git.ipfire.org Git - thirdparty/bind9.git/commitdiff
Fix algorithm rollover bug wrt keytag conflicts
author Matthijs Mekking <matthijs@isc.org>
Wed, 21 Aug 2024 15:14:48 +0000 (17:14 +0200)
committer Matthijs Mekking <matthijs@isc.org>
Thu, 22 Aug 2024 09:29:43 +0000 (11:29 +0200)
If there is an algorithm rollover and two keys of different algorithm
share the same keytags, then there is a possibility that if we check
that a key matches a specific state, we are checking against the wrong
key.

Fix this by not only checking for matching key id but also key
algorithm.

lib/dns/keymgr.c

index 9e0f808dd8d27f211f10ea7e07a54a529b1acf06..3eb61185e898a87941be92a9c8390487e1133bd6 100644
@@ -595,6 +595,7 @@ keymgr_key_match_state(dst_key_t *key, dst_key_t *subject, int type,
                        continue;
                }
                if (next_state != NA && i == type &&
+                   dst_key_alg(key) == dst_key_alg(subject) &&
                    dst_key_id(key) == dst_key_id(subject))
                {
                        /* Check next state rather than current state. */
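Review bot: The added `dst_key_alg(key) == dst_key_alg(subject) &&` guard on the next-state branch in keymgr_key_match_state() is the right fix, since key tags are not unique across algorithms, but the hunk shows only this one comparison site; any other place in keymgr.c that identifies a key by `dst_key_id()` alone should get the same algorithm check, or the wrong-key lookup described in the commit message can still occur there. A regression test that creates two keys of different algorithms with a colliding key tag and runs them through an algorithm rollover would pin the fix, and the change touches only lib/dns/keymgr.c with no CHANGES or release-note entry for a user-visible rollover bug.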