Date: Sun, 19 Feb 2017 13:06:59 -0800 From: "Ngie Cooper (yaneurabeya)" <yaneurabeya@gmail.com> To: Allan Jude <allanjude@FreeBSD.org> Cc: src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r313962 - in head: etc/mtree sys/boot/geli sys/geom/eli tests/sys/geom tests/sys/geom/eli tests/sys/geom/eli/pbkdf2 Message-ID: <A5D9304A-BA60-4991-9B35-3163B3888DD9@gmail.com> In-Reply-To: <FEC3571D-4183-4386-913D-6854636C102A@gmail.com> References: <201702191930.v1JJUW3q051018@repo.freebsd.org> <FEC3571D-4183-4386-913D-6854636C102A@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--Apple-Mail=_10773C72-170A-4915-BBEE-234171C04697 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 > On Feb 19, 2017, at 13:01, Ngie Cooper (yaneurabeya) = <yaneurabeya@gmail.com> wrote: >=20 >>=20 >> On Feb 19, 2017, at 11:30, Allan Jude <allanjude@FreeBSD.org> wrote: >>=20 >> Author: allanjude >> Date: Sun Feb 19 19:30:31 2017 >> New Revision: 313962 >> URL: https://svnweb.freebsd.org/changeset/base/313962 >>=20 >> Log: >> improve PBKDF2 performance >>=20 >> The PBKDF2 in sys/geom/eli/pkcs5v2.c is around half the speed it = could be >>=20 >> GELI's PBKDF2 uses a simple benchmark to determine a number of = iterations >> that will takes approximately 2 seconds. The security provided is = actually >> half what is expected, because an attacker could use the optimized >> algorithm to brute force the key in half the expected time. >>=20 >> With this change, all newly generated GELI keys will be approximately = 2x >> as strong. Previously generated keys will talk half as long to = calculate, >> resulting in faster mounting of encrypted volumes. Users may choose = to >> rekey, to generate a new key with the larger default number of = iterations >> using the geli(8) setkey command. >>=20 >> Security of existing data is not compromised, as ~1 second per brute = force >> attempt is still a very high threshold. >>=20 >> PR: 202365 >> Original Research: = https://jbp.io/2015/08/11/pbkdf2-performance-matters/ >> Submitted by: Joe Pixton <jpixton@gmail.com> (Original = Version), jmg (Later Version) >> Reviewed by: ed, pjd, delphij >> Approved by: secteam, pjd (maintainer) >> MFC after: 2 weeks >> Differential Revision: https://reviews.freebsd.org/D8236 >>=20 >> Added: >> head/tests/sys/geom/eli/ >> head/tests/sys/geom/eli/Makefile (contents, props changed) >> head/tests/sys/geom/eli/pbkdf2/ >> head/tests/sys/geom/eli/pbkdf2/Makefile (contents, props changed) >> head/tests/sys/geom/eli/pbkdf2/gentestvect.py (contents, props = changed) >> head/tests/sys/geom/eli/pbkdf2/hmactest.c (contents, props changed) >> head/tests/sys/geom/eli/pbkdf2/testvect.h (contents, props changed) >> Modified: >> head/etc/mtree/BSD.tests.dist >> head/sys/boot/geli/Makefile >> head/sys/geom/eli/g_eli.h >> head/sys/geom/eli/g_eli_hmac.c >> head/sys/geom/eli/pkcs5v2.c >> head/tests/sys/geom/Makefile >=20 > python (2.x) is now a requirement for the build after this = commit--this is problematic for a few reasons: > 1. py3k is quickly becoming the defacto version upstream, and = sometime in the future will become the one and only version. > 2. python is not in the limited path when the build is executed, = and unfortunately this path might be triggered if the file that=E2=80=99s = generated is older than the script. > 3. Not everyone is guaranteed to install the python port. > Could you please fix this? > Thanks, > -Ngie >=20 > PS. The script that was committed is also not-PEP8 compliant (I see = hard tab indentation instead of 4-space indents). Also, why wasn=E2=80=99t this test instead committed to = =E2=80=A6/tests/sys/geom/class/eli/ instead of = =E2=80=A6/tests/sys/geom/eli/pbkdf2/ ? Thanks, -Ngie --Apple-Mail=_10773C72-170A-4915-BBEE-234171C04697 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJYqgjzAAoJEPWDqSZpMIYVs0MP/15hNmHebJvm80c3bgJ20A48 4UfSNZgPsUY9Oh0ob04/8u18LsT2X4QK51HUwAVypMMArW+TZTiG4Z7hpEwZIry5 r1rge6TL/D+KjIsL4OwRdvvgY4z2erGc0+ktsSoBTzNi9roDF0AlmHF/szAxyJhD NRsT/wD4RLAqet2pwSsGcxJM56ZIQrOpCuz15a79mT6pb0HhoyEYZHOCpDssL2NJ wSrViq2IY8BN1kNFYQ4TetL7Fq7YCZYDCIbl1r1a6JsNs7SKPUFbuAXlno59kQES 8dZ6b2MuyWrNj9n56a86kf2/40Sw2FfCqP7b/L03U/qlrlBkX6WNmpp3bURAJHip fcVeRiIvONYSQWWRkbvER6cBvttYJq5oNMklmRc1WJUbPoi0qjr979JNXI6rCfNq cDFFLEddE4LNUeuT9x05/DLt+L9KBRl6OPhqKwSVPzrn0oUHHIzYHiTihSs38boA JnVlYr33XcpmW3BuonmQlpGfEo7DTTZAU8OSIsV6oN+22g14t3OweWLjdtZq6e+j /pzJHBkcEN/98yiyrYGVnNQ0n1MIUxbYJPThnutScOcLLD7D747Yzcu57Rd1PWUy G5TOWr6dBlhX1/EyfH0DAuE7Fdc8cEMVF4MsMWsXqm3aXZOD5oKYmo7x2QO6FwRL fru569MHMyz4b3hWsDq1 =rVk+ -----END PGP SIGNATURE----- --Apple-Mail=_10773C72-170A-4915-BBEE-234171C04697--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?A5D9304A-BA60-4991-9B35-3163B3888DD9>