Do not call exit() upon verifyset() errors

Replace all check_result() and fprintf() calls inside verifyset() with
zoneverify_log_error() calls and error handling code.  Enable
verifyset() to signal errors to the caller using its return value.

Modify the call site of verifyset() so that its errors are properly
handled.

Define buffer sizes using named constants rather than plain integers.

diff --git a/lib/dns/zoneverify.c b/lib/dns/zoneverify.c
index e29646cdbdcf7c080fdd3e12cc31b6a7cbe061d0..07ccc05915d3b71ea726c9628d5be1f48be60d67 100644 (file)
--- a/lib/dns/zoneverify.c
+++ b/lib/dns/zoneverify.c
@@ -723,14 +723,14 @@ verifynsec3s(const vctx_t *vctx, dns_name_t *name,
        return (result);
 }
 
-static void
+static isc_result_t
 verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, dns_name_t *name,
          dns_dbnode_t *node, dns_rdataset_t *keyrdataset)
 {
        unsigned char set_algorithms[256];
        char namebuf[DNS_NAME_FORMATSIZE];
-       char algbuf[80];
-       char typebuf[80];
+       char algbuf[DNS_SECALG_FORMATSIZE];
+       char typebuf[DNS_RDATATYPE_FORMATSIZE];
        dns_rdataset_t sigrdataset;
        dns_rdatasetiter_t *rdsiter = NULL;
        isc_result_t result;
@@ -738,7 +738,11 @@ verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, dns_name_t *name,
 
        dns_rdataset_init(&sigrdataset);
        result = dns_db_allrdatasets(vctx->db, node, vctx->ver, 0, &rdsiter);
-       check_result(result, "dns_db_allrdatasets()");
+       if (result != ISC_R_SUCCESS) {
+               zoneverify_log_error(vctx, "dns_db_allrdatasets(): %s",
+                                    isc_result_totext(result));
+               return (result);
+       }
        for (result = dns_rdatasetiter_first(rdsiter);
             result == ISC_R_SUCCESS;
             result = dns_rdatasetiter_next(rdsiter)) {
@@ -751,12 +755,13 @@ verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, dns_name_t *name,
        if (result != ISC_R_SUCCESS) {
                dns_name_format(name, namebuf, sizeof(namebuf));
                dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf));
-               fprintf(stderr, "No signatures for %s/%s\n", namebuf, typebuf);
+               zoneverify_log_error(vctx, "No signatures for %s/%s",
+                                    namebuf, typebuf);
                for (i = 0; i < 256; i++)
                        if (vctx->act_algorithms[i] != 0)
                                vctx->bad_algorithms[i] = 1;
-               dns_rdatasetiter_destroy(&rdsiter);
-               return;
+               result = ISC_R_SUCCESS;
+               goto done;
        }
 
        memset(set_algorithms, 0, sizeof(set_algorithms));
@@ -773,8 +778,10 @@ verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, dns_name_t *name,
                        dns_name_format(name, namebuf, sizeof(namebuf));
                        dns_rdatatype_format(rdataset->type, typebuf,
                                             sizeof(typebuf));
-                       fprintf(stderr, "TTL mismatch for %s %s keytag %u\n",
-                               namebuf, typebuf, sig.keyid);
+                       zoneverify_log_error(vctx,
+                                            "TTL mismatch for "
+                                            "%s %s keytag %u",
+                                            namebuf, typebuf, sig.keyid);
                        continue;
                }
                if ((set_algorithms[sig.algorithm] != 0) ||
@@ -783,7 +790,8 @@ verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, dns_name_t *name,
                if (goodsig(vctx, &rdata, name, keyrdataset, rdataset))
                        set_algorithms[sig.algorithm] = 1;
        }
-       dns_rdatasetiter_destroy(&rdsiter);
+       result = ISC_R_SUCCESS;
+
        if (memcmp(set_algorithms, vctx->act_algorithms,
                   sizeof(set_algorithms))) {
                dns_name_format(name, namebuf, sizeof(namebuf));
@@ -792,12 +800,21 @@ verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, dns_name_t *name,
                        if ((vctx->act_algorithms[i] != 0) &&
                            (set_algorithms[i] == 0)) {
                                dns_secalg_format(i, algbuf, sizeof(algbuf));
-                               fprintf(stderr, "No correct %s signature for "
-                                       "%s %s\n", algbuf, namebuf, typebuf);
+                               zoneverify_log_error(vctx,
+                                                    "No correct %s signature "
+                                                    "for %s %s",
+                                                    algbuf, namebuf, typebuf);
                                vctx->bad_algorithms[i] = 1;
                        }
        }
-       dns_rdataset_disassociate(&sigrdataset);
+
+ done:
+       if (dns_rdataset_isassociated(&sigrdataset)) {
+               dns_rdataset_disassociate(&sigrdataset);
+       }
+       dns_rdatasetiter_destroy(&rdsiter);
+
+       return (result);
 }
 
 static isc_result_t
@@ -835,7 +852,13 @@ verifynode(vctx_t *vctx, dns_name_t *name, dns_dbnode_t *node,
                    rdataset.type != dns_rdatatype_dnskey &&
                    (!delegation || rdataset.type == dns_rdatatype_ds ||
                     rdataset.type == dns_rdatatype_nsec)) {
-                       verifyset(vctx, &rdataset, name, node, keyrdataset);
+                       result = verifyset(vctx, &rdataset, name, node,
+                                          keyrdataset);
+                       if (result != ISC_R_SUCCESS) {
+                               dns_rdataset_disassociate(&rdataset);
+                               dns_rdatasetiter_destroy(&rdsiter);
+                               return (result);
+                       }
                        dns_nsec_setbit(types, rdataset.type, 1);
                        if (rdataset.type > maxtype)
                                maxtype = rdataset.type;