Merge remote-tracking branch 'public/pr/2144' into mbedtls-2.7
diff --git a/ChangeLog b/ChangeLog
index 8eab14b..5f689d6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -15,6 +15,8 @@
* Add explicit integer to enumeration type casts to example program
programs/pkey/gen_key which previously led to compilation failure
on some toolchains. Reported by phoenixmcallister. Fixes #2170.
+ * Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence
+ of check for certificate/key matching. Reported by Attila Molnar, #507.
= mbed TLS 2.7.8 branch released 2018-11-30
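Review bot: the added entry only states that no certificate/key matching check is performed, so a reader who sees just the ChangeLog gets no pointer to the remedy. The ssl.h note in this same change directs users to mbedtls_pk_check_pair(), and naming it here would make the entry actionable on its own. Minor wording point in the same lines: "the absence of check" should read "the absence of a check".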
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index db8b85f..5593a52 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1618,6 +1618,14 @@
* whether it matches those preferences - the server can then
* decide what it wants to do with it.
*
+ * \note The provided \p pk_key needs to match the public key in the
+ * first certificate in \p own_cert, or all handshakes using
+ * that certificate will fail. It is your responsibility
+ * to ensure that; this function will not perform any check.
+ * You may use mbedtls_pk_check_pair() in order to perform
+ * this check yourself, but be aware that this function can
+ * be computationally expensive on some key types.
+ *
* \param conf SSL configuration
* \param own_cert own public certificate chain
* \param pk_key own private key
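Review bot: in the last sentence of the added \note, "this function can be computationally expensive on some key types" is ambiguous. Two lines earlier, "this function will not perform any check" refers to the function being documented, while here it is meant to refer to mbedtls_pk_check_pair(). Suggest naming it explicitly, for example "but be aware that mbedtls_pk_check_pair() can be computationally expensive on some key types", so that nobody reads the cost warning as applying to the function that sets the certificate.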