• R/O
  • HTTP
  • SSH
  • HTTPS

Commit

Tags
Keine Tags

Frequently used words (click to add to your profile)

javaandroidc++linuxc#objective-ccocoa誰得qtrubypythonwindowsphpgamebathyscaphegui翻訳comegattwitterframeworkbtronvb.net計画中(planning stage)testdomarduinodirectxpreviewerゲームエンジン

FFFTPのソースコードです。


Commit MetaInfo

Revisionab22331c4684f3fe643042f647883a77bf48e516 (tree)
Zeit2016-05-04 14:43:28
Autors_kawamoto <s_kawamoto@user...>
Commiters_kawamoto

Log Message

Update OpenSSL to 1.0.2h.

Ändern Zusammenfassung

Diff

Binary files a/FFFTP_Eng_Release/FFFTP.exe and b/FFFTP_Eng_Release/FFFTP.exe differ
Binary files a/FFFTP_Eng_Release_64/FFFTP.exe and b/FFFTP_Eng_Release_64/FFFTP.exe differ
Binary files a/Release/FFFTP.exe and b/Release/FFFTP.exe differ
Binary files a/Release_64/FFFTP.exe and b/Release_64/FFFTP.exe differ
--- a/Resource/FFFTP.rc
+++ b/Resource/FFFTP.rc
@@ -242,7 +242,7 @@ FONT 9, "MS Shell Dlg", 0, 0, 0x0
242242 BEGIN
243243 DEFPUSHBUTTON "OK",IDOK,133,294,50,14
244244 ICON ffftp,-1,7,4,20,20
245- CTEXT "FFFTP Ver 1.99-20160423",-1,113,11,90,8
245+ CTEXT "FFFTP Ver 1.99-20160504",-1,113,11,90,8
246246 CTEXT "FFFTPはfreewareです",-1,7,279,305,8
247247 CTEXT "Copyright(C) 1997-2010 Sota & ご協力いただいた方々\nCopyright (C) 2011-2016 FFFTP Project (Hiromichi Matsushima, Suguru Kawamoto, IWAMOTO Kouichi, vitamin0x, うなー, Asami, fortran90, tomo1192, Yuji Tanaka, Moriguchi Hirokazu, ふうせん)",-1,7,25,305,44,SS_NOPREFIX
248248 CTEXT "",ABOUT_JRE,7,96,305,8
--- a/Resource_eng/ffftp.rc
+++ b/Resource_eng/ffftp.rc
@@ -242,7 +242,7 @@ FONT 9, "MS Shell Dlg", 0, 0, 0x0
242242 BEGIN
243243 DEFPUSHBUTTON "OK",IDOK,132,296,50,14
244244 ICON ffftp,-1,7,4,20,20
245- CTEXT "FFFTP Ver 1.99-20160423",-1,110,11,90,8
245+ CTEXT "FFFTP Ver 1.99-20160504",-1,110,11,90,8
246246 CTEXT "FFFTP is freeware",-1,7,281,301,8
247247 CTEXT "Copyright(C) 1997-2010 Sota && cooperators\nCopyright (C) 2011-2016 FFFTP Project (Hiromichi Matsushima, Suguru Kawamoto, IWAMOTO Kouichi, vitamin0x, unarist, Asami, fortran90, tomo1192, Yuji Tanaka, Moriguchi Hirokazu, Fu-sen)",-1,7,25,301,44
248248 CTEXT "",ABOUT_JRE,7,93,301,8
--- a/common.h
+++ b/common.h
@@ -72,16 +72,16 @@
7272 //#define PROGRAM_VERSION_NUM 1972 /* バージョン */
7373 // 64ビット対応
7474 #ifdef _WIN64
75-#define VER_STR "1.99-20160423 64bit"
75+#define VER_STR "1.99-20160504 64bit"
7676 #else
77-#define VER_STR "1.99-20160423"
77+#define VER_STR "1.99-20160504"
7878 #endif
7979 #define VER_NUM 1990 /* 設定バージョン */
8080 #define PROGRAM_VERSION_NUM 1990 /* バージョン */
8181 // ソフトウェア自動更新
8282 // リリースバージョンはリリース予定年(10進数4桁)+月(2桁)+日(2桁)+通し番号(0スタート2桁)とする
8383 // 2014年7月31日中の30個目のリリースは2014073129
84-#define RELEASE_VERSION_NUM 2016042300 /* リリースバージョン */
84+#define RELEASE_VERSION_NUM 2016050400 /* リリースバージョン */
8585
8686
8787 // SourceForge.JPによるフォーク
--- a/contrib/openssl/CHANGES
+++ b/contrib/openssl/CHANGES
@@ -2,6 +2,103 @@
22 OpenSSL CHANGES
33 _______________
44
5+ Changes between 1.0.2g and 1.0.2h [3 May 2016]
6+
7+ *) Prevent padding oracle in AES-NI CBC MAC check
8+
9+ A MITM attacker can use a padding oracle attack to decrypt traffic
10+ when the connection uses an AES CBC cipher and the server support
11+ AES-NI.
12+
13+ This issue was introduced as part of the fix for Lucky 13 padding
14+ attack (CVE-2013-0169). The padding check was rewritten to be in
15+ constant time by making sure that always the same bytes are read and
16+ compared against either the MAC or padding bytes. But it no longer
17+ checked that there was enough data to have both the MAC and padding
18+ bytes.
19+
20+ This issue was reported by Juraj Somorovsky using TLS-Attacker.
21+ (CVE-2016-2107)
22+ [Kurt Roeckx]
23+
24+ *) Fix EVP_EncodeUpdate overflow
25+
26+ An overflow can occur in the EVP_EncodeUpdate() function which is used for
27+ Base64 encoding of binary data. If an attacker is able to supply very large
28+ amounts of input data then a length check can overflow resulting in a heap
29+ corruption.
30+
31+ Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by
32+ the PEM_write_bio* family of functions. These are mainly used within the
33+ OpenSSL command line applications, so any application which processes data
34+ from an untrusted source and outputs it as a PEM file should be considered
35+ vulnerable to this issue. User applications that call these APIs directly
36+ with large amounts of untrusted data may also be vulnerable.
37+
38+ This issue was reported by Guido Vranken.
39+ (CVE-2016-2105)
40+ [Matt Caswell]
41+
42+ *) Fix EVP_EncryptUpdate overflow
43+
44+ An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
45+ is able to supply very large amounts of input data after a previous call to
46+ EVP_EncryptUpdate() with a partial block then a length check can overflow
47+ resulting in a heap corruption. Following an analysis of all OpenSSL
48+ internal usage of the EVP_EncryptUpdate() function all usage is one of two
49+ forms. The first form is where the EVP_EncryptUpdate() call is known to be
50+ the first called function after an EVP_EncryptInit(), and therefore that
51+ specific call must be safe. The second form is where the length passed to
52+ EVP_EncryptUpdate() can be seen from the code to be some small value and
53+ therefore there is no possibility of an overflow. Since all instances are
54+ one of these two forms, it is believed that there can be no overflows in
55+ internal code due to this problem. It should be noted that
56+ EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
57+ Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
58+ of these calls have also been analysed too and it is believed there are no
59+ instances in internal usage where an overflow could occur.
60+
61+ This issue was reported by Guido Vranken.
62+ (CVE-2016-2106)
63+ [Matt Caswell]
64+
65+ *) Prevent ASN.1 BIO excessive memory allocation
66+
67+ When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
68+ a short invalid encoding can casuse allocation of large amounts of memory
69+ potentially consuming excessive resources or exhausting memory.
70+
71+ Any application parsing untrusted data through d2i BIO functions is
72+ affected. The memory based functions such as d2i_X509() are *not* affected.
73+ Since the memory based functions are used by the TLS library, TLS
74+ applications are not affected.
75+
76+ This issue was reported by Brian Carpenter.
77+ (CVE-2016-2109)
78+ [Stephen Henson]
79+
80+ *) EBCDIC overread
81+
82+ ASN1 Strings that are over 1024 bytes can cause an overread in applications
83+ using the X509_NAME_oneline() function on EBCDIC systems. This could result
84+ in arbitrary stack data being returned in the buffer.
85+
86+ This issue was reported by Guido Vranken.
87+ (CVE-2016-2176)
88+ [Matt Caswell]
89+
90+ *) Modify behavior of ALPN to invoke callback after SNI/servername
91+ callback, such that updates to the SSL_CTX affect ALPN.
92+ [Todd Short]
93+
94+ *) Remove LOW from the DEFAULT cipher list. This removes singles DES from the
95+ default.
96+ [Kurt Roeckx]
97+
98+ *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
99+ methods are enabled and ssl2 is disabled the methods return NULL.
100+ [Kurt Roeckx]
101+
5102 Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
6103
7104 * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
--- a/contrib/openssl/NEWS
+++ b/contrib/openssl/NEWS
@@ -5,6 +5,19 @@
55 This file gives a brief overview of the major changes between each OpenSSL
66 release. For more details please read the CHANGES file.
77
8+ Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016]
9+
10+ o Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
11+ o Fix EVP_EncodeUpdate overflow (CVE-2016-2105)
12+ o Fix EVP_EncryptUpdate overflow (CVE-2016-2106)
13+ o Prevent ASN.1 BIO excessive memory allocation (CVE-2016-2109)
14+ o EBCDIC overread (CVE-2016-2176)
15+ o Modify behavior of ALPN to invoke callback after SNI/servername
16+ callback, such that updates to the SSL_CTX affect ALPN.
17+ o Remove LOW from the DEFAULT cipher list. This removes singles DES from
18+ the default.
19+ o Only remove the SSLv2 methods with the no-ssl2-method option.
20+
821 Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016]
922
1023 o Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
--- a/contrib/openssl/README
+++ b/contrib/openssl/README
@@ -1,5 +1,5 @@
11
2- OpenSSL 1.0.2g 1 Mar 2016
2+ OpenSSL 1.0.2h 3 May 2016
33
44 Copyright (c) 1998-2015 The OpenSSL Project
55 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
--- a/contrib/openssl/include/openssl/comp.h
+++ b/contrib/openssl/include/openssl/comp.h
@@ -4,6 +4,10 @@
44
55 # include <openssl/crypto.h>
66
7+# ifdef OPENSSL_NO_COMP
8+# error COMP is disabled.
9+# endif
10+
711 #ifdef __cplusplus
812 extern "C" {
913 #endif
--- a/contrib/openssl/include/openssl/opensslv.h
+++ b/contrib/openssl/include/openssl/opensslv.h
@@ -30,11 +30,11 @@ extern "C" {
3030 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
3131 * major minor fix final patch/beta)
3232 */
33-# define OPENSSL_VERSION_NUMBER 0x1000207fL
33+# define OPENSSL_VERSION_NUMBER 0x1000208fL
3434 # ifdef OPENSSL_FIPS
35-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2g-fips 1 Mar 2016"
35+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2h-fips 3 May 2016"
3636 # else
37-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2g 1 Mar 2016"
37+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2h 3 May 2016"
3838 # endif
3939 # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
4040
--- a/contrib/openssl/include/openssl/ssl.h
+++ b/contrib/openssl/include/openssl/ssl.h
@@ -338,7 +338,7 @@ extern "C" {
338338 * The following cipher list is used by default. It also is substituted when
339339 * an application-defined cipher list string starts with 'DEFAULT'.
340340 */
341-# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
341+# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"
342342 /*
343343 * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
344344 * starts with a reasonable order, and all we have to do for DEFAULT is
@@ -2345,7 +2345,7 @@ const char *SSL_get_version(const SSL *s);
23452345 /* This sets the 'default' SSL version that SSL_new() will create */
23462346 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
23472347
2348-# ifndef OPENSSL_NO_SSL2
2348+# ifndef OPENSSL_NO_SSL2_METHOD
23492349 const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
23502350 const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
23512351 const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
--- a/contrib/openssl/include/openssl/x509.h
+++ b/contrib/openssl/include/openssl/x509.h
@@ -1305,6 +1305,7 @@ void ERR_load_X509_strings(void);
13051305 # define X509_R_LOADING_CERT_DIR 103
13061306 # define X509_R_LOADING_DEFAULTS 104
13071307 # define X509_R_METHOD_NOT_SUPPORTED 124
1308+# define X509_R_NAME_TOO_LONG 134
13081309 # define X509_R_NEWER_CRL_NOT_NEWER 132
13091310 # define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 105
13101311 # define X509_R_NO_CRL_NUMBER 130
Binary files a/dist/amd64/libeay32.dll and b/dist/amd64/libeay32.dll differ
Binary files a/dist/amd64/ssleay32.dll and b/dist/amd64/ssleay32.dll differ
Binary files a/dist/libeay32.dll and b/dist/libeay32.dll differ
Binary files a/dist/ssleay32.dll and b/dist/ssleay32.dll differ
--- a/socketwrapper.c
+++ b/socketwrapper.c
@@ -153,15 +153,15 @@ BOOL LoadOpenSSL()
153153 #ifdef ENABLE_PROCESS_PROTECTION
154154 // 同梱するOpenSSLのバージョンに合わせてSHA1ハッシュ値を変更すること
155155 #if defined(_M_IX86)
156- // ssleay32.dll 1.0.2g
157- RegisterTrustedModuleSHA1Hash("\x96\x60\x94\xD8\x35\xB8\xAC\x1B\xEC\xCB\x45\xAD\x1B\x3E\x4C\x9F\xDC\x78\xA9\xDC");
158- // libeay32.dll 1.0.2g
159- RegisterTrustedModuleSHA1Hash("\xBD\x91\xB9\x36\xC1\xC5\x65\x6D\x8F\xAA\xCF\x6F\x84\x8B\xC7\x77\x23\x8D\xE6\x2B");
156+ // ssleay32.dll 1.0.2h
157+ RegisterTrustedModuleSHA1Hash("\x7E\x40\xBE\x64\xDC\x67\xAC\x54\x5E\x27\x62\x02\x80\x41\x08\x0A\xA7\xB4\xD9\x3C");
158+ // libeay32.dll 1.0.2h
159+ RegisterTrustedModuleSHA1Hash("\xE5\x35\x05\x1B\xEC\x5A\xF1\xC9\xE5\xAA\x3D\x85\x3B\xCE\xBB\x9A\xCA\xC8\x6A\x17");
160160 #elif defined(_M_AMD64)
161- // ssleay32.dll 1.0.2g
162- RegisterTrustedModuleSHA1Hash("\xF8\x88\xEB\xC1\x2B\xE6\xE4\xFD\xFA\xCA\x9F\xAB\x2F\x46\x47\xC4\x56\x11\xF8\x21");
163- // libeay32.dll 1.0.2g
164- RegisterTrustedModuleSHA1Hash("\x70\xAD\x36\x15\xB1\x2C\x82\xAF\xD4\x93\x17\xD4\x82\xC7\x15\x4B\x89\x86\xE3\xE6");
161+ // ssleay32.dll 1.0.2h
162+ RegisterTrustedModuleSHA1Hash("\x32\x2E\x8A\x61\xCF\x64\xC0\xB4\xFF\x98\x93\x88\x8D\x16\xC8\x7B\xA3\x4D\x90\x78");
163+ // libeay32.dll 1.0.2h
164+ RegisterTrustedModuleSHA1Hash("\x27\x5F\x56\x01\xDC\xE5\xBA\xF8\x3E\x0E\x32\xB6\xCF\x6C\xF4\x1A\x08\x1E\x49\x16");
165165 #endif
166166 #endif
167167 g_hOpenSSL = LoadLibrary("ssleay32.dll");