Make match_nsec3() return the verification result through a separate
pointer, thus making it possible to signal errors using function
return value. Replace all check_result() and fprintf() calls inside
match_nsec3() with zoneverify_log_error() calls and error handling code.

Modify all call sites of match_nsec3() so that its errors are properly
handled.

Replace all check_result() calls inside isoptout() with
zoneverify_log_error() calls and error handling code. Enable isoptout()
to signal errors to the caller using its return value.

Modify the call site of isoptout() so that its errors are properly
handled.

Make verifynsec3(), verifynsec3s(), and verifyemptynodes() return the
verification result through a separate pointer, thus making it possible
to signal errors using function return values. Replace all
check_result() and fprintf() calls inside these functions with
zoneverify_log_error() calls and error handling code.

Modify all call sites of verifynsec3(), verifynsec3s(), and
verifyemptynodes() so that their errors are properly handled.

Make verifynsec() return the verification result through a separate
pointer, thus making it possible to signal errors using function
return value. Replace all check_result() and fprintf() calls inside
verifynsec() with zoneverify_log_error() calls and error handling code.

Modify the call site of verifynsec() so that its errors are properly
handled.

Rename "tresult" to "tvresult" in order to improve variable naming
consistency between functions.

Replace all check_result() and fprintf() calls inside check_no_rrsig()
with zoneverify_log_error() calls and error handling code. Enable
check_no_rrsig() to signal errors to the caller using its return
value.

Modify the call site of check_no_rrsig() so that its errors are properly
handled.

Define buffer size using a named constant rather than a plain integer.

Replace all check_result() and fprintf() calls inside verifyset() with
zoneverify_log_error() calls and error handling code. Enable
verifyset() to signal errors to the caller using its return value.

Modify the call site of verifyset() so that its errors are properly
handled.

Define buffer sizes using named constants rather than plain integers.

Make verifynode() return the verification result through a separate
pointer, thus making it possible to signal errors using function
return value. Replace all fatal() and check_result() calls inside
verifynode() with zoneverify_log_error() calls and error handling code.

Add a REQUIRE assertion to emphasize verifynode() may be called with
some of its arguments set to NULL.

Modify all call sites of verifynode() so that its errors are properly
handled.

Replace the check_result() call inside is_empty() with a
zoneverify_log_error() call and error handling code. Enable is_empty()
to signal errors to the caller using its return value.

Modify the call site of is_empty() so that its errors are properly
handled.

Replace the fatal() call inside check_no_nsec() with a
zoneverify_log_error() call. Enable check_no_nsec() to signal errors to
the caller using its return value.

Modify all call sites of check_no_nsec() so that its errors are properly
handled.

Replace all fatal(), check_result(), and check_dns_dbiterator_current()
calls inside verify_nodes() with zoneverify_log_error() calls and error
handling code. Enable verify_nodes() to signal errors to the caller
using its return value.

Modify the call site of verify_nodes() so that its errors are properly
handled.

Free all heap elements upon verification context cleanup as a
verification error may prevent them from being freed elsewhere.

Remove the check_dns_dbiterator_current() macro as it is no longer used
anywhere in lib/dns/zoneverify.c.

Replace all fatal() and fprintf() calls inside check_bad_algorithms()
with zoneverify_print() calls and error handling code. Enable
check_bad_algorithms() to signal errors to the caller using its return
value.

Modify the call site of check_bad_algorithms() so that its errors are
properly handled.

Replace all fatal() and check_result() calls inside check_dnskey() with
zoneverify_log_error() calls and error handling code. Enable
check_dnskey() to signal errors to the caller using its return value.

Modify the call site of check_dnskey() so that its errors are properly
handled.

Replace all fatal() calls inside check_apex_rrsets() with
zoneverify_log_error() calls and error handling code. Enable
check_apex_rrsets() to signal errors to the caller using its return
value.

Modify the call site of check_apex_rrsets() so that its errors are
properly handled.

Replace calls to check_result() with RUNTIME_CHECK assertions for all
dns_rdata_tostruct() calls in lib/dns/zoneverify.c as this function
cannot fail when the "mctx" argument is NULL (and that is the case for
all call sites of this function throughout lib/dns/zoneverify.c).

Extract the part of dns_zoneverify_dnssec() responsible for checking
whether the zone is fully signed using all active algorithms to a
separate function.

Extract the part of dns_zoneverify_dnssec() responsible for verifying
DNSSEC signatures against the DNSKEY RRset at zone apex and checking
consistency of NSEC/NSEC3 chains to a separate function.

Extract the part of dns_zoneverify_dnssec() responsible for determining
and printing a list of DNSSEC algorithms active in the verified zone to
a separate function.

Extract the part of check_dnskey() responsible for determining active
algorithms in the verified zone based on the signatures at zone apex to
a separate function.

Extract the part of dns_zoneverify_dnssec() responsible for fetching and
preliminarily checking DNSKEY, SOA, NSEC, and NSEC3PARAM RRsets from
zone apex to a separate function.

These functions will be used in the process of replacing fatal(),
check_result(), and fprintf() calls throughout lib/dns/zoneverify.c with
code that does not call exit(). They are intended for:

- zoneverify_log_error(): logging problems encountered while
  performing zone verification,
- zoneverify_print(): printing status messages and reports which are
  only useful in standalone tools.

To make using dns_zone_logv() possible, add a new "zone" argument to
dns_zoneverify_dnssec() that standalone tools are expected to set to
NULL.

Tables representing algorithm use in the verified zone are commonly
accessed throughout dns_zoneverify_dnssec(). Move them into the
structure representing a verification context. While this does not
really simplify currently existing code, it will facilitate passing data
around between smaller functions that dns_zoneverify_dnssec() is about
to get split into.

Eight structures representing four RRsets and their signatures are
commonly accessed throughout dns_zoneverify_dnssec(). Move them into
the structure representing a verification context. While this does not
really simplify currently existing code, it will facilitate passing data
around between smaller functions that dns_zoneverify_dnssec() is about
to get split into.

Move variables commonly used throughout dns_zoneverify_dnssec() and its
helper functions to the structure representing a verification context in
order to reduce the number of arguments passed between functions.

Make dns_zoneverify_dnssec() eligible for multithreaded use by replacing
the static variables it accesses with a stack-allocated structure
containing these variables. Implement setup and cleanup routines for
that structure, ensuring no error in these routines causes exit() to be
called any more. Pass a pointer to that structure to functions
requiring access to variables which were previously static.

This commit only moves code around, with the following exceptions:
- the check_dns_dbiterator_current() macro and functions
  is_delegation() and has_dname() were removed from
  bin/dnssec/dnssectool.{c,h} and duplicated in two locations:
  bin/dnssec/dnssec-signzone.c and lib/dns/zoneverify.c; these
  functions are used both by the code in bin/dnssec/dnssec-signzone.c
  and verifyzone(), but are not a good fit for being exported by a
  code module responsible for zone verification,
- fatal() and check_result() were duplicated in lib/dns/zoneverify.c
  as static functions which do not use the "program" variable any more
  (as it is only set by the tools in bin/dnssec/); this is a temporary
  step which only aims to prevent compilation from breaking - these
  duplicate functions will be removed once lib/dns/zoneverify.c is
  refactored not to use them,
- the list of header files included by lib/dns/zoneverify.c was
  expanded to encompass all header files that are actually used by the
  code in that file,
- a description of the purpose of the commented out "fields" inside
  struct nsec3_chain_fixed was added.
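The pattern these commit messages describe, shown as an added example that is not code from the commits or from BIND: a caller-owned context replaces static variables, the return value reports whether a check could run while a separate pointer carries the verification outcome, and cleanup frees queued heap elements after an early error return. Every name (vctx_t, verify_node(), HEAP_MAX, ...) and the two-node zone are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* All names are hypothetical stand-ins, not BIND's API. */
#define HEAP_MAX 8 /* named constant rather than a plain integer */
typedef enum { R_SUCCESS, R_FAILURE } result_t;
typedef struct { const char *name; bool is_signed; } node_t;
typedef struct { char *heap[HEAP_MAX]; size_t count; unsigned logged; } vctx_t;
/* Stands in for fatal(): reports the problem and returns, never exit()s. */
static void log_error(vctx_t *v, const char *what, const char *name) {
    fprintf(stderr, "%s %s\n", what, name);
    v->logged++;
}
/* Return value: could the check run? *vresult: did the node verify? */
static result_t verify_node(vctx_t *v, const node_t *n, bool *vresult) {
    char *copy = v->count < HEAP_MAX ? malloc(strlen(n->name) + 1) : NULL;
    if (copy == NULL) {
        log_error(v, "cannot queue", n->name);
        return R_FAILURE;
    }
    v->heap[v->count++] = strcpy(copy, n->name); /* kept for a later chain check */
    *vresult = n->is_signed;
    if (!*vresult) log_error(v, "no signature for", n->name);
    return R_SUCCESS;
}
/* Stops at the first operational error; names queued so far stay in v. */
static result_t verify_nodes(vctx_t *v, const node_t *z, size_t n, bool *vresult) {
    *vresult = true;
    for (size_t i = 0; i < n; i++) {
        bool tvresult;
        if (verify_node(v, &z[i], &tvresult) != R_SUCCESS) return R_FAILURE;
        if (!tvresult) *vresult = false;
    }
    return R_SUCCESS;
}
/* Frees every queued element, however verification ended. */
static size_t vctx_cleanup(vctx_t *v) {
    size_t freed = 0;
    for (; v->count > 0; freed++) free(v->heap[--v->count]);
    return freed;
}
int main(void) { /* constructed two-node zone; the second node is unsigned */
    const node_t zone[] = { {"example.", true}, {"a.example.", false} };
    vctx_t v = { 0 };
    bool ok;
    result_t r = verify_nodes(&v, zone, 2, &ok);
    printf("result=%d verified=%d freed=%zu\n", r, ok, vctx_cleanup(&v));
}
```

Because nothing in the call chain calls exit(), a caller that runs verification inside a long-lived process can treat R_FAILURE and a false verification result as two separate conditions.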