1. 21 Jun, 2018 3 commits
  2. 20 Jun, 2018 5 commits
  3. 19 Jun, 2018 4 commits
  4. 15 Jun, 2018 28 commits
    • Michał Kępień's avatar
      Merge branch '266-convert-verifyzone-to-a-libdns-function' into 'master' · e495999c
      Michał Kępień authored
      Convert verifyzone() to a libdns function
      
      Closes #266
      
      See merge request !291
      e495999c
    • Michał Kępień's avatar
      Add CHANGES entry · ad118d6e
      Michał Kępień authored
      4973.	[func]		verifyzone() and the functions it uses were moved to
      			libdns and refactored to prevent exit() from being
      			called upon failure.  A side effect of that is that
      			dnssec-signzone and dnssec-verify now check for memory
      			leaks upon shutdown. [GL #266]
      ad118d6e
    • Michał Kępień's avatar
      8649c59a
    • Michał Kępień's avatar
      Constify function arguments throughout lib/dns/zoneverify.c · c094d1e4
      Michał Kępień authored
      Where possible, apply the const qualifier to arguments of functions
      present in lib/dns/zoneverify.c.
      c094d1e4
    • Michał Kępień's avatar
      Propagate dns_zoneverify_dnssec() errors to callers · 24bca1c4
      Michał Kępień authored
      Since exit() is no longer called upon any dns_zoneverify_dnssec() error,
      verification failures should be signalled to callers.  Make
      dns_zoneverify_dnssec() return an isc_result_t and handle both success
      and error appropriately in bin/dnssec/dnssec-signzone.c and
      bin/dnssec/dnssec-verify.c.  This enables memory leak detection during
      shutdown of these tools and causes dnssec-signzone to print signing
      statistics even when zone verification fails.
      24bca1c4
    • Michał Kępień's avatar
      Remove fatal() and check_result() from lib/dns/zoneverify.c · a7ae6157
      Michał Kępień authored
      Since no function in lib/dns/zoneverify.c uses fatal() or check_result()
      any more, remove them.
      a7ae6157
    • Michał Kępień's avatar
      Replace remaining fprintf() calls with zoneverify_*() calls · 5609472f
      Michał Kępień authored
      Replace all fprintf() calls inside lib/dns/zoneverify.c, but outside of
      zoneverify_log_error() and zoneverify_print() with calls to these
      functions.
      5609472f
    • Michał Kępień's avatar
      Properly handle record_found() errors · 11a552a6
      Michał Kępień authored
      record_found() returns an isc_result_t, but its value is not checked.
      Modify the only call site of record_found() so that its errors are
      properly handled.
      11a552a6
    • Michał Kępień's avatar
      Do not call exit() upon dns_zoneverify_dnssec() errors · 5ac14cb7
      Michał Kępień authored
      Replace the remaining fatal() calls inside dns_zoneverify_dnssec() with
      zoneverify_log_error() and zoneverify_print() calls, ensuring proper
      cleanup.
      5ac14cb7
    • Michał Kępień's avatar
      Do not call exit() upon record_nsec3() errors · bf65f729
      Michał Kępień authored
      Replace the fprintf() call inside record_nsec3() with a
      zoneverify_log_error() call.  Remove the "mctx" argument of
      record_nsec3() as it can be extracted from "vctx".
      
      Modify one of the record_nsec3() call sites so that its errors are
      properly handled.
      bf65f729
    • Michał Kępień's avatar
      Do not call exit() upon match_nsec3() errors · 0d07de92
      Michał Kępień authored
      Make match_nsec3() return the verification result through a separate
      pointer, thus making it possible to signal errors using function
      return value.  Replace all check_result() and fprintf() calls inside
      match_nsec3() with zoneverify_log_error() calls and error handling code.
      
      Modify all call sites of match_nsec3() so that its errors are properly
      handled.
      0d07de92
    • Michał Kępień's avatar
      Do not call exit() upon isoptout() errors · 0ed3a2b2
      Michał Kępień authored
      Replace all check_result() calls inside isoptout() with
      zoneverify_log_error() calls and error handling code.  Enable isoptout()
      to signal errors to the caller using its return value.
      
      Modify the call site of isoptout() so that its errors are properly
      handled.
      0ed3a2b2
    • Michał Kępień's avatar
      Do not call exit() upon NSEC3 verification errors · c76fcdd2
      Michał Kępień authored
      Make verifynsec3(), verifynsec3s(), and verifyemptynodes() return the
      verification result through a separate pointer, thus making it possible
      to signal errors using function return values.  Replace all
      check_result() and fprintf() calls inside these functions with
      zoneverify_log_error() calls and error handling code.
      
      Modify all call sites of verifynsec3(), verifynsec3s(), and
      verifyemptynodes() so that their errors are properly handled.
      c76fcdd2
    • Michał Kępień's avatar
      Do not call exit() upon verifynsec() errors · 84486911
      Michał Kępień authored
      Make verifynsec() return the verification result through a separate
      pointer, thus making it possible to signal errors using function
      return value.  Replace all check_result() and fprintf() calls inside
      verifynsec() with zoneverify_log_error() calls and error handling code.
      
      Modify the call site of verifynsec() so that its errors are properly
      handled.
      
      Rename "tresult" to "tvresult" in order to improve variable naming
      consistency between functions.
      84486911
    • Michał Kępień's avatar
      Do not call exit() upon check_no_rrsig() errors · 0ed9ec49
      Michał Kępień authored
      Replace all check_result() and fprintf() calls inside check_no_rrsig()
      with zoneverify_log_error() calls and error handling code.  Enable
      check_no_rrsig() to signal errors to the caller using its return
      value.
      
      Modify the call site of check_no_rrsig() so that its errors are properly
      handled.
      
      Define buffer size using a named constant rather than a plain integer.
      0ed9ec49
    • Michał Kępień's avatar
      Do not call exit() upon verifyset() errors · 30e837f3
      Michał Kępień authored
      Replace all check_result() and fprintf() calls inside verifyset() with
      zoneverify_log_error() calls and error handling code.  Enable
      verifyset() to signal errors to the caller using its return value.
      
      Modify the call site of verifyset() so that its errors are properly
      handled.
      
      Define buffer sizes using named constants rather than plain integers.
      30e837f3
    • Michał Kępień's avatar
      Do not call exit() upon verifynode() errors · d782fcc6
      Michał Kępień authored
      Make verifynode() return the verification result through a separate
      pointer, thus making it possible to signal errors using function
      return value.  Replace all fatal() and check_result() calls inside
      verifynode() with zoneverify_log_error() calls and error handling code.
      Add a REQUIRE assertion to emphasize verifynode() may be called with
      some of its arguments set to NULL.
      
      Modify all call sites of verifynode() so that its errors are properly
      handled.
      d782fcc6
    • Michał Kępień's avatar
      Do not call exit() upon is_empty() errors · 7a996f0c
      Michał Kępień authored
      Replace the check_result() call inside is_empty() with a
      zoneverify_log_error() call and error handling code.  Enable is_empty()
      to signal errors to the caller using its return value.
      
      Modify the call site of is_empty() so that its errors are properly
      handled.
      7a996f0c
    • Michał Kępień's avatar
      Do not call exit() upon check_no_nsec() errors · 04038baf
      Michał Kępień authored
      Replace the fatal() call inside check_no_nsec() with a
      zoneverify_log_error() call.  Enable check_no_nsec() to signal errors to
      the caller using its return value.
      
      Modify all call sites of check_no_nsec() so that its errors are properly
      handled.
      04038baf
    • Michał Kępień's avatar
      Do not call exit() upon verify_nodes() errors · 4354f44d
      Michał Kępień authored
      Replace all fatal(), check_result(), and check_dns_dbiterator_current()
      calls inside verify_nodes() with zoneverify_log_error() calls and error
      handling code.  Enable verify_nodes() to signal errors to the caller
      using its return value.
      
      Modify the call site of verify_nodes() so that its errors are properly
      handled.
      
      Free all heap elements upon verification context cleanup as a
      verification error may prevent them from being freed elsewhere.
      
      Remove the check_dns_dbiterator_current() macro as it is no longer used
      anywhere in lib/dns/zoneverify.c.
      4354f44d
    • Michał Kępień's avatar
      Do not call exit() upon check_bad_algorithms() errors · 00ecbad2
      Michał Kępień authored
      Replace all fatal() and fprintf() calls inside check_bad_algorithms()
      with zoneverify_print() calls and error handling code.  Enable
      check_bad_algorithms() to signal errors to the caller using its return
      value.
      
      Modify the call site of check_bad_algorithms() so that its errors are
      properly handled.
      00ecbad2
    • Michał Kępień's avatar
      Do not call exit() upon check_dnskey() errors · 7c3f6531
      Michał Kępień authored
      Replace all fatal() and check_result() calls inside check_dnskey() with
      zoneverify_log_error() calls and error handling code.  Enable
      check_dnskey() to signal errors to the caller using its return value.
      
      Modify the call site of check_dnskey() so that its errors are properly
      handled.
      7c3f6531
    • Michał Kępień's avatar
      Do not call exit() upon check_apex_rrsets() errors · 1a6525ff
      Michał Kępień authored
      Replace all fatal() calls inside check_apex_rrsets() with
      zoneverify_log_error() calls and error handling code.  Enable
      check_apex_rrsets() to signal errors to the caller using its return
      value.
      
      Modify the call site of check_apex_rrsets() so that its errors are
      properly handled.
      1a6525ff
    • Michał Kępień's avatar
      Use RUNTIME_CHECK instead of check_result() where it is safe to do so · ee061820
      Michał Kępień authored
      Replace calls to check_result() with RUNTIME_CHECK assertions for all
      dns_rdata_tostruct() calls in lib/dns/zoneverify.c as this function
      cannot fail when the "mctx" argument is NULL (and that is the case for
      all call sites of this function throughout lib/dns/zoneverify.c).
      ee061820
    • Michał Kępień's avatar
      Extract print_summary() from dns_zoneverify_dnssec() · fc6b5ad5
      Michał Kępień authored
      Extract the part of dns_zoneverify_dnssec() responsible for printing a
      summary for a fully signed zone to a separate function.
      fc6b5ad5
    • Michał Kępień's avatar
      Extract check_bad_algorithms() from dns_zoneverify_dnssec() · b3d2ab44
      Michał Kępień authored
      Extract the part of dns_zoneverify_dnssec() responsible for checking
      whether the zone is fully signed using all active algorithms to a
      separate function.
      b3d2ab44
    • Michał Kępień's avatar
      Extract verify_nodes() from dns_zoneverify_dnssec() · eb17957c
      Michał Kępień authored
      Extract the part of dns_zoneverify_dnssec() responsible for verifying
      DNSSEC signatures against the DNSKEY RRset at zone apex and checking
      consistency of NSEC/NSEC3 chains to a separate function.
      eb17957c
    • Michał Kępień's avatar
      Extract determine_active_algorithms() from dns_zoneverify_dnssec() · dc81d8cb
      Michał Kępień authored
      Extract the part of dns_zoneverify_dnssec() responsible for determining
      and printing a list of DNSSEC algorithms active in the verified zone to
      a separate function.
      dc81d8cb