Check key tag range when matching dnssec keys to kasp keys
authorMark Andrews <marka@isc.org>
Wed, 7 Aug 2024 06:57:45 +0000 (16:57 +1000)
committerMark Andrews <marka@isc.org>
Thu, 22 Aug 2024 12:12:02 +0000 (12:12 +0000)
lib/dns/kasp.c

index 03308b44b67608bdb5abd920dc275f88966aafb2..285ae0bb7f185fa57a70c80105bd7bc3ebf159f0 100644 (file)
@@ -544,6 +544,16 @@ dns_kasp_key_match(dns_kasp_key_t *key, dns_dnsseckey_t *dkey) {
        if (ret != ISC_R_SUCCESS || role != dns_kasp_key_zsk(key)) {
                return (false);
        }
+       /* Valid key tag range? */
+       uint16_t id = dst_key_id(dkey->key);
+       uint16_t rid = dst_key_rid(dkey->key);
+       if (id < key->tag_min || id > key->tag_max) {
+               return (false);
+       }
+       if (rid < key->tag_min || rid > key->tag_max) {
+               return (false);
+       }
+
        /* Found a match. */
        return (true);
 }
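Review bot: The two new range checks on `id` and `rid` are identical in shape and differ only in the value tested, so a reader has to compare them token by token to see that no third condition is hidden; collapsing them into one guard, `if (id < key->tag_min || id > key->tag_max || rid < key->tag_min || rid > key->tag_max) { return (false); }`, makes the intent visible at a glance. The added comment `/* Valid key tag range? */` would also carry more weight if it said why the revoked-key id is bounded as well, e.g. `/* Both the key tag and the tag it would carry when revoked must lie in the policy's configured range. */` — the "when revoked" reading is inferred from the `rid` accessor name and should be confirmed against dst_key_rid. The types of `key->tag_min` and `key->tag_max` are not visible in the hunk; if they are narrower than or signed relative to uint16_t the comparisons would deserve a cast or a comment. dns_kasp_key_match begins before this hunk, so the earlier checks it relies on are not visible here.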