Propagate dns_zoneverify_dnssec() errors to callers

Since exit() is no longer called upon any dns_zoneverify_dnssec() error,
verification failures should be signalled to callers.  Make
dns_zoneverify_dnssec() return an isc_result_t and handle both success
and error appropriately in bin/dnssec/dnssec-signzone.c and
bin/dnssec/dnssec-verify.c.  This enables memory leak detection during
shutdown of these tools and causes dnssec-signzone to print signing
statistics even when zone verification fails.

bin/dnssec/dnssec-signzone.c

@@ -3227,7 +3227,7 @@ main(int argc, char *argv[]) {
 	isc_time_t timer_start, timer_finish;
 	isc_time_t sign_start, sign_finish;
 	dns_dnsseckey_t *key;
-	isc_result_t result;
+	isc_result_t result, vresult;
 	isc_log_t *log = NULL;
 #ifdef USE_PKCS11
 	const char *engine = PKCS11_ENGINE;
@@ -3912,9 +3912,18 @@ main(int argc, char *argv[]) {
 	postsign();
 	TIME_NOW(&sign_finish);
 
-	if (!disable_zone_check)
-		dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin, mctx,
-				      ignore_kskflag, keyset_kskonly);
+	if (disable_zone_check) {
+		vresult = ISC_R_SUCCESS;
+	} else {
+		vresult = dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin,
+						mctx, ignore_kskflag,
+						keyset_kskonly);
+		if (vresult != ISC_R_SUCCESS) {
+			fprintf(output_stdout ? stderr : stdout,
+				"Zone verification failed (%s)\n",
+				isc_result_totext(vresult));
+		}
+	}
 
 	if (outputformat != dns_masterformat_text) {
 		dns_masterrawheader_t header;
@@ -3940,12 +3949,16 @@ main(int argc, char *argv[]) {
 		check_result(result, "isc_stdio_close");
 		removefile = ISC_FALSE;
 
-		result = isc_file_rename(tempfile, output);
-		if (result != ISC_R_SUCCESS)
-			fatal("failed to rename temp file to %s: %s",
-			      output, isc_result_totext(result));
-
-		printf("%s\n", output);
+		if (vresult == ISC_R_SUCCESS) {
+			result = isc_file_rename(tempfile, output);
+			if (result != ISC_R_SUCCESS) {
+				fatal("failed to rename temp file to %s: %s",
+				      output, isc_result_totext(result));
+			}
+			printf("%s\n", output);
+		} else {
+			isc_file_remove(tempfile);
+		}
 	}
 
 	dns_db_closeversion(gdb, &gversion, ISC_FALSE);
@@ -3985,5 +3998,5 @@ main(int argc, char *argv[]) {
 #ifdef _WIN32
 	DestroySockets();
 #endif
-	return (0);
+	return (vresult == ISC_R_SUCCESS ? 0 : 1);
 }

bin/dnssec/dnssec-verify.c

@@ -323,8 +323,8 @@ main(int argc, char *argv[]) {
 	result = dns_db_newversion(gdb, &gversion);
 	check_result(result, "dns_db_newversion()");
 
-	dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin, mctx,
-			      ignore_kskflag, keyset_kskonly);
+	result = dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin, mctx,
+				       ignore_kskflag, keyset_kskonly);
 
 	dns_db_closeversion(gdb, &gversion, ISC_FALSE);
 	dns_db_detach(&gdb);
@@ -338,5 +338,5 @@ main(int argc, char *argv[]) {
 
 	(void) isc_app_finish();
 
-	return (0);
+	return (result == ISC_R_SUCCESS ? 0 : 1);
 }

lib/dns/include/dns/zoneverify.h

@@ -31,7 +31,7 @@ ISC_LANG_BEGINDECLS
  *   The rest of the zone was signed with at least one of the ZSKs
  *   present in the DNSKEY RRSET.
  */
-void
+isc_result_t
 dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 		      dns_name_t *origin, isc_mem_t *mctx,
 		      isc_boolean_t ignore_kskflag,

lib/dns/zoneverify.c

@@ -1809,7 +1809,7 @@ print_summary(const vctx_t *vctx, isc_boolean_t keyset_kskonly) {
 	}
 }
 
-void
+isc_result_t
 dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 		      dns_name_t *origin, isc_mem_t *mctx,
 		      isc_boolean_t ignore_kskflag,
@@ -1820,7 +1820,7 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 
 	result = vctx_init(&vctx, mctx, zone, db, ver, origin);
 	if (result != ISC_R_SUCCESS) {
-		return;
+		return (result);
 	}
 
 	result = check_apex_rrsets(&vctx);
@@ -1879,4 +1879,6 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 
  done:
 	vctx_destroy(&vctx);
+
+	return (result);
 }