Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 19 Feb 2017 17:04:58 -0500
From:      Allan Jude <allanjude@freebsd.org>
To:        "Ngie Cooper (yaneurabeya)" <yaneurabeya@gmail.com>
Cc:        src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r313962 - in head: etc/mtree sys/boot/geli sys/geom/eli tests/sys/geom tests/sys/geom/eli tests/sys/geom/eli/pbkdf2
Message-ID:  <a46a5671-4cc6-bdc9-f10e-7dd93410e4fb@freebsd.org>
In-Reply-To: <A5D9304A-BA60-4991-9B35-3163B3888DD9@gmail.com>
References:  <201702191930.v1JJUW3q051018@repo.freebsd.org> <FEC3571D-4183-4386-913D-6854636C102A@gmail.com> <A5D9304A-BA60-4991-9B35-3163B3888DD9@gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--cx6GrkRAXwBHo7mlo5qkFOrCB301CSdeG
Content-Type: multipart/mixed; boundary="MeKjeHqCW3wf3FfpfvbqQDScJ0IsH7L27";
 protected-headers="v1"
From: Allan Jude <allanjude@freebsd.org>
To: "Ngie Cooper (yaneurabeya)" <yaneurabeya@gmail.com>
Cc: src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Message-ID: <a46a5671-4cc6-bdc9-f10e-7dd93410e4fb@freebsd.org>
Subject: Re: svn commit: r313962 - in head: etc/mtree sys/boot/geli
 sys/geom/eli tests/sys/geom tests/sys/geom/eli tests/sys/geom/eli/pbkdf2
References: <201702191930.v1JJUW3q051018@repo.freebsd.org>
 <FEC3571D-4183-4386-913D-6854636C102A@gmail.com>
 <A5D9304A-BA60-4991-9B35-3163B3888DD9@gmail.com>
In-Reply-To: <A5D9304A-BA60-4991-9B35-3163B3888DD9@gmail.com>

--MeKjeHqCW3wf3FfpfvbqQDScJ0IsH7L27
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 2017-02-19 16:06, Ngie Cooper (yaneurabeya) wrote:
>=20
>> On Feb 19, 2017, at 13:01, Ngie Cooper (yaneurabeya) <yaneurabeya@gmai=
l.com> wrote:
>>
>>>
>>> On Feb 19, 2017, at 11:30, Allan Jude <allanjude@FreeBSD.org> wrote:
>>>
>>> Author: allanjude
>>> Date: Sun Feb 19 19:30:31 2017
>>> New Revision: 313962
>>> URL: https://svnweb.freebsd.org/changeset/base/313962
>>>
>>> Log:
>>> improve PBKDF2 performance
>>>
>>> The PBKDF2 in sys/geom/eli/pkcs5v2.c is around half the speed it coul=
d be
>>>
>>> GELI's PBKDF2 uses a simple benchmark to determine a number of iterat=
ions
>>> that will takes approximately 2 seconds. The security provided is act=
ually
>>> half what is expected, because an attacker could use the optimized
>>> algorithm to brute force the key in half the expected time.
>>>
>>> With this change, all newly generated GELI keys will be approximately=
 2x
>>> as strong. Previously generated keys will talk half as long to calcul=
ate,
>>> resulting in faster mounting of encrypted volumes. Users may choose t=
o
>>> rekey, to generate a new key with the larger default number of iterat=
ions
>>> using the geli(8) setkey command.
>>>
>>> Security of existing data is not compromised, as ~1 second per brute =
force
>>> attempt is still a very high threshold.
>>>
>>> PR:		202365
>>> Original Research:	https://jbp.io/2015/08/11/pbkdf2-performance-matte=
rs/
>>> Submitted by:	Joe Pixton <jpixton@gmail.com> (Original Version), jmg =
(Later Version)
>>> Reviewed by:	ed, pjd, delphij
>>> Approved by:	secteam, pjd (maintainer)
>>> MFC after:	2 weeks
>>> Differential Revision:	https://reviews.freebsd.org/D8236
>>>
>>> Added:
>>> head/tests/sys/geom/eli/
>>> head/tests/sys/geom/eli/Makefile   (contents, props changed)
>>> head/tests/sys/geom/eli/pbkdf2/
>>> head/tests/sys/geom/eli/pbkdf2/Makefile   (contents, props changed)
>>> head/tests/sys/geom/eli/pbkdf2/gentestvect.py   (contents, props chan=
ged)
>>> head/tests/sys/geom/eli/pbkdf2/hmactest.c   (contents, props changed)=

>>> head/tests/sys/geom/eli/pbkdf2/testvect.h   (contents, props changed)=

>>> Modified:
>>> head/etc/mtree/BSD.tests.dist
>>> head/sys/boot/geli/Makefile
>>> head/sys/geom/eli/g_eli.h
>>> head/sys/geom/eli/g_eli_hmac.c
>>> head/sys/geom/eli/pkcs5v2.c
>>> head/tests/sys/geom/Makefile
>>
>> 	python (2.x) is now a requirement for the build after this commit--th=
is is problematic for a few reasons:
>> 	1. py3k is quickly becoming the defacto version upstream, and sometim=
e in the future will become the one and only version.
>> 	2. python is not in the limited path when the build is executed, and =
unfortunately this path might be triggered if the file that=E2=80=99s gen=
erated is older than the script.
>> 	3. Not everyone is guaranteed to install the python port.
>> 	Could you please fix this?
>> Thanks,
>> -Ngie
>>
>> PS. The script that was committed is also not-PEP8 compliant (I see ha=
rd tab indentation instead of 4-space indents).
>=20
> 	Also, why wasn=E2=80=99t this test instead committed to =E2=80=A6/test=
s/sys/geom/class/eli/ instead of =E2=80=A6/tests/sys/geom/eli/pbkdf2/ ?
> Thanks,
> -Ngie
>=20

I think you are right, and this should be moved to geom/class/eli/pbkdf2
as well.

--=20
Allan Jude


--MeKjeHqCW3wf3FfpfvbqQDScJ0IsH7L27--

--cx6GrkRAXwBHo7mlo5qkFOrCB301CSdeG
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQIcBAEBAgAGBQJYqhaQAAoJEBmVNT4SmAt+XBwP/3JPUd94lpiuj4g8NafnzTKq
OYUHNTIy3WwCysMrL1TXqsqduHbFdCu8fMUPDkROx5xagciuHqeQ15GRkZyx1TBz
AWOodHWAvEpQt0Du4j3+sgoJ0opr3hYer0fJiaLrZDTT3qZmh4V+Gs1NJXDKZLkH
Ip+QvV5tri37ZcQpKMzVA+obD4rni5pEH6jUmq6gcD3ug8u8H22W3E96LAJNeq1E
JC81KXcDNUemXCuK+7tm4MvrompvLeZC3gSjX55VBvpFxuTG127EE41vv9qgF80O
bugzb6OtQmbab9eE1UIrKhCS/zTbjvL3i4xiqZVfpyUIyHB15qE39+b4xOYoukX+
Iwku5ZppBfDCeCCwVXdBqsY/40IZKThYbIGfL0Trqb0Ijns/uqPVh3Bvek1OuqmB
sEv7L2l9NsgO6YXn7qF8fhREdovRFPA8voV6p6dy6GUk/u9CfLm0OjvtS2BUiXlu
kJYknyTwp3x6xo2HLuu2rzJgQjz8caU0GpAkJN7Tr01ArL9EABzHxf5aly1612uu
Lk1kcOVvkpAONnaivECV6wk81hq3mdPZp9KRcxborP5/kXT5hzDRDne/d8U5S0iR
MCoU9PqahJvFvcCapQG0Btwep9QYgvRMbZ9DqvZvtyki4jWsfiHTmt9HUIKHb2LE
qjkM7+sGfwd8DbWaty4E
=4JPa
-----END PGP SIGNATURE-----

--cx6GrkRAXwBHo7mlo5qkFOrCB301CSdeG--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?a46a5671-4cc6-bdc9-f10e-7dd93410e4fb>