authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-04-26 13:35:35 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-04-26 13:35:35 +0200
commitf6e8825676a18a69aac923badfaeae9f0c1e40fe (patch)
treede23abd0947c0d74f504344375fe49cdc681052c
parent8bc0caafd6a73fa56dbcdba9d8a11155fe1a975d (diff)
dane: updated documentation of dane_verify_crt_raw
-rw-r--r--libdane/dane.c23
1 files changed, 4 insertions, 19 deletions
diff --git a/libdane/dane.c b/libdane/dane.c
index dd5378ef41..7d9c861875 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -744,24 +744,11 @@ verify_ee(const gnutls_datum_t * raw_crt,
* @vflags: Verification flags; an OR'ed list of %dane_verify_flags_t.
* @verify: An OR'ed list of %dane_verify_status_t.
*
- * This function will verify the given certificate chain against the
- * CA constrains and/or the certificate available via DANE.
- * If no information via DANE can be obtained the flag %DANE_VERIFY_NO_DANE_INFO
- * is set. If a DNSSEC signature is not available for the DANE
- * record then the verify flag %DANE_VERIFY_NO_DNSSEC_DATA is set.
+ * This is the low-level function of dane_verify_crt(). See the
+ * high level function for documentation.
*
- * Due to the many possible options of DANE, there is no single threat
- * model countered. When notifying the user about DANE verification results
- * it may be better to mention: DANE verification did not reject the certificate,
- * rather than mentioning a successful DANE verication.
- *
- * Note that this function is designed to be run in addition to
- * PKIX - certificate chain - verification. To be run independently
- * the %DANE_VFLAG_ONLY_CHECK_EE_USAGE flag should be specified;
- * then the function will check whether the key of the peer matches the
- * key advertized in the DANE entry.
- *
- * If the @q parameter is provided it will be used for caching entries.
+ * This function does not perform any resolving, it utilizes
+ * cached entries from @r.
*
* Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
* negative error value.
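Review bot: The shortened comment for dane_verify_crt_raw() leaves only the `Returns:` text, which a caller can read as "0 means the certificate verified". The removed lines indicate that conditions such as missing DANE or DNSSEC data are reported as flags in @verify, so the return value is presumably not the verification verdict; this should be confirmed against the function body, which is outside the hunk. If so, I would keep one sentence here, e.g. `A return of %DANE_E_SUCCESS does not by itself mean the certificate was accepted; the caller must check the flags in @verify.` I would also keep a one-line reminder that the check is meant to run in addition to PKIX verification unless %DANE_VFLAG_ONLY_CHECK_EE_USAGE is given, since users of the low-level entry point may not follow the cross-reference to dane_verify_crt(). The comment block starts above the hunk.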
@@ -865,8 +852,6 @@ dane_verify_crt_raw(dane_state_t s,
* then the function will check whether the key of the peer matches the
* key advertized in the DANE entry.
*
- * If the @q parameter is provided it will be used for caching entries.
- *
* Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*