authorBrad King <brad.king@kitware.com>2024-09-23 18:47:04 (GMT)
committerBrad King <brad.king@kitware.com>2024-09-26 14:10:20 (GMT)
commit5e1a59dc2ba9b3f532adf21f79ad0f51b514c08f (patch)
tree720d4e4903699fb5f804940b0dd9d4ee81e7cb34 /Source
parent0acff8e622de3192a47c38643cc0c2022695e852 (diff)
file(DOWNLOAD/UPLOAD): Require minimum TLS 1.2 by default
Fixes: #25701
Diffstat (limited to 'Source')
-rw-r--r--Source/cmFileCommand.cxx17
1 files changed, 17 insertions, 0 deletions
diff --git a/Source/cmFileCommand.cxx b/Source/cmFileCommand.cxx
index 30d92ca..92e6b3e 100644
--- a/Source/cmFileCommand.cxx
+++ b/Source/cmFileCommand.cxx
@@ -1741,6 +1741,7 @@ bool HandleNativePathCommand(std::vector<std::string> const& args,
#if !defined(CMAKE_BOOTSTRAP)
const bool TLS_VERIFY_DEFAULT = true;
+const std::string TLS_VERSION_DEFAULT = "1.2";
// Stuff for curl download/upload
using cmFileCommandVectorOfChar = std::vector<char>;
@@ -2128,6 +2129,11 @@ bool HandleDownloadCommand(std::vector<std::string> const& args,
tlsVersionOpt = std::move(v);
}
}
+ bool tlsVersionDefaulted = false;
+ if (!tlsVersionOpt.has_value()) {
+ tlsVersionOpt = TLS_VERSION_DEFAULT;
+ tlsVersionDefaulted = true;
+ }
// Can't calculate hash if we don't save the file.
// TODO Incrementally calculate hash in the write callback as the file is
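Review bot: Once `tlsVersionOpt` is filled in by this block it always holds a value, so the `if (tlsVersionOpt.has_value())` guard later in HandleDownloadCommand no longer selects anything and reads as if an unset version were still possible. The same five lines are repeated in the HandleUploadCommand hunk; a small file-local helper that applies `TLS_VERSION_DEFAULT` and reports whether it did would keep the two commands from drifting apart. At minimum, a comment above the block such as `// No explicit TLS version requested: fall back to the built-in minimum.` would state the intent. The function body starts and ends outside this hunk.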
@@ -2212,6 +2218,9 @@ bool HandleDownloadCommand(std::vector<std::string> const& args,
if (tlsVersionOpt.has_value()) {
if (cm::optional<int> v = cmCurlParseTLSVersion(*tlsVersionOpt)) {
res = ::curl_easy_setopt(curl, CURLOPT_SSLVERSION, *v);
+ if (tlsVersionDefaulted && res == CURLE_NOT_BUILT_IN) {
+ res = CURLE_OK;
+ }
check_curl_result(res,
cmStrCat("DOWNLOAD cannot set TLS/SSL version ",
*tlsVersionOpt, ": "));
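Review bot: The `CURLE_NOT_BUILT_IN` result is rewritten to `CURLE_OK` with no diagnostic, so when the minimum came from the default the transfer continues without the TLS 1.2 floor being applied and nothing tells the user. If this result can only come from a libcurl built without TLS support (presumably the case, and then no https transfer can succeed anyway), the reason belongs in a comment, e.g. `// curl without TLS support cannot honor the default minimum; safe to ignore because no TLS connection can be made.`. If a TLS-capable build can also return it, the case should be reported through the command's status or log output instead of being dropped. The same pattern appears in the HandleUploadCommand hunk, and the enclosing function continues outside this hunk.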
@@ -2554,6 +2563,11 @@ bool HandleUploadCommand(std::vector<std::string> const& args,
tlsVersionOpt = std::move(v);
}
}
+ bool tlsVersionDefaulted = false;
+ if (!tlsVersionOpt.has_value()) {
+ tlsVersionOpt = TLS_VERSION_DEFAULT;
+ tlsVersionDefaulted = true;
+ }
// Open file for reading:
//
@@ -2603,6 +2617,9 @@ bool HandleUploadCommand(std::vector<std::string> const& args,
if (tlsVersionOpt.has_value()) {
if (cm::optional<int> v = cmCurlParseTLSVersion(*tlsVersionOpt)) {
res = ::curl_easy_setopt(curl, CURLOPT_SSLVERSION, *v);
+ if (tlsVersionDefaulted && res == CURLE_NOT_BUILT_IN) {
+ res = CURLE_OK;
+ }
check_curl_result(
res,
cmStrCat("UPLOAD cannot set TLS/SSL version ", *tlsVersionOpt, ": "));