From 60aa04ef0b133b12b881121d07ec345b4f0cfce8 Mon Sep 17 00:00:00 2001
From: tb
Date: Thu, 6 Jun 2024 12:38:02 +0000
Subject: [PATCH] Tell my future self why I don't want to change this check
---
 usr.sbin/rpki-client/cert.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 56eef09194f..0b07944125c 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.139 2024/06/06 11:53:09 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.140 2024/06/06 12:38:02 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2021 Job Snijders
@@ -1121,6 +1121,10 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
 warnx("%s: BGPsec cert cannot be a trust anchor", fn);
 goto badcert;
 }
+ /*
+ * Do not replace with a <= 0 check since OpenSSL 3 broke that:
+ * https://github.com/openssl/openssl/issues/24575
+ */
 if (X509_verify(p->x509, pk) != 1) {
 warnx("%s: failed to verify signature", fn);
 goto badcert;
--
2.20.1
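Review bot: The comment added above `if (X509_verify(p->x509, pk) != 1)` in ta_parse says what not to do but leaves the reason behind a URL, so the rationale is lost if that issue is ever moved or closed without context. Since `!= 1` and `<= 0` differ only for return values greater than 1, the comment presumably guards against a failed verification being reported as such a value; I would state that inline ahead of the existing two lines, e.g. `* Only a return of exactly 1 means the signature verified; keep != 1 so any other value fails closed.` This is the trust-anchor signature check, so making the fail-closed intent explicit is worth the extra line. ta_parse starts and ends outside the hunk, so whether the other verification calls in cert.c follow the same `!= 1` convention cannot be checked from here.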