From 02b8356a19b119d895d611c9ce17f24a207faa6d Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 23 Jun 2020 10:26:01 +1000
Subject: [PATCH] The validator could fail when select_signing_key/get_dst_key
 failed

to select the signing key because the algorithm was not supported
and the loop was prematurely aborted.

(cherry picked from commit d475f3aeedbb0dff940ff5bd25c71fcfc3a71f95)
---
 lib/dns/validator.c | 33 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 17 deletions(-)

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 864301ba1b..092de65172 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1651,26 +1651,25 @@ get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
 		INSIST(val->key == NULL);
 		result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
 					 val->view->mctx, &val->key);
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-		if (siginfo->algorithm ==
-		    (dns_secalg_t)dst_key_alg(val->key) &&
-		    siginfo->keyid ==
-		    (dns_keytag_t)dst_key_id(val->key) &&
-		    dst_key_iszonekey(val->key))
-		{
-			if (foundold)
-				/*
-				 * This is the key we're looking for.
-				 */
-				return (ISC_R_SUCCESS);
-			else if (dst_key_compare(oldkey, val->key) == ISC_TRUE)
+		if (result == ISC_R_SUCCESS) {
+			if (siginfo->algorithm ==
+				    (dns_secalg_t)dst_key_alg(val->key) &&
+			    siginfo->keyid ==
+				    (dns_keytag_t)dst_key_id(val->key) &&
+			    dst_key_iszonekey(val->key))
 			{
-				foundold = ISC_TRUE;
-				dst_key_free(&oldkey);
+				if (foundold) {
+					/*
+					 * This is the key we're looking for.
+					 */
+					return (ISC_R_SUCCESS);
+				} else if (dst_key_compare(oldkey, val->key)) {
+					foundold = ISC_TRUE;
+					dst_key_free(&oldkey);
+				}
 			}
+			dst_key_free(&val->key);
 		}
-		dst_key_free(&val->key);
 		dns_rdata_reset(&rdata);
 		result = dns_rdataset_next(rdataset);
 	} while (result == ISC_R_SUCCESS);
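Review bot: The new `if (result == ISC_R_SUCCESS)` branch skips every failure of `dst_key_fromdns()`, not only the unsupported-algorithm case the commit message describes, and nothing in the code says so. A short comment above the branch would record the intent, for example `/* A key we cannot parse (e.g. unsupported algorithm) is skipped, not fatal; keep scanning the rdataset. */`. Because the loop now continues after a failure, the `INSIST(val->key == NULL)` at the top of the next iteration depends on `dst_key_fromdns()` leaving `val->key` untouched when it fails; that looks intended but is worth confirming, since a violated INSIST in the validator would abort the process. The body of `get_dst_key` starts and ends outside this hunk, so how the final `result` is mapped after the loop cannot be checked here.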
-- 
2.26.2