authorTheo Buehler <tb@cvs.openbsd.org>2024-06-06 12:38:03 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2024-06-06 12:38:03 +0000
commit50bd0f83511a67960dacba8864b56433d76f32d6 (patch)
treea53ee7d65e2147a3b85ca3b0509607a4fe74590d /usr.sbin/rpki-client
parent52d18b15663cf76ae53f48dcd26d7b9b6cfa05ce (diff)
Tell my future self why I don't want to change this check
Diffstat (limited to 'usr.sbin/rpki-client')
-rw-r--r--usr.sbin/rpki-client/cert.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 56eef09194f..0b07944125c 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.139 2024/06/06 11:53:09 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.140 2024/06/06 12:38:02 tb Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -1121,6 +1121,10 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
warnx("%s: BGPsec cert cannot be a trust anchor", fn);
goto badcert;
}
+ /*
+ * Do not replace with a <= 0 check since OpenSSL 3 broke that:
+ * https://github.com/openssl/openssl/issues/24575
+ */
if (X509_verify(p->x509, pk) != 1) {
warnx("%s: failed to verify signature", fn);
goto badcert;
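Review bot: The added comment says only what not to do and leaves the reason behind the link, so a reader without the issue tracker at hand still does not know why `<= 0` is wrong; stating the invariant in place would make the check self-explaining, e.g. `* X509_verify() reports success only as 1; treat any other return (0, negative or otherwise) as failure, hence the strict != 1 comparison.` Presumably the linked issue concerns OpenSSL 3 returning values outside the documented 1/0/-1 set on certain malformed inputs, but that cannot be confirmed from this page and is worth a clause in the comment once verified. The strict `!= 1` comparison on the following line is the right fail-closed form for a signature check and should stay as is. ta_parse() starts and ends outside the hunk.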