Commit 4354f44d authored by Michał Kępień's avatar Michał Kępień

Do not call exit() upon verify_nodes() errors

Replace all fatal(), check_result(), and check_dns_dbiterator_current()
calls inside verify_nodes() with zoneverify_log_error() calls and error
handling code.  Enable verify_nodes() to signal errors to the caller
using its return value.

Modify the call site of verify_nodes() so that its errors are properly
handled.

Free all heap elements upon verification context cleanup as a
verification error may prevent them from being freed elsewhere.

Remove the check_dns_dbiterator_current() macro as it is no longer used
anywhere in lib/dns/zoneverify.c.
parent 00ecbad2
...@@ -50,10 +50,6 @@ ...@@ -50,10 +50,6 @@
#include <isc/types.h> #include <isc/types.h>
#include <isc/util.h> #include <isc/util.h>
#define check_dns_dbiterator_current(result) \
check_result((result == DNS_R_NEWORIGIN) ? ISC_R_SUCCESS : result, \
"dns_dbiterator_current()")
typedef struct vctx { typedef struct vctx {
isc_mem_t * mctx; isc_mem_t * mctx;
dns_zone_t * zone; dns_zone_t * zone;
...@@ -920,6 +916,14 @@ free_element(isc_mem_t *mctx, struct nsec3_chain_fixed *e) { ...@@ -920,6 +916,14 @@ free_element(isc_mem_t *mctx, struct nsec3_chain_fixed *e) {
isc_mem_put(mctx, e, len); isc_mem_put(mctx, e, len);
} }
static void
free_element_heap(void *element, void *uap) {
struct nsec3_chain_fixed *e = (struct nsec3_chain_fixed *)element;
isc_mem_t *mctx = (isc_mem_t *)uap;
free_element(mctx, e);
}
static isc_boolean_t static isc_boolean_t
checknext(const struct nsec3_chain_fixed *first, checknext(const struct nsec3_chain_fixed *first,
const struct nsec3_chain_fixed *e) const struct nsec3_chain_fixed *e)
...@@ -1151,7 +1155,9 @@ vctx_destroy(vctx_t *vctx) { ...@@ -1151,7 +1155,9 @@ vctx_destroy(vctx_t *vctx) {
if (dns_rdataset_isassociated(&vctx->nsec3paramsigs)) { if (dns_rdataset_isassociated(&vctx->nsec3paramsigs)) {
dns_rdataset_disassociate(&vctx->nsec3paramsigs); dns_rdataset_disassociate(&vctx->nsec3paramsigs);
} }
isc_heap_foreach(vctx->expected_chains, free_element_heap, vctx->mctx);
isc_heap_destroy(&vctx->expected_chains); isc_heap_destroy(&vctx->expected_chains);
isc_heap_foreach(vctx->found_chains, free_element_heap, vctx->mctx);
isc_heap_destroy(&vctx->found_chains); isc_heap_destroy(&vctx->found_chains);
} }
...@@ -1413,7 +1419,7 @@ determine_active_algorithms(vctx_t *vctx, isc_boolean_t ignore_kskflag, ...@@ -1413,7 +1419,7 @@ determine_active_algorithms(vctx_t *vctx, isc_boolean_t ignore_kskflag,
* Check that all the records not yet verified were signed by keys that are * Check that all the records not yet verified were signed by keys that are
* present in the DNSKEY RRset. * present in the DNSKEY RRset.
*/ */
static void static isc_result_t
verify_nodes(vctx_t *vctx, isc_result_t *vresult) { verify_nodes(vctx_t *vctx, isc_result_t *vresult) {
dns_fixedname_t fname, fnextname, fprevname, fzonecut; dns_fixedname_t fname, fnextname, fprevname, fzonecut;
dns_name_t *name, *nextname, *prevname, *zonecut; dns_name_t *name, *nextname, *prevname, *zonecut;
...@@ -1430,24 +1436,42 @@ verify_nodes(vctx_t *vctx, isc_result_t *vresult) { ...@@ -1430,24 +1436,42 @@ verify_nodes(vctx_t *vctx, isc_result_t *vresult) {
zonecut = NULL; zonecut = NULL;
result = dns_db_createiterator(vctx->db, DNS_DB_NONSEC3, &dbiter); result = dns_db_createiterator(vctx->db, DNS_DB_NONSEC3, &dbiter);
check_result(result, "dns_db_createiterator()"); if (result != ISC_R_SUCCESS) {
zoneverify_log_error(vctx, "dns_db_createiterator(): %s",
isc_result_totext(result));
return (result);
}
result = dns_dbiterator_first(dbiter); result = dns_dbiterator_first(dbiter);
check_result(result, "dns_dbiterator_first()"); if (result != ISC_R_SUCCESS) {
zoneverify_log_error(vctx, "dns_dbiterator_first(): %s",
isc_result_totext(result));
goto done;
}
while (!done) { while (!done) {
isc_boolean_t isdelegation = ISC_FALSE; isc_boolean_t isdelegation = ISC_FALSE;
result = dns_dbiterator_current(dbiter, &node, name); result = dns_dbiterator_current(dbiter, &node, name);
check_dns_dbiterator_current(result); if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
zoneverify_log_error(vctx,
"dns_dbiterator_current(): %s",
isc_result_totext(result));
goto done;
}
if (!dns_name_issubdomain(name, vctx->origin)) { if (!dns_name_issubdomain(name, vctx->origin)) {
check_no_nsec(vctx, name, node); check_no_nsec(vctx, name, node);
dns_db_detachnode(vctx->db, &node); dns_db_detachnode(vctx->db, &node);
result = dns_dbiterator_next(dbiter); result = dns_dbiterator_next(dbiter);
if (result == ISC_R_NOMORE) if (result == ISC_R_NOMORE) {
done = ISC_TRUE; done = ISC_TRUE;
else } else if (result != ISC_R_SUCCESS) {
check_result(result, "dns_dbiterator_next()"); zoneverify_log_error(
vctx,
"dns_dbiterator_next(): %s",
isc_result_totext(result));
goto done;
}
continue; continue;
} }
if (is_delegation(vctx, name, node, NULL)) { if (is_delegation(vctx, name, node, NULL)) {
...@@ -1463,7 +1487,16 @@ verify_nodes(vctx_t *vctx, isc_result_t *vresult) { ...@@ -1463,7 +1487,16 @@ verify_nodes(vctx_t *vctx, isc_result_t *vresult) {
while (result == ISC_R_SUCCESS) { while (result == ISC_R_SUCCESS) {
result = dns_dbiterator_current(dbiter, &nextnode, result = dns_dbiterator_current(dbiter, &nextnode,
nextname); nextname);
check_dns_dbiterator_current(result); if (result != ISC_R_SUCCESS &&
result != DNS_R_NEWORIGIN)
{
zoneverify_log_error(
vctx,
"dns_dbiterator_current(): %s",
isc_result_totext(result));
dns_db_detachnode(vctx->db, &node);
goto done;
}
if (!dns_name_issubdomain(nextname, vctx->origin) || if (!dns_name_issubdomain(nextname, vctx->origin) ||
(zonecut != NULL && (zonecut != NULL &&
dns_name_issubdomain(nextname, zonecut))) dns_name_issubdomain(nextname, zonecut)))
...@@ -1484,9 +1517,14 @@ verify_nodes(vctx_t *vctx, isc_result_t *vresult) { ...@@ -1484,9 +1517,14 @@ verify_nodes(vctx_t *vctx, isc_result_t *vresult) {
if (result == ISC_R_NOMORE) { if (result == ISC_R_NOMORE) {
done = ISC_TRUE; done = ISC_TRUE;
nextname = vctx->origin; nextname = vctx->origin;
} else if (result != ISC_R_SUCCESS) } else if (result != ISC_R_SUCCESS) {
fatal("iterating through the database failed: %s", zoneverify_log_error(vctx,
isc_result_totext(result)); "iterating through the database "
"failed: %s",
isc_result_totext(result));
dns_db_detachnode(vctx->db, &node);
goto done;
}
result = verifynode(vctx, name, node, isdelegation, result = verifynode(vctx, name, node, isdelegation,
&vctx->keyset, &vctx->nsecset, &vctx->keyset, &vctx->nsecset,
&vctx->nsec3paramset, nextname); &vctx->nsec3paramset, nextname);
...@@ -1509,21 +1547,40 @@ verify_nodes(vctx_t *vctx, isc_result_t *vresult) { ...@@ -1509,21 +1547,40 @@ verify_nodes(vctx_t *vctx, isc_result_t *vresult) {
dns_dbiterator_destroy(&dbiter); dns_dbiterator_destroy(&dbiter);
result = dns_db_createiterator(vctx->db, DNS_DB_NSEC3ONLY, &dbiter); result = dns_db_createiterator(vctx->db, DNS_DB_NSEC3ONLY, &dbiter);
check_result(result, "dns_db_createiterator()"); if (result != ISC_R_SUCCESS) {
zoneverify_log_error(vctx, "dns_db_createiterator(): %s",
isc_result_totext(result));
return (result);
}
for (result = dns_dbiterator_first(dbiter); for (result = dns_dbiterator_first(dbiter);
result == ISC_R_SUCCESS; result == ISC_R_SUCCESS;
result = dns_dbiterator_next(dbiter) ) { result = dns_dbiterator_next(dbiter) ) {
result = dns_dbiterator_current(dbiter, &node, name); result = dns_dbiterator_current(dbiter, &node, name);
check_dns_dbiterator_current(result); if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
zoneverify_log_error(vctx,
"dns_dbiterator_current(): %s",
isc_result_totext(result));
goto done;
}
result = verifynode(vctx, name, node, ISC_FALSE, &vctx->keyset, result = verifynode(vctx, name, node, ISC_FALSE, &vctx->keyset,
NULL, NULL, NULL); NULL, NULL, NULL);
check_result(result, "verifynode"); if (result != ISC_R_SUCCESS) {
zoneverify_log_error(vctx, "verifynode: %s",
isc_result_totext(result));
dns_db_detachnode(vctx->db, &node);
goto done;
}
record_found(vctx, name, node, &vctx->nsec3paramset); record_found(vctx, name, node, &vctx->nsec3paramset);
dns_db_detachnode(vctx->db, &node); dns_db_detachnode(vctx->db, &node);
} }
result = ISC_R_SUCCESS;
done:
dns_dbiterator_destroy(&dbiter); dns_dbiterator_destroy(&dbiter);
return (result);
} }
static isc_result_t static isc_result_t
...@@ -1616,7 +1673,10 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, ...@@ -1616,7 +1673,10 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
determine_active_algorithms(&vctx, ignore_kskflag, keyset_kskonly); determine_active_algorithms(&vctx, ignore_kskflag, keyset_kskonly);
verify_nodes(&vctx, &vresult); result = verify_nodes(&vctx, &vresult);
if (result != ISC_R_SUCCESS) {
goto done;
}
result = verify_nsec3_chains(&vctx, mctx); result = verify_nsec3_chains(&vctx, mctx);
if (vresult == ISC_R_UNSET) if (vresult == ISC_R_UNSET)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment