From owner-svn-src-all@freebsd.org  Sun Feb 19 21:08:11 2017
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id D1EEECE5DAC;
 Sun, 19 Feb 2017 21:08:11 +0000 (UTC)
 (envelope-from allanjude@freebsd.org)
Received: from mx1.scaleengine.net (mx1.scaleengine.net [209.51.186.6])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id AA51219BC;
 Sun, 19 Feb 2017 21:08:11 +0000 (UTC)
 (envelope-from allanjude@freebsd.org)
Received: from [10.1.1.2] (unknown [10.1.1.2])
 (Authenticated sender: allanjude.freebsd@scaleengine.com)
 by mx1.scaleengine.net (Postfix) with ESMTPSA id 80C8513F22;
 Sun, 19 Feb 2017 21:08:09 +0000 (UTC)
Subject: Re: svn commit: r313962 - in head: etc/mtree sys/boot/geli
 sys/geom/eli tests/sys/geom tests/sys/geom/eli tests/sys/geom/eli/pbkdf2
To: "Ngie Cooper (yaneurabeya)" <yaneurabeya@gmail.com>
References: <201702191930.v1JJUW3q051018@repo.freebsd.org>
 <FEC3571D-4183-4386-913D-6854636C102A@gmail.com>
Cc: src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
From: Allan Jude <allanjude@freebsd.org>
Message-ID: <b08b4252-7910-077b-0a6e-256aa06774ab@freebsd.org>
Date: Sun, 19 Feb 2017 16:07:57 -0500
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.6.0
MIME-Version: 1.0
In-Reply-To: <FEC3571D-4183-4386-913D-6854636C102A@gmail.com>
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="MvUVXPviLnRO6W18Wp1NtbnClPWs6fbTh"
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Feb 2017 21:08:11 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--MvUVXPviLnRO6W18Wp1NtbnClPWs6fbTh
Content-Type: multipart/mixed; boundary="QH7CWWFDu9XBIcTd4Oxnhd1AMCinI8HEr";
 protected-headers="v1"
From: Allan Jude <allanjude@freebsd.org>
To: "Ngie Cooper (yaneurabeya)" <yaneurabeya@gmail.com>
Cc: src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Message-ID: <b08b4252-7910-077b-0a6e-256aa06774ab@freebsd.org>
Subject: Re: svn commit: r313962 - in head: etc/mtree sys/boot/geli
 sys/geom/eli tests/sys/geom tests/sys/geom/eli tests/sys/geom/eli/pbkdf2
References: <201702191930.v1JJUW3q051018@repo.freebsd.org>
 <FEC3571D-4183-4386-913D-6854636C102A@gmail.com>
In-Reply-To: <FEC3571D-4183-4386-913D-6854636C102A@gmail.com>

--QH7CWWFDu9XBIcTd4Oxnhd1AMCinI8HEr
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 2017-02-19 16:01, Ngie Cooper (yaneurabeya) wrote:
>=20
>> On Feb 19, 2017, at 11:30, Allan Jude <allanjude@FreeBSD.org> wrote:
>>
>> Author: allanjude
>> Date: Sun Feb 19 19:30:31 2017
>> New Revision: 313962
>> URL: https://svnweb.freebsd.org/changeset/base/313962
>>
>> Log:
>>  improve PBKDF2 performance
>>
>>  The PBKDF2 in sys/geom/eli/pkcs5v2.c is around half the speed it coul=
d be
>>
>>  GELI's PBKDF2 uses a simple benchmark to determine a number of iterat=
ions
>>  that will takes approximately 2 seconds. The security provided is act=
ually
>>  half what is expected, because an attacker could use the optimized
>>  algorithm to brute force the key in half the expected time.
>>
>>  With this change, all newly generated GELI keys will be approximately=
 2x
>>  as strong. Previously generated keys will talk half as long to calcul=
ate,
>>  resulting in faster mounting of encrypted volumes. Users may choose t=
o
>>  rekey, to generate a new key with the larger default number of iterat=
ions
>>  using the geli(8) setkey command.
>>
>>  Security of existing data is not compromised, as ~1 second per brute =
force
>>  attempt is still a very high threshold.
>>
>>  PR:		202365
>>  Original Research:	https://jbp.io/2015/08/11/pbkdf2-performance-matte=
rs/
>>  Submitted by:	Joe Pixton <jpixton@gmail.com> (Original Version), jmg =
(Later Version)
>>  Reviewed by:	ed, pjd, delphij
>>  Approved by:	secteam, pjd (maintainer)
>>  MFC after:	2 weeks
>>  Differential Revision:	https://reviews.freebsd.org/D8236
>>
>> Added:
>>  head/tests/sys/geom/eli/
>>  head/tests/sys/geom/eli/Makefile   (contents, props changed)
>>  head/tests/sys/geom/eli/pbkdf2/
>>  head/tests/sys/geom/eli/pbkdf2/Makefile   (contents, props changed)
>>  head/tests/sys/geom/eli/pbkdf2/gentestvect.py   (contents, props chan=
ged)
>>  head/tests/sys/geom/eli/pbkdf2/hmactest.c   (contents, props changed)=

>>  head/tests/sys/geom/eli/pbkdf2/testvect.h   (contents, props changed)=

>> Modified:
>>  head/etc/mtree/BSD.tests.dist
>>  head/sys/boot/geli/Makefile
>>  head/sys/geom/eli/g_eli.h
>>  head/sys/geom/eli/g_eli_hmac.c
>>  head/sys/geom/eli/pkcs5v2.c
>>  head/tests/sys/geom/Makefile
>=20
> 	python (2.x) is now a requirement for the build after this commit--thi=
s is problematic for a few reasons:
> 	1. py3k is quickly becoming the defacto version upstream, and sometime=
 in the future will become the one and only version.
> 	2. python is not in the limited path when the build is executed, and u=
nfortunately this path might be triggered if the file that=E2=80=99s gene=
rated is older than the script.
> 	3. Not everyone is guaranteed to install the python port.
> 	Could you please fix this?
> Thanks,
> -Ngie
>=20
> PS. The script that was committed is also not-PEP8 compliant (I see har=
d tab indentation instead of 4-space indents).
>=20

Sorry, I didn't think it actually built these tests unless testvect.h
did not exist.

These tests were written by jmg@, years ago, but by me.

What do you think the best course of action is? Just disconnect this test=
?

--=20
Allan Jude


--QH7CWWFDu9XBIcTd4Oxnhd1AMCinI8HEr--

--MvUVXPviLnRO6W18Wp1NtbnClPWs6fbTh
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQIcBAEBAgAGBQJYqgkwAAoJEBmVNT4SmAt+aRkQAMX2Xq79ShhTBaz+A7jXKMxr
KF6wPyzCsDOMqUKe9rUJIXm6+UjGiH4llpbADf3O0z4GVO7m+MRpOomR1V4zWOF2
+YcszF6SlNMNOARKFWgKGX//TEr/JeiWaSwgZJNUZSEjbIxMbtu0I2Yr31wrD3IE
Qr0whFe5YbgjslVeaGjBi8axKggxf+i9J4M0x7ZKh7o/mF4Pr768TvrCmHPd0l9H
ozvSvTVpuN4gpf9Z/AZ6et8tfb85dm4oZbRKK1Hh+DmpGnoyR9G4XWaKtU/p2YkT
/NtdoJ0wooHFcWkYBa9HUHSBeWk8Deobjk+3sztMBPMCCfXI0HVKiHOJq1PqdjgI
Pho3/YyO8GztfIfmjsPSP7t/9hn5TPSbS/DmKxP/OLIIKiPpJugSnwlCK1zwhZIk
Fauv3U/ETWSY1EQXoPf17kfcIE409NfaexsDH24rsUOgHKsP3vpD1MH6RL/HZak4
nK3LSZen/Y8W2bvw/2o7OykL+qMbm0d9Kv5HAtPrZat5pNmPal5y3O9qv6M2fQMm
cQ8g/8/j1JwGgktaxAvDX4DhO0EYY1P7t0qEc82wb5qGlyYLPIYqk4RuJc/8BJH7
+FZds4d9d/arFOw1vJYHIlEvhIeoUXLGrXZR+WRFRcZPizow4Wu24jihwLbpJgsq
vtUcquvm1UbA449zSQNB
=X4QP
-----END PGP SIGNATURE-----

--MvUVXPviLnRO6W18Wp1NtbnClPWs6fbTh--