Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-12 Thread silvioprog
On Mon, Dec 12, 2016 at 3:53 PM, Jeffrey Walton wrote:
> > So what is the correct way, 1 or 2?
> >
> > 1)
> >
> > RAND_poll()
> > /* RAND_bytes is unnecessary */
> > /* RAND_add is unnecessary */
> >
> > 2)
> >
> > RAND_poll()
> > RAND_bytes(buf, 128);
> > /* RAND_add is

Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-12 Thread Jeffrey Walton
> So what is the correct way, 1 or 2?
>
> 1)
>
> RAND_poll()
> /* RAND_bytes is unnecessary */
> /* RAND_add is unnecessary */
>
> 2)
>
> RAND_poll()
> RAND_bytes(buf, 128);
> /* RAND_add is unnecessary */

On Windows, you call CryptGenRandom to obtain your seed for the OpenSSL PRNG. On Linux, you

Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-12 Thread Salz, Rich
Seed the RNG, via RAND_poll. When or if you need random bytes, call RAND_bytes. If you just need crypto keys, call the appropriate keygen API. Done.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-12 Thread silvioprog
On Mon, Dec 12, 2016 at 3:33 PM, silvioprog wrote:
[...]
> So what is the correct way, 1 or 2?
>

*"which is ..."

--
Silvio Clécio

Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-12 Thread silvioprog
On Mon, Dec 12, 2016 at 3:28 PM, Salz, Rich wrote:
> > > You fed RAND_bytes output back into RAND_add? That's silly.
> > Yes. Is it unnecessary? My steps are:
>
> It is a bad idea. It is pointless. Don't do it.

So what is the correct way, 1 or 2?

1)

RAND_poll()
/*

Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-12 Thread Salz, Rich
> > You fed RAND_bytes output back into RAND_add? That's silly.
> Yes. Is it unnecessary? My steps are:

It is a bad idea. It is pointless. Don't do it.

Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-12 Thread silvioprog
On Mon, Dec 12, 2016 at 3:04 PM, Salz, Rich wrote:
> > "In short, I just replaced the RAND_screen() call to the RAND_poll(), generated a random buffer using RAND_bytes() (based on https://wiki.openssl.org/index.php/Random_Numbers#Software) seeding it via RAND_add()"
> >

Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-12 Thread Salz, Rich
> "In short, I just replaced the RAND_screen() call to the RAND_poll(), generated a random buffer using RAND_bytes() (based on https://wiki.openssl.org/index.php/Random_Numbers#Software) seeding it via RAND_add()"

You fed RAND_bytes output back into RAND_add? That's silly.

--

Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-12 Thread silvioprog
Oops, I meant:

"In short, I just replaced the RAND_screen() call to the RAND_poll(), generated a random buffer using RAND_bytes() (based on https://wiki.openssl.org/index.php/Random_Numbers#Software) seeding it via RAND_add()"

On Mon, Dec 12, 2016 at 2:46 PM, silvioprog

Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-12 Thread silvioprog
Finally I think I solved this problem! :-) This is the patch I'm going to send to the `ssl_openssl_lib` authors: http://pastebin.com/VgSpnwxB . In short, I just removed the RAND_screen() call, generated a random buffer using RAND_bytes() (based on

Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-03 Thread silvioprog
Thanks for sharing the links, I'm going to check them. The original code calls RAND_screen() only once in the app initialization, so can I replace it by RAND_add()? (I'm a newbie on SSL) I've noticed the application is just an HTTP client consuming some web services via HTTPS. It doesn't call

Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-03 Thread silvioprog
Thanks for replying! I found two libraries in the application's directory: libeay32.dll and ssleay32.dll, both with file version 0.9.8.14 and product version 0.9.8n. I totally agree about properly initializing the random number generator, however I don't know how to do that yet. That code I'm using

Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-03 Thread Jeffrey Walton
> I'm trying to speed up the initialization of a legacy HTTP client application. Debugging that code, I found the following functions being called each application startup:
>
> initialization
> SSL_library_init()
> SSL_load_error_strings()
> OpenSSL_add_all_algorithms()
>

Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-03 Thread Salz, Rich
What version of openssl are you using? Current versions do not call RAND_screen or other long-term heap-walking on Windows. You absolutely *must* properly initialize the random number generator. If you fail to do that, attackers can guess the keys that you use. You will be providing only

[openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-03 Thread silvioprog
Hello all,

I'm trying to speed up the initialization of a legacy HTTP client application. Debugging that code, I found the following functions being called each application startup:

initialization
SSL_library_init()
SSL_load_error_strings()
OpenSSL_add_all_algorithms()