SSL async callback: cert is not always from mbedtls_ssl_conf_own_cert
The certificate passed to async callbacks may not be the one set by
mbedtls_ssl_conf_own_cert. For example, when using an SNI callback,
it's whatever the callback is using. Document this, and add a test
case (and code sample) with SNI.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 097b86a..b199e2e 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -601,9 +601,12 @@
* \param ssl The SSL connection instance. It should not be
* modified other than via mbedtls_ssl_async_set_data().
* \param cert Certificate containing the public key.
- * This is one of the pointers passed to
+ * In simple cases, this is one of the pointers passed to
* mbedtls_ssl_conf_own_cert() when configuring the SSL
- * connection.
+ * connection. However, if other callbacks are used, this
+ * property may not hold. For example, if an SNI callback
+ * is registered with mbedtls_ssl_conf_sni(), then
+ * this callback determines what certificate is used.
* \param md_alg Hash algorithm.
* \param hash Buffer containing the hash. This buffer is
* no longer valid when the function returns.
@@ -665,9 +668,12 @@
* \param ssl The SSL connection instance. It should not be
* modified other than via mbedtls_ssl_async_set_data().
* \param cert Certificate containing the public key.
- * This is one of the pointers passed to
+ * In simple cases, this is one of the pointers passed to
* mbedtls_ssl_conf_own_cert() when configuring the SSL
- * connection.
+ * connection. However, if other callbacks are used, this
+ * property may not hold. For example, if an SNI callback
+ * is registered with mbedtls_ssl_conf_sni(), then
+ * this callback determines what certificate is used.
* \param input Buffer containing the input ciphertext. This buffer
* is no longer valid when the function returns.
* \param input_len Size of the \p input buffer in bytes.