mbedtls: change cert load semantics to append

Adapt the wrapper for SSL_CTX_add_client_CA_ASN1 to reuse
any existing x.509 chain and just add to it.  Previously it
was replacing it.

lib/tls/mbedtls/wrapper/library/ssl_x509.c

@@ -174,20 +174,14 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
 int SSL_CTX_add_client_CA_ASN1(SSL_CTX *ctx, int len,
                 const unsigned char *d)
 {
-	X509 *x;
+	SSL_ASSERT1(ctx);
 
-	x = d2i_X509(NULL, d, len);
-	if (!x) {
+	if (!d2i_X509(&ctx->client_CA, d, len)) {
 		SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_X509() return NULL");
 		return 0;
 	}
-    SSL_ASSERT1(ctx);
 
-    X509_free(ctx->client_CA);
-
-    ctx->client_CA = x;
-
-    return 1;
+	return 1;
 }
 
 /**

lib/tls/mbedtls/wrapper/platform/ssl_pm.c

@@ -641,18 +641,15 @@ int x509_pm_load(X509 *x, const unsigned char *buffer, int len)
     unsigned char *load_buf;
     struct x509_pm *x509_pm = (struct x509_pm *)x->x509_pm;
 
-	if (x509_pm->x509_crt)
-        mbedtls_x509_crt_free(x509_pm->x509_crt);
-
     if (!x509_pm->x509_crt) {
         x509_pm->x509_crt = ssl_mem_malloc(sizeof(mbedtls_x509_crt));
         if (!x509_pm->x509_crt) {
             SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (x509_pm->x509_crt)");
             goto no_mem;
         }
+        mbedtls_x509_crt_init(x509_pm->x509_crt);
     }
 
-    mbedtls_x509_crt_init(x509_pm->x509_crt);
     if (buffer[0] != 0x30) {
 	    load_buf = ssl_mem_malloc((unsigned int)len + 1);
 	    if (!load_buf) {
@@ -665,11 +662,8 @@ int x509_pm_load(X509 *x, const unsigned char *buffer, int len)
 
 	    ret = mbedtls_x509_crt_parse(x509_pm->x509_crt, load_buf, (unsigned int)len + 1);
 	    ssl_mem_free(load_buf);
-    } else {
-	    // printf("parsing as der\n");
-
+    } else
 	    ret = mbedtls_x509_crt_parse_der(x509_pm->x509_crt, buffer, (unsigned int)len);
-    }
 
     if (ret) {
         printf("mbedtls_x509_crt_parse return -0x%x", -ret);