On 2017-02-19 16:06, Ngie Cooper (yaneurabeya) wrote: > >> On Feb 19, 2017, at 13:01, Ngie Cooper (yaneurabeya) <yaneurab...@gmail.com> >> wrote: >> >>> >>> On Feb 19, 2017, at 11:30, Allan Jude <allanj...@freebsd.org> wrote: >>> >>> Author: allanjude >>> Date: Sun Feb 19 19:30:31 2017 >>> New Revision: 313962 >>> URL: https://svnweb.freebsd.org/changeset/base/313962 >>> >>> Log: >>> improve PBKDF2 performance >>> >>> The PBKDF2 in sys/geom/eli/pkcs5v2.c is around half the speed it could be >>> >>> GELI's PBKDF2 uses a simple benchmark to determine a number of iterations >>> that will takes approximately 2 seconds. The security provided is actually >>> half what is expected, because an attacker could use the optimized >>> algorithm to brute force the key in half the expected time. >>> >>> With this change, all newly generated GELI keys will be approximately 2x >>> as strong. Previously generated keys will talk half as long to calculate, >>> resulting in faster mounting of encrypted volumes. Users may choose to >>> rekey, to generate a new key with the larger default number of iterations >>> using the geli(8) setkey command. >>> >>> Security of existing data is not compromised, as ~1 second per brute force >>> attempt is still a very high threshold. >>> >>> PR: 202365 >>> Original Research: https://jbp.io/2015/08/11/pbkdf2-performance-matters/ >>> Submitted by: Joe Pixton <jpix...@gmail.com> (Original Version), jmg >>> (Later Version) >>> Reviewed by: ed, pjd, delphij >>> Approved by: secteam, pjd (maintainer) >>> MFC after: 2 weeks >>> Differential Revision: https://reviews.freebsd.org/D8236 >>> >>> Added: >>> head/tests/sys/geom/eli/ >>> head/tests/sys/geom/eli/Makefile (contents, props changed) >>> head/tests/sys/geom/eli/pbkdf2/ >>> head/tests/sys/geom/eli/pbkdf2/Makefile (contents, props changed) >>> head/tests/sys/geom/eli/pbkdf2/gentestvect.py (contents, props changed) >>> head/tests/sys/geom/eli/pbkdf2/hmactest.c (contents, props changed) >>> head/tests/sys/geom/eli/pbkdf2/testvect.h (contents, props changed) >>> Modified: >>> head/etc/mtree/BSD.tests.dist >>> head/sys/boot/geli/Makefile >>> head/sys/geom/eli/g_eli.h >>> head/sys/geom/eli/g_eli_hmac.c >>> head/sys/geom/eli/pkcs5v2.c >>> head/tests/sys/geom/Makefile >> >> python (2.x) is now a requirement for the build after this commit--this >> is problematic for a few reasons: >> 1. py3k is quickly becoming the defacto version upstream, and sometime >> in the future will become the one and only version. >> 2. python is not in the limited path when the build is executed, and >> unfortunately this path might be triggered if the file that’s generated is >> older than the script. >> 3. Not everyone is guaranteed to install the python port. >> Could you please fix this? >> Thanks, >> -Ngie >> >> PS. The script that was committed is also not-PEP8 compliant (I see hard tab >> indentation instead of 4-space indents). > > Also, why wasn’t this test instead committed to > …/tests/sys/geom/class/eli/ instead of …/tests/sys/geom/eli/pbkdf2/ ? > Thanks, > -Ngie >
I think you are right, and this should be moved to geom/class/eli/pbkdf2 as well. -- Allan Jude
signature.asc
Description: OpenPGP digital signature
