svn commit: r313962 - in head: etc/mtree sys/boot/geli sys/geom/eli tests/sys/geom tests/sys/geom/eli tests/sys/geom/eli/pbkdf2
Allan Jude
allanjude at freebsd.org
Sun Feb 19 22:05:15 UTC 2017
On 2017-02-19 16:06, Ngie Cooper (yaneurabeya) wrote:
>
>> On Feb 19, 2017, at 13:01, Ngie Cooper (yaneurabeya) <yaneurabeya at gmail.com> wrote:
>>
>>>
>>> On Feb 19, 2017, at 11:30, Allan Jude <allanjude at FreeBSD.org> wrote:
>>>
>>> Author: allanjude
>>> Date: Sun Feb 19 19:30:31 2017
>>> New Revision: 313962
>>> URL: https://svnweb.freebsd.org/changeset/base/313962
>>>
>>> Log:
>>> improve PBKDF2 performance
>>>
>>> The PBKDF2 in sys/geom/eli/pkcs5v2.c is around half the speed it could be
>>>
>>> GELI's PBKDF2 uses a simple benchmark to determine a number of iterations
>>> that will takes approximately 2 seconds. The security provided is actually
>>> half what is expected, because an attacker could use the optimized
>>> algorithm to brute force the key in half the expected time.
>>>
>>> With this change, all newly generated GELI keys will be approximately 2x
>>> as strong. Previously generated keys will talk half as long to calculate,
>>> resulting in faster mounting of encrypted volumes. Users may choose to
>>> rekey, to generate a new key with the larger default number of iterations
>>> using the geli(8) setkey command.
>>>
>>> Security of existing data is not compromised, as ~1 second per brute force
>>> attempt is still a very high threshold.
>>>
>>> PR: 202365
>>> Original Research: https://jbp.io/2015/08/11/pbkdf2-performance-matters/
>>> Submitted by: Joe Pixton <jpixton at gmail.com> (Original Version), jmg (Later Version)
>>> Reviewed by: ed, pjd, delphij
>>> Approved by: secteam, pjd (maintainer)
>>> MFC after: 2 weeks
>>> Differential Revision: https://reviews.freebsd.org/D8236
>>>
>>> Added:
>>> head/tests/sys/geom/eli/
>>> head/tests/sys/geom/eli/Makefile (contents, props changed)
>>> head/tests/sys/geom/eli/pbkdf2/
>>> head/tests/sys/geom/eli/pbkdf2/Makefile (contents, props changed)
>>> head/tests/sys/geom/eli/pbkdf2/gentestvect.py (contents, props changed)
>>> head/tests/sys/geom/eli/pbkdf2/hmactest.c (contents, props changed)
>>> head/tests/sys/geom/eli/pbkdf2/testvect.h (contents, props changed)
>>> Modified:
>>> head/etc/mtree/BSD.tests.dist
>>> head/sys/boot/geli/Makefile
>>> head/sys/geom/eli/g_eli.h
>>> head/sys/geom/eli/g_eli_hmac.c
>>> head/sys/geom/eli/pkcs5v2.c
>>> head/tests/sys/geom/Makefile
>>
>> python (2.x) is now a requirement for the build after this commit--this is problematic for a few reasons:
>> 1. py3k is quickly becoming the defacto version upstream, and sometime in the future will become the one and only version.
>> 2. python is not in the limited path when the build is executed, and unfortunately this path might be triggered if the file that’s generated is older than the script.
>> 3. Not everyone is guaranteed to install the python port.
>> Could you please fix this?
>> Thanks,
>> -Ngie
>>
>> PS. The script that was committed is also not-PEP8 compliant (I see hard tab indentation instead of 4-space indents).
>
> Also, why wasn’t this test instead committed to …/tests/sys/geom/class/eli/ instead of …/tests/sys/geom/eli/pbkdf2/ ?
> Thanks,
> -Ngie
>
I think you are right, and this should be moved to geom/class/eli/pbkdf2
as well.
--
Allan Jude
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 834 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/svn-src-head/attachments/20170219/a9531c39/attachment.sig>
More information about the svn-src-head
mailing list