From a4e7dd077217e559c5dea262ad22516c4c66e84c Mon Sep 17 00:00:00 2001
From: tobhe
Date: Mon, 27 Jul 2020 14:22:54 +0000
Subject: Fix return value check for openssl API used during pubkey validation.

Found thanks to bug report by Michael Scheibel

ok patrick@, markus@, tb@
---
 sbin/iked/ca.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sbin/iked/ca.c b/sbin/iked/ca.c
index 15a0e4bcbff..afb45a24d92 100644
--- a/sbin/iked/ca.c
+++ b/sbin/iked/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.64 2020/07/15 14:45:15 tobhe Exp $ */
+/* $OpenBSD: ca.c,v 1.65 2020/07/27 14:22:53 tobhe Exp $ */

 /*
 * Copyright (c) 2010-2013 Reyk Floeter
@@ -1420,7 +1420,7 @@ ca_validate_pubkey(struct iked *env, struct iked_static_id *id,
 if (localkey == NULL)
 goto sslerr;

- if (peerkey && !EVP_PKEY_cmp(peerkey, localkey)) {
+ if (peerkey && EVP_PKEY_cmp(peerkey, localkey) != 1) {
 log_debug("%s: public key does not match %s", __func__, file);
 goto done;
 }
-- 
cgit v1.2.3
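Review bot: The `!= 1` comparison in ca_validate_pubkey needs a one-line comment, because nothing at the call site says that EVP_PKEY_cmp() is not a boolean: it returns 1 for a match, 0 for a mismatch, and a negative value when the key types differ or the comparison is unsupported. A comment above the `if` such as `/* EVP_PKEY_cmp() returns 1 only on match; 0, -1 and -2 must all be rejected */` would keep a later cleanup from restoring the `!` form. The `log_debug` text "public key does not match" is now also printed for the negative returns, so including the return value in the message would let someone triaging a failed authentication tell a key-type mismatch from a different key. The `peerkey &&` guard still skips the comparison when peerkey is NULL; whether that is intended cannot be judged from here, since the function starts and ends outside the hunk.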