From f7f96a5fdb2e185b877964155e0df721bc2169d4 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 16 Oct 2025 16:52:57 +1100
Subject: [PATCH] dnssec-verify now returns failure on bad arguments

(cherry picked from commit ac3fba068e87206209deed008f288f2e4ed16166)
---
 bin/check/named-checkzone.c      | 15 ++++++++-------
 bin/delv/delv.c                  | 15 +++++++++------
 bin/dnssec/dnssec-dsfromkey.c    | 14 ++++++++------
 bin/dnssec/dnssec-importkey.c    | 13 +++++++------
 bin/dnssec/dnssec-keyfromlabel.c | 14 ++++++++------
 bin/dnssec/dnssec-keygen.c       | 14 ++++++++------
 bin/dnssec/dnssec-revoke.c       | 14 ++++++++------
 bin/dnssec/dnssec-settime.c      | 17 ++++++++++-------
 bin/dnssec/dnssec-signzone.c     | 14 ++++++++------
 bin/dnssec/dnssec-verify.c       | 13 +++++++------
 bin/dnssec/dnssectool.c          |  4 ++--
 bin/dnssec/dnssectool.h          |  2 +-
 12 files changed, 84 insertions(+), 65 deletions(-)

diff --git a/bin/check/named-checkzone.c b/bin/check/named-checkzone.c
index 9f5bf45aa2..ae8feafc8c 100644
--- a/bin/check/named-checkzone.c
+++ b/bin/check/named-checkzone.c
@@ -63,10 +63,10 @@ static enum { progmode_check, progmode_compile } progmode;
 	} while (0)
 
 noreturn static void
-usage(void);
+usage(int ret);
 
 static void
-usage(void) {
+usage(int ret) {
 	fprintf(stderr,
 		"usage: %s [-djqvD] [-c class] "
 		"[-f inputformat] [-F outputformat] [-J filename] "
@@ -79,7 +79,7 @@ usage(void) {
 		"%s zonename [ (filename|-) ]\n",
 		prog_name,
 		progmode == progmode_check ? "[-o filename]" : "-o filename");
-	exit(EXIT_FAILURE);
+	exit(ret);
 }
 
 static void
@@ -431,9 +431,10 @@ main(int argc, char **argv) {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					prog_name, isc_commandline_option);
 			}
-			FALLTHROUGH;
+			usage(EXIT_FAILURE);
+
 		case 'h':
-			usage();
+			usage(EXIT_SUCCESS);
 
 		default:
 			fprintf(stderr, "%s: unhandled option -%c\n", prog_name,
@@ -496,7 +497,7 @@ main(int argc, char **argv) {
 		if (output_filename == NULL) {
 			fprintf(stderr, "output file required, but not "
 					"specified\n");
-			usage();
+			usage(EXIT_FAILURE);
 		}
 	}
 
@@ -520,7 +521,7 @@ main(int argc, char **argv) {
 	if (argc - isc_commandline_index < 1 ||
 	    argc - isc_commandline_index > 2)
 	{
-		usage();
+		usage(EXIT_FAILURE);
 	}
 
 	isc_mem_create(&mctx);
diff --git a/bin/delv/delv.c b/bin/delv/delv.c
index 041f4b65ca..84ce80f1aa 100644
--- a/bin/delv/delv.c
+++ b/bin/delv/delv.c
@@ -171,8 +171,11 @@ get_reverse(char *reverse, size_t len, char *value, bool strict);
 static isc_result_t
 parse_uint(uint32_t *uip, const char *value, uint32_t max, const char *desc);
 
+noreturn static void
+usage(int ret);
+
 static void
-usage(void) {
+usage(int ret) {
 	fprintf(stderr,
 		"Usage:  delv [@server] {q-opt} {d-opt} [domain] [q-type] "
 		"[q-class]\n"
@@ -256,7 +259,7 @@ usage(void) {
 		"process)\n"
 		"                 +[no]yaml           (Present the results as "
 		"YAML)\n");
-	exit(EXIT_FAILURE);
+	exit(ret);
 }
 
 noreturn static void
@@ -1438,7 +1441,7 @@ plus_option(char *option) {
 	invalid_option:
 	need_value:
 		fprintf(stderr, "Invalid option: +%s\n", option);
-		usage();
+		usage(EXIT_FAILURE);
 	}
 	return;
 }
@@ -1491,8 +1494,8 @@ dash_option(char *option, char *next, bool *open_type_class) {
 			}
 			break;
 		case 'h':
-			usage();
-			exit(EXIT_SUCCESS);
+			usage(EXIT_SUCCESS);
+
 		case 'i':
 			no_sigs = true;
 			root_validation = false;
@@ -1645,7 +1648,7 @@ dash_option(char *option, char *next, bool *open_type_class) {
 	invalid_option:
 	default:
 		fprintf(stderr, "Invalid option: -%s\n", option);
-		usage();
+		usage(EXIT_FAILURE);
 	}
 	UNREACHABLE();
 	return false;
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
index f0adc4b0d1..8a645338c0 100644
--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -331,10 +331,10 @@ emits(bool showall, bool cds, dns_rdata_t *rdata) {
 }
 
 noreturn static void
-usage(void);
+usage(int ret);
 
 static void
-usage(void) {
+usage(int ret) {
 	fprintf(stderr, "Usage:\n");
 	fprintf(stderr, "    %s [options] keyfile\n\n", program);
 	fprintf(stderr, "    %s [options] -f zonefile [zonename]\n\n", program);
@@ -361,7 +361,7 @@ usage(void) {
 			"    -V: print version information\n");
 	fprintf(stderr, "Output: DS or CDS RRs\n");
 
-	exit(EXIT_FAILURE);
+	exit(ret);
 }
 
 int
@@ -381,7 +381,7 @@ main(int argc, char **argv) {
 	dns_rdata_init(&rdata);
 
 	if (argc == 1) {
-		usage();
+		usage(EXIT_FAILURE);
 	}
 
 	isc_mem_create(&mctx);
@@ -451,10 +451,12 @@ main(int argc, char **argv) {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
 			}
-			FALLTHROUGH;
+			/* Does not return. */
+			usage(EXIT_FAILURE);
+
 		case 'h':
 			/* Does not return. */
-			usage();
+			usage(EXIT_SUCCESS);
 
 		case 'V':
 			/* Does not return. */
diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c
index 0d11d95e25..77fb59923d 100644
--- a/bin/dnssec/dnssec-importkey.c
+++ b/bin/dnssec/dnssec-importkey.c
@@ -264,10 +264,10 @@ emit(const char *dir, dns_rdata_t *rdata) {
 }
 
 noreturn static void
-usage(void);
+usage(int ret);
 
 static void
-usage(void) {
+usage(int ret) {
 	fprintf(stderr, "Usage:\n");
 	fprintf(stderr, "    %s options [-K dir] keyfile\n\n", program);
 	fprintf(stderr, "    %s options -f file [keyname]\n\n", program);
@@ -290,7 +290,7 @@ usage(void) {
 	fprintf(stderr, "    -D sync date/[+-]offset/none: set/unset "
 			"CDS and CDNSKEY deletion date\n");
 
-	exit(EXIT_FAILURE);
+	exit(ret);
 }
 
 int
@@ -308,7 +308,7 @@ main(int argc, char **argv) {
 	dns_rdata_init(&rdata);
 
 	if (argc == 1) {
-		usage();
+		usage(EXIT_FAILURE);
 	}
 
 	isc_mem_create(&mctx);
@@ -384,10 +384,11 @@ main(int argc, char **argv) {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
 			}
-			FALLTHROUGH;
+			usage(EXIT_FAILURE);
+
 		case 'h':
 			/* Does not return. */
-			usage();
+			usage(EXIT_SUCCESS);
 
 		case 'V':
 			/* Does not return. */
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index 8bd181708c..a133b7b7ad 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -46,10 +46,10 @@ const char *program = "dnssec-keyfromlabel";
 static uint16_t tag_min = 0, tag_max = 0xffff;
 
 noreturn static void
-usage(void);
+usage(int ret);
 
 static void
-usage(void) {
+usage(int ret) {
 	fprintf(stderr, "Usage:\n");
 	fprintf(stderr, "    %s -l label [options] name\n\n", program);
 	fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
@@ -105,7 +105,7 @@ usage(void) {
 	fprintf(stderr, "     K<name>+<alg>+<id>.key, "
 			"K<name>+<alg>+<id>.private\n");
 
-	exit(EXIT_FAILURE);
+	exit(ret);
 }
 
 int
@@ -156,7 +156,7 @@ main(int argc, char **argv) {
 	isc_stdtime_t now = isc_stdtime_now();
 
 	if (argc == 1) {
-		usage();
+		usage(EXIT_FAILURE);
 	}
 
 	isc_mem_create(&mctx);
@@ -336,10 +336,12 @@ main(int argc, char **argv) {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
 			}
-			FALLTHROUGH;
+			/* Does not return. */
+			usage(EXIT_FAILURE);
+
 		case 'h':
 			/* Does not return. */
-			usage();
+			usage(EXIT_SUCCESS);
 
 		case 'V':
 			/* Does not return. */
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 13f34000fa..d690cbabdb 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -75,7 +75,7 @@ static int min_dh = 128;
 isc_log_t *lctx = NULL;
 
 noreturn static void
-usage(void);
+usage(int ret);
 
 static void
 progress(int p);
@@ -140,7 +140,7 @@ struct keygen_ctx {
 typedef struct keygen_ctx keygen_ctx_t;
 
 static void
-usage(void) {
+usage(int ret) {
 	fprintf(stderr, "Usage:\n");
 	fprintf(stderr, "    %s [options] name\n\n", program);
 	fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
@@ -226,7 +226,7 @@ usage(void) {
 	fprintf(stderr, "     K<name>+<alg>+<id>.key, "
 			"K<name>+<alg>+<id>.private\n");
 
-	exit(EXIT_FAILURE);
+	exit(ret);
 }
 
 static void
@@ -879,7 +879,7 @@ main(int argc, char **argv) {
 	};
 
 	if (argc == 1) {
-		usage();
+		usage(EXIT_FAILURE);
 	}
 
 	isc_commandline_errprint = false;
@@ -1134,10 +1134,12 @@ main(int argc, char **argv) {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
 			}
-			FALLTHROUGH;
+			/* Does not return. */
+			usage(EXIT_FAILURE);
+
 		case 'h':
 			/* Does not return. */
-			usage();
+			usage(EXIT_SUCCESS);
 
 		case 'V':
 			/* Does not return. */
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
index 01595a12bb..847c2ac128 100644
--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
@@ -39,10 +39,10 @@ const char *program = "dnssec-revoke";
 static isc_mem_t *mctx = NULL;
 
 noreturn static void
-usage(void);
+usage(int ret);
 
 static void
-usage(void) {
+usage(int ret) {
 	fprintf(stderr, "Usage:\n");
 	fprintf(stderr, "    %s [options] keyfile\n\n", program);
 	fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
@@ -58,7 +58,7 @@ usage(void) {
 	fprintf(stderr, "     K<name>+<alg>+<new id>.key, "
 			"K<name>+<alg>+<new id>.private\n");
 
-	exit(EXIT_FAILURE);
+	exit(ret);
 }
 
 int
@@ -79,7 +79,7 @@ main(int argc, char **argv) {
 	bool id = false;
 
 	if (argc == 1) {
-		usage();
+		usage(EXIT_FAILURE);
 	}
 
 	isc_mem_create(&mctx);
@@ -118,10 +118,12 @@ main(int argc, char **argv) {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
 			}
-			FALLTHROUGH;
+			/* Does not return. */
+			usage(EXIT_FAILURE);
+
 		case 'h':
 			/* Does not return. */
-			usage();
+			usage(EXIT_SUCCESS);
 
 		case 'V':
 			/* Does not return. */
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index f61b63af50..ec0ec7fea8 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -43,10 +43,10 @@ const char *program = "dnssec-settime";
 static isc_mem_t *mctx = NULL;
 
 noreturn static void
-usage(void);
+usage(int ret);
 
 static void
-usage(void) {
+usage(int ret) {
 	fprintf(stderr, "Usage:\n");
 	fprintf(stderr, "    %s [options] keyfile\n\n", program);
 	fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
@@ -101,7 +101,7 @@ usage(void) {
 	fprintf(stderr, "     K<name>+<alg>+<new id>.key, "
 			"K<name>+<alg>+<new id>.private\n");
 
-	exit(EXIT_FAILURE);
+	exit(ret);
 }
 
 static void
@@ -242,7 +242,7 @@ main(int argc, char **argv) {
 	options = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_STATE;
 
 	if (argc == 1) {
-		usage();
+		usage(EXIT_FAILURE);
 	}
 
 	isc_mem_create(&mctx);
@@ -339,10 +339,13 @@ main(int argc, char **argv) {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
 			}
-			FALLTHROUGH;
+			/* Does not return. */
+			usage(EXIT_FAILURE);
+
 		case 'h':
 			/* Does not return. */
-			usage();
+			usage(EXIT_SUCCESS);
+
 		case 'I':
 			if (setinact || unsetinact) {
 				fatal("-I specified more than once");
@@ -476,7 +479,7 @@ main(int argc, char **argv) {
 				case ' ':
 					break;
 				default:
-					usage();
+					usage(EXIT_FAILURE);
 					break;
 				}
 			} while (*p != '\0');
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 10f7f7d242..1ae677b262 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -3234,10 +3234,10 @@ print_version(FILE *fp) {
 }
 
 noreturn static void
-usage(void);
+usage(int ret);
 
 static void
-usage(void) {
+usage(int ret) {
 	fprintf(stderr, "Usage:\n");
 	fprintf(stderr, "\t%s [options] zonefile [keys]\n", program);
 
@@ -3325,7 +3325,7 @@ usage(void) {
 	fprintf(stderr, "(default: all zone keys that have private keys)\n");
 	fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n");
 
-	exit(EXIT_FAILURE);
+	exit(ret);
 }
 
 static void
@@ -3699,10 +3699,12 @@ main(int argc, char *argv[]) {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
 			}
-			FALLTHROUGH;
+			/* Does not return. */
+			usage(EXIT_FAILURE);
+
 		case 'h':
 			/* Does not return. */
-			usage();
+			usage(EXIT_SUCCESS);
 
 		case 'V':
 			/* Does not return. */
@@ -3795,7 +3797,7 @@ main(int argc, char *argv[]) {
 	argv += isc_commandline_index;
 
 	if (argc < 1) {
-		usage();
+		usage(EXIT_FAILURE);
 	}
 
 	file = argv[0];
diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c
index 74157cd918..27c17e905d 100644
--- a/bin/dnssec/dnssec-verify.c
+++ b/bin/dnssec/dnssec-verify.c
@@ -138,10 +138,10 @@ loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) {
 }
 
 noreturn static void
-usage(void);
+usage(int ret);
 
 static void
-usage(void) {
+usage(int ret) {
 	fprintf(stderr, "Usage:\n");
 	fprintf(stderr, "\t%s [options] zonefile [keys]\n", program);
 
@@ -163,7 +163,7 @@ usage(void) {
 	fprintf(stderr, "\t-x:\tDNSKEY record signed with KSKs only, "
 			"not ZSKs\n");
 	fprintf(stderr, "\t-z:\tAll records signed with KSKs\n");
-	exit(EXIT_SUCCESS);
+	exit(ret);
 }
 
 int
@@ -259,11 +259,12 @@ main(int argc, char *argv[]) {
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
 			}
-			FALLTHROUGH;
+			/* Does not return. */
+			usage(EXIT_FAILURE);
 
 		case 'h':
 			/* Does not return. */
-			usage();
+			usage(EXIT_SUCCESS);
 
 		case 'V':
 			/* Does not return. */
@@ -292,7 +293,7 @@ main(int argc, char *argv[]) {
 	argv += isc_commandline_index;
 
 	if (argc < 1) {
-		usage();
+		usage(EXIT_FAILURE);
 	}
 
 	file = argv[0];
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index 5a0f81c97c..15fab3e3f6 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -574,13 +574,13 @@ try_key:
 }
 
 bool
-isoptarg(const char *arg, char **argv, void (*usage)(void)) {
+isoptarg(const char *arg, char **argv, void (*usage)(int ret)) {
 	if (!strcasecmp(isc_commandline_argument, arg)) {
 		if (argv[isc_commandline_index] == NULL) {
 			fprintf(stderr, "%s: missing argument -%c %s\n",
 				program, isc_commandline_option,
 				isc_commandline_argument);
-			usage();
+			usage(EXIT_FAILURE);
 		}
 		isc_commandline_argument = argv[isc_commandline_index];
 		/* skip to next argument */
diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h
index 1df15a9a11..e4591f4c79 100644
--- a/bin/dnssec/dnssectool.h
+++ b/bin/dnssec/dnssectool.h
@@ -112,7 +112,7 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
 	      isc_mem_t *mctx, uint16_t min, uint16_t max, bool *exact);
 
 bool
-isoptarg(const char *arg, char **argv, void (*usage)(void));
+isoptarg(const char *arg, char **argv, void (*usage)(int ret));
 
 void
 loadjournal(isc_mem_t *mctx, dns_db_t *db, const char *journal);