Re: [openssl-users] Signing an XML file
On Wed, Dec 14, 2016 at 11:47 AM, Anibal F. Martinez Cortina < linuxkid.z...@gmail.com> wrote: [...] > As a matter of facts, you're indeed right. I was daunted by the idea of > going through PHP's source myself.. > Thanks for the pointers, guys. > I'll report back as soon as I get some progress. > > Kind regards, > Anibal.- > Add xmlsec to your wishlist. :-) https://www.aleksey.com/xmlsec/api/xmlsec-examples.html -- Silvio Clécio -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application
On Mon, Dec 12, 2016 at 3:53 PM, Jeffrey Waltonwrote: > > So what is the correct way, 1 or 2? > > > > 1) > > > > RAND_poll() > > /* RAND_bytes is unnecessary */ > > /* RAND_add is unnecessary */ > > > > 2) > > > > RAND_poll() > > RAND_bytes(buf, 128); > > /* RAND_add is unnecessary */ > > On Windows, you call CryptGenRandom to obtain your seed for the > OpenSSL PRNG. On Linux, you use one of the random devices, like > /dev/srandom, /dev/random, or /dev/urandom. > > Windows Phone and Windows Store apps add a twist, like requiring calls > to BCryptGenRandom. There's no way to wrote portable code when you > factor in Windows Phone and Windows Store. It will be a #define mess. > > Jeff Perfect! So I just need to call RAND_poll(), because it seems already choosing that funcs above. :-) https://github.com/openssl/openssl/blob/master/crypto/rand/rand_win.c#L49 https://github.com/openssl/openssl/blob/master/crypto/rand/rand_unix.c#L161 Thanks a lot dude! -- Silvio Clécio -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application
On Mon, Dec 12, 2016 at 3:33 PM, silvioprog <silviop...@gmail.com> wrote: [...] > So what is the correct way, 1 or 2? > *"which is ..." -- Silvio Clécio -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application
On Mon, Dec 12, 2016 at 3:28 PM, Salz, Richwrote: > > > You fed RAND_bytes output back into RAND_add? That's silly. > > Yes. Is it unnecessary? My steps are: > > It is a bad idea. It is pointless. Don't do it. So what is the correct way, 1 or 2? 1) RAND_poll() /* RAND_bytes is unnecessary */ /* RAND_add is unnecessary */ 2) RAND_poll() RAND_bytes(buf, 128); /* RAND_add is unnecessary */ :-S -- Silvio Clécio -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application
On Mon, Dec 12, 2016 at 3:04 PM, Salz, Richwrote: > > "In short, I just replaced the RAND_screen() call to the RAND_poll(), > generated a random buffer using RAND_bytes() (based on > https://wiki.openssl.org/index.php/Random_Numbers#Software) seeding it > via RAND_add()" > > You fed RAND_bytes output back into RAND_add? That's silly. Yes. Is it unnecessary? My steps are: ... - RAND_scree() + RAND_poll() + RAND_bytes(buf, 128); + RAND_add(buf, length(buf), length(buf)); ... (I noticed I sent wrong patch, the correct one declare the RAND_bytes func ^^' ) -- Silvio Clécio -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application
Oops, I meant: "In short, I just replaced the RAND_screen() call to the RAND_poll(), generated a random buffer using RAND_bytes() (based on https://wiki.openssl.org/index.php/Random_Numbers#Software) seeding it via RAND_add()" On Mon, Dec 12, 2016 at 2:46 PM, silvioprog <silviop...@gmail.com> wrote: [...] > In short, I just removed the RAND_screen() call, generated a random buffer > using RAND_bytes() (based on https://wiki.openssl.org/ > index.php/Random_Numbers#Software) seeding via RAND_add(). > -- Silvio Clécio -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application
Finally I think I solved this problem! :-) This is the patch I'm going to send to the `ssl_openssl_lib` authors: http://pastebin.com/VgSpnwxB . In short, I just removed the RAND_screen() call, generated a random buffer using RAND_bytes() (based on https://wiki.openssl.org/index.php/Random_Numbers#Software) seeding via RAND_add(). Thanks a lot for the help, dudes! :-) On Sun, Dec 4, 2016 at 12:01 AM, silvioprog <silviop...@gmail.com> wrote: > Thanks for sharing the links, I'm going to check them. > > The original code call RAND_screen() only once in the app initialization, > so can I replace it by RAND_add()? (I'm newbie on SSL) > > I've noticed the application is just a HTTP client consuming some web > services via HTTPS. It doesn't call explicitly any OpenSSL random function, > so I think it uses the default OpenSSL configurations. > > On Sat, Dec 3, 2016 at 3:42 PM, Jeffrey Walton <noloa...@gmail.com> wrote: > [...] > >> Also see https://wiki.openssl.org/index.php/Library_Initialization and >> https://wiki.openssl.org/index.php/Random_Numbers#Windows_Issues. >> >> The short of it is, you should stop relying on auto-initialization of >> the RNG, and seed it yourself with a call to `RAND_add`. >> >> Jeff > > -- Silvio Clécio -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application
Thanks for sharing the links, I'm going to check them. The original code call RAND_screen() only once in the app initialization, so can I replace it by RAND_add()? (I'm newbie on SSL) I've noticed the application is just a HTTP client consuming some web services via HTTPS. It doesn't call explicitly any OpenSSL random function, so I think it uses the default OpenSSL configurations. On Sat, Dec 3, 2016 at 3:42 PM, Jeffrey Waltonwrote: [...] > Also see https://wiki.openssl.org/index.php/Library_Initialization and > https://wiki.openssl.org/index.php/Random_Numbers#Windows_Issues. > > The short of it is, you should stop relying on auto-initialization of > the RNG, and seed it yourself with a call to `RAND_add`. > > Jeff -- Silvio Clécio -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application
Thanks for replying! I found two libraries at application's directory: libeay32.dll and ssleay32.dll, both with file version 0.9.8.14 and product version 0.9.8n. I totally agree about properly initializing the random number generator, however I don't know how to do that yet. That code I'm using is a third party Pascal binding for the OpenSSL C library, and I've noticed that many other packages was based on that implementation too (eg: https://github.com/graemeg/freepascal/blob/master/packages/openssl/src/openssl.pas#L4442 - it seems based on an old LibOpenSsl version). The application I'm fixing uses the same file this link above, and I can edit it without problems. I removed the line RAND_screen and now the application initializes fast, but I'm not sure if it will turn my application vulnerable. If I get to solve it I will try some patch sharing it to the authors of these bindings. On Sat, Dec 3, 2016 at 2:34 PM, Salz, Richwrote: > What version of openssl are you using? Current versions do not call > RAND_screen or other long-term heap-walking on Windows. > > > > You absolutely **must** properly initialize the random number generator. > If you fail to do that, attackers can guess the keys that you use. You > will be providing only the illusion of security. > > > > Please pass this along to that other app. What it, and you, are doing is > horrible. > > > > -- > > Senior Architect, Akamai Technologies > > Member, OpenSSL Dev Team > > IM: richs...@jabber.at Twitter: RichSalz > -- Silvio Clécio -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Doubt about OpenSSL library initialization in an HTTP client application
Hello all, I'm trying to speed up the initialization of a legacy HTTP client application. Debugging that code, I found the following functions being called each application startup: initialization SSL_library_init() SSL_load_error_strings() OpenSSL_add_all_algorithms() RAND_screen() however, the execution of RAND_screen() spends about 3 seconds. The first idea was commenting this line, but I don't know if I really can do that. After some "googling" I found someone doing something like this: initialization SSL_library_init() SSL_load_error_strings() OpenSSL_add_all_algorithms() //RAND_screen() unsigned char c; RAND_bytes(, 1); anyway I don't know if it is really necessary, so I just commented RAND_screen() line and without add this call to RAND_bytes(). So I have a question: do I really need to call some function like RAND_* at each application initialization? This project has that same initialization: https://github.com/svn2github/Ararat-Synapse/blob/master/trunk/ssl_openssl_lib.pas#L2001 . -- Silvio Clécio -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users