From 803183f5fe62b27c54eefec101c0994fcd17557b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Wed, 27 Jan 2016 15:16:16 +0100
Subject: [PATCH] Improve error string about X.509 name mismatch

The name is actually check against either SAN or CN, so mentioning only one in the error string might wrongfully suggest the other was ignored. OTOH, keep the same error code for both, as the distinction between both types is a rather low-level detail (and anyway changing the error code returned in some cases would be an API change so is not an option at this point).
---
 include/mbedtls/x509.h | 2 +-
 library/x509_crt.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index 54dac166b..2d99d18e6 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -85,7 +85,7 @@
 /* Reminder: update x509_crt_verify_strings[] in library/x509_crt.c */
 #define MBEDTLS_X509_BADCERT_EXPIRED 0x01 /**< The certificate validity has expired. */
 #define MBEDTLS_X509_BADCERT_REVOKED 0x02 /**< The certificate has been revoked (is on a CRL). */
-#define MBEDTLS_X509_BADCERT_CN_MISMATCH 0x04 /**< The certificate Common Name (CN) does not match with the expected CN. */
+#define MBEDTLS_X509_BADCERT_CN_MISMATCH 0x04 /**< The certificate Common Name (CN) or subjectAltName (SAN) does not match with the expected name. */
 #define MBEDTLS_X509_BADCERT_NOT_TRUSTED 0x08 /**< The certificate is not correctly signed by the trusted CA. */
 #define MBEDTLS_X509_BADCRL_NOT_TRUSTED 0x10 /**< The CRL is not correctly signed by the trusted CA. */
 #define MBEDTLS_X509_BADCRL_EXPIRED 0x20 /**< The CRL is expired. */
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 6dc5ad34f..9573438b0 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
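Review bot: The identifier on the changed line, MBEDTLS_X509_BADCERT_CN_MISMATCH, still names only the CN while its Doxygen comment now covers subjectAltName too, and nothing in the header tells a reader that both cases are deliberately reported under one flag. Since the description rules out a new code for API reasons, that rationale belongs next to the definition; I would append to the comment `Kept as a single flag for API compatibility: it is also set when a SAN entry does not match.` The same wording is used for the x509_crt_verify_strings[] entry in library/x509_crt.c (second hunk), where "CN or SAN" leaves a user who sees the message unsure which name was actually compared. If the verifier consults the SAN first and falls back to the CN only when no SAN is present, stating that order in the header comment would make the failure easier to diagnose; I cannot confirm the lookup order from these hunks.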
@@ -1470,7 +1470,7 @@ struct x509_crt_verify_string {
 static const struct x509_crt_verify_string x509_crt_verify_strings[] = {
 { MBEDTLS_X509_BADCERT_EXPIRED, "The certificate validity has expired" },
 { MBEDTLS_X509_BADCERT_REVOKED, "The certificate has been revoked (is on a CRL)" },
-{ MBEDTLS_X509_BADCERT_CN_MISMATCH, "The certificate Common Name (CN) does not match with the expected CN" },
+{ MBEDTLS_X509_BADCERT_CN_MISMATCH, "The certificate Common Name (CN) or subjectAltName (SAN) does not match with the expected name" },
 { MBEDTLS_X509_BADCERT_NOT_TRUSTED, "The certificate is not correctly signed by the trusted CA" },
 { MBEDTLS_X509_BADCRL_NOT_TRUSTED, "The CRL is not correctly signed by the trusted CA" },
 { MBEDTLS_X509_BADCRL_EXPIRED, "The CRL is expired" },