From: Lev Stipakov <lev@openvpn.net>
Date: Thu, 17 Jun 2021 06:12:26 +0000 (+0300)
Subject: crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606)
X-Git-Tag: v2.6_beta1~475
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=abd5ee9b7dc4ba85438da5d16bb7dfb31714dac7;p=thirdparty%2Fopenvpn.git

crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606)

Commit a4071b ("crypto_openssl: add initialization to pick up local
configuration") added openssl initialization to load configuration
file.  However on Windows this file is loaded from user-writable
directory, such as c:\etc\ssl for mingw builds and (for example)
c:\vcpkg\packages\openssl_x64-windows\openvpn.cnf for vcpkg
builds.  This could be a security risk.

CVE-2121-3606 has been assigned to acknowledge this risk.

Since aforementioned commit implements a niche feature which might
be better solved with CryptoAPI on Windows, make this code conditional
(for now).

CVE: 2121-3606
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210617061226.244-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22568.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index c571030b7..603c67b04 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -154,11 +154,13 @@ crypto_init_lib_engine(const char *engine_name)
 void
 crypto_init_lib(void)
 {
+#ifndef _WIN32
 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
     OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
 #else
     OPENSSL_config(NULL);
 #endif
+#endif /* _WIN32 */
     /*
      * If you build the OpenSSL library and OpenVPN with
      * CRYPTO_MDEBUG, you will get a listing of OpenSSL