cyassl: deal with lack of *get_peer_certificate
authorDaniel Stenberg <daniel@haxx.se>
Wed, 16 Dec 2015 09:25:31 +0000 (10:25 +0100)
committerDaniel Stenberg <daniel@haxx.se>
Wed, 16 Dec 2015 09:27:18 +0000 (10:27 +0100)
The function is only present in wolfssl/cyassl if it was built with
--enable-opensslextra. With these checks added, pinning support is disabled
unless the TLS lib has that function available.

Also fix the mistake in configure that checks for the wrong lib name.

Closes #566

configure.ac
lib/vtls/cyassl.c

index 3031f05aef3c580de6643cd4f41b3d62d03efcf0..4fba8171508fb5a5fdd6a96b05f47f301cd3cec3 100644 (file)
@@ -2182,7 +2182,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
     fi
 
     if test "x$USE_CYASSL" = "xyes"; then
-      AC_MSG_NOTICE([detected CyaSSL])
+      AC_MSG_NOTICE([detected $cyassllibname])
 
       dnl cyassl/ctaocrypt/types.h needs SIZEOF_LONG_LONG defined!
       AC_CHECK_SIZEOF(long long)
@@ -2195,9 +2195,14 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
 
       LIBS="-l$cyassllibname -lm $LIBS"
 
-      if test "x$cyassllib" = "xwolfssl"; then
+      if test "x$cyassllibname" = "xwolfssl"; then
         dnl Recent WolfSSL versions build without SSLv3 by default
-        AC_CHECK_FUNCS(wolfSSLv3_client_method)
+        dnl WolfSSL needs configure --enable-opensslextra to have *get_peer*
+        AC_CHECK_FUNCS(wolfSSLv3_client_method \
+                       wolfSSL_get_peer_certificate)
+      else
+        dnl Cyassl needs configure --enable-opensslextra to have *get_peer*
+        AC_CHECK_FUNCS(CyaSSL_get_peer_certificate)
       fi
 
       if test -n "$cyassllib"; then
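Review bot: Neither `AC_CHECK_FUNCS` call in this hunk reports anything when `*get_peer_certificate` is missing, so a build against a wolfSSL/CyaSSL that was configured without --enable-opensslextra loses public key pinning without any notice at configure time. The person building the library only learns of it when a transfer with a pinned key fails. The optional not-found action could be used in the else branch, e.g. `AC_CHECK_FUNCS(CyaSSL_get_peer_certificate, [], [AC_MSG_WARN([$cyassllibname lacks get_peer_certificate: pinned public key support disabled])])`. In the wolfssl branch the check would need splitting from `wolfSSLv3_client_method`, since a shared not-found action would also fire for the SSLv3 function.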
index 20629f45d42ff237ddb88d550d2a722fe1c7f1ed..e762d339fe545926ef0d394955c4016b225aff8b 100644 (file)
@@ -413,6 +413,8 @@ cyassl_connect_step2(struct connectdata *conn,
   }
 
   if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) {
+#if defined(HAVE_WOLFSSL_GET_PEER_CERTIFICATE) ||       \
+  defined(HAVE_CYASSL_GET_PEER_CERTIFICATE)
     X509 *x509;
     const char *x509_der;
     int x509_der_len;
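Review bot: The `#if` added at the top of the pinning branch depends on `HAVE_WOLFSSL_GET_PEER_CERTIFICATE` / `HAVE_CYASSL_GET_PEER_CERTIFICATE`, and the only place this commit defines them is the new configure.ac check. If lib/vtls/cyassl.c is also built through a setup that does not run configure (a hand-maintained config header or another build system, none of which is visible here), neither macro is set and pinning is compiled out even when the library has the function. That fails closed, but it removes a security control from builds that previously had it. A comment above the `#if` would help, e.g. `/* HAVE_*_GET_PEER_CERTIFICATE are set by configure; other build setups must define them to keep pinning */`, along with a check of those config files. The conditional block is closed in the following hunk.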
@@ -449,6 +451,10 @@ cyassl_connect_step2(struct connectdata *conn,
       failf(data, "SSL: public key does not match pinned public key!");
       return result;
     }
+#else
+    failf(data, "Library lacks pinning support built-in");
+    return CURLE_NOT_BUILT_IN;
+#endif
   }
 
   conssl->connecting_state = ssl_connect_3;
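Review bot: The `#else` branch refuses a pinned-key request only inside cyassl_connect_step2, which judging by its name and position runs once the connection attempt is already under way. An application that sets a pin on a build without support therefore still contacts the server before the transfer fails. Returning `CURLE_NOT_BUILT_IN` is the right fail-closed outcome; rejecting the option when it is set would surface the problem earlier, if the option-setting path can know the backend's capability (not visible in this hunk). The message could also name the cause, e.g. `failf(data, "SSL: pinned public key requires wolfSSL/CyaSSL built with --enable-opensslextra");`. The function body continues outside the hunk.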