• R/O
  • HTTP
  • SSH
  • HTTPS

ffftp: Commit

FFFTPのソースコードです。


Commit MetaInfo

Revisioneef4ae2ad7b2cdb7ecc41cef07749a89c50e6bb2 (tree)
Time2014-04-09 01:17:59
Authors_kawamoto <s_kawamoto@user...>
Commiters_kawamoto

Log Message

Update OpenSSL to 1.0.1g.

Change Summary

Incremental Difference

Binary files a/FFFTP_Eng_Release/FFFTP.exe and b/FFFTP_Eng_Release/FFFTP.exe differ
Binary files a/Release/FFFTP.exe and b/Release/FFFTP.exe differ
Binary files a/contrib/openssl/bin/libeay32.dll and b/contrib/openssl/bin/libeay32.dll differ
Binary files a/contrib/openssl/bin/libssl32.dll and b/contrib/openssl/bin/libssl32.dll differ
Binary files a/contrib/openssl/bin/ssleay32.dll and b/contrib/openssl/bin/ssleay32.dll differ
--- a/contrib/openssl/changes.txt
+++ b/contrib/openssl/changes.txt
@@ -2,6 +2,35 @@
22 OpenSSL CHANGES
33 _______________
44
5+ Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
6+
7+ *) A missing bounds check in the handling of the TLS heartbeat extension
8+ can be used to reveal up to 64k of memory to a connected client or
9+ server.
10+
11+ Thanks for Neel Mehta of Google Security for discovering this bug and to
12+ Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
13+ preparing the fix (CVE-2014-0160)
14+ [Adam Langley, Bodo Moeller]
15+
16+ *) Fix for the attack described in the paper "Recovering OpenSSL
17+ ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
18+ by Yuval Yarom and Naomi Benger. Details can be obtained from:
19+ http://eprint.iacr.org/2014/140
20+
21+ Thanks to Yuval Yarom and Naomi Benger for discovering this
22+ flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
23+ [Yuval Yarom and Naomi Benger]
24+
25+ *) TLS pad extension: draft-agl-tls-padding-03
26+
27+ Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
28+ TLS client Hello record length value would otherwise be > 255 and
29+ less that 512 pad with a dummy extension containing zeroes so it
30+ is at least 512 bytes long.
31+
32+ [Adam Langley, Steve Henson]
33+
534 Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
635
736 *) Fix for TLS record tampering bug. A carefully crafted invalid
--- a/contrib/openssl/faq.txt
+++ b/contrib/openssl/faq.txt
@@ -768,6 +768,9 @@ openssl-security@openssl.org if you don't get a prompt reply at least
768768 acknowledging receipt then resend or mail it directly to one of the
769769 more active team members (e.g. Steve).
770770
771+Note that bugs only present in the openssl utility are not in general
772+considered to be security issues.
773+
771774 [PROG] ========================================================================
772775
773776 * Is OpenSSL thread-safe?
--- a/contrib/openssl/include/openssl/bn.h
+++ b/contrib/openssl/include/openssl/bn.h
@@ -538,6 +538,8 @@ BIGNUM *BN_mod_inverse(BIGNUM *ret,
538538 BIGNUM *BN_mod_sqrt(BIGNUM *ret,
539539 const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
540540
541+void BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords);
542+
541543 /* Deprecated versions */
542544 #ifndef OPENSSL_NO_DEPRECATED
543545 BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,
@@ -774,11 +776,20 @@ int RAND_pseudo_bytes(unsigned char *buf,int num);
774776
775777 #define bn_fix_top(a) bn_check_top(a)
776778
779+#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2)
780+#define bn_wcheck_size(bn, words) \
781+ do { \
782+ const BIGNUM *_bnum2 = (bn); \
783+ assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \
784+ } while(0)
785+
777786 #else /* !BN_DEBUG */
778787
779788 #define bn_pollute(a)
780789 #define bn_check_top(a)
781790 #define bn_fix_top(a) bn_correct_top(a)
791+#define bn_check_size(bn, bits)
792+#define bn_wcheck_size(bn, words)
782793
783794 #endif
784795
--- a/contrib/openssl/include/openssl/kssl.h
+++ b/contrib/openssl/include/openssl/kssl.h
@@ -70,6 +70,15 @@
7070 #include <stdio.h>
7171 #include <ctype.h>
7272 #include <krb5.h>
73+#ifdef OPENSSL_SYS_WIN32
74+/* These can sometimes get redefined indirectly by krb5 header files
75+ * after they get undefed in ossl_typ.h
76+ */
77+#undef X509_NAME
78+#undef X509_EXTENSIONS
79+#undef OCSP_REQUEST
80+#undef OCSP_RESPONSE
81+#endif
7382
7483 #ifdef __cplusplus
7584 extern "C" {
--- a/contrib/openssl/include/openssl/opensslv.h
+++ b/contrib/openssl/include/openssl/opensslv.h
@@ -25,11 +25,11 @@
2525 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
2626 * major minor fix final patch/beta)
2727 */
28-#define OPENSSL_VERSION_NUMBER 0x1000106fL
28+#define OPENSSL_VERSION_NUMBER 0x1000107fL
2929 #ifdef OPENSSL_FIPS
30-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1f-fips 6 Jan 2014"
30+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1g-fips 7 Apr 2014"
3131 #else
32-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1f 6 Jan 2014"
32+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1g 7 Apr 2014"
3333 #endif
3434 #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
3535
--- a/contrib/openssl/include/openssl/ssl.h
+++ b/contrib/openssl/include/openssl/ssl.h
@@ -915,7 +915,7 @@ struct ssl_ctx_st
915915 */
916916 unsigned int max_send_fragment;
917917
918-#ifndef OPENSSL_ENGINE
918+#ifndef OPENSSL_NO_ENGINE
919919 /* Engine to pass requests for client certs to
920920 */
921921 ENGINE *client_cert_engine;
--- a/contrib/openssl/include/openssl/symhacks.h
+++ b/contrib/openssl/include/openssl/symhacks.h
@@ -204,6 +204,12 @@
204204 #define SSL_CTX_set_next_protos_advertised_cb SSL_CTX_set_next_protos_adv_cb
205205 #undef SSL_CTX_set_next_proto_select_cb
206206 #define SSL_CTX_set_next_proto_select_cb SSL_CTX_set_next_proto_sel_cb
207+#undef ssl3_cbc_record_digest_supported
208+#define ssl3_cbc_record_digest_supported ssl3_cbc_record_digest_support
209+#undef ssl_check_clienthello_tlsext_late
210+#define ssl_check_clienthello_tlsext_late ssl_check_clihello_tlsext_late
211+#undef ssl_check_clienthello_tlsext_early
212+#define ssl_check_clienthello_tlsext_early ssl_check_clihello_tlsext_early
207213
208214 /* Hack some long ENGINE names */
209215 #undef ENGINE_get_default_BN_mod_exp_crt
--- a/contrib/openssl/include/openssl/tls1.h
+++ b/contrib/openssl/include/openssl/tls1.h
@@ -230,6 +230,12 @@ extern "C" {
230230 /* ExtensionType value from RFC5620 */
231231 #define TLSEXT_TYPE_heartbeat 15
232232
233+/* ExtensionType value for TLS padding extension.
234+ * http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
235+ * http://tools.ietf.org/html/draft-agl-tls-padding-03
236+ */
237+#define TLSEXT_TYPE_padding 21
238+
233239 /* ExtensionType value from RFC4507 */
234240 #define TLSEXT_TYPE_session_ticket 35
235241
--- a/contrib/openssl/news.txt
+++ b/contrib/openssl/news.txt
@@ -5,8 +5,15 @@
55 This file gives a brief overview of the major changes between each OpenSSL
66 release. For more details please read the CHANGES file.
77
8+ Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]
9+
10+ o Fix for CVE-2014-0160
11+ o Add TLS padding extension workaround for broken servers.
12+ o Fix for CVE-2014-0076
13+
814 Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014]
915
16+ o Don't include gmt_unix_time in TLS server and client random values
1017 o Fix for TLS record tampering bug CVE-2013-4353
1118 o Fix for TLS version checking bug CVE-2013-6449
1219 o Fix for DTLS retransmission bug CVE-2013-6450
--- a/contrib/openssl/readme.txt
+++ b/contrib/openssl/readme.txt
@@ -1,5 +1,5 @@
11
2- OpenSSL 1.0.1f 6 Jan 2014
2+ OpenSSL 1.0.1g 7 Apr 2014
33
44 Copyright (c) 1998-2011 The OpenSSL Project
55 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
Binary files a/dist/libeay32.dll and b/dist/libeay32.dll differ
Binary files a/dist/ssleay32.dll and b/dist/ssleay32.dll differ
--- a/socketwrapper.c
+++ b/socketwrapper.c
@@ -116,10 +116,10 @@ BOOL LoadOpenSSL()
116116 return FALSE;
117117 #ifdef ENABLE_PROCESS_PROTECTION
118118 // 同梱するOpenSSLのバージョンに合わせてSHA1ハッシュ値を変更すること
119- // ssleay32.dll 1.0.1f
120- RegisterTrustedModuleSHA1Hash("\x16\xFA\xD2\x39\x74\x27\xE4\x07\xCB\xF5\x1A\xF1\xC3\xCD\x1C\xBB\xFC\xD0\xFC\x40");
121- // libeay32.dll 1.0.1f
122- RegisterTrustedModuleSHA1Hash("\xA6\x2D\x10\xF8\x2A\xB9\xEF\x95\xC3\xF7\x0B\xE0\xD1\xCB\x1C\x9B\x0A\x99\x42\x1F");
119+ // ssleay32.dll 1.0.1g
120+ RegisterTrustedModuleSHA1Hash("\xCB\xBA\x62\x61\x3C\x44\x1E\x94\xD2\xF4\xAD\xD5\x03\x43\x6F\x26\xD2\xAF\x2F\x21");
121+ // libeay32.dll 1.0.1g
122+ RegisterTrustedModuleSHA1Hash("\x4E\x53\x29\xC4\x32\x1B\x17\xA5\x4D\x40\xDF\x6F\xF6\xD2\x53\x7E\xBC\x54\x69\x1B");
123123 #endif
124124 g_hOpenSSL = LoadLibrary("ssleay32.dll");
125125 // バージョン固定のためlibssl32.dllの読み込みは脆弱性の原因になり得るので廃止
Show on old repository browser