Commit b3d2ab44 authored by Michał Kępień's avatar Michał Kępień

Extract check_bad_algorithms() from dns_zoneverify_dnssec()

Extract the part of dns_zoneverify_dnssec() responsible for checking
whether the zone is fully signed using all active algorithms to a
separate function.
parent eb17957c
...@@ -1473,6 +1473,28 @@ verify_nodes(vctx_t *vctx, isc_result_t *vresult) { ...@@ -1473,6 +1473,28 @@ verify_nodes(vctx_t *vctx, isc_result_t *vresult) {
dns_dbiterator_destroy(&dbiter); dns_dbiterator_destroy(&dbiter);
} }
static void
check_bad_algorithms(const vctx_t *vctx) {
char algbuf[DNS_SECALG_FORMATSIZE];
isc_boolean_t first = ISC_TRUE;
int i;
for (i = 0; i < 256; i++) {
if (vctx->bad_algorithms[i] != 0) {
if (first)
fprintf(stderr, "The zone is not fully signed "
"for the following algorithms:");
dns_secalg_format(i, algbuf, sizeof(algbuf));
fprintf(stderr, " %s", algbuf);
first = ISC_FALSE;
}
}
if (!first) {
fprintf(stderr, ".\n");
fatal("DNSSEC completeness test failed.");
}
}
void void
dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
dns_name_t *origin, isc_mem_t *mctx, dns_name_t *origin, isc_mem_t *mctx,
...@@ -1481,7 +1503,6 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, ...@@ -1481,7 +1503,6 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
{ {
char algbuf[80]; char algbuf[80];
int i; int i;
isc_boolean_t first = ISC_TRUE;
isc_result_t result, vresult = ISC_R_UNSET; isc_result_t result, vresult = ISC_R_UNSET;
vctx_t vctx; vctx_t vctx;
...@@ -1511,24 +1532,7 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, ...@@ -1511,24 +1532,7 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
if (result != ISC_R_SUCCESS && vresult == ISC_R_SUCCESS) if (result != ISC_R_SUCCESS && vresult == ISC_R_SUCCESS)
vresult = result; vresult = result;
/* check_bad_algorithms(&vctx);
* If we made it this far, we have what we consider a properly signed
* zone. Set the good flag.
*/
for (i = 0; i < 256; i++) {
if (vctx.bad_algorithms[i] != 0) {
if (first)
fprintf(stderr, "The zone is not fully signed "
"for the following algorithms:");
dns_secalg_format(i, algbuf, sizeof(algbuf));
fprintf(stderr, " %s", algbuf);
first = ISC_FALSE;
}
}
if (!first) {
fprintf(stderr, ".\n");
fatal("DNSSEC completeness test failed.");
}
if (vresult != ISC_R_SUCCESS) if (vresult != ISC_R_SUCCESS)
fatal("DNSSEC completeness test failed (%s).", fatal("DNSSEC completeness test failed (%s).",
......
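Review bot: The new check_bad_algorithms() has no comment saying that it ends in fatal() when any entry of vctx->bad_algorithms is non-zero, so a reader of dns_zoneverify_dnssec() cannot tell from the bare `check_bad_algorithms(&vctx);` call that it may stop the run before the `vresult` check below it. I would add above the definition `/* Print every algorithm flagged in vctx->bad_algorithms to stderr and call fatal() if there is at least one. */`. The loop bound `256` is also a bare literal; if bad_algorithms is an array member of vctx_t (its declaration is outside this diff), `sizeof(vctx->bad_algorithms) / sizeof(vctx->bad_algorithms[0])` would keep the bound tied to the array. The context lines still declare `char algbuf[80];` and `int i;` in dns_zoneverify_dnssec(), whose body continues outside the hunks, so it is worth confirming both are still used after the extraction.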