authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-04-26 13:35:35 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-04-26 13:36:10 +0200
commit11b58baf46e48806939058c12ab905557b654f55 (patch)
tree082c8f05e126961e264c8c4a2e81616e06ca14b6
parent6c04ebb849c19ce4efbfd93354aba7a8b4762e54 (diff)
downloadgnutls-11b58baf46e48806939058c12ab905557b654f55.tar.gz
dane: updated documentation of dane_verify_crt_raw [ci skip]
-rw-r--r--libdane/dane.c23
1 files changed, 4 insertions, 19 deletions
diff --git a/libdane/dane.c b/libdane/dane.c
index 4223350497..76a769047e 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -742,24 +742,11 @@ verify_ee(const gnutls_datum_t * raw_crt,
* @vflags: Verification flags; an OR'ed list of %dane_verify_flags_t.
* @verify: An OR'ed list of %dane_verify_status_t.
*
- * This function will verify the given certificate chain against the
- * CA constrains and/or the certificate available via DANE.
- * If no information via DANE can be obtained the flag %DANE_VERIFY_NO_DANE_INFO
- * is set. If a DNSSEC signature is not available for the DANE
- * record then the verify flag %DANE_VERIFY_NO_DNSSEC_DATA is set.
+ * This is the low-level function of dane_verify_crt(). See the
+ * high level function for documentation.
*
- * Due to the many possible options of DANE, there is no single threat
- * model countered. When notifying the user about DANE verification results
- * it may be better to mention: DANE verification did not reject the certificate,
- * rather than mentioning a successful DANE verication.
- *
- * Note that this function is designed to be run in addition to
- * PKIX - certificate chain - verification. To be run independently
- * the %DANE_VFLAG_ONLY_CHECK_EE_USAGE flag should be specified;
- * then the function will check whether the key of the peer matches the
- * key advertized in the DANE entry.
- *
- * If the @q parameter is provided it will be used for caching entries.
+ * This function does not perform any resolving, it utilizes
+ * cached entries from @r.
*
* Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
* negative error value.
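Review bot: The rewritten comment for dane_verify_crt_raw() (the added lines after `@verify`) no longer says how to read the outcome, so a caller who lands on the low-level function first sees only "Returns: On success, %DANE_E_SUCCESS" and may treat a zero return as an accepted certificate. The removed text made clear that conditions such as %DANE_VERIFY_NO_DANE_INFO and %DANE_VERIFY_NO_DNSSEC_DATA are reported through @verify, and that the check is meant to run in addition to PKIX verification unless %DANE_VFLAG_ONLY_CHECK_EE_USAGE is given. I would keep the cross-reference but retain one line here, e.g. `* The outcome is reported in @verify, which must be checked even when %DANE_E_SUCCESS is returned.` Since this variant works only from the entries cached in @r, it would also help to say that the caller is responsible for how those entries were obtained; that is inferred from the new wording and should be confirmed against the function body, which lies outside the hunk.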
@@ -863,8 +850,6 @@ dane_verify_crt_raw(dane_state_t s,
* then the function will check whether the key of the peer matches the
* key advertized in the DANE entry.
*
- * If the @q parameter is provided it will be used for caching entries.
- *
* Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*