Update PEM file.
pushd %~dp0\r
set var0=VC-WIN64A\r
set var1=..\dist\amd64\r
-perl Configure %var0% no-asm enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers\r
-md %var1%\r
+rem Use compat51.bat to support Windows XP or later.\r
+rem Use compat50.bat to support Windows 2000.\r
+call compat50.bat\r
perl nodebug.pl\r
nmake /f makefile\r
copy /y libeay32.dll %var1%\libeay32.dll\r
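Review bot: Dropping `md %var1%` leaves the later `copy /y libeay32.dll %var1%\libeay32.dll` dependent on the output directory already existing, because compat50.bat as added in this commit only runs Configure and compat50.pl. If `..\dist\amd64` is not guaranteed to be present in a fresh checkout, keep a guarded `if not exist %var1% md %var1%` before the copy. The same removal is made in the VC-WIN32 script that follows. The exit status of `call compat50.bat` is also not checked, so a failed Configure would fall through to `nmake`; `if errorlevel 1 exit /b 1` after the call would stop the build there.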
pushd %~dp0\r
set var0=VC-WIN32\r
set var1=..\dist\r
-perl Configure %var0% no-asm enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers\r
-md %var1%\r
+rem Use compat51.bat to support Windows XP or later.\r
+rem Use compat50.bat to support Windows 2000.\r
+call compat50.bat\r
perl nodebug.pl\r
nmake /f makefile\r
copy /y libeay32.dll %var1%\libeay32.dll\r
--- /dev/null
+perl Configure %var0% no-asm no-async enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers\r
+perl compat50.pl\r
+exit /b\r
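Review bot: The Configure line compiles SSLv3 and the weak cipher suites into the shipped library (`enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers`) with no comment recording why, and the same options are repeated in compat51.bat. Since these switches widen what the bundled OpenSSL will negotiate, state the intent next to them, for example `rem SSLv3 and weak ciphers are built in only for legacy servers; the application must not offer them by default.` if that is the reason. The `no-async` option that appears only in this Windows 2000 variant deserves a one-line `rem` as well, so that the difference from compat51.bat is not lost the next time OpenSSL is updated.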
--- /dev/null
+open(FILE, '<e_os.h');\r
+@data = <FILE>;\r
+close(FILE);\r
+open(FILE, '>e_os.h');\r
+for(@data)\r
+{\r
+ print FILE $_;\r
+}\r
+print FILE "#undef AI_PASSIVE\n";\r
+close(FILE);\r
+exit(0);\r
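Review bot: Neither `open` is checked, so a failed read of `e_os.h` leaves `@data` empty and the second `open` then truncates the header to the single `#undef AI_PASSIVE` line, which turns a missing or locked file into a confusing build failure further on. The script also uses two-argument `open` on a bareword handle and appends the `#undef` on every run, so repeated builds keep growing the header. I would check both opens, use the three-argument form with lexical handles, and append only when the line is not already there, as sketched below.

```perl
use strict;
use warnings;

my $header = 'e_os.h';

open(my $in, '<', $header) or die "cannot read $header: $!";
my @data = <$in>;
close($in);

# Append only once so that repeated builds leave the header unchanged.
unless (grep { /^#undef AI_PASSIVE\b/ } @data) {
    open(my $out, '>>', $header) or die "cannot append to $header: $!";
    print {$out} "#undef AI_PASSIVE\n";
    close($out) or die "cannot close $header: $!";
}
exit(0);
```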
--- /dev/null
+perl Configure %var0% no-asm enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers\r
+exit /b\r
print FILE $_;\r
}\r
close(FILE);\r
-exit(0);\r
BEGIN\r
DEFPUSHBUTTON "OK",IDOK,133,294,50,14\r
ICON ffftp,-1,7,4,20,20\r
- CTEXT "FFFTP Ver 1.99a-20160911",-1,113,11,90,8\r
+ CTEXT "FFFTP Ver 1.99a-20160924",-1,113,11,90,8\r
CTEXT "FFFTP\82Ífreeware\82Å\82·",-1,7,279,305,8\r
CTEXT "Copyright(C) 1997-2010 Sota & \82²\8b¦\97Í\82¢\82½\82¾\82¢\82½\95û\81X\nCopyright (C) 2011-2016 FFFTP Project (Hiromichi Matsushima, Suguru Kawamoto, IWAMOTO Kouichi, vitamin0x, \82¤\82È\81[, Asami, fortran90, tomo1192, Yuji Tanaka, Moriguchi Hirokazu, \82Ó\82¤\82¹\82ñ)",-1,7,25,305,44,SS_NOPREFIX\r
CTEXT "",ABOUT_JRE,7,96,305,8\r
//\r
\r
VS_VERSION_INFO VERSIONINFO\r
- FILEVERSION 1,99,1,5\r
- PRODUCTVERSION 1,99,1,5\r
+ FILEVERSION 1,99,1,6\r
+ PRODUCTVERSION 1,99,1,6\r
FILEFLAGSMASK 0x3fL\r
#ifdef _DEBUG\r
FILEFLAGS 0x1L\r
VALUE "Comments", "\82±\82ê\82Í\83t\83\8a\81[\83\\83t\83g\83E\83G\83A\82Å\82·\81B"\r
VALUE "CompanyName", "Sota, FFFTP Project"\r
VALUE "FileDescription", "FFFTP"\r
- VALUE "FileVersion", "1, 99, 1, 5"\r
+ VALUE "FileVersion", "1, 99, 1, 6"\r
VALUE "InternalName", "FFFTP"\r
VALUE "LegalCopyright", "Copyright (C) 1997-2010 Sota & \82²\8b¦\97Í\82¢\82½\82¾\82¢\82½\95û\81X\nCopyright (C) 2011-2016 FFFTP Project (Hiromichi Matsushima, Suguru Kawamoto, IWAMOTO Kouichi, vitamin0x, \82¤\82È\81[, Asami, fortran90, tomo1192, Yuji Tanaka, Moriguchi Hirokazu, \82Ó\82¤\82¹\82ñ)."\r
VALUE "OriginalFilename", "FFFTP.exe"\r
VALUE "ProductName", "FFFTP"\r
- VALUE "ProductVersion", "1, 99, 1, 5"\r
+ VALUE "ProductVersion", "1, 99, 1, 6"\r
END\r
END\r
BLOCK "VarFileInfo"\r
BEGIN\r
DEFPUSHBUTTON "OK",IDOK,132,296,50,14\r
ICON ffftp,-1,7,4,20,20\r
- CTEXT "FFFTP Ver 1.99a-20160911",-1,110,11,90,8\r
+ CTEXT "FFFTP Ver 1.99a-20160924",-1,110,11,90,8\r
CTEXT "FFFTP is freeware",-1,7,281,301,8\r
CTEXT "Copyright(C) 1997-2010 Sota && cooperators\nCopyright (C) 2011-2016 FFFTP Project (Hiromichi Matsushima, Suguru Kawamoto, IWAMOTO Kouichi, vitamin0x, unarist, Asami, fortran90, tomo1192, Yuji Tanaka, Moriguchi Hirokazu, Fu-sen)",-1,7,25,301,44\r
CTEXT "",ABOUT_JRE,7,93,301,8\r
//\r
\r
VS_VERSION_INFO VERSIONINFO\r
- FILEVERSION 1,99,1,5\r
- PRODUCTVERSION 1,99,1,5\r
+ FILEVERSION 1,99,1,6\r
+ PRODUCTVERSION 1,99,1,6\r
FILEFLAGSMASK 0x3fL\r
#ifdef _DEBUG\r
FILEFLAGS 0x1L\r
VALUE "Comments", "This software is Free Software"\r
VALUE "CompanyName", "Sota, FFFTP Project"\r
VALUE "FileDescription", "FFFTP"\r
- VALUE "FileVersion", "1, 99, 1, 5"\r
+ VALUE "FileVersion", "1, 99, 1, 6"\r
VALUE "InternalName", "FFFTP"\r
VALUE "LegalCopyright", "Copyright (C) 1997-2010 Sota & cooperators\nCopyright (C) 2011-2016 FFFTP Project (Hiromichi Matsushima, Suguru Kawamoto, IWAMOTO Kouichi, vitamin0x, unarist, Asami, fortran90, tomo1192, Yuji Tanaka, Moriguchi Hirokazu, Fu-sen)."\r
VALUE "OriginalFilename", "FFFTP.exe"\r
VALUE "ProductName", "FFFTP"\r
- VALUE "ProductVersion", "1, 99, 1, 5"\r
+ VALUE "ProductVersion", "1, 99, 1, 6"\r
END\r
END\r
BLOCK "VarFileInfo"\r
//#define PROGRAM_VERSION_NUM 1972 /* バージョン */\r
// 64ビット対応\r
#ifdef _WIN64\r
-#define VER_STR "1.99a-20160911 64bit"\r
+#define VER_STR "1.99a-20160924 64bit"\r
#else\r
-#define VER_STR "1.99a-20160911"\r
+#define VER_STR "1.99a-20160924"\r
#endif\r
#define VER_NUM 1990 /* 設定バージョン */\r
#define PROGRAM_VERSION_NUM 1990 /* バージョン */\r
// ソフトウェア自動更新\r
// リリースバージョンはリリース予定年(10進数4桁)+月(2桁)+日(2桁)+通し番号(0スタート2桁)とする\r
// 2014年7月31日中の30個目のリリースは2014073129\r
-#define RELEASE_VERSION_NUM 2016091100 /* リリースバージョン */\r
+#define RELEASE_VERSION_NUM 2016092400 /* リリースバージョン */\r
\r
\r
// SourceForge.JPによるフォーク\r
OpenSSL CHANGES
_______________
+ Changes between 1.1.0 and 1.1.0a [22 Sep 2016]
+
+ *) OCSP Status Request extension unbounded memory growth
+
+ A malicious client can send an excessively large OCSP Status Request
+ extension. If that client continually requests renegotiation, sending a
+ large OCSP Status Request extension each time, then there will be unbounded
+ memory growth on the server. This will eventually lead to a Denial Of
+ Service attack through memory exhaustion. Servers with a default
+ configuration are vulnerable even if they do not support OCSP. Builds using
+ the "no-ocsp" build time option are not affected.
+
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ (CVE-2016-6304)
+ [Matt Caswell]
+
+ *) SSL_peek() hang on empty record
+
+ OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer
+ sends an empty record. This could be exploited by a malicious peer in a
+ Denial Of Service attack.
+
+ This issue was reported to OpenSSL by Alex Gaynor.
+ (CVE-2016-6305)
+ [Matt Caswell]
+
+ *) Excessive allocation of memory in tls_get_message_header() and
+ dtls1_preprocess_fragment()
+
+ A (D)TLS message includes 3 bytes for its length in the header for the
+ message. This would allow for messages up to 16Mb in length. Messages of
+ this length are excessive and OpenSSL includes a check to ensure that a
+ peer is sending reasonably sized messages in order to avoid too much memory
+ being consumed to service a connection. A flaw in the logic of version
+ 1.1.0 means that memory for the message is allocated too early, prior to
+ the excessive message length check. Due to way memory is allocated in
+ OpenSSL this could mean an attacker could force up to 21Mb to be allocated
+ to service a connection. This could lead to a Denial of Service through
+ memory exhaustion. However, the excessive message length check still takes
+ place, and this would cause the connection to immediately fail. Assuming
+ that the application calls SSL_free() on the failed conneciton in a timely
+ manner then the 21Mb of allocated memory will then be immediately freed
+ again. Therefore the excessive memory allocation will be transitory in
+ nature. This then means that there is only a security impact if:
+
+ 1) The application does not call SSL_free() in a timely manner in the event
+ that the connection fails
+ or
+ 2) The application is working in a constrained environment where there is
+ very little free memory
+ or
+ 3) The attacker initiates multiple connection attempts such that there are
+ multiple connections in a state where memory has been allocated for the
+ connection; SSL_free() has not yet been called; and there is insufficient
+ memory to service the multiple requests.
+
+ Except in the instance of (1) above any Denial Of Service is likely to be
+ transitory because as soon as the connection fails the memory is
+ subsequently freed again in the SSL_free() call. However there is an
+ increased risk during this period of application crashes due to the lack of
+ memory - which would then mean a more serious Denial of Service.
+
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ (CVE-2016-6307 and CVE-2016-6308)
+ [Matt Caswell]
+
+ *) solaris-x86-cc, i.e. 32-bit configuration with vendor compiler,
+ had to be removed. Primary reason is that vendor assembler can't
+ assemble our modules with -KPIC flag. As result it, assembly
+ support, was not even available as option. But its lack means
+ lack of side-channel resistant code, which is incompatible with
+ security by todays standards. Fortunately gcc is readily available
+ prepackaged option, which we firmly point at...
+ [Andy Polyakov]
+
Changes between 1.0.2h and 1.1.0 [25 Aug 2016]
*) Windows command-line tool supports UTF-8 opt-in option for arguments
combination: call this in fips_test_suite.
[Steve Henson]
- *) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test
- and POST to handle Dual EC cases.
- [Steve Henson]
-
*) Add support for canonical generation of DSA parameter 'g'. See
FIPS 186-3 A.2.3.
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.1.0 and OpenSSL 1.1.0a [22 Sep 2016]
+
+ o OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
+ o SSL_peek() hang on empty record (CVE-2016-6305)
+ o Excessive allocation of memory in tls_get_message_header()
+ (CVE-2016-6307)
+ o Excessive allocation of memory in dtls1_preprocess_fragment()
+ (CVE-2016-6308)
+
Major changes between OpenSSL 1.0.2h and OpenSSL 1.1.0 [25 Aug 2016]
o Copyright text was shrunk to a boilerplate that points to the license
- OpenSSL 1.1.0 25 Aug 2016
+ OpenSSL 1.1.0a 22 Sep 2016
Copyright (c) 1998-2016 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
# define BIO_set_conn_port(b,port) BIO_ctrl(b,BIO_C_SET_CONNECT,1,(char *)port)
# define BIO_set_conn_address(b,addr) BIO_ctrl(b,BIO_C_SET_CONNECT,2,(char *)addr)
# define BIO_set_conn_ip_family(b,f) BIO_int_ctrl(b,BIO_C_SET_CONNECT,3,f)
-# define BIO_get_conn_hostname(b) ((const char *)BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0,NULL))
-# define BIO_get_conn_port(b) ((const char *)BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1,NULL))
-# define BIO_get_conn_address(b) ((const BIO_ADDR *)BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2,NULL))
+# define BIO_get_conn_hostname(b) ((const char *)BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0))
+# define BIO_get_conn_port(b) ((const char *)BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1))
+# define BIO_get_conn_address(b) ((const BIO_ADDR *)BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2))
# define BIO_get_conn_ip_family(b) BIO_ctrl(b,BIO_C_GET_CONNECT,3,NULL)
# define BIO_set_conn_mode(b,n) BIO_ctrl(b,BIO_C_SET_CONNECT_MODE,(n),NULL)
int OCSP_basic_sign(OCSP_BASICRESP *brsp,
X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
STACK_OF(X509) *certs, unsigned long flags);
+int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert);
+int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert);
+int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert);
X509_EXTENSION *OCSP_crlID_new(const char *url, long *n, char *tim);
#ifndef OPENSSL_SYS_WIN32\r
# define OPENSSL_SYS_WIN32 1\r
#endif\r
+#ifndef OPENSSL_NO_MD2\r
+# define OPENSSL_NO_MD2\r
+#endif\r
+#ifndef OPENSSL_NO_RC5\r
+# define OPENSSL_NO_RC5\r
+#endif\r
+#ifndef OPENSSL_THREADS\r
+# define OPENSSL_THREADS\r
+#endif\r
#ifndef OPENSSL_NO_ASAN\r
# define OPENSSL_NO_ASAN\r
#endif\r
+#ifndef OPENSSL_NO_ASM\r
+# define OPENSSL_NO_ASM\r
+#endif\r
+#ifndef OPENSSL_NO_ASYNC\r
+# define OPENSSL_NO_ASYNC\r
+#endif\r
#ifndef OPENSSL_NO_CRYPTO_MDEBUG\r
# define OPENSSL_NO_CRYPTO_MDEBUG\r
#endif\r
#ifndef OPENSSL_NO_HEARTBEATS\r
# define OPENSSL_NO_HEARTBEATS\r
#endif\r
-#ifndef OPENSSL_NO_MD2\r
-# define OPENSSL_NO_MD2\r
-#endif\r
#ifndef OPENSSL_NO_MSAN\r
# define OPENSSL_NO_MSAN\r
#endif\r
-#ifndef OPENSSL_NO_RC5\r
-# define OPENSSL_NO_RC5\r
-#endif\r
#ifndef OPENSSL_NO_SCTP\r
# define OPENSSL_NO_SCTP\r
#endif\r
#ifndef OPENSSL_NO_UNIT_TEST\r
# define OPENSSL_NO_UNIT_TEST\r
#endif\r
-#ifndef OPENSSL_THREADS\r
-# define OPENSSL_THREADS\r
-#endif\r
-#ifndef OPENSSL_NO_ASM\r
-# define OPENSSL_NO_ASM\r
-#endif\r
#ifndef OPENSSL_NO_AFALGENG\r
# define OPENSSL_NO_AFALGENG\r
#endif\r
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x1010000fL
+# define OPENSSL_VERSION_NUMBER 0x1010001fL
# ifdef OPENSSL_FIPS
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0-fips 25 Aug 2016"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0a-fips 22 Sep 2016"
# else
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0 25 Aug 2016"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0a 22 Sep 2016"
# endif
/*-
# define SSL_R_TLS_HEARTBEAT_PENDING 366
# define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367
# define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
+# define SSL_R_TOO_MANY_WARN_ALERTS 409
# define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS 314
# define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239
# define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242
##
## Bundle of CA Root Certificates
##
-## Certificate data from Mozilla as of: Wed Sep 7 03:12:05 2016
+## Certificate data from Mozilla as of: Wed Sep 14 03:12:05 2016
##
## This is a bundle of X.509 certificates of public Certificate Authorities
## (CA). These were automatically extracted from Mozilla's root certificates
## Just configure this file as the SSLCACertificateFile.
##
## Conversion done with mk-ca-bundle.pl version 1.26.
-## SHA1: 36aebbcc910dcab8838e6e721523d84f0ed20589
+## SHA256: 01bbf1ecdd693f554ff4dcbe15880b3e6c33188a956c15ff845d313ca69cfeb8
##
for(i = 0; i < 5; i++)\r
Hash[i] = _byteswap_ulong(Hash[i]);\r
// 同梱する"ssl.pem"に合わせてSHA1ハッシュ値を変更すること\r
- if(memcmp(&Hash, &SSLRootCAFileHash, 20) == 0 || memcmp(&Hash, "\xDF\x8E\xE2\x5A\xC7\x01\x03\x1C\x3A\x61\x00\xA2\x53\xCA\xF8\xDC\xA0\xC1\xA6\x3B", 20) == 0\r
+ if(memcmp(&Hash, &SSLRootCAFileHash, 20) == 0 || memcmp(&Hash, "\x73\xB7\x54\x80\xEE\x1C\x4C\x66\x1C\x57\xD2\x0B\xDF\x85\xAD\x11\x69\xAF\x14\x8B", 20) == 0\r
|| DialogBox(GetFtpInst(), MAKEINTRESOURCE(updatesslroot_dlg), GetMainHwnd(), ExeEscDialogProc) == YES)\r
{\r
memcpy(&SSLRootCAFileHash, &Hash, 20);\r
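Review bot: The bundled `ssl.pem` is still pinned by a bare 20-byte SHA-1 literal inside the `memcmp` condition, although the bundle header updated in this same commit now publishes a SHA256 digest instead of SHA1. SHA-1 is a weak basis for deciding whether a trust store may be accepted without asking the user, so it is worth planning a move of this comparison to SHA-256; the `RegisterTrustedModuleSHA1Hash` calls in the next hunk pin the OpenSSL DLLs the same way. Until then, label the literal as the DLL hashes are labelled, for example `// ssl.pem, Mozilla certificate data as of 2016-09-14`, so a reviewer can tell which file the bytes belong to and notice a stale value. The enclosing function starts and ends outside this hunk, so how `Hash` is computed is not visible here.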
#ifdef ENABLE_PROCESS_PROTECTION\r
// 同梱するOpenSSLのバージョンに合わせてSHA1ハッシュ値を変更すること\r
#if defined(_M_IX86)\r
- // ssleay32.dll 1.1.0\r
- RegisterTrustedModuleSHA1Hash("\x91\x4D\xEC\xE1\x30\x6C\xCB\x62\x89\xA6\xC1\x55\xC5\x94\x05\xF6\xA1\x58\x60\x7F");\r
- // libeay32.dll 1.1.0\r
- RegisterTrustedModuleSHA1Hash("\xAF\xE4\xFF\x1D\xC6\xCE\x4F\x76\xE9\x84\x16\x4F\xA3\xC4\x75\x72\xAF\xE0\x83\x07");\r
+ // ssleay32.dll 1.1.0a\r
+ RegisterTrustedModuleSHA1Hash("\xBF\x25\x75\x85\x71\x67\x5D\x3E\x07\x11\x40\xE2\x47\xC0\xE0\x5C\xB2\xCD\xC3\x12");\r
+ // libeay32.dll 1.1.0a\r
+ RegisterTrustedModuleSHA1Hash("\x0A\x29\x8D\xAC\x2C\xA2\xB1\x43\x2B\x9F\xA4\xD8\x14\x80\x9B\x04\xD9\x23\x73\x41");\r
#elif defined(_M_AMD64)\r
- // ssleay32.dll 1.1.0\r
- RegisterTrustedModuleSHA1Hash("\xD6\x21\xD0\xF5\xDA\x9D\xD5\x3F\x92\xD3\x63\xD5\xDC\x5D\xBB\xE6\x49\xE2\x7E\x72");\r
- // libeay32.dll 1.1.0\r
- RegisterTrustedModuleSHA1Hash("\xFA\xFA\xB7\x06\x58\x46\x5A\x5F\x41\x05\x28\x9F\x65\x57\xD2\x4B\xC6\x1B\xE6\x02");\r
+ // ssleay32.dll 1.1.0a\r
+ RegisterTrustedModuleSHA1Hash("\xCE\x74\x3E\x3D\x88\x2C\xC4\xAC\x33\x53\xD4\x5A\xAE\x17\x4F\x59\x01\x8A\x6E\xAB");\r
+ // libeay32.dll 1.1.0a\r
+ RegisterTrustedModuleSHA1Hash("\xA1\x40\x78\xD1\xD5\x47\xCA\x47\x8A\x03\x93\xBC\x9E\xAD\xFA\xCA\x65\x1F\x36\x78");\r
#endif\r
#endif\r
g_hOpenSSL = LoadLibrary("ssleay32.dll");\r