lws/mbedtls: export Export SSL_CTX_load_verify series interfaces

Support interfaces SSL_CTX_load_verify_file/SSL_CTX_load_verify_dir/SSL_CTX_load_verify_locations to align with openssl-client behavior
Signed-off-by: makejian <makejian@xiaomi.com>

Author: ThePassionate

lib/tls/mbedtls/wrapper/include/internal/ssl_methods.h

@@ -72,12 +72,16 @@
                 new, \
                 free, \
                 load, \
+                load_file, \
+                load_path, \
                 show_info) \
     const X509_METHOD* func_name(void) { \
         static const X509_METHOD func_name##_data LOCAL_ATRR = { \
                 new, \
                 free, \
                 load, \
+                load_file, \
+                load_path, \
                 show_info \
         }; \
         return &func_name##_data; \

lib/tls/mbedtls/wrapper/include/internal/ssl_types.h

@@ -297,6 +297,10 @@ struct x509_method_st {
 
     int (*x509_load)(X509 *x, const unsigned char *buf, int len);
 
+    int (*x509_load_file)(X509 *x, const char *file);
+
+    int (*x509_load_path)(X509 *x, const char *path);
+
     int (*x509_show_info)(X509 *x);
 };
 

lib/tls/mbedtls/wrapper/include/openssl/ssl.h

@@ -1822,6 +1822,44 @@ const char *SSL_get_psk_identity_hint(SSL *ssl);
  */
 const char *SSL_get_psk_identity(SSL *ssl);
 
+/**
+ * @brief Load a file containing CA certificates for verification into the SSL context
+ *
+ * @param ctx    - SSL context pointer
+ * @param CAfile - Path to the file containing CA certificates.
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_load_verify_file(SSL_CTX *ctx, const char *CAfile);
+
+/**
+ * @brief Load a directory containing CA certificates for verification into the SSL context
+ *
+ * @param ctx    - SSL context pointer
+ * @param CApath - Path to the directory containing CA certificates.
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath);
+
+/**
+ * @brief Load CA certificates from file and/or directory for verification
+ *
+ * @param ctx    - SSL context pointer
+ * @param CAfile - Path to the file containing CA certificates.
+ * @param CApath - Path to the directory containing CA certificates.
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
+                                  const char *CApath);
+
 #ifdef __cplusplus
 }
 #endif

lib/tls/mbedtls/wrapper/include/platform/ssl_pm.h

@@ -47,6 +47,8 @@ int x509_pm_show_info(X509 *x);
 int x509_pm_new(X509 *x, X509 *m_x);
 void x509_pm_free(X509 *x);
 int x509_pm_load(X509 *x, const unsigned char *buffer, int len);
+int x509_pm_load_file(X509 *x, const char *path);
+int x509_pm_load_path(X509 *x, const char *path);
 
 int pkey_pm_new(EVP_PKEY *pk, EVP_PKEY *m_pk, void *rngctx);
 void pkey_pm_free(EVP_PKEY *pk);

lib/tls/mbedtls/wrapper/library/ssl_lib.c

@@ -1257,3 +1257,59 @@ void SSL_set_alpn_select_cb(SSL *ssl, void *arg)
 
 	_ssl_set_alpn_list(ssl);
 }
+
+int SSL_CTX_load_verify_file(SSL_CTX *ctx, const char *CAfile)
+{
+	X509 *x;
+	int ret;
+
+	SSL_ASSERT1(ctx);
+	SSL_ASSERT1(CAfile);
+
+	x = X509_new();
+	ret = X509_METHOD_CALL(load_file, x, CAfile);
+	if (ret) {
+		X509_free(x);
+		return 0;
+	}
+
+	SSL_CTX_add_client_CA(ctx, x);
+	return 1;
+}
+
+int SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath)
+{
+	X509 *x;
+	int ret;
+
+	SSL_ASSERT1(ctx);
+	SSL_ASSERT1(CApath);
+
+	x = X509_new();
+	ret = X509_METHOD_CALL(load_path, x, CApath);
+	if (ret) {
+		X509_free(x);
+		return 0;
+	}
+
+	SSL_CTX_add_client_CA(ctx, x);
+	return 1;
+}
+
+int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
+                                  const char *CApath)
+{
+	if (CAfile == NULL && CApath == NULL) {
+		return 0;
+	}
+
+	if (CAfile != NULL && !SSL_CTX_load_verify_file(ctx, CAfile)) {
+		return 0;
+	}
+
+	if (CApath != NULL && !SSL_CTX_load_verify_dir(ctx, CApath)) {
+		return 0;
+	}
+
+	return 1;
+}

lib/tls/mbedtls/wrapper/library/ssl_methods.c

@@ -79,7 +79,8 @@ IMPLEMENT_SSL_METHOD(SSL3_VERSION, -1, TLS_method_func, SSLv3_method);
  */
 IMPLEMENT_X509_METHOD(X509_method,
             x509_pm_new, x509_pm_free,
-            x509_pm_load, x509_pm_show_info);
+            x509_pm_load, x509_pm_load_file,
+            x509_pm_load_path, x509_pm_show_info);
 
 /**
  * @brief get private key object method

lib/tls/mbedtls/wrapper/platform/ssl_pm.c

@@ -722,6 +722,68 @@ int x509_pm_load(X509 *x, const unsigned char *buffer, int len)
     return -1;
 }
 
+int x509_pm_load_file(X509 *x, const char *path)
+{
+    int ret;
+    struct x509_pm *x509_pm = (struct x509_pm *)x->x509_pm;
+
+    if (!x509_pm->x509_crt) {
+        x509_pm->x509_crt = ssl_mem_malloc(sizeof(mbedtls_x509_crt) + 80);
+        if (!x509_pm->x509_crt) {
+            SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (x509_pm->x509_crt)");
+            goto no_mem;
+        }
+        mbedtls_x509_crt_init(x509_pm->x509_crt);
+    }
+
+    ret = mbedtls_x509_crt_parse_file(x509_pm->x509_crt, path);
+    if (ret) {
+        SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL,
+                  "mbedtls_x509_crt_parse_file return -0x%x", -ret);
+        goto failed;
+    }
+
+    return 0;
+
+failed:
+    mbedtls_x509_crt_free(x509_pm->x509_crt);
+    ssl_mem_free(x509_pm->x509_crt);
+    x509_pm->x509_crt = NULL;
+no_mem:
+    return -1;
+}
+
+int x509_pm_load_path(X509 *x, const char *path)
+{
+    int ret;
+    struct x509_pm *x509_pm = (struct x509_pm *)x->x509_pm;
+
+    if (!x509_pm->x509_crt) {
+        x509_pm->x509_crt = ssl_mem_malloc(sizeof(mbedtls_x509_crt) + 80);
+        if (!x509_pm->x509_crt) {
+            SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (x509_pm->x509_crt)");
+            goto no_mem;
+        }
+        mbedtls_x509_crt_init(x509_pm->x509_crt);
+    }
+
+    ret = mbedtls_x509_crt_parse_path(x509_pm->x509_crt, path);
+    if (ret) {
+        SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL,
+                  "mbedtls_x509_crt_parse_path return -0x%x", -ret);
+        goto failed;
+    }
+
+    return 0;
+
+failed:
+    mbedtls_x509_crt_free(x509_pm->x509_crt);
+    ssl_mem_free(x509_pm->x509_crt);
+    x509_pm->x509_crt = NULL;
+no_mem:
+    return -1;
+}
+
 int pkey_pm_new(EVP_PKEY *pk, EVP_PKEY *m_pkey, void *rngctx)
 {
     struct pkey_pm *pkey_pm;