From 306badbd13a70fa232091ca3f7ea4fe92c9cfe24 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Wed, 11 Jan 2017 14:35:58 +0100
Subject: ssl: Correct ssl_certificate:validate/3

Changes made to ssl_certificate:validate appear to be preventing CRL
validation from happening when an id-ce-extKeyUsage extension is
present in the cert before the DistributionPoint extension.

https://github.com/erlang/otp/blob/448e8aca77dd29ed5b37d56f0700d24ac26a7243/lib/ssl/src/ssl_certificate.erl#L131

See also ERL-338 and PR-1302
---
 lib/ssl/src/ssl_certificate.erl | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index f359655d85..8aa2aa4081 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -125,21 +125,21 @@ file_to_crls(File, DbHandle) ->
 %% Description:  Validates ssl/tls specific extensions
 %%--------------------------------------------------------------------
 validate(_,{extension, #'Extension'{extnID = ?'id-ce-extKeyUsage',
-				    extnValue = KeyUse}}, {Role, _,_, _, _}) ->
+				    extnValue = KeyUse}}, UserState = {Role, _,_, _, _}) ->
     case is_valid_extkey_usage(KeyUse, Role) of
 	true ->
-	    {valid, Role};
+	    {valid, UserState};
 	false ->
 	    {fail, {bad_cert, invalid_ext_key_usage}}
     end;
-validate(_, {extension, _}, Role) ->
-    {unknown, Role};
+validate(_, {extension, _}, UserState) ->
+    {unknown, UserState};
 validate(_, {bad_cert, _} = Reason, _) ->
     {fail, Reason};
-validate(_, valid, Role) ->
-    {valid, Role};
-validate(_, valid_peer, Role) ->
-    {valid, Role}.
+validate(_, valid, UserState) ->
+    {valid, UserState};
+validate(_, valid_peer, UserState) ->
+    {valid, UserState}.
 
 %%--------------------------------------------------------------------
 -spec is_valid_key_usage(list(), term()) -> boolean().
-- 
cgit v1.2.3