FFFTPのソースコードです。
Révision | ab22331c4684f3fe643042f647883a77bf48e516 (tree) |
---|---|
l'heure | 2016-05-04 14:43:28 |
Auteur | s_kawamoto <s_kawamoto@user...> |
Commiter | s_kawamoto |
Update OpenSSL to 1.0.2h.
@@ -242,7 +242,7 @@ FONT 9, "MS Shell Dlg", 0, 0, 0x0 | ||
242 | 242 | BEGIN |
243 | 243 | DEFPUSHBUTTON "OK",IDOK,133,294,50,14 |
244 | 244 | ICON ffftp,-1,7,4,20,20 |
245 | - CTEXT "FFFTP Ver 1.99-20160423",-1,113,11,90,8 | |
245 | + CTEXT "FFFTP Ver 1.99-20160504",-1,113,11,90,8 | |
246 | 246 | CTEXT "FFFTPはfreewareです",-1,7,279,305,8 |
247 | 247 | CTEXT "Copyright(C) 1997-2010 Sota & ご協力いただいた方々\nCopyright (C) 2011-2016 FFFTP Project (Hiromichi Matsushima, Suguru Kawamoto, IWAMOTO Kouichi, vitamin0x, うなー, Asami, fortran90, tomo1192, Yuji Tanaka, Moriguchi Hirokazu, ふうせん)",-1,7,25,305,44,SS_NOPREFIX |
248 | 248 | CTEXT "",ABOUT_JRE,7,96,305,8 |
@@ -242,7 +242,7 @@ FONT 9, "MS Shell Dlg", 0, 0, 0x0 | ||
242 | 242 | BEGIN |
243 | 243 | DEFPUSHBUTTON "OK",IDOK,132,296,50,14 |
244 | 244 | ICON ffftp,-1,7,4,20,20 |
245 | - CTEXT "FFFTP Ver 1.99-20160423",-1,110,11,90,8 | |
245 | + CTEXT "FFFTP Ver 1.99-20160504",-1,110,11,90,8 | |
246 | 246 | CTEXT "FFFTP is freeware",-1,7,281,301,8 |
247 | 247 | CTEXT "Copyright(C) 1997-2010 Sota && cooperators\nCopyright (C) 2011-2016 FFFTP Project (Hiromichi Matsushima, Suguru Kawamoto, IWAMOTO Kouichi, vitamin0x, unarist, Asami, fortran90, tomo1192, Yuji Tanaka, Moriguchi Hirokazu, Fu-sen)",-1,7,25,301,44 |
248 | 248 | CTEXT "",ABOUT_JRE,7,93,301,8 |
@@ -72,16 +72,16 @@ | ||
72 | 72 | //#define PROGRAM_VERSION_NUM 1972 /* バージョン */ |
73 | 73 | // 64ビット対応 |
74 | 74 | #ifdef _WIN64 |
75 | -#define VER_STR "1.99-20160423 64bit" | |
75 | +#define VER_STR "1.99-20160504 64bit" | |
76 | 76 | #else |
77 | -#define VER_STR "1.99-20160423" | |
77 | +#define VER_STR "1.99-20160504" | |
78 | 78 | #endif |
79 | 79 | #define VER_NUM 1990 /* 設定バージョン */ |
80 | 80 | #define PROGRAM_VERSION_NUM 1990 /* バージョン */ |
81 | 81 | // ソフトウェア自動更新 |
82 | 82 | // リリースバージョンはリリース予定年(10進数4桁)+月(2桁)+日(2桁)+通し番号(0スタート2桁)とする |
83 | 83 | // 2014年7月31日中の30個目のリリースは2014073129 |
84 | -#define RELEASE_VERSION_NUM 2016042300 /* リリースバージョン */ | |
84 | +#define RELEASE_VERSION_NUM 2016050400 /* リリースバージョン */ | |
85 | 85 | |
86 | 86 | |
87 | 87 | // SourceForge.JPによるフォーク |
@@ -2,6 +2,103 @@ | ||
2 | 2 | OpenSSL CHANGES |
3 | 3 | _______________ |
4 | 4 | |
5 | + Changes between 1.0.2g and 1.0.2h [3 May 2016] | |
6 | + | |
7 | + *) Prevent padding oracle in AES-NI CBC MAC check | |
8 | + | |
9 | + A MITM attacker can use a padding oracle attack to decrypt traffic | |
10 | + when the connection uses an AES CBC cipher and the server support | |
11 | + AES-NI. | |
12 | + | |
13 | + This issue was introduced as part of the fix for Lucky 13 padding | |
14 | + attack (CVE-2013-0169). The padding check was rewritten to be in | |
15 | + constant time by making sure that always the same bytes are read and | |
16 | + compared against either the MAC or padding bytes. But it no longer | |
17 | + checked that there was enough data to have both the MAC and padding | |
18 | + bytes. | |
19 | + | |
20 | + This issue was reported by Juraj Somorovsky using TLS-Attacker. | |
21 | + (CVE-2016-2107) | |
22 | + [Kurt Roeckx] | |
23 | + | |
24 | + *) Fix EVP_EncodeUpdate overflow | |
25 | + | |
26 | + An overflow can occur in the EVP_EncodeUpdate() function which is used for | |
27 | + Base64 encoding of binary data. If an attacker is able to supply very large | |
28 | + amounts of input data then a length check can overflow resulting in a heap | |
29 | + corruption. | |
30 | + | |
31 | + Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by | |
32 | + the PEM_write_bio* family of functions. These are mainly used within the | |
33 | + OpenSSL command line applications, so any application which processes data | |
34 | + from an untrusted source and outputs it as a PEM file should be considered | |
35 | + vulnerable to this issue. User applications that call these APIs directly | |
36 | + with large amounts of untrusted data may also be vulnerable. | |
37 | + | |
38 | + This issue was reported by Guido Vranken. | |
39 | + (CVE-2016-2105) | |
40 | + [Matt Caswell] | |
41 | + | |
42 | + *) Fix EVP_EncryptUpdate overflow | |
43 | + | |
44 | + An overflow can occur in the EVP_EncryptUpdate() function. If an attacker | |
45 | + is able to supply very large amounts of input data after a previous call to | |
46 | + EVP_EncryptUpdate() with a partial block then a length check can overflow | |
47 | + resulting in a heap corruption. Following an analysis of all OpenSSL | |
48 | + internal usage of the EVP_EncryptUpdate() function all usage is one of two | |
49 | + forms. The first form is where the EVP_EncryptUpdate() call is known to be | |
50 | + the first called function after an EVP_EncryptInit(), and therefore that | |
51 | + specific call must be safe. The second form is where the length passed to | |
52 | + EVP_EncryptUpdate() can be seen from the code to be some small value and | |
53 | + therefore there is no possibility of an overflow. Since all instances are | |
54 | + one of these two forms, it is believed that there can be no overflows in | |
55 | + internal code due to this problem. It should be noted that | |
56 | + EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths. | |
57 | + Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances | |
58 | + of these calls have also been analysed too and it is believed there are no | |
59 | + instances in internal usage where an overflow could occur. | |
60 | + | |
61 | + This issue was reported by Guido Vranken. | |
62 | + (CVE-2016-2106) | |
63 | + [Matt Caswell] | |
64 | + | |
65 | + *) Prevent ASN.1 BIO excessive memory allocation | |
66 | + | |
67 | + When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() | |
68 | + a short invalid encoding can casuse allocation of large amounts of memory | |
69 | + potentially consuming excessive resources or exhausting memory. | |
70 | + | |
71 | + Any application parsing untrusted data through d2i BIO functions is | |
72 | + affected. The memory based functions such as d2i_X509() are *not* affected. | |
73 | + Since the memory based functions are used by the TLS library, TLS | |
74 | + applications are not affected. | |
75 | + | |
76 | + This issue was reported by Brian Carpenter. | |
77 | + (CVE-2016-2109) | |
78 | + [Stephen Henson] | |
79 | + | |
80 | + *) EBCDIC overread | |
81 | + | |
82 | + ASN1 Strings that are over 1024 bytes can cause an overread in applications | |
83 | + using the X509_NAME_oneline() function on EBCDIC systems. This could result | |
84 | + in arbitrary stack data being returned in the buffer. | |
85 | + | |
86 | + This issue was reported by Guido Vranken. | |
87 | + (CVE-2016-2176) | |
88 | + [Matt Caswell] | |
89 | + | |
90 | + *) Modify behavior of ALPN to invoke callback after SNI/servername | |
91 | + callback, such that updates to the SSL_CTX affect ALPN. | |
92 | + [Todd Short] | |
93 | + | |
94 | + *) Remove LOW from the DEFAULT cipher list. This removes singles DES from the | |
95 | + default. | |
96 | + [Kurt Roeckx] | |
97 | + | |
98 | + *) Only remove the SSLv2 methods with the no-ssl2-method option. When the | |
99 | + methods are enabled and ssl2 is disabled the methods return NULL. | |
100 | + [Kurt Roeckx] | |
101 | + | |
5 | 102 | Changes between 1.0.2f and 1.0.2g [1 Mar 2016] |
6 | 103 | |
7 | 104 | * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. |
@@ -5,6 +5,19 @@ | ||
5 | 5 | This file gives a brief overview of the major changes between each OpenSSL |
6 | 6 | release. For more details please read the CHANGES file. |
7 | 7 | |
8 | + Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016] | |
9 | + | |
10 | + o Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107) | |
11 | + o Fix EVP_EncodeUpdate overflow (CVE-2016-2105) | |
12 | + o Fix EVP_EncryptUpdate overflow (CVE-2016-2106) | |
13 | + o Prevent ASN.1 BIO excessive memory allocation (CVE-2016-2109) | |
14 | + o EBCDIC overread (CVE-2016-2176) | |
15 | + o Modify behavior of ALPN to invoke callback after SNI/servername | |
16 | + callback, such that updates to the SSL_CTX affect ALPN. | |
17 | + o Remove LOW from the DEFAULT cipher list. This removes singles DES from | |
18 | + the default. | |
19 | + o Only remove the SSLv2 methods with the no-ssl2-method option. | |
20 | + | |
8 | 21 | Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016] |
9 | 22 | |
10 | 23 | o Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. |
@@ -1,5 +1,5 @@ | ||
1 | 1 | |
2 | - OpenSSL 1.0.2g 1 Mar 2016 | |
2 | + OpenSSL 1.0.2h 3 May 2016 | |
3 | 3 | |
4 | 4 | Copyright (c) 1998-2015 The OpenSSL Project |
5 | 5 | Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson |
@@ -4,6 +4,10 @@ | ||
4 | 4 | |
5 | 5 | # include <openssl/crypto.h> |
6 | 6 | |
7 | +# ifdef OPENSSL_NO_COMP | |
8 | +# error COMP is disabled. | |
9 | +# endif | |
10 | + | |
7 | 11 | #ifdef __cplusplus |
8 | 12 | extern "C" { |
9 | 13 | #endif |
@@ -30,11 +30,11 @@ extern "C" { | ||
30 | 30 | * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for |
31 | 31 | * major minor fix final patch/beta) |
32 | 32 | */ |
33 | -# define OPENSSL_VERSION_NUMBER 0x1000207fL | |
33 | +# define OPENSSL_VERSION_NUMBER 0x1000208fL | |
34 | 34 | # ifdef OPENSSL_FIPS |
35 | -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2g-fips 1 Mar 2016" | |
35 | +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2h-fips 3 May 2016" | |
36 | 36 | # else |
37 | -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2g 1 Mar 2016" | |
37 | +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2h 3 May 2016" | |
38 | 38 | # endif |
39 | 39 | # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT |
40 | 40 |
@@ -338,7 +338,7 @@ extern "C" { | ||
338 | 338 | * The following cipher list is used by default. It also is substituted when |
339 | 339 | * an application-defined cipher list string starts with 'DEFAULT'. |
340 | 340 | */ |
341 | -# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2" | |
341 | +# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2" | |
342 | 342 | /* |
343 | 343 | * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always |
344 | 344 | * starts with a reasonable order, and all we have to do for DEFAULT is |
@@ -2345,7 +2345,7 @@ const char *SSL_get_version(const SSL *s); | ||
2345 | 2345 | /* This sets the 'default' SSL version that SSL_new() will create */ |
2346 | 2346 | int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth); |
2347 | 2347 | |
2348 | -# ifndef OPENSSL_NO_SSL2 | |
2348 | +# ifndef OPENSSL_NO_SSL2_METHOD | |
2349 | 2349 | const SSL_METHOD *SSLv2_method(void); /* SSLv2 */ |
2350 | 2350 | const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */ |
2351 | 2351 | const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */ |
@@ -1305,6 +1305,7 @@ void ERR_load_X509_strings(void); | ||
1305 | 1305 | # define X509_R_LOADING_CERT_DIR 103 |
1306 | 1306 | # define X509_R_LOADING_DEFAULTS 104 |
1307 | 1307 | # define X509_R_METHOD_NOT_SUPPORTED 124 |
1308 | +# define X509_R_NAME_TOO_LONG 134 | |
1308 | 1309 | # define X509_R_NEWER_CRL_NOT_NEWER 132 |
1309 | 1310 | # define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 105 |
1310 | 1311 | # define X509_R_NO_CRL_NUMBER 130 |
@@ -153,15 +153,15 @@ BOOL LoadOpenSSL() | ||
153 | 153 | #ifdef ENABLE_PROCESS_PROTECTION |
154 | 154 | // 同梱するOpenSSLのバージョンに合わせてSHA1ハッシュ値を変更すること |
155 | 155 | #if defined(_M_IX86) |
156 | - // ssleay32.dll 1.0.2g | |
157 | - RegisterTrustedModuleSHA1Hash("\x96\x60\x94\xD8\x35\xB8\xAC\x1B\xEC\xCB\x45\xAD\x1B\x3E\x4C\x9F\xDC\x78\xA9\xDC"); | |
158 | - // libeay32.dll 1.0.2g | |
159 | - RegisterTrustedModuleSHA1Hash("\xBD\x91\xB9\x36\xC1\xC5\x65\x6D\x8F\xAA\xCF\x6F\x84\x8B\xC7\x77\x23\x8D\xE6\x2B"); | |
156 | + // ssleay32.dll 1.0.2h | |
157 | + RegisterTrustedModuleSHA1Hash("\x7E\x40\xBE\x64\xDC\x67\xAC\x54\x5E\x27\x62\x02\x80\x41\x08\x0A\xA7\xB4\xD9\x3C"); | |
158 | + // libeay32.dll 1.0.2h | |
159 | + RegisterTrustedModuleSHA1Hash("\xE5\x35\x05\x1B\xEC\x5A\xF1\xC9\xE5\xAA\x3D\x85\x3B\xCE\xBB\x9A\xCA\xC8\x6A\x17"); | |
160 | 160 | #elif defined(_M_AMD64) |
161 | - // ssleay32.dll 1.0.2g | |
162 | - RegisterTrustedModuleSHA1Hash("\xF8\x88\xEB\xC1\x2B\xE6\xE4\xFD\xFA\xCA\x9F\xAB\x2F\x46\x47\xC4\x56\x11\xF8\x21"); | |
163 | - // libeay32.dll 1.0.2g | |
164 | - RegisterTrustedModuleSHA1Hash("\x70\xAD\x36\x15\xB1\x2C\x82\xAF\xD4\x93\x17\xD4\x82\xC7\x15\x4B\x89\x86\xE3\xE6"); | |
161 | + // ssleay32.dll 1.0.2h | |
162 | + RegisterTrustedModuleSHA1Hash("\x32\x2E\x8A\x61\xCF\x64\xC0\xB4\xFF\x98\x93\x88\x8D\x16\xC8\x7B\xA3\x4D\x90\x78"); | |
163 | + // libeay32.dll 1.0.2h | |
164 | + RegisterTrustedModuleSHA1Hash("\x27\x5F\x56\x01\xDC\xE5\xBA\xF8\x3E\x0E\x32\xB6\xCF\x6C\xF4\x1A\x08\x1E\x49\x16"); | |
165 | 165 | #endif |
166 | 166 | #endif |
167 | 167 | g_hOpenSSL = LoadLibrary("ssleay32.dll"); |