lws/mbedtls-client: Support loading default ca

[ThePassionate]

We used libwebsockets and found that mbedtls-client did not support loading the default certificate path. After careful observation, we found that openssl-client had a related implementation, so we made the following efforts to align the implementation between openssl-client and mbedtls-client.

1. export openssl interfaces SSL_CTX_load_verify_file/SSL_CTX_load_verify_dir/SSL_CTX_load_verify_locations with mbedtls implementation
2. aligned with openssl-client operations to support load default cert path

[lws-team]

Thanks, it's pushed on main and v4.4-stable.

[lws-team]

This blew chunks in CI starting with

In file included from /home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_methods.c:17:
/home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_methods.c: In function ‘X509_method’:
/home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_methods.c:82:27: error: initialization of ‘int (*)(X509 *)’ {aka ‘int (*)(struct x509_st *)’} from incompatible pointer type ‘int (*)(X509 *, const char *)’ {aka ‘int (*)(struct x509_st *, const char *)’} [-Wincompatible-pointer-types]
   82 |             x509_pm_load, x509_pm_load_file,

This is against mbedtls-3.6.4

[ThePassionate]

This blew chunks in CI starting with

In file included from /home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_methods.c:17:
/home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_methods.c: In function ‘X509_method’:
/home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_methods.c:82:27: error: initialization of ‘int (*)(X509 *)’ {aka ‘int (*)(struct x509_st *)’} from incompatible pointer type ‘int (*)(X509 *, const char *)’ {aka ‘int (*)(struct x509_st *, const char *)’} [-Wincompatible-pointer-types]
   82 |             x509_pm_load, x509_pm_load_file,

This is against mbedtls-3.6.4

how can i run CI?

[lws-team]

You can see the results here

https://libwebsockets.org/sai/index.html?task=3a323ad55c8187ef599f4c2b89cd48e4ae50e412233b543ac8fd9905e226a0d3

The first part of that has more info on what it's building and how

[ThePassionate]

You can see the results here

https://libwebsockets.org/sai/index.html?task=3a323ad55c8187ef599f4c2b89cd48e4ae50e412233b543ac8fd9905e226a0d3

The first part of that has more info on what it's building and how

ok, let me check

[ThePassionate]

@lws-team sorry i couldn‘t know how to run ci in local, but i find i miss a change in x509_method_st, which could invoke chunks in CI. I am so sorry about that, could you add this patch and run ci again?
#3434?

[ThePassionate]

@lws-team or any other mistake in ci ?

[lws-team]

I can't event build it locally on rocky 10 with rocky's mbedtls 3.6.4

It seems wrong level of indirection (this is with your extra patch)

/home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/platform/ssl_pm.c: In function ‘x509_pm_load_file’:
/home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/platform/ssl_pm.c:730:27: error: passing argument 1 of ‘mbedtls_x509_crt_free’ from incompatible pointer type [-Wincompatible-pointer-types]
  730 |     mbedtls_x509_crt_free(&x509_pm->x509_crt);
      |                           ^~~~~~~~~~~~~~~~~~
      |                           |
      |                           mbedtls_x509_crt **
In file included from /usr/include/mbedtls/ssl.h:35,
                 from /home/agreen/projects/libwebsockets/include/libwebsockets.h:310,
                 from /home/agreen/projects/libwebsockets/lib/core/./private-lib-core.h:150,
                 from /home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/platform/ssl_pm.c:15:
/usr/include/mbedtls/x509_crt.h:899:46: note: expected ‘mbedtls_x509_crt *’ but argument is of type ‘mbedtls_x509_crt **’
  899 | void mbedtls_x509_crt_free(mbedtls_x509_crt *crt);

[ThePassionate]

I can't event build it locally on rocky 10 with rocky's mbedtls 3.6.4

It seems wrong level of indirection (this is with your extra patch)

/home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/platform/ssl_pm.c: In function ‘x509_pm_load_file’:
/home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/platform/ssl_pm.c:730:27: error: passing argument 1 of ‘mbedtls_x509_crt_free’ from incompatible pointer type [-Wincompatible-pointer-types]
  730 |     mbedtls_x509_crt_free(&x509_pm->x509_crt);
      |                           ^~~~~~~~~~~~~~~~~~
      |                           |
      |                           mbedtls_x509_crt **
In file included from /usr/include/mbedtls/ssl.h:35,
                 from /home/agreen/projects/libwebsockets/include/libwebsockets.h:310,
                 from /home/agreen/projects/libwebsockets/lib/core/./private-lib-core.h:150,
                 from /home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/platform/ssl_pm.c:15:
/usr/include/mbedtls/x509_crt.h:899:46: note: expected ‘mbedtls_x509_crt *’ but argument is of type ‘mbedtls_x509_crt **’
  899 | void mbedtls_x509_crt_free(mbedtls_x509_crt *crt);

I get it. I optimized the x509 structure before, did not use pointer types because I thought that too much dynamic memory was not in line with the advantages of mbedtls. I will fix my patch to rebase community's implementation.

[ThePassionate]

@lws-team I have pushed #3434 again