Improve documentation of cn in x509_crt_verify() Mention explicitly that only DNS names are supported so far, and while at it explain where the name is searched. Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>

commit: f58e5cc4f4d0729a8762e98ebcd17028b6aba059 [log] [tgz]
author: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Fri Jul 24 10:31:37 2020 +0200
committer: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Tue Aug 11 10:24:21 2020 +0200
tree: 7fc4ffce78f21c22b8817003127ea1a978029dfc
parent: f3e4bd8632b71dc491e52e6df87dc3e409d2b869 [diff]
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index ab0d0cd..d24204d 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h

@@ -585,8 +585,11 @@
  * \param crt      The certificate chain to be verified.
  * \param trust_ca The list of trusted CAs.
  * \param ca_crl   The list of CRLs for trusted CAs.
- * \param cn       The expected Common Name. This may be \c NULL if the
- *                 CN need not be verified.
+ * \param cn       The expected Common Name. This will be checked to be
+ *                 present in the certificate's subjectAltNames extension or,
+ *                 if this extension is absent, as a CN component in its
+ *                 Subject name. Currently only DNS names are supported. This
+ *                 may be \c NULL if the CN need not be verified.
  * \param flags    The address at which to store the result of the verification.
  *                 If the verification couldn't be completed, the flag value is
  *                 set to (uint32_t) -1.
commit	f58e5cc4f4d0729a8762e98ebcd17028b6aba059	[log] [tgz]
author	Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>	Fri Jul 24 10:31:37 2020 +0200
committer	Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>	Tue Aug 11 10:24:21 2020 +0200
tree	7fc4ffce78f21c22b8817003127ea1a978029dfc
parent	f3e4bd8632b71dc491e52e6df87dc3e409d2b869 [diff]