Propagate dns_zoneverify_dnssec() errors to callers

Since exit() is no longer called upon any dns_zoneverify_dnssec() error, verification failures should be signalled to callers. Make dns_zoneverify_dnssec() return an isc_result_t and handle both success and error appropriately in bin/dnssec/dnssec-signzone.c and bin/dnssec/dnssec-verify.c. This enables memory leak detection during shutdown of these tools and causes dnssec-signzone to print signing statistics even when zone verification fails.
2025-09-02 15:45:25 +00:00 · 2018-06-15 09:59:20 +02:00
parent a7ae615743
commit 24bca1c4b4
4 changed files with 32 additions and 17 deletions
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -3227,7 +3227,7 @@ main(int argc, char *argv[]) {
 	isc_time_t timer_start, timer_finish;
 	isc_time_t sign_start, sign_finish;
 	dns_dnsseckey_t *key;
-	isc_result_t result;
+	isc_result_t result, vresult;
 	isc_log_t *log = NULL;
 #ifdef USE_PKCS11
 	const char *engine = PKCS11_ENGINE;
@@ -3912,9 +3912,18 @@ main(int argc, char *argv[]) {
 	postsign();
 	TIME_NOW(&sign_finish);
-	if (!disable_zone_check)
+	if (disable_zone_check) {
-		dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin, mctx,
+		vresult = ISC_R_SUCCESS;
-				      ignore_kskflag, keyset_kskonly);
+	} else {
 		vresult = dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin,
 						mctx, ignore_kskflag,
 						keyset_kskonly);
 		if (vresult != ISC_R_SUCCESS) {
 			fprintf(output_stdout ? stderr : stdout,
 				"Zone verification failed (%s)\n",
 				isc_result_totext(vresult));
 		}
 	}
 	if (outputformat != dns_masterformat_text) {
 		dns_masterrawheader_t header;
@@ -3940,12 +3949,16 @@ main(int argc, char *argv[]) {
 		check_result(result, "isc_stdio_close");
 		removefile = ISC_FALSE;
 		if (vresult == ISC_R_SUCCESS) {
 			result = isc_file_rename(tempfile, output);
-		if (result != ISC_R_SUCCESS)
+			if (result != ISC_R_SUCCESS) {
 				fatal("failed to rename temp file to %s: %s",
 				      output, isc_result_totext(result));
-
+			}
 			printf("%s\n", output);
 		} else {
 			isc_file_remove(tempfile);
 		}
 	}
 	dns_db_closeversion(gdb, &gversion, ISC_FALSE);
@@ -3985,5 +3998,5 @@ main(int argc, char *argv[]) {
 #ifdef _WIN32
 	DestroySockets();
 #endif
-	return (0);
+	return (vresult == ISC_R_SUCCESS ? 0 : 1);
 }
--- a/bin/dnssec/dnssec-verify.c
+++ b/bin/dnssec/dnssec-verify.c
@@ -323,7 +323,7 @@ main(int argc, char *argv[]) {
 	result = dns_db_newversion(gdb, &gversion);
 	check_result(result, "dns_db_newversion()");
-	dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin, mctx,
+	result = dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin, mctx,
 				       ignore_kskflag, keyset_kskonly);
 	dns_db_closeversion(gdb, &gversion, ISC_FALSE);
@@ -338,5 +338,5 @@ main(int argc, char *argv[]) {
 	(void) isc_app_finish();
-	return (0);
+	return (result == ISC_R_SUCCESS ? 0 : 1);
 }
--- a/lib/dns/include/dns/zoneverify.h
+++ b/lib/dns/include/dns/zoneverify.h
@@ -31,7 +31,7 @@ ISC_LANG_BEGINDECLS
 *   The rest of the zone was signed with at least one of the ZSKs
 *   present in the DNSKEY RRSET.
 */
-void
+isc_result_t
 dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 		      dns_name_t *origin, isc_mem_t *mctx,
 		      isc_boolean_t ignore_kskflag,
--- a/lib/dns/zoneverify.c
+++ b/lib/dns/zoneverify.c
@@ -1809,7 +1809,7 @@ print_summary(const vctx_t *vctx, isc_boolean_t keyset_kskonly) {
 	}
 }
-void
+isc_result_t
 dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 		      dns_name_t *origin, isc_mem_t *mctx,
 		      isc_boolean_t ignore_kskflag,
@@ -1820,7 +1820,7 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 	result = vctx_init(&vctx, mctx, zone, db, ver, origin);
 	if (result != ISC_R_SUCCESS) {
-		return;
+		return (result);
 	}
 	result = check_apex_rrsets(&vctx);
@@ -1879,4 +1879,6 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 done:
 	vctx_destroy(&vctx);
 	return (result);
 }