Extract verify_nodes() from dns_zoneverify_dnssec()

Extract the part of dns_zoneverify_dnssec() responsible for verifying
DNSSEC signatures against the DNSKEY RRset at zone apex and checking
consistency of NSEC/NSEC3 chains to a separate function.

lib/dns/zoneverify.c

@@ -1356,45 +1356,18 @@ determine_active_algorithms(vctx_t *vctx, isc_boolean_t ignore_kskflag,
 	}
 }
 
-void
-dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
-		      dns_name_t *origin, isc_mem_t *mctx,
-		      isc_boolean_t ignore_kskflag,
-		      isc_boolean_t keyset_kskonly)
-{
-	char algbuf[80];
-	dns_dbiterator_t *dbiter = NULL;
-	dns_dbnode_t *node = NULL, *nextnode = NULL;
+/*%
+ * Check that all the records not yet verified were signed by keys that are
+ * present in the DNSKEY RRset.
+ */
+static void
+verify_nodes(vctx_t *vctx, isc_result_t *vresult) {
 	dns_fixedname_t fname, fnextname, fprevname, fzonecut;
 	dns_name_t *name, *nextname, *prevname, *zonecut;
-	int i;
+	dns_dbnode_t *node = NULL, *nextnode;
+	dns_dbiterator_t *dbiter = NULL;
 	isc_boolean_t done = ISC_FALSE;
-	isc_boolean_t first = ISC_TRUE;
-	isc_result_t result, vresult = ISC_R_UNSET;
-	vctx_t vctx;
-
-	result = vctx_init(&vctx, mctx, zone, db, ver, origin);
-	if (result != ISC_R_SUCCESS) {
-		return;
-	}
-
-	check_apex_rrsets(&vctx);
-
-	check_dnskey(&vctx);
-
-	if (ignore_kskflag ) {
-		if (!vctx.goodksk && !vctx.goodzsk)
-			fatal("No self-signed DNSKEY found.");
-	} else if (!vctx.goodksk)
-		fatal("No self-signed KSK DNSKEY found.  Supply an active\n"
-		      "key with the KSK flag set, or use '-P'.");
-
-	determine_active_algorithms(&vctx, ignore_kskflag, keyset_kskonly);
-
-	/*
-	 * Check that all the other records were signed by keys that are
-	 * present in the DNSKEY RRSET.
-	 */
+	isc_result_t result;
 
 	name = dns_fixedname_initname(&fname);
 	nextname = dns_fixedname_initname(&fnextname);
@@ -1403,7 +1376,7 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 	dns_fixedname_init(&fzonecut);
 	zonecut = NULL;
 
-	result = dns_db_createiterator(vctx.db, DNS_DB_NONSEC3, &dbiter);
+	result = dns_db_createiterator(vctx->db, DNS_DB_NONSEC3, &dbiter);
 	check_result(result, "dns_db_createiterator()");
 
 	result = dns_dbiterator_first(dbiter);
@@ -1414,9 +1387,9 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 
 		result = dns_dbiterator_current(dbiter, &node, name);
 		check_dns_dbiterator_current(result);
-		if (!dns_name_issubdomain(name, vctx.origin)) {
-			check_no_nsec(&vctx, name, node);
-			dns_db_detachnode(vctx.db, &node);
+		if (!dns_name_issubdomain(name, vctx->origin)) {
+			check_no_nsec(vctx, name, node);
+			dns_db_detachnode(vctx->db, &node);
 			result = dns_dbiterator_next(dbiter);
 			if (result == ISC_R_NOMORE)
 				done = ISC_TRUE;
@@ -1424,11 +1397,11 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 				check_result(result, "dns_dbiterator_next()");
 			continue;
 		}
-		if (is_delegation(&vctx, name, node, NULL)) {
+		if (is_delegation(vctx, name, node, NULL)) {
 			zonecut = dns_fixedname_name(&fzonecut);
 			dns_name_copy(name, zonecut, NULL);
 			isdelegation = ISC_TRUE;
-		} else if (has_dname(&vctx, node)) {
+		} else if (has_dname(vctx, node)) {
 			zonecut = dns_fixedname_name(&fzonecut);
 			dns_name_copy(name, zonecut, NULL);
 		}
@@ -1438,51 +1411,51 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 			result = dns_dbiterator_current(dbiter, &nextnode,
 							nextname);
 			check_dns_dbiterator_current(result);
-			if (!dns_name_issubdomain(nextname, vctx.origin) ||
+			if (!dns_name_issubdomain(nextname, vctx->origin) ||
 			    (zonecut != NULL &&
 			     dns_name_issubdomain(nextname, zonecut)))
 			{
-				check_no_nsec(&vctx, nextname, nextnode);
-				dns_db_detachnode(vctx.db, &nextnode);
+				check_no_nsec(vctx, nextname, nextnode);
+				dns_db_detachnode(vctx->db, &nextnode);
 				result = dns_dbiterator_next(dbiter);
 				continue;
 			}
-			if (is_empty(&vctx, nextnode)) {
-				dns_db_detachnode(vctx.db, &nextnode);
+			if (is_empty(vctx, nextnode)) {
+				dns_db_detachnode(vctx->db, &nextnode);
 				result = dns_dbiterator_next(dbiter);
 				continue;
 			}
-			dns_db_detachnode(vctx.db, &nextnode);
+			dns_db_detachnode(vctx->db, &nextnode);
 			break;
 		}
 		if (result == ISC_R_NOMORE) {
 			done = ISC_TRUE;
-			nextname = vctx.origin;
+			nextname = vctx->origin;
 		} else if (result != ISC_R_SUCCESS)
 			fatal("iterating through the database failed: %s",
 			      isc_result_totext(result));
-		result = verifynode(&vctx, name, node, isdelegation,
-				    &vctx.keyset, &vctx.nsecset,
-				    &vctx.nsec3paramset, nextname);
-		if (vresult == ISC_R_UNSET)
-			vresult = ISC_R_SUCCESS;
-		if (vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS)
-			vresult = result;
+		result = verifynode(vctx, name, node, isdelegation,
+				    &vctx->keyset, &vctx->nsecset,
+				    &vctx->nsec3paramset, nextname);
+		if (*vresult == ISC_R_UNSET)
+			*vresult = ISC_R_SUCCESS;
+		if (*vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS)
+			*vresult = result;
 		if (prevname != NULL) {
-			result = verifyemptynodes(&vctx, name, prevname,
+			result = verifyemptynodes(vctx, name, prevname,
 						  isdelegation,
-						  &vctx.nsec3paramset);
+						  &vctx->nsec3paramset);
 		} else
 			prevname = dns_fixedname_name(&fprevname);
 		dns_name_copy(name, prevname, NULL);
-		if (vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS)
-			vresult = result;
-		dns_db_detachnode(vctx.db, &node);
+		if (*vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS)
+			*vresult = result;
+		dns_db_detachnode(vctx->db, &node);
 	}
 
 	dns_dbiterator_destroy(&dbiter);
 
-	result = dns_db_createiterator(vctx.db, DNS_DB_NSEC3ONLY, &dbiter);
+	result = dns_db_createiterator(vctx->db, DNS_DB_NSEC3ONLY, &dbiter);
 	check_result(result, "dns_db_createiterator()");
 
 	for (result = dns_dbiterator_first(dbiter);
@@ -1490,13 +1463,47 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 	     result = dns_dbiterator_next(dbiter) ) {
 		result = dns_dbiterator_current(dbiter, &node, name);
 		check_dns_dbiterator_current(result);
-		result = verifynode(&vctx, name, node, ISC_FALSE, &vctx.keyset,
+		result = verifynode(vctx, name, node, ISC_FALSE, &vctx->keyset,
 				    NULL, NULL, NULL);
 		check_result(result, "verifynode");
-		record_found(&vctx, name, node, &vctx.nsec3paramset);
-		dns_db_detachnode(vctx.db, &node);
+		record_found(vctx, name, node, &vctx->nsec3paramset);
+		dns_db_detachnode(vctx->db, &node);
 	}
+
 	dns_dbiterator_destroy(&dbiter);
+}
+
+void
+dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+		      dns_name_t *origin, isc_mem_t *mctx,
+		      isc_boolean_t ignore_kskflag,
+		      isc_boolean_t keyset_kskonly)
+{
+	char algbuf[80];
+	int i;
+	isc_boolean_t first = ISC_TRUE;
+	isc_result_t result, vresult = ISC_R_UNSET;
+	vctx_t vctx;
+
+	result = vctx_init(&vctx, mctx, zone, db, ver, origin);
+	if (result != ISC_R_SUCCESS) {
+		return;
+	}
+
+	check_apex_rrsets(&vctx);
+
+	check_dnskey(&vctx);
+
+	if (ignore_kskflag ) {
+		if (!vctx.goodksk && !vctx.goodzsk)
+			fatal("No self-signed DNSKEY found.");
+	} else if (!vctx.goodksk)
+		fatal("No self-signed KSK DNSKEY found.  Supply an active\n"
+		      "key with the KSK flag set, or use '-P'.");
+
+	determine_active_algorithms(&vctx, ignore_kskflag, keyset_kskonly);
+
+	verify_nodes(&vctx, &vresult);
 
 	result = verify_nsec3_chains(&vctx, mctx);
 	if (vresult == ISC_R_UNSET)