authorDaniel Kahn Gillmor <dkg@fifthhorseman.net>2015-09-16 19:59:12 -0400
committerNikos Mavrogiannopoulos <nmav@redhat.com>2015-09-17 10:06:03 +0200
commit41c6ce961a881a3f0c86bd6f303c41a5c68966ea (patch)
treef27ec0ef4f1b65a46b5d75686ad98fec05018c29 /lib/cert.c
parent368018efccee25f82149cba47e05f5af6af28ae9 (diff)
improve docs for gnutls_certificate_verify_peers*()
The gnutls_certificate_verify_peers{,2,3}() functions all return GNUTLS_E_SUCCESS (0) even in situations when the peer's certificate was not verified. This is explained in the first paragraphs ("i.e. failure to trust a certificate does not imply a negative return value"), but the Returns: line isn't comparably clear.
Diffstat (limited to 'lib/cert.c')
-rw-r--r--lib/cert.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/lib/cert.c b/lib/cert.c
index fb01d1b994..2d79c9672e 100644
--- a/lib/cert.c
+++ b/lib/cert.c
@@ -597,7 +597,9 @@ _gnutls_openpgp_crt_verify_peers(gnutls_session_t session,
* the verified certificate belongs to the actual peer, see gnutls_x509_crt_check_hostname(),
* or use gnutls_certificate_verify_peers3().
*
- * Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0) on success.
+ * Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0)
+ * when the peer's certificate was successfully parsed, whether or not
+ * it was verified.
**/
int
gnutls_certificate_verify_peers2(gnutls_session_t session,
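Review bot: The reworded Returns: line says that 0 does not mean "verified", but it never tells the caller where the verdict actually is, so someone reading only this line still has nothing concrete to test. I would end it with a sentence such as `On success the caller must still inspect @status; the certificate is trusted only when it is zero.` The identical Returns: text in the hunks at -629 and -673 needs the same addition. "successfully parsed" may also be narrower than what a 0 return covers (presumably the verification procedure ran to completion), so `when the verification was performed` might be the safer wording; confirm against the function body. The doc comment starts above this hunk and the function body continues below it.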
@@ -629,7 +631,9 @@ gnutls_certificate_verify_peers2(gnutls_session_t session,
* In order to verify the purpose of the end-certificate (by checking the extended
* key usage), use gnutls_certificate_verify_peers().
*
- * Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0) on success.
+ * Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0)
+ * when the peer's certificate was successfully parsed, whether or not
+ * it was verified.
*
* Since: 3.1.4
**/
@@ -673,7 +677,9 @@ gnutls_typed_vdata_st data;
* usage PKIX extension, it will be required to be have the provided key purpose
* or be marked for any purpose, otherwise verification will fail with %GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE status.
*
- * Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0) on success.
+ * Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0)
+ * when the peer's certificate was successfully parsed, whether or not
+ * it was verified.
*
* Since: 3.3.0
**/