From 02b8356a19b119d895d611c9ce17f24a207faa6d Mon Sep 17 00:00:00 2001

From: Mark Andrews <marka@isc.org>

Date: Tue, 23 Jun 2020 10:26:01 +1000

Subject: [PATCH] The validator could fail when select_signing_key/get_dst_key

 failed

to select the signing key because the algorithm was not supported

and the loop was prematurely aborted.

(cherry picked from commit d475f3aeedbb0dff940ff5bd25c71fcfc3a71f95)

---

 lib/dns/validator.c | 33 ++++++++++++++++-----------------

 1 file changed, 16 insertions(+), 17 deletions(-)

diff --git a/lib/dns/validator.c b/lib/dns/validator.c

index 864301ba1b..092de65172 100644

--- a/lib/dns/validator.c

+++ b/lib/dns/validator.c

@@ -1651,26 +1651,25 @@ get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,

 		INSIST(val->key == NULL);

 		result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,

 					 val->view->mctx, &val->key);

-		if (result != ISC_R_SUCCESS)

-			goto failure;

-		if (siginfo->algorithm ==

-		    (dns_secalg_t)dst_key_alg(val->key) &&

-		    siginfo->keyid ==

-		    (dns_keytag_t)dst_key_id(val->key) &&

-		    dst_key_iszonekey(val->key))

-		{

-			if (foundold)

-				/*

-				 * This is the key we're looking for.

-				 */

-				return (ISC_R_SUCCESS);

-			else if (dst_key_compare(oldkey, val->key) == ISC_TRUE)

+		if (result == ISC_R_SUCCESS) {

+			if (siginfo->algorithm ==

+				    (dns_secalg_t)dst_key_alg(val->key) &&

+			    siginfo->keyid ==

+				    (dns_keytag_t)dst_key_id(val->key) &&

+			    dst_key_iszonekey(val->key))

 			{

-				foundold = ISC_TRUE;

-				dst_key_free(&oldkey);

+				if (foundold) {

+					/*

+					 * This is the key we're looking for.

+					 */

+					return (ISC_R_SUCCESS);

+				} else if (dst_key_compare(oldkey, val->key)) {

+					foundold = ISC_TRUE;

+					dst_key_free(&oldkey);

+				}

 			}

+			dst_key_free(&val->key);

 		}

-		dst_key_free(&val->key);

 		dns_rdata_reset(&rdata);

 		result = dns_rdataset_next(rdataset);

 	} while (result == ISC_R_SUCCESS);

-- 

2.26.2