Re: [openssl-users] Signing an XML file

2016-12-14 Thread silvioprog
On Wed, Dec 14, 2016 at 11:47 AM, Anibal F. Martinez Cortina <
linuxkid.z...@gmail.com> wrote:
[...]

> As a matter of fact, you're indeed right. I was daunted by the idea of
> going through PHP's source myself..
> Thanks for the pointers, guys.
> I'll report back as soon as I get some progress.
>
> Kind regards,
> Anibal.-
>

Add xmlsec to your wishlist. :-)

https://www.aleksey.com/xmlsec/api/xmlsec-examples.html

--
Silvio Clécio
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-12 Thread silvioprog
On Mon, Dec 12, 2016 at 3:53 PM, Jeffrey Walton  wrote:

> > So what is the correct way, 1 or 2?
> >
> > 1)
> >
> > RAND_poll()
> > /* RAND_bytes is unnecessary */
> > /* RAND_add is unnecessary */
> >
> > 2)
> >
> > RAND_poll()
> > RAND_bytes(buf, 128);
> > /* RAND_add is unnecessary */
>
> On Windows, you call CryptGenRandom to obtain your seed for the
> OpenSSL PRNG. On Linux, you use one of the random devices, like
> /dev/srandom, /dev/random, or /dev/urandom.
>
> Windows Phone and Windows Store apps add a twist, like requiring calls
> to BCryptGenRandom. There's no way to write portable code when you
> factor in Windows Phone and Windows Store. It will be a #define mess.
>
> Jeff


Perfect! So I just need to call RAND_poll(), because it already seems to
choose those funcs above. :-)

https://github.com/openssl/openssl/blob/master/crypto/rand/rand_win.c#L49

https://github.com/openssl/openssl/blob/master/crypto/rand/rand_unix.c#L161

Thanks a lot dude!

--
Silvio Clécio


Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-12 Thread silvioprog
On Mon, Dec 12, 2016 at 3:33 PM, silvioprog <silviop...@gmail.com> wrote:
[...]

> So what is the correct way, 1 or 2?
>

*"which is ..."

-- 
Silvio Clécio


Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-12 Thread silvioprog
On Mon, Dec 12, 2016 at 3:28 PM, Salz, Rich  wrote:

> > > You fed RAND_bytes output back into RAND_add?  That's silly.
> > Yes. Is it unnecessary? My steps are:
>
> It is a bad idea.  It is pointless.  Don't do it.


So what is the correct way, 1 or 2?

1)

RAND_poll()
/* RAND_bytes is unnecessary */
/* RAND_add is unnecessary */

2)

RAND_poll()
RAND_bytes(buf, 128);
/* RAND_add is unnecessary */

:-S

-- 
Silvio Clécio
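
An added illustration (not code from this thread or from OpenSSL) of why the reply quoted above calls feeding RAND_bytes() output back through RAND_add() pointless: every output stays a deterministic function of the original seed, so the number of possible outputs never grows. `toy_next` and `toy_add` are hypothetical stand-ins for the generator and for RAND_add(), and the 16-bit seed space is a constructed assumption.

```c
/* Toy model only: this is NOT OpenSSL's PRNG algorithm. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define SEED_SPACE 65536u  /* constructed: pool seeded with only 16 bits */

/* splitmix64 step, a deterministic mixer standing in for the PRNG core */
static uint64_t toy_next(uint64_t *state) {
    uint64_t z = (*state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* hypothetical analogue of RAND_add(): fold caller data into the state */
static void toy_add(uint64_t *state, uint64_t data) {
    *state ^= data;
    (void)toy_next(state);
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Count distinct outputs over every possible seed. self_reseed != 0
   models RAND_bytes(buf, 128) followed by RAND_add(buf, ...). */
size_t distinct_outputs(int self_reseed) {
    static uint64_t out[SEED_SPACE];
    for (uint32_t seed = 0; seed < SEED_SPACE; seed++) {
        uint64_t state = seed;
        if (self_reseed)
            for (int i = 0; i < 16; i++) {      /* 16 x 8 = 128 bytes */
                uint64_t v = toy_next(&state);  /* generator's own output */
                toy_add(&state, v);             /* fed straight back in */
            }
        out[seed] = toy_next(&state);
    }
    qsort(out, SEED_SPACE, sizeof out[0], cmp_u64);
    size_t n = 1;
    for (size_t i = 1; i < SEED_SPACE; i++)
        n += (out[i] != out[i - 1]);
    return n;
}

int main(void) {
    printf("plain:         %zu distinct outputs\n", distinct_outputs(0));
    printf("self-reseeded: %zu distinct outputs\n", distinct_outputs(1));
    return 0;
}
```

Both counts are bounded by the 65536 possible seeds out of 2^64 possible output values; only input from outside the generator, which is what RAND_poll() gathers, can raise that bound.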


Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-12 Thread silvioprog
On Mon, Dec 12, 2016 at 3:04 PM, Salz, Rich  wrote:

> > "In short, I just replaced the RAND_screen() call with RAND_poll(),
> generated a random buffer using RAND_bytes() (based on
> https://wiki.openssl.org/index.php/Random_Numbers#Software) seeding it
> via RAND_add()"
>
> You fed RAND_bytes output back into RAND_add?  That's silly.


Yes. Is it unnecessary? My steps are:

...
- RAND_scree()
+ RAND_poll()
+ RAND_bytes(buf, 128);
+ RAND_add(buf, length(buf), length(buf));
...
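
Review bot: the two added lines `RAND_bytes(buf, 128);` and `RAND_add(buf, length(buf), length(buf));` feed the generator's own output back into it and credit that buffer with entropy equal to its full length, which adds nothing beyond what RAND_poll() already gathered. Drop both lines and keep only the RAND_poll() call, checking that it returns 1 before any TLS work starts. The removed line also reads `RAND_scree()` where the original call is RAND_screen().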

(I noticed I sent the wrong patch; the correct one declares the RAND_bytes func
^^' )

-- 
Silvio Clécio


Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-12 Thread silvioprog
Oops,

I meant:

"In short, I just replaced the RAND_screen() call with RAND_poll(),
generated a random buffer using RAND_bytes() (based on
https://wiki.openssl.org/index.php/Random_Numbers#Software) seeding it via
RAND_add()"

On Mon, Dec 12, 2016 at 2:46 PM, silvioprog <silviop...@gmail.com> wrote:
[...]

> In short, I just removed the RAND_screen() call, generated a random buffer
> using RAND_bytes() (based on https://wiki.openssl.org/
> index.php/Random_Numbers#Software) seeding via RAND_add().
>

-- 
Silvio Clécio


Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-12 Thread silvioprog
Finally I think I solved this problem! :-)

This is the patch I'm going to send to the `ssl_openssl_lib` authors:
http://pastebin.com/VgSpnwxB .

In short, I just removed the RAND_screen() call, generated a random buffer
using RAND_bytes() (based on
https://wiki.openssl.org/index.php/Random_Numbers#Software) seeding via
RAND_add().

Thanks a lot for the help, dudes! :-)

On Sun, Dec 4, 2016 at 12:01 AM, silvioprog <silviop...@gmail.com> wrote:

> Thanks for sharing the links, I'm going to check them.
>
> The original code calls RAND_screen() only once in the app initialization,
> so can I replace it with RAND_add()? (I'm a newbie on SSL)
>
> I've noticed the application is just a HTTP client consuming some web
> services via HTTPS. It doesn't call explicitly any OpenSSL random function,
> so I think it uses the default OpenSSL configurations.
>
> On Sat, Dec 3, 2016 at 3:42 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
> [...]
>
>> Also see https://wiki.openssl.org/index.php/Library_Initialization and
>> https://wiki.openssl.org/index.php/Random_Numbers#Windows_Issues.
>>
>> The short of it is, you should stop relying on auto-initialization of
>> the RNG, and seed it yourself with a call to `RAND_add`.
>>
>> Jeff
>
>
-- 
Silvio Clécio


Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-03 Thread silvioprog
Thanks for sharing the links, I'm going to check them.

The original code calls RAND_screen() only once in the app initialization,
so can I replace it with RAND_add()? (I'm a newbie on SSL)

I've noticed the application is just a HTTP client consuming some web
services via HTTPS. It doesn't call explicitly any OpenSSL random function,
so I think it uses the default OpenSSL configurations.

On Sat, Dec 3, 2016 at 3:42 PM, Jeffrey Walton  wrote:
[...]

> Also see https://wiki.openssl.org/index.php/Library_Initialization and
> https://wiki.openssl.org/index.php/Random_Numbers#Windows_Issues.
>
> The short of it is, you should stop relying on auto-initialization of
> the RNG, and seed it yourself with a call to `RAND_add`.
>
> Jeff


-- 
Silvio Clécio


Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-03 Thread silvioprog
Thanks for replying!

I found two libraries at application's directory: libeay32.dll and
ssleay32.dll, both with file version 0.9.8.14 and product version 0.9.8n.

I totally agree about properly initializing the random number generator,
however I don't know how to do that yet. That code I'm using is a third
party Pascal binding for the OpenSSL C library, and I've noticed that many
other packages were based on that implementation too (eg:
https://github.com/graemeg/freepascal/blob/master/packages/openssl/src/openssl.pas#L4442
- it seems based on an old LibOpenSsl version).

The application I'm fixing uses the same file as the link above, and I can
edit it without problems. I removed the line RAND_screen and now the
application initializes fast, but I'm not sure if it will turn my
application vulnerable.

If I manage to solve it, I will try to share a patch with the authors of
these bindings.

On Sat, Dec 3, 2016 at 2:34 PM, Salz, Rich  wrote:

> What version of openssl are you using?  Current versions do not call
> RAND_screen or other long-term heap-walking on Windows.
>
>
>
> You absolutely **must** properly initialize the random number generator.
> If you fail to do that, attackers can guess the keys that you use.  You
> will be providing only the illusion of security.
>
>
>
> Please pass this along to that other app.  What it, and you, are doing is
> horrible.
>
>
>
> --
>
> Senior Architect, Akamai Technologies
>
> Member, OpenSSL Dev Team
>
> IM: richs...@jabber.at Twitter: RichSalz
>

-- 
Silvio Clécio


[openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

2016-12-03 Thread silvioprog
Hello all,

I'm trying to speed up the initialization of a legacy HTTP client
application. Debugging that code, I found the following functions being
called at each application startup:

  initialization
SSL_library_init()
SSL_load_error_strings()
OpenSSL_add_all_algorithms()
RAND_screen()

however, the execution of RAND_screen() takes about 3 seconds.

The first idea was commenting this line, but I don't know if I really can
do that. After some "googling" I found someone doing something like this:

  initialization
SSL_library_init()
SSL_load_error_strings()
OpenSSL_add_all_algorithms()
//RAND_screen()
unsigned char c;
RAND_bytes(&c, 1);

anyway I don't know if it is really necessary, so I just commented out the
RAND_screen() line without adding this call to RAND_bytes().

So I have a question: do I really need to call some function like RAND_* at
each application initialization?

This project has that same initialization:
https://github.com/svn2github/Ararat-Synapse/blob/master/trunk/ssl_openssl_lib.pas#L2001
.

--
Silvio Clécio