Update OpenSSL to 1.0.1d.

diff --git a/FFFTP_Eng_Release/FFFTP.exe b/FFFTP_Eng_Release/FFFTP.exe
index 5cdf617..b891b2e 100644 (file)
Binary files a/FFFTP_Eng_Release/FFFTP.exe and b/FFFTP_Eng_Release/FFFTP.exe differ

diff --git a/Release/FFFTP.exe b/Release/FFFTP.exe
index b3b548b..4401fe5 100644 (file)
Binary files a/Release/FFFTP.exe and b/Release/FFFTP.exe differ

diff --git a/contrib/openssl/bin/libeay32.dll b/contrib/openssl/bin/libeay32.dll
index 696b300..ac529bb 100644 (file)
Binary files a/contrib/openssl/bin/libeay32.dll and b/contrib/openssl/bin/libeay32.dll differ

diff --git a/contrib/openssl/bin/libssl32.dll b/contrib/openssl/bin/libssl32.dll
index c0d6d1f..d5c477e 100644 (file)
Binary files a/contrib/openssl/bin/libssl32.dll and b/contrib/openssl/bin/libssl32.dll differ

diff --git a/contrib/openssl/bin/ssleay32.dll b/contrib/openssl/bin/ssleay32.dll
index c0d6d1f..d5c477e 100644 (file)
Binary files a/contrib/openssl/bin/ssleay32.dll and b/contrib/openssl/bin/ssleay32.dll differ

diff --git a/contrib/openssl/changes.txt b/contrib/openssl/changes.txt
index 7013e4c..b7d36c2 100644 (file)
--- a/contrib/openssl/changes.txt
+++ b/contrib/openssl/changes.txt
@@ -2,6 +2,49 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.1c and 1.0.1d [5 Feb 2013]
+
+  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+
+     This addresses the flaw in CBC record processing discovered by 
+     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+     at: http://www.isg.rhul.ac.uk/tls/     
+
+     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+     Security Group at Royal Holloway, University of London
+     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+     Emilia Käsper for the initial patch.
+     (CVE-2013-0169)
+     [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+
+  *) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
+     ciphersuites which can be exploited in a denial of service attack.
+     Thanks go to and to Adam Langley <agl@chromium.org> for discovering
+     and detecting this bug and to Wolfgang Ettlinger
+     <wolfgang.ettlinger@gmail.com> for independently discovering this issue.
+     (CVE-2012-2686)
+     [Adam Langley]
+
+  *) Return an error when checking OCSP signatures when key is NULL.
+     This fixes a DoS attack. (CVE-2013-0166)
+     [Steve Henson]
+
+  *) Make openssl verify return errors.
+     [Chris Palmer <palmer@google.com> and Ben Laurie]
+
+  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
+     the right response is stapled. Also change SSL_get_certificate()
+     so it returns the certificate actually sent.
+     See http://rt.openssl.org/Ticket/Display.html?id=2836.
+     [Rob Stradling <rob.stradling@comodo.com>]
+
+  *) Fix possible deadlock when decoding public keys.
+     [Steve Henson]
+
+  *) Don't use TLS 1.0 record version number in initial client hello
+     if renegotiating.
+     [Steve Henson]
+
  Changes between 1.0.1b and 1.0.1c [10 May 2012]
 
   *) Sanity check record length before skipping explicit IV in TLS

diff --git a/contrib/openssl/faq.txt b/contrib/openssl/faq.txt
index bb6f7e2..fcd6e1a 100644 (file)
--- a/contrib/openssl/faq.txt
+++ b/contrib/openssl/faq.txt
@@ -83,7 +83,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.1c was released on May 10th, 2012.
+OpenSSL 1.0.1d was released on Feb 5th, 2013.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:

diff --git a/contrib/openssl/include/openssl/crypto.h b/contrib/openssl/include/openssl/crypto.h
index 773c9b2..186689f 100644 (file)
--- a/contrib/openssl/include/openssl/crypto.h
+++ b/contrib/openssl/include/openssl/crypto.h
@@ -488,10 +488,10 @@ void CRYPTO_get_mem_debug_functions(void (**m)(void *,int,const char *,int,int),
                                    long (**go)(void));\r
 \r
 void *CRYPTO_malloc_locked(int num, const char *file, int line);\r
-void CRYPTO_free_locked(void *);\r
+void CRYPTO_free_locked(void *ptr);\r
 void *CRYPTO_malloc(int num, const char *file, int line);\r
 char *CRYPTO_strdup(const char *str, const char *file, int line);\r
-void CRYPTO_free(void *);\r
+void CRYPTO_free(void *ptr);\r
 void *CRYPTO_realloc(void *addr,int num, const char *file, int line);\r
 void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file,\r
                           int line);\r
@@ -574,6 +574,13 @@ void OPENSSL_init(void);
 #define fips_cipher_abort(alg) while(0)\r
 #endif\r
 \r
+/* CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It\r
+ * takes an amount of time dependent on |len|, but independent of the contents\r
+ * of |a| and |b|. Unlike memcmp, it cannot be used to put elements into a\r
+ * defined order as the return value when a != b is undefined, other than to be\r
+ * non-zero. */\r
+int CRYPTO_memcmp(const void *a, const void *b, size_t len);\r
+\r
 /* BEGIN ERROR CODES */\r
 /* The following lines are auto generated by the script mkerr.pl. Any changes\r
  * made after this point may be overwritten when the script is next run.\r

diff --git a/contrib/openssl/include/openssl/dtls1.h b/contrib/openssl/include/openssl/dtls1.h
index b004322..7c59781 100644 (file)
--- a/contrib/openssl/include/openssl/dtls1.h
+++ b/contrib/openssl/include/openssl/dtls1.h
@@ -72,8 +72,12 @@
 #elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_)\r
 #include <sys/timeval.h>\r
 #else\r
+#if defined(OPENSSL_SYS_VXWORKS)\r
+#include <sys/times.h>\r
+#else\r
 #include <sys/time.h>\r
 #endif\r
+#endif\r
 \r
 #ifdef  __cplusplus\r
 extern "C" {\r

diff --git a/contrib/openssl/include/openssl/ec.h b/contrib/openssl/include/openssl/ec.h
index 71eae8b..83a19ed 100644 (file)
--- a/contrib/openssl/include/openssl/ec.h
+++ b/contrib/openssl/include/openssl/ec.h
@@ -274,10 +274,10 @@ int EC_GROUP_get_curve_name(const EC_GROUP *group);
 void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag);\r
 int EC_GROUP_get_asn1_flag(const EC_GROUP *group);\r
 \r
-void EC_GROUP_set_point_conversion_form(EC_GROUP *, point_conversion_form_t);\r
+void EC_GROUP_set_point_conversion_form(EC_GROUP *group, point_conversion_form_t form);\r
 point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP *);\r
 \r
-unsigned char *EC_GROUP_get0_seed(const EC_GROUP *);\r
+unsigned char *EC_GROUP_get0_seed(const EC_GROUP *x);\r
 size_t EC_GROUP_get_seed_len(const EC_GROUP *);\r
 size_t EC_GROUP_set_seed(EC_GROUP *, const unsigned char *, size_t len);\r
 \r
@@ -626,8 +626,8 @@ int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *c
  */\r
 int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx);\r
 \r
-int EC_POINT_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);\r
-int EC_POINTs_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);\r
+int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx);\r
+int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx);\r
 \r
 /** Computes r = generator * n sum_{i=0}^num p[i] * m[i]\r
  *  \param  group  underlying EC_GROUP object\r
@@ -800,16 +800,24 @@ const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key);
 int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub);\r
 \r
 unsigned EC_KEY_get_enc_flags(const EC_KEY *key);\r
-void EC_KEY_set_enc_flags(EC_KEY *, unsigned int);\r
-point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *);\r
-void EC_KEY_set_conv_form(EC_KEY *, point_conversion_form_t);\r
+void EC_KEY_set_enc_flags(EC_KEY *eckey, unsigned int flags);\r
+point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key);\r
+void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform);\r
 /* functions to set/get method specific data  */\r
-void *EC_KEY_get_key_method_data(EC_KEY *,\r
+void *EC_KEY_get_key_method_data(EC_KEY *key,\r
        void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));\r
-void EC_KEY_insert_key_method_data(EC_KEY *, void *data,\r
+/** Sets the key method data of an EC_KEY object, if none has yet been set.\r
+ *  \param  key              EC_KEY object\r
+ *  \param  data             opaque data to install.\r
+ *  \param  dup_func         a function that duplicates |data|.\r
+ *  \param  free_func        a function that frees |data|.\r
+ *  \param  clear_free_func  a function that wipes and frees |data|.\r
+ *  \return the previously set data pointer, or NULL if |data| was inserted.\r
+ */\r
+void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data,\r
        void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));\r
 /* wrapper functions for the underlying EC_GROUP object */\r
-void EC_KEY_set_asn1_flag(EC_KEY *, int);\r
+void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);\r
 \r
 /** Creates a table of pre-computed multiples of the generator to\r
  *  accelerate further EC_KEY operations.\r

diff --git a/contrib/openssl/include/openssl/evp.h b/contrib/openssl/include/openssl/evp.h
index c2e7998..57b0c14 100644 (file)
--- a/contrib/openssl/include/openssl/evp.h
+++ b/contrib/openssl/include/openssl/evp.h
@@ -402,7 +402,6 @@ struct evp_cipher_st
 /* Length of tag for TLS */\r
 #define EVP_GCM_TLS_TAG_LEN                            16\r
 \r
-\r
 typedef struct evp_cipher_info_st\r
        {\r
        const EVP_CIPHER *cipher;\r
@@ -789,8 +788,8 @@ const EVP_CIPHER *EVP_aes_128_cfb128(void);
 # define EVP_aes_128_cfb EVP_aes_128_cfb128\r
 const EVP_CIPHER *EVP_aes_128_ofb(void);\r
 const EVP_CIPHER *EVP_aes_128_ctr(void);\r
-const EVP_CIPHER *EVP_aes_128_gcm(void);\r
 const EVP_CIPHER *EVP_aes_128_ccm(void);\r
+const EVP_CIPHER *EVP_aes_128_gcm(void);\r
 const EVP_CIPHER *EVP_aes_128_xts(void);\r
 const EVP_CIPHER *EVP_aes_192_ecb(void);\r
 const EVP_CIPHER *EVP_aes_192_cbc(void);\r
@@ -800,8 +799,8 @@ const EVP_CIPHER *EVP_aes_192_cfb128(void);
 # define EVP_aes_192_cfb EVP_aes_192_cfb128\r
 const EVP_CIPHER *EVP_aes_192_ofb(void);\r
 const EVP_CIPHER *EVP_aes_192_ctr(void);\r
-const EVP_CIPHER *EVP_aes_192_gcm(void);\r
 const EVP_CIPHER *EVP_aes_192_ccm(void);\r
+const EVP_CIPHER *EVP_aes_192_gcm(void);\r
 const EVP_CIPHER *EVP_aes_256_ecb(void);\r
 const EVP_CIPHER *EVP_aes_256_cbc(void);\r
 const EVP_CIPHER *EVP_aes_256_cfb1(void);\r
@@ -810,8 +809,8 @@ const EVP_CIPHER *EVP_aes_256_cfb128(void);
 # define EVP_aes_256_cfb EVP_aes_256_cfb128\r
 const EVP_CIPHER *EVP_aes_256_ofb(void);\r
 const EVP_CIPHER *EVP_aes_256_ctr(void);\r
-const EVP_CIPHER *EVP_aes_256_gcm(void);\r
 const EVP_CIPHER *EVP_aes_256_ccm(void);\r
+const EVP_CIPHER *EVP_aes_256_gcm(void);\r
 const EVP_CIPHER *EVP_aes_256_xts(void);\r
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)\r
 const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void);\r
@@ -1243,6 +1242,8 @@ void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth,
        int (*ctrl_str)(EVP_PKEY_CTX *ctx,\r
                                        const char *type, const char *value));\r
 \r
+void EVP_add_alg_module(void);\r
+\r
 /* BEGIN ERROR CODES */\r
 /* The following lines are auto generated by the script mkerr.pl. Any changes\r
  * made after this point may be overwritten when the script is next run.\r
@@ -1257,6 +1258,7 @@ void ERR_load_EVP_strings(void);
 #define EVP_F_AES_INIT_KEY                              133\r
 #define EVP_F_AES_XTS                                   172\r
 #define EVP_F_AES_XTS_CIPHER                            175\r
+#define EVP_F_ALG_MODULE_INIT                           177\r
 #define EVP_F_CAMELLIA_INIT_KEY                                 159\r
 #define EVP_F_CMAC_INIT                                         173\r
 #define EVP_F_D2I_PKEY                                  100\r
@@ -1350,15 +1352,19 @@ void ERR_load_EVP_strings(void);
 #define EVP_R_DIFFERENT_PARAMETERS                      153\r
 #define EVP_R_DISABLED_FOR_FIPS                                 163\r
 #define EVP_R_ENCODE_ERROR                              115\r
+#define EVP_R_ERROR_LOADING_SECTION                     165\r
+#define EVP_R_ERROR_SETTING_FIPS_MODE                   166\r
 #define EVP_R_EVP_PBE_CIPHERINIT_ERROR                  119\r
 #define EVP_R_EXPECTING_AN_RSA_KEY                      127\r
 #define EVP_R_EXPECTING_A_DH_KEY                        128\r
 #define EVP_R_EXPECTING_A_DSA_KEY                       129\r
 #define EVP_R_EXPECTING_A_ECDSA_KEY                     141\r
 #define EVP_R_EXPECTING_A_EC_KEY                        142\r
+#define EVP_R_FIPS_MODE_NOT_SUPPORTED                   167\r
 #define EVP_R_INITIALIZATION_ERROR                      134\r
 #define EVP_R_INPUT_NOT_INITIALIZED                     111\r
 #define EVP_R_INVALID_DIGEST                            152\r
+#define EVP_R_INVALID_FIPS_MODE                                 168\r
 #define EVP_R_INVALID_KEY_LENGTH                        130\r
 #define EVP_R_INVALID_OPERATION                                 148\r
 #define EVP_R_IV_TOO_LARGE                              102\r
@@ -1383,6 +1389,7 @@ void ERR_load_EVP_strings(void);
 #define EVP_R_TOO_LARGE                                         164\r
 #define EVP_R_UNKNOWN_CIPHER                            160\r
 #define EVP_R_UNKNOWN_DIGEST                            161\r
+#define EVP_R_UNKNOWN_OPTION                            169\r
 #define EVP_R_UNKNOWN_PBE_ALGORITHM                     121\r
 #define EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS               135\r
 #define EVP_R_UNSUPPORTED_ALGORITHM                     156\r

diff --git a/contrib/openssl/include/openssl/opensslv.h b/contrib/openssl/include/openssl/opensslv.h
index 717db53..683966b 100644 (file)
--- a/contrib/openssl/include/openssl/opensslv.h
+++ b/contrib/openssl/include/openssl/opensslv.h
@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for\r
  *  major minor fix final patch/beta)\r
  */\r
-#define OPENSSL_VERSION_NUMBER 0x1000103fL\r
+#define OPENSSL_VERSION_NUMBER 0x1000104fL\r
 #ifdef OPENSSL_FIPS\r
-#define OPENSSL_VERSION_TEXT   "OpenSSL 1.0.1c-fips 10 May 2012"\r
+#define OPENSSL_VERSION_TEXT   "OpenSSL 1.0.1d-fips 5 Feb 2013"\r
 #else\r
-#define OPENSSL_VERSION_TEXT   "OpenSSL 1.0.1c 10 May 2012"\r
+#define OPENSSL_VERSION_TEXT   "OpenSSL 1.0.1d 5 Feb 2013"\r
 #endif\r
 #define OPENSSL_VERSION_PTEXT  " part of " OPENSSL_VERSION_TEXT\r
 \r

diff --git a/contrib/openssl/include/openssl/rsa.h b/contrib/openssl/include/openssl/rsa.h
index ce5bc98..a7c62fd 100644 (file)
--- a/contrib/openssl/include/openssl/rsa.h
+++ b/contrib/openssl/include/openssl/rsa.h
@@ -280,7 +280,7 @@ struct rsa_st
 \r
 RSA *  RSA_new(void);\r
 RSA *  RSA_new_method(ENGINE *engine);\r
-int    RSA_size(const RSA *);\r
+int    RSA_size(const RSA *rsa);\r
 \r
 /* Deprecated version */\r
 #ifndef OPENSSL_NO_DEPRECATED\r

diff --git a/contrib/openssl/include/openssl/ssl.h b/contrib/openssl/include/openssl/ssl.h
index 27e60d7..a3bcce2 100644 (file)
--- a/contrib/openssl/include/openssl/ssl.h
+++ b/contrib/openssl/include/openssl/ssl.h
@@ -493,6 +493,9 @@ struct ssl_session_st
        char *psk_identity_hint;\r
        char *psk_identity;\r
 #endif\r
+       /* Used to indicate that session resumption is not allowed.\r
+        * Applications can also set this bit for a new session via\r
+        * not_resumable_session_cb to disable session caching and tickets. */\r
        int not_resumable;\r
 \r
        /* The cert is the certificate used to establish this connection */\r
@@ -535,7 +538,7 @@ struct ssl_session_st
 #endif /* OPENSSL_NO_EC */\r
        /* RFC4507 info */\r
        unsigned char *tlsext_tick;     /* Session ticket */\r
-       size_t  tlsext_ticklen;         /* Session ticket length */\r
+       size_t tlsext_ticklen;          /* Session ticket length */\r
        long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */\r
 #endif\r
 #ifndef OPENSSL_NO_SRP\r
@@ -927,6 +930,7 @@ struct ssl_ctx_st
        /* Callback for status request */\r
        int (*tlsext_status_cb)(SSL *ssl, void *arg);\r
        void *tlsext_status_arg;\r
+\r
        /* draft-rescorla-tls-opaque-prf-input-00.txt information */\r
        int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg);\r
        void *tlsext_opaque_prf_input_callback_arg;\r
@@ -952,6 +956,7 @@ struct ssl_ctx_st
 #endif\r
 \r
 #ifndef OPENSSL_NO_TLSEXT\r
+\r
 # ifndef OPENSSL_NO_NEXTPROTONEG\r
        /* Next protocol negotiation information */\r
        /* (for experimental NPN extension). */\r
@@ -2206,6 +2211,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_GET_NEW_SESSION                       181\r
 #define SSL_F_SSL_GET_PREV_SESSION                      217\r
 #define SSL_F_SSL_GET_SERVER_SEND_CERT                  182\r
+#define SSL_F_SSL_GET_SERVER_SEND_PKEY                  317\r
 #define SSL_F_SSL_GET_SIGN_PKEY                                 183\r
 #define SSL_F_SSL_INIT_WBIO_BUFFER                      184\r
 #define SSL_F_SSL_LOAD_CLIENT_CA_FILE                   185\r

diff --git a/contrib/openssl/include/openssl/ssl3.h b/contrib/openssl/include/openssl/ssl3.h
index 4acc4d6..beddf73 100644 (file)
--- a/contrib/openssl/include/openssl/ssl3.h
+++ b/contrib/openssl/include/openssl/ssl3.h
@@ -578,8 +578,10 @@ typedef struct ssl3_state_st
 #define SSL3_ST_CW_CERT_VRFY_B         (0x191|SSL_ST_CONNECT)\r
 #define SSL3_ST_CW_CHANGE_A            (0x1A0|SSL_ST_CONNECT)\r
 #define SSL3_ST_CW_CHANGE_B            (0x1A1|SSL_ST_CONNECT)\r
+#ifndef OPENSSL_NO_NEXTPROTONEG\r
 #define SSL3_ST_CW_NEXT_PROTO_A                (0x200|SSL_ST_CONNECT)\r
 #define SSL3_ST_CW_NEXT_PROTO_B                (0x201|SSL_ST_CONNECT)\r
+#endif\r
 #define SSL3_ST_CW_FINISHED_A          (0x1B0|SSL_ST_CONNECT)\r
 #define SSL3_ST_CW_FINISHED_B          (0x1B1|SSL_ST_CONNECT)\r
 /* read from server */\r
@@ -629,8 +631,10 @@ typedef struct ssl3_state_st
 #define SSL3_ST_SR_CERT_VRFY_B         (0x1A1|SSL_ST_ACCEPT)\r
 #define SSL3_ST_SR_CHANGE_A            (0x1B0|SSL_ST_ACCEPT)\r
 #define SSL3_ST_SR_CHANGE_B            (0x1B1|SSL_ST_ACCEPT)\r
+#ifndef OPENSSL_NO_NEXTPROTONEG\r
 #define SSL3_ST_SR_NEXT_PROTO_A                (0x210|SSL_ST_ACCEPT)\r
 #define SSL3_ST_SR_NEXT_PROTO_B                (0x211|SSL_ST_ACCEPT)\r
+#endif\r
 #define SSL3_ST_SR_FINISHED_A          (0x1C0|SSL_ST_ACCEPT)\r
 #define SSL3_ST_SR_FINISHED_B          (0x1C1|SSL_ST_ACCEPT)\r
 /* write to client */\r
@@ -655,7 +659,9 @@ typedef struct ssl3_state_st
 #define SSL3_MT_CLIENT_KEY_EXCHANGE            16\r
 #define SSL3_MT_FINISHED                       20\r
 #define SSL3_MT_CERTIFICATE_STATUS             22\r
+#ifndef OPENSSL_NO_NEXTPROTONEG\r
 #define SSL3_MT_NEXT_PROTO                     67\r
+#endif\r
 #define DTLS1_MT_HELLO_VERIFY_REQUEST    3\r
 \r
 \r

diff --git a/contrib/openssl/include/openssl/symhacks.h b/contrib/openssl/include/openssl/symhacks.h
index 1b08289..4e3f0d6 100644 (file)
--- a/contrib/openssl/include/openssl/symhacks.h
+++ b/contrib/openssl/include/openssl/symhacks.h
@@ -193,17 +193,17 @@
 #undef SSL_CTX_set_srp_username_callback\r
 #define SSL_CTX_set_srp_username_callback      SSL_CTX_set_srp_un_cb\r
 #undef ssl_add_clienthello_use_srtp_ext\r
-#define ssl_add_clienthello_use_srtp_ext ssl_add_clihello_use_srtp_ext\r
+#define ssl_add_clienthello_use_srtp_ext       ssl_add_clihello_use_srtp_ext\r
 #undef ssl_add_serverhello_use_srtp_ext\r
-#define ssl_add_serverhello_use_srtp_ext ssl_add_serhello_use_srtp_ext\r
+#define ssl_add_serverhello_use_srtp_ext       ssl_add_serhello_use_srtp_ext\r
 #undef ssl_parse_clienthello_use_srtp_ext\r
-#define ssl_parse_clienthello_use_srtp_ext ssl_parse_clihello_use_srtp_ext\r
+#define ssl_parse_clienthello_use_srtp_ext     ssl_parse_clihello_use_srtp_ext\r
 #undef ssl_parse_serverhello_use_srtp_ext\r
-#define ssl_parse_serverhello_use_srtp_ext ssl_parse_serhello_use_srtp_ext\r
+#define ssl_parse_serverhello_use_srtp_ext     ssl_parse_serhello_use_srtp_ext\r
 #undef SSL_CTX_set_next_protos_advertised_cb\r
-#define SSL_CTX_set_next_protos_advertised_cb SSL_CTX_set_next_protos_adv_cb\r
+#define SSL_CTX_set_next_protos_advertised_cb  SSL_CTX_set_next_protos_adv_cb\r
 #undef SSL_CTX_set_next_proto_select_cb\r
-#define SSL_CTX_set_next_proto_select_cb SSL_CTX_set_next_proto_sel_cb\r
+#define SSL_CTX_set_next_proto_select_cb       SSL_CTX_set_next_proto_sel_cb\r
 \r
 /* Hack some long ENGINE names */\r
 #undef ENGINE_get_default_BN_mod_exp_crt\r
@@ -316,8 +316,6 @@
 #define ec_GFp_simple_point_set_to_infinity     ec_GFp_simple_pt_set_to_inf\r
 #undef ec_GFp_simple_points_make_affine\r
 #define ec_GFp_simple_points_make_affine       ec_GFp_simple_pts_make_affine\r
-#undef ec_GFp_simple_group_get_curve_GFp\r
-#define ec_GFp_simple_group_get_curve_GFp       ec_GFp_simple_grp_get_curve_GFp\r
 #undef ec_GFp_simple_set_Jprojective_coordinates_GFp\r
 #define ec_GFp_simple_set_Jprojective_coordinates_GFp \\r
                                                 ec_GFp_smp_set_Jproj_coords_GFp\r

diff --git a/contrib/openssl/news.txt b/contrib/openssl/news.txt
index 4f069cb..a5ba7dd 100644 (file)
--- a/contrib/openssl/news.txt
+++ b/contrib/openssl/news.txt
@@ -5,6 +5,14 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d:
+
+      o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version.
+      o Include the fips configuration module.
+      o Fix OCSP bad key DoS attack CVE-2013-0166
+      o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
+      o Fix for TLS AESNI record handling flaw CVE-2012-2686
+
   Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c:
 
       o Fix TLS/DTLS record length checking bug CVE-2012-2333

diff --git a/contrib/openssl/readme.txt b/contrib/openssl/readme.txt
index de51583..31bb2f0 100644 (file)
--- a/contrib/openssl/readme.txt
+++ b/contrib/openssl/readme.txt
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.1c 10 May 2012
+ OpenSSL 1.0.1d 5 Feb 2013
 
  Copyright (c) 1998-2011 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

diff --git a/dist/libeay32.dll b/dist/libeay32.dll
index 696b300..ac529bb 100644 (file)
Binary files a/dist/libeay32.dll and b/dist/libeay32.dll differ

diff --git a/dist/ssleay32.dll b/dist/ssleay32.dll
index c0d6d1f..d5c477e 100644 (file)
Binary files a/dist/ssleay32.dll and b/dist/ssleay32.dll differ

diff --git a/socketwrapper.c b/socketwrapper.c
index 6090cc2..c82d8cf 100644 (file)
--- a/socketwrapper.c
+++ b/socketwrapper.c
@@ -116,10 +116,10 @@ BOOL LoadOpenSSL()
                return FALSE;\r
 #ifdef ENABLE_PROCESS_PROTECTION\r
        // 同梱するOpenSSLのバージョンに合わせてSHA1ハッシュ値を変更すること\r
-       // ssleay32.dll 1.0.1c\r
-       RegisterTrustedModuleSHA1Hash("\x8A\xB5\x6D\x5E\x0B\x31\x80\x5E\x21\x55\x2D\x6E\x4F\xAF\xB1\x47\x7B\xD3\xB5\x23");\r
-       // libeay32.dll 1.0.1c\r
-       RegisterTrustedModuleSHA1Hash("\xB4\x88\x17\x2E\x5C\x26\x9D\x62\x83\x65\x3A\xC1\x1B\xC9\x6E\x70\x1A\x8D\x6E\x76");\r
+       // ssleay32.dll 1.0.1d\r
+       RegisterTrustedModuleSHA1Hash("\x52\x2F\xA2\x9D\xDC\x20\x73\x1D\xDF\x08\xEF\x79\x63\xA8\xB7\xC7\x68\xAC\x9F\xF4");\r
+       // libeay32.dll 1.0.1d\r
+       RegisterTrustedModuleSHA1Hash("\x16\x46\x92\xB4\x55\x67\xA4\x0B\x25\x0B\xBF\x05\xA7\xC7\x9E\xB7\x0F\x6E\xBE\x0D");\r
 #endif\r
        g_hOpenSSL = LoadLibrary("ssleay32.dll");\r
        // バージョン固定のためlibssl32.dllの読み込みは脆弱性の原因になり得るので廃止\r