Hi

On Thu, Jun 17, 2021 at 2:13 AM Lev Stipakov <lstipa...@gmail.com> wrote:
> From: Lev Stipakov <l...@openvpn.net>
>
> Commit a4071b ("crypto_openssl: add initialization to pick up local
> configuration") added openssl initialization to load configuration file.
> However on Windows this file is loaded from a user-writable directory,
> such as c:\etc\ssl for mingw builds and (for example)
> c:\vcpkg\packages\openssl_x64-windows\openvpn.cnf for vcpkg builds.
> This could be a security risk.
>
> Since the aforementioned commit implements a niche feature which anyway
> should use CryptoAPI on Windows, make this code conditional.
>
> Signed-off-by: Lev Stipakov <l...@openvpn.net>
> ---
>  src/openvpn/crypto_openssl.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
> index c571030b..603c67b0 100644
> --- a/src/openvpn/crypto_openssl.c
> +++ b/src/openvpn/crypto_openssl.c
> @@ -154,11 +154,13 @@ crypto_init_lib_engine(const char *engine_name)
>  void
>  crypto_init_lib(void)
>  {
> +#ifndef _WIN32
>  #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
>      OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
>  #else
>      OPENSSL_config(NULL);
>  #endif
> +#endif /* _WIN32 */
>      /*
>       * If you build the OpenSSL library and OpenVPN with
>       * CRYPTO_MDEBUG, you will get a listing of OpenSSL
> --
> 2.23.0.windows.1
>

This would make it impossible to use openssl.cnf on Windows, wouldn't it?
I use the configuration file to restrict signature algorithms, for example.
There are other uses like configuring engines.

Instead of disabling, why not make the default path a restricted location
within, say, C:\Windows? The user can then override it using env variables.

What path do the OpenSSL Windows binaries described in the OpenSSL wiki use?
(https://wiki.openssl.org/index.php/Binaries)

Selva
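Review bot: the new `#ifndef _WIN32` around the `OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);` / `OPENSSL_config(NULL);` block only drops OpenVPN's explicit request to load the configuration file; it does not tell OpenSSL to leave the file alone. With OpenSSL 1.1.1 and later, libssl's automatic initialisation (run from the first SSL_CTX_new() and similar calls) loads the default configuration file on its own, so the user-writable openssl.cnf described in the commit message can still be picked up on Windows after this change. If the goal is to refuse that file, the Windows branch should call `OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL);` before any other OpenSSL use rather than calling nothing, i.e. an `#ifdef _WIN32` / `#else` pair around the two behaviours instead of a bare `#ifndef _WIN32`. Independently of that, the `#ifndef _WIN32` line carries no comment; a one-line note that the compiled-in OPENSSLDIR is user-writable in mingw and vcpkg builds would stop a later reader from "fixing" the omission.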
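Selva's question, which configuration path a Windows OpenSSL build actually consults and whether an ordinary user can write to it, can be answered on the machine itself. The script below is an added example written for this page; it is not code from the thread, from OpenVPN or from OpenSSL. It assumes openssl.exe is on PATH, that `openssl version -d` reports the compiled-in OPENSSLDIR in its usual `OPENSSLDIR: "..."` form, and that the OPENSSL_CONF environment variable, when set, overrides that default. The set of principals treated as "any local user" is the editor's choice and should be extended for a given environment.

```powershell
# Added example: audit which openssl.cnf a Windows OpenSSL build will load and
# whether a low-privilege principal can modify (or create) it.
# Assumptions: openssl.exe on PATH; OPENSSL_CONF overrides the compiled-in
# OPENSSLDIR; the principal list below is this page's choice, not OpenSSL's.

$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-OpenSslConfigPath {
    # The environment variable wins over the compiled-in default.
    if ($env:OPENSSL_CONF) { return $env:OPENSSL_CONF }
    $line = (& openssl version -d) | Select-Object -First 1
    if ($line -notmatch '^OPENSSLDIR:\s*"?([^"]+)"?\s*$') {
        throw "Unexpected output from 'openssl version -d': $line"
    }
    return Join-Path $Matches[1] 'openssl.cnf'
}

function Test-LowPrivWritable {
    param([string]$Path)
    # If the file does not exist yet, walk up to the nearest existing ancestor:
    # a writable directory lets a local user simply create openssl.cnf there.
    $target = $Path
    while (-not (Test-Path -LiteralPath $target)) {
        $parent = Split-Path -Parent $target
        if (-not $parent -or $parent -eq $target) { return $null }
        $target = $parent
    }
    $acl = Get-Acl -LiteralPath $target
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeBits) -ne 0) {
            return [pscustomobject]@{
                CheckedPath = $target
                Principal   = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights
            }
        }
    }
    return $null
}

$cfg = Get-OpenSslConfigPath
Write-Host "OpenSSL would load its configuration from: $cfg"
$hit = Test-LowPrivWritable -Path $cfg
if ($hit) {
    Write-Warning ("{0} has {1} on {2}: a local user can plant or edit openssl.cnf" -f
        $hit.Principal, $hit.Rights, $hit.CheckedPath)
} else {
    Write-Host "No low-privilege write access found on $cfg or its nearest existing parent."
}
```

Run it in the same account and environment the OpenVPN service would use, since OPENSSL_CONF is read from that process's environment. A warning from this script is exactly the situation the commit message describes; the two ways out discussed in the thread are to compile OPENSSLDIR to a location only administrators can modify (leaving OPENSSL_CONF as the deliberate override) or to tell OpenSSL not to load a configuration file at all.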
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel