amissl: make AmiSSL v5 a minimum requirement
authorFutaura <oliver@futaura.co.uk>
Sun, 7 Aug 2022 14:03:32 +0000 (15:03 +0100)
committerDaniel Stenberg <daniel@haxx.se>
Mon, 8 Aug 2022 07:16:01 +0000 (09:16 +0200)
AmiSSL v5 is the latest version, featuring a port of OpenSSL 3.0.
Support for previous OpenSSL 1.1.x versions has been dropped, so it
makes sense to enforce v5 as the minimum requirement. This also
allows all the AmiSSL stub workarounds to be removed as they are
now provided in a link library in the AmiSSL SDK.

Closes #9267

configure.ac
lib/amigaos.c
lib/amigaos.h
lib/md4.c
lib/md5.c
lib/vtls/openssl.c
m4/curl-amissl.m4

index 5559409427a15e3ea4eb998586ef5e6dc5b8d70e..6f19a5f4c46cbb86c8301170161e720118b059fb 100644 (file)
@@ -1942,7 +1942,7 @@ if test "x$curl_cv_native_windows" = "xyes" &&
   LIBS="-lbcrypt $LIBS"
 fi
 
-case "x$OPENSSL_ENABLED$GNUTLS_ENABLED$NSS_ENABLED$MBEDTLS_ENABLED$WOLFSSL_ENABLED$SCHANNEL_ENABLED$SECURETRANSPORT_ENABLED$BEARSSL_ENABLED$AMISSL_ENABLED$RUSTLS_ENABLED"
+case "x$OPENSSL_ENABLED$GNUTLS_ENABLED$NSS_ENABLED$MBEDTLS_ENABLED$WOLFSSL_ENABLED$SCHANNEL_ENABLED$SECURETRANSPORT_ENABLED$BEARSSL_ENABLED$RUSTLS_ENABLED"
 in
 x)
   AC_MSG_WARN([SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more.])
index 6c144095f848c3201b03529722f32ef6f0619880..d76f5b03fd0994502abfd56d99fa698c851f6572 100644 (file)
@@ -87,38 +87,5 @@ ADD2EXIT(Curl_amiga_cleanup, -50);
 
 #endif /* HAVE_PROTO_BSDSOCKET_H */
 
-#ifdef USE_AMISSL
-void Curl_amiga_X509_free(X509 *a)
-{
-  X509_free(a);
-}
-
-/* AmiSSL replaces many functions with macros. Curl requires pointer
- * to some of these functions. Thus, we have to encapsulate these macros.
- */
-
-#include "warnless.h"
-
-int (SHA256_Init)(SHA256_CTX *c)
-{
-  return SHA256_Init(c);
-};
-
-int (SHA256_Update)(SHA256_CTX *c, const void *data, size_t len)
-{
-  return SHA256_Update(c, data, curlx_uztoui(len));
-};
-
-int (SHA256_Final)(unsigned char *md, SHA256_CTX *c)
-{
-  return SHA256_Final(md, c);
-};
-
-void (X509_INFO_free)(X509_INFO *a)
-{
-  X509_INFO_free(a);
-};
-
-#endif /* USE_AMISSL */
 #endif /* __AMIGA__ */
 
index 8757aa8e73d4c4a25597c6baada69a8b9ebbfa28..5255194dc7454ddccd461bc578d254c0b63e83a4 100644 (file)
@@ -37,10 +37,5 @@ void Curl_amiga_cleanup();
 
 #endif
 
-#ifdef USE_AMISSL
-#include <openssl/x509v3.h>
-void Curl_amiga_X509_free(X509 *a);
-#endif /* USE_AMISSL */
-
 #endif /* HEADER_CURL_AMIGAOS_H */
 
index 63bade00df26ac6f61133fcced2fc31abb6a0f92..e976fe7bdc07b69374ff08b4d9c52da3e27bdcb2 100644 (file)
--- a/lib/md4.c
+++ b/lib/md4.c
@@ -32,7 +32,8 @@
 
 #ifdef USE_OPENSSL
 #include <openssl/opensslconf.h>
-#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) && \
+   !defined(USE_AMISSL)
 /* OpenSSL 3.0.0 marks the MD4 functions as deprecated */
 #define OPENSSL_NO_MD4
 #endif
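Review bot: The new `!defined(USE_AMISSL)` exemption on the `OPENSSL_NO_MD4` guard is unexplained, and the comment under it still reads as if it covers every OpenSSL 3 build. With the exemption, AmiSSL builds presumably keep using OpenSSL's deprecated MD4 functions and rely on the `-DOPENSSL_SUPPRESS_DEPRECATED` that m4/curl-amissl.m4 adds in this same commit. A comment such as `/* AmiSSL v5 is OpenSSL 3 based but still uses the deprecated MD4 API; warnings are silenced via OPENSSL_SUPPRESS_DEPRECATED in curl-amissl.m4 */` would record that dependency for whoever touches either file next. The `#ifdef USE_OPENSSL` block continues outside the hunk.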
index 2164e15ff25cae93262f8cddbc49af2cd723f537..5be639929d7081b6c6a8657e3b7e90ff4c8b8270 100644 (file)
--- a/lib/md5.c
+++ b/lib/md5.c
@@ -41,7 +41,7 @@
 #endif
 #endif /* USE_MBEDTLS */
 
-#if defined(USE_OPENSSL) && !defined(USE_AMISSL)
+#ifdef USE_OPENSSL
   #include <openssl/opensslconf.h>
   #if !defined(OPENSSL_NO_MD5) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     #define USE_OPENSSL_MD5
index 25e065d6cbceb3b1a3bf799ce731d8dfdb234f6c..5a7a6124078d122c1dd063ce3d722b2a7f962dd3 100644 (file)
 #include <openssl/buffer.h>
 #include <openssl/pkcs12.h>
 
-#ifdef USE_AMISSL
-#include "amigaos.h"
-#endif
-
 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_OCSP)
 #include <openssl/ocsp.h>
 #endif
@@ -996,11 +992,7 @@ int cert_stuff(struct Curl_easy *data,
   fail:
       EVP_PKEY_free(pri);
       X509_free(x509);
-#ifdef USE_AMISSL
-      sk_X509_pop_free(ca, Curl_amiga_X509_free);
-#else
       sk_X509_pop_free(ca, X509_free);
-#endif
       if(!cert_done)
         return 0; /* failure! */
       break;
index df07bdb295da51f309b5265d1f8c13b39dba73d7..dfa626da930eeb6a4079599714210031a4cb18bb 100644 (file)
 #***************************************************************************
 
 AC_DEFUN([CURL_WITH_AMISSL], [
-AC_MSG_CHECKING([whether to enable Amiga native SSL/TLS (AmiSSL)])
+AC_MSG_CHECKING([whether to enable Amiga native SSL/TLS (AmiSSL v5)])
 if test "$HAVE_PROTO_BSDSOCKET_H" = "1"; then
   if test "x$OPT_AMISSL" != xno; then
     ssl_msg=
-    if test "x$OPT_AMISSL" != "xno"; then
-      AC_MSG_RESULT(yes)
+    AC_COMPILE_IFELSE([
+      AC_LANG_PROGRAM([[
+        #include <libraries/amisslmaster.h>
+        #include <openssl/opensslv.h>
+      ]],[[
+        #if defined(AMISSL_CURRENT_VERSION) && (AMISSL_CURRENT_VERSION >= AMISSL_V303) && \
+            defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) && \
+            defined(PROTO_AMISSL_H)
+        return 0;
+        #else
+        #error not AmiSSL v5 / OpenSSL 3
+        #endif
+      ]])
+    ],[
+      AC_MSG_RESULT([yes])
       ssl_msg="AmiSSL"
       test amissl != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
       AMISSL_ENABLED=1
-      LIBS="-lamisslauto $LIBS"
+      OPENSSL_ENABLED=1
+      # Use AmiSSL's built-in ca bundle
+      check_for_ca_bundle=1
+      with_ca_fallback=yes
+      LIBS="-lamisslstubs -lamisslauto $LIBS"
       AC_DEFINE(USE_AMISSL, 1, [if AmiSSL is in use])
       AC_DEFINE(USE_OPENSSL, 1, [if OpenSSL is in use])
-    else
-      AC_MSG_RESULT(no)
-    fi
+      AC_DEFINE_UNQUOTED(HAVE_OPENSSL3, 1, [Define to 1 if using OpenSSL 3 or later.])
+      AC_CHECK_HEADERS(openssl/x509.h openssl/rsa.h openssl/crypto.h \
+                       openssl/pem.h openssl/ssl.h openssl/err.h)
+      dnl OpenSSLv3 marks the DES functions deprecated but we have no
+      dnl replacements (yet) so tell the compiler to not warn for them
+      dnl
+      dnl Ask OpenSSL to suppress the warnings.
+      CPPFLAGS="$CPPFLAGS -DOPENSSL_SUPPRESS_DEPRECATED"
+    ],[
+      AC_MSG_RESULT([no])
+    ])
     test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
   else
     AC_MSG_RESULT(no)
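Review bot: `with_ca_fallback=yes` is assigned unconditionally in the success branch, so an explicit `--without-ca-fallback` passed to configure would be overwritten and the build would still fall back to AmiSSL's built-in CA store. Because this setting decides which trust anchors are used to verify peers, the default should apply only when the user has not made a choice, e.g. `test -n "$with_ca_fallback" || with_ca_fallback=yes`. This assumes the CA-bundle check that reads `with_ca_fallback` runs later in configure.ac, which is outside this hunk. The `AC_DEFUN` body also continues past the last line shown.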