Make openVMS seeding less dependent of OpenVMS version [1.1.1] #18730
I am unsure whether this is a bug fix or a feature. |
It's a regression... before introducing the call of In OpenVMS land, this isn't a strange concept, especially when you have clusters with multiple OpenVMS versions in mind. @mgdaniel, feel free to correct me if I remember things wrong... |
The call of |
Agreed. And I do not imagine it adds significant entropy to the mix. The difference between |
I put it in as a bug fix because it prevented execution on less recent versions of VMS. Not a feature. |
With SYS$GET_ENTROPY becoming available I believe SYS$GETTIM_PREC could easily be eliminated completely in favour of SYS$GETTIM with no effective/significant loss of entropy all-told, thus immediately eliminating the backward compatibility issue. |
So what you're saying is that the call of |
Agreed. Certainly not significant with the current range of (rather passe) Alphas, and most Itanics (AIUI). The current crop of X86 systems/hypervisors; who knows what the TOD/interrupt clock will be doing. Perhaps we should ask VSI about hypervisor interrupt/timer resolution. |
The upshot of asking this question (ignoring the hypervisor element) is that there is no (current) effective difference between the result of the two calls. This combined with your own SP 800-90A section 4 observation suggests that SYS$GETTIM_PREC may be eliminated while still maintaining compliance. Suggest you get coding 😁 |
And to give you a start, this seems to work:
|
This PR is in a state where it requires action by @openssl/otc but the last update was 30 days ago |
Approving for reasons given in #18731. |
This PR is in a state where it requires action by @openssl/otc but the last update was 30 days ago |
I'm reworking this change the same way I did #18731, i.e. forego |
5258d24 to 79c135a
SYS$GETTIM_PREC is a very new function, only available on OpenVMS v8.4. OpenSSL binaries built on OpenVMS v8.4 become unusable on older OpenVMS versions, but building for the older CRTL version will make the high precision time functions unavailable. Tests have shown that on Alpha and Itanium, the time update granularity between SYS$GETTIM and SYS$GETTIM_PREC is marginal, so the former plus a sequence number turns out to be better to guarantee a unique nonce. Fixes openssl#18727
79c135a to e363760
One nit. Otherwise, looks OK.
On Tue, 25 Oct 2022 04:49:14 -0700 ***@***.*** wrote:
Reworked. @mgdaniel, sorry that this took time to get back to. Would you be willing to test this (and by all means, #18731 too!)?
Sure Richard. Can you provide web links into the final rand_vms.c(s)?
|
That's for 1.1.1. I'll get you the same separately in #18731 for 3.0
|
Merged aa542d2 Make openVMS seeding less dependent of OpenVMS version |
SYS$GETTIM_PREC is a very new function, only available on OpenVMS v8.4. OpenSSL binaries built on OpenVMS v8.4 become unusable on older OpenVMS versions, but building for the older CRTL version will make the high precision time functions unavailable. Tests have shown that on Alpha and Itanium, the time update granularity between SYS$GETTIM and SYS$GETTIM_PREC is marginal, so the former plus a sequence number turns out to be better to guarantee a unique nonce. Fixes #18727 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from #18730)
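The merged commit message relies on a coarse timestamp plus a sequence number to keep nonces unique. The following is an added sketch of that idea in portable C, not code from OpenSSL's rand_vms.c: `struct nonce`, `frozen_clock`, `nonce_next` and `count_repeats` are hypothetical names, and the frozen clock is a constructed stand-in for a SYS$GETTIM value that has not advanced between calls.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <string.h>

/* Nonce layout is an assumption for this sketch, not OpenSSL's struct. */
struct nonce {
    uint64_t time;   /* coarse timestamp, stand-in for SYS$GETTIM output */
    uint64_t seq;    /* process-wide sequence number */
};

typedef uint64_t (*clock_fn)(void);
static atomic_uint_fast64_t nonce_seq;   /* zero-initialised at start */

/* Constructed worst case: a clock that never advances between calls. */
static uint64_t frozen_clock(void) { return UINT64_C(0x00B1C2D3E4F50617); }

/* Build one nonce; use_seq = 0 models relying on the timestamp alone. */
static struct nonce nonce_next(clock_fn now, int use_seq)
{
    struct nonce n;
    memset(&n, 0, sizeof(n));
    n.time = now();
    if (use_seq)
        n.seq = atomic_fetch_add(&nonce_seq, 1) + 1;
    return n;
}

/* Draw `count` nonces (max 64); return how many repeat an earlier one. */
static int count_repeats(clock_fn now, int use_seq, int count)
{
    struct nonce seen[64];
    int i, j, repeats = 0;
    if (count > 64) count = 64;
    for (i = 0; i < count; i++) {
        seen[i] = nonce_next(now, use_seq);
        for (j = 0; j < i; j++) {
            if (memcmp(&seen[i], &seen[j], sizeof(struct nonce)) == 0) {
                repeats++;
                break;
            }
        }
    }
    return repeats;
}

int main(void)
{
    return count_repeats(frozen_clock, 1, 32);   /* exit 0: no repeats */
}
```

The atomic counter makes uniqueness within a process independent of clock granularity, which is why a finer clock adds little once the sequence number is present.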