From patchwork Fri Jan 7 03:53:59 2022
X-Patchwork-Submitter: Lev Stipakov
X-Patchwork-Id: 2209
From: Lev Stipakov
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 7 Jan 2022 16:53:59 +0200
Message-Id: <20220107145359.311-1-lstipakov@gmail.com>
Subject: [Openvpn-devel] [PATCH 2.5] msvc: adjust build options to harden binaries
Cc: Lev Stipakov

From: Lev Stipakov

- enable hardware-enforced stack protection on compatible hardware/software (/CETCOMPAT linker option)
- hash object files with SHA256 (/ZH:SHA_256 compiler option)
- enable SDL.
This required adding the _CRT_NONSTDC_NO_DEPRECATE, _CRT_SECURE_NO_WARNINGS and _WINSOCK_DEPRECATED_NO_WARNINGS preprocessor definitions. I don't feel like replacing strdup (which is a correct POSIX function) and inet_ntoa (we always pass an IPv4 address to it; inet_ntop would make the code more complex).

The above issues were discovered by bitskim.

Signed-off-by: Lev Stipakov
Acked-by: Firstname Lastname
Acked-by: Firstname Lastname <email@example.com>
--- Note that one needs to cherry-pick commit "e5e9a07" (tapctl: Resolve MSVC C4996 warnings) before applying this patch. src/openvpn/openvpn.vcxproj | 35 +++++++++++------ src/openvpnmsica/openvpnmsica.vcxproj | 43 +++++++++++++++++++++ src/openvpnserv/openvpnserv.vcxproj | 26 ++++++++++--- src/tapctl/tapctl.vcxproj | 54 ++++++++++++++++++++++++--- 4 files changed, 134 insertions(+), 24 deletions(-) diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj index 33b8f19a..a540ec22 100644 --- a/src/openvpn/openvpn.vcxproj +++ b/src/openvpn/openvpn.vcxproj @@ -147,11 +147,12 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;$(SolutionDir);%(AdditionalIncludeDirectories) + Level2 + /ZH:SHA_256 %(AdditionalOptions) @@ -162,11 +163,12 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;$(SolutionDir)include;$(SolutionDir);%(AdditionalIncludeDirectories) + Level2 + /ZH:SHA_256 %(AdditionalOptions) @@ -177,11 +179,12 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;$(SolutionDir);%(AdditionalIncludeDirectories) + Level2 + /ZH:SHA_256 %(AdditionalOptions) 
@@ -192,44 +195,52 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;$(SolutionDir);%(AdditionalIncludeDirectories) Guard + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true Ncrypt.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;setupapi.lib;Advapi32.lib $(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories) Console + true - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;$(SolutionDir);%(AdditionalIncludeDirectories) Guard + true + Level2 + /ZH:SHA_256 %(AdditionalOptions) Ncrypt.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;setupapi.lib;Advapi32.lib $(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories) Console + true - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;$(SolutionDir);%(AdditionalIncludeDirectories) Guard + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true diff --git a/src/openvpnmsica/openvpnmsica.vcxproj b/src/openvpnmsica/openvpnmsica.vcxproj index 11aa78bb..5e774430 100644 --- a/src/openvpnmsica/openvpnmsica.vcxproj +++ b/src/openvpnmsica/openvpnmsica.vcxproj 
@@ -135,6 +135,49 @@ true + + + true + + + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + + + + + true + + + /ZH:SHA_256 %(AdditionalOptions) + true + %(PreprocessorDefinitions) + + + + + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + + + + + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + + + + + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + + + + + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + + diff --git a/src/openvpnserv/openvpnserv.vcxproj b/src/openvpnserv/openvpnserv.vcxproj index 520242f4..c70db229 100644 --- a/src/openvpnserv/openvpnserv.vcxproj +++ b/src/openvpnserv/openvpnserv.vcxproj @@ -124,7 +124,9 @@ ..\openvpn;..\compat;%(AdditionalIncludeDirectories) - _CONSOLE;%(PreprocessorDefinitions) + _CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) @@ -135,7 +137,9 @@ ..\openvpn;..\compat;%(AdditionalIncludeDirectories) - _CONSOLE;%(PreprocessorDefinitions) + _CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) @@ -146,7 +150,9 @@ ..\openvpn;..\compat;%(AdditionalIncludeDirectories) - _CONSOLE;%(PreprocessorDefinitions) + _CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) 
@@ -157,29 +163,37 @@ ..\openvpn;..\compat;%(AdditionalIncludeDirectories) - _CONSOLE;%(PreprocessorDefinitions) + _CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) Userenv.lib;Iphlpapi.lib;ntdll.lib;Fwpuclnt.lib;Netapi32.lib;Shlwapi.lib;%(AdditionalDependencies) Console + true ..\openvpn;..\compat;%(AdditionalIncludeDirectories) - _CONSOLE;%(PreprocessorDefinitions) + _CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) legacy_stdio_definitions.lib;Userenv.lib;Iphlpapi.lib;ntdll.lib;Fwpuclnt.lib;Netapi32.lib;Shlwapi.lib;%(AdditionalDependencies) Console + true ..\openvpn;..\compat;%(AdditionalIncludeDirectories) - _CONSOLE;%(PreprocessorDefinitions) + _CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) diff --git a/src/tapctl/tapctl.vcxproj b/src/tapctl/tapctl.vcxproj index 79da9d33..f439dc4f 100644 --- a/src/tapctl/tapctl.vcxproj +++ b/src/tapctl/tapctl.vcxproj @@ -135,12 +135,54 @@ true - - - - - - + + + true + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + + + + + true + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + + + + + true + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + + + + + true + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + + + true + + + + + true + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + + + + + true + + + true + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + +
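Review bot: in src/openvpn/openvpn.vcxproj the two added `true` settings (the compile-side one and the link-side one that the commit message describes as SDL and /CETCOMPAT) appear only in the three configurations of the @@ -192,44 hunk, the ones that already carry `Guard`; the @@ -147, @@ -162 and @@ -177 hunks get only the new preprocessor definitions and `/ZH:SHA_256 %(AdditionalOptions)`. If those three configurations are debug builds that are meant to stay without SDL and CET, the commit message should say so; otherwise the same two lines belong there too.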
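Review bot: in src/openvpnmsica/openvpnmsica.vcxproj only the first two configuration blocks of the @@ -135,6 hunk get the added `true` beside `/ZH:SHA_256 %(AdditionalOptions)`; the other four get the compiler option alone, and no block adds the link-side `true` that openvpn.vcxproj and openvpnserv.vcxproj add. Each block also adds a `%(PreprocessorDefinitions)` entry with nothing in front of it, which is a no-op and can be dropped.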
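Review bot: src/openvpnserv/openvpnserv.vcxproj defines `_CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS`, whereas openvpn.vcxproj and the commit message use `_CRT_NONSTDC_NO_DEPRECATE` and additionally `_WINSOCK_DEPRECATED_NO_WARNINGS`. The two CRT macros have the same effect (the CRT headers map one to the other), but the projects should agree on one spelling, and the commit message should list the set actually used per project.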
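Review bot: in src/tapctl/tapctl.vcxproj all six configuration blocks of the @@ -135,12 hunk get the compile-side `true` and `/ZH:SHA_256 %(AdditionalOptions)`, but the separate link-side `true` appears in only two of them, so /CETCOMPAT would cover a subset of the configurations; either extend it to the rest or state in the commit message why those builds are exempt.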
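As an added check (not part of this patch or the OpenVPN project), a small audit that flags every configuration in a .vcxproj lacking one of the three settings the commit message enables. It assumes the MSBuild element names SDLCheck, AdditionalOptions and CETCompat, since the patch text above lost its XML tags, and runs against a constructed two-configuration sample.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.microsoft.com/developer/msbuild/2003"}  # MSBuild namespace

# Element names are the MSBuild properties behind the options in the commit
# message (assumed here, since the patch text lost its XML tags):
#   ClCompile/SDLCheck -> /sdl, ClCompile/AdditionalOptions -> /ZH:SHA_256,
#   Link/CETCompat -> /CETCOMPAT.
def audit_vcxproj(xml_text):
    """Return {Condition: [missing hardening settings]} per ItemDefinitionGroup."""
    root = ET.fromstring(xml_text)
    findings = {}
    for group in root.findall("m:ItemDefinitionGroup", NS):
        cond = group.get("Condition", "<unconditional>")
        missing = []
        if group.findtext("m:ClCompile/m:SDLCheck", "", NS).strip().lower() != "true":
            missing.append("ClCompile/SDLCheck")
        opts = group.findtext("m:ClCompile/m:AdditionalOptions", "", NS)
        if "/ZH:SHA_256" not in opts.split():
            missing.append("ClCompile/AdditionalOptions:/ZH:SHA_256")
        if group.findtext("m:Link/m:CETCompat", "", NS).strip().lower() != "true":
            missing.append("Link/CETCompat")
        findings[cond] = missing
    return findings

# Constructed sample: Release|x64 fully hardened, Debug|x64 lacks /CETCOMPAT,
# the uneven coverage the patch itself shows across configurations.
SAMPLE_VCXPROJ = """\
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <ClCompile>
      <SDLCheck>true</SDLCheck>
      <AdditionalOptions>/ZH:SHA_256 %(AdditionalOptions)</AdditionalOptions>
    </ClCompile>
    <Link><CETCompat>true</CETCompat></Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile>
      <SDLCheck>true</SDLCheck>
      <AdditionalOptions>/ZH:SHA_256 %(AdditionalOptions)</AdditionalOptions>
    </ClCompile>
    <Link><SubSystem>Console</SubSystem></Link>
  </ItemDefinitionGroup>
</Project>
"""

if __name__ == "__main__":
    for cond, missing in audit_vcxproj(SAMPLE_VCXPROJ).items():
        print(cond, "ok" if not missing else "MISSING " + ", ".join(missing))
```

Point it at the four project files touched by this patch to confirm every configuration carries all three settings before merging.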