> From: [email protected] [mailto:owner-openssl-
> [email protected]] On Behalf Of mswarna
> Sent: Friday, 31 January, 2014 08:43
> 
> We would like to go for Windows app certification/Microsoft client logo
> certification. One of the requirements for this is running a tool called
> Application Verifier that comes along with the certification kit. When the
> application is run under this tool with luaPriv (UAC) related tests, 2 errors
> related to UAC were thrown. This basically tests when the user runs the
> application with LUA privileges (as a standard user).

I've removed the stack trace because it's misleading (for reasons unclear to 
me). As you note below, the Windows API NetStatisticsGet is not called from 
EVP_EncodeBlock, as the trace claims, but from RAND_poll in rand_win.c.

> After going through the OpenSSL code, the root cause may be the use of the LanmanServer
> and LanmanWorkstation services in the NetStatisticsGet call, since Windows
> Vista introduced the UAC concept.

More precisely, NetStatisticsGet is now reserved to administrative users. An 
application running under UAC with asInvoker will not have administrative 
privileges, and consequently cannot successfully invoke NetStatisticsGet.

I think the correct fix for this is to skip the two calls to NetStatisticsGet 
in RAND_poll if the calling thread does not have the Administrators SID in its 
token. There's sample code in the MSDN documentation for the 
CheckTokenMembership API showing how to make that test.

RAND_poll treats the output of the two NetStatisticsGet calls as contributing 
62 bytes of entropy to the pool, but since the calls fail for 
non-administrative users anyway, they're already not getting that entropy. (And 
the existing code does check for failure.)

Since RAND_poll doesn't depend on NetStatisticsGet succeeding, I believe the 
only consequence of this issue is the complaint from Application Verifier. So 
it may not be a high priority for OpenSSL developers. Therefore, you may want 
to implement the check yourself, or simply remove the calls to NetStatisticsGet 
in your own OpenSSL build.

-- 
Michael Wojcik
Technology Specialist, Micro Focus
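The check suggested above, written out as an added example (this is not code from the thread and not OpenSSL's rand_win.c): the Administrators-membership test follows the MSDN CheckTokenMembership idiom, and the two NetStatisticsGet calls are attempted only when it passes. The `entropy_sink` callback is an assumed stand-in for RAND_add, `poll_net_statistics` is an assumed name for the replaced section of RAND_poll, and on non-Windows builds the admin check is a stub that always reports "not an administrator" so the gating logic still compiles and runs there.

```c
/*
 * Added example (not OpenSSL's rand_win.c): gate the two NetStatisticsGet
 * calls on Administrators-group membership using CheckTokenMembership,
 * as the MSDN sample for that API does. Builds as a no-op stub on
 * non-Windows so the gating logic can be compiled and exercised anywhere.
 */
#include <stddef.h>

/* Outcome of one poll attempt; the sink callback stands in for RAND_add. */
typedef enum {
    NETSTATS_SKIPPED = 0,   /* caller not in Administrators; calls not attempted */
    NETSTATS_ADDED   = 1,   /* at least one NetStatisticsGet call fed the pool */
    NETSTATS_FAILED  = 2    /* attempted, but both calls failed */
} netstats_result;

typedef void (*entropy_sink)(const void *buf, size_t len, void *ctx);

#ifdef _WIN32
#include <windows.h>
#include <lm.h>
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "netapi32.lib")

/* MSDN CheckTokenMembership idiom: build the BUILTIN\Administrators SID and
 * ask whether it is enabled in the calling thread's (or process's) token.
 * A UAC-filtered token carries that SID as deny-only, which
 * CheckTokenMembership reports as "not a member", so a non-elevated
 * administrator (asInvoker) is skipped as well, which is the desired result. */
static int caller_is_admin(void)
{
    SID_IDENTIFIER_AUTHORITY nt_authority = SECURITY_NT_AUTHORITY;
    PSID admins = NULL;
    BOOL is_member = FALSE;

    if (!AllocateAndInitializeSid(&nt_authority, 2,
                                  SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_ALIAS_RID_ADMINS,
                                  0, 0, 0, 0, 0, 0, &admins))
        return 0;
    if (!CheckTokenMembership(NULL, admins, &is_member))
        is_member = FALSE;
    FreeSid(admins);
    return is_member ? 1 : 0;
}

/* One NetStatisticsGet call; returns 1 if its buffer was handed to the sink. */
static int poll_one_service(LMSTR service, size_t stat_size,
                            entropy_sink sink, void *ctx)
{
    LPBYTE outbuf = NULL;
    if (NetStatisticsGet(NULL, service, 0, 0, &outbuf) != NERR_Success)
        return 0;
    sink(outbuf, stat_size, ctx);
    NetApiBufferFree(outbuf);
    return 1;
}
#else
/* Stub for non-Windows builds (assumption for portability of this example):
 * NetStatisticsGet does not exist here, so the poll is always skipped. */
static int caller_is_admin(void) { return 0; }
#endif

/* Replacement for the NetStatisticsGet section of RAND_poll: attempt the two
 * calls only when the caller is in Administrators; otherwise skip them
 * outright instead of letting them fail (the failing calls are what
 * Application Verifier's LUA checks report). */
netstats_result poll_net_statistics(entropy_sink sink, void *ctx)
{
    if (!caller_is_admin())
        return NETSTATS_SKIPPED;
#ifdef _WIN32
    {
        int added = 0;
        added += poll_one_service(L"LanmanWorkstation",
                                  sizeof(STAT_WORKSTATION_0), sink, ctx);
        added += poll_one_service(L"LanmanServer",
                                  sizeof(STAT_SERVER_0), sink, ctx);
        return added ? NETSTATS_ADDED : NETSTATS_FAILED;
    }
#else
    (void)sink;
    (void)ctx;
    return NETSTATS_SKIPPED;
#endif
}

/* Example sink: counts the bytes offered so a caller can see what was
 * contributed to the pool without depending on OpenSSL's RAND_add. */
void count_bytes_sink(const void *buf, size_t len, void *ctx)
{
    (void)buf;
    *(size_t *)ctx += len;
}
```

Because CheckTokenMembership is passed a NULL token, it inspects the calling thread's impersonation token, or the process token when the thread is not impersonating, so the check gives the same answer as the access check NetStatisticsGet itself performs. Nothing else in RAND_poll changes: when the calls are skipped the pool simply does not receive the bytes it was already not receiving for standard users.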



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]