commit 9855d63acbfd11d12c3e7cb3fed03097a3014b61
author Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Fri Jan 29 11:50:56 2016 +0100
committer Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Fri Jan 29 15:02:41 2016 +0100
tree 4342bf35ea74c41aa037a3a3b224f6172ff174e7
parent 47f71d49c40adbceaefa6d4a281b956dd043e425

x509: implement verification of IPs in SAN

include/mbedtls/x509_crt.h

diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index a5c1b8e..f53573c 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -314,7 +314,16 @@
  *                 for ECDSA) apply to all certificates: trusted root,
  *                 intermediate CAs if any, and end entity certificate.
  *
- * \note           TODO: IP addresses in exp_name
+ * \note           If MBEDTLS_X509_SAN_IP_ADDRESS_SUPPORT is enabled, instead
+ *                 of a DNS name, exp_name can also contain the string "IP:"
+ *                 followed by an IP address. This address must be either an
+ *                 IPv4 address in dotted decimal notation, or an IPv6
+ *                 address consisting of exactly 8 groups of 4 hexadecimal
+ *                 digits separated by colons. For example, if the expected
+ *                 IPv6 is fe80::1, then exp_name must be the string
+ *                 "IP:fe80:0000:0000:0000:0000:0000:0000:0001" or its
+ *                 uppercase equivalent. If the expected IPv4 is 127.0.0.1,
+ *                 then exp_name should be "IP:127.0.0.1".
  *
  * \return         0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
  *                 in which case *flags will have one or more