From 301daf568f291341b6268adced17fe5d7064c23e Mon Sep 17 00:00:00 2001
From: Otto Moerbeek <otto.moerbeek@open-xchange.com>
Date: Mon, 23 Jun 2025 09:07:00 +0200
Subject: [PATCH] rec: avoid implicit truncating cast of inception skew

Avoid coverity complaint:
store_truncates_time_t: A time_t value is stored in an integer with too few bits to accommodate it.
The expression sig.d_siginception - g_signatureInceptionSkew is cast to unsigned int.

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>
---
 pdns/recursordist/rec-main.cc | 12 +++++++-----
 pdns/validate.cc              |  2 +-
 pdns/validate.hh              |  2 +-
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/pdns/recursordist/rec-main.cc b/pdns/recursordist/rec-main.cc
index 64c8e9fe6e..03648b77f7 100644
--- a/pdns/recursordist/rec-main.cc
+++ b/pdns/recursordist/rec-main.cc
@@ -1712,11 +1712,13 @@ static int initDNSSEC(Logr::log_t log)
     return 1;
   }
 
-  g_signatureInceptionSkew = ::arg().asNum("signature-inception-skew");
-  if (g_signatureInceptionSkew < 0) {
-    SLOG(g_log << Logger::Error << "A negative value for 'signature-inception-skew' is not allowed" << endl,
-         log->info(Logr::Error, "A negative value for 'signature-inception-skew' is not allowed"));
-    return 1;
+  {
+    auto value = ::arg().asNum("signature-inception-skew");
+    if (value < 0) {
+      log->info(Logr::Error, "A negative value for 'signature-inception-skew' is not allowed");
+      return 1;
+    }
+    g_signatureInceptionSkew = value;
   }
 
   g_dnssecLogBogus = ::arg().mustDo("dnssec-log-bogus");
diff --git a/pdns/validate.cc b/pdns/validate.cc
index 882f84e2a4..6df1564d22 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -28,7 +28,7 @@
 #include "base32.hh"
 #include "logger.hh"
 
-time_t g_signatureInceptionSkew{0};
+uint32_t g_signatureInceptionSkew{0};
 uint16_t g_maxNSEC3Iterations{0};
 uint16_t g_maxRRSIGsPerRecordToConsider{0};
 uint16_t g_maxNSEC3sPerRecordToConsider{0};
diff --git a/pdns/validate.hh b/pdns/validate.hh
index 164875981d..fed16c330b 100644
--- a/pdns/validate.hh
+++ b/pdns/validate.hh
@@ -29,7 +29,7 @@
 #include "dnssecinfra.hh"
 #include "logger.hh"
 
-extern time_t g_signatureInceptionSkew;
+extern uint32_t g_signatureInceptionSkew;
 extern uint16_t g_maxNSEC3Iterations;
 extern uint16_t g_maxRRSIGsPerRecordToConsider;
 extern uint16_t g_maxNSEC3sPerRecordToConsider;
-- 
2.47.2