SSL async callback: cert is not always from mbedtls_ssl_conf_own_cert

The certificate passed to async callbacks may not be the one set by mbedtls_ssl_conf_own_cert. For example, when using an SNI callback, it's whatever the callback is using. Document this, and add a test case (and code sample) with SNI.
2018-04-30 10:30:49 +02:00 · 2018-04-30 10:30:49 +02:00 · 807d74a062
commit 807d74a062
parent 0b53e24c6b
3 changed files with 46 additions and 7 deletions
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -601,9 +601,12 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
 * \param ssl             The SSL connection instance. It should not be
 *                        modified other than via mbedtls_ssl_async_set_data().
 * \param cert            Certificate containing the public key.
- *                        This is one of the pointers passed to
+ *                        In simple cases, this is one of the pointers passed to
 *                        mbedtls_ssl_conf_own_cert() when configuring the SSL
- *                        connection.
+ *                        connection. However, if other callbacks are used, this
+ *                        property may not hold. For example, if an SNI callback
+ *                        is registered with mbedtls_ssl_conf_sni(), then
+ *                        this callback determines what certificate is used.
 * \param md_alg          Hash algorithm.
 * \param hash            Buffer containing the hash. This buffer is
 *                        no longer valid when the function returns.
@ -665,9 +668,12 @@ typedef int mbedtls_ssl_async_sign_t( mbedtls_ssl_context *ssl,
 * \param ssl             The SSL connection instance. It should not be
 *                        modified other than via mbedtls_ssl_async_set_data().
 * \param cert            Certificate containing the public key.
- *                        This is one of the pointers passed to
+ *                        In simple cases, this is one of the pointers passed to
 *                        mbedtls_ssl_conf_own_cert() when configuring the SSL
- *                        connection.
+ *                        connection. However, if other callbacks are used, this
+ *                        property may not hold. For example, if an SNI callback
+ *                        is registered with mbedtls_ssl_conf_sni(), then
+ *                        this callback determines what certificate is used.
 * \param input           Buffer containing the input ciphertext. This buffer
 *                        is no longer valid when the function returns.
 * \param input_len       Size of the \p input buffer in bytes.