Hi,

I added

    _putenv("OPENSSL_CONF=c:\\Temp\\lol.conf");

to openvpn_main() and see

    22:01:38,9512311 openvpn.exe 27668 CreateFile C:\Temp\lol.conf NAME NOT FOUND

in procmon.

So would it be enough to set config/engines/modules paths as env
variables for openvpn and gui? OTOH we also ship openssl.exe, which is
used by easyrsa?

On Mon, 22 Nov 2021 at 19:56, Selva Nair (selva.n...@gmail.com) wrote:
>
> Hi,
>
> On Mon, Nov 22, 2021 at 12:20 PM Lev Stipakov <lstipa...@gmail.com> wrote:
>>
>> I added a commit to vcpkg/openssl PR
>> (https://github.com/microsoft/vcpkg/pull/21540) which gives an option
>> to customize ENGINESDIR. Unfortunately openssl doesn't make it easy -
>> ENGINESDIR is built based on --prefix, which is set to vcpkg build
>> dir. The prefix cannot be set to something like C:\SSL, because in
>> this case vcpkg build would require an elevated prompt. So I had to
>> patch the makefile template. Let's see if there are less hacky ways to
>> do it.
>
>
> A common practice for locally installing to a private path for development
> would be to do a "prefix relocation" using DESTDIR:
>
> make DESTDIR=/home/selva/openssl-pkg/ install
>
> which will preserve the search paths compiled into the library. This will
> work for cross-compile on linux even with drive letters in prefix, though
> awkward. But such an approach cannot work on Windows as "C:" cannot be
> embedded in Windows paths.
>
> A hack could be to use paths without a drive letter: like prefix = "/Program
> Files/OpenVPN/" etc. and then use DESTDIR to relocate for the development
> installation. That relies on the Windows behaviour that paths starting with
> "/" resolve to "C:/" and depends on the value of "current drive" which is
> probably reliable.
>
> Otherwise patching as you propose may be the only way..
>
> That said, how safe is this use of "C:/Program files/foo-bar" itself? Could
> it be vulnerable in localized Windows -- e.g., "C:/Program Files/" may not
> exist in some language versions and any user could then create one. If so, we
> may have to set "C:/Windows/System32/" or some such path as OPENSSLDIR,
> ENGINESDIR and MODULESDIR. It's unfortunate that OpenSSL folks decided to use
> hard-coded values in the library for config location and dll search paths.
>
> Given these difficulties, shall we (also) set env vars in OpenVPN.exe on
> startup so that OpenSSL config file and search paths will point to safe
> locations determined at run time (only if not already set by user) -- needed
> only for Windows as we do not distribute OpenSSL for other platforms. OpenSSL
> docs say what env vars are used to override built-in paths, I'll do some
> tests to be sure.
>
> Selva

--
-Lev
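
The startup step discussed in this thread (point OpenSSL's config, engines and modules paths at an install-relative location, only when the user has not already set them), as an added example that is not OpenVPN's code. The function names, the "ssl" sub-directory layout and the sample install directory are assumptions; OPENSSL_CONF, OPENSSL_ENGINES and OPENSSL_MODULES are the variables OpenSSL reads before its compiled-in paths.

```c
/* Added example, not OpenVPN code; layout and sample directory are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#define SET_ENV(n, v) _putenv_s((n), (v))
#define SEP "\\"
#else
#define SET_ENV(n, v) setenv((n), (v), 1)
#define SEP "/"
#endif

/* Variables OpenSSL reads before falling back to its compiled-in paths. */
static const struct { const char *name, *leaf; } ossl_vars[] = {
    { "OPENSSL_CONF",    "ssl" SEP "openssl.cnf" },
    { "OPENSSL_ENGINES", "ssl" SEP "engines" },
    { "OPENSSL_MODULES", "ssl" SEP "modules" },
};

/* 1 = variable set, 0 = user value kept, -1 = path too long or set failed */
static int set_if_unset(const char *name, const char *dir, const char *leaf)
{
    char path[1024];
    const char *cur = getenv(name);
    if (cur != NULL && cur[0] != '\0')
        return 0;
    if (strlen(dir) + strlen(leaf) + 2 > sizeof(path))
        return -1;               /* never hand OpenSSL a truncated path */
    snprintf(path, sizeof(path), "%s" SEP "%s", dir, leaf);
    return SET_ENV(name, path) == 0 ? 1 : -1;
}

/* Returns how many variables were set, or -1 on the first failure. */
int pin_openssl_paths(const char *install_dir)
{
    int count = 0;
    for (size_t i = 0; i < sizeof(ossl_vars) / sizeof(ossl_vars[0]); i++) {
        int r = set_if_unset(ossl_vars[i].name, install_dir, ossl_vars[i].leaf);
        if (r < 0)
            return -1;
        count += r;
    }
    return count;
}

int main(void)
{
    printf("set %d variable(s)\n", pin_openssl_paths("C:" SEP "example-install"));
    return 0;
}
```

The call has to run before the first OpenSSL initialisation in the process, and the directory passed in should be one that unprivileged users cannot write to.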