Fix bug in keymgr_key_has_successor

The logic in `keymgr_key_has_successor(key, keyring)` is flawed, it returns true if there is any key in the keyring that has a successor, while what we really want here is to make sure that the given key has a successor in the given keyring. Rather than relying on `keymgr_key_exists_with_state`, walk the list of keys in the keyring and check if the key is a successor of the given predecessor key.
2025-08-31 06:25:31 +00:00 · 2020-05-14 15:06:54 +02:00
parent ab036232f0
commit 0d578097ef
4 changed files with 22 additions and 9 deletions
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -633,11 +633,16 @@ keymgr_key_exists_with_state(dns_dnsseckeylist_t *keyring, dns_dnsseckey_t *key,
 * Check if a key has a successor.
 */
 static bool
-keymgr_key_has_successor(dns_dnsseckey_t *key, dns_dnsseckeylist_t *keyring) {
-	/* Don't worry about key states. */
-	dst_key_state_t na[4] = { NA, NA, NA, NA };
-	return (keymgr_key_exists_with_state(keyring, key, DST_KEY_DNSKEY, NA,
-					     na, na, true, true));
+keymgr_key_has_successor(dns_dnsseckey_t *predecessor,
+			 dns_dnsseckeylist_t *keyring) {
+	for (dns_dnsseckey_t *successor = ISC_LIST_HEAD(*keyring);
+	     successor != NULL; successor = ISC_LIST_NEXT(successor, link))
+	{
+		if (keymgr_key_is_successor(predecessor->key, successor->key)) {
+			return (true);
+		}
+	}
+	return (false);
 }

 /*