Merge branch 'maint'

Conflicts:
	OTP_VERSION

12 files changed, 148 insertions, 8 deletions

diff --git a/lib/public_key/doc/src/notes.xml b/lib/public_key/doc/src/notes.xml
index 7a7c828760..a4c0194328 100644
--- a/lib/public_key/doc/src/notes.xml
+++ b/lib/public_key/doc/src/notes.xml
@@ -35,6 +35,30 @@
     <file>notes.xml</file>
   </header>
 
+<section><title>Public_Key 1.5.1</title>
+
+    <section><title>Improvements and New Features</title>
+      <list>
+        <item>
+          <p>
+	    Hostname verification: Add handling of the general name
+	    <c>iPAddress</c> in certificate's subject alternative
+	    name extension (<c>subjAltName</c>).</p>
+          <p>
+	    Own Id: OTP-14653</p>
+        </item>
+        <item>
+          <p>
+	    Correct key handling in pkix_test_data/1 and use a
+	    generic example mail address instead of an existing one.</p>
+          <p>
+	    Own Id: OTP-14766</p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
 <section><title>Public_Key 1.5</title>
 
     <section><title>Fixed Bugs and Malfunctions</title>
diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
index 38e8f30a25..9e5e288a1a 100644
--- a/lib/public_key/test/public_key_SUITE.erl
+++ b/lib/public_key/test/public_key_SUITE.erl
@@ -1034,8 +1034,6 @@ pkix_verify_hostname_subjAltName_IP(Config) ->
     true  =  public_key:pkix_verify_hostname(Cert, [{ip, {10,67,16,75}}]),
     false =  public_key:pkix_verify_hostname(Cert, [{ip, {1,2,3,4}}]),
     false =  public_key:pkix_verify_hostname(Cert, [{ip, {10,11,12,13}}]).
-        
-
 %%--------------------------------------------------------------------
 pkix_iso_rsa_oid() ->
  [{doc, "Test workaround for supporting certs that use ISO oids"
diff --git a/lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem b/lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem
index 97d12cdadf..dc20285f30 100644
--- a/lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem
+++ b/lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem
@@ -1,4 +1,5 @@
 -----BEGIN CERTIFICATE-----
+<<<<<<< HEAD
 MIICBzCCAXCgAwIBAgIJAJgbo5FL73LuMA0GCSqGSIb3DQEBCwUAMCMxCzAJBgNV
 BAYTAlNFMRQwEgYDVQQDEwtleGFtcGxlLmNvbTAeFw0xNzEwMTExMDM0NDJaFw0x
 NzExMTAxMDM0NDJaMCMxCzAJBgNVBAYTAlNFMRQwEgYDVQQDEwtleGFtcGxlLmNv
@@ -10,4 +11,17 @@ S4cQq80A7wAAAAAAAAAAAAAAAYYTaHR0cHM6Ly8xMC4xMS4xMi4xMzANBgkqhkiG
 9w0BAQsFAAOBgQDMn8aqs/5FkkWhspvN2n+D2l87M+33a5My54ZVZhayZ/KRmhCN
 Gix/BiVYJ3UlmWmGcnQXb3MLt/LQHaD3S2whDaLN3xJ8BbnX7A4ZTybitdyeFhDw
 K3iDVUM3bSsBJ4EcBPWIMnow3ALP5HlGRMlH/87Qt+uVPXuwNh9pmyIhRQ==
+=======
+MIIB/zCCAWigAwIBAgIJAMoSejmTjwAGMA0GCSqGSIb3DQEBCwUAMB8xCzAJBgNV
+BAYTAlNFMRAwDgYDVQQDEwc1LjYuNy44MB4XDTE3MDkyODE0MDAxNVoXDTE3MTAy
+ODE0MDAxNVowHzELMAkGA1UEBhMCU0UxEDAOBgNVBAMTBzUuNi43LjgwgZ8wDQYJ
+KoZIhvcNAQEBBQADgY0AMIGJAoGBAMUPU89KwVbTCDkyxQSz3wprMbZTLe35K6jm
+Q7oY1rJyVXjsFHwZrFqqNMScEyX40rJhczQ2Z9etEX6qYLbdb/DZeFcKo14fR583
+QMFZC+qqpLWHdvjaQN0KwD99VFeZIGpRgywG8SR+BXZjDHUkGsMrikAEJtf0Tgih
+IPyiFtiJAgMBAAGjQzBBMD8GA1UdEQQ4MDaCBzEuMi4zLjSHBAUGBwiHEKvNAO8A
+AAAAAAAAAAAAAAGGE2h0dHBzOi8vMTAuMTEuMTIuMTMwDQYJKoZIhvcNAQELBQAD
+gYEAtWVeQaRFZ0kH/pzSWMSsOCUrjbwlWRwDNbagNKoM6nCRv0QQ59fG6XrVZwR3
+c0s5arlMh3U2+bjKE+Iq9+b/lN1lGzf8iaAqBNa7KptwTSUEY3TiNG5X0zlSXKTI
+3z7AaUEtghL9ImCPj5V3tVksqWd7U0zLmeeLZnM+wGAL9Hc=
+>>>>>>> maint-20
 -----END CERTIFICATE-----
diff --git a/lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf b/lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf
index 798592e4f6..f27dac07ec 100644
--- a/lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf
+++ b/lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf
@@ -5,13 +5,21 @@ distinguished_name = DN
 [DN]
 C=SE
 CN=example.com
+<<<<<<< HEAD
+=======
+CN=5.6.7.8
+>>>>>>> maint-20
 
 [SAN]
 subjectAltName = @alt_names
 
 [alt_names]
 DNS = 1.2.3.4
+<<<<<<< HEAD
 IP.1 = 10.67.16.75
+=======
+IP.1 = 5.6.7.8
+>>>>>>> maint-20
 IP.2 = abcd:ef::1
 URI = https://10.11.12.13
 
diff --git a/lib/public_key/vsn.mk b/lib/public_key/vsn.mk
index bb96c2237d..c01d8820f2 100644
--- a/lib/public_key/vsn.mk
+++ b/lib/public_key/vsn.mk
@@ -1 +1 @@
-PUBLIC_KEY_VSN = 1.5
+PUBLIC_KEY_VSN = 1.5.1
diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
index 4c6a204e63..a8450c2630 100644
--- a/lib/ssl/doc/src/notes.xml
+++ b/lib/ssl/doc/src/notes.xml
@@ -28,6 +28,84 @@
   <p>This document describes the changes made to the SSL application.</p>
 
 
+<section><title>SSL 8.2.2</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    TLS sessions must be registered with SNI if provided, so
+	    that sessions where client hostname verification would
+	    fail can not connect reusing a session created when the
+	    server name verification succeeded.</p>
+          <p>
+	    Own Id: OTP-14632</p>
+        </item>
+        <item>
+	    <p> An erlang TLS server configured with cipher suites
+	    using rsa key exchange, may be vulnerable to an Adaptive
+	    Chosen Ciphertext attack (AKA Bleichenbacher attack)
+	    against RSA, which when exploited, may result in
+	    plaintext recovery of encrypted messages and/or a
+	    Man-in-the-middle (MiTM) attack, despite the attacker not
+	    having gained access to the server’s private key
+	    itself. <url
+	    href="https://nvd.nist.gov/vuln/detail/CVE-2017-1000385">CVE-2017-1000385</url>
+	    </p> <p> Exploiting this vulnerability to perform
+	    plaintext recovery of encrypted messages will, in most
+	    practical cases, allow an attacker to read the plaintext
+	    only after the session has completed. Only TLS sessions
+	    established using RSA key exchange are vulnerable to this
+	    attack. </p> <p> Exploiting this vulnerability to conduct
+	    a MiTM attack requires the attacker to complete the
+	    initial attack, which may require thousands of server
+	    requests, during the handshake phase of the targeted
+	    session within the window of the configured handshake
+	    timeout. This attack may be conducted against any TLS
+	    session using RSA signatures, but only if cipher suites
+	    using RSA key exchange are also enabled on the server.
+	    The limited window of opportunity, limitations in
+	    bandwidth, and latency make this attack significantly
+	    more difficult to execute. </p> <p> RSA key exchange is
+	    enabled by default although least prioritized if server
+	    order is honored. For such a cipher suite to be chosen it
+	    must also be supported by the client and probably the
+	    only shared cipher suite. </p> <p> Captured TLS sessions
+	    encrypted with ephemeral cipher suites (DHE or ECDHE) are
+	    not at risk for subsequent decryption due to this
+	    vulnerability. </p> <p> As a workaround if default cipher
+	    suite configuration was used you can configure the server
+	    to not use vulnerable suites with the ciphers option like
+	    this: </p> <c> {ciphers, [Suite || Suite &lt;-
+	    ssl:cipher_suites(), element(1,Suite) =/= rsa]} </c> <p>
+	    that is your code will look somethingh like this: </p>
+	    <c> ssl:listen(Port, [{ciphers, [Suite || Suite &lt;-
+	    ssl:cipher_suites(), element(1,S) =/= rsa]} | Options]).
+	    </c> <p> Thanks to Hanno Böck, Juraj Somorovsky and
+	    Craig Young for reporting this vulnerability. </p>
+          <p>
+	    Own Id: OTP-14748</p>
+        </item>
+      </list>
+    </section>
+
+
+    <section><title>Improvements and New Features</title>
+      <list>
+        <item>
+          <p>
+	    If no SNI is available and the hostname is an IP-address
+	    also check for IP-address match. This check is not as
+	    good as a DNS hostname check and certificates using
+	    IP-address are not recommended.</p>
+          <p>
+	    Own Id: OTP-14655</p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
 <section><title>SSL 8.2.1</title>
 
     <section><title>Fixed Bugs and Malfunctions</title>
diff --git a/lib/ssl/src/dtls_connection.erl b/lib/ssl/src/dtls_connection.erl
index eed49ca090..1907b67690 100644
--- a/lib/ssl/src/dtls_connection.erl
+++ b/lib/ssl/src/dtls_connection.erl
@@ -461,7 +461,6 @@ init({call, _} = Type, Event, #state{role = server} = State) ->
     ssl_connection:?FUNCTION_NAME(Type, Event, State#state{flight_state = reliable}, ?MODULE);
 init(Type, Event, State) ->
     ssl_connection:?FUNCTION_NAME(Type, Event, State, ?MODULE).
-
 %%--------------------------------------------------------------------
 -spec error(gen_statem:event_type(),
 	   {start, timeout()} | term(), #state{}) ->
@@ -596,6 +595,7 @@ abbreviated(state_timeout, Event, State) ->
     handle_state_timeout(Event, ?FUNCTION_NAME, State);
 abbreviated(Type, Event, State) ->
     ssl_connection:?FUNCTION_NAME(Type, Event, State, ?MODULE).
+
 %%--------------------------------------------------------------------
 -spec certify(gen_statem:event_type(), term(), #state{}) ->
 		     gen_statem:state_function_result().
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 79485833e0..414b181078 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -1541,8 +1541,25 @@ server_certify_and_key_exchange(State0, Connection) ->
     request_client_cert(State2, Connection).
 
 certify_client_key_exchange(#encrypted_premaster_secret{premaster_secret= EncPMS},
-			    #state{private_key = Key} = State, Connection) ->
-    PremasterSecret = ssl_handshake:premaster_secret(EncPMS, Key),
+			    #state{private_key = Key, client_hello_version = {Major, Minor} = Version} = State, Connection) ->
+
+    %% Countermeasure for Bleichenbacher attack always provide some kind of premaster secret
+    %% and fail handshake later.RFC 5246 section 7.4.7.1.
+    PremasterSecret =
+        try ssl_handshake:premaster_secret(EncPMS, Key) of
+            Secret when erlang:byte_size(Secret) == ?NUM_OF_PREMASTERSECRET_BYTES ->
+                case Secret of
+                    <<?BYTE(Major), ?BYTE(Minor), _/binary>> -> %% Correct
+                        Secret;
+                    <<?BYTE(_), ?BYTE(_), Rest/binary>> -> %% Version mismatch
+                        <<?BYTE(Major), ?BYTE(Minor), Rest/binary>>
+                end;
+            _ -> %% erlang:byte_size(Secret) =/= ?NUM_OF_PREMASTERSECRET_BYTES
+                make_premaster_secret(Version, rsa)
+        catch 
+            #alert{description = ?DECRYPT_ERROR} ->
+                make_premaster_secret(Version, rsa)     
+        end,        
     calculate_master_secret(PremasterSecret, State, Connection, certify, cipher);
 certify_client_key_exchange(#client_diffie_hellman_public{dh_public = ClientPublicDhKey},
 			    #state{diffie_hellman_params = #'DHParameter'{} = Params,
diff --git a/lib/ssl/src/ssl_connection.hrl b/lib/ssl/src/ssl_connection.hrl
index 3e26f67de1..f9d2149170 100644
--- a/lib/ssl/src/ssl_connection.hrl
+++ b/lib/ssl/src/ssl_connection.hrl
@@ -57,6 +57,7 @@
 	  session_cache_cb      :: atom(),
 	  crl_db                :: term(), 
           negotiated_version    :: ssl_record:ssl_version() | 'undefined',
+          client_hello_version  :: ssl_record:ssl_version() | 'undefined',
           client_certificate_requested = false :: boolean(),
 	  key_algorithm         :: ssl_cipher:key_algo(),
 	  hashsign_algorithm = {undefined, undefined},
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 1560340ccf..24f3a97b9b 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1224,7 +1224,6 @@ certificate_authorities_from_db(_CertDbHandle, {extracted, CertDbData}) ->
 		[], CertDbData).
 
 %%-------------Handle handshake messages --------------------------------
-
 validation_fun_and_state({Fun, UserState0}, Role,  CertDbHandle, CertDbRef, 
                          ServerNameIndication, CRLCheck, CRLDbHandle, CertPath) ->
     {fun(OtpCert, {extension, _} = Extension, {SslState, UserState}) ->
diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl
index 43422fab8d..a43e0ac56e 100644
--- a/lib/ssl/src/tls_connection.erl
+++ b/lib/ssl/src/tls_connection.erl
@@ -476,6 +476,7 @@ hello(internal, #client_hello{client_version = ClientVersion} = Hello,
 	    gen_handshake(ssl_connection, hello, internal, {common_client_hello, Type, ServerHelloExt},
 				 State#state{connection_states  = ConnectionStates,
 					     negotiated_version = Version,
+                                             client_hello_version = ClientVersion,
 					     hashsign_algorithm = HashSign,
 					     session = Session,
 					     negotiated_protocol = Protocol})
diff --git a/lib/ssl/vsn.mk b/lib/ssl/vsn.mk
index bb77326751..cf6481d14c 100644
--- a/lib/ssl/vsn.mk
+++ b/lib/ssl/vsn.mk
@@ -1 +1 @@
-SSL_VSN = 8.2.1
+SSL_VSN = 8.2.2