[Openvpn-devel] msvc: mark x64 release binaries as compatible with CET shadow stack

Message ID 20220107101708.100-1-lstipakov@gmail.com
State Superseded
Series
  • [Openvpn-devel] msvc: mark x64 release binaries as compatible with CET shadow stack

Commit Message

Lev Stipakov Jan. 7, 2022, 10:17 a.m.
From: Lev Stipakov <lev@openvpn.net>

This provides hardware-enforced stack protection on compatible hardware/software.

This is based on a patch from Ilya Shipitsin <chipitsine@gmail.com>
https://patchwork.openvpn.net/patch/1987/

See https://techcommunity.microsoft.com/t5/windows-kernel-internals-blog/developer-guidance-for-hardware-enforced-stack-protection/ba-p/2163340 for more info.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
---
 src/openvpn/openvpn.vcxproj           | 1 +
 src/openvpnmsica/openvpnmsica.vcxproj | 5 +++++
 src/openvpnserv/openvpnserv.vcxproj   | 1 +
 src/tapctl/tapctl.vcxproj             | 6 +++++-
 4 files changed, 12 insertions(+), 1 deletion(-)
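The `<CETCompat>true</CETCompat>` setting in the project files is the MSBuild spelling of the MSVC linker option /CETCOMPAT. The linker records it as an entry of type IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS (20) in the PE debug directory whose payload has IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT (0x1) set; it only marks the image, and enforcement still depends on a CPU with shadow-stack support and a Windows version that turns user-mode shadow stacks on. The checker below is an added example, not part of this patch or of the OpenVPN tree: it parses that flag straight from the file so a build can be verified without dumpbin. The minimal PE32+ image it builds for self-testing is constructed inline and is not a real binary.

```python
"""Report whether a PE image carries the CET shadow-stack compatibility flag.

Added example: walks DOS header -> PE signature -> optional header -> data
directory 6 (debug) -> IMAGE_DEBUG_DIRECTORY entries and reads the extended
DLL characteristics payload.  Usage: python check_cet.py <pe file>...
"""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS = 20
IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT = 0x1
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
DEBUG_ENTRY_SIZE = 28       # sizeof(IMAGE_DEBUG_DIRECTORY)
SECTION_HEADER_SIZE = 40    # sizeof(IMAGE_SECTION_HEADER)


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x not backed by any section" % rva)


def has_cet_compat(data: bytes) -> bool:
    """True if the image's debug directory marks it CET compatible."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        dir_count_off, dirs_off = 108, 112
    elif magic == PE32_MAGIC:
        dir_count_off, dirs_off = 92, 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dir_count = struct.unpack_from("<I", data, opt + dir_count_off)[0]
    if dir_count <= IMAGE_DIRECTORY_ENTRY_DEBUG:
        return False                                          # no debug directory at all
    dbg_rva, dbg_size = struct.unpack_from(
        "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    if dbg_rva == 0 or dbg_size == 0:
        return False
    sec_off = opt + opt_size
    sections = []
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<IIII", data, sec_off + SECTION_HEADER_SIZE * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    dbg_off = _rva_to_offset(dbg_rva, sections)
    for i in range(dbg_size // DEBUG_ENTRY_SIZE):
        # Type, SizeOfData, AddressOfRawData, PointerToRawData start at +12
        dtype, dsize, _, raw_ptr = struct.unpack_from(
            "<IIII", data, dbg_off + DEBUG_ENTRY_SIZE * i + 12)
        if dtype == IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS and dsize >= 4:
            flags = struct.unpack_from("<I", data, raw_ptr)[0]
            return bool(flags & IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT)
    return False


def build_sample_pe(cet_compat: bool) -> bytes:
    """Constructed minimal PE32+ image for self-testing (not a real binary)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    opt_size = 112 + 16 * 8
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, 0x1000, DEBUG_ENTRY_SIZE)
    section = b".rdata\0\0" + struct.pack(
        "<IIIIIIHHI", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    headers = dos + coff + bytes(opt) + section
    headers += b"\0" * (0x200 - len(headers))
    flags = IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT if cet_compat else 0
    entry = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS,
                        4, 0x1000 + DEBUG_ENTRY_SIZE, 0x200 + DEBUG_ENTRY_SIZE)
    payload = entry + struct.pack("<I", flags)
    return headers + payload + b"\0" * (0x200 - len(payload))


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "CET compatible" if has_cet_compat(f.read()) else "NOT CET compatible")
```

Run it against the built openvpn.exe, openvpnserv.exe, tapctl.exe and openvpnmsica.dll after linking; the same flag is what `dumpbin /headers` reports under Debug Directories. Because the check reads the file rather than asking the running OS, it works on a build agent that has no CET-capable CPU.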

Comments

Lev Stipakov Jan. 7, 2022, 3 p.m. | #1
Please disregard this patch,

I've sent two separate ones for 2.5 and master which fix multiple
issues found by binskim, including HW-enforced stack protection.

  https://patchwork.openvpn.net/patch/2209/
  https://patchwork.openvpn.net/patch/2210/

Note that before applying the 2.5 patch, one needs to cherry-pick this commit

  https://github.com/openvpn/openvpn/commit/e5e9a07e8baee4065b7dfd65736bfa77b8329cfc

from the master.

Patch

diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj
index d583c281..fb08c1c7 100644
--- a/src/openvpn/openvpn.vcxproj
+++ b/src/openvpn/openvpn.vcxproj
@@ -220,6 +220,7 @@ 
       <AdditionalDependencies>Ncrypt.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;setupapi.lib;Advapi32.lib</AdditionalDependencies>
       <AdditionalLibraryDirectories>$(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
       <SubSystem>Console</SubSystem>
+      <CETCompat>true</CETCompat>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
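Review bot: nothing here verifies that the flag lands in the shipped image or that the libraries on the context line are equally prepared; /CETCOMPAT only marks openvpn.exe, and the OpenSSL, LZO and pkcs11-helper binaries pulled from $(OPENSSL_HOME)/lib, $(LZO_HOME)/lib and $(PKCS11H_HOME)/lib are built outside this tree. The commit message should say whether those DLLs are also linked with /CETCOMPAT, and a post-build step that inspects the Debug Directories of the output (for example `dumpbin /headers $(TargetPath)`) would catch a toolset or property-sheet change silently dropping the flag.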
diff --git a/src/openvpnmsica/openvpnmsica.vcxproj b/src/openvpnmsica/openvpnmsica.vcxproj
index 11aa78bb..e7186e70 100644
--- a/src/openvpnmsica/openvpnmsica.vcxproj
+++ b/src/openvpnmsica/openvpnmsica.vcxproj
@@ -135,6 +135,11 @@ 
   <PropertyGroup Label="Vcpkg" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
     <VcpkgEnabled>true</VcpkgEnabled>
   </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Link>
+      <CETCompat>true</CETCompat>
+    </Link>
+  </ItemDefinitionGroup>
   <ItemGroup>
     <ClCompile Include="..\tapctl\error.c" />
     <ClCompile Include="..\tapctl\tap.c" />
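Review bot: the Link element is added in a brand-new `<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">` placed between the Vcpkg PropertyGroup and the ItemGroup; if the project already has a Release|x64 ItemDefinitionGroup further down, the linker settings for one configuration end up split across two groups (MSBuild merges them, but it is easy to miss when auditing). Putting `<CETCompat>true</CETCompat>` into the existing group, as the openvpn and openvpnserv hunks do, keeps all Release|x64 linker settings in one place. Also worth a sentence in the commit message: openvpnmsica is a DLL loaded into msiexec.exe, so this flag governs how Windows treats a shadow-stack mismatch inside this module, while the host process decides whether shadow stacks are active at all.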
diff --git a/src/openvpnserv/openvpnserv.vcxproj b/src/openvpnserv/openvpnserv.vcxproj
index 5fd7d60b..deed8db1 100644
--- a/src/openvpnserv/openvpnserv.vcxproj
+++ b/src/openvpnserv/openvpnserv.vcxproj
@@ -174,6 +174,7 @@ 
     <Link>
       <AdditionalDependencies>legacy_stdio_definitions.lib;Userenv.lib;Iphlpapi.lib;ntdll.lib;Fwpuclnt.lib;Netapi32.lib;Shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <SubSystem>Console</SubSystem>
+      <CETCompat>true</CETCompat>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
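Review bot: this is the third copy of the same one-line `<CETCompat>true</CETCompat>` addition, each tied to one project's Release|x64 group, so a new project (or a new configuration) will not inherit it; a shared .props file imported by all four vcxproj files would make the hardening flag apply once and be reviewable in one place. Separately, only Release|x64 is marked while the Debug|x64 group is untouched, which means developers running debug builds on CET-capable hardware never exercise shadow stacks and any incompatibility will only show up in release testing.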
diff --git a/src/tapctl/tapctl.vcxproj b/src/tapctl/tapctl.vcxproj
index 79da9d33..da9f2703 100644
--- a/src/tapctl/tapctl.vcxproj
+++ b/src/tapctl/tapctl.vcxproj
@@ -140,7 +140,11 @@ 
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" />
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" />
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" />
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" />
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Link>
+      <CETCompat>true</CETCompat>
+    </Link>
+  </ItemDefinitionGroup>
   <ItemGroup>
     <ClCompile Include="error.c" />
     <ClCompile Include="tap.c" />
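Review bot: the expanded Release|x64 group now carries `<CETCompat>true</CETCompat>` as tapctl's only linker customization, and the hunk shows no `<ControlFlowGuard>Guard</ControlFlowGuard>` beside it. Shadow stacks protect return addresses while CFG protects indirect calls, so if CFG is not enabled elsewhere in this project it belongs on the line next to CETCompat; the author's own follow-up note about further binskim findings suggests the two settings should be reviewed together rather than one per patch.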