From patchwork Fri Jan 7 03:55:22 2022
X-Patchwork-Submitter: Lev Stipakov
X-Patchwork-Id: 2210
From: Lev Stipakov
To: openvpn-devel@lists.sourceforge.net
Cc: Lev Stipakov
Date: Fri, 7 Jan 2022 16:55:22 +0200
Message-Id: <20220107145522.435-1-lstipakov@gmail.com>
Subject: [Openvpn-devel] [PATCH] msvc: adjust build options to harden binaries
From: Lev Stipakov

- enable hardware-enforced stack protection on compatible hardware/software (/CETCOMPAT linker option)
- hash object files with SHA256 (/ZH:SHA_256 compiler option)
- enable SDL. This required adding the _CRT_NONSTDC_NO_DEPRECATE, _CRT_SECURE_NO_WARNINGS and _WINSOCK_DEPRECATED_NO_WARNINGS preprocessor definitions. I don't feel like replacing strdup (which is a correct POSIX function) and inet_ntoa (we always pass an IPv4 address to it; inet_ntop will make the code more complex).

The above issues were discovered by bitskim.

Signed-off-by: Lev Stipakov
---
 src/openvpn/openvpn.vcxproj | 35 ++++++++++++-------
 src/openvpnmsica/openvpnmsica.vcxproj | 37 +++++++++++++++++++++
 src/openvpnserv/openvpnserv.vcxproj | 14 ++++++++
 src/tapctl/tapctl.vcxproj | 48 +++++++++++++++++++++++----
 4 files changed, 116 insertions(+), 18 deletions(-)
diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj index 65ee6839..55ad7197 100644 --- a/src/openvpn/openvpn.vcxproj +++ b/src/openvpn/openvpn.vcxproj @@ -147,11 +147,12 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;$(SolutionDir);%(AdditionalIncludeDirectories) + Level2 + /ZH:SHA_256 %(AdditionalOptions) @@ -162,11 +163,12 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;$(SolutionDir)include;$(SolutionDir);%(AdditionalIncludeDirectories) + Level2 + /ZH:SHA_256 %(AdditionalOptions) 
@@ -177,11 +179,12 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;$(SolutionDir);%(AdditionalIncludeDirectories) + Level2 + /ZH:SHA_256 %(AdditionalOptions) @@ -192,44 +195,52 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;$(SolutionDir);%(AdditionalIncludeDirectories) Guard + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true Ncrypt.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;setupapi.lib;Advapi32.lib $(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories) Console + true - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;$(SolutionDir);%(AdditionalIncludeDirectories) Guard + true + Level2 + /ZH:SHA_256 %(AdditionalOptions) Ncrypt.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;setupapi.lib;Advapi32.lib $(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories) Console + true - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;$(SolutionDir);%(AdditionalIncludeDirectories) Guard + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true diff --git a/src/openvpnmsica/openvpnmsica.vcxproj b/src/openvpnmsica/openvpnmsica.vcxproj index 11aa78bb..1af8899e 100644 --- a/src/openvpnmsica/openvpnmsica.vcxproj +++ b/src/openvpnmsica/openvpnmsica.vcxproj 
@@ -135,6 +135,43 @@ true + + + true + + + /ZH:SHA_256 %(AdditionalOptions) + + + + + true + + + /ZH:SHA_256 %(AdditionalOptions) + true + + + + + /ZH:SHA_256 %(AdditionalOptions) + + + + + /ZH:SHA_256 %(AdditionalOptions) + + + + + /ZH:SHA_256 %(AdditionalOptions) + + + + + /ZH:SHA_256 %(AdditionalOptions) + + diff --git a/src/openvpnserv/openvpnserv.vcxproj b/src/openvpnserv/openvpnserv.vcxproj index 5fd7d60b..d42e9642 100644 --- a/src/openvpnserv/openvpnserv.vcxproj +++ b/src/openvpnserv/openvpnserv.vcxproj @@ -125,6 +125,8 @@ ..\openvpn;..\compat;%(AdditionalIncludeDirectories) _CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) @@ -136,6 +138,8 @@ ..\openvpn;..\compat;%(AdditionalIncludeDirectories) _CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) @@ -147,6 +151,8 @@ ..\openvpn;..\compat;%(AdditionalIncludeDirectories) _CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) @@ -158,28 +164,36 @@ ..\openvpn;..\compat;%(AdditionalIncludeDirectories) _CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) Userenv.lib;Iphlpapi.lib;ntdll.lib;Fwpuclnt.lib;Netapi32.lib;Shlwapi.lib;%(AdditionalDependencies) Console + true ..\openvpn;..\compat;%(AdditionalIncludeDirectories) _CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) legacy_stdio_definitions.lib;Userenv.lib;Iphlpapi.lib;ntdll.lib;Fwpuclnt.lib;Netapi32.lib;Shlwapi.lib;%(AdditionalDependencies) Console + true ..\openvpn;..\compat;%(AdditionalIncludeDirectories) _CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) diff --git a/src/tapctl/tapctl.vcxproj b/src/tapctl/tapctl.vcxproj index 79da9d33..0fc22d97 100644 --- a/src/tapctl/tapctl.vcxproj +++ b/src/tapctl/tapctl.vcxproj 
@@ -135,12 +135,48 @@ true - - - - - - + + + true + /ZH:SHA_256 %(AdditionalOptions) + + + + + true + /ZH:SHA_256 %(AdditionalOptions) + + + + + true + /ZH:SHA_256 %(AdditionalOptions) + + + + + true + /ZH:SHA_256 %(AdditionalOptions) + + + true + + + + + true + /ZH:SHA_256 %(AdditionalOptions) + + + + + true + + + true + /ZH:SHA_256 %(AdditionalOptions) + +
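Review bot: the three preprocessor definitions added in the openvpn.vcxproj hunks at -147, -162 and -177 (_CRT_NONSTDC_NO_DEPRECATE, _CRT_SECURE_NO_WARNINGS, _WINSOCK_DEPRECATED_NO_WARNINGS) silence the SDL deprecation diagnostics for the whole project, not just for the two call sites the commit message names (strdup, inet_ntoa), so any future use of a deprecated or unchecked CRT function in this project will also go unreported; a comment in the project file stating why they are there, or a narrower suppression at the affected call sites, would keep the SDL checks useful. The same definition string and the `/ZH:SHA_256 %(AdditionalOptions)` line are repeated verbatim across all six configurations of this file and again in the other three projects, which invites drift; a shared .props property sheet imported by each vcxproj would keep the hardening flags in one place.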
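Review bot: in the @@ -192,44 +195,52 @@ hunk of openvpn.vcxproj the link-stage `+ true` that follows `Console` (and the one after `/ZH:SHA_256 %(AdditionalOptions)` in the first and last configuration) is added only to the configurations that already carry `Guard`, while the three earlier hunks at -147, -162 and -177 receive the compiler options but no link-stage change. If the intent is that the linker hardening named in the commit message applies to the Guard (release) configurations only, the commit message should say so; otherwise the first three configurations are missing it.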
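Review bot: in the openvpnmsica.vcxproj hunk only the first two of the six added configuration blocks contain a `+ true` property alongside `/ZH:SHA_256 %(AdditionalOptions)`; the remaining four get the hash option only. If those four are configurations where the extra property does not apply, a sentence in the commit message would settle the question; otherwise they should get the same treatment as the first two.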
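Review bot: in the @@ -158,28 +164,36 @@ hunk of openvpnserv.vcxproj the link-stage `+ true` after `Console` is present for the first two configurations but not for the third (the hunk ends right after its `/ZH:SHA_256 %(AdditionalOptions)` line, so its link block is untouched), and the earlier hunks at -125, -136 and -147 add compiler options only. Either add the property to the remaining configurations or state in the commit message which configurations are meant to receive the linker hardening.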
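Review bot: the tapctl.vcxproj hunk removes six `-` lines that carry no visible content and replaces them with the new per-configuration blocks, and two of the new blocks contain a bare `+ true` without a `/ZH:SHA_256 %(AdditionalOptions)` line while the others carry both. A sentence in the commit message on what the removed lines were and why those two blocks differ would make the hunk reviewable without opening the file; as in the other projects, the repeated hash option is a candidate for a shared property sheet.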
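A build-time hardening flag is only worth anything if the shipped binary actually carries it, so the check a release engineer wants after a patch like this one is an offline read of the PE headers. The following script is an added example and is not code from the patch or from the OpenVPN project. It reports the Control Flow Guard, NX, ASLR and high-entropy bits of `DllCharacteristics` together with the CET-compatibility flag that `/CETCOMPAT` sets; the field offsets and the constants `IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS` (20) and `IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT` (0x1) are taken from winnt.h, and CET compatibility is not a `DllCharacteristics` bit but lives in a debug-directory entry of type 20 whose 4-byte payload holds the extended characteristics. `build_sample_pe()` fabricates a tiny PE32+ image (a constructed sample, not a real binary) so the script runs offline; the function and file names are the example's own.

```python
"""Offline audit of the linker-level hardening a Windows PE image carries.

Added example, not code from the OpenVPN patch or project.  Constants and
offsets are from winnt.h.  build_sample_pe() constructs a synthetic PE32+
image so the script runs offline; pass a real .exe/.dll path to audit a build.
"""
import struct

IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS = 20
IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT = 0x0001
DLL_CHARACTERISTICS = {  # bits of IMAGE_OPTIONAL_HEADER.DllCharacteristics
    "high_entropy_va": 0x0020,
    "dynamic_base": 0x0040,
    "nx_compat": 0x0100,
    "guard_cf": 0x4000,
}


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is not backed by any section" % rva)


def hardening_flags(data):
    """Return {flag_name: bool} for the PE image in `data`."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (no PE signature)")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:          # PE32+: data directories start at +112
        dd_off = opt + 112
    elif magic == 0x10B:        # PE32: they start at +96
        dd_off = opt + 96
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both
    flags = {name: bool(dll_chars & bit) for name, bit in DLL_CHARACTERISTICS.items()}
    flags["cet_compat"] = False

    n_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_DEBUG:
        return flags
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    if not dbg_rva or not dbg_size:
        return flags
    sections = []
    for i in range(nsect):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    dbg_off = _rva_to_offset(dbg_rva, sections)
    for i in range(dbg_size // 28):                     # IMAGE_DEBUG_DIRECTORY is 28 bytes
        dtype, size_of_data, _, ptr_raw = struct.unpack_from("<IIII", data, dbg_off + 28 * i + 12)
        if dtype == IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS and size_of_data >= 4:
            ex = struct.unpack_from("<I", data, ptr_raw)[0]
            flags["cet_compat"] = bool(ex & IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT)
    return flags


def build_sample_pe(cet_compat):
    """Constructed minimal PE32+ (not a real binary): one .rdata section holding a
    single type-20 debug entry and its payload; DllCharacteristics = CFG|NX|ASLR."""
    sect_rva, sect_raw, hdr_size = 0x1000, 0x200, 0x200
    ex = IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT if cet_compat else 0
    entry = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS,
                        4, sect_rva + 28, sect_raw + 28)       # payload follows the entry
    section = (entry + struct.pack("<I", ex)).ljust(0x200, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 0, 0x200, 0, 0, 0,
                      0x140000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x2000, hdr_size,
                      0, 3, 0xC160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_DEBUG] = (sect_rva, 28)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", 32, sect_rva, 0x200, sect_raw,
                           0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + opt + sect_hdr).ljust(hdr_size, b"\0")
    return headers + section


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(True)
    for name, ok in hardening_flags(blob).items():
        print("%-16s %s" % (name, "yes" if ok else "no"))
```

Run it with no arguments to see the constructed sample report every flag as set, or with the path of a freshly built openvpn.exe to confirm that the `Guard` and `/CETCOMPAT` settings survived into the image; the same walk over the debug directory is what `dumpbin /headers` performs when it prints "CET compatible". The section-table lookup matters for real binaries, where the debug directory RVA does not equal its file offset.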