From f6e8825676a18a69aac923badfaeae9f0c1e40fe Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 26 Apr 2016 13:35:35 +0200
Subject: dane: updated documentation of dane_verify_crt_raw
---
 libdane/dane.c | 23 ++++-------------------
 1 file changed, 4 insertions(+), 19 deletions(-)
diff --git a/libdane/dane.c b/libdane/dane.c
index dd5378ef41..7d9c861875 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -744,24 +744,11 @@ verify_ee(const gnutls_datum_t * raw_crt,
 * @vflags: Verification flags; an OR'ed list of %dane_verify_flags_t.
 * @verify: An OR'ed list of %dane_verify_status_t.
 *
- * This function will verify the given certificate chain against the
- * CA constrains and/or the certificate available via DANE.
- * If no information via DANE can be obtained the flag %DANE_VERIFY_NO_DANE_INFO
- * is set. If a DNSSEC signature is not available for the DANE
- * record then the verify flag %DANE_VERIFY_NO_DNSSEC_DATA is set.
+ * This is the low-level function of dane_verify_crt(). See the
+ * high level function for documentation.
 *
- * Due to the many possible options of DANE, there is no single threat
- * model countered. When notifying the user about DANE verification results
- * it may be better to mention: DANE verification did not reject the certificate,
- * rather than mentioning a successful DANE verication.
- *
- * Note that this function is designed to be run in addition to
- * PKIX - certificate chain - verification. To be run independently
- * the %DANE_VFLAG_ONLY_CHECK_EE_USAGE flag should be specified;
- * then the function will check whether the key of the peer matches the
- * key advertized in the DANE entry.
- *
- * If the @q parameter is provided it will be used for caching entries.
+ * This function does not perform any resolving, it utilizes
+ * cached entries from @r.
 *
 * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
 * negative error value.
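Review bot: The new text for dane_verify_crt_raw() drops the only local statement of how a result must be interpreted, namely that the check is meant to run in addition to PKIX verification unless %DANE_VFLAG_ONLY_CHECK_EE_USAGE is given, and that missing DANE or DNSSEC data shows up as flags in @verify. Generated API docs are usually read per function, so I would keep one sentence of that contract next to the cross-reference, e.g. `* As with dane_verify_crt(), run this in addition to PKIX verification unless %DANE_VFLAG_ONLY_CHECK_EE_USAGE is set, and check the flags in @verify, not only the return value.` The added lines also say the entries come from @r without stating who is responsible for their DNSSEC status now that no resolving happens here; if that is presumably the caller's job, it is worth saying so. The comment block and the function prototype start and end outside the hunk, so the @r parameter name could not be checked against the signature.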
@@ -865,8 +852,6 @@ dane_verify_crt_raw(dane_state_t s,
 * then the function will check whether the key of the peer matches the
 * key advertized in the DANE entry.
 *
- * If the @q parameter is provided it will be used for caching entries.
- *
 * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
 * negative error value.
 *
-- 
cgit v1.2.1