From 0d5a2652b49a889987d0f94b51dcbc500db1b45d Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Fri, 12 Dec 2025 16:36:43 +0100
Subject: [PATCH] pki: Avoild false positive matches when comparing certificates in mbedtls and gcrypt

Signed-off-by: Jakub Jelen
Reviewed-by: Andreas Schneider
---
 src/pki_gcrypt.c | 2 +-
 src/pki_mbedcrypto.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c
index d4219e09..802fa7e2 100644
--- a/src/pki_gcrypt.c
+++ b/src/pki_gcrypt.c
@@ -1409,7 +1409,7 @@ int pki_key_compare(const ssh_key k1, const ssh_key k2, enum ssh_keycmp_e what)
 case SSH_KEYTYPE_SK_ED25519:
 case SSH_KEYTYPE_SK_ED25519_CERT01:
 /* ed25519 keys handled globally */
- return 0;
+ return 1;
 case SSH_KEYTYPE_ECDSA_P256:
 case SSH_KEYTYPE_ECDSA_P256_CERT01:
 case SSH_KEYTYPE_ECDSA_P384:
diff --git a/src/pki_mbedcrypto.c b/src/pki_mbedcrypto.c
index 4893ac8e..01a9ca80 100644
--- a/src/pki_mbedcrypto.c
+++ b/src/pki_mbedcrypto.c
@@ -782,7 +782,7 @@ int pki_key_compare(const ssh_key k1, const ssh_key k2, enum ssh_keycmp_e what)
 case SSH_KEYTYPE_ED25519:
 case SSH_KEYTYPE_SK_ED25519:
 /* ed25519 keys handled globally */
- rc = 0;
+ rc = 1;
 break;
 default:
 rc = 1;
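Review bot: The unchanged comment `/* ed25519 keys handled globally */` no longer explains the line under it, both in this arm of src/pki_gcrypt.c and in the matching arm of src/pki_mbedcrypto.c: with `return 1;` the arm reports a mismatch, and nothing tells the reader that this is deliberate. Since the result of a key or certificate comparison feeds trust decisions, the fail-closed intent should be written down, for example `/* ed25519 keys are compared by the caller; if one reaches this arm no comparison was done, so report a mismatch */`. Presumably the caller dispatches every ed25519 variant listed here, including `SSH_KEYTYPE_SK_ED25519_CERT01`, before calling pki_key_compare; that is not visible in the hunk and is worth confirming, because otherwise two equal keys of those types would now always compare as different. The switch starts and ends outside the hunk.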
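Review bot: With `rc = 1;` the ed25519 arm in src/pki_mbedcrypto.c now produces the same result as the `default:` arm directly below it, so the separate `rc = 1; break;` is redundant and the two arms can drift apart again later. I would stack the ed25519 labels onto `default:` and keep one assignment, with a comment such as `/* ed25519 is compared by the caller; anything reaching here is treated as a mismatch */`. The diffstat lists only the two backend files, so the patch as shown carries no regression test; a test that compares two different ed25519 certificate keys and expects a non-zero result would pin the fix for both backends. The switch begins above the hunk, so labels preceding `SSH_KEYTYPE_ED25519` are not visible here.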