authorVladimír Čunát <vladimir.cunat@nic.cz>2024-01-02 11:18:31 +0100
committerVladimír Čunát <vladimir.cunat@nic.cz>2024-02-12 11:19:57 +0100
commiteccb8e278c1cde0548cc570eac619feaa290cede (patch)
tree153e1f5613ca201eaabf0aaf110585eced145df3 /lib/cache
parentvalidator: lower the NSEC3 iteration limit (150 -> 50) (diff)
downloadknot-resolver-eccb8e278c1cde0548cc570eac619feaa290cede.tar.xz
knot-resolver-eccb8e278c1cde0548cc570eac619feaa290cede.zip
validator: similarly also limit excessive NSEC3 salt length
Limit the combination of iterations and salt length, based on the estimated expense of the computation. Note that the result only differs for salt length > 44, which is rather nonsensical and very rare: https://chat.dns-oarc.net/community/pl/h58qx9sjkbgt9dajb7x988p78a
Diffstat (limited to 'lib/cache')
-rw-r--r--lib/cache/api.c2
-rw-r--r--lib/cache/nsec3.c2
2 files changed, 2 insertions, 2 deletions
diff --git a/lib/cache/api.c b/lib/cache/api.c
index 116d775e..bb627ea7 100644
--- a/lib/cache/api.c
+++ b/lib/cache/api.c
@@ -500,7 +500,7 @@ static ssize_t stash_rrset(struct kr_cache *cache, const struct kr_query *qry,
return kr_ok();
}
if (rr->type == KNOT_RRTYPE_NSEC3 && rr->rrs.count
- && knot_nsec3_iters(rr->rrs.rdata) > KR_NSEC3_MAX_ITERATIONS) {
+ && kr_nsec3_limited_rdata(rr->rrs.rdata)) {
/* This shouldn't happen often, thanks to downgrades during validation. */
VERBOSE_MSG(qry, "=> skipping NSEC3 with too many iterations\n");
return kr_ok();
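Review bot: The log line and comment following the new condition still describe only the iteration count, but `kr_nsec3_limited_rdata()` now (per the commit description) also rejects records whose salt length pushes the estimated hashing cost over the limit, so an operator reading the verbose log would be misled about why the record was dropped. I would change the message to `VERBOSE_MSG(qry, "=> skipping NSEC3 with excessive iterations or salt length\n");` and reword the preceding comment to `/* Too many iterations or too long a salt; rare thanks to downgrades during validation. */`. It may also be worth a one-line comment noting that the `rr->rrs.count` guard is what keeps `rr->rrs.rdata` valid before the helper reads it, since the helper's own handling of empty rdata is not visible here. stash_rrset starts before and continues past this hunk.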
diff --git a/lib/cache/nsec3.c b/lib/cache/nsec3.c
index 0b707759..98326309 100644
--- a/lib/cache/nsec3.c
+++ b/lib/cache/nsec3.c
@@ -84,7 +84,7 @@ static knot_db_val_t key_NSEC3_name(struct key *k, const knot_dname_t *name,
.data = (uint8_t *)/*const-cast*/name,
};
- if (kr_fails_assert(nsec_p->libknot.iterations <= KR_NSEC3_MAX_ITERATIONS)) {
+ if (kr_fails_assert(!kr_nsec3_limited_params(&nsec_p->libknot))) {
/* This is mainly defensive; it shouldn't happen thanks to downgrades. */
return VAL_EMPTY;
}