Load OpenSSL config on Windows from trusted location
Commits
-
92535b6 ("contrib/vcpkg-ports: add openssl port with
--no-autoload-config option set (CVE-2121-3606)")
-
447cfb4 ("crypto_openssl.c: disable explicit initialization on Windows
(CVE-2121-3606)")
disabled OpenSSL config loading functionality, which could be
exploited by loading config from untrusted locations.
This feature might be useful for some users. This brings it back
and sets OpenSSL enviroment variables
OPENSSL_CONF, OPENSSL_ENGINES, OPENSSL_MODULES
which are used to load config, engines and modules, to a trusted location.
The location is constructed based on installation path, read from registry
on startup.
If installation path cannot be read, Windows\System32 is used as a
fallback.
While on it, remove unused "bool impersonate_as_system();" declaration.
Trac: #1296
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <
20211119015548.687-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23248.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit
23e6aaef149bd31a7e80af28ee1e3658d2810d4f)
projects / thirdparty / openvpn.git / commit
