Commit 0d07de92 authored by Michał Kępień's avatar Michał Kępień

Do not call exit() upon match_nsec3() errors

Make match_nsec3() return the verification result through a separate
pointer, thus making it possible to signal errors using function
return value.  Replace all check_result() and fprintf() calls inside
match_nsec3() with zoneverify_log_error() calls and error handling code.

Modify all call sites of match_nsec3() so that its errors are properly
handled.
parent 0ed3a2b2
......@@ -444,7 +444,7 @@ static isc_result_t
match_nsec3(const vctx_t *vctx, dns_name_t *name,
dns_rdata_nsec3param_t *nsec3param, dns_rdataset_t *rdataset,
unsigned char types[8192], unsigned int maxtype,
unsigned char *rawhash, size_t rhsize)
unsigned char *rawhash, size_t rhsize, isc_result_t *vresult)
{
unsigned char cbm[8244];
char namebuf[DNS_NAME_FORMATSIZE];
......@@ -472,8 +472,10 @@ match_nsec3(const vctx_t *vctx, dns_name_t *name,
}
if (result != ISC_R_SUCCESS) {
dns_name_format(name, namebuf, sizeof(namebuf));
fprintf(stderr, "Missing NSEC3 record for %s\n", namebuf);
return (result);
zoneverify_log_error(vctx, "Missing NSEC3 record for %s",
namebuf);
*vresult = result;
return (ISC_R_SUCCESS);
}
/*
......@@ -482,9 +484,12 @@ match_nsec3(const vctx_t *vctx, dns_name_t *name,
len = dns_nsec_compressbitmap(cbm, types, maxtype);
if (nsec3.len != len || memcmp(cbm, nsec3.typebits, len) != 0) {
dns_name_format(name, namebuf, sizeof(namebuf));
fprintf(stderr, "Bad NSEC3 record for %s, bit map "
"mismatch\n", namebuf);
return (ISC_R_FAILURE);
zoneverify_log_error(vctx,
"Bad NSEC3 record for %s, bit map "
"mismatch",
namebuf);
*vresult = ISC_R_FAILURE;
return (ISC_R_SUCCESS);
}
/*
......@@ -492,7 +497,11 @@ match_nsec3(const vctx_t *vctx, dns_name_t *name,
*/
result = record_nsec3(rawhash, &nsec3, vctx->mctx,
vctx->expected_chains);
check_result(result, "record_nsec3()");
if (result != ISC_R_SUCCESS) {
zoneverify_log_error(vctx, "record_nsec3(): %s",
isc_result_totext(result));
return (result);
}
/*
* Make sure there is only one NSEC3 record with this set of
......@@ -511,17 +520,20 @@ match_nsec3(const vctx_t *vctx, dns_name_t *name,
memcmp(nsec3.salt, nsec3param->salt,
nsec3.salt_length) == 0) {
dns_name_format(name, namebuf, sizeof(namebuf));
fprintf(stderr, "Multiple NSEC3 records with the "
"same parameter set for %s", namebuf);
result = DNS_R_DUPLICATE;
break;
zoneverify_log_error(vctx,
"Multiple NSEC3 records with the "
"same parameter set for %s",
namebuf);
*vresult = DNS_R_DUPLICATE;
return (ISC_R_SUCCESS);
}
}
if (result != ISC_R_NOMORE)
return (result);
result = ISC_R_SUCCESS;
return (result);
*vresult = ISC_R_SUCCESS;
return (ISC_R_SUCCESS);
}
static isc_boolean_t
......@@ -679,7 +691,7 @@ verifynsec3(const vctx_t *vctx, dns_name_t *name, dns_rdata_t *rdata,
dns_rdata_nsec3param_t nsec3param;
dns_fixedname_t fixed;
dns_name_t *hashname;
isc_result_t result;
isc_result_t result, tvresult;
dns_dbnode_t *node = NULL;
unsigned char rawhash[NSEC3_MAX_HASH_LENGTH];
size_t rhsize = sizeof(rawhash);
......@@ -737,17 +749,23 @@ verifynsec3(const vctx_t *vctx, dns_name_t *name, dns_rdata_t *rdata,
result = ISC_R_SUCCESS;
} else if (result == ISC_R_SUCCESS) {
result = match_nsec3(vctx, name, &nsec3param, &rdataset, types,
maxtype, rawhash, rhsize);
maxtype, rawhash, rhsize, &tvresult);
if (result != ISC_R_SUCCESS) {
goto done;
}
result = tvresult;
}
*vresult = result;
result = ISC_R_SUCCESS;
done:
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
if (node != NULL)
dns_db_detachnode(vctx->db, &node);
return (ISC_R_SUCCESS);
return (result);
}
static isc_result_t
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment