From owner-svn-src-head@freebsd.org Sun Feb 19 21:07:02 2017 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B9FC0CE5D0C; Sun, 19 Feb 2017 21:07:02 +0000 (UTC) (envelope-from yaneurabeya@gmail.com) Received: from mail-pf0-x244.google.com (mail-pf0-x244.google.com [IPv6:2607:f8b0:400e:c00::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 85BBE1863; Sun, 19 Feb 2017 21:07:02 +0000 (UTC) (envelope-from yaneurabeya@gmail.com) Received: by mail-pf0-x244.google.com with SMTP id c193so3072934pfb.3; Sun, 19 Feb 2017 13:07:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:mime-version:from:in-reply-to:date:cc:message-id:references :to; bh=gq4XMkK7oYGeN7zY4u7XoF/jYwbGOC+QEWgMG9rHdVo=; b=L/NCF+hPiPtW6HLQfli5HtkVzprSAYZOPetuj8ABDL0WYl6nBDZfg+lKqOoLT7DFSG lc3Bv9STbvfia5ARrqRM3NXdbwX1yjK3MpgyF3LDLozYSBhIME5PLdlVEWE9qcX3sDy8 thwYhwBXVVZEut3+iuDk1AiPoqRAfg/2aaB6GNVrDockjdzOFHtGl0L9iNy+quL3816K Kxaf/zFZCO7NdGabqOZXt8d0c4pWiRffqqMFi+L7egLnwru26brnr5zksu2ml0XcQZVq FAmOqx7ndyw1/sWT9ygqK03cjC53jcNETZSmoQkMbUEUxFrkiOPH/CLzyq6T6B1jZ4WY ri8w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:mime-version:from:in-reply-to:date:cc :message-id:references:to; bh=gq4XMkK7oYGeN7zY4u7XoF/jYwbGOC+QEWgMG9rHdVo=; b=C0eemWBAUu8H1FSWwFGBot6Age9Mt3exujp6PPTn8hBtGR9bEYJZ85Era7AFZS3Y8n lrMNcdhyOWtnoMaA6tKWypwIM6WMk8QRmYU+F1RtkYqnge7BeuF5OtJ3F2t6IiWSAjhr XpSmyb3xgUz9ZJ96jonz0aJs93QXcliNDugoK0G7XI4tgjL1Yq41b8RF3UqvwtMNpQpF a6+kYPmTvVR58Y8JVqi/1ADlKICh8o/lyMV0M1sIpCmlDuZaLkrAikz0wiCABl3G+Rw+ OAHxT2Srjq4QMs0ouEBAMJtClaK5lrUzbv9atJ7J8sqUI/PAJlTI3o64aqejaPkdi+DB my0g== X-Gm-Message-State: AMke39npnQrbeyiyWVVPWnbgD6LJr24qmhH5YfVjQMvESE8n94AhXhiMzE92y+sYYbWyJQ== X-Received: by 10.99.115.71 with SMTP id d7mr23333946pgn.56.1487538421706; Sun, 19 Feb 2017 13:07:01 -0800 (PST) Received: from pinklady.local (c-73-19-52-228.hsd1.wa.comcast.net. [73.19.52.228]) by smtp.gmail.com with ESMTPSA id p66sm30824426pfb.88.2017.02.19.13.07.00 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 19 Feb 2017 13:07:00 -0800 (PST) Subject: Re: svn commit: r313962 - in head: etc/mtree sys/boot/geli sys/geom/eli tests/sys/geom tests/sys/geom/eli tests/sys/geom/eli/pbkdf2 Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\)) Content-Type: multipart/signed; boundary="Apple-Mail=_10773C72-170A-4915-BBEE-234171C04697"; protocol="application/pgp-signature"; micalg=pgp-sha512 X-Pgp-Agent: GPGMail From: "Ngie Cooper (yaneurabeya)" In-Reply-To: Date: Sun, 19 Feb 2017 13:06:59 -0800 Cc: src-committers , svn-src-all@freebsd.org, svn-src-head@freebsd.org Message-Id: References: <201702191930.v1JJUW3q051018@repo.freebsd.org> To: Allan Jude X-Mailer: Apple Mail (2.3124) X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 19 Feb 2017 21:07:02 -0000 --Apple-Mail=_10773C72-170A-4915-BBEE-234171C04697 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 > On Feb 19, 2017, at 13:01, Ngie Cooper (yaneurabeya) = wrote: >=20 >>=20 >> On Feb 19, 2017, at 11:30, Allan Jude wrote: >>=20 >> Author: allanjude >> Date: Sun Feb 19 19:30:31 2017 >> New Revision: 313962 >> URL: https://svnweb.freebsd.org/changeset/base/313962 >>=20 >> Log: >> improve PBKDF2 performance >>=20 >> The PBKDF2 in sys/geom/eli/pkcs5v2.c is around half the speed it = could be >>=20 >> GELI's PBKDF2 uses a simple benchmark to determine a number of = iterations >> that will takes approximately 2 seconds. The security provided is = actually >> half what is expected, because an attacker could use the optimized >> algorithm to brute force the key in half the expected time. >>=20 >> With this change, all newly generated GELI keys will be approximately = 2x >> as strong. Previously generated keys will talk half as long to = calculate, >> resulting in faster mounting of encrypted volumes. Users may choose = to >> rekey, to generate a new key with the larger default number of = iterations >> using the geli(8) setkey command. >>=20 >> Security of existing data is not compromised, as ~1 second per brute = force >> attempt is still a very high threshold. >>=20 >> PR: 202365 >> Original Research: = https://jbp.io/2015/08/11/pbkdf2-performance-matters/ >> Submitted by: Joe Pixton (Original = Version), jmg (Later Version) >> Reviewed by: ed, pjd, delphij >> Approved by: secteam, pjd (maintainer) >> MFC after: 2 weeks >> Differential Revision: https://reviews.freebsd.org/D8236 >>=20 >> Added: >> head/tests/sys/geom/eli/ >> head/tests/sys/geom/eli/Makefile (contents, props changed) >> head/tests/sys/geom/eli/pbkdf2/ >> head/tests/sys/geom/eli/pbkdf2/Makefile (contents, props changed) >> head/tests/sys/geom/eli/pbkdf2/gentestvect.py (contents, props = changed) >> head/tests/sys/geom/eli/pbkdf2/hmactest.c (contents, props changed) >> head/tests/sys/geom/eli/pbkdf2/testvect.h (contents, props changed) >> Modified: >> head/etc/mtree/BSD.tests.dist >> head/sys/boot/geli/Makefile >> head/sys/geom/eli/g_eli.h >> head/sys/geom/eli/g_eli_hmac.c >> head/sys/geom/eli/pkcs5v2.c >> head/tests/sys/geom/Makefile >=20 > python (2.x) is now a requirement for the build after this = commit--this is problematic for a few reasons: > 1. py3k is quickly becoming the defacto version upstream, and = sometime in the future will become the one and only version. > 2. python is not in the limited path when the build is executed, = and unfortunately this path might be triggered if the file that=E2=80=99s = generated is older than the script. > 3. Not everyone is guaranteed to install the python port. > Could you please fix this? > Thanks, > -Ngie >=20 > PS. The script that was committed is also not-PEP8 compliant (I see = hard tab indentation instead of 4-space indents). Also, why wasn=E2=80=99t this test instead committed to = =E2=80=A6/tests/sys/geom/class/eli/ instead of = =E2=80=A6/tests/sys/geom/eli/pbkdf2/ ? Thanks, -Ngie --Apple-Mail=_10773C72-170A-4915-BBEE-234171C04697 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJYqgjzAAoJEPWDqSZpMIYVs0MP/15hNmHebJvm80c3bgJ20A48 4UfSNZgPsUY9Oh0ob04/8u18LsT2X4QK51HUwAVypMMArW+TZTiG4Z7hpEwZIry5 r1rge6TL/D+KjIsL4OwRdvvgY4z2erGc0+ktsSoBTzNi9roDF0AlmHF/szAxyJhD NRsT/wD4RLAqet2pwSsGcxJM56ZIQrOpCuz15a79mT6pb0HhoyEYZHOCpDssL2NJ wSrViq2IY8BN1kNFYQ4TetL7Fq7YCZYDCIbl1r1a6JsNs7SKPUFbuAXlno59kQES 8dZ6b2MuyWrNj9n56a86kf2/40Sw2FfCqP7b/L03U/qlrlBkX6WNmpp3bURAJHip fcVeRiIvONYSQWWRkbvER6cBvttYJq5oNMklmRc1WJUbPoi0qjr979JNXI6rCfNq cDFFLEddE4LNUeuT9x05/DLt+L9KBRl6OPhqKwSVPzrn0oUHHIzYHiTihSs38boA JnVlYr33XcpmW3BuonmQlpGfEo7DTTZAU8OSIsV6oN+22g14t3OweWLjdtZq6e+j /pzJHBkcEN/98yiyrYGVnNQ0n1MIUxbYJPThnutScOcLLD7D747Yzcu57Rd1PWUy G5TOWr6dBlhX1/EyfH0DAuE7Fdc8cEMVF4MsMWsXqm3aXZOD5oKYmo7x2QO6FwRL fru569MHMyz4b3hWsDq1 =rVk+ -----END PGP SIGNATURE----- --Apple-Mail=_10773C72-170A-4915-BBEE-234171C04697--