From 05b1c13e36ec49891e89593b25e668e983a4fc41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?John=20H=C3=B6gberg?= <john@erlang.org>
Date: Tue, 24 Apr 2018 13:30:00 +0200
Subject: heart: Use ntohs instead of manual conversion

Multiplying a signed char by 256 is undefined behavior and caused
problems on some platforms when the length was long enough. We
could cast it to an unsigned int to make it work, but it's best not
to reinvent the wheel.

Fixes OTP-15034
---
 erts/etc/common/heart.c         |  5 +----
 lib/kernel/test/heart_SUITE.erl | 13 ++++++++++---
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/erts/etc/common/heart.c b/erts/etc/common/heart.c
index 01ef840b5d..aaaffbca79 100644
--- a/erts/etc/common/heart.c
+++ b/erts/etc/common/heart.c
@@ -847,11 +847,8 @@ write_message(fd, mp)
   int   fd;
   struct msg *mp;
 {
-  int   len;
-  char* tmp;
+  int len = ntohs(mp->len);
 
-  tmp = (char*) &(mp->len);
-  len = (*tmp * 256) + *(tmp+1); 
   if ((len == 0) || (len > MSG_BODY_SIZE)) {
     return MSG_HDR_SIZE;
   }				/* cc68k wants (char *) */
diff --git a/lib/kernel/test/heart_SUITE.erl b/lib/kernel/test/heart_SUITE.erl
index 83efbb4c35..02954aa54c 100644
--- a/lib/kernel/test/heart_SUITE.erl
+++ b/lib/kernel/test/heart_SUITE.erl
@@ -352,9 +352,16 @@ clear_cmd(Config) when is_list(Config) ->
 get_cmd(suite) -> [];
 get_cmd(Config) when is_list(Config) ->
     {ok, Node} = start_check(slave, heart_test),
-    Cmd = "test",
-    ok  = rpc:call(Node, heart, set_cmd, [Cmd]),
-    {ok, Cmd} = rpc:call(Node, heart, get_cmd, []),
+
+    ShortCmd = "test",
+    ok  = rpc:call(Node, heart, set_cmd, [ShortCmd]),
+    {ok, ShortCmd} = rpc:call(Node, heart, get_cmd, []),
+
+    %% This would hang prior to OTP-15024 being fixed.
+    LongCmd = [$a || _ <- lists:seq(1, 160)],
+    ok  = rpc:call(Node, heart, set_cmd, [LongCmd]),
+    {ok, LongCmd} = rpc:call(Node, heart, get_cmd, []),
+
     stop_node(Node),
     ok.
 
-- 
cgit v1.2.3


From c44477a5f174343673b429a17b518fb0697a0d22 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Thu, 26 Apr 2018 16:58:28 +0200
Subject: ssl: Proper handling of clients that choose to send an empty answer
 to a certificate request

Solves ERL-599
---
 lib/ssl/src/ssl_connection.erl                | 16 +++++
 lib/ssl/src/ssl_connection.hrl                |  2 +-
 lib/ssl/src/ssl_handshake.erl                 |  6 --
 lib/ssl/test/ssl_certificate_verify_SUITE.erl | 92 ++++++++++++++++++---------
 4 files changed, 78 insertions(+), 38 deletions(-)

diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 63fae78195..64ecc29b97 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -709,6 +709,22 @@ certify(internal, #server_key_exchange{exchange_keys = Keys},
 						Version, ?FUNCTION_NAME, State)
 	    end
     end;
+certify(internal, #certificate_request{},
+	#state{role = client, negotiated_version = Version,
+               key_algorithm = Alg} = State, _)
+  when Alg == dh_anon; Alg == ecdh_anon;
+       Alg == psk; Alg == dhe_psk; Alg == ecdhe_psk; Alg == rsa_psk;
+       Alg == srp_dss; Alg == srp_rsa; Alg == srp_anon ->
+    handle_own_alert(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE),
+                     Version, ?FUNCTION_NAME, State);
+certify(internal, #certificate_request{},
+	#state{session = #session{own_certificate = undefined},
+	       role = client} = State0, Connection) ->
+    %% The client does not have a certificate and will send an empty reply, the server may fail 
+    %% or accept the connection by its own preference. No signature algorihms needed as there is
+    %% no certificate to verify.
+    {Record, State} = Connection:next_record(State0),
+    Connection:next_event(?FUNCTION_NAME, Record, State#state{client_certificate_requested = true});
 certify(internal, #certificate_request{} = CertRequest,
 	#state{session = #session{own_certificate = Cert},
 	       role = client,
diff --git a/lib/ssl/src/ssl_connection.hrl b/lib/ssl/src/ssl_connection.hrl
index f9d2149170..72a7e6ebcc 100644
--- a/lib/ssl/src/ssl_connection.hrl
+++ b/lib/ssl/src/ssl_connection.hrl
@@ -61,7 +61,7 @@
           client_certificate_requested = false :: boolean(),
 	  key_algorithm         :: ssl_cipher:key_algo(),
 	  hashsign_algorithm = {undefined, undefined},
-	  cert_hashsign_algorithm,
+	  cert_hashsign_algorithm = {undefined, undefined},
           public_key_info      :: ssl_handshake:public_key_info() | 'undefined',
           private_key          :: public_key:private_key() | secret_printout() | 'undefined',
 	  diffie_hellman_params:: #'DHParameter'{} | undefined | secret_printout(),
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 7efb89bfae..8b1ea52ac9 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1066,12 +1066,6 @@ select_hashsign(_, Cert, _, _, Version) ->
 %%
 %% Description: Handles signature algorithms selection for certificate requests (client) 
 %%--------------------------------------------------------------------
-select_hashsign(#certificate_request{}, undefined, _, {Major, Minor})  when Major >= 3 andalso Minor >= 3->
-    %% There client does not have a certificate and will send an empty reply, the server may fail 
-    %% or accept the connection by its own preference. No signature algorihms needed as there is
-    %% no certificate to verify.
-    {undefined, undefined}; 
- 
 select_hashsign(#certificate_request{hashsign_algorithms = #hash_sign_algos{hash_sign_algos = HashSigns}, 
 				     certificate_types = Types}, Cert, SupportedHashSigns, 
 		{Major, Minor})  when Major >= 3 andalso Minor >= 3->
diff --git a/lib/ssl/test/ssl_certificate_verify_SUITE.erl b/lib/ssl/test/ssl_certificate_verify_SUITE.erl
index 0bc265fa10..1de4c89d7f 100644
--- a/lib/ssl/test/ssl_certificate_verify_SUITE.erl
+++ b/lib/ssl/test/ssl_certificate_verify_SUITE.erl
@@ -40,14 +40,22 @@
 %%--------------------------------------------------------------------
 all() ->
     [
-     {group, tls},
-     {group, dtls}
+     {group, 'tlsv1.2'},
+     {group, 'tlsv1.1'},
+     {group, 'tlsv1'},
+     {group, 'sslv3'},
+     {group, 'dtlsv1.2'},
+     {group, 'dtlsv1'}
     ].
 
 groups() ->
     [
-     {tls, [], all_protocol_groups()},
-     {dtls, [], all_protocol_groups()},
+     {'tlsv1.2', [], all_protocol_groups()},
+     {'tlsv1.1', [], all_protocol_groups()},
+     {'tlsv1', [], all_protocol_groups()},
+     {'sslv3', [], all_protocol_groups()},
+     {'dtlsv1.2', [], all_protocol_groups()},
+     {'dtlsv1', [], all_protocol_groups()},
      {active, [], tests()},
      {active_once, [], tests()},
      {passive, [], tests()},
@@ -65,6 +73,7 @@ tests() ->
      verify_none,
      server_require_peer_cert_ok,
      server_require_peer_cert_fail,
+     server_require_peer_cert_empty_ok,
      server_require_peer_cert_partial_chain,
      server_require_peer_cert_allow_partial_chain,
      server_require_peer_cert_do_not_allow_partial_chain,
@@ -104,24 +113,6 @@ end_per_suite(_Config) ->
     ssl:stop(),
     application:stop(crypto).
 
-init_per_group(tls, Config0) ->
-    Version = tls_record:protocol_version(tls_record:highest_protocol_version([])),
-    ssl:stop(),
-    application:load(ssl),
-    application:set_env(ssl, protocol_version, Version),
-    ssl:start(),
-    Config = ssl_test_lib:init_tls_version(Version, Config0),
-    [{version, tls_record:protocol_version(Version)} | Config];
-
-init_per_group(dtls, Config0) ->
-    Version = dtls_record:protocol_version(dtls_record:highest_protocol_version([])),
-    ssl:stop(),
-    application:load(ssl),
-    application:set_env(ssl, protocol_version, Version),
-    ssl:start(),
-    Config = ssl_test_lib:init_tls_version(Version, Config0),
-    [{version, dtls_record:protocol_version(Version)} | Config];
-
 init_per_group(active, Config) ->
     [{active, true}, {receive_function, send_recv_result_active} | Config];
 init_per_group(active_once, Config) ->
@@ -130,15 +121,24 @@ init_per_group(passive, Config) ->
     [{active, false}, {receive_function, send_recv_result} | Config];
 init_per_group(error_handling, Config) ->
     [{active, false}, {receive_function, send_recv_result} | Config];
+init_per_group(GroupName, Config) ->
+    case ssl_test_lib:is_tls_version(GroupName) of
+	true ->
+	    case ssl_test_lib:sufficient_crypto_support(GroupName) of
+		true ->
+		    [{version, GroupName} | ssl_test_lib:init_tls_version(GroupName, Config)];
+		false ->
+		    {skip, "Missing crypto support"}
+	    end
+    end.
 
-init_per_group(_, Config) ->
-    Config.
-
-end_per_group(GroupName, Config) when GroupName == tls;
-                                      GroupName == dtls ->
-    ssl_test_lib:clean_tls_version(Config);
-end_per_group(_GroupName, Config) ->
-    Config.
+end_per_group(GroupName, Config) ->
+       case ssl_test_lib:is_tls_version(GroupName) of
+        true ->
+            ssl_test_lib:clean_tls_version(Config);
+        false ->
+            Config
+    end.
 
 init_per_testcase(_TestCase, Config) ->
     ssl:stop(),
@@ -305,6 +305,35 @@ server_require_peer_cert_fail(Config) when is_list(Config) ->
 	    end
     end.
 
+%%--------------------------------------------------------------------
+server_require_peer_cert_empty_ok() ->
+    [{doc,"Test server option fail_if_no_peer_cert when peer sends cert"}].
+
+server_require_peer_cert_empty_ok(Config) when is_list(Config) ->
+    ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, false}
+		  | ssl_test_lib:ssl_options(server_rsa_opts, Config)],
+    ClientOpts0 = ssl_test_lib:ssl_options(client_rsa_opts, Config),
+    Active = proplists:get_value(active, Config),
+    ReceiveFunction =  proplists:get_value(receive_function, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+    ClientOpts = proplists:delete(keyfile, proplists:delete(certfile, ClientOpts0)),
+
+    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+					{from, self()},
+			   {mfa, {ssl_test_lib, ReceiveFunction, []}},
+			   {options, [{active, Active} | ServerOpts]}]),
+    Port = ssl_test_lib:inet_port(Server),
+    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+					{host, Hostname},
+			   {from, self()},
+			   {mfa, {ssl_test_lib, ReceiveFunction, []}},
+			   {options, [{active, Active} | ClientOpts]}]),
+
+    ssl_test_lib:check_result(Server, ok, Client, ok),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client).
+
 %%--------------------------------------------------------------------
 
 server_require_peer_cert_partial_chain() ->
@@ -930,6 +959,7 @@ client_with_cert_cipher_suites_handshake(Config) when is_list(Config) ->
                                                                  Config, "_sign_only_extensions"),
     ClientOpts =  ssl_test_lib:ssl_options(ClientOpts0, Config),
     ServerOpts =  ssl_test_lib:ssl_options(ServerOpts0, Config),
+    TLSVersion = ssl_test_lib:protocol_version(Config, tuple),
 
     {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
     Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
@@ -938,7 +968,7 @@ client_with_cert_cipher_suites_handshake(Config) when is_list(Config) ->
 					       send_recv_result_active, []}},
 					{options, [{active, true},
 						   {ciphers, 
-						    ssl_test_lib:rsa_non_signed_suites(proplists:get_value(version, Config))}
+						    ssl_test_lib:rsa_non_signed_suites(TLSVersion)}
 						   | ServerOpts]}]),
     Port  = ssl_test_lib:inet_port(Server),
     Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
-- 
cgit v1.2.3


From 8c8d71980e1f94a3987e4e72e93b3e8a84c49f6a Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Fri, 27 Apr 2018 10:54:10 +0200
Subject: ssl: Prepare for release

---
 lib/ssl/src/ssl.appup.src | 2 --
 lib/ssl/vsn.mk            | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/lib/ssl/src/ssl.appup.src b/lib/ssl/src/ssl.appup.src
index 4ad2a2f1fd..bfdd0c205b 100644
--- a/lib/ssl/src/ssl.appup.src
+++ b/lib/ssl/src/ssl.appup.src
@@ -1,7 +1,6 @@
 %% -*- erlang -*-
 {"%VSN%",
  [
-  {<<"8.2.4">>, [{load_module, ssl_cipher, soft_purge, soft_purge, []}]},
   {<<"8\\..*">>, [{restart_application, ssl}]},
   {<<"7\\..*">>, [{restart_application, ssl}]},
   {<<"6\\..*">>, [{restart_application, ssl}]},
@@ -10,7 +9,6 @@
   {<<"3\\..*">>, [{restart_application, ssl}]}
  ], 
  [
-  {<<"8.2.4">>, [{load_module, ssl_cipher, soft_purge, soft_purge, []}]},
   {<<"8\\..*">>, [{restart_application, ssl}]},
   {<<"7\\..*">>, [{restart_application, ssl}]},
   {<<"6\\..*">>, [{restart_application, ssl}]},
diff --git a/lib/ssl/vsn.mk b/lib/ssl/vsn.mk
index 0ff22c5eab..eb85a55717 100644
--- a/lib/ssl/vsn.mk
+++ b/lib/ssl/vsn.mk
@@ -1 +1 @@
-SSL_VSN = 8.2.5
+SSL_VSN = 8.2.6
-- 
cgit v1.2.3


From 23f55b391c0dcab7af62fd31542706ccbf45af99 Mon Sep 17 00:00:00 2001
From: Erlang/OTP <otp@erlang.org>
Date: Wed, 2 May 2018 15:53:30 +0200
Subject: Update version numbers

---
 erts/vsn.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/erts/vsn.mk b/erts/vsn.mk
index c3a62a5535..25acd9cc34 100644
--- a/erts/vsn.mk
+++ b/erts/vsn.mk
@@ -18,7 +18,7 @@
 # %CopyrightEnd%
 # 
 
-VSN = 9.3
+VSN = 9.3.1
 
 # Port number 4365 in 4.2
 # Port number 4366 in 4.3
-- 
cgit v1.2.3


From d45a09c774b6173f4db804e25b21a67e58b66d6b Mon Sep 17 00:00:00 2001
From: Erlang/OTP <otp@erlang.org>
Date: Wed, 2 May 2018 15:53:43 +0200
Subject: Update release notes

---
 erts/doc/src/notes.xml    | 15 +++++++++++++++
 lib/ssl/doc/src/notes.xml | 16 ++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/erts/doc/src/notes.xml b/erts/doc/src/notes.xml
index 21168eee23..8bd8e6c7b8 100644
--- a/erts/doc/src/notes.xml
+++ b/erts/doc/src/notes.xml
@@ -31,6 +31,21 @@
   </header>
   <p>This document describes the changes made to the ERTS application.</p>
 
+<section><title>Erts 9.3.1</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+	    <p>Fixed a crash in <c>heart:get_cmd/0</c> when the
+	    stored command was too long.</p>
+          <p>
+	    Own Id: OTP-15034</p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
 <section><title>Erts 9.3</title>
 
     <section><title>Fixed Bugs and Malfunctions</title>
diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
index 4ad7da9486..34fe352d08 100644
--- a/lib/ssl/doc/src/notes.xml
+++ b/lib/ssl/doc/src/notes.xml
@@ -27,6 +27,22 @@
   </header>
   <p>This document describes the changes made to the SSL application.</p>
 
+<section><title>SSL 8.2.6</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    Proper handling of clients that choose to send an empty
+	    answer to a certificate request</p>
+          <p>
+	    Own Id: OTP-15050</p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
 <section><title>SSL 8.2.5</title>
 
     <section><title>Fixed Bugs and Malfunctions</title>
-- 
cgit v1.2.3


From b5b627ded69445c06e8fbe34cda3421854c5582e Mon Sep 17 00:00:00 2001
From: Erlang/OTP <otp@erlang.org>
Date: Wed, 2 May 2018 15:53:45 +0200
Subject: Updated OTP version

---
 OTP_VERSION        | 2 +-
 otp_versions.table | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/OTP_VERSION b/OTP_VERSION
index 3338f72b5b..1092f91b35 100644
--- a/OTP_VERSION
+++ b/OTP_VERSION
@@ -1 +1 @@
-20.3.4
+20.3.5
diff --git a/otp_versions.table b/otp_versions.table
index 3cf996405e..c893e48248 100644
--- a/otp_versions.table
+++ b/otp_versions.table
@@ -1,3 +1,4 @@
+OTP-20.3.5 : erts-9.3.1 ssl-8.2.6 # asn1-5.0.5 common_test-1.15.4 compiler-7.1.5 cosEvent-2.2.2 cosEventDomain-1.2.2 cosFileTransfer-1.2.2 cosNotification-1.2.3 cosProperty-1.2.3 cosTime-1.2.3 cosTransactions-1.3.3 crypto-4.2.1 debugger-4.2.4 dialyzer-3.2.4 diameter-2.1.4 edoc-0.9.2 eldap-1.2.3 erl_docgen-0.7.2 erl_interface-3.10.2 et-1.6.1 eunit-2.3.5 hipe-3.17.1 ic-4.4.4 inets-6.5.1 jinterface-1.8.1 kernel-5.4.3 megaco-3.18.3 mnesia-4.15.3 observer-2.7 odbc-2.12.1 orber-3.8.4 os_mon-2.4.4 otp_mibs-1.1.2 parsetools-2.1.6 public_key-1.5.2 reltool-0.7.5 runtime_tools-1.12.5 sasl-3.1.2 snmp-5.2.10 ssh-4.6.8 stdlib-3.4.5 syntax_tools-2.1.4 tools-2.11.2 wx-1.8.3 xmerl-1.3.16 :
 OTP-20.3.4 : erl_interface-3.10.2 ic-4.4.4 inets-6.5.1 ssh-4.6.8 # asn1-5.0.5 common_test-1.15.4 compiler-7.1.5 cosEvent-2.2.2 cosEventDomain-1.2.2 cosFileTransfer-1.2.2 cosNotification-1.2.3 cosProperty-1.2.3 cosTime-1.2.3 cosTransactions-1.3.3 crypto-4.2.1 debugger-4.2.4 dialyzer-3.2.4 diameter-2.1.4 edoc-0.9.2 eldap-1.2.3 erl_docgen-0.7.2 erts-9.3 et-1.6.1 eunit-2.3.5 hipe-3.17.1 jinterface-1.8.1 kernel-5.4.3 megaco-3.18.3 mnesia-4.15.3 observer-2.7 odbc-2.12.1 orber-3.8.4 os_mon-2.4.4 otp_mibs-1.1.2 parsetools-2.1.6 public_key-1.5.2 reltool-0.7.5 runtime_tools-1.12.5 sasl-3.1.2 snmp-5.2.10 ssl-8.2.5 stdlib-3.4.5 syntax_tools-2.1.4 tools-2.11.2 wx-1.8.3 xmerl-1.3.16 :
 OTP-20.3.3 : sasl-3.1.2 # asn1-5.0.5 common_test-1.15.4 compiler-7.1.5 cosEvent-2.2.2 cosEventDomain-1.2.2 cosFileTransfer-1.2.2 cosNotification-1.2.3 cosProperty-1.2.3 cosTime-1.2.3 cosTransactions-1.3.3 crypto-4.2.1 debugger-4.2.4 dialyzer-3.2.4 diameter-2.1.4 edoc-0.9.2 eldap-1.2.3 erl_docgen-0.7.2 erl_interface-3.10.1 erts-9.3 et-1.6.1 eunit-2.3.5 hipe-3.17.1 ic-4.4.3 inets-6.5 jinterface-1.8.1 kernel-5.4.3 megaco-3.18.3 mnesia-4.15.3 observer-2.7 odbc-2.12.1 orber-3.8.4 os_mon-2.4.4 otp_mibs-1.1.2 parsetools-2.1.6 public_key-1.5.2 reltool-0.7.5 runtime_tools-1.12.5 snmp-5.2.10 ssh-4.6.7 ssl-8.2.5 stdlib-3.4.5 syntax_tools-2.1.4 tools-2.11.2 wx-1.8.3 xmerl-1.3.16 :
 OTP-20.3.2 : ssh-4.6.7 stdlib-3.4.5 # asn1-5.0.5 common_test-1.15.4 compiler-7.1.5 cosEvent-2.2.2 cosEventDomain-1.2.2 cosFileTransfer-1.2.2 cosNotification-1.2.3 cosProperty-1.2.3 cosTime-1.2.3 cosTransactions-1.3.3 crypto-4.2.1 debugger-4.2.4 dialyzer-3.2.4 diameter-2.1.4 edoc-0.9.2 eldap-1.2.3 erl_docgen-0.7.2 erl_interface-3.10.1 erts-9.3 et-1.6.1 eunit-2.3.5 hipe-3.17.1 ic-4.4.3 inets-6.5 jinterface-1.8.1 kernel-5.4.3 megaco-3.18.3 mnesia-4.15.3 observer-2.7 odbc-2.12.1 orber-3.8.4 os_mon-2.4.4 otp_mibs-1.1.2 parsetools-2.1.6 public_key-1.5.2 reltool-0.7.5 runtime_tools-1.12.5 sasl-3.1.1 snmp-5.2.10 ssl-8.2.5 syntax_tools-2.1.4 tools-2.11.2 wx-1.8.3 xmerl-1.3.16 :
-- 
cgit v1.2.3