From: Willem Toorop
Date: Mon, 8 Oct 2012 14:33:22 +0000 (+0000)
Subject: Part of code review from Wouter part 2
X-Git-Tag: release-1.6.14rc1~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f8c6879375338c3a7d1bf33d77e4785adbc0f800;p=thirdparty%2Fldns.git
Part of code review from Wouter part 2
---
diff --git a/dane.c b/dane.c
index 3179793d..793005dd 100644
--- a/dane.c
+++ b/dane.c
@@ -658,8 +658,11 @@ ldns_dane_verify_rr(const ldns_rr* tlsa_rr, s = ldns_dane_match_cert_with_data(cert, selector, matching_type, data);
- return ldns_dane_pkix_validate(cert, extra_certs,
- pkix_validation_store);
+ if (s == LDNS_STATUS_OK) {
+ return ldns_dane_pkix_validate(cert, extra_certs,
+ pkix_validation_store);
+ }
+ return s;
 break; case LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION:
diff --git a/drill/drill_util.c b/drill/drill_util.c
index 826870b3..d24d5d96 100644
--- a/drill/drill_util.c
+++ b/drill/drill_util.c
@@ -16,7 +16,7 @@ static int read_line(FILE *input, char *line, size_t len) {
- size_t i;
+ int i;
 char c; for (i = 0; i < len-1; i++) {
diff --git a/examples/ldns-dane.1 b/examples/ldns-dane.1
index c488ddad..52472302 100644
--- a/examples/ldns-dane.1
+++ b/examples/ldns-dane.1
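Review bot: The new guard in the dane.c hunk has no comment saying why both checks must pass, and the `break;` after `return s;` is now unreachable because both paths return. The removed lines discarded the result of ldns_dane_match_cert_with_data(), so a certificate that did not match the TLSA data was judged on PKIX validation alone. A comment above the `if`, such as `/* PKIX validation only counts when the certificate also matches the TLSA data */`, would keep a later refactor from merging the two checks again. The switch continues outside the hunk, so the other usage arms should be checked for the same pattern.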
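Review bot: In the drill_util.c hunk, `i` is now an `int` while `len` is still a `size_t`, so the loop test `i < len-1` compares signed with unsigned. In addition, `len-1` wraps to a very large value when `len` is 0, so the bound does not limit the loop for an empty buffer; this was already the case before the change. Writing the test as `for (i = 0; len > 0 && (size_t)i < len-1; i++) {` keeps the comparison in one type and covers the zero-length case. If the loop stores into `line`, as the signature suggests, this bound is what keeps the write inside the buffer; the body continues outside the hunk, so confirm there. The visible `char c;` should also be checked against how the character is read, since a comparison with EOF needs an `int`.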
@@ -85,15 +85,15 @@ TLS connect IPv4 only .IP -6 TLS connect IPv6 only .IP "-a \fIaddress\fR"
-Don't try to resolve \fIname\fR, but connect to \fIaddress\fR in stead.
+Don't try to resolve \fIname\fR, but connect to \fIaddress\fR instead.
 This option may be given more than once. .IP -b
-print "\fIname\fR\. TYPE52 \\# \fIsize\fR \fIhexdata\fR" form in stead
+print "\fIname\fR\. TYPE52 \\# \fIsize\fR \fIhexdata\fR" form instead
 of TLSA presentation format. .IP "-c \fIcertfile\fR" Do not TLS connect to \fIname\fR:\fIport\fR, but authenticate (or make
-TLSA records) for the certificate (chain) in \fIcertfile\fR in stead.
+TLSA records) for the certificate (chain) in \fIcertfile\fR instead.
 .IP -d Assume DNSSEC validity even when the TLSA records were acquired insecure or were bogus.
@@ -136,7 +136,7 @@ are also given, only TLSA records that match the \fIname\fR, \fIport\fR and \fItransport\fR are used. Otherwise the owner name of the TLSA record(s) will be used to determine \fIname\fR, \fIport\fR and \fItransport\fR. .IP -u
-Use UDP transport in stead of TCP.
+Use UDP transport instead of TCP.
 .IP -v Show version and exit.
diff --git a/ldns/dane.h b/ldns/dane.h
index c530f70c..32f8c693 100644
--- a/ldns/dane.h
+++ b/ldns/dane.h
@@ -145,9 +145,9 @@ ldns_status ldns_dane_cert2rdf(ldns_rdf** rdf, X509* cert, * "CA constraint" or "Service Certificate Constraint" to * validate the certificate and, in case of "CA constraint", * select the CA.
- * When NULL, validation is explicitely turned off and the
- * behaviour is then the same as for "Trust anchor assertion"
- * and "Domain issued certificate" respectively.
+ * When pkix_validation_store is NULL, validation is explicitely
+ * turned off and the behaviour is then the same as for "Trust
+ * anchor assertion" and "Domain issued certificate" respectively.
 * \param[in] cert_usage Which certificate to use and how to validate. * \param[in] index Used to select the trust anchor when certificate usage * is "Trust Anchor Assertion". 0 is the last certificate in the
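Review bot: The reworded sentence still carries the misspelling "explicitely"; the first added line should read `* When pkix_validation_store is NULL, validation is explicitly`. According to this text, a NULL store makes the "CA constraint" and "Service Certificate Constraint" usages behave like "Trust anchor assertion" and "Domain issued certificate". The comment could therefore state outright that no PKIX validation is performed in that case, so that a caller does not pass NULL by accident. The declaration this comment documents lies outside the hunk.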