From: Matthijs Mekking Date: Wed, 21 Aug 2024 15:14:48 +0000 (+0200) Subject: Fix algorithm rollover bug wrt keytag conflicts X-Git-Tag: v9.21.1~21^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f37eb33f29ad50cead2673f4f7634839ef7e2a26;p=thirdparty%2Fbind9.git Fix algorithm rollover bug wrt keytag conflicts If there is an algorithm rollover and two keys of different algorithm share the same keytags, then there is a possibility that if we check that a key matches a specific state, we are checking against the wrong key. Fix this by not only checking for matching key id but also key algorithm. --- diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c index 9e0f808dd8d..3eb61185e89 100644 --- a/lib/dns/keymgr.c +++ b/lib/dns/keymgr.c @@ -595,6 +595,7 @@ keymgr_key_match_state(dst_key_t *key, dst_key_t *subject, int type, continue; } if (next_state != NA && i == type && + dst_key_alg(key) == dst_key_alg(subject) && dst_key_id(key) == dst_key_id(subject)) { /* Check next state rather than current state. */
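Review bot: The key identity test in the `if` of keymgr_key_match_state() is now a two-part comparison written inline (`dst_key_alg(key) == dst_key_alg(subject) && dst_key_id(key) == dst_key_id(subject)`), and the diff carries no regression test for the case the commit message describes, two keys of different algorithms sharing a key tag during an algorithm rollover. Consider moving the algorithm-plus-id comparison into a small helper, so that any other place in keymgr.c that identifies a key by `dst_key_id()` alone can be audited and switched over in one pass, and add a test that constructs such a tag collision and checks that the state of the intended key is the one evaluated. The existing comment "Check next state rather than current state" could also note that the subject is matched on both algorithm and key id, since a later reader may otherwise take the algorithm check for redundant and drop it.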