Hi Mat,
>
> -LIB_EXPORT void l_tls_set_auth_data(struct l_tls *tls, const char *cert_path,
> - const char *priv_key_path,
> - const char *priv_key_passphrase)
> +LIB_EXPORT bool l_tls_set_auth_data(struct l_tls *tls, const char *cert_path,
> + const char *priv_key_path,
> + const char *priv_key_passphrase)
> {
> + uint8_t *priv_key = NULL;
> + bool is_public = true;
> +
Just a quick nitpick. Can you move these into the if (priv_key_path) block?
> if (tls->cert_path) {
> l_free(tls->cert_path);
> - l_free(tls->priv_key_path);
> tls->cert_path = NULL;
> - tls->priv_key_path = NULL;
> }
>
> - if (cert_path) {
> - tls->cert_path = l_strdup(cert_path);
> - tls->priv_key_path = l_strdup(priv_key_path);
> + if (tls->priv_key) {
> + l_key_free(tls->priv_key);
> + tls->priv_key = NULL;
> + tls->priv_key_size = 0;
> }
>
> - if (tls->priv_key_passphrase) {
> - memset(tls->priv_key_passphrase, 0,
> - strlen(tls->priv_key_passphrase));
> - l_free(tls->priv_key_passphrase);
> - tls->priv_key_passphrase = NULL;
> + if (priv_key_path) {
> + priv_key = l_pem_load_private_key(priv_key_path,
> + priv_key_passphrase,
> + &tls->priv_key_size);
> +
> + tls->priv_key = l_key_new(L_KEY_RSA, priv_key,
> + tls->priv_key_size);
> + if (priv_key) {
> + memset(priv_key, 0, tls->priv_key_size);
> + l_free(priv_key);
> + }
> +
> + if (!l_key_get_info(tls->priv_key, L_CIPHER_RSA_PKCS1_V1_5,
> + L_CHECKSUM_NONE, &tls->priv_key_size,
> + &is_public) || is_public) {
> + l_key_free(tls->priv_key);
> + tls->priv_key = NULL;
> + tls->priv_key_size = 0;
> + return false;
> + }
> +
> + tls->priv_key_size /= 8;
> }
>
> - if (priv_key_passphrase)
> - tls->priv_key_passphrase = l_strdup(priv_key_passphrase);
> + if (cert_path)
> + tls->cert_path = l_strdup(cert_path);
> +
> + return true;
> }
>
> LIB_EXPORT const char *l_tls_alert_to_str(enum l_tls_alert_desc desc)
> diff --git a/ell/tls.h b/ell/tls.h
> index a3f3a28..0a7c920 100644
> --- a/ell/tls.h
> +++ b/ell/tls.h
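Review bot: Inside the `if (priv_key_path)` block, a NULL result from `l_pem_load_private_key()` is not checked before `l_key_new(L_KEY_RSA, priv_key, tls->priv_key_size)` is called, so on a missing file or wrong passphrase `l_key_new()` is handed a NULL buffer plus whatever `tls->priv_key_size` currently holds (it is only reset to 0 when a previous key existed), and the function fails cleanly only if both `l_key_new()` and `l_key_get_info()` tolerate a NULL key. Adding `if (!priv_key) return false;` directly after the load makes the failure explicit instead of relying on that. Separately, `memset(priv_key, 0, tls->priv_key_size)` immediately followed by `l_free(priv_key)` is a dead store the compiler is entitled to elide, which can leave the decoded private-key bytes in freed heap memory; `explicit_bzero()` or a volatile-based clearing helper, if ell provides one, is the safer choice there. Note also that the previous certificate path and key are released before the new key is loaded, so a `false` return leaves the `l_tls` with no auth data rather than the old pair — either defer those frees until the load succeeds or state this in the header comment.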
> @@ -97,7 +97,7 @@ void l_tls_set_cacert(struct l_tls *tls, const char *ca_cert_path);
> * one certificate of each type so they can be used depending on which
> * is compatible with the negotiated parameters.
> */
> -void l_tls_set_auth_data(struct l_tls *tls, const char *cert_path,
> +bool l_tls_set_auth_data(struct l_tls *tls, const char *cert_path,
> const char *priv_key_path,
> const char *priv_key_passphrase);
>
Regards, -Denis
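Review bot: The doc comment above `l_tls_set_auth_data` (it begins before this hunk) is not updated for the new `bool` return, so a caller reading the header cannot tell what `false` means or what state the object is left in. From the tls.c side of this patch, `false` is returned when the key could not be loaded or is not a private key, and by that point the previously configured certificate path and key have already been freed, so there is nothing to fall back on. I would add to the comment: ` * Returns true on success. Returns false if the private key could not be loaded or is not a usable private key; any previously configured certificate and key have already been released at that point and no new ones are set.`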