diff options
author | Lev Stipakov | 2021-06-17 09:12:26 +0300 |
---|---|---|
committer | Gert Doering | 2021-06-17 10:39:29 +0200 |
commit | abd5ee9b7dc4ba85438da5d16bb7dfb31714dac7 (patch) | |
tree | 19a08fb2c8488e4e48a116f6e0e1b44f2c626135 /src/openvpn/crypto_openssl.c | |
parent | 063d55afeea723fc6df0af29a19df257a8ab6920 (diff) | |
download | openvpn-abd5ee9b7dc4ba85438da5d16bb7dfb31714dac7.zip openvpn-abd5ee9b7dc4ba85438da5d16bb7dfb31714dac7.tar.gz |
crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606)
Commit a4071b ("crypto_openssl: add initialization to pick up local
configuration") added openssl initialization to load configuration
file. However on Windows this file is loaded from user-writable
directory, such as c:\etc\ssl for mingw builds and (for example)
c:\vcpkg\packages\openssl_x64-windows\openvpn.cnf for vcpkg
builds. This could be a security risk.
CVE-2121-3606 has been assigned to acknowledge this risk.
Since aforementioned commit implements a niche feature which might
be better solved with CryptoAPI on Windows, make this code conditional
(for now).
CVE: 2121-3606
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210617061226.244-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22568.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/crypto_openssl.c')
-rw-r--r-- | src/openvpn/crypto_openssl.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index c571030..603c67b 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -154,11 +154,13 @@ crypto_init_lib_engine(const char *engine_name) void crypto_init_lib(void) { +#ifndef _WIN32 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); #else OPENSSL_config(NULL); #endif +#endif /* _WIN32 */ /* * If you build the OpenSSL library and OpenVPN with * CRYPTO_MDEBUG, you will get a listing of OpenSSL |