svn commit: r313962 - in head: etc/mtree sys/boot/geli sys/geom/eli tests/sys/geom tests/sys/geom/eli tests/sys/geom/eli/pbkdf2

Ngie Cooper (yaneurabeya) yaneurabeya at gmail.com
Sun Feb 19 21:01:18 UTC 2017 

> On Feb 19, 2017, at 11:30, Allan Jude <allanjude at FreeBSD.org> wrote:
> 
> Author: allanjude
> Date: Sun Feb 19 19:30:31 2017
> New Revision: 313962
> URL: https://svnweb.freebsd.org/changeset/base/313962
> 
> Log:
>  improve PBKDF2 performance
> 
>  The PBKDF2 in sys/geom/eli/pkcs5v2.c is around half the speed it could be
> 
>  GELI's PBKDF2 uses a simple benchmark to determine a number of iterations
>  that will takes approximately 2 seconds. The security provided is actually
>  half what is expected, because an attacker could use the optimized
>  algorithm to brute force the key in half the expected time.
> 
>  With this change, all newly generated GELI keys will be approximately 2x
>  as strong. Previously generated keys will talk half as long to calculate,
>  resulting in faster mounting of encrypted volumes. Users may choose to
>  rekey, to generate a new key with the larger default number of iterations
>  using the geli(8) setkey command.
> 
>  Security of existing data is not compromised, as ~1 second per brute force
>  attempt is still a very high threshold.
> 
>  PR:		202365
>  Original Research:	https://jbp.io/2015/08/11/pbkdf2-performance-matters/
>  Submitted by:	Joe Pixton <jpixton at gmail.com> (Original Version), jmg (Later Version)
>  Reviewed by:	ed, pjd, delphij
>  Approved by:	secteam, pjd (maintainer)
>  MFC after:	2 weeks
>  Differential Revision:	https://reviews.freebsd.org/D8236
> 
> Added:
>  head/tests/sys/geom/eli/
>  head/tests/sys/geom/eli/Makefile   (contents, props changed)
>  head/tests/sys/geom/eli/pbkdf2/
>  head/tests/sys/geom/eli/pbkdf2/Makefile   (contents, props changed)
>  head/tests/sys/geom/eli/pbkdf2/gentestvect.py   (contents, props changed)
>  head/tests/sys/geom/eli/pbkdf2/hmactest.c   (contents, props changed)
>  head/tests/sys/geom/eli/pbkdf2/testvect.h   (contents, props changed)
> Modified:
>  head/etc/mtree/BSD.tests.dist
>  head/sys/boot/geli/Makefile
>  head/sys/geom/eli/g_eli.h
>  head/sys/geom/eli/g_eli_hmac.c
>  head/sys/geom/eli/pkcs5v2.c
>  head/tests/sys/geom/Makefile

	python (2.x) is now a requirement for the build after this commit--this is problematic for a few reasons:
	1. py3k is quickly becoming the defacto version upstream, and sometime in the future will become the one and only version.
	2. python is not in the limited path when the build is executed, and unfortunately this path might be triggered if the file that’s generated is older than the script.
	3. Not everyone is guaranteed to install the python port.
	Could you please fix this?
Thanks,
-Ngie

PS. The script that was committed is also not-PEP8 compliant (I see hard tab indentation instead of 4-space indents).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freebsd.org/pipermail/svn-src-head/attachments/20170219/1e2d51a5/attachment.sig>

More information about the svn-src-head mailing list