From patchwork Wed Feb 16 22:01:53 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lev Stipakov X-Patchwork-Id: 2297 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director14.mail.ord1d.rsapps.net ([172.30.191.6]) by backend41.mail.ord1d.rsapps.net with LMTP id oM8PDUkPDmILTAAAqwncew (envelope-from ) for ; Thu, 17 Feb 2022 04:03:05 -0500 Received: from proxy9.mail.ord1d.rsapps.net ([172.30.191.6]) by director14.mail.ord1d.rsapps.net with LMTP id YHcsKUkPDmLhRQAAeJ7fFg (envelope-from ) for ; Thu, 17 Feb 2022 04:03:05 -0500 Received: from smtp14.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy9.mail.ord1d.rsapps.net with LMTPS id EHDjKEkPDmJ6XAAA7h+8OQ (envelope-from ) for ; Thu, 17 Feb 2022 04:03:05 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp14.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=gmail.com; dmarc=fail (p=none; dis=none) header.from=gmail.com X-Suspicious-Flag: YES X-Classification-ID: 6a94e1ee-8fd0-11ec-b1d1-525400504bae-1-1 Received: from [216.105.38.7] ([216.105.38.7:60980] helo=lists.sourceforge.net) by smtp14.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 22/3E-21562-84F0E026; Thu, 17 Feb 2022 04:03:05 -0500 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1nKcg9-0003rR-Qy; Thu, 17 Feb 2022 09:02:20 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1nKcg2-0003rG-1z for openvpn-devel@lists.sourceforge.net; Thu, 17 Feb 2022 09:02:13 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:Cc: To:From:Sender:Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=O//mRizTxx3S6zOucM00ho1jOX1dlLIAGEHuK58zcxE=; b=L0b7kOY3BpyysxIJw2fNx55KUF oGsa4yJkj5UMu51tzFsrgw8hE5UOn6u3Qzo9/ysj5ndttXWAXdDCvTfRkXruDDTCa8O7d/racwY80 aM2mbs6u419gAh2NwuyFFzg6bUrUScI1gw/e1DpaWsRRQz71Dq1H8RZM1jUZ8CR/SvXw=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=O//mRizTxx3S6zOucM00ho1jOX1dlLIAGEHuK58zcxE=; b=I81p0x/94LexLz2LT3p2ehQ/51 BWlhKMmsNVcsoS7fUyPDXoUVYv8X+3wkiBAR+cvAhOLabn/wNtUA9UTPuZNQhDSzzEolMFiJXUSTu tXNh0xJXdyNMeKki8ef28H0fS+IoNOJS+cpezl4EeCB7LRVLzovu0GvE61TUCitVNov4=; Received: from mail-wm1-f43.google.com ([209.85.128.43]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.94.2) id 1nKcfy-004bGO-Pm for openvpn-devel@lists.sourceforge.net; Thu, 17 Feb 2022 09:02:12 +0000 Received: by mail-wm1-f43.google.com with SMTP id l12-20020a7bc34c000000b003467c58cbdfso5613260wmj.2 for ; Thu, 17 Feb 2022 01:02:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=O//mRizTxx3S6zOucM00ho1jOX1dlLIAGEHuK58zcxE=; b=EvAM7GBaBplLaWRahN+sIVY6pBTbyxasbUc6HwJQx0fukltnd7SEV6wI3ZHohzhD3S p31phCSTdG08X4cXsCjS07VBbbFwi1o26uhe8gOCQg6N6rCrCoRY+vuV/QSNwHoYqL2A GjDABOzmmoUZSNuYRZi+RfzGc0jsOQoRe94N0pUj77TwhdHnDA0DZJQ9NK1mVzLDR/ix uNFdtkRFUo22fffVzc6CMkJVxgrY9xTDb5UyAlTS1s+apMm3d4+qFC7Rl7KRdGtYNXLi pVzdRHFgnRMpc+745oiMxWUTgpEbrccP4hlkx+b4HtPGjAUAOuVyEyDkjqcuf3JoyhKv 9Xug== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=O//mRizTxx3S6zOucM00ho1jOX1dlLIAGEHuK58zcxE=; b=C2sX4OdlAgrAUa0vIeLJE0oreeArw9LU3egaL6EpXgM1kjER0n2pyjO9rdzKO4XlYG uicRs14KuV7q0tiXFgRtWTCBxJuVblGJ3HpkK7Bmbyqi6DbtG99k2j9eATZRd7i02K7V e4sQobqCE3gUmHdGgvSWPStHDgvn73WjODv+NkSulcRHWMyco+2TJsHfu+qPJbrKgmfT Zy4Vai4uL21xuCn5WGnEf24uLBM3wO30yXmxd6lDprtLXZ2umYx61ilkA666kzF+Yl4J R2yM84Ukn6Sh9pQRfoP8ygW/qDlLwgiy6c7d1ciFajw/K7oeyq6HlcC+Ymz3QMpyVBBo wRlQ== X-Gm-Message-State: AOAM532gU0BTMDnJ60fOqcLMauSoHACI7gqmc3mGiLyq9R7gryDzIQ5I WY9fx/yvbl5P8s2yivsRb8GX/zu/tnGV6w== X-Google-Smtp-Source: ABdhPJymTSp0JW8TD2sqEieRlAd42MagZVgo7ZB9Jfp9ibFxrxqXOxa+Ddohw3wqpy4KXyr8BoBjLA== X-Received: by 2002:a05:600c:4fc4:b0:37c:9116:ef3d with SMTP id o4-20020a05600c4fc400b0037c9116ef3dmr1674287wmq.167.1645088523948; Thu, 17 Feb 2022 01:02:03 -0800 (PST) Received: from LAPTOP-4L3N7KFS.localdomain (nat4.panoulu.net. [185.38.2.4]) by smtp.gmail.com with ESMTPSA id v5sm18070129wrr.7.2022.02.17.01.02.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Feb 2022 01:02:03 -0800 (PST) From: Lev Stipakov To: openvpn-devel@lists.sourceforge.net Date: Thu, 17 Feb 2022 11:01:53 +0200 Message-Id: <20220217090153.394-1-lstipakov@gmail.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20220107145359.311-1-lstipakov@gmail.com> References: <20220107145359.311-1-lstipakov@gmail.com> X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Lev Stipakov - enable hardware-enforced stack protection on compatible hardware/software (/CETCOMPAT linker option) - hash object files with SHA256 (/ZH:SHA_256 compiler option) Content analysis details: (-0.2 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.128.43 listed in list.dnswl.org] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [lstipakov[at]gmail.com] -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.128.43 listed in wl.mailspike.net] -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1nKcfy-004bGO-Pm Subject: [Openvpn-devel] [PATCH v2 release/2.5] msvc: adjust build options to harden binaries X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Lev Stipakov MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: Lev Stipakov - enable hardware-enforced stack protection on compatible hardware/software (/CETCOMPAT linker option) - hash object files with SHA256 (/ZH:SHA_256 compiler option) - enable SDL. The required to add _CRT_NONSTDC_NO_DEPRECATE _CRT_SECURE_NO_WARNINGS _WINSOCK_DEPRECATED_NO_WARNINGS preprocessor definitions. I don't feel like replacing strdup (which is correct POSIX function) and inet_ntoa (we always pass IPv4 address to it, inet_ntop will make code more complex) Above issues were discovered by bitskim. Before applying this patch, this one must be applied from master: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21774.html Signed-off-by: Lev Stipakov Signed-off-by: Lev Stipakov <lev@openvpn.net>
--- v2: - rebase on top of latest release/2.5 - add SDL checks to all configurations src/openvpn/auth_token.c | 1 + src/openvpn/openvpn.vcxproj | 38 +++++++++++++------ src/openvpnmsica/openvpnmsica.vcxproj | 48 ++++++++++++++++++++++++ src/openvpnserv/openvpnserv.vcxproj | 26 ++++++++++--- src/tapctl/tapctl.vcxproj | 54 ++++++++++++++++++++++++--- 5 files changed, 143 insertions(+), 24 deletions(-) diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index ca7e5a4d..37af6605 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -87,6 +87,7 @@ add_session_token_env(struct tls_session *session, struct tls_multi *multi, default: /* Silence compiler warning, all four possible combinations are covered */ + state = NULL; ASSERT(0); } } diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj index 91d5ebbe..05c63b03 100644 --- a/src/openvpn/openvpn.vcxproj +++ b/src/openvpn/openvpn.vcxproj @@ -147,11 +147,13 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true @@ -162,11 +164,13 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true @@ -177,11 +181,13 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true @@ -192,44 +198,52 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) Guard + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true Ncrypt.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;setupapi.lib;Advapi32.lib $(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories) Console + true - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) Guard + true + Level2 + /ZH:SHA_256 %(AdditionalOptions) Ncrypt.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;setupapi.lib;Advapi32.lib $(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories) Console + true - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) Guard + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true diff --git a/src/openvpnmsica/openvpnmsica.vcxproj b/src/openvpnmsica/openvpnmsica.vcxproj index 11aa78bb..3a9f0c97 100644 --- a/src/openvpnmsica/openvpnmsica.vcxproj +++ b/src/openvpnmsica/openvpnmsica.vcxproj @@ -135,6 +135,54 @@ true + + + true + + + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + true + + + + + true + + + /ZH:SHA_256 %(AdditionalOptions) + true + %(PreprocessorDefinitions) + + + + + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + true + + + + + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + true + + + + + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + true + + + + + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + true + + diff --git a/src/openvpnserv/openvpnserv.vcxproj b/src/openvpnserv/openvpnserv.vcxproj index 520242f4..c70db229 100644 --- a/src/openvpnserv/openvpnserv.vcxproj +++ b/src/openvpnserv/openvpnserv.vcxproj @@ -124,7 +124,9 @@ ..\openvpn;..\compat;%(AdditionalIncludeDirectories) - _CONSOLE;%(PreprocessorDefinitions) + _CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) @@ -135,7 +137,9 @@ ..\openvpn;..\compat;%(AdditionalIncludeDirectories) - _CONSOLE;%(PreprocessorDefinitions) + _CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) @@ -146,7 +150,9 @@ ..\openvpn;..\compat;%(AdditionalIncludeDirectories) - _CONSOLE;%(PreprocessorDefinitions) + _CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) @@ -157,29 +163,37 @@ ..\openvpn;..\compat;%(AdditionalIncludeDirectories) - _CONSOLE;%(PreprocessorDefinitions) + _CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) Userenv.lib;Iphlpapi.lib;ntdll.lib;Fwpuclnt.lib;Netapi32.lib;Shlwapi.lib;%(AdditionalDependencies) Console + true ..\openvpn;..\compat;%(AdditionalIncludeDirectories) - _CONSOLE;%(PreprocessorDefinitions) + _CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) legacy_stdio_definitions.lib;Userenv.lib;Iphlpapi.lib;ntdll.lib;Fwpuclnt.lib;Netapi32.lib;Shlwapi.lib;%(AdditionalDependencies) Console + true ..\openvpn;..\compat;%(AdditionalIncludeDirectories) - _CONSOLE;%(PreprocessorDefinitions) + _CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) diff --git a/src/tapctl/tapctl.vcxproj b/src/tapctl/tapctl.vcxproj index 79da9d33..f439dc4f 100644 --- a/src/tapctl/tapctl.vcxproj +++ b/src/tapctl/tapctl.vcxproj @@ -135,12 +135,54 @@ true - - - - - - + + + true + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + + + + + true + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + + + + + true + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + + + + + true + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + + + true + + + + + true + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + + + + + true + + + true + /ZH:SHA_256 %(AdditionalOptions) + %(PreprocessorDefinitions) + +