authorBrad King <brad.king@kitware.com>2024-07-16 19:50:58 (GMT)
committerBrad King <brad.king@kitware.com>2024-07-17 13:13:26 (GMT)
commitf2596dfa0ebce746ca4c69f671d3cac3fe8fc032 (patch)
treedb2daedaa7ec7e80ac49c57eb696908342d1d2a5 /Source
parent3b2ef9b54ca91ed9e0be2680558021b3d000a2ea (diff)
macOS: Work around bug in system curl 8.{3,4,5} LibreSSL backend
Since commit d3cbee99e3 (macOS: Prefer building with system-provided curl, 2024-05-09, v3.30.0-rc1~130^2~1) CMake uses the macOS-provided curl, which uses the LibreSSL backend by default. This exposes us to curl issue 12525, created and fixed by the following upstream curl commits: * commit `bec0c5bbf` (openssl: switch to modern init for LibreSSL 2.7.0+, 2023-08-07, `curl-8_3_0~201`) * commit `9f2d2290d` (openssl: re-match LibreSSL deinit with init, 2023-12-15, `curl-8_6_0~219`) Work around the bug by preferring the secure-transport backend by default on the problematic versions of curl.
Diffstat (limited to 'Source')
-rw-r--r--Source/CTest/cmCTestCurl.cxx1
-rw-r--r--Source/CTest/cmCTestSubmitHandler.cxx1
-rw-r--r--Source/cmCurl.cxx29
-rw-r--r--Source/cmCurl.h1
-rw-r--r--Source/cmFileCommand.cxx2
5 files changed, 34 insertions, 0 deletions
diff --git a/Source/CTest/cmCTestCurl.cxx b/Source/CTest/cmCTestCurl.cxx
index 3a5806b..b8e5db1 100644
--- a/Source/CTest/cmCTestCurl.cxx
+++ b/Source/CTest/cmCTestCurl.cxx
@@ -19,6 +19,7 @@ cmCTestCurl::cmCTestCurl(cmCTest* ctest)
, CurlOpts(ctest)
{
this->SetProxyType();
+ cmCurlInitOnce();
// In windows, this will init the winsock stuff
::curl_global_init(CURL_GLOBAL_ALL);
this->Curl = curl_easy_init();
diff --git a/Source/CTest/cmCTestSubmitHandler.cxx b/Source/CTest/cmCTestSubmitHandler.cxx
index e69a7fe..85c77be 100644
--- a/Source/CTest/cmCTestSubmitHandler.cxx
+++ b/Source/CTest/cmCTestSubmitHandler.cxx
@@ -171,6 +171,7 @@ bool cmCTestSubmitHandler::SubmitUsingHTTP(
headers = ::curl_slist_append(headers, h.c_str());
}
+ cmCurlInitOnce();
/* In windows, this will init the winsock stuff */
::curl_global_init(CURL_GLOBAL_ALL);
cmCTestCurlOpts curlOpts(this->CTest);
diff --git a/Source/cmCurl.cxx b/Source/cmCurl.cxx
index ddd5f69..65fccd0 100644
--- a/Source/cmCurl.cxx
+++ b/Source/cmCurl.cxx
@@ -39,6 +39,11 @@
# define CURL_SSLVERSION_TLSv1_3 CURL_SSLVERSION_LAST
#endif
+// curl versions before 7.64.1 referred to Secure Transport as DarwinSSL
+#if defined(LIBCURL_VERSION_NUM) && LIBCURL_VERSION_NUM < 0x074001
+# define CURLSSLBACKEND_SECURETRANSPORT CURLSSLBACKEND_DARWINSSL
+#endif
+
// Make sure we keep up with new TLS versions supported by curl.
// Do this only for our vendored curl to avoid breaking builds
// against external future versions of curl.
@@ -47,6 +52,30 @@ static_assert(CURL_SSLVERSION_LAST == 8,
"A new CURL_SSLVERSION_ may be available!");
#endif
+void cmCurlInitOnce()
+{
+ // curl 7.56.0 introduced curl_global_sslset.
+#if defined(__APPLE__) && defined(CMAKE_USE_SYSTEM_CURL) && \
+ defined(LIBCURL_VERSION_NUM) && LIBCURL_VERSION_NUM >= 0x073800
+ static bool initialized = false;
+ if (initialized) {
+ return;
+ }
+ initialized = true;
+
+ cm::optional<std::string> curl_ssl_backend =
+ cmSystemTools::GetEnvVar("CURL_SSL_BACKEND");
+ if (!curl_ssl_backend || curl_ssl_backend->empty()) {
+ curl_version_info_data* cv = curl_version_info(CURLVERSION_FIRST);
+ // curl 8.3.0 through 8.5.x did not re-initialize LibreSSL correctly,
+ // so prefer the Secure Transport backend by default in those versions.
+ if (cv->version_num >= 0x080300 && cv->version_num < 0x080600) {
+ curl_global_sslset(CURLSSLBACKEND_SECURETRANSPORT, NULL, NULL);
+ }
+ }
+#endif
+}
+
cm::optional<int> cmCurlParseTLSVersion(cm::string_view tls_version)
{
cm::optional<int> v;
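Review bot: The return value of `curl_global_sslset` in `cmCurlInitOnce` is discarded, so the workaround can fail without anyone noticing. If the call returns `CURLSSLSET_TOO_LATE` (some path already ran `curl_global_init`) or `CURLSSLSET_UNKNOWN_BACKEND` (the system curl has no Secure Transport), the process stays on the LibreSSL backend this commit is trying to avoid. I would capture the result, `CURLsslset rc = curl_global_sslset(CURLSSLBACKEND_SECURETRANSPORT, nullptr, nullptr);`, and report anything other than `CURLSSLSET_OK`, since the TLS backend in use is relevant when diagnosing certificate-verification failures. Separately, `static bool initialized` is a plain unsynchronized flag; if any of the call sites can run on more than one thread (not visible from this diff), a `std::once_flag` with `std::call_once` would make the once-only guarantee hold. The trailing context lines belong to `cmCurlParseTLSVersion`, whose body continues outside the hunk.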
diff --git a/Source/cmCurl.h b/Source/cmCurl.h
index 8b8c88b..bb2221f 100644
--- a/Source/cmCurl.h
+++ b/Source/cmCurl.h
@@ -11,6 +11,7 @@
#include <cm3p/curl/curl.h>
+void cmCurlInitOnce();
cm::optional<int> cmCurlParseTLSVersion(cm::string_view tls_version);
cm::optional<std::string> cmCurlPrintTLSVersion(int curl_tls_version);
std::string cmCurlSetCAInfo(::CURL* curl, const std::string& cafile = {});
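Review bot: The new declaration `void cmCurlInitOnce();` has no comment, and its ordering requirement is not evident from the name. `curl_global_sslset` only takes effect before the first `curl_global_init`, which is why every call site in this commit places the call directly ahead of `::curl_global_init(...)`. A future caller that initializes curl without it would silently lose the workaround. I would add a comment above the declaration such as `// Apply process-wide curl TLS backend workarounds. Must be called before the first curl_global_init().`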
diff --git a/Source/cmFileCommand.cxx b/Source/cmFileCommand.cxx
index ce8cc2a..6265f82 100644
--- a/Source/cmFileCommand.cxx
+++ b/Source/cmFileCommand.cxx
@@ -2115,6 +2115,7 @@ bool HandleDownloadCommand(std::vector<std::string> const& args,
url = cmCurlFixFileURL(url);
::CURL* curl;
+ cmCurlInitOnce();
::curl_global_init(CURL_GLOBAL_DEFAULT);
curl = ::curl_easy_init();
if (!curl) {
@@ -2488,6 +2489,7 @@ bool HandleUploadCommand(std::vector<std::string> const& args,
url = cmCurlFixFileURL(url);
::CURL* curl;
+ cmCurlInitOnce();
::curl_global_init(CURL_GLOBAL_DEFAULT);
curl = ::curl_easy_init();
if (!curl) {