From 447cfb4f30fd96126f7d2945cd14ef39cc13a08a Mon Sep 17 00:00:00 2001 From: Lev Stipakov Date: Thu, 17 Jun 2021 09:12:26 +0300 Subject: [PATCH] crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606) Commit a4071b ("crypto_openssl: add initialization to pick up local configuration") added openssl initialization to load configuration file. However on Windows this file is loaded from user-writable directory, such as c:\etc\ssl for mingw builds and (for example) c:\vcpkg\packages\openssl_x64-windows\openvpn.cnf for vcpkg builds. This could be a security risk. CVE-2121-3606 has been assigned to acknowledge this risk. Since aforementioned commit implements a niche feature which might be better solved with CryptoAPI on Windows, make this code conditional (for now). CVE: 2121-3606 Signed-off-by: Lev Stipakov Acked-by: Gert Doering Message-Id: <20210617061226.244-1-lstipakov@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22568.html Signed-off-by: Gert Doering (cherry picked from commit abd5ee9b7dc4ba85438da5d16bb7dfb31714dac7) --- src/openvpn/crypto_openssl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index a3fec986b..58573d80b 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -150,11 +150,13 @@ crypto_init_lib_engine(const char *engine_name) void crypto_init_lib(void) { +#ifndef _WIN32 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); #else OPENSSL_config(NULL); #endif +#endif /* _WIN32 */ /* * If you build the OpenSSL library and OpenVPN with * CRYPTO_MDEBUG, you will get a listing of OpenSSL -- 2.47.2
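Review bot: the new `#ifndef _WIN32` guard in `crypto_init_lib()` carries no in-code explanation, so a later reader sees OpenSSL config loading skipped on Windows with no hint why, and since the commit message calls this a temporary measure ("for now") the rationale belongs next to the guard, e.g. `/* Do not load the OpenSSL config file on Windows: it is read from a user-writable path (CVE-2121-3606) */` directly above `#ifndef _WIN32`. The closing label should also match the condition it closes: `#endif /* !_WIN32 */` rather than `#endif /* _WIN32 */`. It is worth stating in that same comment that with the guard in place Windows builds never reach `OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)` or `OPENSSL_config(NULL)`, so any engine settings that were previously picked up from the config file are now silently ignored on that platform.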