Allow explicit cert trusts or distrusts for EKU any

This matches the current OpenSSL behaviour introduced
in their commit:
commit 0daccd4dc1f1ac62181738a91714f35472e50f3c
Date:   Thu Jan 28 03:01:45 2016 -0500

ok jsing@ tb@

1 files changed, 6 insertions, 4 deletions

diff --git a/src/lib/libcrypto/x509/x509_trs.c b/src/lib/libcrypto/x509/x509_trs.c
index 72d616a106..a967edf933 100644
--- a/src/lib/libcrypto/x509/x509_trs.c
+++ b/src/lib/libcrypto/x509/x509_trs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_trs.c,v 1.25 2021/11/01 20:53:08 tb Exp $ */
+/* $OpenBSD: x509_trs.c,v 1.26 2022/11/10 16:52:19 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -322,7 +322,7 @@ static int
 obj_trust(int id, X509 *x, int flags)
 {
         ASN1_OBJECT *obj;
-        int i;
+        int i, nid;
         X509_CERT_AUX *ax;
 
         ax = x->aux;
@@ -331,14 +331,16 @@ obj_trust(int id, X509 *x, int flags)
         if (ax->reject) {
                 for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
                         obj = sk_ASN1_OBJECT_value(ax->reject, i);
-                        if (OBJ_obj2nid(obj) == id)
+                        nid = OBJ_obj2nid(obj);
+                        if (nid == id || nid == NID_anyExtendedKeyUsage)
                                 return X509_TRUST_REJECTED;
                 }
         }
         if (ax->trust) {
                 for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
                         obj = sk_ASN1_OBJECT_value(ax->trust, i);
-                        if (OBJ_obj2nid(obj) == id)
+                        nid = OBJ_obj2nid(obj);
+                        if (nid == id || nid == NID_anyExtendedKeyUsage)
                                 return X509_TRUST_TRUSTED;
                 }
         }