The validator could fail when select_signing_key/get_dst_key failed
authorMark Andrews <marka@isc.org>
Tue, 23 Jun 2020 00:26:01 +0000 (10:26 +1000)
committerMark Andrews <marka@isc.org>
Thu, 25 Jun 2020 12:46:41 +0000 (22:46 +1000)
to select the signing key because the algorithm was not supported
and the loop was prematurely aborted.

(cherry picked from commit d475f3aeedbb0dff940ff5bd25c71fcfc3a71f95)

lib/dns/validator.c

index 684f7ca159f67f25e99321ce989eb89334f627bf..ef5fd255e785d69ed4aecc0f55e39b7cd175791b 100644 (file)
@@ -1229,26 +1229,25 @@ get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
                INSIST(val->key == NULL);
                result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
                                         val->view->mctx, &val->key);
-               if (result != ISC_R_SUCCESS)
-                       goto failure;
-               if (siginfo->algorithm ==
-                   (dns_secalg_t)dst_key_alg(val->key) &&
-                   siginfo->keyid ==
-                   (dns_keytag_t)dst_key_id(val->key) &&
-                   dst_key_iszonekey(val->key))
-               {
-                       if (foundold)
-                               /*
-                                * This is the key we're looking for.
-                                */
-                               return (ISC_R_SUCCESS);
-                       else if (dst_key_compare(oldkey, val->key) == true)
+               if (result == ISC_R_SUCCESS) {
+                       if (siginfo->algorithm ==
+                                   (dns_secalg_t)dst_key_alg(val->key) &&
+                           siginfo->keyid ==
+                                   (dns_keytag_t)dst_key_id(val->key) &&
+                           dst_key_iszonekey(val->key))
                        {
-                               foundold = true;
-                               dst_key_free(&oldkey);
+                               if (foundold) {
+                                       /*
+                                        * This is the key we're looking for.
+                                        */
+                                       return (ISC_R_SUCCESS);
+                               } else if (dst_key_compare(oldkey, val->key)) {
+                                       foundold = true;
+                                       dst_key_free(&oldkey);
+                               }
                        }
+                       dst_key_free(&val->key);
                }
-               dst_key_free(&val->key);
                dns_rdata_reset(&rdata);
                result = dns_rdataset_next(rdataset);
        } while (result == ISC_R_SUCCESS);
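Review bot: The new `if (result == ISC_R_SUCCESS)` guard skips a DNSKEY on every `dst_key_fromdns()` failure, not only the unsupported-algorithm case named in the commit message, and the reason is lost when `result` is overwritten by `dns_rdataset_next()`. A resource failure such as out-of-memory would then presumably surface the same way as a missing key (the code after the loop is outside the hunk), which makes a failed validation hard to diagnose. I would keep the skip but record why a key was passed over, for example an `else` branch with `validator_log(val, ISC_LOG_DEBUG(3), "skipping DNSKEY: %s", isc_result_totext(result));`, and add a comment above the guard such as `/* A key we cannot load (e.g. unsupported algorithm) must not stop the search. */`. Continuing the loop also makes the `INSIST(val->key == NULL)` at the top depend on `dst_key_fromdns()` leaving `val->key` untouched on failure, which is worth confirming because an assertion failure on attacker-supplied key data would stop the server. The enclosing do-loop and function start and end outside the hunk.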