crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606)
Commit a4071b ("crypto_openssl: add initialization to pick up local
configuration") added openssl initialization to load configuration
file. However on Windows this file is loaded from user-writable
directory, such as c:\etc\ssl for mingw builds and (for example)
c:\vcpkg\packages\openssl_x64-windows\openvpn.cnf for vcpkg
builds. This could be a security risk.
CVE-2121-3606 has been assigned to acknowledge this risk.
Since aforementioned commit implements a niche feature which might
be better solved with CryptoAPI on Windows, make this code conditional
(for now).
CVE: 2121-3606
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210617061226.244-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22568.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov authored on 2021/06/17 15:12:26Showing 1 changed files
| ... | ... |
@@ -154,11 +154,13 @@ crypto_init_lib_engine(const char *engine_name) |
| 154 | 154 |
void |
| 155 | 155 |
crypto_init_lib(void) |
| 156 | 156 |
{
|
| 157 |
+#ifndef _WIN32 |
|
| 157 | 158 |
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) |
| 158 | 159 |
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); |
| 159 | 160 |
#else |
| 160 | 161 |
OPENSSL_config(NULL); |
| 161 | 162 |
#endif |
| 163 |
+#endif /* _WIN32 */ |
|
| 162 | 164 |
/* |
| 163 | 165 |
* If you build the OpenSSL library and OpenVPN with |
| 164 | 166 |
* CRYPTO_MDEBUG, you will get a listing of OpenSSL |