Extract verify_nodes() from dns_zoneverify_dnssec()
authorMichał Kępień <michal@isc.org>
Fri, 15 Jun 2018 07:59:20 +0000 (09:59 +0200)
committerMichał Kępień <michal@isc.org>
Fri, 15 Jun 2018 08:10:24 +0000 (10:10 +0200)
Extract the part of dns_zoneverify_dnssec() responsible for verifying
DNSSEC signatures against the DNSKEY RRset at zone apex and checking
consistency of NSEC/NSEC3 chains to a separate function.

lib/dns/zoneverify.c

index 1befc54cec1d5727e1698a00d7830b9576893fdf..e3668c5a39f18e2306f99e1167d5369415087d01 100644 (file)
@@ -1356,45 +1356,18 @@ determine_active_algorithms(vctx_t *vctx, isc_boolean_t ignore_kskflag,
        }
 }
 
-void
-dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
-                     dns_name_t *origin, isc_mem_t *mctx,
-                     isc_boolean_t ignore_kskflag,
-                     isc_boolean_t keyset_kskonly)
-{
-       char algbuf[80];
-       dns_dbiterator_t *dbiter = NULL;
-       dns_dbnode_t *node = NULL, *nextnode = NULL;
+/*%
+ * Check that all the records not yet verified were signed by keys that are
+ * present in the DNSKEY RRset.
+ */
+static void
+verify_nodes(vctx_t *vctx, isc_result_t *vresult) {
        dns_fixedname_t fname, fnextname, fprevname, fzonecut;
        dns_name_t *name, *nextname, *prevname, *zonecut;
-       int i;
+       dns_dbnode_t *node = NULL, *nextnode;
+       dns_dbiterator_t *dbiter = NULL;
        isc_boolean_t done = ISC_FALSE;
-       isc_boolean_t first = ISC_TRUE;
-       isc_result_t result, vresult = ISC_R_UNSET;
-       vctx_t vctx;
-
-       result = vctx_init(&vctx, mctx, zone, db, ver, origin);
-       if (result != ISC_R_SUCCESS) {
-               return;
-       }
-
-       check_apex_rrsets(&vctx);
-
-       check_dnskey(&vctx);
-
-       if (ignore_kskflag ) {
-               if (!vctx.goodksk && !vctx.goodzsk)
-                       fatal("No self-signed DNSKEY found.");
-       } else if (!vctx.goodksk)
-               fatal("No self-signed KSK DNSKEY found.  Supply an active\n"
-                     "key with the KSK flag set, or use '-P'.");
-
-       determine_active_algorithms(&vctx, ignore_kskflag, keyset_kskonly);
-
-       /*
-        * Check that all the other records were signed by keys that are
-        * present in the DNSKEY RRSET.
-        */
+       isc_result_t result;
 
        name = dns_fixedname_initname(&fname);
        nextname = dns_fixedname_initname(&fnextname);
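Review bot: The new block comment above verify_nodes() (L27-L30) covers only the RRSIG-against-DNSKEY check, but the function also runs check_no_nsec() on out-of-zone and below-cut names (L85-L86, L110-L116), makes a second pass over NSEC3-only nodes, and takes a `vresult` out-parameter whose contract is not written down anywhere. Suggest extending the comment to something like `Walk every node of the zone (NSEC3 nodes in a second pass), verify each node's RRSIGs against the DNSKEY RRset and check NSEC/NSEC3 presence. *vresult must be ISC_R_UNSET on entry; it becomes ISC_R_SUCCESS once a node has been visited and then keeps the first verifynode()/verifyemptynodes() failure.` Separately, the declaration on L36 keeps `node = NULL` but drops the `= NULL` initialiser that `nextnode` had on L26; that is only safe if the reset of nextnode before the inner loop (which falls between this hunk and the `@@ -1438` one, outside what is shown) is still present, since as far as I recall dns_dbiterator_current() requires the node pointer it fills to be NULL on entry.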
@@ -1403,7 +1376,7 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
        dns_fixedname_init(&fzonecut);
        zonecut = NULL;
 
-       result = dns_db_createiterator(vctx.db, DNS_DB_NONSEC3, &dbiter);
+       result = dns_db_createiterator(vctx->db, DNS_DB_NONSEC3, &dbiter);
        check_result(result, "dns_db_createiterator()");
 
        result = dns_dbiterator_first(dbiter);
@@ -1414,9 +1387,9 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 
                result = dns_dbiterator_current(dbiter, &node, name);
                check_dns_dbiterator_current(result);
-               if (!dns_name_issubdomain(name, vctx.origin)) {
-                       check_no_nsec(&vctx, name, node);
-                       dns_db_detachnode(vctx.db, &node);
+               if (!dns_name_issubdomain(name, vctx->origin)) {
+                       check_no_nsec(vctx, name, node);
+                       dns_db_detachnode(vctx->db, &node);
                        result = dns_dbiterator_next(dbiter);
                        if (result == ISC_R_NOMORE)
                                done = ISC_TRUE;
@@ -1424,11 +1397,11 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
                                check_result(result, "dns_dbiterator_next()");
                        continue;
                }
-               if (is_delegation(&vctx, name, node, NULL)) {
+               if (is_delegation(vctx, name, node, NULL)) {
                        zonecut = dns_fixedname_name(&fzonecut);
                        dns_name_copy(name, zonecut, NULL);
                        isdelegation = ISC_TRUE;
-               } else if (has_dname(&vctx, node)) {
+               } else if (has_dname(vctx, node)) {
                        zonecut = dns_fixedname_name(&fzonecut);
                        dns_name_copy(name, zonecut, NULL);
                }
@@ -1438,51 +1411,51 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
                        result = dns_dbiterator_current(dbiter, &nextnode,
                                                        nextname);
                        check_dns_dbiterator_current(result);
-                       if (!dns_name_issubdomain(nextname, vctx.origin) ||
+                       if (!dns_name_issubdomain(nextname, vctx->origin) ||
                            (zonecut != NULL &&
                             dns_name_issubdomain(nextname, zonecut)))
                        {
-                               check_no_nsec(&vctx, nextname, nextnode);
-                               dns_db_detachnode(vctx.db, &nextnode);
+                               check_no_nsec(vctx, nextname, nextnode);
+                               dns_db_detachnode(vctx->db, &nextnode);
                                result = dns_dbiterator_next(dbiter);
                                continue;
                        }
-                       if (is_empty(&vctx, nextnode)) {
-                               dns_db_detachnode(vctx.db, &nextnode);
+                       if (is_empty(vctx, nextnode)) {
+                               dns_db_detachnode(vctx->db, &nextnode);
                                result = dns_dbiterator_next(dbiter);
                                continue;
                        }
-                       dns_db_detachnode(vctx.db, &nextnode);
+                       dns_db_detachnode(vctx->db, &nextnode);
                        break;
                }
                if (result == ISC_R_NOMORE) {
                        done = ISC_TRUE;
-                       nextname = vctx.origin;
+                       nextname = vctx->origin;
                } else if (result != ISC_R_SUCCESS)
                        fatal("iterating through the database failed: %s",
                              isc_result_totext(result));
-               result = verifynode(&vctx, name, node, isdelegation,
-                                   &vctx.keyset, &vctx.nsecset,
-                                   &vctx.nsec3paramset, nextname);
-               if (vresult == ISC_R_UNSET)
-                       vresult = ISC_R_SUCCESS;
-               if (vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS)
-                       vresult = result;
+               result = verifynode(vctx, name, node, isdelegation,
+                                   &vctx->keyset, &vctx->nsecset,
+                                   &vctx->nsec3paramset, nextname);
+               if (*vresult == ISC_R_UNSET)
+                       *vresult = ISC_R_SUCCESS;
+               if (*vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS)
+                       *vresult = result;
                if (prevname != NULL) {
-                       result = verifyemptynodes(&vctx, name, prevname,
+                       result = verifyemptynodes(vctx, name, prevname,
                                                  isdelegation,
-                                                 &vctx.nsec3paramset);
+                                                 &vctx->nsec3paramset);
                } else
                        prevname = dns_fixedname_name(&fprevname);
                dns_name_copy(name, prevname, NULL);
-               if (vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS)
-                       vresult = result;
-               dns_db_detachnode(vctx.db, &node);
+               if (*vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS)
+                       *vresult = result;
+               dns_db_detachnode(vctx->db, &node);
        }
 
        dns_dbiterator_destroy(&dbiter);
 
-       result = dns_db_createiterator(vctx.db, DNS_DB_NSEC3ONLY, &dbiter);
+       result = dns_db_createiterator(vctx->db, DNS_DB_NSEC3ONLY, &dbiter);
        check_result(result, "dns_db_createiterator()");
 
        for (result = dns_dbiterator_first(dbiter);
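Review bot: The first-failure capture `if (*vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS) *vresult = result;` is now spelled out twice through the pointer (L151-L152 and L165-L166), and the caller repeats the same shape on `vresult` from L227 onwards; a small static helper would make the "keep the first error" policy explicit in one place and stop the copies drifting apart. The ISC_R_UNSET to ISC_R_SUCCESS promotion on L149-L150 can fold into it without changing behaviour, because by the second call site `*vresult` is never ISC_R_UNSET any more. The enclosing while loop begins outside this hunk.
```c
/* Record `result` into `*vresult`, keeping the first failure seen. */
static void
record_result(isc_result_t *vresult, isc_result_t result) {
	if (*vresult == ISC_R_UNSET) {
		*vresult = ISC_R_SUCCESS;
	}
	if (*vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS) {
		*vresult = result;
	}
}
/* … unchanged: verify_nodes() up to and including the verifynode() call … */
		record_result(vresult, result);
/* … unchanged: verifyemptynodes()/prevname handling … */
		record_result(vresult, result);
```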
@@ -1490,13 +1463,47 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
             result = dns_dbiterator_next(dbiter) ) {
                result = dns_dbiterator_current(dbiter, &node, name);
                check_dns_dbiterator_current(result);
-               result = verifynode(&vctx, name, node, ISC_FALSE, &vctx.keyset,
+               result = verifynode(vctx, name, node, ISC_FALSE, &vctx->keyset,
                                    NULL, NULL, NULL);
                check_result(result, "verifynode");
-               record_found(&vctx, name, node, &vctx.nsec3paramset);
-               dns_db_detachnode(vctx.db, &node);
+               record_found(vctx, name, node, &vctx->nsec3paramset);
+               dns_db_detachnode(vctx->db, &node);
        }
+
        dns_dbiterator_destroy(&dbiter);
+}
+
+void
+dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+                     dns_name_t *origin, isc_mem_t *mctx,
+                     isc_boolean_t ignore_kskflag,
+                     isc_boolean_t keyset_kskonly)
+{
+       char algbuf[80];
+       int i;
+       isc_boolean_t first = ISC_TRUE;
+       isc_result_t result, vresult = ISC_R_UNSET;
+       vctx_t vctx;
+
+       result = vctx_init(&vctx, mctx, zone, db, ver, origin);
+       if (result != ISC_R_SUCCESS) {
+               return;
+       }
+
+       check_apex_rrsets(&vctx);
+
+       check_dnskey(&vctx);
+
+       if (ignore_kskflag ) {
+               if (!vctx.goodksk && !vctx.goodzsk)
+                       fatal("No self-signed DNSKEY found.");
+       } else if (!vctx.goodksk)
+               fatal("No self-signed KSK DNSKEY found.  Supply an active\n"
+                     "key with the KSK flag set, or use '-P'.");
+
+       determine_active_algorithms(&vctx, ignore_kskflag, keyset_kskonly);
+
+       verify_nodes(&vctx, &vresult);
 
        result = verify_nsec3_chains(&vctx, mctx);
        if (vresult == ISC_R_UNSET)
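Review bot: The two passes inside verify_nodes() treat a verifynode() failure differently and nothing in the new function says why: the NSEC pass records the first failure into `*vresult` and keeps going, while the NSEC3-only pass on L182-L184 hands any failure to check_result(), which as I read it is fatal. That was already the behaviour before the extraction, so it is presumably intentional, but now that both loops sit side by side in one function a one-line comment before the second loop such as `/* NSEC3 nodes: a verification failure here is fatal, unlike the NSEC pass above. */` would stop the next reader from "fixing" the inconsistency. Separately, `if (ignore_kskflag )` on L215 carries a stray space before the parenthesis, and the multi-line fatal() under the unbraced `else if` on L218-L220 would read better braced, matching the braced `if` on L207-L209. dns_zoneverify_dnssec() continues past the end of this hunk.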