From 44aa33d40901b0f3751231c8029b6743cf31f789 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Fri, 15 May 2026 18:56:06 +0900
Subject: [PATCH] gnutls: Perform ExtendedKeyUsage validation

Adopt gnutls_certificate_verify_peers to perform ExtendedKeyUsage validation.

---
 src/LibgnutlsTLSSession.cc | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/LibgnutlsTLSSession.cc b/src/LibgnutlsTLSSession.cc
index 9fd83fc433..8f3e449676 100644
--- a/src/LibgnutlsTLSSession.cc
+++ b/src/LibgnutlsTLSSession.cc
@@ -252,8 +252,16 @@ int GnuTLSSession::tlsConnect(const std::string& hostname, TLSVersion& version,
 }
 if (tlsContext_->getVerifyPeer()) {
 // verify peer
+ gnutls_typed_vdata_st data[] = {
+ {
+ GNUTLS_DT_KEY_PURPOSE_OID,
+ reinterpret_cast(
+ const_cast(GNUTLS_KP_TLS_WWW_SERVER)),
+ },
+ };
 unsigned int status;
- rv_ = gnutls_certificate_verify_peers2(sslSession_, &status);
+ rv_ = gnutls_certificate_verify_peers(
+ sslSession_, data, sizeof(data) / sizeof(data[0]), &status);
 if (rv_ != GNUTLS_E_SUCCESS) {
 return TLS_ERR_ERROR;
 }
@@ -278,6 +286,9 @@ int GnuTLSSession::tlsConnect(const std::string& hostname, TLSVersion& version,
 if (status & GNUTLS_CERT_EXPIRED) {
 handshakeErr += " `expired'";
 }
+ if (status & GNUTLS_CERT_PURPOSE_MISMATCH) {
+ handshakeErr += " `unsuitable certificate purpose`";
+ }
 // TODO Add GNUTLS_CERT_SIGNATURE_FAILURE here
 if (!handshakeErr.empty()) {
 return TLS_ERR_ERROR;
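Review bot: The `data[]` initializer at the top of this hunk casts away the constness of `GNUTLS_KP_TLS_WWW_SERVER` and leaves the struct's `size` member zero-initialized, with no comment on why either is safe or on what the check enforces. A comment above it would cover this, e.g. `// Require the TLS server key purpose (EKU); GnuTLS takes the OID as a NUL-terminated string through a non-const pointer and is expected only to read it.` As documented for gnutls_certificate_verify_peers, the purpose is compared only when the end certificate carries an ExtendedKeyUsage extension, so a certificate without one still passes; the comment should say so. The function and `gnutls_typed_vdata_st` are newer API than `gnutls_certificate_verify_peers2`, so if the build still accepts older GnuTLS releases (not visible here) it needs a version guard or a raised minimum. tlsConnect's body starts and ends outside the hunk.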
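Review bot: A status bit that none of these `if (status & ...)` tests names leaves `handshakeErr` empty, and the `if (!handshakeErr.empty())` check at the end of the hunk is the only rejection visible here; the TODO for GNUTLS_CERT_SIGNATURE_FAILURE shows the list is known to be incomplete. Unless a `GNUTLS_CERT_INVALID` test above the hunk already catches every failure, the decision should fail closed on any non-zero status, e.g. `if (status != 0 || !handshakeErr.empty()) {`. As a style point, the new message closes its quote with a backtick, while the neighbouring "expired" message closes with an apostrophe. The enclosing function starts and ends outside the hunk.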