Commit 24bca1c4 authored by Michał Kępień's avatar Michał Kępień

Propagate dns_zoneverify_dnssec() errors to callers

Since exit() is no longer called upon any dns_zoneverify_dnssec() error,
verification failures should be signalled to callers.  Make
dns_zoneverify_dnssec() return an isc_result_t and handle both success
and error appropriately in bin/dnssec/dnssec-signzone.c and
bin/dnssec/dnssec-verify.c.  This enables memory leak detection during
shutdown of these tools and causes dnssec-signzone to print signing
statistics even when zone verification fails.
parent a7ae6157
......@@ -3227,7 +3227,7 @@ main(int argc, char *argv[]) {
isc_time_t timer_start, timer_finish;
isc_time_t sign_start, sign_finish;
dns_dnsseckey_t *key;
isc_result_t result;
isc_result_t result, vresult;
isc_log_t *log = NULL;
#ifdef USE_PKCS11
const char *engine = PKCS11_ENGINE;
......@@ -3912,9 +3912,18 @@ main(int argc, char *argv[]) {
postsign();
TIME_NOW(&sign_finish);
if (!disable_zone_check)
dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin, mctx,
ignore_kskflag, keyset_kskonly);
if (disable_zone_check) {
vresult = ISC_R_SUCCESS;
} else {
vresult = dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin,
mctx, ignore_kskflag,
keyset_kskonly);
if (vresult != ISC_R_SUCCESS) {
fprintf(output_stdout ? stderr : stdout,
"Zone verification failed (%s)\n",
isc_result_totext(vresult));
}
}
if (outputformat != dns_masterformat_text) {
dns_masterrawheader_t header;
......@@ -3940,12 +3949,16 @@ main(int argc, char *argv[]) {
check_result(result, "isc_stdio_close");
removefile = ISC_FALSE;
result = isc_file_rename(tempfile, output);
if (result != ISC_R_SUCCESS)
fatal("failed to rename temp file to %s: %s",
output, isc_result_totext(result));
printf("%s\n", output);
if (vresult == ISC_R_SUCCESS) {
result = isc_file_rename(tempfile, output);
if (result != ISC_R_SUCCESS) {
fatal("failed to rename temp file to %s: %s",
output, isc_result_totext(result));
}
printf("%s\n", output);
} else {
isc_file_remove(tempfile);
}
}
dns_db_closeversion(gdb, &gversion, ISC_FALSE);
......@@ -3985,5 +3998,5 @@ main(int argc, char *argv[]) {
#ifdef _WIN32
DestroySockets();
#endif
return (0);
return (vresult == ISC_R_SUCCESS ? 0 : 1);
}
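Review bot: In the new `else` branch of the rename hunk, the return value of `isc_file_remove(tempfile)` is dropped, so a zone that failed verification can stay on disk as the temp file with no diagnostic. `removefile` is set to `ISC_FALSE` just before, so it looks as though nothing later would clean it up, although the cleanup code is outside the hunk. I would keep the result and report a failure: `result = isc_file_remove(tempfile);` followed by `if (result != ISC_R_SUCCESS) fprintf(stderr, "failed to remove temp file %s: %s\n", tempfile, isc_result_totext(result));`. The block holding the rename starts outside the hunk; if it is the non-stdout path, then in stdout mode the unverified zone has presumably already been written to stdout and the non-zero exit status is the only signal, which deserves a comment at the final `return`.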
......@@ -323,8 +323,8 @@ main(int argc, char *argv[]) {
result = dns_db_newversion(gdb, &gversion);
check_result(result, "dns_db_newversion()");
dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin, mctx,
ignore_kskflag, keyset_kskonly);
result = dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin, mctx,
ignore_kskflag, keyset_kskonly);
dns_db_closeversion(gdb, &gversion, ISC_FALSE);
dns_db_detach(&gdb);
......@@ -338,5 +338,5 @@ main(int argc, char *argv[]) {
(void) isc_app_finish();
return (0);
return (result == ISC_R_SUCCESS ? 0 : 1);
}
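Review bot: The verification result is stored in the general-purpose `result` and only consumed at `return (result == ISC_R_SUCCESS ? 0 : 1);`, with code between the two hunks that is not visible here. Any later assignment to `result` in that stretch would silently overwrite a verification failure and the tool would exit 0. dnssec-signzone.c uses a dedicated `vresult` for this in the same commit; doing the same here (`isc_result_t result, vresult;`, `vresult = dns_zoneverify_dnssec(...)`, `return (vresult == ISC_R_SUCCESS ? 0 : 1);`) keeps the exit status tied to verification only. main() starts outside these hunks.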
......@@ -31,7 +31,7 @@ ISC_LANG_BEGINDECLS
* The rest of the zone was signed with at least one of the ZSKs
* present in the DNSKEY RRSET.
*/
void
isc_result_t
dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
dns_name_t *origin, isc_mem_t *mctx,
isc_boolean_t ignore_kskflag,
......
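Review bot: The doc comment above the prototype is not updated for the new `isc_result_t` return type, at least in the part visible in this hunk, while callers now base their exit status and the decision to keep the signed output on this value. I would add a short Returns section, e.g. `* Returns: ISC_R_SUCCESS if the zone verified; any other result if verification failed or could not be set up.` The comment begins above the hunk, so check that it does not already state this.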
......@@ -1809,7 +1809,7 @@ print_summary(const vctx_t *vctx, isc_boolean_t keyset_kskonly) {
}
}
void
isc_result_t
dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
dns_name_t *origin, isc_mem_t *mctx,
isc_boolean_t ignore_kskflag,
......@@ -1820,7 +1820,7 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
result = vctx_init(&vctx, mctx, zone, db, ver, origin);
if (result != ISC_R_SUCCESS) {
return;
return (result);
}
result = check_apex_rrsets(&vctx);
......@@ -1879,4 +1879,6 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
done:
vctx_destroy(&vctx);
return (result);
}
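Review bot: `return (result);` after `done:` reports whatever `result` held when control reached the label, and the body between `check_apex_rrsets()` and `done:` is outside the hunks, so it cannot be confirmed here that every verification failure leaves a non-success code in `result`. Callers now use the return value as the exit status and to decide whether the signed zone is kept, so any path that records an error only in `vctx` state or printed output and then reaches `done:` would be reported as success. It is worth auditing each `goto done` and the fall-through path, and adding a comment at the label such as `/* result must be != ISC_R_SUCCESS on every verification failure */`.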