1. 15 Jun, 2018 39 commits
    • Michał Kępień's avatar
      8649c59a
    • Constify function arguments throughout lib/dns/zoneverify.c · c094d1e4
      Michał Kępień authored
      Where possible, apply the const qualifier to arguments of functions
      present in lib/dns/zoneverify.c.
    • Propagate dns_zoneverify_dnssec() errors to callers · 24bca1c4
      Michał Kępień authored
      Since exit() is no longer called upon any dns_zoneverify_dnssec() error,
      verification failures should be signalled to callers.  Make
      dns_zoneverify_dnssec() return an isc_result_t and handle both success
      and error appropriately in bin/dnssec/dnssec-signzone.c and
      bin/dnssec/dnssec-verify.c.  This enables memory leak detection during
      shutdown of these tools and causes dnssec-signzone to print signing
      statistics even when zone verification fails.
    • Remove fatal() and check_result() from lib/dns/zoneverify.c · a7ae6157
      Michał Kępień authored
      Since no function in lib/dns/zoneverify.c uses fatal() or check_result()
      any more, remove them.
    • Replace remaining fprintf() calls with zoneverify_*() calls · 5609472f
      Michał Kępień authored
      Replace all fprintf() calls inside lib/dns/zoneverify.c, but outside of
      zoneverify_log_error() and zoneverify_print() with calls to these
      functions.
    • Properly handle record_found() errors · 11a552a6
      Michał Kępień authored
      record_found() returns an isc_result_t, but its value is not checked.
      Modify the only call site of record_found() so that its errors are
      properly handled.
    • Do not call exit() upon dns_zoneverify_dnssec() errors · 5ac14cb7
      Michał Kępień authored
      Replace the remaining fatal() calls inside dns_zoneverify_dnssec() with
      zoneverify_log_error() and zoneverify_print() calls, ensuring proper
      cleanup.
    • Do not call exit() upon record_nsec3() errors · bf65f729
      Michał Kępień authored
      Replace the fprintf() call inside record_nsec3() with a
      zoneverify_log_error() call.  Remove the "mctx" argument of
      record_nsec3() as it can be extracted from "vctx".
      
      Modify one of the record_nsec3() call sites so that its errors are
      properly handled.
    • Do not call exit() upon match_nsec3() errors · 0d07de92
      Michał Kępień authored
      Make match_nsec3() return the verification result through a separate
      pointer, thus making it possible to signal errors using function
      return value.  Replace all check_result() and fprintf() calls inside
      match_nsec3() with zoneverify_log_error() calls and error handling code.
      
      Modify all call sites of match_nsec3() so that its errors are properly
      handled.
    • Do not call exit() upon isoptout() errors · 0ed3a2b2
      Michał Kępień authored
      Replace all check_result() calls inside isoptout() with
      zoneverify_log_error() calls and error handling code.  Enable isoptout()
      to signal errors to the caller using its return value.
      
      Modify the call site of isoptout() so that its errors are properly
      handled.
    • Do not call exit() upon NSEC3 verification errors · c76fcdd2
      Michał Kępień authored
      Make verifynsec3(), verifynsec3s(), and verifyemptynodes() return the
      verification result through a separate pointer, thus making it possible
      to signal errors using function return values.  Replace all
      check_result() and fprintf() calls inside these functions with
      zoneverify_log_error() calls and error handling code.
      
      Modify all call sites of verifynsec3(), verifynsec3s(), and
      verifyemptynodes() so that their errors are properly handled.
    • Do not call exit() upon verifynsec() errors · 84486911
      Michał Kępień authored
      Make verifynsec() return the verification result through a separate
      pointer, thus making it possible to signal errors using function
      return value.  Replace all check_result() and fprintf() calls inside
      verifynsec() with zoneverify_log_error() calls and error handling code.
      
      Modify the call site of verifynsec() so that its errors are properly
      handled.
      
      Rename "tresult" to "tvresult" in order to improve variable naming
      consistency between functions.
    • Do not call exit() upon check_no_rrsig() errors · 0ed9ec49
      Michał Kępień authored
      Replace all check_result() and fprintf() calls inside check_no_rrsig()
      with zoneverify_log_error() calls and error handling code.  Enable
      check_no_rrsig() to signal errors to the caller using its return
      value.
      
      Modify the call site of check_no_rrsig() so that its errors are properly
      handled.
      
      Define buffer size using a named constant rather than a plain integer.
    • Do not call exit() upon verifyset() errors · 30e837f3
      Michał Kępień authored
      Replace all check_result() and fprintf() calls inside verifyset() with
      zoneverify_log_error() calls and error handling code.  Enable
      verifyset() to signal errors to the caller using its return value.
      
      Modify the call site of verifyset() so that its errors are properly
      handled.
      
      Define buffer sizes using named constants rather than plain integers.
    • Do not call exit() upon verifynode() errors · d782fcc6
      Michał Kępień authored
      Make verifynode() return the verification result through a separate
      pointer, thus making it possible to signal errors using function
      return value.  Replace all fatal() and check_result() calls inside
      verifynode() with zoneverify_log_error() calls and error handling code.
      Add a REQUIRE assertion to emphasize verifynode() may be called with
      some of its arguments set to NULL.
      
      Modify all call sites of verifynode() so that its errors are properly
      handled.
    • Do not call exit() upon is_empty() errors · 7a996f0c
      Michał Kępień authored
      Replace the check_result() call inside is_empty() with a
      zoneverify_log_error() call and error handling code.  Enable is_empty()
      to signal errors to the caller using its return value.
      
      Modify the call site of is_empty() so that its errors are properly
      handled.
    • Do not call exit() upon check_no_nsec() errors · 04038baf
      Michał Kępień authored
      Replace the fatal() call inside check_no_nsec() with a
      zoneverify_log_error() call.  Enable check_no_nsec() to signal errors to
      the caller using its return value.
      
      Modify all call sites of check_no_nsec() so that its errors are properly
      handled.
    • Do not call exit() upon verify_nodes() errors · 4354f44d
      Michał Kępień authored
      Replace all fatal(), check_result(), and check_dns_dbiterator_current()
      calls inside verify_nodes() with zoneverify_log_error() calls and error
      handling code.  Enable verify_nodes() to signal errors to the caller
      using its return value.
      
      Modify the call site of verify_nodes() so that its errors are properly
      handled.
      
      Free all heap elements upon verification context cleanup as a
      verification error may prevent them from being freed elsewhere.
      
      Remove the check_dns_dbiterator_current() macro as it is no longer used
      anywhere in lib/dns/zoneverify.c.
    • Do not call exit() upon check_bad_algorithms() errors · 00ecbad2
      Michał Kępień authored
      Replace all fatal() and fprintf() calls inside check_bad_algorithms()
      with zoneverify_print() calls and error handling code.  Enable
      check_bad_algorithms() to signal errors to the caller using its return
      value.
      
      Modify the call site of check_bad_algorithms() so that its errors are
      properly handled.
    • Do not call exit() upon check_dnskey() errors · 7c3f6531
      Michał Kępień authored
      Replace all fatal() and check_result() calls inside check_dnskey() with
      zoneverify_log_error() calls and error handling code.  Enable
      check_dnskey() to signal errors to the caller using its return value.
      
      Modify the call site of check_dnskey() so that its errors are properly
      handled.
    • Do not call exit() upon check_apex_rrsets() errors · 1a6525ff
      Michał Kępień authored
      Replace all fatal() calls inside check_apex_rrsets() with
      zoneverify_log_error() calls and error handling code.  Enable
      check_apex_rrsets() to signal errors to the caller using its return
      value.
      
      Modify the call site of check_apex_rrsets() so that its errors are
      properly handled.
    • Use RUNTIME_CHECK instead of check_result() where it is safe to do so · ee061820
      Michał Kępień authored
      Replace calls to check_result() with RUNTIME_CHECK assertions for all
      dns_rdata_tostruct() calls in lib/dns/zoneverify.c as this function
      cannot fail when the "mctx" argument is NULL (and that is the case for
      all call sites of this function throughout lib/dns/zoneverify.c).
    • Extract print_summary() from dns_zoneverify_dnssec() · fc6b5ad5
      Michał Kępień authored
      Extract the part of dns_zoneverify_dnssec() responsible for printing a
      summary for a fully signed zone to a separate function.
    • Extract check_bad_algorithms() from dns_zoneverify_dnssec() · b3d2ab44
      Michał Kępień authored
      Extract the part of dns_zoneverify_dnssec() responsible for checking
      whether the zone is fully signed using all active algorithms to a
      separate function.
    • Extract verify_nodes() from dns_zoneverify_dnssec() · eb17957c
      Michał Kępień authored
      Extract the part of dns_zoneverify_dnssec() responsible for verifying
      DNSSEC signatures against the DNSKEY RRset at zone apex and checking
      consistency of NSEC/NSEC3 chains to a separate function.
    • Extract determine_active_algorithms() from dns_zoneverify_dnssec() · dc81d8cb
      Michał Kępień authored
      Extract the part of dns_zoneverify_dnssec() responsible for determining
      and printing a list of DNSSEC algorithms active in the verified zone to
      a separate function.
    • Extract check_dnskey_sigs() from check_dnskey() · f06a755d
      Michał Kępień authored
      Extract the part of check_dnskey() responsible for determining active
      algorithms in the verified zone based on the signatures at zone apex to
      a separate function.
    • Extract check_dnskey() from dns_zoneverify_dnssec() · d4f3b14c
      Michał Kępień authored
      Extract the part of dns_zoneverify_dnssec() responsible for checking the
      DNSKEY RRset at zone apex to a separate function.
    • Extract check_apex_rrsets() from dns_zoneverify_dnssec() · 097b5774
      Michał Kępień authored
      Extract the part of dns_zoneverify_dnssec() responsible for fetching and
      preliminarily checking DNSKEY, SOA, NSEC, and NSEC3PARAM RRsets from
      zone apex to a separate function.
    • Implement zoneverify_log_error() and zoneverify_print() · d949a5d8
      Michał Kępień authored
      These functions will be used in the process of replacing fatal(),
      check_result(), and fprintf() calls throughout lib/dns/zoneverify.c with
      code that does not call exit().  They are intended for:
      
        - zoneverify_log_error(): logging problems encountered while
          performing zone verification,
      
        - zoneverify_print(): printing status messages and reports which are
          only useful in standalone tools.
      
      To make using dns_zone_logv() possible, add a new "zone" argument to
      dns_zoneverify_dnssec() that standalone tools are expected to set to
      NULL.
    • Move algorithm tables to the verification context structure · 730cc3e3
      Michał Kępień authored
      Tables representing algorithm use in the verified zone are commonly
      accessed throughout dns_zoneverify_dnssec().  Move them into the
      structure representing a verification context.  While this does not
      really simplify currently existing code, it will facilitate passing data
      around between smaller functions that dns_zoneverify_dnssec() is about
      to get split into.
    • Move commonly used dns_rdataset_t structures to the verification context structure · 5d666f53
      Michał Kępień authored
      Eight structures representing four RRsets and their signatures are
      commonly accessed throughout dns_zoneverify_dnssec().  Move them into
      the structure representing a verification context.  While this does not
      really simplify currently existing code, it will facilitate passing data
      around between smaller functions that dns_zoneverify_dnssec() is about
      to get split into.
    • Move commonly used variables to the verification context structure · 43d0fb84
      Michał Kępień authored
      Move variables commonly used throughout dns_zoneverify_dnssec() and its
      helper functions to the structure representing a verification context in
      order to reduce the number of arguments passed between functions.
    • Do not use static variables in lib/dns/zoneverify.c · ffc79977
      Michał Kępień authored
      Make dns_zoneverify_dnssec() eligible for multithreaded use by replacing
      the static variables it accesses with a stack-allocated structure
      containing these variables.  Implement setup and cleanup routines for
      that structure, ensuring no error in these routines causes exit() to be
      called any more.  Pass a pointer to that structure to functions
      requiring access to variables which were previously static.
    • Rename verifyzone() to dns_zoneverify_dnssec() · 7554e8d2
      Michał Kępień authored
      This makes the function's name match the naming convention used for
      libdns functions.
    • Move verifyzone() and its dependencies into lib/dns/zoneverify.c · 3a14450d
      Michał Kępień authored
      This commit only moves code around, with the following exceptions:
      
        - the check_dns_dbiterator_current() macro and functions
          is_delegation() and has_dname() were removed from
          bin/dnssec/dnssectool.{c,h} and duplicated in two locations:
          bin/dnssec/dnssec-signzone.c and lib/dns/zoneverify.c; these
          functions are used both by the code in bin/dnssec/dnssec-signzone.c
          and verifyzone(), but are not a good fit for being exported by a
          code module responsible for zone verification,
      
        - fatal() and check_result() were duplicated in lib/dns/zoneverify.c
          as static functions which do not use the "program" variable any more
          (as it is only set by the tools in bin/dnssec/); this is a temporary
          step which only aims to prevent compilation from breaking - these
          duplicate functions will be removed once lib/dns/zoneverify.c is
          refactored not to use them,
      
        - the list of header files included by lib/dns/zoneverify.c was
          expanded to encompass all header files that are actually used by the
          code in that file,
      
        - a description of the purpose of the commented out "fields" inside
          struct nsec3_chain_fixed was added.
    • Replace type_format() and TYPE_FORMATSIZE with their libdns counterparts · ffe8ddd9
      Michał Kępień authored
      Rather than use custom functions and macros local to bin/dnssec/, use
      their counterparts provided by libdns.
    • Merge branch '341-constify-dns_rdata_tostruct' into 'master' · c37537cf
      Michał Kępień authored
      Resolve "constify dns_rdata_tostruct"
      
      Closes #341
      
      See merge request !378
    • Mark Andrews's avatar
  2. 14 Jun, 2018 1 commit