From ebc10f445fc4ddda90c2e0888baf310a9370cb33 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Mon, 2 Jul 2018 15:37:56 +0200
Subject: ssl: Correct handling of empty server SNI extension

---
 lib/ssl/src/ssl_handshake.erl        | 2 +-
 lib/ssl/test/ssl_handshake_SUITE.erl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'lib/ssl')

diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 8b1ea52ac9..dd194275ac 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1849,7 +1849,7 @@ dec_hello_extensions(<<?UINT16(?EC_POINT_FORMATS_EXT), ?UINT16(Len),
 									      ECPointFormats}});
 
 dec_hello_extensions(<<?UINT16(?SNI_EXT), ?UINT16(Len), Rest/binary>>, Acc) when Len == 0 ->
-    dec_hello_extensions(Rest, Acc#hello_extensions{sni = ""}); %% Server may send an empy SNI
+    dec_hello_extensions(Rest, Acc#hello_extensions{sni = #sni{hostname = ""}}); %% Server may send an empy SNI
 
 dec_hello_extensions(<<?UINT16(?SNI_EXT), ?UINT16(Len),
                 ExtData:Len/binary, Rest/binary>>, Acc) ->
diff --git a/lib/ssl/test/ssl_handshake_SUITE.erl b/lib/ssl/test/ssl_handshake_SUITE.erl
index 9658cb5f56..c492c54066 100644
--- a/lib/ssl/test/ssl_handshake_SUITE.erl
+++ b/lib/ssl/test/ssl_handshake_SUITE.erl
@@ -157,7 +157,7 @@ decode_single_hello_sni_extension_correctly(_Config) ->
     Exts = Decoded.
 
 decode_empty_server_sni_correctly(_Config) ->
-    Exts = #hello_extensions{sni = ""},
+    Exts = #hello_extensions{sni = #sni{hostname = ""}},
     SNI = <<?UINT16(?SNI_EXT),?UINT16(0)>>,
     Decoded = ssl_handshake:decode_hello_extensions(SNI),
     Exts = Decoded.
-- 
cgit v1.2.3


From 1e82b6329a8b53467453aba1ec52309094ab489d Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Mon, 6 Aug 2018 13:04:25 +0200
Subject: ssl: Make sure that a correct cipher suite is selected

The keyexchange ECDHE-RSA requires an RSA-keyed server cert
(corresponding for ECDHE-ECDSA), the code did not assert this
resulting in that a incorrect cipher suite could be selected.

Alas test code was also wrong hiding the error.
---
 lib/ssl/src/ssl_cipher.erl    | 4 ++++
 lib/ssl/test/ssl_test_lib.erl | 5 -----
 2 files changed, 4 insertions(+), 5 deletions(-)

(limited to 'lib/ssl')

diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 40d974f6a5..aa453fe3f1 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -2555,6 +2555,8 @@ ecdsa_signed_suites(Ciphers, Version) ->
 
 rsa_keyed(dhe_rsa) -> 
     true;
+rsa_keyed(ecdhe_rsa) -> 
+    true;
 rsa_keyed(rsa) -> 
     true;
 rsa_keyed(rsa_psk) -> 
@@ -2618,6 +2620,8 @@ ec_keyed(ecdh_ecdsa) ->
     true;
 ec_keyed(ecdh_rsa) ->
     true;
+ec_keyed(ecdhe_ecdsa) ->
+    true;
 ec_keyed(_) -> 
     false.
 
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index ed02b795ab..3e6c5e8b8a 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -1417,11 +1417,6 @@ v_1_2_check(ecdh_ecdsa, ecdh_rsa) ->
     true;
 v_1_2_check(ecdh_rsa, ecdh_ecdsa) ->
     true;
-v_1_2_check(ecdhe_ecdsa, ecdhe_rsa) ->
-    true;
-v_1_2_check(ecdhe_rsa, ecdhe_ecdsa) ->
-    true;
-
 v_1_2_check(_, _) ->
     false.
 
-- 
cgit v1.2.3


From c5a344a3cace51ef9697adbab05e45f41d44bf13 Mon Sep 17 00:00:00 2001
From: Erlang/OTP <otp@erlang.org>
Date: Thu, 9 Aug 2018 17:28:32 +0200
Subject: Update version numbers

---
 lib/ssl/vsn.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib/ssl')

diff --git a/lib/ssl/vsn.mk b/lib/ssl/vsn.mk
index ed68e6bf11..b46c1334cf 100644
--- a/lib/ssl/vsn.mk
+++ b/lib/ssl/vsn.mk
@@ -1 +1 @@
-SSL_VSN = 8.2.6.1
+SSL_VSN = 8.2.6.2
-- 
cgit v1.2.3


From 962ea06fa99e36a4631ec6459895d9466e61964c Mon Sep 17 00:00:00 2001
From: Erlang/OTP <otp@erlang.org>
Date: Thu, 9 Aug 2018 17:29:04 +0200
Subject: Update release notes

---
 lib/ssl/doc/src/notes.xml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

(limited to 'lib/ssl')

diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
index e04b33edb9..b2a774adf0 100644
--- a/lib/ssl/doc/src/notes.xml
+++ b/lib/ssl/doc/src/notes.xml
@@ -27,6 +27,29 @@
   </header>
   <p>This document describes the changes made to the SSL application.</p>
 
+<section><title>SSL 8.2.6.2</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    Correct handling of empty server SNI extension</p>
+          <p>
+	    Own Id: OTP-15168</p>
+        </item>
+        <item>
+          <p>
+	    Correct cipher suite handling for ECDHE_*, the incorrect
+	    handling could cause an incorrrect suite to be selected
+	    and most likly fail the handshake.</p>
+          <p>
+	    Own Id: OTP-15203</p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
 <section><title>SSL 8.2.6.1</title>
 
     <section><title>Fixed Bugs and Malfunctions</title>
-- 
cgit v1.2.3