From owner-svn-src-all@freebsd.org Sun Feb 19 21:01:18 2017 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7A198CE583A; Sun, 19 Feb 2017 21:01:18 +0000 (UTC) (envelope-from yaneurabeya@gmail.com) Received: from mail-pg0-x241.google.com (mail-pg0-x241.google.com [IPv6:2607:f8b0:400e:c05::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 294D211D8; Sun, 19 Feb 2017 21:01:18 +0000 (UTC) (envelope-from yaneurabeya@gmail.com) Received: by mail-pg0-x241.google.com with SMTP id 5so10225913pgj.0; Sun, 19 Feb 2017 13:01:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:mime-version:from:in-reply-to:date:cc:message-id:references :to; bh=Tq4UB0haOuXacB3eBCQbBDACyBzlmx72TkWiD7jtaZQ=; b=OblfQhNQjIDSkgLSl4nNLFaKJQMBjXerDEKO47abeuXFCgm45SipqrRAzKA78h87ub pbmQiFKB59k5zDeZnFiT+4hi3vgFZXElJi2wexf8dm2S8QHDiTlE5bqYQ/3X+5+Yw9rr m4i56Ibzn+ERImT1iNSqS1gNlnlq+EqrwjRJhnC8PwqBlLU6PzRhwxulSIjIjS3qz61e /b6nfPXFiMZRBMf7NVn1dK9E7JIOon20w/gJb7CyjeTsWGxwBox/wy82T5mHG/Efc4+9 Q4BSyj+cwWIr1ctgNlydJlGopNu6ezh0Im4D9jZ3c8DvmX8HUutxt5y3Lq6LEV5n4Ku5 dndg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:mime-version:from:in-reply-to:date:cc :message-id:references:to; bh=Tq4UB0haOuXacB3eBCQbBDACyBzlmx72TkWiD7jtaZQ=; b=PWB1yx7R3x0+/aclUDV+ksuyNMpzThw2B5OvKMGwJxMAT22SK8M8VXVh/j+i0WEsJg /RHwJU5es4om58EJ4nGYoxuS9CetzybXUK+gl3cMIwHI5PvWPuXMNHD7OqQqxsSdbEZ/ ogtayVYrbol+oU4IWsQYnV4hhUxggvipyiZ/FyOovnOjHlkbCZejjI/HcdAPQffViPN5 kJMzI44bnOj6k+GbVUWHIUzaVsK/e0JI1Pr92ctEyRE99z28+Wh9bCuAZpJzYFY+9jem Xnspq5BH6RXEzdOFSPzkCrbx6RzoWrUILEVII53q2i5bCyieS+KMR0embgIh1tptiUyU IL8A== X-Gm-Message-State: AMke39lYg7suBK+7W3MsyEqMlcc9t84QnimDXGVA5TsfWdn8J2Bmb7Hx4t2CWLsV+N+obw== X-Received: by 10.99.102.135 with SMTP id a129mr23412605pgc.220.1487538077451; Sun, 19 Feb 2017 13:01:17 -0800 (PST) Received: from pinklady.local (c-73-19-52-228.hsd1.wa.comcast.net. [73.19.52.228]) by smtp.gmail.com with ESMTPSA id t133sm31098465pgc.24.2017.02.19.13.01.16 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 19 Feb 2017 13:01:16 -0800 (PST) Subject: Re: svn commit: r313962 - in head: etc/mtree sys/boot/geli sys/geom/eli tests/sys/geom tests/sys/geom/eli tests/sys/geom/eli/pbkdf2 Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\)) Content-Type: multipart/signed; boundary="Apple-Mail=_690F6A92-9D27-4313-A51D-220C98283BA3"; protocol="application/pgp-signature"; micalg=pgp-sha512 X-Pgp-Agent: GPGMail From: "Ngie Cooper (yaneurabeya)" In-Reply-To: <201702191930.v1JJUW3q051018@repo.freebsd.org> Date: Sun, 19 Feb 2017 13:01:15 -0800 Cc: src-committers , svn-src-all@freebsd.org, svn-src-head@freebsd.org Message-Id: References: <201702191930.v1JJUW3q051018@repo.freebsd.org> To: Allan Jude X-Mailer: Apple Mail (2.3124) X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 19 Feb 2017 21:01:18 -0000 --Apple-Mail=_690F6A92-9D27-4313-A51D-220C98283BA3 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 > On Feb 19, 2017, at 11:30, Allan Jude wrote: >=20 > Author: allanjude > Date: Sun Feb 19 19:30:31 2017 > New Revision: 313962 > URL: https://svnweb.freebsd.org/changeset/base/313962 >=20 > Log: > improve PBKDF2 performance >=20 > The PBKDF2 in sys/geom/eli/pkcs5v2.c is around half the speed it = could be >=20 > GELI's PBKDF2 uses a simple benchmark to determine a number of = iterations > that will takes approximately 2 seconds. The security provided is = actually > half what is expected, because an attacker could use the optimized > algorithm to brute force the key in half the expected time. >=20 > With this change, all newly generated GELI keys will be approximately = 2x > as strong. Previously generated keys will talk half as long to = calculate, > resulting in faster mounting of encrypted volumes. Users may choose = to > rekey, to generate a new key with the larger default number of = iterations > using the geli(8) setkey command. >=20 > Security of existing data is not compromised, as ~1 second per brute = force > attempt is still a very high threshold. >=20 > PR: 202365 > Original Research: = https://jbp.io/2015/08/11/pbkdf2-performance-matters/ > Submitted by: Joe Pixton (Original = Version), jmg (Later Version) > Reviewed by: ed, pjd, delphij > Approved by: secteam, pjd (maintainer) > MFC after: 2 weeks > Differential Revision: https://reviews.freebsd.org/D8236 >=20 > Added: > head/tests/sys/geom/eli/ > head/tests/sys/geom/eli/Makefile (contents, props changed) > head/tests/sys/geom/eli/pbkdf2/ > head/tests/sys/geom/eli/pbkdf2/Makefile (contents, props changed) > head/tests/sys/geom/eli/pbkdf2/gentestvect.py (contents, props = changed) > head/tests/sys/geom/eli/pbkdf2/hmactest.c (contents, props changed) > head/tests/sys/geom/eli/pbkdf2/testvect.h (contents, props changed) > Modified: > head/etc/mtree/BSD.tests.dist > head/sys/boot/geli/Makefile > head/sys/geom/eli/g_eli.h > head/sys/geom/eli/g_eli_hmac.c > head/sys/geom/eli/pkcs5v2.c > head/tests/sys/geom/Makefile python (2.x) is now a requirement for the build after this = commit--this is problematic for a few reasons: 1. py3k is quickly becoming the defacto version upstream, and = sometime in the future will become the one and only version. 2. python is not in the limited path when the build is executed, = and unfortunately this path might be triggered if the file that=E2=80=99s = generated is older than the script. 3. Not everyone is guaranteed to install the python port. Could you please fix this? Thanks, -Ngie PS. The script that was committed is also not-PEP8 compliant (I see hard = tab indentation instead of 4-space indents). --Apple-Mail=_690F6A92-9D27-4313-A51D-220C98283BA3 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJYqgebAAoJEPWDqSZpMIYVQggQAJoc9/+tD9w/utxTvlH42r4Z IPY49A6hWM57CCvUQ/REPuim5306Og/iK2iImXJaOjXNHFTK638dMhIJ+yXw/u+F cVIQke7TEJBi49whvAZhJ0sG3dlCx70jGRDgrNozjYXko5Eh3ewwXPTlk8DBjknR eYR0mnNZ7p3geKoQPMzuDKkzWS79cWrT2210B86IPPCnLKcpB2bB9Na6Q7jRVjr4 DNhRQzULLjkGe2/yoN8WZdpCElceTldrM7CbeyJ2nMm7neuTKdKaulQSd9gjV+8W eUcAsFLWkIbIrXOcS6kA6wFw4DOBJOFiJBedjI2+TsdPzpFQCLPSpmgnfWD/+5nJ jvWGXpI+pTpFHu6HimtYI/xK+b3erbcKXCzm+9GxfEnQ675CNKefSMoAsShVzoQt 21/gC3xrnua07MCuPxSlYMJpjqiEDDvYBXTdCf5//6Ma8Vhit3S16+7MpMgH+Jum SeiC7xWwQ82tsX6MALukgweRrlCK1EjDc+AGSwOgaEtKVx8UIb7c418JGKgRqjo0 1EPePdfG2bH7UXa1P7uhqw342L6bag2Zri7r5htVYW8rLyvytB7O2BAbdHzm73Vr a0DE5e79lfyyPYxcPwjFsRCAEETZq85L89TD0x1jtdAVsQuQaNaWqx4zhJxSbd2u bUHgb1c8MJDmFjZVn7Xt =3AH5 -----END PGP SIGNATURE----- --Apple-Mail=_690F6A92-9D27-4313-A51D-220C98283BA3--