wolfssl: fix cipher list, skip 5.8.4 regression

- adjust cipher list in infof() statement for min/max TLS version

- skip test_17_07 for wolfSSL 5.8.4 when CHACHA20 is negotiated
  due to regression with homebrew build on ARM systems.

Fixes #19644
Reported-by: Viktor Szakats
Closes #19662

diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
index a8090d1bf1adc91290ee53eb13d0e8bc83f66577..c8fc8c4add1a065aeca57af80b0cb926750acb5b 100644 (file)
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@@ -1043,62 +1043,69 @@ static CURLcode client_certificate(struct Curl_easy *data,
 
 static CURLcode ssl_version(struct Curl_easy *data,
                             struct ssl_primary_config *conn_config,
-                            struct wssl_ctx *wctx)
+                            struct wssl_ctx *wctx,
+                            int *min_version, int *max_version)
 {
   int res;
+  *min_version = *max_version = 0;
   switch(conn_config->version) {
   case CURL_SSLVERSION_DEFAULT:
   case CURL_SSLVERSION_TLSv1:
   case CURL_SSLVERSION_TLSv1_0:
-    res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, TLS1_VERSION);
+    *min_version = TLS1_VERSION;
     break;
   case CURL_SSLVERSION_TLSv1_1:
-    res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, TLS1_1_VERSION);
+    *min_version = TLS1_1_VERSION;
     break;
   case CURL_SSLVERSION_TLSv1_2:
-    res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, TLS1_2_VERSION);
+    *min_version = TLS1_2_VERSION;
     break;
 #ifdef WOLFSSL_TLS13
   case CURL_SSLVERSION_TLSv1_3:
-    res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, TLS1_3_VERSION);
+    *min_version = TLS1_3_VERSION;
     break;
 #endif
   default:
     failf(data, "wolfSSL: unsupported minimum TLS version value");
     return CURLE_SSL_CONNECT_ERROR;
   }
-  if(res != WOLFSSL_SUCCESS) {
-    failf(data, "wolfSSL: failed set the minimum TLS version");
-    return CURLE_SSL_CONNECT_ERROR;
-  }
 
   switch(conn_config->version_max) {
 #ifdef WOLFSSL_TLS13
   case CURL_SSLVERSION_MAX_TLSv1_3:
-    res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, TLS1_3_VERSION);
+    *max_version = TLS1_3_VERSION;
     break;
 #endif
   case CURL_SSLVERSION_MAX_TLSv1_2:
-    res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, TLS1_2_VERSION);
+    *max_version = TLS1_2_VERSION;
     break;
   case CURL_SSLVERSION_MAX_TLSv1_1:
-    res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, TLS1_1_VERSION);
+    *max_version = TLS1_1_VERSION;
     break;
   case CURL_SSLVERSION_MAX_TLSv1_0:
-    res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, TLS1_VERSION);
+    *max_version = TLS1_VERSION;
     break;
   case CURL_SSLVERSION_MAX_DEFAULT:
   case CURL_SSLVERSION_MAX_NONE:
-    res = WOLFSSL_SUCCESS;
     break;
   default:
     failf(data, "wolfSSL: unsupported maximum TLS version value");
     return CURLE_SSL_CONNECT_ERROR;
   }
+
+  res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, *min_version);
   if(res != WOLFSSL_SUCCESS) {
-    failf(data, "wolfSSL: failed set the maximum TLS version");
+    failf(data, "wolfSSL: failed set the minimum TLS version");
     return CURLE_SSL_CONNECT_ERROR;
   }
+
+  if(*max_version) {
+    res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, *max_version);
+    if(res != WOLFSSL_SUCCESS) {
+      failf(data, "wolfSSL: failed set the maximum TLS version");
+      return CURLE_SSL_CONNECT_ERROR;
+    }
+  }
   return CURLE_OK;
 }
 
@@ -1126,6 +1133,7 @@ CURLcode Curl_wssl_ctx_init(struct wssl_ctx *wctx,
 #endif
   CURLcode result = CURLE_FAILED_INIT;
   unsigned char transport;
+  int tls_min, tls_max;
 
   DEBUGASSERT(!wctx->ssl_ctx);
   DEBUGASSERT(!wctx->ssl);
@@ -1159,7 +1167,7 @@ CURLcode Curl_wssl_ctx_init(struct wssl_ctx *wctx,
     goto out;
   }
 
-  result = ssl_version(data, conn_config, wctx);
+  result = ssl_version(data, conn_config, wctx, &tls_min, &tls_max);
   if(result)
     goto out;
 
@@ -1183,12 +1191,14 @@ CURLcode Curl_wssl_ctx_init(struct wssl_ctx *wctx,
     struct dynbuf c;
     curlx_dyn_init(&c, MAX_CIPHER_LEN);
 
-    if(ciphers13)
-      result = curlx_dyn_add(&c, ciphers13);
-    else
-      result = wssl_add_default_ciphers(TRUE, &c);
+    if(!tls_max || (tls_max >= TLS1_3_VERSION)) {
+      if(ciphers13)
+        result = curlx_dyn_add(&c, ciphers13);
+      else
+        result = wssl_add_default_ciphers(TRUE, &c);
+    }
 
-    if(!result) {
+    if(!result && (tls_min < TLS1_3_VERSION)) {
       if(ciphers12) {
         if(curlx_dyn_len(&c))
           result = curlx_dyn_addn(&c, ":", 1);

diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
index 58ad7fdf1576a756a53da65dd4f59d489e73e9cb..85c43d568e2ce06e11b70d403ed65cfb0c35cd41 100644 (file)
--- a/tests/http/test_17_ssl_use.py
+++ b/tests/http/test_17_ssl_use.py
@@ -258,6 +258,10 @@ class TestSSLUse:
         curl = CurlClient(env=env)
         url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
         # SSL backend specifics
+        # see wolfSSL/wolfssl#9462
+        if env.curl_uses_lib('wolfssl') and env.curl_lib_version('wolfssl') == '5.8.4' \
+           and ciphers13 and 'TLS_CHACHA20_POLY1305_SHA256' in ciphers13:
+            pytest.skip('wolfSSL 5.8.4 is borked on ARM with CHACHA20')
         if env.curl_uses_lib('gnutls'):
             pytest.skip('GnuTLS does not support setting ciphers')
         elif env.curl_uses_lib('boringssl'):