt and $iterations from unencrypted device (UD).
  (2) Calculate the $challenge from the $salt with a hash function.
      Chosen instantiation: SHA-512($salt).
  (3) Challenge the yubikey with the $challenge and receive the $response.
  (4) Repeat three times:
    (a) Prompt for the passphrase $k_user.
    (b) Derive the key $k_luks for the luks device with a key derivation function from $k_user and $response.
        Chosen instantiation: PBKDF2(HMAC-SHA-512, $k_user, $response, $iterations, keyLength).
    (c) Try to open the luks device with $k_luks and escape loop (4) only on success.
  (5) Proceed only if luks device was opened successfully, fail otherwise.

  (6) Gather $new_salt from a cryptographically secure pseudorandom number generator
      Chosen instantiation: /dev/random
  (7) Calculate the $new_challenge from the $new_salt with the same hash function as (2).
  (8) Challenge the yubikey with the $new_challenge and receive the $new_response.
  (9) Derive the new key $new_k_luks for the luks device in the same manner as in (4) (b),
      but with more iterations as given by iterationStep.
 (10) Try to change the luks device's key $k_luks to $new_k_luks.
 (11) If (10) was successful, write the $new_salt and the $new_iterations to the UD.
      Note: $new_iterations = $iterations + iterationStep

Known (software) attack vectors:

 * A MITM attack on the keyboard can recover $k_user. This, combined with a USB-MITM
   attack on the yubikey for the $response (1) or the $new_response (2) will result in
   (1) $k_luks being recovered,
   (2) $new_k_luks being recovered.
 * Any attacker with access to the RAM state of stage-1 at mid- or post-authentication
   can recover $k_user, $k_luks, and  $new_k_luks
 * If an attacker has recovered $response or $new_response, he can perform a brute-force
   attack on $k_user with it without the Yubikey needing to be present (using cryptsetup's
   "luksOpen --verify-passphrase" oracle. He could even make a copy of the luks device's
   luks header and run the brute-force attack without further access to the system.
 * A USB-MITM attack on the yubikey will allow an attacker to attempt to brute-force
   the yubikey's internal key ("shared secret") without it needing to be present anymore.

Credits:

 * Florian Klien,
   for the original concept and the reference implementation over at
   https://github.com/flowolf/initramfs_ykfde
 * Anthony Thysse,
   for the reference implementation of accessing OpenSSL's PBKDF2 over at
   http://www.ict.griffith.edu.au/anthony/software/pbkdf2.c
2014-02-08 14:59:52 +01:00
Petr Rockai
8d877463f6 rpm: Build python bindings (--enable-python). 2014-02-08 14:38:09 +01:00
Petr Rockai
63478d9590 Add fedpkg, koji &c. + their python dependencies. 2014-02-08 14:37:53 +01:00
Petr Rockai
140e06f9aa osc: Add an OBS (open build system) CLI client. 2014-02-08 14:36:51 +01:00
Domen Kožar
5ffab7710d gnome3.gnome_control_center: build and fix runtime deps 2014-02-08 12:30:23 +01:00
Vladimír Čunát
4b5cfa6574 Merge #1699: firefox-27.0 and nss-3.15.4 2014-02-08 12:13:40 +01:00
Vladimír Čunát
24029ec478 linux: minor updates 3.12.10, 3.10.29, 3.4.79 2014-02-08 11:54:16 +01:00
Vladimír Čunát
9665c85f99 kde410.kde_workspace: fix CVE-2013-4132 by upstream patch 2014-02-08 11:52:56 +01:00
mornfall
24966fff21 Merge pull request #1702 from vlstill/perf-fix
perf: Allow proceeding in build even if patch fails.
2014-02-08 11:32:10 +01:00
Pascal Wittmann
0fa30be7a8 andagii: fix fetch by providing a different user-agent
Close #1706.
2014-02-08 11:16:22 +01:00
Vladimír Čunát
989bfbac79 llvmPackages on darwin: attempt to fix build by using gcc48 2014-02-08 09:49:41 +01:00
Vladimír Čunát
3967a1c444 spring: disable parallel building, as it breaks on Hydra
(cherry picked from commit e43018e019)
2014-02-08 09:15:20 +01:00
Vladimír Čunát
7ae5902c59 libchop: fix build by reverting to gnutls31
The errors were a bit cryptic.
CC @viric.
2014-02-08 09:01:16 +01:00
Domen Kožar
b0f6170468 Merge pull request #1703 from PkmX/pr-ibus
Fix ibus-setup
2014-02-08 08:38:18 +01:00
Vladimír Čunát
c4dbb0a961 rtmpdump: fix build by reverting to gnutls31 2014-02-08 08:29:09 +01:00
William A. Kennington III
4191ee53b9 murmur: Upgrade 1.2.4 -> 1.2.5 2014-02-07 21:29:38 -06:00
William A. Kennington III
07b38340bd mumble: Upgrade 1.2.4 -> 1.2.5 2014-02-07 21:29:29 -06:00
James Cook
6e6351a376 Merge remote-tracking branch 'official/master' into firefox_27 2014-02-07 17:31:54 -08:00
James Cook
8ef2cadca4 gnash: Hack to define nullptr as NULL, since some included mozilla headers seem to want nullptr 2014-02-07 17:28:02 -08:00
PkmX
f7e47552bf Add dconf to GIO_EXTRA_MODULES so ibus-setup doesn't use the memory backend. 2014-02-08 07:38:04 +08:00
Bjørn Forsman
db12d783ff nixos: add uid/gid for munin
To be compatible with eb2f44c18c (Generate
/etc/passwd and /etc/group at build time). Without this you'll get this:

  $ nixos-rebuild build
  [...]
  user-thrown exception: The option `users.extraGroups.unnamed-9.1.gid' is used but not defined.
2014-02-07 23:08:15 +01:00
Vladimir Still
d3979b659c perf: Make build fix for 3.13 cleaner. 2014-02-07 22:53:55 +01:00
PkmX
498c068799 Add pygobject3 to PYTHONPATH and add relevant paths to LD_LIBRRY_PATH and GI_TYPELIB_PATH to fix the perference GUI (ibus-setup). 2014-02-08 05:44:44 +08:00
Peter Simons
f163bce98d Merge pull request #1694 from oxij/haskell-updates
add several haskell packages
2014-02-07 19:47:49 +01:00
Vladimir Still
70e4f8f928 perf: Allow proceeding in build even if patch fails.
Patching fails for linux 3.13 but it builds OK.
2014-02-07 18:16:24 +01:00
Jan Malakhovski
a8db8e15e6 add haskellPackages.ixdopp 2014-02-07 16:46:21 +00:00
William A. Kennington III
6b2533c48f glfw: Update packaging and add v3
This patch cleans up the previous glfw2 package. Additionally, it adds
glfw3 and makes that the new default glfw version.
2014-02-07 16:05:28 +00:00
Peter Simons
97f5ebd742 Merge pull request #1668 from errge/master
Added snapBlaze and sqliteSimple haskell packages
2014-02-07 16:45:10 +01:00
Shea Levy
e058de1642 Add option to enforce uniqueness of uids/gids (on by default)
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-07 09:57:28 -05:00
Sander van der Burg
5b243ad015 netbeans: Bump to version 7.4 2014-02-07 13:20:52 +01:00
Jan Malakhovski
515d4ad8fe add haskellPackages.preprocessorTools (0.1.3 and 1.0.1) 2014-02-07 12:05:54 +00:00
Domen Kožar
4f3d4c55ff vim-ft: match attributes with dash and set nix as ft 2014-02-07 11:06:41 +01:00
Peter Simons
56d26d04ec haskell-sparse: jailbreak to fix build with current versions of vector-algorithms and QuickCheck
https://github.com/NixOS/nixpkgs/pull/1692
https://github.com/ekmett/sparse/issues/3
https://github.com/ekmett/sparse/issues/4
2014-02-07 10:04:38 +01:00