4 files changed, 72 insertions, 60 deletions

diff --git a/ssl.c b/ssl.c
index 0d92c8a..d7cdd75 100644
--- a/ssl.c
+++ b/ssl.c
@@ -302,48 +302,6 @@ setenv_untrusted (struct tls_session *session)
   setenv_link_socket_actual (session->opt->es, "untrusted", &session->untrusted_addr, SA_IP_PORT);
 }
 
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-
-bool verify_cert_eku (X509 *x509, const char * const expected_oid) {
-
-	EXTENDED_KEY_USAGE *eku = NULL;
-	bool fFound = false;
-
-	if ((eku = (EXTENDED_KEY_USAGE *)X509_get_ext_d2i (x509, NID_ext_key_usage, NULL, NULL)) == NULL) {
-		msg (D_HANDSHAKE, "Certificate does not have extended key usage extension");
-	}
-	else {
-		int i;
-
-		msg (D_HANDSHAKE, "Validating certificate extended key usage");
-		for(i = 0; !fFound && i < sk_ASN1_OBJECT_num (eku); i++) {
-			ASN1_OBJECT *oid = sk_ASN1_OBJECT_value (eku, i);
-			char szOid[1024];
-
-			if (!fFound && OBJ_obj2txt (szOid, sizeof (szOid), oid, 0) != -1) {
-				msg (D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s", szOid, expected_oid);
-				if (!strcmp (expected_oid, szOid)) {
-					fFound = true;
-				}
-			}
-			if (!fFound && OBJ_obj2txt (szOid, sizeof (szOid), oid, 1) != -1) {
-				msg (D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s", szOid, expected_oid);
-				if (!strcmp (expected_oid, szOid)) {
-					fFound = true;
-				}
-			}
-		}
-	}
-
-	if (eku != NULL) {
-		sk_ASN1_OBJECT_pop_free (eku, ASN1_OBJECT_free);
-	}
-
-	return fFound;
-}
-
-#endif	/* OPENSSL_VERSION_NUMBER */
-
 static void
 string_mod_sslname (char *str, const unsigned int restrictive_flags, const unsigned int ssl_flags)
 {
@@ -473,24 +431,6 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
   if (cert_depth == 0 && verify_peer_cert(opt, cert, subject, common_name))
     goto err;
 
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-
-  /* verify certificate eku */
-  if (opt->remote_cert_eku != NULL && cert_depth == 0)
-    {
-      if (verify_cert_eku (cert, opt->remote_cert_eku))
-        {
-	  msg (D_HANDSHAKE, "VERIFY EKU OK");
-	}
-      else
-	{
-	  msg (D_HANDSHAKE, "VERIFY EKU ERROR");
-          goto err;		/* Reject connection */
-	}
-    }
-
-#endif	/* OPENSSL_VERSION_NUMBER */
-
   /* verify X509 name or common name against --tls-remote */
   if (opt->verify_x509name && strlen (opt->verify_x509name) > 0 && cert_depth == 0)
     {
diff --git a/ssl_verify.c b/ssl_verify.c
index 2d8ae49..7c263f8 100644
--- a/ssl_verify.c
+++ b/ssl_verify.c
@@ -367,6 +367,19 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
 	}
     }
 
+  /* verify certificate eku */
+  if (opt->remote_cert_eku != NULL)
+    {
+      if (verify_cert_eku (peer_cert, opt->remote_cert_eku))
+        {
+	  msg (D_HANDSHAKE, "VERIFY EKU OK");
+	}
+      else
+	{
+	  msg (D_HANDSHAKE, "VERIFY EKU ERROR");
+          return 1;		/* Reject connection */
+	}
+    }
 
 #endif /* OPENSSL_VERSION_NUMBER */
   return 0;
diff --git a/ssl_verify_backend.h b/ssl_verify_backend.h
index 9b88f71..f54aa04 100644
--- a/ssl_verify_backend.h
+++ b/ssl_verify_backend.h
@@ -167,4 +167,19 @@ bool verify_nsCertType(const x509_cert_t *cert, const int usage);
 bool verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku,
     int expected_len);
 
+/*
+ * Verify X.509 extended key usage extension field.
+ *
+ * @param cert		Certificate to check.
+ * @param expected_oid	String representation of the expected Object ID. May be
+ * 			either the string representation of the numeric OID
+ * 			(e.g. \c "1.2.3.4", or the descriptive string matching
+ * 			the OID.
+ *
+ * @return 		\c true if one of the expected OID matches one of the
+ * 			extended key usage fields, \c false if extended key
+ * 			usage is not enabled, or the values do not match.
+ */
+bool verify_cert_eku (x509_cert_t *x509, const char * const expected_oid);
+
 #endif /* SSL_VERIFY_BACKEND_H_ */
diff --git a/ssl_verify_openssl.c b/ssl_verify_openssl.c
index 1a6bb2d..a33b435 100644
--- a/ssl_verify_openssl.c
+++ b/ssl_verify_openssl.c
@@ -445,4 +445,48 @@ verify_cert_ku (X509 *x509, const unsigned * const expected_ku,
   return fFound;
 }
 
+bool
+verify_cert_eku (X509 *x509, const char * const expected_oid)
+{
+  EXTENDED_KEY_USAGE *eku = NULL;
+  bool fFound = false;
+
+  if ((eku = (EXTENDED_KEY_USAGE *) X509_get_ext_d2i (x509, NID_ext_key_usage,
+      NULL, NULL)) == NULL)
+    {
+      msg (D_HANDSHAKE, "Certificate does not have extended key usage extension");
+    }
+  else
+    {
+      int i;
+
+      msg (D_HANDSHAKE, "Validating certificate extended key usage");
+      for (i = 0; !fFound && i < sk_ASN1_OBJECT_num (eku); i++)
+	{
+	  ASN1_OBJECT *oid = sk_ASN1_OBJECT_value (eku, i);
+	  char szOid[1024];
+
+	  if (!fFound && OBJ_obj2txt (szOid, sizeof(szOid), oid, 0) != -1)
+	    {
+	      msg (D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s",
+		  szOid, expected_oid);
+	      if (!strcmp (expected_oid, szOid))
+		fFound = true;
+	    }
+	  if (!fFound && OBJ_obj2txt (szOid, sizeof(szOid), oid, 1) != -1)
+	    {
+	      msg (D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s",
+		  szOid, expected_oid);
+	      if (!strcmp (expected_oid, szOid))
+		fFound = true;
+	    }
+	}
+    }
+
+  if (eku != NULL)
+    sk_ASN1_OBJECT_pop_free (eku, ASN1_OBJECT_free);
+
+  return fFound;
+}
+
 #endif /* OPENSSL_VERSION_NUMBER */