mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 03:52:28 +02:00
crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606)
Commit a4071b ("crypto_openssl: add initialization to pick up local configuration") added openssl initialization to load configuration file. However on Windows this file is loaded from user-writable directory, such as c:\etc\ssl for mingw builds and (for example) c:\vcpkg\packages\openssl_x64-windows\openvpn.cnf for vcpkg builds. This could be a security risk. CVE-2121-3606 has been assigned to acknowledge this risk. Since aforementioned commit implements a niche feature which might be better solved with CryptoAPI on Windows, make this code conditional (for now). CVE: 2121-3606 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20210617061226.244-1-lstipakov@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22568.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
parent
063d55afee
commit
abd5ee9b7d
@ -154,11 +154,13 @@ crypto_init_lib_engine(const char *engine_name)
|
||||
void
|
||||
crypto_init_lib(void)
|
||||
{
|
||||
#ifndef _WIN32
|
||||
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
|
||||
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
|
||||
#else
|
||||
OPENSSL_config(NULL);
|
||||
#endif
|
||||
#endif /* _WIN32 */
|
||||
/*
|
||||
* If you build the OpenSSL library and OpenVPN with
|
||||
* CRYPTO_MDEBUG, you will get a listing of OpenSSL
|
||||
|
Loading…
Reference in New Issue
Block a user