Re: [Openvpn-devel] [PATCH v2 release/2.5] msvc: adjust build options to harden binaries

2022-03-15 Thread Frank Lichtenheld 
Acked-by: Frank Lichtenheld 

Build tested on Win10 VS 2019. See notes below about the patch
dependency.

> Lev Stipakov  hat am 19.02.2022 00:52 geschrieben:
> 
>  
> From: Lev Stipakov 
> 
>  - enable hardware-enforced stack protection on
> compatible hardware/software (/CETCOMPAT linker option)
> 
>  - hash object files with SHA256 (/ZH:SHA_256 compiler option)
> 
>  - enable SDL. The required to add
> 
> _CRT_NONSTDC_NO_DEPRECATE
> _CRT_SECURE_NO_WARNINGS
> _WINSOCK_DEPRECATED_NO_WARNINGS
> 
> preprocessor definitions. I don't feel like replacing strdup (which is
> correct POSIX function) and inet_ntoa (we always pass IPv4 address to
> it, inet_ntop will make code more complex)
> 
> Above issues were discovered by bitskim.
> 
> Before applying this patch, this one must be applied from master:
> 
> https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21774.html

Notes:
- This is e5e9a07e8baee4065b7dfd65736bfa77b8329cfc
- Automatic cherry-pick fails due to trivial conflict in copyright years
- Author of e5e9a07e8baee4065b7dfd65736bfa77b8329cfc is
  "Author: Simon Rozman via Openvpn-devel "
  so that is something that could be cleaned up on cherry-pick.

Regards,
--
Frank Lichtenheld


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH v2 release/2.5] msvc: adjust build options to harden binaries

2022-02-21 Thread Lev Stipakov 
From: Lev Stipakov 

 - enable hardware-enforced stack protection on
compatible hardware/software (/CETCOMPAT linker option)

 - hash object files with SHA256 (/ZH:SHA_256 compiler option)

 - enable SDL. The required to add

_CRT_NONSTDC_NO_DEPRECATE
_CRT_SECURE_NO_WARNINGS
_WINSOCK_DEPRECATED_NO_WARNINGS

preprocessor definitions. I don't feel like replacing strdup (which is
correct POSIX function) and inet_ntoa (we always pass IPv4 address to
it, inet_ntop will make code more complex)

Above issues were discovered by bitskim.

Before applying this patch, this one must be applied from master:

https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21774.html

Signed-off-by: Lev Stipakov 
---

 v2:
  - rebase on top of latest release/2.5
  - add SDL checks to all configurations

 src/openvpn/auth_token.c  |  1 +
 src/openvpn/openvpn.vcxproj   | 38 +--
 src/openvpnmsica/openvpnmsica.vcxproj | 48 
 src/openvpnserv/openvpnserv.vcxproj   | 26 ++---
 src/tapctl/tapctl.vcxproj | 54 ---
 5 files changed, 143 insertions(+), 24 deletions(-)

diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c
index ca7e5a4d..37af6605 100644
--- a/src/openvpn/auth_token.c
+++ b/src/openvpn/auth_token.c
@@ -87,6 +87,7 @@ add_session_token_env(struct tls_session *session, struct 
tls_multi *multi,
 
 default:
 /* Silence compiler warning, all four possible combinations 
are covered */
+state = NULL;
 ASSERT(0);
 }
 }
diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj
index 91d5ebbe..05c63b03 100644
--- a/src/openvpn/openvpn.vcxproj
+++ b/src/openvpn/openvpn.vcxproj
@@ -147,11 +147,13 @@
   
   
 
-  
_CONSOLE;%(PreprocessorDefinitions)
+  
_CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions)
   
%(UndefinePreprocessorDefinitions)
-  Level2
   true
   
..\compat;%(AdditionalIncludeDirectories)
+  Level2
+  /ZH:SHA_256 %(AdditionalOptions)
+  true
 
 
 
@@ -162,11 +164,13 @@
   
   
 
-  
_CONSOLE;%(PreprocessorDefinitions)
+  
_CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions)
   
%(UndefinePreprocessorDefinitions)
-  Level2
   true
   
..\compat;%(AdditionalIncludeDirectories)
+  Level2
+  /ZH:SHA_256 %(AdditionalOptions)
+  true
 
 
 
@@ -177,11 +181,13 @@
   
   
 
-  
_CONSOLE;%(PreprocessorDefinitions)
+  
_CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions)
   
%(UndefinePreprocessorDefinitions)
-  Level2
   true
   
..\compat;%(AdditionalIncludeDirectories)
+  Level2
+  /ZH:SHA_256 %(AdditionalOptions)
+  true
 
 
 
@@ -192,44 +198,52 @@
   
   
 
-  
_CONSOLE;%(PreprocessorDefinitions)
+  
_CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions)
   
%(UndefinePreprocessorDefinitions)
-  Level2
   true
   
..\compat;%(AdditionalIncludeDirectories)
   Guard
+  Level2
+  /ZH:SHA_256 %(AdditionalOptions)
+  true
 
 
 
   
Ncrypt.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;setupapi.lib;Advapi32.lib
   
$(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories)
   Console
+  true
 
   
   
 
-  
_CONSOLE;%(PreprocessorDefinitions)
+  
_CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions)
   
%(UndefinePreprocessorDefinitions)
-  Level2
   true
   
..\compat;%(AdditionalIncludeDirectories)
   Guard
+  true
+  Level2
+  /ZH:SHA_256 %(AdditionalOptions)
 
 
 
   
Ncrypt.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;setupapi.lib;Advapi32.lib
   
$(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories)
   Console
+  true
 
   
   
 
-  
_CONSOLE;%(PreprocessorDefinitions)
+  
_CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions)
   
%(UndefinePreprocessorDefinitions)
-  Level2
   true
   
..\compat;%(AdditionalIncludeDirectories)
   Guard
+  Level2
+  /ZH:SHA_256 %(AdditionalOptions)
+  true
 
 
 
diff --git a/src/openvpnmsica/openvpnmsica.vcxproj 
b/src/openvpnmsica/openvpnmsica.vcxproj
index 11aa78bb..3a9f0c97 100644
--- a/src/openvpnmsica/openvpnmsica.vcxproj
+++ b/src/openvpnmsica/openvpnmsica.vcxproj
@@

Re: [Openvpn-devel] [PATCH v2 release/2.5] msvc: adjust build options to harden binaries

2022-02-17 Thread Илья Шипицин 
I've missed that patch [Openvpn-devel] [PATCH v2 4/5] tapctl: Resolve MSVC
C4996 warnings (mail-archive.com)


I'll test updated patch soon.

чт, 17 февр. 2022 г. в 14:03, Lev Stipakov :

> From: Lev Stipakov 
>
>  - enable hardware-enforced stack protection on
> compatible hardware/software (/CETCOMPAT linker option)
>
>  - hash object files with SHA256 (/ZH:SHA_256 compiler option)
>
>  - enable SDL. The required to add
>
> _CRT_NONSTDC_NO_DEPRECATE
> _CRT_SECURE_NO_WARNINGS
> _WINSOCK_DEPRECATED_NO_WARNINGS
>
> preprocessor definitions. I don't feel like replacing strdup (which is
> correct POSIX function) and inet_ntoa (we always pass IPv4 address to
> it, inet_ntop will make code more complex)
>
> Above issues were discovered by bitskim.
>
> Before applying this patch, this one must be applied from master:
>
>
> https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21774.html
>
>
> Signed-off-by: Lev Stipakov 
> ---
>  v2:
>- rebase on top of latest release/2.5
>- add SDL checks to all configurations
>
>  src/openvpn/auth_token.c  |  1 +
>  src/openvpn/openvpn.vcxproj   | 38 +--
>  src/openvpnmsica/openvpnmsica.vcxproj | 48 
>  src/openvpnserv/openvpnserv.vcxproj   | 26 ++---
>  src/tapctl/tapctl.vcxproj | 54 ---
>  5 files changed, 143 insertions(+), 24 deletions(-)
>
> diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c
> index ca7e5a4d..37af6605 100644
> --- a/src/openvpn/auth_token.c
> +++ b/src/openvpn/auth_token.c
> @@ -87,6 +87,7 @@ add_session_token_env(struct tls_session *session,
> struct tls_multi *multi,
>
>  default:
>  /* Silence compiler warning, all four possible
> combinations are covered */
> +state = NULL;
>  ASSERT(0);
>  }
>  }
> diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj
> index 91d5ebbe..05c63b03 100644
> --- a/src/openvpn/openvpn.vcxproj
> +++ b/src/openvpn/openvpn.vcxproj
> @@ -147,11 +147,13 @@
>
> Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
>  
> -
> _CONSOLE;%(PreprocessorDefinitions)
> +
> _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions)
>
>  
> %(UndefinePreprocessorDefinitions)
> -  Level2
>true
>
>  
> ..\compat;%(AdditionalIncludeDirectories)
> +  Level2
> +  /ZH:SHA_256
> %(AdditionalOptions)
> +  true
>  
>  
>  
> @@ -162,11 +164,13 @@
>
> Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
>  
> -
> _CONSOLE;%(PreprocessorDefinitions)
> +
> _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions)
>
>  
> %(UndefinePreprocessorDefinitions)
> -  Level2
>true
>
>  
> ..\compat;%(AdditionalIncludeDirectories)
> +  Level2
> +  /ZH:SHA_256
> %(AdditionalOptions)
> +  true
>  
>  
>  
> @@ -177,11 +181,13 @@
>
> Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
>  
> -
> _CONSOLE;%(PreprocessorDefinitions)
> +
> _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions)
>
>  
> %(UndefinePreprocessorDefinitions)
> -  Level2
>true
>
>  
> ..\compat;%(AdditionalIncludeDirectories)
> +  Level2
> +  /ZH:SHA_256
> %(AdditionalOptions)
> +  true
>  
>  
>  
> @@ -192,44 +198,52 @@
>
> Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
>  
> -
> _CONSOLE;%(PreprocessorDefinitions)
> +
> _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions)
>
>  
> %(UndefinePreprocessorDefinitions)
> -  Level2
>true
>
>  
> ..\compat;%(AdditionalIncludeDirectories)
>Guard
> +  Level2
> +  /ZH:SHA_256
> %(AdditionalOptions)
> +  true
>  
>  
>  
>
>  
> Ncrypt.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;setupapi.lib;Advapi32.lib
>
>  
> $(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories)
>Console
> +  true
>  
>
> Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
>  
> -
> _CONSOLE;%(PreprocessorDefinitions)
> +
> _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions)
>
>  
> %(UndefinePreprocessorDefinitions)
> -  Level2
>true
>
>  
> ..\compat;%(AdditionalIncludeDirectories)
>Guard
> +  true
> +  Level2
> +  /ZH:SHA_256
> %(AdditionalOptions)
>  
>  
>  
>
>  
>