Loweynet
Revision | 2da77525e96cf18d2fb43fca7acfa301a66bc541 (tree) |
---|---|
Time | 2016-01-30 17:07:29 |
Author | s_kawamoto <s_kawamoto@user...> |
Committer | s_kawamoto |
Update OpenSSL to 1.0.2f.
@@ -81,7 +81,7 @@ | ||
81 | 81 | // ソフトウェア自動更新 |
82 | 82 | // リリースバージョンはリリース予定年(10進数4桁)+月(2桁)+日(2桁)+通し番号(0スタート2桁)とする |
83 | 83 | // 2014年7月31日中の30個目のリリースは2014073129 |
84 | -#define RELEASE_VERSION_NUM 2016012300 /* リリースバージョン */ | |
84 | +#define RELEASE_VERSION_NUM 2016013000 /* リリースバージョン */ | |
85 | 85 | |
86 | 86 | |
87 | 87 | // SourceForge.JPによるフォーク |
@@ -2,6 +2,54 @@ | ||
2 | 2 | OpenSSL CHANGES |
3 | 3 | _______________ |
4 | 4 | |
5 | + Changes between 1.0.2e and 1.0.2f [28 Jan 2016] | |
6 | + | |
7 | + *) DH small subgroups | |
8 | + | |
9 | + Historically OpenSSL only ever generated DH parameters based on "safe" | |
10 | + primes. More recently (in version 1.0.2) support was provided for | |
11 | + generating X9.42 style parameter files such as those required for RFC 5114 | |
12 | + support. The primes used in such files may not be "safe". Where an | |
13 | + application is using DH configured with parameters based on primes that are | |
14 | + not "safe" then an attacker could use this fact to find a peer's private | |
15 | + DH exponent. This attack requires that the attacker complete multiple | |
16 | + handshakes in which the peer uses the same private DH exponent. For example | |
17 | + this could be used to discover a TLS server's private DH exponent if it's | |
18 | + reusing the private DH exponent or it's using a static DH ciphersuite. | |
19 | + | |
20 | + OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in | |
21 | + TLS. It is not on by default. If the option is not set then the server | |
22 | + reuses the same private DH exponent for the life of the server process and | |
23 | + would be vulnerable to this attack. It is believed that many popular | |
24 | + applications do set this option and would therefore not be at risk. | |
25 | + | |
26 | + The fix for this issue adds an additional check where a "q" parameter is | |
27 | + available (as is the case in X9.42 based parameters). This detects the | |
28 | + only known attack, and is the only possible defense for static DH | |
29 | + ciphersuites. This could have some performance impact. | |
30 | + | |
31 | + Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by | |
32 | + default and cannot be disabled. This could have some performance impact. | |
33 | + | |
34 | + This issue was reported to OpenSSL by Antonio Sanso (Adobe). | |
35 | + (CVE-2016-0701) | |
36 | + [Matt Caswell] | |
37 | + | |
38 | + *) SSLv2 doesn't block disabled ciphers | |
39 | + | |
40 | + A malicious client can negotiate SSLv2 ciphers that have been disabled on | |
41 | + the server and complete SSLv2 handshakes even if all SSLv2 ciphers have | |
42 | + been disabled, provided that the SSLv2 protocol was not also disabled via | |
43 | + SSL_OP_NO_SSLv2. | |
44 | + | |
45 | + This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram | |
46 | + and Sebastian Schinzel. | |
47 | + (CVE-2015-3197) | |
48 | + [Viktor Dukhovni] | |
49 | + | |
50 | + *) Reject DH handshakes with parameters shorter than 1024 bits. | |
51 | + [Kurt Roeckx] | |
52 | + | |
5 | 53 | Changes between 1.0.2d and 1.0.2e [3 Dec 2015] |
6 | 54 | |
7 | 55 | *) BN_mod_exp may produce incorrect results on x86_64 |
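Review bot: The CHANGES entry at new lines 50-51 ("Reject DH handshakes with parameters shorter than 1024 bits") is a behaviour change for this application, not only a library fix: handshakes with peers that offer smaller DH groups will be rejected after this update. The commit message says only "Update OpenSSL to 1.0.2f", so I suggest the release notes for 2016013000 mention the DH minimum together with CVE-2016-0701 and CVE-2015-3197, so that users can tell an intentional handshake rejection from a regression.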
@@ -12,7 +12,7 @@ | ||
12 | 12 | --------------- |
13 | 13 | |
14 | 14 | /* ==================================================================== |
15 | - * Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved. | |
15 | + * Copyright (c) 1998-2016 The OpenSSL Project. All rights reserved. | |
16 | 16 | * |
17 | 17 | * Redistribution and use in source and binary forms, with or without |
18 | 18 | * modification, are permitted provided that the following conditions |
@@ -5,6 +5,11 @@ | ||
5 | 5 | This file gives a brief overview of the major changes between each OpenSSL |
6 | 6 | release. For more details please read the CHANGES file. |
7 | 7 | |
8 | + Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016] | |
9 | + | |
10 | + o DH small subgroups (CVE-2016-0701) | |
11 | + o SSLv2 doesn't block disabled ciphers (CVE-2015-3197) | |
12 | + | |
8 | 13 | Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015] |
9 | 14 | |
10 | 15 | o BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193) |
@@ -1,5 +1,5 @@ | ||
1 | 1 | |
2 | - OpenSSL 1.0.2e 3 Dec 2015 | |
2 | + OpenSSL 1.0.2f 28 Jan 2016 | |
3 | 3 | |
4 | 4 | Copyright (c) 1998-2015 The OpenSSL Project |
5 | 5 | Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson |
@@ -90,11 +90,12 @@ | ||
90 | 90 | |
91 | 91 | In order to avoid spam, this is a moderated mailing list, and it might |
92 | 92 | take a day for the ticket to show up. (We also scan posts to make sure |
93 | - that security disclosures aren't publically posted by mistake.) Mail to | |
94 | - this address is recorded in the public RT (request tracker) database (see | |
95 | - https://www.openssl.org/support/rt.html for details) and also forwarded | |
96 | - the public openssl-dev mailing list. Confidential mail may be sent to | |
97 | - openssl-security@openssl.org (PGP key available from the key servers). | |
93 | + that security disclosures aren't publically posted by mistake.) Mail | |
94 | + to this address is recorded in the public RT (request tracker) database | |
95 | + (see https://www.openssl.org/community/index.html#bugs for details) and | |
96 | + also forwarded the public openssl-dev mailing list. Confidential mail | |
97 | + may be sent to openssl-security@openssl.org (PGP key available from the | |
98 | + key servers). | |
98 | 99 | |
99 | 100 | Please do NOT use this for general assistance or support queries. |
100 | 101 | Just because something doesn't work the way you expect does not mean it |
@@ -1,4 +1,4 @@ | ||
1 | -/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */ | |
1 | +/* crypto/aes/aes.h */ | |
2 | 2 | /* ==================================================================== |
3 | 3 | * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. |
4 | 4 | * |
@@ -479,11 +479,11 @@ struct bio_dgram_sctp_prinfo { | ||
479 | 479 | # define BIO_get_conn_hostname(b) BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0) |
480 | 480 | # define BIO_get_conn_port(b) BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1) |
481 | 481 | # define BIO_get_conn_ip(b) BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2) |
482 | -# define BIO_get_conn_int_port(b) BIO_int_ctrl(b,BIO_C_GET_CONNECT,3,0) | |
482 | +# define BIO_get_conn_int_port(b) BIO_ctrl(b,BIO_C_GET_CONNECT,3,0,NULL) | |
483 | 483 | |
484 | 484 | # define BIO_set_nbio(b,n) BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL) |
485 | 485 | |
486 | -/* BIO_s_accept_socket() */ | |
486 | +/* BIO_s_accept() */ | |
487 | 487 | # define BIO_set_accept_port(b,name) BIO_ctrl(b,BIO_C_SET_ACCEPT,0,(char *)name) |
488 | 488 | # define BIO_get_accept_port(b) BIO_ptr_ctrl(b,BIO_C_GET_ACCEPT,0) |
489 | 489 | /* #define BIO_set_nbio(b,n) BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL) */ |
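Review bot: On new line 482, BIO_get_conn_int_port now expands to BIO_ctrl(b,BIO_C_GET_CONNECT,3,0,NULL), which passes five arguments, while every other BIO_ctrl use in this hunk (BIO_set_nbio, BIO_set_accept_port) passes four. If the prototype takes four, any caller of this macro will fail to compile. Because the header is vendored, please confirm that nothing in this tree uses BIO_get_conn_int_port, and take a corrected definition from upstream rather than patching it locally.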
@@ -496,6 +496,7 @@ struct bio_dgram_sctp_prinfo { | ||
496 | 496 | # define BIO_set_bind_mode(b,mode) BIO_ctrl(b,BIO_C_SET_BIND_MODE,mode,NULL) |
497 | 497 | # define BIO_get_bind_mode(b,mode) BIO_ctrl(b,BIO_C_GET_BIND_MODE,0,NULL) |
498 | 498 | |
499 | +/* BIO_s_accept() and BIO_s_connect() */ | |
499 | 500 | # define BIO_do_connect(b) BIO_do_handshake(b) |
500 | 501 | # define BIO_do_accept(b) BIO_do_handshake(b) |
501 | 502 | # define BIO_do_handshake(b) BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL) |
@@ -515,12 +516,15 @@ struct bio_dgram_sctp_prinfo { | ||
515 | 516 | # define BIO_get_url(b,url) BIO_ctrl(b,BIO_C_GET_PROXY_PARAM,2,(char *)(url)) |
516 | 517 | # define BIO_get_no_connect_return(b) BIO_ctrl(b,BIO_C_GET_PROXY_PARAM,5,NULL) |
517 | 518 | |
519 | +/* BIO_s_datagram(), BIO_s_fd(), BIO_s_socket(), BIO_s_accept() and BIO_s_connect() */ | |
518 | 520 | # define BIO_set_fd(b,fd,c) BIO_int_ctrl(b,BIO_C_SET_FD,c,fd) |
519 | 521 | # define BIO_get_fd(b,c) BIO_ctrl(b,BIO_C_GET_FD,0,(char *)c) |
520 | 522 | |
523 | +/* BIO_s_file() */ | |
521 | 524 | # define BIO_set_fp(b,fp,c) BIO_ctrl(b,BIO_C_SET_FILE_PTR,c,(char *)fp) |
522 | 525 | # define BIO_get_fp(b,fpp) BIO_ctrl(b,BIO_C_GET_FILE_PTR,0,(char *)fpp) |
523 | 526 | |
527 | +/* BIO_s_fd() and BIO_s_file() */ | |
524 | 528 | # define BIO_seek(b,ofs) (int)BIO_ctrl(b,BIO_C_FILE_SEEK,ofs,NULL) |
525 | 529 | # define BIO_tell(b) (int)BIO_ctrl(b,BIO_C_FILE_TELL,0,NULL) |
526 | 530 |
@@ -1,4 +1,4 @@ | ||
1 | -/* crypto/camellia/camellia.h -*- mode:C; c-file-style: "eay" -*- */ | |
1 | +/* crypto/camellia/camellia.h */ | |
2 | 2 | /* ==================================================================== |
3 | 3 | * Copyright (c) 2006 The OpenSSL Project. All rights reserved. |
4 | 4 | * |
@@ -1,4 +1,4 @@ | ||
1 | -/* crypto/des/des_old.h -*- mode:C; c-file-style: "eay" -*- */ | |
1 | +/* crypto/des/des_old.h */ | |
2 | 2 | |
3 | 3 | /*- |
4 | 4 | * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING |
@@ -174,6 +174,7 @@ struct dh_st { | ||
174 | 174 | /* DH_check_pub_key error codes */ |
175 | 175 | # define DH_CHECK_PUBKEY_TOO_SMALL 0x01 |
176 | 176 | # define DH_CHECK_PUBKEY_TOO_LARGE 0x02 |
177 | +# define DH_CHECK_PUBKEY_INVALID 0x03 | |
177 | 178 | |
178 | 179 | /* |
179 | 180 | * primes p where (p-1)/2 is prime too are called "safe"; we define this for |
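Review bot: DH_CHECK_PUBKEY_INVALID is given the value 0x03 on new line 177, which equals DH_CHECK_PUBKEY_TOO_SMALL (0x01) ORed with DH_CHECK_PUBKEY_TOO_LARGE (0x02). If a caller tests the result with & against the individual codes, an INVALID result cannot be told apart from both of the older flags being set. Please check that any caller of DH_check_pub_key in this tree treats every non-zero result as a rejected key instead of masking specific bits.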
@@ -1,4 +1,4 @@ | ||
1 | -/* dso.h -*- mode:C; c-file-style: "eay" -*- */ | |
1 | +/* dso.h */ | |
2 | 2 | /* |
3 | 3 | * Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL project |
4 | 4 | * 2000. |
@@ -1,4 +1,4 @@ | ||
1 | -/* ssl/kssl.h -*- mode: C; c-file-style: "eay" -*- */ | |
1 | +/* ssl/kssl.h */ | |
2 | 2 | /* |
3 | 3 | * Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project |
4 | 4 | * 2000. project 2000. |
@@ -30,11 +30,11 @@ extern "C" { | ||
30 | 30 | * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for |
31 | 31 | * major minor fix final patch/beta) |
32 | 32 | */ |
33 | -# define OPENSSL_VERSION_NUMBER 0x1000205fL | |
33 | +# define OPENSSL_VERSION_NUMBER 0x1000206fL | |
34 | 34 | # ifdef OPENSSL_FIPS |
35 | -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2e-fips 3 Dec 2015" | |
35 | +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2f-fips 28 Jan 2016" | |
36 | 36 | # else |
37 | -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2e 3 Dec 2015" | |
37 | +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2f 28 Jan 2016" | |
38 | 38 | # endif |
39 | 39 | # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT |
40 | 40 |
@@ -625,7 +625,7 @@ struct ssl_session_st { | ||
625 | 625 | # define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L |
626 | 626 | /* If set, always create a new key when using tmp_ecdh parameters */ |
627 | 627 | # define SSL_OP_SINGLE_ECDH_USE 0x00080000L |
628 | -/* If set, always create a new key when using tmp_dh parameters */ | |
628 | +/* Does nothing: retained for compatibility */ | |
629 | 629 | # define SSL_OP_SINGLE_DH_USE 0x00100000L |
630 | 630 | /* Does nothing: retained for compatibiity */ |
631 | 631 | # define SSL_OP_EPHEMERAL_RSA 0x0 |
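Review bot: The new comment on line 628 ("Does nothing: retained for compatibility") reads as if the protection was dropped, whereas the CHANGES entry in this same commit says SSL_OP_SINGLE_DH_USE "has been switched on by default and cannot be disabled". Wording that says the behaviour is always on and the flag is kept only for source compatibility would stop readers from concluding that DH private exponents are reused. The unchanged comment on line 630 also still has the typo "compatibiity".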
@@ -2092,7 +2092,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) | ||
2092 | 2092 | # define SSL_CTX_set1_sigalgs_list(ctx, s) \ |
2093 | 2093 | SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)s) |
2094 | 2094 | # define SSL_set1_sigalgs(ctx, slist, slistlen) \ |
2095 | - SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS,clistlen,(int *)slist) | |
2095 | + SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS,slistlen,(int *)slist) | |
2096 | 2096 | # define SSL_set1_sigalgs_list(ctx, s) \ |
2097 | 2097 | SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)s) |
2098 | 2098 | # define SSL_CTX_set1_client_sigalgs(ctx, slist, slistlen) \ |
@@ -2713,6 +2713,7 @@ void ERR_load_SSL_strings(void); | ||
2713 | 2713 | # define SSL_F_SSL3_SETUP_KEY_BLOCK 157 |
2714 | 2714 | # define SSL_F_SSL3_SETUP_READ_BUFFER 156 |
2715 | 2715 | # define SSL_F_SSL3_SETUP_WRITE_BUFFER 291 |
2716 | +# define SSL_F_SSL3_SHUTDOWN 396 | |
2716 | 2717 | # define SSL_F_SSL3_WRITE_BYTES 158 |
2717 | 2718 | # define SSL_F_SSL3_WRITE_PENDING 159 |
2718 | 2719 | # define SSL_F_SSL_ADD_CERT_CHAIN 318 |
@@ -3056,6 +3057,7 @@ void ERR_load_SSL_strings(void); | ||
3056 | 3057 | # define SSL_R_SERVERHELLO_TLSEXT 275 |
3057 | 3058 | # define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277 |
3058 | 3059 | # define SSL_R_SHORT_READ 219 |
3060 | +# define SSL_R_SHUTDOWN_WHILE_IN_INIT 407 | |
3059 | 3061 | # define SSL_R_SIGNATURE_ALGORITHMS_ERROR 360 |
3060 | 3062 | # define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 |
3061 | 3063 | # define SSL_R_SRP_A_CALC 361 |
@@ -1,4 +1,4 @@ | ||
1 | -/* crypto/ui/ui.h -*- mode:C; c-file-style: "eay" -*- */ | |
1 | +/* crypto/ui/ui.h */ | |
2 | 2 | /* |
3 | 3 | * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project |
4 | 4 | * 2001. |
@@ -1,4 +1,4 @@ | ||
1 | -/* crypto/ui/ui.h -*- mode:C; c-file-style: "eay" -*- */ | |
1 | +/* crypto/ui/ui.h */ | |
2 | 2 | /* |
3 | 3 | * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project |
4 | 4 | * 2001. |
@@ -313,7 +313,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); | ||
313 | 313 | X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL) |
314 | 314 | |
315 | 315 | # define X509_V_OK 0 |
316 | -/* illegal error (for uninitialized values, to avoid X509_V_OK): 1 */ | |
316 | +# define X509_V_ERR_UNSPECIFIED 1 | |
317 | 317 | |
318 | 318 | # define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2 |
319 | 319 | # define X509_V_ERR_UNABLE_TO_GET_CRL 3 |
@@ -153,15 +153,15 @@ BOOL LoadOpenSSL() | ||
153 | 153 | #ifdef ENABLE_PROCESS_PROTECTION |
154 | 154 | // 同梱するOpenSSLのバージョンに合わせてSHA1ハッシュ値を変更すること |
155 | 155 | #if defined(_M_IX86) |
156 | - // ssleay32.dll 1.0.2e | |
157 | - RegisterTrustedModuleSHA1Hash("\xE8\xD5\xBE\x7A\xD7\xAC\x17\x7E\x1E\x60\xA7\x6A\xD3\xE6\x14\xC9\x7A\x79\x87\x7C"); | |
158 | - // libeay32.dll 1.0.2e | |
159 | - RegisterTrustedModuleSHA1Hash("\x45\xEC\x0B\xCC\x1E\x5F\xC9\xF4\xDA\x03\xF5\xEE\xAB\x6C\x85\x3A\xD8\x49\x23\xD4"); | |
156 | + // ssleay32.dll 1.0.2f | |
157 | + RegisterTrustedModuleSHA1Hash("\xB7\xA4\x25\x22\x73\x62\xC9\x0D\xAA\xBD\x1F\x11\x61\x16\x02\x8A\x5C\x23\xDE\x38"); | |
158 | + // libeay32.dll 1.0.2f | |
159 | + RegisterTrustedModuleSHA1Hash("\x89\xE8\x42\x0E\xDE\x75\x31\x94\xF3\xD0\x54\x02\xD1\x29\x89\x28\x89\x41\xDF\x19"); | |
160 | 160 | #elif defined(_M_AMD64) |
161 | - // ssleay32.dll 1.0.2e | |
162 | - RegisterTrustedModuleSHA1Hash("\xCB\x81\x60\x86\x1C\x27\xB8\x6D\x43\xA5\xBF\x34\x9F\x8E\xE0\x81\x2F\xFD\xC9\xA6"); | |
163 | - // libeay32.dll 1.0.2e | |
164 | - RegisterTrustedModuleSHA1Hash("\x4A\xD3\x39\x10\x66\xA7\x89\x17\xCF\x5C\x65\x8C\xDE\x43\x9B\xF1\x64\xAE\x0E\x04"); | |
161 | + // ssleay32.dll 1.0.2f | |
162 | + RegisterTrustedModuleSHA1Hash("\xB0\x89\xBB\x7C\x7A\xC1\x4E\x00\xC6\x9B\xEC\x36\xDE\x6C\xB6\x1F\xBE\x46\x55\x0E"); | |
163 | + // libeay32.dll 1.0.2f | |
164 | + RegisterTrustedModuleSHA1Hash("\xC5\x59\x7B\x0C\x3C\xF6\x8E\xF8\x10\x18\x3D\x59\x8C\x47\x14\xCA\xB6\xD2\x58\x75"); | |
165 | 165 | #endif |
166 | 166 | #endif |
167 | 167 | g_hOpenSSL = LoadLibrary("ssleay32.dll"); |
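Review bot: The four new digests on lines 157-164 cannot be checked from this commit: nothing here says which ssleay32.dll and libeay32.dll builds they were computed from, and the "\xB7\xA4..." escaped form is awkward to compare against the hex output of a hashing tool. Since these values decide which modules the process protection trusts, I suggest recording the origin of the DLL builds (and the digests in plain hex) in the commit message or next to the existing comment that tells maintainers to update the hashes with the bundled OpenSSL version. Two further points from the context lines: the allowlist is SHA-1 based (RegisterTrustedModuleSHA1Hash), which no longer gives collision resistance, so a SHA-256 variant would be a worthwhile follow-up, and LoadLibrary("ssleay32.dll") on line 167 uses a bare file name, so when ENABLE_PROCESS_PROTECTION is not defined nothing constrains which copy on the DLL search path is loaded.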