18 files changed, 96 insertions, 115 deletions

diff --git a/erts/emulator/beam/global.h b/erts/emulator/beam/global.h
index 280421952e..ecd3c8f68a 100644
--- a/erts/emulator/beam/global.h
+++ b/erts/emulator/beam/global.h
@@ -1499,7 +1499,7 @@ erts_cmp_timeval(SysTimeval *t1p, SysTimeval *t2p)
 #endif
 
 #ifdef DEBUG
-void p_slpq(_VOID_);
+void p_slpq(void);
 #endif
 
 /* utils.c */
diff --git a/lib/public_key/asn1/OTP-PKIX.asn1 b/lib/public_key/asn1/OTP-PKIX.asn1
index c0cf440496..ad704191a9 100644
--- a/lib/public_key/asn1/OTP-PKIX.asn1
+++ b/lib/public_key/asn1/OTP-PKIX.asn1
@@ -302,18 +302,25 @@ SupportedPublicKeyAlgorithms PUBLIC-KEY-ALGORITHM-CLASS ::= {
 
    --   DSA Keys and Signatures
 
+
+      DSAParams  ::=  CHOICE
+       {
+        params     Dss-Parms,
+        null       NULL
+       }
+
    -- SubjectPublicKeyInfo:
 
    dsa PUBLIC-KEY-ALGORITHM-CLASS ::= {
        ID id-dsa
-       TYPE Dss-Parms -- XXX Must be OPTIONAL
+       TYPE DSAParams -- XXX Must be OPTIONAL
        PUBLIC-KEY-TYPE DSAPublicKey }
 
    -- Certificate.signatureAlgorithm
 
    dsa-with-sha1 SIGNATURE-ALGORITHM-CLASS ::= {
-		 ID id-dsa-with-sha1 
-		 TYPE Dss-Parms } 
+		 ID id-dsa-with-sha1
+		 TYPE  DSAParams }
 
 				  --
    --   RSA Keys and Signatures
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index c1819e6ddc..ac59b6313d 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -223,10 +223,15 @@ validate_revoked_status(_OtpCert, UserState, _VerifyFun) ->
 %%--------------------------------------------------------------------	
 validate_extensions(OtpCert, ValidationState, UserState, VerifyFun) ->
     TBSCert = OtpCert#'OTPCertificate'.tbsCertificate,
-    Extensions = TBSCert#'OTPTBSCertificate'.extensions,
-    validate_extensions(OtpCert, Extensions, ValidationState, no_basic_constraint,
-			is_self_signed(OtpCert), UserState, VerifyFun).
-
+    case TBSCert#'OTPTBSCertificate'.version of
+	N when N >= 3 ->
+	    Extensions = TBSCert#'OTPTBSCertificate'.extensions,
+	    validate_extensions(OtpCert, Extensions,
+				ValidationState, no_basic_constraint,
+				is_self_signed(OtpCert), UserState, VerifyFun);
+	_ -> %% Extensions not present in versions 1 & 2
+	    {ValidationState, UserState}
+    end.
 %%--------------------------------------------------------------------
 -spec normalize_general_name({rdnSequence, term()}) -> {rdnSequence, term()}. 
 %%
@@ -389,10 +394,12 @@ public_key_info(PublicKeyInfo,
     
     NewPublicKeyParams =
 	case PublicKeyParams of
-	    'NULL' when WorkingAlgorithm == Algorithm ->
+	    {null, 'NULL'} when WorkingAlgorithm == Algorithm ->
 		WorkingParams;
-	    _ ->
-		PublicKeyParams
+	    {params, Params} ->
+		Params;
+	    Params ->
+		Params
 	end,
     {Algorithm, PublicKey, NewPublicKeyParams}.
 
diff --git a/lib/public_key/src/public_key.appup.src b/lib/public_key/src/public_key.appup.src
index c9d15b8747..adc50d1d45 100644
--- a/lib/public_key/src/public_key.appup.src
+++ b/lib/public_key/src/public_key.appup.src
@@ -1,7 +1,7 @@
 %% -*- erlang -*-
 {"%VSN%",
  [
-  {"0.7",
+  {"0.8",
    [
     {update, 'OTP-PUB-KEY', soft, soft_purge, soft_purge, []},
     {update, public_key, soft, soft_purge, soft_purge, []},
@@ -9,29 +9,10 @@
     {update, pubkey_cert_records, soft, soft_purge, soft_purge, []}
     {update, pubkey_cert, soft, soft_purge, soft_purge, []}
    ]
-  },
-  {"0.6",
-   [
-    {update, 'OTP-PUB-KEY', soft, soft_purge, soft_purge, []},
-    {update, public_key, soft, soft_purge, soft_purge, []},
-    {update, pubkey_pem, soft, soft_purge, soft_purge, []},
-    {update, pubkey_cert_records, soft, soft_purge, soft_purge, []}
-    {update, pubkey_cert, soft, soft_purge, soft_purge, []}
-   ]
-  },
-  {"0.5",
-   [
-    {update, 'OTP-PUB-KEY', soft, soft_purge, soft_purge, []},
-    {update, public_key, soft, soft_purge, soft_purge, []},
-    {update, pubkey_crypto, soft, soft_purge, soft_purge, []},
-    {update, pubkey_pem, soft, soft_purge, soft_purge, []},
-    {update, pubkey_cert_records, soft, soft_purge, soft_purge, []},
-    {update, pubkey_cert, soft, soft_purge, soft_purge, []}
-   ]
   }
  ],
  [
-  {"0.7",
+  {"0.8",
    [
     {update, 'OTP-PUB-KEY', soft, soft_purge, soft_purge, []},
     {update, public_key, soft, soft_purge, soft_purge, []},
@@ -39,24 +20,5 @@
     {update, pubkey_cert_records, soft, soft_purge, soft_purge, []}
     {update, pubkey_cert, soft, soft_purge, soft_purge, []}
    ]
-  },
-  {"0.6",
-   [
-    {update, 'OTP-PUB-KEY', soft, soft_purge, soft_purge, []},
-    {update, public_key, soft, soft_purge, soft_purge, []},
-    {update, pubkey_pem, soft, soft_purge, soft_purge, []},
-    {update, pubkey_cert_records, soft, soft_purge, soft_purge, []}
-    {update, pubkey_cert, soft, soft_purge, soft_purge, []}
-   ]
-  },
-  {"0.5",
-   [
-    {update, 'OTP-PUB-KEY', soft, soft_purge, soft_purge, []},
-    {update, public_key, soft, soft_purge, soft_purge, []},
-    {update, pubkey_crypto, soft, soft_purge, soft_purge, []},
-    {update, pubkey_pem, soft, soft_purge, soft_purge, []},
-    {update, pubkey_cert_records, soft, soft_purge, soft_purge, []},
-    {update, pubkey_cert, soft, soft_purge, soft_purge, []}
-   ]
-  }
+   }
  ]}.
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index 6de5f388dc..aa3018bd2d 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -437,7 +437,7 @@ pkix_normalize_name(Issuer) ->
     pubkey_cert:normalize_general_name(Issuer).
 
 %%-------------------------------------------------------------------- 
--spec pkix_path_validation(der_encoded()| #'OTPCertificate'{} | unknown_ca,
+-spec pkix_path_validation(der_encoded()| #'OTPCertificate'{} | atom(),
 			   CertChain :: [der_encoded()] , 
 			   Options :: list()) ->  
 				  {ok, {PublicKeyInfo :: term(), 
@@ -445,11 +445,11 @@ pkix_normalize_name(Issuer) ->
 				  {error, {bad_cert, Reason :: term()}}.
 %% Description: Performs a basic path validation according to RFC 5280.
 %%--------------------------------------------------------------------
-pkix_path_validation(unknown_ca, [Cert | Chain], Options0) ->
+pkix_path_validation(PathErr, [Cert | Chain], Options0) when is_atom(PathErr)->
     {VerifyFun, Userstat0} =
 	proplists:get_value(verify_fun, Options0, ?DEFAULT_VERIFYFUN),
     Otpcert = pkix_decode_cert(Cert, otp),
-    Reason = {bad_cert, unknown_ca},
+    Reason = {bad_cert, PathErr},
     try VerifyFun(Otpcert, Reason, Userstat0) of
 	{valid, Userstate} ->
 	    Options = proplists:delete(verify_fun, Options0),
@@ -575,7 +575,7 @@ sized_binary(List) ->
 %%--------------------------------------------------------------------
 pem_to_der(CertSource) ->
     {ok, Bin} = file:read_file(CertSource),
-    pubkey_pem:decode(Bin).
+    {ok, pubkey_pem:decode(Bin)}.
 
 decode_private_key(KeyInfo) ->
     decode_private_key(KeyInfo, no_passwd).
diff --git a/lib/public_key/test/erl_make_certs.erl b/lib/public_key/test/erl_make_certs.erl
index e31e5552d3..8b01ca3ad4 100644
--- a/lib/public_key/test/erl_make_certs.erl
+++ b/lib/public_key/test/erl_make_certs.erl
@@ -66,7 +66,7 @@ make_cert(Opts) ->
 %% @end
 %%--------------------------------------------------------------------
 write_pem(Dir, FileName, {Cert, Key = {_,_,not_encrypted}}) when is_binary(Cert) ->
-    ok = der_to_pem(filename:join(Dir, FileName ++ ".pem"), 
+    ok = der_to_pem(filename:join(Dir, FileName ++ ".pem"),
 			       [{'Certificate', Cert, not_encrypted}]),
     ok = der_to_pem(filename:join(Dir, FileName ++ "_key.pem"), [Key]).
 
@@ -268,7 +268,7 @@ publickey(#'RSAPrivateKey'{modulus=N, publicExponent=E}) ->
 			       subjectPublicKey = Public};
 publickey(#'DSAPrivateKey'{p=P, q=Q, g=G, y=Y}) ->
     Algo = #'PublicKeyAlgorithm'{algorithm= ?'id-dsa', 
-				 parameters=#'Dss-Parms'{p=P, q=Q, g=G}},
+				 parameters={params, #'Dss-Parms'{p=P, q=Q, g=G}}},
     #'OTPSubjectPublicKeyInfo'{algorithm = Algo, subjectPublicKey = Y}.
 
 validity(Opts) ->
@@ -290,7 +290,7 @@ sign_algorithm(#'RSAPrivateKey'{}, Opts) ->
 	   end,
     {Type, 'NULL'};
 sign_algorithm(#'DSAPrivateKey'{p=P, q=Q, g=G}, _Opts) ->
-    {?'id-dsa-with-sha1', #'Dss-Parms'{p=P, q=Q, g=G}}.
+    {?'id-dsa-with-sha1', {params,#'Dss-Parms'{p=P, q=Q, g=G}}}.
 
 make_key(rsa, _Opts) ->
     %% (OBS: for testing only)
diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
index ea6a925139..829b6a9215 100644
--- a/lib/public_key/test/public_key_SUITE.erl
+++ b/lib/public_key/test/public_key_SUITE.erl
@@ -411,11 +411,11 @@ deprecated(suite) ->
     [];
 deprecated(Config) when is_list(Config) -> 
     Datadir = ?config(data_dir, Config),
-    [DsaKey = {'DSAPrivateKey', _DsaKey, _}] = 
+    {ok, [DsaKey = {'DSAPrivateKey', _DsaKey, _}]} =
 	public_key:pem_to_der(filename:join(Datadir, "dsa.pem")), 
-    [RsaKey = {'RSAPrivateKey', _RsaKey,_}] = 
+    {ok, [RsaKey = {'RSAPrivateKey', _RsaKey,_}]} =
 	public_key:pem_to_der(filename:join(Datadir, "client_key.pem")),
-    [ProtectedRsaKey = {'RSAPrivateKey', _ProtectedRsaKey,_}] = 
+    {ok, [ProtectedRsaKey = {'RSAPrivateKey', _ProtectedRsaKey,_}]} =
 	public_key:pem_to_der(filename:join(Datadir, "rsa.pem")),
 
     {ok, #'DSAPrivateKey'{}} = public_key:decode_private_key(DsaKey),
diff --git a/lib/public_key/vsn.mk b/lib/public_key/vsn.mk
index f70209d891..2810942171 100644
--- a/lib/public_key/vsn.mk
+++ b/lib/public_key/vsn.mk
@@ -1 +1 @@
-PUBLIC_KEY_VSN = 0.8
+PUBLIC_KEY_VSN = 0.9
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index d5b7253ef3..8348301aed 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -244,10 +244,8 @@ fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
       <p>The default verify_fun option in verify_none mode:</p>
 
        <code>
-{fun(_,{bad_cert, unknown_ca}, UserState) ->
+{fun(_,{bad_cert, _}, UserState) ->
 	 {valid, UserState};
-    (_,{bad_cert, _} = Reason, _) ->
-	 {fail, Reason};
     (_,{extension, _}, UserState) ->
 	 {unknown, UserState};
     (_, valid, UserState) ->
@@ -267,13 +265,14 @@ fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
    <section>
     <title>SSL OPTION DESCRIPTIONS - CLIENT SIDE</title>
 
-    <p>Option described here are client specific or has a slightly different
+    <p>Options described here are client specific or has a slightly different
     meaning in the client than in the server.</p>
 
     <taglist>
       <tag>{verify, verify_type()}</tag>
-      <item> In verify_none mode the x509-path validation error {bad_cert, unknown_ca}
-      will automatically be accepted. See also the verify_fun option.
+      <item> In verify_none mode the default behavior will be to
+      allow all x509-path validation errors. See also the verify_fun
+      option.
       </item>
       <tag>{reuse_sessions, boolean()}</tag>
       <item>Specifies if client should try to reuse sessions
@@ -286,7 +285,7 @@ fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
   <section>
     <title>SSL OPTION DESCRIPTIONS - SERVER SIDE</title>
 
-    <p>Option described here are server specific or has a slightly different
+    <p>Options described here are server specific or has a slightly different
     meaning in the server than in the client.</p>
 
     <taglist>
diff --git a/lib/ssl/src/ssl.appup.src b/lib/ssl/src/ssl.appup.src
index 88cd73be74..f4e6b59b6d 100644
--- a/lib/ssl/src/ssl.appup.src
+++ b/lib/ssl/src/ssl.appup.src
@@ -1,32 +1,9 @@
 %% -*- erlang -*-
 {"%VSN%",
  [
-  {"4.0", [{restart_application, ssl}]},
-  {"3.11.1", [{restart_application, ssl}]},
-  {"3.11", [{restart_application, ssl}]},			
-  {"3.10", [{restart_application, ssl}]},			
-  {"3.10.1", [{restart_application, ssl}]},
-  {"3.10.2", [{restart_application, ssl}]},
-  {"3.10.3", [{restart_application, ssl}]},
-  {"3.10.4", [{restart_application, ssl}]},
-  {"3.10.5", [{restart_application, ssl}]},
-  {"3.10.6", [{restart_application, ssl}]},
-  {"3.10.7", [{restart_application, ssl}]},
-  {"3.10.8", [{restart_application, ssl}]},
-  {"3.10.9", [{restart_application, ssl}]}
+  {"4.0.1", [{restart_application, ssl}]}
  ], 
  [
-  {"4.0", [{restart_application, ssl}]},
-  {"3.11.1", [{restart_application, ssl}]},
-  {"3.11", [{restart_application, ssl}]},			
-  {"3.10", [{restart_application, ssl}]},	
-  {"3.10.1", [{restart_application, ssl}]},		
-  {"3.10.2", [{restart_application, ssl}]},
-  {"3.10.3", [{restart_application, ssl}]},
-  {"3.10.4", [{restart_application, ssl}]},
-  {"3.10.5", [{restart_application, ssl}]},
-  {"3.10.6", [{restart_application, ssl}]},
-  {"3.10.8", [{restart_application, ssl}]},
-  {"3.10.9", [{restart_application, ssl}]}
+  {"4.0.1", [{restart_application, ssl}]}
  ]}.
 
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 314bdd1aab..c13dee96f1 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -621,17 +621,17 @@ handle_options(Opts0, _Role) ->
     
     ReuseSessionFun = fun(_, _, _, _) -> true end,
 
-    VerifyNoneFun =
-	{fun(_,{bad_cert, unknown_ca}, UserState) ->
+    DefaultVerifyNoneFun =
+	{fun(_,{bad_cert, _}, UserState) ->
 		 {valid, UserState};
-	    (_,{bad_cert, _} = Reason, _) ->
-		 {fail, Reason};
 	    (_,{extension, _}, UserState) ->
 		 {unknown, UserState};
 	    (_, valid, UserState) ->
 		 {valid, UserState}
 	 end, []},
 
+    VerifyNoneFun = handle_option(verify_fun, Opts, DefaultVerifyNoneFun),
+
     UserFailIfNoPeerCert = handle_option(fail_if_no_peer_cert, Opts, false),
     UserVerifyFun = handle_option(verify_fun, Opts, undefined),
     CaCerts = handle_option(cacerts, Opts, undefined),
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index d2ab21657c..3c7ce837e4 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -57,30 +57,32 @@
 trusted_cert_and_path(CertChain, CertDbRef) ->
     Path = [Cert | _] = lists:reverse(CertChain),
     OtpCert = public_key:pkix_decode_cert(Cert, otp),
-    IssuerID =
+    SignedAndIssuerID =
 	case public_key:pkix_is_self_signed(OtpCert) of
 	    true ->
 		{ok, IssuerId} = public_key:pkix_issuer_id(OtpCert, self),
-		IssuerId;
+		{self, IssuerId};
 	    false ->
 		case public_key:pkix_issuer_id(OtpCert, other) of
 		    {ok, IssuerId} ->
-			IssuerId;
+			{other, IssuerId};
 		    {error, issuer_not_found} ->
 			case find_issuer(OtpCert, no_candidate) of
 			    {ok, IssuerId} ->
-				IssuerId;
+				{other, IssuerId};
 			    Other ->
 				Other
 			end
 		end
 	end,
     
-    case IssuerID of
+    case SignedAndIssuerID of
 	{error, issuer_not_found} ->
 	    %% The root CA was not sent and can not be found.
 	    {unknown_ca, Path};
-	{SerialNr, Issuer} ->
+	{self, _} when length(Path) == 1 ->
+	    {selfsigned_peer, Path};
+	{_ ,{SerialNr, Issuer}} ->
 	    case ssl_manager:lookup_trusted_cert(CertDbRef, SerialNr, Issuer) of
 		{ok, {BinCert,_}} ->
 		    {BinCert, Path};
diff --git a/lib/ssl/src/ssl_certificate_db.erl b/lib/ssl/src/ssl_certificate_db.erl
index 86477f369d..2a5a7f3394 100644
--- a/lib/ssl/src/ssl_certificate_db.erl
+++ b/lib/ssl/src/ssl_certificate_db.erl
@@ -216,9 +216,15 @@ add_certs_from_file(File, Ref, CertsDb) ->
     [Add(Cert) || {'Certificate', Cert, not_encrypted} <- PemEntries].
     
 add_certs(Cert, Ref, CertsDb) ->
-    ErlCert = public_key:pkix_decode_cert(Cert, otp),
-    TBSCertificate = ErlCert#'OTPCertificate'.tbsCertificate,
-    SerialNumber = TBSCertificate#'OTPTBSCertificate'.serialNumber,
-    Issuer = public_key:pkix_normalize_name(
-	       TBSCertificate#'OTPTBSCertificate'.issuer),
-    insert({Ref, SerialNumber, Issuer}, {Cert,ErlCert}, CertsDb).
+    try  ErlCert = public_key:pkix_decode_cert(Cert, otp),
+	 TBSCertificate = ErlCert#'OTPCertificate'.tbsCertificate,
+	 SerialNumber = TBSCertificate#'OTPTBSCertificate'.serialNumber,
+	 Issuer = public_key:pkix_normalize_name(
+		    TBSCertificate#'OTPTBSCertificate'.issuer),
+	 insert({Ref, SerialNumber, Issuer}, {Cert,ErlCert}, CertsDb)
+    catch
+	error:_ ->
+	    Report = io_lib:format("SSL WARNING: Ignoring a CA cert as "
+				   "it could not be correctly decoded.~n", []),
+	    error_logger:info_report(Report)
+    end.
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 3f01be101c..5b1a510034 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -578,6 +578,8 @@ path_validation_alert({bad_cert, unknown_critical_extension}) ->
     ?ALERT_REC(?FATAL, ?UNSUPPORTED_CERTIFICATE);
 path_validation_alert({bad_cert, cert_revoked}) ->
     ?ALERT_REC(?FATAL, ?CERTIFICATE_REVOKED);
+path_validation_alert({bad_cert, selfsigned_peer}) ->
+    ?ALERT_REC(?FATAL, ?BAD_CERTIFICATE);
 path_validation_alert({bad_cert, unknown_ca}) ->
      ?ALERT_REC(?FATAL, ?UNKNOWN_CA);
 path_validation_alert(_) ->
diff --git a/lib/ssl/test/erl_make_certs.erl b/lib/ssl/test/erl_make_certs.erl
index f8aef55754..8b01ca3ad4 100644
--- a/lib/ssl/test/erl_make_certs.erl
+++ b/lib/ssl/test/erl_make_certs.erl
@@ -268,7 +268,7 @@ publickey(#'RSAPrivateKey'{modulus=N, publicExponent=E}) ->
 			       subjectPublicKey = Public};
 publickey(#'DSAPrivateKey'{p=P, q=Q, g=G, y=Y}) ->
     Algo = #'PublicKeyAlgorithm'{algorithm= ?'id-dsa', 
-				 parameters=#'Dss-Parms'{p=P, q=Q, g=G}},
+				 parameters={params, #'Dss-Parms'{p=P, q=Q, g=G}}},
     #'OTPSubjectPublicKeyInfo'{algorithm = Algo, subjectPublicKey = Y}.
 
 validity(Opts) ->
@@ -290,7 +290,7 @@ sign_algorithm(#'RSAPrivateKey'{}, Opts) ->
 	   end,
     {Type, 'NULL'};
 sign_algorithm(#'DSAPrivateKey'{p=P, q=Q, g=G}, _Opts) ->
-    {?'id-dsa-with-sha1', #'Dss-Parms'{p=P, q=Q, g=G}}.
+    {?'id-dsa-with-sha1', {params,#'Dss-Parms'{p=P, q=Q, g=G}}}.
 
 make_key(rsa, _Opts) ->
     %% (OBS: for testing only)
diff --git a/lib/ssl/vsn.mk b/lib/ssl/vsn.mk
index 709a089892..dd75d44aca 100644
--- a/lib/ssl/vsn.mk
+++ b/lib/ssl/vsn.mk
@@ -1 +1,2 @@
-SSL_VSN = 4.0.1
+
+SSL_VSN = 4.0.2
diff --git a/lib/syntax_tools/src/epp_dodger.erl b/lib/syntax_tools/src/epp_dodger.erl
index 6b0f2034f8..9f6f7d815e 100644
--- a/lib/syntax_tools/src/epp_dodger.erl
+++ b/lib/syntax_tools/src/epp_dodger.erl
@@ -809,6 +809,8 @@ tokens_to_string([{atom,_,A} | Ts]) ->
     io_lib:write_atom(A) ++ " " ++ tokens_to_string(Ts);
 tokens_to_string([{string, _, S} | Ts]) ->
     io_lib:write_string(S) ++ " " ++ tokens_to_string(Ts);
+tokens_to_string([{char, _, C} | Ts]) ->
+    io_lib:write_char(C) ++ " " ++ tokens_to_string(Ts);
 tokens_to_string([{float, _, F} | Ts]) ->
     float_to_list(F) ++ " " ++ tokens_to_string(Ts);
 tokens_to_string([{integer, _, N} | Ts]) ->
diff --git a/lib/tools/emacs/erlang.el b/lib/tools/emacs/erlang.el
index 91acfdf2b6..ed825a298f 100644
--- a/lib/tools/emacs/erlang.el
+++ b/lib/tools/emacs/erlang.el
@@ -1481,7 +1481,23 @@ Other commands:
 				    erlang-font-lock-keywords-3 
 				    erlang-font-lock-keywords-4)
 	 nil nil ((?_ . "w")) erlang-beginning-of-clause
-	 (font-lock-mark-block-function . erlang-mark-clause))))
+	 (font-lock-mark-block-function . erlang-mark-clause)
+         (font-lock-syntactic-keywords
+          ;; A dollar sign right before the double quote that ends a
+          ;; string is not a character escape.
+          ;;
+          ;; And a "string" has with a double quote not escaped by a
+          ;; dollar sign, any number of non-backslash non-newline
+          ;; characters or escaped backslashes, a dollar sign
+          ;; (otherwise we wouldn't care) and a double quote.  This
+          ;; doesn't match multi-line strings, but this is probably
+          ;; the best we can get, since while font-locking we don't
+          ;; know whether matching started inside a string: limiting
+          ;; search to a single line keeps things sane.
+          . (("\\(?:^\\|[^$]\\)\"\\(?:[^\"\n]\\|\\\\\"\\)*\\(\\$\\)\"" 1 "w")
+             ;; And the dollar sign in $\" escapes two characters, not
+             ;; just one.
+             ("\\(\\$\\)\\\\\\\"" 1 "'"))))))