Re: [Openvpn-devel] [PATCH] doc: cleanup for --data-ciphers and related
> Arne Schwabe hat am 21.02.2022 21:23 geschrieben: > Am 21.02.22 um 12:19 schrieb Frank Lichtenheld: > > @@ -191,7 +191,8 @@ configured in a compatible way between both the local > > and remote side. > > > > For servers, the first cipher from ``cipher-list`` that is also > > supported by the client will be pushed to clients that support cipher > > - negotiation. > > + negotiation. (That feature is also called ``Negotiable crypto > > parameters`` > > + or ``NCP`` for short). > > That was actually a decision to leave out NCP out of this document. NCP > is an internal thing and the documentation does not need to introduce it > and can just talk about cipher negotitation in a non-specific way. Yeah, the problem is that the document mentions NCP a lot, so we at least need to explain what it is. I considered removing it completely, but decided to keep some of the mentions since they make the sentences much shorter than if I would add "cipher negotiation" every time. But if you prefer I can certainly do that. Regards, -- Frank Lichtenheld ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] doc: cleanup for --data-ciphers and related
Am 21.02.22 um 12:19 schrieb Frank Lichtenheld: - Fix various formatting inconsistencies - Explain what NCP means before using it. - Also replace some of the usages of NCP with the clearer "cipher negotiation". Signed-off-by: Frank Lichtenheld --- doc/man-sections/protocol-options.rst | 34 +-- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst index 1c6b1200..4af65983 100644 --- a/doc/man-sections/protocol-options.rst +++ b/doc/man-sections/protocol-options.rst @@ -73,7 +73,7 @@ configured in a compatible way between both the local and remote side. Starting with 2.6.0, this option is always ignored in TLS mode when it comes to configuring the cipher and will only control the cipher for ``--secret`` pre-shared-key mode (note: this mode is - deprecated strictly not recommended). + deprecated and strictly not recommended). If you wish to specify the cipher to use on the data channel, please see ``--data-ciphers`` (for regular negotiation) and @@ -87,8 +87,8 @@ configured in a compatible way between both the local and remote side. Set ``alg`` to :code:`none` to disable encryption. --compress algorithm - **DEPRECATED** Enable a compression algorithm. Compression is generally - not recommended. VPN tunnels which use compression are susceptible to + **DEPRECATED** Enable a compression algorithm. Compression is generally + not recommended. VPN tunnels which use compression are susceptible to the VORALCE attack vector. See also the :code:`migrate` parameter below. The ``algorithm`` parameter may be :code:`lzo`, :code:`lz4`, 
@@ -191,7 +191,8 @@ configured in a compatible way between both the local and remote side. For servers, the first cipher from ``cipher-list`` that is also supported by the client will be pushed to clients that support cipher - negotiation. + negotiation. (That feature is also called ``Negotiable crypto parameters`` + or ``NCP`` for short). That was actually a decision to leave out NCP out of this document. NCP is an internal thing and the documentation does not need to introduce it and can just talk about cipher negotitation in a non-specific way. Arne ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] doc: cleanup for --data-ciphers and related
On 21/02/2022 12:19, Frank Lichtenheld wrote:
> - Fix various formatting inconsistencies
> - Explain what NCP means before using it.
> - Also replace some of the usages of NCP with the clearer "cipher negotiation".
>
> Signed-off-by: Frank Lichtenheld
> ---
>  doc/man-sections/protocol-options.rst | 34 +--
>  1 file changed, 17 insertions(+), 17 deletions(-)

Only glared at changes, and they look good to me.

Acked-By: David Sommerseth

--
kind regards,

David Sommerseth
OpenVPN Inc
[Openvpn-devel] [PATCH] Fix --mtu-disc maybe|yes on Linux.
--mtu-disc (on Linux) needs two components to work: - setsockopt() with IP_MTU_DISCOVER or IPV6_MTU_DISCOVER - "extended error reporting" (setsockopt(IP_RECVERR) and then via mtu.c/format_extended_socket_error()) to react on "packet too big" errors on sendto() / sendmsg() Some configure.ac reorganization broke detection of and "struct sock_extended_err". Fix configure.ac, leave syshead.h mess. Thus: 2022-02-21 18:21:11 write UDPv4 [EMSGSIZE Path-MTU=800]: Message too long (fd=3,code=90) 2022-02-21 18:21:11 Note adjusting 'mssfix 1400 mtu' to 'mssfix 800 mtu' according to path MTU discovery 2022-02-21 18:21:11 Note adjusting 'fragment 800 mtu' to 'fragment 800 mtu' according to path MTU discovery ... while at it, fix extra space in first part of message. Trac: #1452 Signed-off-by: Gert Doering --- configure.ac | 8 +++- src/openvpn/mss.c | 4 ++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index d42185d0..7f4c239c 100644 --- a/configure.ac +++ b/configure.ac @@ -425,7 +425,7 @@ AC_CHECK_HEADERS([ \ unistd.h libgen.h stropts.h \ syslog.h pwd.h grp.h termios.h \ sys/sockio.h sys/uio.h linux/sockios.h \ - linux/types.h poll.h sys/epoll.h err.h \ + linux/types.h linux/errqueue.h poll.h sys/epoll.h err.h \ ]) SOCKET_INCLUDES=" @@ -457,6 +457,12 @@ SOCKET_INCLUDES=" #ifdef HAVE_NETINET_IP_H #include #endif +#ifdef HAVE_LINUX_TYPES_H +#include +#endif +#ifdef HAVE_LINUX_ERRQUEUE_H +#include +#endif " AC_CHECK_HEADERS( diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index 81692e91..c131183f 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c 
@@ -361,7 +361,7 @@ frame_adjust_path_mtu(struct context *c) || (o->ce.mssfix_encap && pmtu < o->ce.mssfix + encap_overhead)) { const char* mtustr = o->ce.mssfix_encap ? " mtu" : ""; -msg(D_MTU_INFO, "Note adjusting 'mssfix %d %s' to 'mssfix %d mtu' " +msg(D_MTU_INFO, "Note adjusting 'mssfix %d%s' to 'mssfix %d mtu' " "according to path MTU discovery", o->ce.mssfix, mtustr, pmtu); o->ce.mssfix = pmtu; @@ -374,7 +374,7 @@ frame_adjust_path_mtu(struct context *c) (o->ce.fragment_encap && pmtu < o->ce.fragment + encap_overhead)) { const char* mtustr = o->ce.fragment_encap ? " mtu" : ""; -msg(D_MTU_INFO, "Note adjusting 'fragment %d %s' to 'fragment %d mtu' " +msg(D_MTU_INFO, "Note adjusting 'fragment %d%s' to 'fragment %d mtu' " "according to path MTU discovery", o->ce.mssfix, mtustr, pmtu); o->ce.fragment = pmtu; -- 2.26.3 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
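Review bot: In the second mss.c hunk (the `fragment` message in frame_adjust_path_mtu) the format string now reads `'fragment %d%s'`, but the argument list below it still passes `o->ce.mssfix, mtustr, pmtu`, so the "before" value printed is the mssfix value (which the preceding hunk has just set to pmtu), not the configured fragment size. The log line in the commit message, `Note adjusting 'fragment 800 mtu' to 'fragment 800 mtu'`, is consistent with that. Since this patch already touches that msg() call, the argument should become `o->ce.fragment, mtustr, pmtu` in the same change.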
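As an added example (not OpenVPN's own code), this is how the kernel's IP_RECVERR report that the commit message relies on is read back from the socket error queue: a `struct sock_extended_err` record is constructed inline, as the kernel would queue it for an ICMP "fragmentation needed" error, and the parser recovers the path MTU from it. The function names and the sample record are this example's own; it is Linux-specific, like the option it illustrates.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/errqueue.h>

/* Walk the control messages returned by recvmsg(..., MSG_ERRQUEUE) and
 * return the path MTU if an IP_RECVERR / IPV6_RECVERR record carries
 * EMSGSIZE ("packet too big"); 0 if no such record is present. */
static unsigned int extended_error_path_mtu(struct msghdr *msg)
{
    for (struct cmsghdr *cm = CMSG_FIRSTHDR(msg); cm; cm = CMSG_NXTHDR(msg, cm)) {
        int is_v4 = (cm->cmsg_level == SOL_IP && cm->cmsg_type == IP_RECVERR);
        int is_v6 = (cm->cmsg_level == SOL_IPV6 && cm->cmsg_type == IPV6_RECVERR);
        if (!is_v4 && !is_v6) {
            continue;
        }
        if (cm->cmsg_len < CMSG_LEN(sizeof(struct sock_extended_err))) {
            continue;               /* truncated record: do not trust it */
        }
        struct sock_extended_err ee;
        memcpy(&ee, CMSG_DATA(cm), sizeof(ee));   /* CMSG_DATA may be unaligned */
        if (ee.ee_errno == EMSGSIZE) {
            return ee.ee_info;      /* for EMSGSIZE the kernel stores the MTU here */
        }
    }
    return 0;
}

/* Control buffer big enough for one sock_extended_err record, aligned
 * the way the cmsg macros expect. */
union errq_ctl {
    struct cmsghdr align;
    unsigned char buf[CMSG_SPACE(sizeof(struct sock_extended_err))];
};

/* Constructed sample: the record the kernel would queue after an ICMP
 * "fragmentation needed" (type 3, code 4) arrives for a UDPv4 socket. */
static void build_sample_record(union errq_ctl *ctl, int ee_errno, unsigned int info)
{
    struct msghdr msg;
    memset(&msg, 0, sizeof(msg));
    msg.msg_control = ctl->buf;
    msg.msg_controllen = sizeof(ctl->buf);

    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_IP;
    cm->cmsg_type = IP_RECVERR;
    cm->cmsg_len = CMSG_LEN(sizeof(struct sock_extended_err));

    struct sock_extended_err ee;
    memset(&ee, 0, sizeof(ee));
    ee.ee_errno = (__u32)ee_errno;
    ee.ee_origin = SO_EE_ORIGIN_ICMP;
    ee.ee_type = 3;                 /* ICMP destination unreachable */
    ee.ee_code = 4;                 /* fragmentation needed and DF set */
    ee.ee_info = info;              /* next-hop MTU from the ICMP message */
    memcpy(CMSG_DATA(cm), &ee, sizeof(ee));
}

/* Parse one constructed record; returns the MTU the parser recovers (0 if none). */
static unsigned int path_mtu_from_sample(int ee_errno, unsigned int info)
{
    union errq_ctl ctl;
    build_sample_record(&ctl, ee_errno, info);

    struct msghdr msg;
    memset(&msg, 0, sizeof(msg));
    msg.msg_control = ctl.buf;
    msg.msg_controllen = sizeof(ctl.buf);
    return extended_error_path_mtu(&msg);
}

int main(void)
{
    unsigned int mtu = path_mtu_from_sample(EMSGSIZE, 800);
    if (mtu) {
        printf("write UDPv4 [EMSGSIZE Path-MTU=%u]: %s\n", mtu, strerror(EMSGSIZE));
    }
    /* A port-unreachable error queues ECONNREFUSED and carries no MTU. */
    printf("non-MTU record -> %u\n", path_mtu_from_sample(ECONNREFUSED, 0));
    return 0;
}
```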
Re: [Openvpn-devel] [PATCH master+release/2.5] error.c: use correct API to get error description on Windows
Hi

On Mon, Feb 21, 2022 at 4:24 AM Lev Stipakov wrote:
> We had a long discussion with ordex about this patch and came to the
> conclusion that error printing is currently broken on Windows and
> needs a proper fixing.

+1

> What we propose:
>
> - M_ERRNO prints only C runtime errors on all platforms and should be
> only used with C runtime functions
> - We add M_WINERR which uses GetLastError and FormatMessage to print
> Windows errors

While this would be a cleaner fix, it also requires extensive changes and it is not always easy to decide where to use M_ERRNO and where to use M_WINERR. E.g., without looking into the internals of platform.c one doesn't know whether platform_open() uses _wopen() or CreateFile().

A possible option is to continue the use of M_ERRNO on Windows as is (except for socket errors), continue to use GetLastError() in x_msg(), but if/when the latter returns zero, try errno and strerror(). Not ideal, but fewer changes and easier and transparent to the user of msg().

That said, I haven't checked whether GetLastError() returns zero or a valid and correct error code for C runtime errors -- without which this approach won't work.

> - We add M_SOCKERR, which is resolved into M_ERRNO on all platforms
> except Windows and on Windows it is M_WSAERR. We use WSAGetLastError
> and FormatMessage to print WSA errors. Socket functions use M_SOCKERR.

Sounds good.

BTW, there are a couple of uses of strerror() in check_status() (error.c) missed by the original patch.

Selva
Re: [Openvpn-devel] [PATCH 2.5] msvc: adjust build options to harden binaries
sorry, it does not look like "2 new threads". also, I'm not sure patchwork will be able to pick 2 acks from 1 thread.

I'm not motivated to run in circles from you to Gert and back. if you can find someone more motivated, I'll appreciate that.

On Mon, 21 Feb 2022 at 17:02, Lev Stipakov wrote:
> Reply to both of them with the line (remove ">"):
>
> > Acked-by: Ilya Shipitsin
>
> if you think that you could ack both of those patches.
>
> On Mon, 21 Feb 2022 at 13:17, Илья Шипицин (chipits...@gmail.com) wrote:
> >
> > Lev, I see two new messages in this thread. Please clarify what do you
> > want me to do?
> >
> > On Mon, 21 Feb 2022 at 13:59, Lev Stipakov wrote:
> >>
> >> Let's start from the beginning.
> >>
> >> I'll start two new threads (master and 2.5) and Ilya could ack them.
> >>
> >> Ilya, to ack please reply on those threads with following line:
> >>
> >> Acked-by: Firstname Lastname
> >>
> >> On Sun, 20 Feb 2022 at 19:31, Gert Doering (g...@greenie.muc.de) wrote:
> >> >
> >> > Hi,
> >> >
> >> > On Sun, Feb 20, 2022 at 07:53:56PM +0500, Илья Шипицин wrote:
> >> > > There is ack from me earlier in this thread.
> >> >
> >> > "ACK in this thread" is not really helpful, as it is not clear for
> >> > which patch exactly this is.
> >> >
> >> > (You basically ACKed in response to v1 of the 2.5 patch, while we
> >> > have v2 for the master + 2.5 patch out)
> >> >
> >> > For me, to make clear which version of which patches an ACK refers
> >> > to, it is important that the reply is to the correct e-mail - you can
> >> > see in patchwork if your ACK has been recorded or not.
> >> >
> >> > https://patchwork.openvpn.net/project/openvpn2/list/
> >> >
> >> > gert
> >> > --
> >> > "If was one thing all people took for granted, was conviction that if you
> >> > feed honest figures into a computer, honest figures come out. Never doubted
> >> > it myself till I met a computer with a sense of humor."
> >> > Robert A. Heinlein, The Moon is a Harsh Mistress
> >> >
> >> > Gert Doering - Munich, Germany g...@greenie.muc.de
> >>
> >> --
> >> -Lev
>
> --
> -Lev
Re: [Openvpn-devel] [PATCH 2.5] msvc: adjust build options to harden binaries
Reply to both of them with the line (remove ">"):

> Acked-by: Ilya Shipitsin

if you think that you could ack both of those patches.

On Mon, 21 Feb 2022 at 13:17, Илья Шипицин (chipits...@gmail.com) wrote:
>
> Lev, I see two new messages in this thread. Please clarify what do you want
> me to do?
>
> On Mon, 21 Feb 2022 at 13:59, Lev Stipakov wrote:
>>
>> Let's start from the beginning.
>>
>> I'll start two new threads (master and 2.5) and Ilya could ack them.
>>
>> Ilya, to ack please reply on those threads with following line:
>>
>> Acked-by: Firstname Lastname
>>
>> On Sun, 20 Feb 2022 at 19:31, Gert Doering (g...@greenie.muc.de) wrote:
>> >
>> > Hi,
>> >
>> > On Sun, Feb 20, 2022 at 07:53:56PM +0500, Илья Шипицин wrote:
>> > > There is ack from me earlier in this thread.
>> >
>> > "ACK in this thread" is not really helpful, as it is not clear for
>> > which patch exactly this is.
>> >
>> > (You basically ACKed in response to v1 of the 2.5 patch, while we
>> > have v2 for the master + 2.5 patch out)
>> >
>> > For me, to make clear which version of which patches an ACK refers
>> > to, it is important that the reply is to the correct e-mail - you can
>> > see in patchwork if your ACK has been recorded or not.
>> >
>> > https://patchwork.openvpn.net/project/openvpn2/list/
>> >
>> > gert
>> > --
>> > "If was one thing all people took for granted, was conviction that if you
>> > feed honest figures into a computer, honest figures come out. Never
>> > doubted
>> > it myself till I met a computer with a sense of humor."
>> > Robert A. Heinlein, The Moon is a Harsh Mistress
>> >
>> > Gert Doering - Munich, Germany
>> > g...@greenie.muc.de
>>
>> --
>> -Lev

--
-Lev
[Openvpn-devel] [PATCH] doc: cleanup for --data-ciphers and related
- Fix various formatting inconsistencies - Explain what NCP means before using it. - Also replace some of the usages of NCP with the clearer "cipher negotiation". Signed-off-by: Frank Lichtenheld --- doc/man-sections/protocol-options.rst | 34 +-- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst index 1c6b1200..4af65983 100644 --- a/doc/man-sections/protocol-options.rst +++ b/doc/man-sections/protocol-options.rst @@ -73,7 +73,7 @@ configured in a compatible way between both the local and remote side. Starting with 2.6.0, this option is always ignored in TLS mode when it comes to configuring the cipher and will only control the cipher for ``--secret`` pre-shared-key mode (note: this mode is - deprecated strictly not recommended). + deprecated and strictly not recommended). If you wish to specify the cipher to use on the data channel, please see ``--data-ciphers`` (for regular negotiation) and @@ -87,8 +87,8 @@ configured in a compatible way between both the local and remote side. Set ``alg`` to :code:`none` to disable encryption. --compress algorithm - **DEPRECATED** Enable a compression algorithm. Compression is generally - not recommended. VPN tunnels which use compression are susceptible to + **DEPRECATED** Enable a compression algorithm. Compression is generally + not recommended. VPN tunnels which use compression are susceptible to the VORALCE attack vector. See also the :code:`migrate` parameter below. The ``algorithm`` parameter may be :code:`lzo`, :code:`lz4`, 
@@ -191,7 +191,8 @@ configured in a compatible way between both the local and remote side. For servers, the first cipher from ``cipher-list`` that is also supported by the client will be pushed to clients that support cipher - negotiation. + negotiation. (That feature is also called ``Negotiable crypto parameters`` + or ``NCP`` for short). Starting with OpenVPN 2.6 a cipher can be prefixed with a :code:`?` to mark it as optional. This allows including ciphers in the list that may not be 
@@ -201,25 +202,25 @@ configured in a compatible way between both the local and remote side. supports it. Cipher negotiation is enabled in client-server mode only. I.e. if - ``--mode`` is set to 'server' (server-side, implied by setting + ``--mode`` is set to `server` (server-side, implied by setting ``--server`` ), or if ``--pull`` is specified (client-side, implied by - setting --client). + setting ``--client``). If no common cipher is found during cipher negotiation, the connection is terminated. To support old clients/old servers that do not provide any cipher negotiation support see ``--data-ciphers-fallback``. - Additionally, to allow for more smooth transition, if NCP is enabled, + Additionally, to allow for more smooth transition, if ciper negotiation is enabled, OpenVPN will inherit the cipher of the peer if that cipher is different from the local ``--cipher`` setting, but the peer cipher is one of the ciphers specified in ``--data-ciphers``. E.g. a non-NCP client (<=v2.3, - or with --ncp-disabled set) connecting to a NCP server (v2.4+) with + or 2.4/2.5 with ``--ncp-disabled`` set) connecting to a NCP server (v2.4+) with ``--cipher BF-CBC`` and ``--data-ciphers AES-256-GCM:AES-256-CBC`` set can either specify ``--cipher BF-CBC`` or ``--cipher AES-256-CBC`` and both will work. - Note for using NCP with an OpenVPN 2.4 peer: This list must include the - :code:`AES-256-GCM` and :code:`AES-128-GCM` ciphers. + Note for using cipher negoatiation with an OpenVPN 2.4 peer: This list must + include the :code:`AES-256-GCM` and :code:`AES-128-GCM` ciphers. This list is restricted to be 127 chars long after conversion to OpenVPN ciphers. 
@@ -228,14 +229,13 @@ configured in a compatible way between both the local and remote side. to ``--data-ciphers`` in OpenVPN 2.5 to more accurately reflect its meaning. --data-ciphers-fallback alg + Configure a cipher that is used to fall back to if we could not determine + which cipher the peer is willing to use. -Configure a cipher that is used to fall back to if we could not determine -which cipher the peer is willing to use. - -This option should only be needed to -connect to peers that are running OpenVPN 2.3 and older version, and -have been configured with `--enable-small` -(typically used on routers or other embedded devices). + This option should only be needed to + connect to peers that are running OpenVPN 2.3 or older versions, and + have been configured with ``--enable-small`` + (typically used on routers or other embedded devices). --secret args **DEPRECATED** Enable Static Key encryption mode (non-TLS). Use pre-shared secret -- 2.30.2 ___ Openvpn-devel mailing list
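Review bot: In the ``--compress`` hunk (@@ -87) the changed lines only fix trailing whitespace, while the unchanged context line right below them still reads `the VORALCE attack vector`; the attack on compressed VPN traffic is spelled VORACLE. Since this cleanup patch is about the wording of exactly this paragraph, correcting that spelling in the same hunk would be in scope.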
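Review bot: Two typos land in the added lines of the @@ -201 hunk: `if ciper negotiation is enabled` and `Note for using cipher negoatiation with an OpenVPN 2.4 peer`; both should read `cipher negotiation`. In the same hunk, `'server'` is replaced by single-backtick `server`, which in reStructuredText is interpreted text (the default role) rather than a literal; the neighbouring lines use double backticks for option values (``--client`` one line later), so ``server`` would be consistent. Minor: `a NCP server` reads better as `an NCP server`.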
Re: [Openvpn-devel] [PATCH 2.5] msvc: adjust build options to harden binaries
Lev, I see two new messages in this thread. Please clarify what do you want me to do?

On Mon, 21 Feb 2022 at 13:59, Lev Stipakov wrote:
> Let's start from the beginning.
>
> I'll start two new threads (master and 2.5) and Ilya could ack them.
>
> Ilya, to ack please reply on those threads with following line:
>
> Acked-by: Firstname Lastname
>
> On Sun, 20 Feb 2022 at 19:31, Gert Doering (g...@greenie.muc.de) wrote:
> >
> > Hi,
> >
> > On Sun, Feb 20, 2022 at 07:53:56PM +0500, Илья Шипицин wrote:
> > > There is ack from me earlier in this thread.
> >
> > "ACK in this thread" is not really helpful, as it is not clear for
> > which patch exactly this is.
> >
> > (You basically ACKed in response to v1 of the 2.5 patch, while we
> > have v2 for the master + 2.5 patch out)
> >
> > For me, to make clear which version of which patches an ACK refers
> > to, it is important that the reply is to the correct e-mail - you can
> > see in patchwork if your ACK has been recorded or not.
> >
> > https://patchwork.openvpn.net/project/openvpn2/list/
> >
> > gert
> > --
> > "If was one thing all people took for granted, was conviction that if you
> > feed honest figures into a computer, honest figures come out. Never
> > doubted
> > it myself till I met a computer with a sense of humor."
> > Robert A. Heinlein, The Moon is a Harsh Mistress
> >
> > Gert Doering - Munich, Germany
> > g...@greenie.muc.de
>
> --
> -Lev
[Openvpn-devel] [PATCH v2 release/2.5] msvc: adjust build options to harden binaries
From: Lev Stipakov - enable hardware-enforced stack protection on compatible hardware/software (/CETCOMPAT linker option) - hash object files with SHA256 (/ZH:SHA_256 compiler option) - enable SDL. The required to add _CRT_NONSTDC_NO_DEPRECATE _CRT_SECURE_NO_WARNINGS _WINSOCK_DEPRECATED_NO_WARNINGS preprocessor definitions. I don't feel like replacing strdup (which is correct POSIX function) and inet_ntoa (we always pass IPv4 address to it, inet_ntop will make code more complex) Above issues were discovered by bitskim. Before applying this patch, this one must be applied from master: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21774.html Signed-off-by: Lev Stipakov --- v2: - rebase on top of latest release/2.5 - add SDL checks to all configurations src/openvpn/auth_token.c | 1 + src/openvpn/openvpn.vcxproj | 38 +-- src/openvpnmsica/openvpnmsica.vcxproj | 48 src/openvpnserv/openvpnserv.vcxproj | 26 ++--- src/tapctl/tapctl.vcxproj | 54 --- 5 files changed, 143 insertions(+), 24 deletions(-) diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index ca7e5a4d..37af6605 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -87,6 +87,7 @@ add_session_token_env(struct tls_session *session, struct tls_multi *multi, default: /* Silence compiler warning, all four possible combinations are covered */ +state = NULL; ASSERT(0); } } diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj index 91d5ebbe..05c63b03 100644 --- a/src/openvpn/openvpn.vcxproj +++ b/src/openvpn/openvpn.vcxproj @@ -147,11 +147,13 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true 
@@ -162,11 +164,13 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true @@ -177,11 +181,13 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true 
@@ -192,44 +198,52 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) Guard + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true Ncrypt.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;setupapi.lib;Advapi32.lib $(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories) Console + true - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) Guard + true + Level2 + /ZH:SHA_256 %(AdditionalOptions) Ncrypt.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;setupapi.lib;Advapi32.lib $(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories) Console + true - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) Guard + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true diff --git a/src/openvpnmsica/openvpnmsica.vcxproj b/src/openvpnmsica/openvpnmsica.vcxproj index 11aa78bb..3a9f0c97 100644 --- a/src/openvpnmsica/openvpnmsica.vcxproj +++ b/src/openvpnmsica/openvpnmsica.vcxproj @@
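Review bot: The vcxproj hunks add `_CRT_NONSTDC_NO_DEPRECATE`, `_CRT_SECURE_NO_WARNINGS` and `_WINSOCK_DEPRECATED_NO_WARNINGS` to every configuration's preprocessor definitions, which silences the deprecated/insecure-CRT diagnostics (C4996) for the whole project rather than only for the `strdup` and `inet_ntoa` uses the commit message decides to keep. That mutes the very class of findings SDL is being switched on to surface in these same hunks, so new unsafe-CRT or deprecated-Winsock uses will not be flagged in future either. A narrower option is to drop the defines and put `#pragma warning(suppress: 4996)` in front of the intentional call sites; if project-wide suppression is the intended trade-off, the commit message should say so.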
[Openvpn-devel] [PATCH v2] msvc: adjust build options to harden binaries
From: Lev Stipakov - enable hardware-enforced stack protection on compatible hardware/software (/CETCOMPAT linker option) - hash object files with SHA256 (/ZH:SHA_256 compiler option) - enable SDL. The required to add _CRT_NONSTDC_NO_DEPRECATE _CRT_SECURE_NO_WARNINGS _WINSOCK_DEPRECATED_NO_WARNINGS preprocessor definitions. I don't feel like replacing strdup (which is correct POSIX function) and inet_ntoa (we always pass IPv4 address to it, inet_ntop will make code more complex) Above issues were discovered by bitskim. Signed-off-by: Lev Stipakov --- v2: - rebase on top of latest master - mute ossl3 deprecation warnings treated as errors by msvc - add SDL checks to all configurations src/openvpn/crypto_openssl.c | 5 +++ src/openvpn/openvpn.vcxproj | 44 +++- src/openvpn/openvpn.vcxproj.filters | 9 + src/openvpnmsica/openvpnmsica.vcxproj | 42 +++ src/openvpnserv/openvpnserv.vcxproj | 14 src/tapctl/tapctl.vcxproj | 48 +++ 6 files changed, 141 insertions(+), 21 deletions(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 8bc41792..e84b33f1 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -62,6 +62,11 @@ #error Windows build with OPENSSL_NO_EC: disabling EC key is not supported. #endif +#ifdef _MSC_VER +/* mute ossl3 deprecation warnings treated as errors in msvc */ +#pragma warning(disable: 4996) +#endif + /* * Check for key size creepage. */ diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj index 56fdf520..1d32c41f 100644 --- a/src/openvpn/openvpn.vcxproj +++ b/src/openvpn/openvpn.vcxproj @@ -147,11 +147,13 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true 
@@ -162,11 +164,13 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true @@ -177,11 +181,13 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true 
@@ -192,44 +198,52 @@ - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) Guard + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true Ncrypt.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;setupapi.lib;Advapi32.lib $(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories) Console + true - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) Guard + true + Level2 + /ZH:SHA_256 %(AdditionalOptions) Ncrypt.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;setupapi.lib;Advapi32.lib $(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories) Console + true - _CONSOLE;%(PreprocessorDefinitions) + _CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;_CONSOLE;%(PreprocessorDefinitions) %(UndefinePreprocessorDefinitions) - Level2 true ..\compat;%(AdditionalIncludeDirectories) Guard + Level2 + /ZH:SHA_256 %(AdditionalOptions) + true @@ -316,8 +330,8 @@ - - + + @@ -409,7 +423,7 @@ - + diff --git a/src/openvpn/openvpn.vcxproj.filters b/src/openvpn/openvpn.vcxproj.filters index f5fdfcd7..4cf0bb00
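Review bot: The crypto_openssl.c hunk disables C4996 for the entire translation unit (`#pragma warning(disable: 4996)`), which also hides the unsafe-CRT and deprecated-POSIX-name warnings in that file, i.e. the findings this series enables SDL to report. The comment says the intent is OpenSSL 3 deprecation only; defining `OPENSSL_SUPPRESS_DEPRECATED` before the OpenSSL includes, or bracketing the affected calls with `#pragma warning(push)` / `#pragma warning(pop)`, would limit the suppression to what the comment describes.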
Re: [Openvpn-devel] [PATCH master+release/2.5] error.c: use correct API to get error description on Windows
We had a long discussion with ordex about this patch and came to the conclusion that error printing is currently broken on Windows and needs proper fixing.

Why is it broken?

- the bug that my patch fixes - we use Windows's GetLastError to get Windows last error code and with that strerror to get C runtime error description

- we have code which uses M_ERRNO to get description of C runtime errors, for example

    int fd = platform_open(filename, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR);
    if (fd == -1)
    {
        msg(M_ERRNO, "Cannot open file '%s' for write", filename);
        return false;
    }

  but this doesn't really work, because msg(M_ERRNO) uses GetLastError on Windows to get error code, and C runtime (in above case it is _wopen) doesn't set the WinAPI's last error code.

- we have code which uses M_ERRNO to print description of socket errors

    const ssize_t size = send(sd, buf, strlen(buf), MSG_NOSIGNAL);
    if (size != (ssize_t) strlen(buf))
    {
        msg(D_LINK_ERRORS | M_ERRNO, "send_line: TCP port write failed on send()");
        return false;
    }

  but in this case we should use WSAGetLastError on Windows and errno on other platforms.

What we propose:

- M_ERRNO prints only C runtime errors on all platforms and should be only used with C runtime functions
- We add M_WINERR which uses GetLastError and FormatMessage to print Windows errors
- We add M_SOCKERR, which is resolved into M_ERRNO on all platforms except Windows and on Windows it is M_WSAERR. We use WSAGetLastError and FormatMessage to print WSA errors. Socket functions use M_SOCKERR.

-Lev
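An added example (not OpenVPN's own code) of the split proposed above: one helper that reads errno, GetLastError() or WSAGetLastError() depending on which source the call site names, so a C runtime failure and a socket failure are each reported from the right error domain. The names M_ERRNO, M_WINERR and M_SOCKERR follow the message; describe_error and the two demo call sites, with their constructed file path, are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#include <windows.h>
#else
#include <sys/socket.h>
#endif

/* Which error source a call site is reporting. Each flag maps to exactly one
 * platform error domain, so a msg()-style helper never reads the wrong one. */
enum err_source {
    M_ERRNO   = 1,   /* C runtime: errno + strerror() on every platform        */
    M_WINERR  = 2,   /* Win32 API: GetLastError() + FormatMessage()            */
    M_SOCKERR = 3    /* sockets: errno on POSIX, WSAGetLastError() on Windows  */
};

/* Write "<text> (code=N)" for the chosen source into buf; returns the code. */
static long describe_error(enum err_source src, char *buf, size_t buflen)
{
    char text[256];
    long code = -1;

    switch (src) {
    case M_ERRNO:
        code = errno;
        snprintf(text, sizeof(text), "%s", strerror((int)code));
        break;
#ifdef _WIN32
    case M_WINERR:
    case M_SOCKERR: {
        DWORD e = (src == M_WINERR) ? GetLastError() : (DWORD)WSAGetLastError();
        DWORD n = FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
                                 NULL, e, 0, text, (DWORD)sizeof(text), NULL);
        while (n > 0 && (text[n - 1] == '\r' || text[n - 1] == '\n')) {
            text[--n] = '\0';       /* FormatMessage appends a line break */
        }
        if (n == 0) {
            snprintf(text, sizeof(text), "unknown Windows error");
        }
        code = (long)e;
        break;
    }
#else
    case M_SOCKERR:                 /* POSIX sockets report through errno */
        code = errno;
        snprintf(text, sizeof(text), "%s", strerror((int)code));
        break;
    case M_WINERR:                  /* no Win32 error domain here: flag the misuse */
        snprintf(text, sizeof(text), "M_WINERR used on a non-Windows platform");
        break;
#endif
    default:
        snprintf(text, sizeof(text), "unknown error source %d", (int)src);
        break;
    }
    snprintf(buf, buflen, "%s (code=%ld)", text, code);
    return code;
}

/* First call site from the message: a C runtime open of a path that does
 * not exist (constructed), reported through M_ERRNO. */
static long demo_open_failure(char *buf, size_t buflen)
{
    FILE *f = fopen("/nonexistent-dir-for-this-example/file", "r");
    if (f != NULL) {
        fclose(f);
        return 0;
    }
    return describe_error(M_ERRNO, buf, buflen);       /* ENOENT */
}

/* Second call site: send() on an invalid socket, reported through M_SOCKERR
 * so Windows reads WSAGetLastError() and POSIX reads errno. */
static long demo_send_failure(char *buf, size_t buflen)
{
    const char line[] = "hello\n";
#ifdef _WIN32
    if (send(INVALID_SOCKET, line, (int)(sizeof(line) - 1), 0) == SOCKET_ERROR) {
#else
    if (send(-1, line, sizeof(line) - 1, 0) < 0) {
#endif
        return describe_error(M_SOCKERR, buf, buflen);  /* EBADF on POSIX */
    }
    return 0;
}

int main(void)
{
    char buf[320];
    demo_open_failure(buf, sizeof(buf));
    printf("Cannot open file for write: %s\n", buf);
    demo_send_failure(buf, sizeof(buf));
    printf("send_line: TCP port write failed on send(): %s\n", buf);
    return 0;
}
```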
Re: [Openvpn-devel] [PATCH 2.5] msvc: adjust build options to harden binaries
Let's start from the beginning.

I'll start two new threads (master and 2.5) and Ilya could ack them.

Ilya, to ack please reply on those threads with following line:

Acked-by: Firstname Lastname

On Sun, 20 Feb 2022 at 19:31, Gert Doering (g...@greenie.muc.de) wrote:
>
> Hi,
>
> On Sun, Feb 20, 2022 at 07:53:56PM +0500, Илья Шипицин wrote:
> > There is ack from me earlier in this thread.
>
> "ACK in this thread" is not really helpful, as it is not clear for
> which patch exactly this is.
>
> (You basically ACKed in response to v1 of the 2.5 patch, while we
> have v2 for the master + 2.5 patch out)
>
> For me, to make clear which version of which patches an ACK refers
> to, it is important that the reply is to the correct e-mail - you can
> see in patchwork if your ACK has been recorded or not.
>
> https://patchwork.openvpn.net/project/openvpn2/list/
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de

--
-Lev
Re: [Openvpn-devel] [PATCH applied] Re: CI: github actions: keep pdb in artifacts
Hi,

On Sat, Sep 11, 2021 at 06:50:31PM +0200, Gert Doering wrote:
> SoB added, no further tests.
>
> Your patch has been applied to the master branch.
>
> commit 9da733751ce80b2226ef19923365bd3102cfbd47
> Author: Ilya Shipitsin
> Date: Thu Aug 26 15:02:21 2021 +0500

As requested by Lev, also applied to release/2.5

commit fb3661e6690bc2a32b8a35e2451bf256f3a429ee (HEAD -> release/2.5)
Author: Ilya Shipitsin
Date: Thu Aug 26 15:02:21 2021 +0500

    CI: github actions: keep "pdb" in artifacts

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de