Do not call exit() upon match_nsec3() errors

Make match_nsec3() return the verification result through a separate
pointer, thus making it possible to signal errors using function
return value.  Replace all check_result() and fprintf() calls inside
match_nsec3() with zoneverify_log_error() calls and error handling code.

Modify all call sites of match_nsec3() so that its errors are properly
handled.

diff --git a/lib/dns/zoneverify.c b/lib/dns/zoneverify.c
index f06dd062d31df1212436cd572a87f91f1ae715b6..67e8bf787bd45c385d049760f4b919f2fb6f0ed4 100644 (file)
--- a/lib/dns/zoneverify.c
+++ b/lib/dns/zoneverify.c
@@ -444,7 +444,7 @@ static isc_result_t
 match_nsec3(const vctx_t *vctx, dns_name_t *name,
            dns_rdata_nsec3param_t *nsec3param, dns_rdataset_t *rdataset,
            unsigned char types[8192], unsigned int maxtype,
-           unsigned char *rawhash, size_t rhsize)
+           unsigned char *rawhash, size_t rhsize, isc_result_t *vresult)
 {
        unsigned char cbm[8244];
        char namebuf[DNS_NAME_FORMATSIZE];
@@ -472,8 +472,10 @@ match_nsec3(const vctx_t *vctx, dns_name_t *name,
        }
        if (result != ISC_R_SUCCESS) {
                dns_name_format(name, namebuf, sizeof(namebuf));
-               fprintf(stderr, "Missing NSEC3 record for %s\n", namebuf);
-               return (result);
+               zoneverify_log_error(vctx, "Missing NSEC3 record for %s",
+                                    namebuf);
+               *vresult = result;
+               return (ISC_R_SUCCESS);
        }
 
        /*
@@ -482,9 +484,12 @@ match_nsec3(const vctx_t *vctx, dns_name_t *name,
        len = dns_nsec_compressbitmap(cbm, types, maxtype);
        if (nsec3.len != len || memcmp(cbm, nsec3.typebits, len) != 0) {
                dns_name_format(name, namebuf, sizeof(namebuf));
-               fprintf(stderr, "Bad NSEC3 record for %s, bit map "
-                               "mismatch\n", namebuf);
-               return (ISC_R_FAILURE);
+               zoneverify_log_error(vctx,
+                                    "Bad NSEC3 record for %s, bit map "
+                                    "mismatch",
+                                    namebuf);
+               *vresult = ISC_R_FAILURE;
+               return (ISC_R_SUCCESS);
        }
 
        /*
@@ -492,7 +497,11 @@ match_nsec3(const vctx_t *vctx, dns_name_t *name,
         */
        result = record_nsec3(rawhash, &nsec3, vctx->mctx,
                              vctx->expected_chains);
-       check_result(result, "record_nsec3()");
+       if (result != ISC_R_SUCCESS) {
+               zoneverify_log_error(vctx, "record_nsec3(): %s",
+                                    isc_result_totext(result));
+               return (result);
+       }
 
        /*
         * Make sure there is only one NSEC3 record with this set of
@@ -511,17 +520,20 @@ match_nsec3(const vctx_t *vctx, dns_name_t *name,
                    memcmp(nsec3.salt, nsec3param->salt,
                           nsec3.salt_length) == 0) {
                        dns_name_format(name, namebuf, sizeof(namebuf));
-                       fprintf(stderr, "Multiple NSEC3 records with the "
-                               "same parameter set for %s", namebuf);
-                       result = DNS_R_DUPLICATE;
-                       break;
+                       zoneverify_log_error(vctx,
+                                            "Multiple NSEC3 records with the "
+                                            "same parameter set for %s",
+                                            namebuf);
+                       *vresult = DNS_R_DUPLICATE;
+                       return (ISC_R_SUCCESS);
                }
        }
        if (result != ISC_R_NOMORE)
                return (result);
 
-       result = ISC_R_SUCCESS;
-       return (result);
+       *vresult = ISC_R_SUCCESS;
+
+       return (ISC_R_SUCCESS);
 }
 
 static isc_boolean_t
@@ -679,7 +691,7 @@ verifynsec3(const vctx_t *vctx, dns_name_t *name, dns_rdata_t *rdata,
        dns_rdata_nsec3param_t nsec3param;
        dns_fixedname_t fixed;
        dns_name_t *hashname;
-       isc_result_t result;
+       isc_result_t result, tvresult;
        dns_dbnode_t *node = NULL;
        unsigned char rawhash[NSEC3_MAX_HASH_LENGTH];
        size_t rhsize = sizeof(rawhash);
@@ -737,17 +749,23 @@ verifynsec3(const vctx_t *vctx, dns_name_t *name, dns_rdata_t *rdata,
                result = ISC_R_SUCCESS;
        } else if (result == ISC_R_SUCCESS) {
                result = match_nsec3(vctx, name, &nsec3param, &rdataset, types,
-                                    maxtype, rawhash, rhsize);
+                                    maxtype, rawhash, rhsize, &tvresult);
+               if (result != ISC_R_SUCCESS) {
+                       goto done;
+               }
+               result = tvresult;
        }
 
        *vresult = result;
+       result = ISC_R_SUCCESS;
 
+ done:
        if (dns_rdataset_isassociated(&rdataset))
                dns_rdataset_disassociate(&rdataset);
        if (node != NULL)
                dns_db_detachnode(vctx->db, &node);
 
-       return (ISC_R_SUCCESS);
+       return (result);
 }
 
 static isc_result_t