diff options
author | Theo Buehler <tb@cvs.openbsd.org> | 2024-06-06 12:38:03 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2024-06-06 12:38:03 +0000 |
commit | 50bd0f83511a67960dacba8864b56433d76f32d6 (patch) | |
tree | a53ee7d65e2147a3b85ca3b0509607a4fe74590d /usr.sbin/rpki-client | |
parent | 52d18b15663cf76ae53f48dcd26d7b9b6cfa05ce (diff) |
Tell my future self why I don't want to change this check
Diffstat (limited to 'usr.sbin/rpki-client')
-rw-r--r-- | usr.sbin/rpki-client/cert.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c index 56eef09194f..0b07944125c 100644 --- a/usr.sbin/rpki-client/cert.c +++ b/usr.sbin/rpki-client/cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cert.c,v 1.139 2024/06/06 11:53:09 tb Exp $ */ +/* $OpenBSD: cert.c,v 1.140 2024/06/06 12:38:02 tb Exp $ */ /* * Copyright (c) 2022 Theo Buehler <tb@openbsd.org> * Copyright (c) 2021 Job Snijders <job@openbsd.org> @@ -1121,6 +1121,10 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey, warnx("%s: BGPsec cert cannot be a trust anchor", fn); goto badcert; } + /* + * Do not replace with a <= 0 check since OpenSSL 3 broke that: + * https://github.com/openssl/openssl/issues/24575 + */ if (X509_verify(p->x509, pk) != 1) { warnx("%s: failed to verify signature", fn); goto badcert; |