amissl: make AmiSSL v5 a minimum requirement

AmiSSL v5 is the latest version, featuring a port of OpenSSL 3.0. Support for previous OpenSSL 1.1.x versions has been dropped, so makes sense to enforce v5 as the minimum requirement. This also allows all the AmiSSL stub workarounds to be removed as they are now provided in a link library in the AmiSSL SDK. Closes curl#9267
dongc · Aug 8, 2022 · e1acfaf · e1acfaf
1 parent c7b322a
commit e1acfaf
Show file tree

Hide file tree

Showing 7 changed files with 36 additions and 56 deletions.
diff --git a/configure.ac b/configure.ac
@@ -1942,7 +1942,7 @@ if test "x$curl_cv_native_windows" = "xyes" &&
   LIBS="-lbcrypt $LIBS"
 fi
 
-case "x$OPENSSL_ENABLED$GNUTLS_ENABLED$NSS_ENABLED$MBEDTLS_ENABLED$WOLFSSL_ENABLED$SCHANNEL_ENABLED$SECURETRANSPORT_ENABLED$BEARSSL_ENABLED$AMISSL_ENABLED$RUSTLS_ENABLED"
+case "x$OPENSSL_ENABLED$GNUTLS_ENABLED$NSS_ENABLED$MBEDTLS_ENABLED$WOLFSSL_ENABLED$SCHANNEL_ENABLED$SECURETRANSPORT_ENABLED$BEARSSL_ENABLED$RUSTLS_ENABLED"
 in
 x)
   AC_MSG_WARN([SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more.])

diff --git a/lib/amigaos.c b/lib/amigaos.c
@@ -87,38 +87,5 @@ ADD2EXIT(Curl_amiga_cleanup, -50);
 
 #endif /* HAVE_PROTO_BSDSOCKET_H */
 
-#ifdef USE_AMISSL
-void Curl_amiga_X509_free(X509 *a)
-{
-  X509_free(a);
-}
-
-/* AmiSSL replaces many functions with macros. Curl requires pointer
- * to some of these functions. Thus, we have to encapsulate these macros.
- */
-
-#include "warnless.h"
-
-int (SHA256_Init)(SHA256_CTX *c)
-{
-  return SHA256_Init(c);
-};
-
-int (SHA256_Update)(SHA256_CTX *c, const void *data, size_t len)
-{
-  return SHA256_Update(c, data, curlx_uztoui(len));
-};
-
-int (SHA256_Final)(unsigned char *md, SHA256_CTX *c)
-{
-  return SHA256_Final(md, c);
-};
-
-void (X509_INFO_free)(X509_INFO *a)
-{
-  X509_INFO_free(a);
-};
-
-#endif /* USE_AMISSL */
 #endif /* __AMIGA__ */
 
diff --git a/lib/amigaos.h b/lib/amigaos.h
@@ -37,10 +37,5 @@ void Curl_amiga_cleanup();
 
 #endif
 
-#ifdef USE_AMISSL
-#include <openssl/x509v3.h>
-void Curl_amiga_X509_free(X509 *a);
-#endif /* USE_AMISSL */
-
 #endif /* HEADER_CURL_AMIGAOS_H */
 
diff --git a/lib/md4.c b/lib/md4.c
@@ -32,7 +32,8 @@
 
 #ifdef USE_OPENSSL
 #include <openssl/opensslconf.h>
-#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) && \
+   !defined(USE_AMISSL)
 /* OpenSSL 3.0.0 marks the MD4 functions as deprecated */
 #define OPENSSL_NO_MD4
 #endif

diff --git a/lib/md5.c b/lib/md5.c
@@ -41,7 +41,7 @@
 #endif
 #endif /* USE_MBEDTLS */
 
-#if defined(USE_OPENSSL) && !defined(USE_AMISSL)
+#ifdef USE_OPENSSL
   #include <openssl/opensslconf.h>
   #if !defined(OPENSSL_NO_MD5) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     #define USE_OPENSSL_MD5

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
@@ -78,10 +78,6 @@
 #include <openssl/buffer.h>
 #include <openssl/pkcs12.h>
 
-#ifdef USE_AMISSL
-#include "amigaos.h"
-#endif
-
 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_OCSP)
 #include <openssl/ocsp.h>
 #endif
@@ -996,11 +992,7 @@ int cert_stuff(struct Curl_easy *data,
   fail:
       EVP_PKEY_free(pri);
       X509_free(x509);
-#ifdef USE_AMISSL
-      sk_X509_pop_free(ca, Curl_amiga_X509_free);
-#else
       sk_X509_pop_free(ca, X509_free);
-#endif
       if(!cert_done)
         return 0; /* failure! */
       break;

diff --git a/m4/curl-amissl.m4 b/m4/curl-amissl.m4
@@ -23,21 +23,46 @@
 #***************************************************************************
 
 AC_DEFUN([CURL_WITH_AMISSL], [
-AC_MSG_CHECKING([whether to enable Amiga native SSL/TLS (AmiSSL)])
+AC_MSG_CHECKING([whether to enable Amiga native SSL/TLS (AmiSSL v5)])
 if test "$HAVE_PROTO_BSDSOCKET_H" = "1"; then
   if test "x$OPT_AMISSL" != xno; then
     ssl_msg=
-    if test "x$OPT_AMISSL" != "xno"; then
-      AC_MSG_RESULT(yes)
+    AC_COMPILE_IFELSE([
+      AC_LANG_PROGRAM([[
+        #include <libraries/amisslmaster.h>
+        #include <openssl/opensslv.h>
+      ]],[[
+        #if defined(AMISSL_CURRENT_VERSION) && (AMISSL_CURRENT_VERSION >= AMISSL_V303) && \
+            defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) && \
+            defined(PROTO_AMISSL_H)
+        return 0;
+        #else
+        #error not AmiSSL v5 / OpenSSL 3
+        #endif
+      ]])
+    ],[
+      AC_MSG_RESULT([yes])
       ssl_msg="AmiSSL"
       test amissl != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
       AMISSL_ENABLED=1
-      LIBS="-lamisslauto $LIBS"
+      OPENSSL_ENABLED=1
+      # Use AmiSSL's built-in ca bundle
+      check_for_ca_bundle=1
+      with_ca_fallback=yes
+      LIBS="-lamisslstubs -lamisslauto $LIBS"
       AC_DEFINE(USE_AMISSL, 1, [if AmiSSL is in use])
       AC_DEFINE(USE_OPENSSL, 1, [if OpenSSL is in use])
-    else
-      AC_MSG_RESULT(no)
-    fi
+      AC_DEFINE_UNQUOTED(HAVE_OPENSSL3, 1, [Define to 1 if using OpenSSL 3 or later.])
+      AC_CHECK_HEADERS(openssl/x509.h openssl/rsa.h openssl/crypto.h \
+                       openssl/pem.h openssl/ssl.h openssl/err.h)
+      dnl OpenSSLv3 marks the DES functions deprecated but we have no
+      dnl replacements (yet) so tell the compiler to not warn for them
+      dnl
+      dnl Ask OpenSSL to suppress the warnings.
+      CPPFLAGS="$CPPFLAGS -DOPENSSL_SUPPRESS_DEPRECATED"
+    ],[
+      AC_MSG_RESULT([no])
+    ])
     test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
   else
     AC_MSG_RESULT(no)