Thanks for replying!
I found two libraries at application's directory: libeay32.dll and ssleay32.dll, both with file version 0.9.8.14 and product version 0.9.8n.
I totally agree about properly initializing the random number generator, however I don't know how to do that yet. That code I'm using is a third party Pascal binding for the OpenSSL C library, and I've noticed that many other packages was based on that implementation too (eg: https://github.com/graemeg/freepascal/blob/master/packages/openssl/src/openssl.pas#L4442 - it seems based on an old LibOpenSsl version).
The application I'm fixing uses the same file this link above, and I can edit it without problems. I removed the line RAND_screen and now the application initializes fast, but I'm not sure if it will turn my application vulnerable.
If I get to solve it I will try some patch sharing it to the authors of these bindings.
On Sat, Dec 3, 2016 at 2:34 PM, Salz, Rich <rsalz@xxxxxxxxxx> wrote:
What version of openssl are you using? Current versions do not call RAND_screen or other long-term heap-walking on Windows.
You absolutely *must* properly initialize the random number generator. If you fail to do that, attackers can guess the keys that you use. You will be providing only the illusion of security.
Please pass this along to that other app. What it, and you, are doing is horrible.
--
Senior Architect, Akamai Technologies
Member, OpenSSL Dev Team
IM: richsalz@xxxxxxxxx Twitter: RichSalz
Silvio Clécio
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
