1 files changed, 16 insertions, 4 deletions
diff --git a/src/lib/libcrypto/x509/x509_trs.c b/src/lib/libcrypto/x509/x509_trs.c
index a967edf933..23eca4927b 100644
--- a/src/lib/libcrypto/x509/x509_trs.c
+++ b/src/lib/libcrypto/x509/x509_trs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_trs.c,v 1.26 2022/11/10 16:52:19 beck Exp $ */
+/* $OpenBSD: x509_trs.c,v 1.27 2022/11/13 18:37:32 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -110,8 +110,8 @@ int
        return oldtrust;
 }
-int
+static int
-X509_check_trust(X509 *x, int id, int flags)
+X509_check_trust_internal(X509 *x, int id, int flags, int compat)
 {
        X509_TRUST *pt;
        int idx;
@@ -132,7 +132,7 @@ X509_check_trust(X509 *x, int id, int flags)
                rv = obj_trust(NID_anyExtendedKeyUsage, x, 0);
                if (rv != X509_TRUST_UNTRUSTED)
                        return rv;
-                return trust_compat(NULL, x, 0);
+                return compat && trust_compat(NULL, x, 0);
        }
        idx = X509_TRUST_get_by_id(id);
        if (idx == -1)
@@ -142,6 +142,18 @@ X509_check_trust(X509 *x, int id, int flags)
 }
 int
+X509_check_trust(X509 *x, int id, int flags)
+{
+        return X509_check_trust_internal(x, id, flags, /*compat =*/1);
+}
+int
+x509_check_trust_no_compat(X509 *x, int id, int flags)
+{
+        return X509_check_trust_internal(x, id, flags, /*compat =*/0);
+}
+int
 X509_TRUST_get_count(void)
 {
        if (!trtable)