From c55b50034343d733f77441172ddda3cf2a9a9a89 Mon Sep 17 00:00:00 2001
From: Matthias Schulz <mschulz@hilscher.com>
Date: Tue, 7 Nov 2023 16:47:37 +0100
Subject: [PATCH] Changed notes in x509_csr.h to better describe the behavior
 of mbedtls_x509_csr_parse_der and mbedtls_x509_csr_parse_der_with_ext_cb.

Signed-off-by: Matthias Schulz <mschulz@hilscher.com>
---
 include/mbedtls/x509_csr.h | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h
index f3ac57045..dc4f86de4 100644
--- a/include/mbedtls/x509_csr.h
+++ b/include/mbedtls/x509_csr.h
@@ -87,7 +87,9 @@ mbedtls_x509write_csr;
 /**
  * \brief          Load a Certificate Signing Request (CSR) in DER format
  *
- * \note           CSR attributes (if any) are currently silently ignored.
+ * \note           Any unsupported requested extensions are silently
+ *                 ignored, unless the critical flag is set, in which case
+ *                 the CSR is rejected.
  *
  * \note           If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
  *                 subsystem must have been initialized by calling
@@ -140,7 +142,10 @@ typedef int (*mbedtls_x509_csr_ext_cb_t)(void *p_ctx,
 /**
  * \brief          Load a Certificate Signing Request (CSR) in DER format
  *
- * \note           CSR attributes (if any) are currently silently ignored.
+ * \note           Any unsupported requested extensions are silently
+ *                 ignored, unless the critical flag is set, in which case
+ *                 the result of the callback function decides whether
+ *                 CSR is rejected.
  *
  * \note           If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
  *                 subsystem must have been initialized by calling