s = ldns_dane_match_cert_with_data(cert,
selector, matching_type, data);
- return ldns_dane_pkix_validate(cert, extra_certs,
- pkix_validation_store);
+ if (s == LDNS_STATUS_OK) {
+ return ldns_dane_pkix_validate(cert, extra_certs,
+ pkix_validation_store);
+ }
+ return s;
break;
case LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION:
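Review bot: The `break;` that follows `return s;` in this case can no longer be reached and should be dropped. The branch also deserves a comment saying why both checks are required, e.g. `/* TLSA data must match the certificate AND the chain must pass PKIX validation; a successful PKIX result must never mask a mismatch. */`. Before this change the value of `s` was discarded, so a regression test that expects a failure status for a PKIX-valid certificate with non-matching TLSA data would keep the bug from reappearing. The case label this branch belongs to and the rest of the switch lie outside the hunk, so it is worth confirming that no sibling case has the same discard-then-validate shape.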
static int
read_line(FILE *input, char *line, size_t len)
{
- size_t i;
+ int i;
char c;
for (i = 0; i < len-1; i++) {
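Review bot: Declaring `i` as `int` turns the loop condition `i < len-1` into a signed/unsigned comparison against a `size_t`, and `i++` can overflow (undefined behaviour) if a caller ever passes a `len` above `INT_MAX`. Keeping `size_t i;` and converting once where the count is returned avoids both; the `int` return type is presumably what motivated the change. Independently of the type, `len-1` wraps to `SIZE_MAX` when `len` is 0, so the bound on writes into `line` disappears; a guard such as `if (len == 0) return -1;` (or whatever failure value the callers expect) before the loop closes that. If `c` is later assigned from `fgetc()` or `getc()`, it should be `int c;` so that `EOF` can be told apart from a valid byte; the loop body is outside the hunk, so this needs confirming.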
.IP -6
TLS connect IPv6 only
.IP "-a \fIaddress\fR"
-Don't try to resolve \fIname\fR, but connect to \fIaddress\fR in stead.
+Don't try to resolve \fIname\fR, but connect to \fIaddress\fR instead.
This option may be given more than once.
.IP -b
-print "\fIname\fR\. TYPE52 \\# \fIsize\fR \fIhexdata\fR" form in stead
+print "\fIname\fR\. TYPE52 \\# \fIsize\fR \fIhexdata\fR" form instead
of TLSA presentation format.
.IP "-c \fIcertfile\fR"
Do not TLS connect to \fIname\fR:\fIport\fR, but authenticate (or make
-TLSA records) for the certificate (chain) in \fIcertfile\fR in stead.
+TLSA records) for the certificate (chain) in \fIcertfile\fR instead.
.IP -d
Assume DNSSEC validity even when the TLSA records were acquired insecure
or were bogus.
\fItransport\fR are used. Otherwise the owner name of the TLSA record(s)
will be used to determine \fIname\fR, \fIport\fR and \fItransport\fR.
.IP -u
-Use UDP transport in stead of TCP.
+Use UDP transport instead of TCP.
.IP -v
Show version and exit.
* "CA constraint" or "Service Certificate Constraint" to
* validate the certificate and, in case of "CA constraint",
* select the CA.
- * When NULL, validation is explicitely turned off and the
- * behaviour is then the same as for "Trust anchor assertion"
- * and "Domain issued certificate" respectively.
+ * When pkix_validation_store is NULL, validation is explicitely
+ * turned off and the behaviour is then the same as for "Trust
+ * anchor assertion" and "Domain issued certificate" respectively.
* \param[in] cert_usage Which certificate to use and how to validate.
* \param[in] index Used to select the trust anchor when certificate usage
* is "Trust Anchor Assertion". 0 is the last certificate in the
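Review bot: The rewritten sentence still carries the misspelling `explicitely`; since these lines are being touched anyway, use `explicitly`. Passing NULL silently drops the PKIX requirement of the "CA constraint" and "Service Certificate Constraint" usages, so the comment would also benefit from a caller-facing caveat, e.g. `Only pass NULL when PKIX validation is deliberately not wanted.` The start of the doc comment and the declaration it documents are outside the hunk.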