Clarify documentation of ssl_set_own_cert()

fixes #507
2024-11-22 18:05:40 +01:00 · 2018-10-25 13:24:21 +02:00 · 2018-10-25 13:24:21 +02:00 · d8e3a1ef66
commit d8e3a1ef66
parent c774e32939
2 changed files with 10 additions and 0 deletions
--- a/2
+++ b/2
@ -7,6 +7,8 @@ Bugfix
     invalidated keys of a lifetime of less than a 1s. Fixes #1968.
   * Fix failure in hmac_drbg in the benchmark sample application, when
     MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095
+   * Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence
+     of check for certificate/key matching. Reported by Attila Molnar, #507.

 Changes
   * Add tests for session resumption in DTLS.
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -2043,6 +2043,14 @@ void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
 *                 whether it matches those preferences - the server can then
 *                 decide what it wants to do with it.
 *
+ * \note           The provided \p pk_key needs to match the public key in the
+ *                 first certificate in \p own_cert, or all handshakes using
+ *                 that certificate will fail. It is your responsibility
+ *                 to ensure that; this function will not perform any check.
+ *                 You may use mbedtls_pk_check_pair() in order to perform
+ *                 this check yourself, but be aware that this function can
+ *                 be computationally expensive on some key types.
+ *
 * \param conf     SSL configuration
 * \param own_cert own public certificate chain
 * \param pk_key   own private key