From: Lev Stipakov <l...@openvpn.net>

Commit a4071b ("crypto_openssl: add initialization to pick up local configuration") added openssl initialization to load the configuration file. However, on Windows this file is loaded from a user-writable directory, such as c.\etc\ssl for mingw builds and (for example) c:\vcpkg\packages\openssl_x64-windows\openvpn.cnf for vcpkg builds. This could be a security risk.
Since the aforementioned commit implements a niche feature which anyway should use CryptoAPI on Windows, make this code conditional.

Signed-off-by: Lev Stipakov <l...@openvpn.net>
--- src/openvpn/crypto_openssl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index c571030b..603c67b0 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -154,11 +154,13 @@ crypto_init_lib_engine(const char *engine_name) void crypto_init_lib(void) { +#ifndef _WIN32 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); #else OPENSSL_config(NULL); #endif +#endif /* _WIN32 */ /* * If you build the OpenSSL library and OpenVPN with * CRYPTO_MDEBUG, you will get a listing of OpenSSL -- 2.23.0.windows.1
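
Review bot: the `#ifndef _WIN32` guard in crypto_init_lib() only drops OpenVPN's explicit request to load the config, and on the `OPENSSL_VERSION_NUMBER >= 0x10100000L` branch that may not be enough. OpenSSL 1.1.1 documents config loading as the default for libssl initialization, so the file in the user-writable directory can still be read when the SSL library initializes itself. Consider giving Windows its own `#else` branch that calls `OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL);` on 1.1.0 and later, so the opt-out is explicit rather than implied by a missing call. A short comment above the guard would also help, since `#endif /* _WIN32 */` alone does not record the user-writable path concern that the commit message gives as the reason.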