> On Feb 19, 2017, at 13:01, Ngie Cooper (yaneurabeya) <[email protected]> wrote:
>
>> On Feb 19, 2017, at 11:30, Allan Jude <[email protected]> wrote:
>>
>> Author: allanjude
>> Date: Sun Feb 19 19:30:31 2017
>> New Revision: 313962
>> URL: https://svnweb.freebsd.org/changeset/base/313962
>>
>> Log:
>>   improve PBKDF2 performance
>>
>>   The PBKDF2 in sys/geom/eli/pkcs5v2.c is around half the speed it could be
>>
>>   GELI's PBKDF2 uses a simple benchmark to determine a number of iterations
>>   that will take approximately 2 seconds. The security provided is actually
>>   half what is expected, because an attacker could use the optimized
>>   algorithm to brute force the key in half the expected time.
>>
>>   With this change, all newly generated GELI keys will be approximately 2x
>>   as strong. Previously generated keys will take half as long to calculate,
>>   resulting in faster mounting of encrypted volumes. Users may choose to
>>   rekey, to generate a new key with the larger default number of iterations
>>   using the geli(8) setkey command.
>>
>>   Security of existing data is not compromised, as ~1 second per brute force
>>   attempt is still a very high threshold.
>>
>>   PR: 202365
>>   Original Research: https://jbp.io/2015/08/11/pbkdf2-performance-matters/
>>   Submitted by: Joe Pixton <[email protected]> (Original Version), jmg (Later Version)
>>   Reviewed by: ed, pjd, delphij
>>   Approved by: secteam, pjd (maintainer)
>>   MFC after: 2 weeks
>>   Differential Revision: https://reviews.freebsd.org/D8236
>>
>> Added:
>>   head/tests/sys/geom/eli/
>>   head/tests/sys/geom/eli/Makefile (contents, props changed)
>>   head/tests/sys/geom/eli/pbkdf2/
>>   head/tests/sys/geom/eli/pbkdf2/Makefile (contents, props changed)
>>   head/tests/sys/geom/eli/pbkdf2/gentestvect.py (contents, props changed)
>>   head/tests/sys/geom/eli/pbkdf2/hmactest.c (contents, props changed)
>>   head/tests/sys/geom/eli/pbkdf2/testvect.h (contents, props changed)
>> Modified:
>>   head/etc/mtree/BSD.tests.dist
>>   head/sys/boot/geli/Makefile
>>   head/sys/geom/eli/g_eli.h
>>   head/sys/geom/eli/g_eli_hmac.c
>>   head/sys/geom/eli/pkcs5v2.c
>>   head/tests/sys/geom/Makefile
>
> python (2.x) is now a requirement for the build after this commit--this
> is problematic for a few reasons:
> 1. py3k is quickly becoming the de facto version upstream, and sometime
>    in the future will become the one and only version.
> 2. python is not in the limited path when the build is executed, and
>    unfortunately this path might be triggered if the file that’s generated is
>    older than the script.
> 3. Not everyone is guaranteed to install the python port.
> Could you please fix this?
> Thanks,
> -Ngie
>
> PS. The script that was committed is also not PEP8-compliant (I see hard tab
> indentation instead of 4-space indents).

Also, why wasn’t this test committed to
…/tests/sys/geom/class/eli/ instead of …/tests/sys/geom/eli/pbkdf2/?
Thanks,
-Ngie
