From patchwork Wed Feb 16 21:58:14 2022
X-Patchwork-Submitter: Lev Stipakov
X-Patchwork-Id: 2296
From: Lev Stipakov
To: openvpn-devel@lists.sourceforge.net
Cc: Lev Stipakov
Date: Thu, 17 Feb 2022 10:58:14 +0200
Message-Id: <20220217085814.274-1-lstipakov@gmail.com>
In-Reply-To: <20220107145522.435-1-lstipakov@gmail.com>
References: <20220107145522.435-1-lstipakov@gmail.com>
X-Mailer: git-send-email 2.17.1
Subject: [Openvpn-devel] [PATCH v2] msvc: adjust build options to harden binaries
From: Lev Stipakov

- enable hardware-enforced stack protection on compatible hardware/software (/CETCOMPAT linker option)
- hash object files with SHA256 (/ZH:SHA_256 compiler option)
- enable SDL. This required adding the _CRT_NONSTDC_NO_DEPRECATE, _CRT_SECURE_NO_WARNINGS and _WINSOCK_DEPRECATED_NO_WARNINGS preprocessor definitions. I don't feel like replacing strdup (which is a correct POSIX function) and inet_ntoa (we always pass an IPv4 address to it; inet_ntop will make the code more complex).

The above issues were discovered by bitskim.

Signed-off-by: Lev Stipakov
---
v2:
- rebase on top of latest master
- mute ossl3 deprecation warnings treated as errors by msvc
- add SDL checks to all configurations

 src/openvpn/crypto_openssl.c | 5 +++
 src/openvpn/openvpn.vcxproj | 44 +++++++++++++++---------
 src/openvpn/openvpn.vcxproj.filters | 9 +++++
 src/openvpnmsica/openvpnmsica.vcxproj | 42 +++++++++++++++++++++++
 src/openvpnserv/openvpnserv.vcxproj | 14 ++++++++
 src/tapctl/tapctl.vcxproj | 48 +++++++++++++++++++++++----
 6 files changed, 141 insertions(+), 21 deletions(-)

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 8bc41792..e84b33f1 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -62,6 +62,11 @@ #error Windows build with OPENSSL_NO_EC: disabling EC key is not supported. #endif +#ifdef _MSC_VER +/* mute ossl3 deprecation warnings treated as errors in msvc */ +#pragma warning(disable: 4996) +#endif + /* * Check for key size creepage. */ diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj index 56fdf520..1d32c41f 100644 --- a/src/openvpn/openvpn.vcxproj +++ b/src/openvpn/openvpn.vcxproj @@ -147,11 +147,13 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true 
@@ -162,11 +164,13 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true @@ -177,11 +181,13 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true 
@@ -192,44 +198,52 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) Guard + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true Ncrypt.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;setupapi.lib;Advapi32.lib $(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories) Console + true - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) Guard + true + Level2 + /ZH:SHA_256 %(AdditionalOptions) Ncrypt.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;setupapi.lib;Advapi32.lib $(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories) Console + true - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) Guard + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true @@ -316,8 +330,8 @@ - - + + @@ -409,7 +423,7 @@ - + diff --git a/src/openvpn/openvpn.vcxproj.filters b/src/openvpn/openvpn.vcxproj.filters index f5fdfcd7..4cf0bb00 100644 --- a/src/openvpn/openvpn.vcxproj.filters +++ b/src/openvpn/openvpn.vcxproj.filters @@ -246,6 +246,12 @@ Source Files + + Source Files + + + Source Files + @@ -515,6 +521,9 @@ Header Files + + Header Files + diff --git a/src/openvpnmsica/openvpnmsica.vcxproj b/src/openvpnmsica/openvpnmsica.vcxproj index 11aa78bb..bf384db6 100644 --- a/src/openvpnmsica/openvpnmsica.vcxproj +++ b/src/openvpnmsica/openvpnmsica.vcxproj 
@@ -135,6 +135,48 @@ true + + + true + + + /ZH:SHA_256 %(AdditionalOptions) + true + + + + + true + + + /ZH:SHA_256 %(AdditionalOptions) + true + + + + + /ZH:SHA_256 %(AdditionalOptions) + true + + + + + /ZH:SHA_256 %(AdditionalOptions) + true + + + + + /ZH:SHA_256 %(AdditionalOptions) + true + + + + + /ZH:SHA_256 %(AdditionalOptions) + true + + diff --git a/src/openvpnserv/openvpnserv.vcxproj b/src/openvpnserv/openvpnserv.vcxproj index 5fd7d60b..d42e9642 100644 --- a/src/openvpnserv/openvpnserv.vcxproj +++ b/src/openvpnserv/openvpnserv.vcxproj @@ -125,6 +125,8 @@ ..\openvpn;..\compat;%(AdditionalIncludeDirectories) _CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) @@ -136,6 +138,8 @@ ..\openvpn;..\compat;%(AdditionalIncludeDirectories) _CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) @@ -147,6 +151,8 @@ ..\openvpn;..\compat;%(AdditionalIncludeDirectories) _CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) @@ -158,28 +164,36 @@ ..\openvpn;..\compat;%(AdditionalIncludeDirectories) _CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) Userenv.lib;Iphlpapi.lib;ntdll.lib;Fwpuclnt.lib;Netapi32.lib;Shlwapi.lib;%(AdditionalDependencies) Console + true ..\openvpn;..\compat;%(AdditionalIncludeDirectories) _CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) legacy_stdio_definitions.lib;Userenv.lib;Iphlpapi.lib;ntdll.lib;Fwpuclnt.lib;Netapi32.lib;Shlwapi.lib;%(AdditionalDependencies) Console + true ..\openvpn;..\compat;%(AdditionalIncludeDirectories) _CONSOLE;%(PreprocessorDefinitions) + true + /ZH:SHA_256 %(AdditionalOptions) diff --git a/src/tapctl/tapctl.vcxproj b/src/tapctl/tapctl.vcxproj index 79da9d33..0fc22d97 100644 --- a/src/tapctl/tapctl.vcxproj +++ b/src/tapctl/tapctl.vcxproj 
@@ -135,12 +135,48 @@ true - - - - - - + + + true + /ZH:SHA_256 %(AdditionalOptions) + + + + + true + /ZH:SHA_256 %(AdditionalOptions) + + + + + true + /ZH:SHA_256 %(AdditionalOptions) + + + + + true + /ZH:SHA_256 %(AdditionalOptions) + + + true + + + + + true + /ZH:SHA_256 %(AdditionalOptions) + + + + + true + + + true + /ZH:SHA_256 %(AdditionalOptions) + +
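Review bot: the `+#pragma warning(disable: 4996)` added in the crypto_openssl.c hunk is file-wide and not limited to the OpenSSL 3 headers, so it also silences C4996 for every deprecated CRT call in that translation unit, which is exactly the class of diagnostic the SDL checks enabled elsewhere in this patch are meant to turn into errors. Consider wrapping only the affected OpenSSL calls in `#pragma warning(push)` / `#pragma warning(disable: 4996)` / `#pragma warning(pop)`, or defining `OPENSSL_SUPPRESS_DEPRECATED` before the OpenSSL includes so that only the ossl3 deprecations are muted.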
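Review bot: the commit message says SDL is being enabled, but the openvpn.vcxproj hunks at `@@ -147`, `-162`, `-177` and `-192` add `_CRT_SECURE_NO_WARNINGS` to every configuration's preprocessor definitions, which suppresses the C4996 diagnostics for the whole secure-CRT family (strcpy, sprintf and friends), not just the strdup and inet_ntoa cases the message argues for; with that define in place the SDL deprecation check will never fire for this project. If keeping the define is intentional, the commit message should say that the CRT part of SDL is deliberately disabled; otherwise consider dropping it and suppressing only the two justified call sites. Separately, the `@@ -192` block adds a link-stage `+ true` in each of its three configurations (presumably the /CETCOMPAT setting from the description) while the first three hunks receive only the compiler-stage additions; please confirm that those configurations are meant to build without it.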
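Review bot: the `@@ -316` and `@@ -409` hunks of openvpn.vcxproj and the whole openvpn.vcxproj.filters diff add new Source Files and Header Files entries that have nothing to do with the hardening options and look like fallout of the rebase listed under v2. Either describe them in the commit message or split them into a separate project-file commit so that the hardening change stays reviewable on its own.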
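Review bot: in the openvpnmsica.vcxproj hunk only the first two configuration blocks carry an extra leading `+ true` ahead of `/ZH:SHA_256 %(AdditionalOptions)`, while the remaining four carry just the `/ZH:SHA_256` line and the trailing `true`; if that leading entry is one of the SDL or CET settings, four configurations are missing it, and if it is configuration-specific a short note in the commit message would help. The same asymmetry shows up in the tapctl.vcxproj hunk, where only two of the six blocks gain an additional `+ true`; the openvpnserv.vcxproj hunks, by contrast, apply the same pair of additions to every configuration, which is the pattern I would expect here too.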