<div dir="ltr"><div>Thanks for replying!</div><div><br></div><div>I found two libraries at application's directory: libeay32.dll and ssleay32.dll, both with file version 0.9.8.14 and product version 0.9.8n.</div><div><br></div><div>I totally agree about properly initializing the random number generator, however I don't know how to do that yet. That code I'm using is a third party Pascal binding for the OpenSSL C library, and I've noticed that many other packages was based on that implementation too (eg: <a href="https://github.com/graemeg/freepascal/blob/master/packages/openssl/src/openssl.pas#L4442">https://github.com/graemeg/freepascal/blob/master/packages/openssl/src/openssl.pas#L4442</a> - it seems based on an old LibOpenSsl version).</div><div><br></div><div>The application I'm fixing uses the same file this link above, and I can edit it without problems. I removed the line RAND_screen and now the application initializes fast, but I'm not sure if it will turn my application vulnerable.</div><div><br></div><div>If I get to solve it I will try some patch sharing it to the authors of these bindings.</div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Dec 3, 2016 at 2:34 PM, Salz, Rich <span dir="ltr"><<a href="mailto:rsalz@akamai.com" target="_blank">rsalz@akamai.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div class="gmail-m_-6117875981998210103WordSection1">
<p class="MsoNormal"><span style="font-size:11pt;font-family:calibri,sans-serif;color:rgb(31,73,125)">What version of openssl are you using? Current versions do not call RAND_screen or other long-term heap-walking on Windows.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:calibri,sans-serif;color:rgb(31,73,125)">You absolutely *<b>must</b>* properly initialize the random number generator. If you fail to do that, attackers can guess the keys that you use. You will
be providing only the illusion of security.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:calibri,sans-serif;color:rgb(31,73,125)">Please pass this along to that other app. What it, and you, are doing is horrible.<span class="gmail-HOEnZb"><font color="#888888"><u></u><u></u></font></span></span></p><span class="gmail-HOEnZb"><font color="#888888">
<p class="MsoNormal"><span style="font-size:11pt;font-family:calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:calibri,sans-serif;color:rgb(31,73,125)">--
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:calibri,sans-serif;color:rgb(31,73,125)">Senior Architect, Akamai Technologies<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:calibri,sans-serif;color:rgb(31,73,125)">Member, OpenSSL Dev Team<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:calibri,sans-serif;color:rgb(31,73,125)">IM: <a href="mailto:richsalz@jabber.at" target="_blank">richsalz@jabber.at</a> Twitter: RichSalz</span></p></font></span></div></div></blockquote></div><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div>Silvio Clécio</div></div></div>
</div></div>