lang/erlang-runtime17: backport fix for CVE-2017-1000385 from erlang-runtime18.

PR:		224278
Submitted by:	Stefan Grundmann

lang/erlang-runtime17/Makefile

@@ -3,7 +3,7 @@
 
 PORTNAME=	erlang
 PORTVERSION=	17.5.6.9
-PORTREVISION=	6
+PORTREVISION=	7
 CATEGORIES=	lang parallel java
 MASTER_SITES=	http://www.erlang.org/download/:erlangorg		\
 		http://erlang.stacken.kth.se/download/:erlangorg	\

lang/erlang-runtime17/files/patch-lib_ssl_src_ssl__connection.erl

@@ -0,0 +1,30 @@
+--- lib/ssl/src/ssl_connection.erl.orig	2015-03-31 12:32:52.000000000 +0000
++++ lib/ssl/src/ssl_connection.erl	2017-12-14 13:13:46.570861000 +0000
+@@ -1135,8 +1135,25 @@
+     request_client_cert(State2, Connection).
+ 
+ certify_client_key_exchange(#encrypted_premaster_secret{premaster_secret= EncPMS},
+-			    #state{private_key = Key} = State, Connection) ->
+-    PremasterSecret = ssl_handshake:premaster_secret(EncPMS, Key),
++			    #state{private_key = Key, client_hello_version = {Major, Minor} = Version } = State, Connection) ->
++
++    %% Countermeasure for Bleichenbacher attack always provide some kind of premaster secret
++    %% and fail handshake later.RFC 5246 section 7.4.7.1.
++    PremasterSecret =
++	try ssl_handshake:premaster_secret(EncPMS, Key) of
++	    Secret when erlang:byte_size(Secret) == ?NUM_OF_PREMASTERSECRET_BYTES ->
++		case Secret of
++		    <<?BYTE(Major), ?BYTE(Minor), _/binary>> -> %% Correct
++			Secret;
++		    <<?BYTE(_), ?BYTE(_), Rest/binary>> -> %% Version mismatch
++			<<?BYTE(Major), ?BYTE(Minor), Rest/binary>>
++		end;
++	    _ -> %% erlang:byte_size(Secret) =/= ?NUM_OF_PREMASTERSECRET_BYTES
++		make_premaster_secret(Version, rsa)
++	catch
++	    #alert{description = ?DECRYPT_ERROR} ->
++		make_premaster_secret(Version, rsa)
++	end,
+     calculate_master_secret(PremasterSecret, State, Connection, certify, cipher);
+ 
+ certify_client_key_exchange(#client_diffie_hellman_public{dh_public = ClientPublicDhKey},

lang/erlang-runtime17/files/patch-lib_ssl_src_ssl__connection.hrl

@@ -0,0 +1,12 @@
+--- lib/ssl/src/ssl_connection.hrl.orig	2015-03-31 12:32:52.000000000 +0000
++++ lib/ssl/src/ssl_connection.hrl	2017-12-14 13:18:02.736638000 +0000
+@@ -53,7 +53,8 @@
+           session               :: #session{} | secret_printout(),
+ 	  session_cache         :: db_handle(),
+ 	  session_cache_cb      :: atom(),
+-          negotiated_version    :: ssl_record:ssl_version(),
++          negotiated_version    :: ssl_record:ssl_version() | 'undefined',
++          client_hello_version  :: ssl_record:ssl_version() | 'undefined',
+           client_certificate_requested = false :: boolean(),
+ 	  key_algorithm         :: ssl_cipher:key_algo(),
+ 	  hashsign_algorithm = {undefined, undefined},

lang/erlang-runtime17/files/patch-lib_ssl_src_tls__connection.erl

@@ -0,0 +1,10 @@
+--- lib/ssl/src/tls_connection.erl.orig	2015-03-31 12:32:52.000000000 +0000
++++ lib/ssl/src/tls_connection.erl	2017-12-14 13:22:41.792681000 +0000
+@@ -197,6 +197,7 @@
+             ssl_connection:hello({common_client_hello, Type, ServerHelloExt, HashSign},
+ 				 State#state{connection_states  = ConnectionStates,
+ 					     negotiated_version = Version,
++					     client_hello_version = ClientVersion,
+ 					     session = Session,
+ 					     client_ecc = {EllipticCurves, EcPointFormats}}, ?MODULE);
+         #alert{} = Alert ->