
[WIP] Fix crash during TLS handshake in http_pool_post#286

Draft
Copilot wants to merge 1 commit into develop from copilot/fix-tls-handshake-crash

Contributor

Copilot AI commented Mar 16, 2026

  • Add get_ca_bundle_path() helper function to source/protocol/http/multicurlinterface.c
  • Set CURLOPT_SSL_VERIFYHOST to 2L in init_connection_pool() loop
  • Set CURLOPT_CAINFO to validated CA bundle path in init_connection_pool() loop
  • Update source/test/protocol/MultiCurlInterfaceTest.cpp: fix pool size env var, remove incorrect pthread_mutex_init/cond_init expectations, add access() mock expectations
  • Update source/test/protocol/ProtocolTest.cpp: add default access() mock expectation to prevent crash in existing protocol tests
  • Verified: all previously-passing test binaries (profile, datamodel, profilexconf, t2markers, reportprofiles, reportgen, t2parser, ccspinterface) still pass
  • Full dcautil test suite run pending (timed out in container)

Original prompt

Problem

A crash occurs during the TLS handshake in http_pool_post() (and potentially http_pool_get()) when curl_easy_perform() triggers OpenSSL's CA certificate loading. The crash stack trace shows:

sa_doall (sparse_array.c:86)
ossl_method_store_do_all (property.c:96)
evp_generic_do_all (evp_fetch.c:676)
EVP_KEYMGMT_do_all_provided (keymgmt_meth.c:290)
ossl_decoder_ctx_setup_for_pkey (decoder_pkey.c:350)
OSSL_DECODER_CTX_new_for_pkey (decoder_pkey.c:454)
x509_pubkey_ex_d2i_ex (x_pubkey.c:208)
... ASN1 decoding chain ...
PEM_X509_INFO_read_bio_ex (pem_info.c:168)
X509_load_cert_crl_file_ex (by_file.c:231)
by_file_ctrl_ex (by_file.c:72)
X509_STORE_load_file_ex (x509_d2.c:52)
ossl_connect_step1 (openssl.c:3566)
... curl connection chain ...
http_pool_post (multicurlinterface.c:949)
sendReportOverHTTP (curlinterface.c:81)
CollectAndReportXconf (profilexconf.c:380)

Root Cause Analysis

  1. No explicit CURLOPT_CAINFO or CURLOPT_CAPATH is set in init_connection_pool() or any request function, so curl uses the system default CA bundle. If the system CA bundle is missing, corrupted, or has malformed entries, OpenSSL crashes during ASN1 parsing in the provider enumeration path (sa_doall).

  2. OpenSSL 3.0.15 thread-safety issues: The system uses lib32-openssl 3.0.15. OpenSSL 3.0.x has known thread-safety issues in ossl_method_store_do_all / sa_doall when multiple threads concurrently enumerate providers during certificate loading. Since the pool supports multiple concurrent handles (up to 5 via T2_CONNECTION_POOL_SIZE), each curl_easy_perform() may trigger X509_STORE_load_file_ex independently.

  3. No CA bundle validation: There is no check to verify the CA certificate file exists and is readable before attempting TLS connections.

Required Changes

In source/protocol/http/multicurlinterface.c:

  1. Add a CURLOPT_CAINFO configuration to explicitly set the CA bundle path during pool initialization (init_connection_pool()), with validation that the file exists and is readable. This avoids relying on the system default which may be in a bad state. Use common RDK CA bundle paths with fallback logic:

    • Primary: /etc/ssl/certs/ca-certificates.crt
    • Fallback: /etc/pki/tls/certs/ca-bundle.crt

  2. Add a helper function get_ca_bundle_path() that:

    • Checks known CA bundle file paths for existence and readability
    • Logs which CA bundle is being used (or warns if none found)
    • Returns the first valid path, or NULL if none found (allowing curl to use its compiled-in default as a last resort)

  3. Set CURLOPT_CAINFO on each pool entry's easy handle during initialization (in the loop at lines 242-324), right after the existing SSL settings at line 280.

  4. Add a CURLOPT_SSL_VERIFYHOST setting set to 2L during pool initialization for proper hostname verification (currently missing - only CURLOPT_SSL_VERIFYPEER is set).

  5. Add detailed error logging when the CA bundle file is not found, to aid debugging on devices where certificate issues cause connection failures.

The changes should be minimal and focused - only adding the CA bundle configuration and validation. Do not change any other behavior of the existing mTLS, cert selector, or connection pool logic.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: sa_doall
/usr/src/debug/lib32-openssl/3.0.15-r1/build/../openssl-3.0.15/crypto/sparse_array.c:86

ossl_method_store_do_all
/usr/src/debug/lib32-openssl/3.0.15-r1/build/../openssl-3.0.15/crypto/property/property.c:96

evp_generic_do_all
/usr/src/debug/lib32-openssl/3.0.15-r1/build/../openssl-3.0.15/crypto/evp/evp_fetch.c:676

EVP_KEYMGMT_do_all_provided
/usr/src/debug/lib32-openssl/3.0.15-r1/build/../openssl-3.0.15/crypto/evp/keymgmt_meth.c:290

ossl_decoder_ctx_setup_for_pkey
/usr/src/debug/lib32-openssl/3.0.15-r1/build/../openssl-3.0.15/crypto/encode_decode/decoder_pkey.c:350

OSSL_DECODER_CTX_new_for_pkey
/usr/src/debug/lib32-openssl/3.0.15-r1/build/../openssl-3.0.15/crypto/encode_decode/decoder_pkey.c:454

x509_pubkey_ex_d2i_ex
/usr/src/debug/lib32-openssl/3.0.15-r1/build/../openssl-3.0.15/crypto/x509/x_pubkey.c:208

asn1_item_embed_d2i
/usr/src/debug/lib32-openssl/3.0.15-r1/build/../openssl-3.0.15/crypto/asn1/tasn_dec.c:262

asn1_template_noexp_d2i
/usr/src/debug/lib32-openssl/3.0.15-r1/build/../openssl-3.0.15/crypto/asn1/tasn_dec.c:682

asn1_item_embed_d2i
/usr/src/debug/lib32-openssl/3.0.15-r1/build/../openssl-3.0.15/crypto/asn1/tasn_dec.c:422

asn1_template_noexp_d2i
/usr/src/debug/lib32-openssl/3.0.15-r1/build/../openssl-3.0.15/crypto/asn1/tasn_dec.c:682

asn1_item_embed_d2i
/usr/src/debug/lib32-openssl/3.0.15-r1/build/../openssl-3.0.15/crypto/asn1/tasn_dec.c:422

asn1_item_ex_d2i_intern
/usr/src/debug/lib32-openssl/3.0.15-r1/build/../openssl-3.0.15/crypto/asn1/tasn_dec.c:118

ASN1_item_d2i_ex
/usr/src/debug/lib32-openssl/3.0.15-r1/build/../openssl...

This pull request was created from Copilot chat.
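
The CA bundle selection described in the comment above, as an added C example that is not code from this pull request: `ca_bundle_usable` and `select_ca_bundle` are hypothetical names, and the regular-file and PEM-header checks go beyond the existence and readability test the description asks for.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Candidate paths named in the PR description, in priority order. */
static const char *const ca_bundle_candidates[] = {
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
};

/* Hypothetical helper: 1 if path is a readable, non-empty regular file
 * holding at least one PEM certificate header, otherwise 0. */
static int ca_bundle_usable(const char *path)
{
    struct stat st;
    char line[256];
    int found = 0;

    if (access(path, R_OK) != 0 || stat(path, &st) != 0 ||
        !S_ISREG(st.st_mode) || st.st_size == 0)
        return 0;
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return 0;
    while (!found && fgets(line, sizeof line, fp) != NULL)
        found = strncmp(line, "-----BEGIN CERTIFICATE-----", 27) == 0;
    fclose(fp);
    return found;
}

/* Returns the first usable candidate, or NULL so the caller leaves
 * CURLOPT_CAINFO unset and libcurl keeps its compiled-in default. */
static const char *select_ca_bundle(const char *const *paths, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (ca_bundle_usable(paths[i])) {
            fprintf(stderr, "CA bundle: using %s\n", paths[i]);
            return paths[i];
        }
        fprintf(stderr, "CA bundle: %s missing or unusable\n", paths[i]);
    }
    fprintf(stderr, "CA bundle: none found, using curl default\n");
    return NULL;
}

int main(void)
{
    return select_ca_bundle(ca_bundle_candidates, 2) != NULL ? 0 : 1;
}
```

A non-NULL result is what would be passed to `curl_easy_setopt(handle, CURLOPT_CAINFO, path)` alongside `CURLOPT_SSL_VERIFYHOST` set to `2L`; on NULL, peer and host verification stay enabled and only `CURLOPT_CAINFO` is left unset. The check is a pre-flight filter only: the file can still change before libcurl reads it, and it does nothing for the concurrent-loading cause listed in the root cause analysis.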

