Problem - Kevin Tafuro

Recommendations

Info

You can use a whitelist in place of normal certificate verification routines. Whitelists are most often useful in servers that want to authenticate clients, rather than the other way around, but they can be used either way. In server mode, you can use the SSL_VERIFY_PEER flag to request a certificate from the client, but remember that the client does not have to supply a certificate in response to a request. If you want to require that the client respond, you also need to use the SSL_VERIFY_FAIL_IF_NO_ PEER_CERT flag so that the connection is terminated if the client does not send a certificate. The downside to using these flags is that OpenSSLwill attempt to verify the certificate on its own. With a little trickery, we can short-circuit OpenSSL’s certificate verification routines and do a little post-connection verification of our own. We will do this by setting up a verify callback function that always returns success. The verify callback is called for each certificate in the chain when verifying a certificate. It is called with the X509_STORE_CTX containing everything relevant, as well as a boolean indicator of whether OpenSSLhas determined the certificate to be valid or not. Typically, the callback will return the same verification status, but it is not required. The callback can reverse the decision that OpenSSL has made. int spc_whitelist_callback(int ok, X509_STORE_CTX *store) { return 1; } Once the connection has been established, we can get a copy of the peer’s certificate, compute its fingerprint, and compare it against the fingerprints we have in our list. The list can be stored in memory, in a disk file, on a flash memory card, or on some other medium. How the list is stored is irrelevant; what is important is the comparison of fingerprints. The functions shown in the previous code are flexible in that they allow you to choose any message digest algorithm you like. Note, though, that if you are always using the same ones, the functions can be simplified, and you need not keep track of the fingerprint length because you know that a message digest is a fixed size (MD5 is 16 bytes; SHA1 is 20 bytes). The following snippet of code roughly demonstrates the work that needs to be done to employ whitelist-based certificate verification: int fingerprint_length; SSL *ssl; EVP_MD *digest; SSL_CTX *ctx; unsigned char fingerprint[EVP_MAX_MD_SIZE]; spc_x509store_t spc_store; spc_init_x509store(&spc_store); spc_x509store_setcallback(&spc_store, spc_whitelist_callback); spc_x509store_setflags(&spc_store, SPC_X509STORE_SSL_VERIFY_PEER | SPC_X509STORE_SSL_VERIFY_FAIL_IF_NO_PEER_CERT); ctx = spc_create_sslctx(&spc_store); /* use the ctx to establish a connection. This will yield an SSL object */ cert = SSL_get_peer_certificate(ssl); 546 | Chapter 10: Public Key Infrastructure This is the Title of the Book, eMatter Edition Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
digest = EVP_sha1( ); fingerprint_length = sizeof(fingerprint); spc_fingerprint_cert(cert, digest, fingerprint, &fingerprint_length); /* use the fingerprint to compare against the list of known cert fingerprints */ 10.10 Obtaining Certificate Revocation Lists with OpenSSL <strong>Problem</strong> You have a certificate that you want to verify, as well as the certificate that was used to issue it, but you need to check the issuing authority’s CRLto make sure that the certificate has not been revoked. We cover how to use a CRLonce you have it in Recipe 10.5—but how do you get it in the first place? Solution All CAs should publish a CRLfor each certificate used for issuing certificates, but many do not seem to. In fact, most CAs make it very difficult to find the CRLs they do publish, so it is easy to come to the conclusion that they do not publish a CRLat all. It turns out that some CAs do not publish a CRL, but the most prominent of CAs all do. Unfortunately, the CAs that do make it easy to find their CRLs are in the minority. We have spent a sizable amount of time attempting to track down CRLs for each of the certificates we have listed in Recipe 10.3, as well as numerous others with which we had no success. We have also managed to find many CRLs for which we were unable to find matching issuing certificates, but we have omitted them here. Many of them can be found at http://www.openvalidation.org. Note that many CAs require acceptance of a licensing agreement before you’re allowed to download their CRLs. You should make sure to check the information that we provide here before you use it, to ensure that you have the legal right to use the data and that the CA has not changed the location of their URLs since this book went to press. We have found many certificates that contain cRLDistributionPoints extensions in them where the URLwas no longer valid. It may be that the URLs are invalid because no CRLhas ever been issued; however, to avoid any possible confusion, it would be better for these CAs to issue an empty CRL. Discussion To obtain a CRL, first check the certificate and its issuing certificate for a cRLDistributionPoints extension that contains a URI GeneralName. This extension is defined in RFC 3280, and it specifies a way for CAs to communicate the location of Obtaining Certificate Revocation Lists with OpenSSL | 547 This is the Title of the Book, eMatter Edition Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
Page 3 and 4:
Secure Programming Cookbook ΤΜ fo
Page 5 and 6:
Secure Programming CookbookΤΜ for
Page 7 and 8:
Table of Contents Foreword . . . .
Page 9 and 10:
5.8 Using a Generic OFB Mode Implem
Page 11 and 12:
8.10 Performing Password-Based Auth
Page 13:
12.10 Restructuring Arrays 672 12.1
Page 16 and 17:
they are in the top 50% of safe dri
Page 18 and 19:
think you are in, you will probably
Page 20 and 21:
the C programming language, with so
Page 22 and 23:
igger risks than anticipated. You s
Page 24 and 25:
Recipe Compatibility Most of the re
Page 26 and 27:
The O’Reilly web site for the boo
Page 29 and 30:
Chapter 1 CHAPTER 1 Safe Initializa
Page 31 and 32:
using the code in this recipe on Wi
Page 33 and 34:
variables you preserve, be sure to
Page 35 and 36:
ptr = (char *)new_environ + (arr_si
Page 37 and 38:
an impersonation token for a thread
Page 39 and 40:
Creating a new process with a restr
Page 41 and 42:
array that is the Privileges field.
Page 43 and 44:
eturn 0; } if (!LookupAccountName(0
Page 45 and 46:
privileges. We strongly advise agai
Page 47 and 48:
#include #include #include #incl
Page 49 and 50:
sockets provide a means by which fi
Page 51 and 52:
The privman library provides a numb
Page 53 and 54:
The potential for security vulnerab
Page 55 and 56:
It’s important to remember that t
Page 57 and 58:
Discussion execve( ) is the system
Page 59 and 60:
should call pclose( ) to clean up t
Page 61 and 62:
dup2(stdout_pipe[1], 1); close(stdo
Page 63 and 64:
lpCommandLine Any command-line argu
Page 65 and 66:
#include #include #include void
Page 67 and 68:
and a saved user ID. * The effectiv
Page 69 and 70:
See Also Recipes 1.3, 1.4, 2.8 2.2
Page 71 and 72:
of the object, regardless of what t
Page 73 and 74:
There are many other situations whe
Page 75 and 76:
if (!(fd = opendir("."))) break; if
Page 77 and 78:
spc_file_wipe( ) A wrapper around t
Page 79 and 80:
if (pattern_pass(fd, buf, sizeof(bu
Page 81 and 82:
CryptReleaseContext(hProvider, 0);
Page 83 and 84:
2.7 Restricting Access Permissions
Page 85 and 86:
eset the umask between your adjustm
Page 87 and 88:
Locking files on Windows Where Unix
Page 89 and 90:
NFS older than Version 3 in particu
Page 91 and 92:
a loop until all the data is read.
Page 93 and 94:
if (!(hResourceLock = CreateMutex(0
Page 95 and 96:
generator. The code presented here
Page 97 and 98:
access to the filesystem, the poten
Page 99 and 100:
Chapter 3 CHAPTER 3 Input Validatio
Page 101 and 102:
components of the system are truste
Page 103 and 104:
try to use them. For example, what
Page 105 and 106:
To combat malicious uses of “%n
Page 107 and 108:
Discussion Buffer overflows get a l
Page 109 and 110:
Unfortunately, strlcpy( ) and strlc
Page 111 and 112:
The second problem area occurs when
Page 113 and 114:
(see Recipe 3.2). The format-string
Page 115 and 116:
safestr_release( ) or safestr_free(
Page 117 and 118:
Solution Unfortunately, integer coe
Page 119 and 120:
which the records begin. Generally,
Page 121 and 122:
pointer or a different value altoge
Page 123 and 124:
if (!(new_environ = (char **)malloc
Page 125 and 126:
if (spc_environ) free(environ); env
Page 127 and 128:
GetFullPathName( ) requires the len
Page 129 and 130:
if (*c != '%' || !isxdigit(c[1]) ||
Page 131 and 132:
3.10 Preventing Cross-Site Scriptin
Page 133 and 134:
* These are HTML tags that do not t
Page 135 and 136:
*ptr++ = *c; } while (*++c != ’>
Page 137 and 138:
Finally, if you are using the LIKE
Page 139 and 140:
Table 3-2. UTF-8 encoding byte sequ
Page 141 and 142:
the connections to the server. The
Page 143 and 144:
SPC_FD_SET read_mask; for (;;) { sp
Page 145 and 146:
To ensure that you choose the right
Page 147 and 148:
See Also Recipe 13.2 4.2 Generating
Page 149 and 150:
This function takes the following a
Page 151 and 152:
} break; default: if (isspace(p[0])
Page 153 and 154:
*p = 0; return output; } } } The pu
Page 155 and 156:
} return result; case -1: if (stric
Page 157 and 158:
#define MAX_WORDLEN 4 /* len parame
Page 159 and 160:
Discussion This function spc_words2
Page 161 and 162:
4.9 Using Salts, Nonces, and Initia
Page 163 and 164:
the lifetime of the key; the counte
Page 165 and 166:
#include #include #include #incl
Page 167 and 168:
#include #include /* This value n
Page 169 and 170:
} CryptReleaseContext(hProvider, hK
Page 171 and 172:
cryptographic one-way hash from a t
Page 173 and 174:
HMAC_CTX c; unsigned long ctr = 0,
Page 175 and 176:
database does not support binary st
Page 177 and 178:
Remember to use a MAC anytime you e
Page 179 and 180:
For many different reasons, it can
Page 181 and 182:
A more portable but less accurate w
Page 183 and 184:
Chapter 5 CHAPTER 5 Symmetric Encry
Page 185 and 186:
Discussion Be sure to read this dis
Page 187 and 188:
Pentium III, which should give a go
Page 189 and 190:
locations where 40-bit keys or 56-b
Page 191 and 192:
can arise. For general-purpose use,
Page 193 and 194:
or similar mechanism is used. As wi
Page 195 and 196:
shares many properties with CTR mod
Page 197 and 198:
case, the faster of the two algorit
Page 199 and 200:
parison to standard modes. As of th
Page 201 and 202:
work, which severely limits portabi
Page 203 and 204:
Table 5-4. Implementations for the
Page 205 and 206:
Plaintext block 1 Plaintext block 2
Page 207 and 208:
typedef struct { SPC_KEY_SCHED ks;
Page 209 and 210:
If you are using padding and you kn
Page 211 and 212:
This function has the following arg
Page 213 and 214:
if (ol) *ol = out - start; return 1
Page 215 and 216:
that the state function is always r
Page 217 and 218:
Note that this code depends on the
Page 219 and 220:
if (!il--) return 1; ctx->nonce[ctx
Page 221 and 222:
one block at a time, by encrypting
Page 223 and 224:
spc_memset(key,0, kl); memcpy(ctx->
Page 225 and 226:
5.9 Using a Generic CTR Mode Implem
Page 227 and 228:
These two functions also erase the
Page 229 and 230:
we ignore that because it will alwa
Page 231 and 232:
Once those bindings are made, the Z
Page 233 and 234:
output Buffer into which the plaint
Page 235 and 236:
eturn the number of valid bytes in
Page 237 and 238:
In CBC, CFB, and OFB modes, encrypt
Page 239 and 240:
void spc_pctr_do_odd(SPC_CTR2_CTX *
Page 241 and 242:
5.15 Performing File or Disk Encryp
Page 243 and 244:
Therefore, we’ll show you LION, b
Page 245 and 246:
} RC4_set_key(&k, HASH_SZ, (char *)
Page 247 and 248:
techniques from Chapter 8), the key
Page 249 and 250:
communicate asynchronously (that is
Page 251 and 252:
key Pointer to the encryption key t
Page 253 and 254:
Table 5-6. Cipher instantiation ref
Page 255 and 256:
While RC2, RC4, and RC5 support abs
Page 257 and 258:
The function EVP_CIPHER_CTX_ctrl( )
Page 259 and 260:
Discussion As a reminder, use a raw
Page 261 and 262:
ol = 0; if (!(ret = (char *)malloc(
Page 263 and 264:
The “official” RC4 key setup fu
Page 265 and 266:
Discussion One-time pads are provab
Page 267 and 268:
Once a provider context has been su
Page 269 and 270:
Table 5-8. Symmetric ciphers suppor
Page 271 and 272:
hKey Key to use for performing the
Page 273 and 274:
if (!CryptAcquireContext(&hProvider
Page 275 and 276:
exportable from key objects, but th
Page 277 and 278:
Chapter 6 CHAPTER 6 Hashes and Mess
Page 279 and 280:
Generally, you should prefer an enc
Page 281 and 282:
See Also Recipes 6.7, 6.8, 6.12 6.2
Page 283 and 284:
Noncorrelation It should also be co
Page 285 and 286:
Let’s look briefly at the pros an
Page 287 and 288:
Solution In most cases, instead of
Page 289 and 290:
MAC (which we recommend), we strong
Page 291 and 292:
Libraries with cryptographic hash f
Page 293 and 294:
#include int main(int argc, char *
Page 295 and 296:
See Also Implementations of SHA-256
Page 297 and 298:
CryptAcquireContext(&hProvider, 0,
Page 299 and 300:
To ensure the best security, we str
Page 301 and 302:
if (!(vfy = (unsigned char *)malloc
Page 303 and 304:
you might use a library such as Ope
Page 305 and 306:
Otherwise, you can use the HMAC imp
Page 307 and 308:
if (klen inner[i] ^= key[i]; ctx->o
Page 309 and 310:
OMAC has been explicitly specified
Page 311 and 312:
unsigned char c1[SPC_BLOCK_SZ]; /*
Page 313 and 314:
ing the all-zero data block. Each p
Page 315 and 316:
CMAC is the message-integrity compo
Page 317 and 318:
To postprocess, we encrypt the hash
Page 319 and 320:
6.15 Constructing a Hash Function f
Page 321 and 322:
unsigned char b[SPC_KEY_SZ]; size_t
Page 323 and 324:
Figure 6-2. The Mayas-Meyer-Oseas c
Page 325 and 326:
c->ix = 0; c->tl = 0; } static void
Page 327 and 328:
modes such as CWC and CCM are start
Page 329 and 330:
authentication in a straightforward
Page 331 and 332:
SPC_HMAC_Reset(&ctx); SPC_HMAC_Upda
Page 333 and 334:
divide up the data stream between t
Page 335 and 336:
Chapter 7 CHAPTER 7 Public Key Cryp
Page 337 and 338:
The code presented in this chapter
Page 339 and 340:
Because public key encryption is so
Page 341 and 342:
Solution There’s some debate on t
Page 343 and 344:
7.4 Manipulating Big Numbers Proble
Page 345 and 346:
There’s a similar function for as
Page 347 and 348:
Additionally, you can ask for a ran
Page 349 and 350:
In addition, you might wish to test
Page 351 and 352:
Table 7-2. Math operations supporte
Page 353 and 354:
313, 317, 331, 337, 347, 349, 353,
Page 355 and 356:
for (b = 0; !BN_is_odd(x); b++) BN_
Page 357 and 358:
BIGNUM *dP, *dQ, *qInv; } RSA_PRIVA
Page 359 and 360:
This would map to the hexadecimal v
Page 361 and 362:
compute d. Without those two primes
Page 363 and 364:
The constants that may be used to s
Page 365 and 366:
When using OpenSSL, decryption can
Page 367 and 368:
ecommend using it, unless you are c
Page 369 and 370:
ture is valid. A successful check w
Page 371 and 372:
et = RSA_verify(NID_sha1, hash, 20,
Page 373 and 374:
#define MIN(x,y) ((x) > (y) ? (y) :
Page 375 and 376:
memcpy(signedtext, decrypt, 16); if
Page 377 and 378:
h_ret Optional argument that, if no
Page 379 and 380:
siglen The number of bytes written
Page 381 and 382:
data ready to go into the certifica
Page 383 and 384:
ut it requires you to pass in the l
Page 385 and 386:
LjKQ2r1Yt9foxbHdLKZeClqZuzN7PoEmy+b
Page 387 and 388:
ing in data, pass in a pointer to a
Page 389 and 390:
Table 7-6 lists the FILE object-bas
Page 391 and 392:
Solution The correct method depends
Page 393 and 394:
Use across applications For some pe
Page 395 and 396:
key agreement protocol, where both
Page 397 and 398:
consider slightly more sophisticate
Page 399 and 400:
Kerberos does assume that the envir
Page 401 and 402:
The function used to look up user i
Page 403 and 404:
The group structure that is returne
Page 405 and 406:
found, NULL will be returned, and G
Page 407 and 408:
ReferencedDomainName = (LPTSTR)Loca
Page 409 and 410:
if (errno != EINTR && errno != EAGA
Page 411 and 412:
if (!(spc_host_rulecount % 256)) {
Page 413 and 414:
} else { if (inet_addr(tmp) = = INA
Page 415 and 416:
8.5 Generating Random Passwords and
Page 417 and 418:
for this list is not insignificant.
Page 419 and 420:
file, it may allocate a sizable amo
Page 421 and 422:
On Windows, you can use the standar
Page 423 and 424:
Once getpass( ) or readpassphrase(
Page 425 and 426:
ters typed by the user. Instead, th
Page 427 and 428:
compute the future time at which th
Page 429 and 430:
decrypt the encrypted data. To make
Page 431 and 432:
On systems that support MCF through
Page 433 and 434:
for (i = 0; i < 1000; i++) { MD5_In
Page 435 and 436:
CryptHashData(hHash1, lpszKey, dwKe
Page 437 and 438:
Solution Use the PBKDF2 method of c
Page 439 and 440:
Verifying a password encrypted usin
Page 441 and 442:
c Pointer to an integer that will r
Page 443 and 444:
each of these pieces of information
Page 445 and 446:
server-side part of the authenticat
Page 447 and 448:
8.14 Authenticating with HTTP Cooki
Page 449 and 450:
char *spc_cookie_encode(char *cooki
Page 451 and 452:
• Let the salt be public, in whic
Page 453 and 454:
extra Additional application-specif
Page 455 and 456:
xl Pointer into which the length of
Page 457 and 458:
With a valid socket descriptor in h
Page 459 and 460:
11. The client and the server compu
Page 461 and 462:
Some people like to use a fixed mod
Page 463 and 464:
Often, you’ll want to generate a
Page 465 and 466:
Discussion Remember, authentication
Page 467 and 468:
• Provide the user with some way
Page 469 and 470:
if (!fgets(answer, sizeof(answer),
Page 471 and 472:
uffer = (char *)realloc(buffer, buf
Page 473 and 474:
compromise. If our system has such
Page 475 and 476:
When using RSA, if you’re doing o
Page 477 and 478:
see the confirmation request and th
Page 479 and 480:
Upon receipt of a response to a con
Page 481 and 482:
BOOL SpcConfirmationCreate(LPCTSTR
Page 483 and 484:
Additionally, over time, SSPI-speci
Page 485 and 486:
if (!spc_verify_cert_hostname(SSL_g
Page 487 and 488:
The next step is to call spc_accept
Page 489 and 490:
Discussion Session caching is norma
Page 491 and 492:
if (BIO_do_connect(conn)
Page 493 and 494:
The next step is to connect to the
Page 495 and 496:
DWORD dwHeadersLength = 0; LPSTR lp
Page 497 and 498:
attempt to develop and debug SSL-en
Page 499 and 500:
API for encryption and decryption,
Page 501 and 502:
memcpy(in_data.data, inbuf, inlen);
Page 503 and 504:
*outlen = out_data.length - (blksz
Page 505 and 506:
so. Likewise, any process with the
Page 507 and 508:
struct sockaddr_un *addr_unix; *dom
Page 509 and 510:
error_exit: if (sock) spc_socket_cl
Page 511 and 512:
different ways. On FreeBSD systems,
Page 513 and 514:
msg.msg_iov->iov_base = (void *)&sy
Page 515 and 516:
it’s unique and unpredictable! Yo
Page 517 and 518:
if (mysql_real_connect(mysql, host,
Page 519 and 520:
maintenance. Adding or removing ser
Page 521 and 522:
ut they shouldn’t tolerate reorde
Page 523 and 524: #define SPC_CLIENT_DISTINGUISHER 0x
Page 525 and 526: } static void spc_ssock_write( int
Page 527 and 528: while (mlen) { if ((r = read(fd, ms
Page 529 and 530: In such cases, you need to be able
Page 531 and 532: Discussion One of the big motivator
Page 533 and 534: A digital certificate contains info
Page 535 and 536: Certificate revocation What happens
Page 537 and 538: cate as long as it still has its pr
Page 539 and 540: Currently, OCSP is not nearly as wi
Page 541 and 542: ple is the permissible uses for a c
Page 543 and 544: automated email to the address you
Page 545 and 546: The type of code-signing certificat
Page 547 and 548: 10.3 Using Root Certificates Proble
Page 549 and 550: Table 10-1. CA certificates, their
Page 551 and 552: ights of the entity tied to that ce
Page 553 and 554: 10.5 Performing X.509 Certificate V
Page 555 and 556: sk_X509_free(spc_store->crls); sk_X
Page 557 and 558: X509_LOOKUP *lookup; store = X509_S
Page 559 and 560: CertGetIssuerCertificateFromStore(
Page 561 and 562: HCERTSTORE hCertStore; PCCERT_CONTE
Page 563 and 564: See Also Recipe 10.11 10.7 Verifyin
Page 565 and 566: SPC_X509STORE_SSL_VERIFY_NONE This
Page 567 and 568: verify_flags |= SSL_VERIFY_FAIL_IF_
Page 569 and 570: int spc_verify_cert_hostname(X509 *
Page 571 and 572: for (i = 0; !bResult && i < pNameIn
Page 573: only work you really need to do is
Page 577 and 578: if (cert && (uri = get_distribution
Page 579 and 580: "\xb3\x9c\x25\xb1\xc3\x2e\x32\x53\x
Page 581 and 582: headerlen -= (*datalen + 2); if (*d
Page 583 and 584: In this recipe, we have used a numb
Page 585 and 586: { "\x8d\x26\xff\x2f\x31\x6d\x59x\29
Page 587 and 588: LocalFree(pvStructInfo); return 0;
Page 589 and 590: lpFullBuffer = lpNewBuffer; lpBuffe
Page 591 and 592: of tunable variables that affect th
Page 593 and 594: SPC_OCSPRESULT_CERTIFICATE_VALID =
Page 595 and 596: * All done. Set the return code bas
Page 597 and 598: Solution There are essentially thre
Page 599 and 600: the byte is even, he reduces the nu
Page 601 and 602: See Also Recipes 11.16, 11.18, 11.1
Page 603 and 604: 11.3 Using the Standard Unix Random
Page 605 and 606: a pointer to data. Instead, they re
Page 607 and 608: if (errno = = EINTR) continue; perr
Page 609 and 610: Here we show how to use this functi
Page 611 and 612: attacks are a realistic threat, you
Page 613 and 614: This function never fails (save for
Page 615 and 616: Using a stream cipher as a generato
Page 617 and 618: One very safe way to use a cryptogr
Page 619 and 620: out Buffer into which the random da
Page 621 and 622: 1. Figure out how big a seed you ne
Page 623 and 624: 0x00 Query the amount of entropy be
Page 625 and 626:
strncpy(a.sun_path, EGD_SOCKET_PATH
Page 627 and 628:
} } while (nb = = -1); } } } See Al
Page 629 and 630:
nbytes Number of bytes of entropy t
Page 631 and 632:
See Also • EGADS by Secure Softwa
Page 633 and 634:
If the generator is not seeded with
Page 635 and 636:
Discussion In all cases, you will s
Page 637 and 638:
Solution Because of the way that fl
Page 639 and 640:
double spc_rand_cunifvariate(double
Page 641 and 642:
See Also Recipe 11.11 11.16 Compres
Page 643 and 644:
It would be nice if you did not hav
Page 645 and 646:
For this reason, we think the full
Page 647 and 648:
} int cur_val, i, j, runsz; unsigne
Page 649 and 650:
See Also • NIST Cryptographic Mod
Page 651 and 652:
ecause even if a source does fail c
Page 653 and 654:
you use a seed file, you can just c
Page 655 and 656:
• If you have to accept data from
Page 657 and 658:
with a high-resolution clock (i.e.,
Page 659 and 660:
Collecting entropy from the keyboar
Page 661 and 662:
f[c + 2] = '>'; } else snprintf(bf,
Page 663 and 664:
SpcGatherKeyboardEntropy( ) uses th
Page 665 and 666:
} } if (hWndParent) EnableWindow(hW
Page 667 and 668:
number of bits of entropy has been
Page 669 and 670:
} return TRUE; pDlgData->cbRequeste
Page 671 and 672:
See Also Recipes 11.19, 11.20 11.22
Page 673 and 674:
Discussion We strongly recommend th
Page 675 and 676:
Chapter 12 CHAPTER 12 Anti-Tamperin
Page 677 and 678:
tecture-specific checks to determin
Page 679 and 680:
ure or to examine a hardware valida
Page 681 and 682:
• Detecting modification to a com
Page 683 and 684:
for (j = 8; j > 0; j--) { if (crc &
Page 685 and 686:
#include CRC_START_BLOCK(test) int
Page 687 and 688:
Solution Obfuscating compiled code
Page 689 and 690:
" movl 0f( , %%ebx ), %%eax \n\t" \
Page 691 and 692:
Because library functions are loade
Page 693 and 694:
encoded as a series of 32 Obcode bi
Page 695 and 696:
12.5 Performing Constant Transforms
Page 697 and 698:
12.7 Splitting Variables Problem La
Page 699 and 700:
12.9 Using Function Pointers Proble
Page 701 and 702:
arrays. This array type will hide t
Page 703 and 704:
eak; case SPC_ARRAY_FOLD: index = (
Page 705 and 706:
The following example demonstrates
Page 707 and 708:
Discussion The techniques for hidin
Page 709 and 710:
12.12 Detecting Debuggers Problem S
Page 711 and 712:
Discussion The spc_trap_detect( ) f
Page 713 and 714:
12.14 Detecting Windows Debuggers P
Page 715 and 716:
The int3 interface can also be used
Page 717 and 718:
To demonstrate the effect this macr
Page 719 and 720:
08048388 83 db 83h ; â 08048389 7D
Page 721 and 722:
ine the instruction making the refe
Page 723 and 724:
mprotect(buf, buf_len, PROT_READ |
Page 725 and 726:
eturn 4; } /* get entry point : her
Page 727 and 728:
need to use one of the three ring3
Page 729 and 730:
cates failure, it’s likely that n
Page 731 and 732:
tion gets caught. The only ways to
Page 733 and 734:
memory location will generally stil
Page 735 and 736:
eturn dst; } volatile void *spc_mem
Page 737 and 738:
The mlock( ) system call on Unix im
Page 739 and 740:
Discussion Both C and C++ allow the
Page 741 and 742:
Do not share signal handlers. Sever
Page 743 and 744:
#endif } static int signal_was_caug
Page 745 and 746:
paper reached the widest audience,
Page 747 and 748:
The proper way to handle a program
Page 749 and 750:
handles[0] = cond; handles[1] = mut
Page 751 and 752:
#ifndef WIN32 pool->tids = (pthread
Page 753 and 754:
#define SPC_ACQUIRE_MUTEX(mtx) pthr
Page 755 and 756:
if (socketpool_limit > 0 && socketp
Page 757 and 758:
Table 13-1. Resources that may be l
Page 759 and 760:
ability to run. The default limits
Page 761 and 762:
Note that the structures as present
Page 763 and 764:
access to the machine. This makes i
Page 765:
ing log entries. It is possible, ho
Page 768 and 769:
attacks (continued) capture replay
Page 770 and 771:
CFB (Cipher Feedback) mode, 167, 18
Page 772 and 773:
deriving symmetric keys from a pass
Page 774 and 775:
EVP_CIPHER_CTX_set_padding( ), 227
Page 776 and 777:
integrity checking cipher modes, 16
Page 778 and 779:
message digests (continued) desirab
Page 780 and 781:
parallelizing MACs, 304 parent and
Page 782 and 783:
RAND_bytes( ), 604 RAND_load_file(
Page 784 and 785:
session ID context, 461 session IDs
Page 786 and 787:
spc_gather_keyboard_entropy( ), 631
Page 788 and 789:
symmetric cryptography, 116-154 alg
Page 790 and 791:
Windows (continued) Win 2000, restr
Page 792:
oads. They will often travel up to
show all

Problem - Kevin Tafuro

Create successful ePaper yourself

Delete template?

Save as template?