diff --git a/lang/erlang-runtime17/Makefile b/lang/erlang-runtime17/Makefile index f066634c619e..aac3519c8464 100644 --- a/lang/erlang-runtime17/Makefile +++ b/lang/erlang-runtime17/Makefile @@ -3,7 +3,7 @@ PORTNAME= erlang PORTVERSION= 17.5.6.9 -PORTREVISION= 6 +PORTREVISION= 7 CATEGORIES= lang parallel java MASTER_SITES= http://www.erlang.org/download/:erlangorg \ http://erlang.stacken.kth.se/download/:erlangorg \ diff --git a/lang/erlang-runtime17/files/patch-lib_ssl_src_ssl__connection.erl b/lang/erlang-runtime17/files/patch-lib_ssl_src_ssl__connection.erl new file mode 100644 index 000000000000..8a8d93487cf5 --- /dev/null +++ b/lang/erlang-runtime17/files/patch-lib_ssl_src_ssl__connection.erl @@ -0,0 +1,30 @@ +--- lib/ssl/src/ssl_connection.erl.orig 2015-03-31 12:32:52.000000000 +0000 ++++ lib/ssl/src/ssl_connection.erl 2017-12-14 13:13:46.570861000 +0000 +@@ -1135,8 +1135,25 @@ + request_client_cert(State2, Connection). + + certify_client_key_exchange(#encrypted_premaster_secret{premaster_secret= EncPMS}, +- #state{private_key = Key} = State, Connection) -> +- PremasterSecret = ssl_handshake:premaster_secret(EncPMS, Key), ++ #state{private_key = Key, client_hello_version = {Major, Minor} = Version } = State, Connection) -> ++ ++ %% Countermeasure for Bleichenbacher attack always provide some kind of premaster secret ++ %% and fail handshake later.RFC 5246 section 7.4.7.1. ++ PremasterSecret = ++ try ssl_handshake:premaster_secret(EncPMS, Key) of ++ Secret when erlang:byte_size(Secret) == ?NUM_OF_PREMASTERSECRET_BYTES -> ++ case Secret of ++ <> -> %% Correct ++ Secret; ++ <> -> %% Version mismatch ++ <> ++ end; ++ _ -> %% erlang:byte_size(Secret) =/= ?NUM_OF_PREMASTERSECRET_BYTES ++ make_premaster_secret(Version, rsa) ++ catch ++ #alert{description = ?DECRYPT_ERROR} -> ++ make_premaster_secret(Version, rsa) ++ end, + calculate_master_secret(PremasterSecret, State, Connection, certify, cipher); + + certify_client_key_exchange(#client_diffie_hellman_public{dh_public = ClientPublicDhKey}, diff --git a/lang/erlang-runtime17/files/patch-lib_ssl_src_ssl__connection.hrl b/lang/erlang-runtime17/files/patch-lib_ssl_src_ssl__connection.hrl new file mode 100644 index 000000000000..cb4b91907b7c --- /dev/null +++ b/lang/erlang-runtime17/files/patch-lib_ssl_src_ssl__connection.hrl @@ -0,0 +1,12 @@ +--- lib/ssl/src/ssl_connection.hrl.orig 2015-03-31 12:32:52.000000000 +0000 ++++ lib/ssl/src/ssl_connection.hrl 2017-12-14 13:18:02.736638000 +0000 +@@ -53,7 +53,8 @@ + session :: #session{} | secret_printout(), + session_cache :: db_handle(), + session_cache_cb :: atom(), +- negotiated_version :: ssl_record:ssl_version(), ++ negotiated_version :: ssl_record:ssl_version() | 'undefined', ++ client_hello_version :: ssl_record:ssl_version() | 'undefined', + client_certificate_requested = false :: boolean(), + key_algorithm :: ssl_cipher:key_algo(), + hashsign_algorithm = {undefined, undefined}, diff --git a/lang/erlang-runtime17/files/patch-lib_ssl_src_tls__connection.erl b/lang/erlang-runtime17/files/patch-lib_ssl_src_tls__connection.erl new file mode 100644 index 000000000000..fd4eac923732 --- /dev/null +++ b/lang/erlang-runtime17/files/patch-lib_ssl_src_tls__connection.erl @@ -0,0 +1,10 @@ +--- lib/ssl/src/tls_connection.erl.orig 2015-03-31 12:32:52.000000000 +0000 ++++ lib/ssl/src/tls_connection.erl 2017-12-14 13:22:41.792681000 +0000 +@@ -197,6 +197,7 @@ + ssl_connection:hello({common_client_hello, Type, ServerHelloExt, HashSign}, + State#state{connection_states = ConnectionStates, + negotiated_version = Version, ++ client_hello_version = ClientVersion, + session = Session, + client_ecc = {EllipticCurves, EcPointFormats}}, ?MODULE); + #alert{} = Alert ->