From d0db5c07f84ef5dc60596f35e2989e1bc20df686 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Wed, 21 Aug 2024 17:14:48 +0200
Subject: [PATCH] Fix algorithm rollover bug wrt keytag conflicts

If there is an algorithm rollover and two keys of different algorithm share the same keytags, then there is a possibility that if we check that a key matches a specific state, we are checking against the wrong key.
Fix this by not only checking for matching key id but also key algorithm.

(cherry picked from commit f37eb33f29ad50cead2673f4f7634839ef7e2a26)
---
lib/dns/keymgr.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index 9f54922ee8..83a217530b 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -596,6 +596,7 @@ keymgr_key_match_state(dst_key_t *key, dst_key_t *subject, int type,
 continue;
 }
 if (next_state != NA && i == type &&
+ dst_key_alg(key) == dst_key_alg(subject) &&
 dst_key_id(key) == dst_key_id(subject)) {
 /* Check next state rather than current state. */