Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

In message on Sun, 8 Apr 2018 21:51:52 +, "Dr. Matthias St. Pierre" said: Matthias.St.Pierre> > So I guess I'm still on track with wanting to specify a get_nonce Matthias.St.Pierre> > function for VMS.

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

> This also puts into question the no_df tests in test/drbgtest.c, how > can we possibly, under the diverse conditions we're facing, assume to > know if those tests will succeed or fail? The no_df tests are o.k. as they are. In fact, OpenSSL supports using the DRBG with or without the derivation

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

On Sun, Apr 08, 2018 at 08:29:18PM +, Dr. Matthias St. Pierre wrote: > Just for completeness sake: The entropy requirement is 256 and *not* 384 if a > derivation function is used. But one way of implementing the nonce when a DF is not used, is to also have 384 bit in that case, which is our

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

In message on Sun, 8 Apr 2018 20:10:22 +, "Salz, Rich" said: rsalz> >The 384 comes straight out of SP800-90A, see the table 10.2.1. rsalz> rsalz> I think we're getting close to needing a team vote on whether rsalz>

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

In message <83ae9015-a766-4497-a71d-d537837cf...@openssl.org> on Sun, 08 Apr 2018 19:15:16 +0200, Richard Levitte said: levitte> levitte> levitte> Kurt Roeckx skrev: (8 april 2018 17:36:27 CEST) levitte> >On Sat, Apr 07, 2018 at 08:50:35PM +0200, Kurt

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

l.org> Im Auftrag von > Salz, Rich > Gesendet: Sonntag, 8. April 2018 22:10 > An: openssl-project@openssl.org > Betreff: Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy > demand for this platform specifically (#5904) > > >The 384 comes straight ou

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

>The 384 comes straight out of SP800-90A, see the table 10.2.1. I think we're getting close to needing a team vote on whether or not we want to follow SP800-90A for this release. ___ openssl-project mailing list openssl-project@openssl.org

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

> > Wait what? This sounds nuts... Can you refer to something that backs your > > claim? > > The 384 comes straight out of SP800-90A, see the table 10.2.1. > It's also in the code where we do: > drbg->seedlen = keylen + 16; > [...] > if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) { >

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

On Sun, Apr 08, 2018 at 07:15:16PM +0200, Richard Levitte wrote: > > > Kurt Roeckx skrev: (8 april 2018 17:36:27 CEST) > >On Sat, Apr 07, 2018 at 08:50:35PM +0200, Kurt Roeckx wrote: > >> On Sat, Apr 07, 2018 at 05:55:14PM +, Salz, Rich wrote: > >> > > Because > >> >

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

Kurt Roeckx skrev: (8 april 2018 17:36:27 CEST) >On Sat, Apr 07, 2018 at 08:50:35PM +0200, Kurt Roeckx wrote: >> On Sat, Apr 07, 2018 at 05:55:14PM +, Salz, Rich wrote: >> > > Because >> > > - It is not clear we need to do so >> > >> > >That we need to

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

On Sat, Apr 07, 2018 at 08:50:35PM +0200, Kurt Roeckx wrote: > On Sat, Apr 07, 2018 at 05:55:14PM +, Salz, Rich wrote: > > > Because > > > - It is not clear we need to do so > > > > >That we need to do what? > > > > Do FIPS compliant random numbers in this release. > >

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

rsalz> My expectation was that the *maximum* would also be 128 bits. >Not sure what you're saying there. If the entropy acquisition routines is over enthusiastic and delivers 277 bits of entropy, are you saying it shouldn't be allowed to? I meant to say that the

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

>Yes, after what I all said previously, it's clear the code could use improvements. I think at least Matthias and I assumed the code about the minimum size was correct and that there was a minimum requirement of 128 bit. My expectation was that the *maximum* would also be 128

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

kurt> So then I suggest we support the syscalls on all platforms that kurt> provide it. Who takes responsibility for fixing this? ___ openssl-project mailing list openssl-project@openssl.org

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

On Sun, Apr 08, 2018 at 10:31:58AM +0200, Richard Levitte wrote: > In message <20180408080942.gb3...@roeckx.be> on Sun, 8 Apr 2018 10:09:42 > +0200, Kurt Roeckx said: > > kurt> On Sun, Apr 08, 2018 at 07:39:30AM +0200, Richard Levitte wrote: > kurt> > In message

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

In message <20180408080942.gb3...@roeckx.be> on Sun, 8 Apr 2018 10:09:42 +0200, Kurt Roeckx said: kurt> On Sun, Apr 08, 2018 at 07:39:30AM +0200, Richard Levitte wrote: kurt> > In message <20180407190250.ga27...@roeckx.be> on Sat, 7 Apr 2018 21:02:51 +0200, Kurt Roeckx

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

On 04/08/18 09:49, Kurt Roeckx wrote: > On Sun, Apr 08, 2018 at 07:15:32AM +0200, Richard Levitte wrote: >> In message <20180407185034.ga25...@roeckx.be> on Sat, 7 Apr 2018 20:50:35 >> +0200, Kurt Roeckx said: >> >> kurt> > In going from 1.1.0 to 1.1.1, breaking platforms that

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

On Sun, Apr 08, 2018 at 07:39:30AM +0200, Richard Levitte wrote: > In message <20180407190250.ga27...@roeckx.be> on Sat, 7 Apr 2018 21:02:51 > +0200, Kurt Roeckx said: > > kurt> On Sat, Apr 07, 2018 at 06:49:50PM +0200, Richard Levitte wrote: > kurt> > H... case 4 shouldn't

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

In message <20180407190250.ga27...@roeckx.be> on Sat, 7 Apr 2018 21:02:51 +0200, Kurt Roeckx said: kurt> On Sat, Apr 07, 2018 at 06:49:50PM +0200, Richard Levitte wrote: kurt> > H... case 4 shouldn't pose too much problems unless you restart kurt> > the application more

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

In message <20180407185034.ga25...@roeckx.be> on Sat, 7 Apr 2018 20:50:35 +0200, Kurt Roeckx said: kurt> > In going from 1.1.0 to 1.1.1, breaking platforms that used to kurt> > work is just plain wrong. kurt> kurt> So then I suggest we support the syscalls on all platforms that

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

On Sat, Apr 07, 2018 at 05:55:14PM +, Salz, Rich wrote: > > Because > > - It is not clear we need to do so > > >That we need to do what? > > Do FIPS compliant random numbers in this release. We will never have that in any release by default, like I already stated a

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

On Sat, Apr 07, 2018 at 06:49:50PM +0200, Richard Levitte wrote: > In message <20180407154649.ga12...@roeckx.be> on Sat, 7 Apr 2018 17:46:50 > +0200, Kurt Roeckx said: > > kurt> | For case 2 above, the timestamp must be trusted. A trusted > kurt> | timestamp is generated and

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

On Sat, Apr 07, 2018 at 04:48:51PM +, Salz, Rich wrote: > >Like I said in the post I just made, I see zero problems with having > that requirement on systems that can support it. I don't see why we > must lower the bar for *everyone* just because we currently need to do > so

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

>NIST SP800-90A rev1 section 8.6.7 has: Compliance with this was never a stated goal of this release. So not relevant. ___ openssl-project mailing list openssl-project@openssl.org https://mta.openssl.org/mailman/listinfo/openssl-project

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

In message <20180407154649.ga12...@roeckx.be> on Sat, 7 Apr 2018 17:46:50 +0200, Kurt Roeckx said: kurt> On Sat, Apr 07, 2018 at 02:15:51PM +, Salz, Rich wrote: kurt> > I would like to see this put on hold until we fix the ‘now requires 50% more random seeding’ issue. kurt>

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

>Like I said in the post I just made, I see zero problems with having that requirement on systems that can support it. I don't see why we must lower the bar for *everyone* just because we currently need to do so for VMS Because - It is not clear we need to do so

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

Like I said in the post I just made, I see zero problems with having that requirement on systems that can support it. I don't see why we must lower the bar for *everyone* just because we currently need to do so for VMS Cheers, Richard In message