Minor refactoring on function match_nsec3
authorDiego Fronza <diego@isc.org>
Thu, 18 Jun 2020 19:49:40 +0000 (16:49 -0300)
committerEvan Hunt <each@isc.org>
Wed, 25 Aug 2021 21:23:26 +0000 (14:23 -0700)
The logic for matching a set of nsec3 objects against an nsec3param
object was moved to a specific function.

For more details check thread:
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/291#note_12176

lib/dns/zoneverify.c

index c54be29074f7a959e5ee96dc3ee6f8ea6fd26a78..5b1e185090ee1b8096f827587980a8f2d37edd56 100644 (file)
@@ -424,17 +424,15 @@ record_nsec3(const vctx_t *vctx, const unsigned char *rawhash,
        return (result);
 }
 
+/*
+ * Check whether any NSEC3 within 'rdataset' matches the parameters in
+ * 'nsec3param'.
+ */
 static isc_result_t
-match_nsec3(const vctx_t *vctx, const dns_name_t *name,
-           const dns_rdata_nsec3param_t *nsec3param, dns_rdataset_t *rdataset,
-           const unsigned char types[8192], unsigned int maxtype,
-           const unsigned char *rawhash, size_t rhsize,
-           isc_result_t *vresult) {
-       unsigned char cbm[8244];
-       char namebuf[DNS_NAME_FORMATSIZE];
-       dns_rdata_nsec3_t nsec3;
+find_nsec3_match(const dns_rdata_nsec3param_t *nsec3param,
+                dns_rdataset_t *rdataset, size_t rhsize,
+                dns_rdata_nsec3_t *nsec3_match) {
        isc_result_t result;
-       unsigned int len;
 
        /*
         * Find matching NSEC3 record.
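Review bot: The new comment above find_nsec3_match does not state the return contract or what state `*nsec3_match` is left in, and the loop in the second hunk decodes into it on every iteration before testing for a match. On a non-success return the caller's struct therefore holds the last record examined, or is untouched if the set yielded nothing, so it should be documented as meaningful only on ISC_R_SUCCESS. I would extend the comment with `* Returns ISC_R_SUCCESS and fills '*nsec3_match' on a match; on any other result '*nsec3_match' is unspecified and must not be read.` The function body continues outside this hunk and the loop header is not visible, so the exact end-of-iteration result code is inferred.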
@@ -444,18 +442,35 @@ match_nsec3(const vctx_t *vctx, const dns_name_t *name,
        {
                dns_rdata_t rdata = DNS_RDATA_INIT;
                dns_rdataset_current(rdataset, &rdata);
-               result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
+               result = dns_rdata_tostruct(&rdata, nsec3_match, NULL);
                RUNTIME_CHECK(result == ISC_R_SUCCESS);
-               if (nsec3.hash == nsec3param->hash &&
-                   nsec3.next_length == rhsize &&
-                   nsec3.iterations == nsec3param->iterations &&
-                   nsec3.salt_length == nsec3param->salt_length &&
-                   memcmp(nsec3.salt, nsec3param->salt,
+               if (nsec3_match->hash == nsec3param->hash &&
+                   nsec3_match->next_length == rhsize &&
+                   nsec3_match->iterations == nsec3param->iterations &&
+                   nsec3_match->salt_length == nsec3param->salt_length &&
+                   memcmp(nsec3_match->salt, nsec3param->salt,
                           nsec3param->salt_length) == 0)
                {
-                       break;
+                       return (ISC_R_SUCCESS);
                }
        }
+
+       return (result);
+}
+
+static isc_result_t
+match_nsec3(const vctx_t *vctx, const dns_name_t *name,
+           const dns_rdata_nsec3param_t *nsec3param, dns_rdataset_t *rdataset,
+           const unsigned char types[8192], unsigned int maxtype,
+           const unsigned char *rawhash, size_t rhsize,
+           isc_result_t *vresult) {
+       unsigned char cbm[8244];
+       char namebuf[DNS_NAME_FORMATSIZE];
+       dns_rdata_nsec3_t nsec3;
+       isc_result_t result;
+       unsigned int len;
+
+       result = find_nsec3_match(nsec3param, rdataset, rhsize, &nsec3);
        if (result != ISC_R_SUCCESS) {
                dns_name_format(name, namebuf, sizeof(namebuf));
                zoneverify_log_error(vctx, "Missing NSEC3 record for %s",
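Review bot: `dns_rdata_tostruct(&rdata, nsec3_match, NULL)` now decodes into a struct owned by the caller, and with a NULL memory context the decoded struct, as far as I know, keeps its salt, next-hash and type-map pointers aimed at the rdataset's storage rather than at copies. Before the split that borrowing stayed inside one function; now the pointers outlive find_nsec3_match, so a future caller that disassociates `rdataset` before reading `nsec3` would be reading freed memory. match_nsec3 itself looks fine because it still holds `rdataset`, but the dependency deserves a line in the helper's comment, for example `* '*nsec3_match' references data owned by 'rdataset' and is valid only while 'rdataset' remains associated.` match_nsec3 continues past the end of this hunk.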