summaryrefslogtreecommitdiffstats
path: root/lib/dnssec
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--lib/dnssec.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/lib/dnssec.c b/lib/dnssec.c
index 262570c..12b8f20 100644
--- a/lib/dnssec.c
+++ b/lib/dnssec.c
@@ -240,8 +240,11 @@ fail:
return NULL;
}
-/// Return if we want to afford yet another crypto-validation (and account it).
-static bool check_crypto_limit(const kr_rrset_validation_ctx_t *vctx)
+/** Checks whether we want to allow yet another crypto-validation and if yes,
+ * decrements the remaining number of allowed validations.
+ *
+ * Returns `true` if the crypto-validation is allowed; otherwise false */
+static bool account_crypto_limit(kr_rrset_validation_ctx_t *vctx)
{
if (vctx->limit_crypto_remains == NULL)
return true; // no limiting
@@ -281,7 +284,7 @@ static int kr_svldr_rrset_with_key(knot_rrset_t *rrs, const knot_rdataset_t *rrs
} else if (retv != 0) {
continue;
}
- if (!check_crypto_limit(vctx))
+ if (!account_crypto_limit(vctx))
return vctx->result = kr_error(E2BIG);
// We only expect non-expanded wildcard records in input;
// that also means we don't need to perform non-existence proofs.
@@ -392,7 +395,7 @@ static int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx,
break;
}
}
- if (!check_crypto_limit(vctx)) {
+ if (!account_crypto_limit(vctx)) {
vctx->result = kr_error(E2BIG);
goto finish;
}
@@ -477,7 +480,7 @@ int kr_dnskeys_trusted(kr_rrset_validation_ctx_t *vctx, const knot_rdataset_t *s
ret = kr_svldr_rrset_with_key(keys, sigs, vctx, &key);
svldr_key_del(&key);
if (ret == 0 || ret == kr_error(E2BIG)) {
- kr_assert(vctx->result == 0);
+ kr_assert(vctx->result == ret);
return vctx->result;
}
}