mirror/CMake
1
0
Fork 0
mirror of https://github.com/Kitware/CMake.git synced 2026-04-26 00:00:39 -05:00
Code Issues Packages Projects Releases Wiki Activity

file(UPLOAD): Add support for TLS_VERIFY and TLS_CAINFO

Browse Source 
* Improve and test err messages when TLS_VERIFY and TLS_CAINFO
  are not set in file(DOWNLOAD) and file(UPLOAD).
This commit is contained in:
Harry Mallon
2020-04-07 18:03:07 +01:00
parent 37fa5122c2
commit bf94dcba76
16 changed files with 80 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Help/command/file.rst
+12 -13
View File
@@ -836,6 +836,18 @@ Options to both ``DOWNLOAD`` and ``UPLOAD`` are:
If neither ``NETRC`` option is given CMake will check variables If neither ``NETRC`` option is given CMake will check variables
``CMAKE_NETRC`` and ``CMAKE_NETRC_FILE``, respectively. ``CMAKE_NETRC`` and ``CMAKE_NETRC_FILE``, respectively.
``TLS_VERIFY <ON|OFF>``
Specify whether to verify the server certificate for ``https://`` URLs.
The default is to *not* verify.
``TLS_CAINFO <file>``
Specify a custom Certificate Authority file for ``https://`` URLs.
For ``https://`` URLs CMake must be built with OpenSSL support. ``TLS/SSL``
certificates are not checked by default. Set ``TLS_VERIFY`` to ``ON`` to
check certificates. If neither ``TLS`` option is given CMake will check
variables ``CMAKE_TLS_VERIFY`` and ``CMAKE_TLS_CAINFO``, respectively.
Additional options to ``DOWNLOAD`` are: Additional options to ``DOWNLOAD`` are:
``EXPECTED_HASH ALGO=<value>`` ``EXPECTED_HASH ALGO=<value>``
@@ -847,19 +859,6 @@ Additional options to ``DOWNLOAD`` are:
``EXPECTED_MD5 <value>`` ``EXPECTED_MD5 <value>``
Historical short-hand for ``EXPECTED_HASH MD5=<value>``. Historical short-hand for ``EXPECTED_HASH MD5=<value>``.
``TLS_VERIFY <ON|OFF>``
Specify whether to verify the server certificate for ``https://`` URLs.
The default is to *not* verify.
``TLS_CAINFO <file>``
Specify a custom Certificate Authority file for ``https://`` URLs.
For ``https://`` URLs CMake must be built with OpenSSL support. ``TLS/SSL``
certificates are not checked by default. Set ``TLS_VERIFY`` to ``ON`` to
check certificates and/or use ``EXPECTED_HASH`` to verify downloaded content.
If neither ``TLS`` option is given CMake will check variables
``CMAKE_TLS_VERIFY`` and ``CMAKE_TLS_CAINFO``, respectively.
Locking Locking
^^^^^^^ ^^^^^^^
Help/release/dev/file-upload-tls.rst
+5
View File
@@ -0,0 +1,5 @@
file-upload-tls
---------------
* The :command:`file(UPLOAD)` command gained ``TLS_VERIFY`` and ``TLS_CAINFO``
options to control server certificate verification.
Source/cmFileCommand.cxx
+35 -6
View File
@@ -1610,7 +1610,7 @@ bool HandleDownloadCommand(std::vector<std::string> const& args,
if (i != args.end()) { if (i != args.end()) {
tls_verify = cmIsOn(*i); tls_verify = cmIsOn(*i);
} else { } else {
status.SetError("TLS_VERIFY missing bool value."); status.SetError("DOWNLOAD missing bool value for TLS_VERIFY.");
return false; return false;
} }
} else if (*i == "TLS_CAINFO") { } else if (*i == "TLS_CAINFO") {
@@ -1618,7 +1618,7 @@ bool HandleDownloadCommand(std::vector<std::string> const& args,
if (i != args.end()) { if (i != args.end()) {
cainfo = i->c_str(); cainfo = i->c_str();
} else { } else {
status.SetError("TLS_CAFILE missing file value."); status.SetError("DOWNLOAD missing file value for TLS_CAINFO.");
return false; return false;
} }
} else if (*i == "NETRC_FILE") { } else if (*i == "NETRC_FILE") {
@@ -1760,11 +1760,12 @@ bool HandleDownloadCommand(std::vector<std::string> const& args,
// check to see if TLS verification is requested // check to see if TLS verification is requested
if (tls_verify) { if (tls_verify) {
res = ::curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1); res = ::curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1);
check_curl_result(res, "Unable to set TLS/SSL Verify on: "); check_curl_result(res, "DOWNLOAD cannot set TLS/SSL Verify on: ");
} else { } else {
res = ::curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0); res = ::curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
check_curl_result(res, "Unable to set TLS/SSL Verify off: "); check_curl_result(res, "DOWNLOAD cannot set TLS/SSL Verify off: ");
} }
// check to see if a CAINFO file has been specified // check to see if a CAINFO file has been specified
// command arg comes first // command arg comes first
std::string const& cainfo_err = cmCurlSetCAInfo(curl, cainfo); std::string const& cainfo_err = cmCurlSetCAInfo(curl, cainfo);
@@ -1929,6 +1930,8 @@ bool HandleUploadCommand(std::vector<std::string> const& args,
std::string logVar; std::string logVar;
std::string statusVar; std::string statusVar;
bool showProgress = false; bool showProgress = false;
bool tls_verify = status.GetMakefile().IsOn("CMAKE_TLS_VERIFY");
const char* cainfo = status.GetMakefile().GetDefinition("CMAKE_TLS_CAINFO");
std::string userpwd; std::string userpwd;
std::string netrc_level = std::string netrc_level =
status.GetMakefile().GetSafeDefinition("CMAKE_NETRC"); status.GetMakefile().GetSafeDefinition("CMAKE_NETRC");
@@ -1970,6 +1973,22 @@ bool HandleUploadCommand(std::vector<std::string> const& args,
statusVar = *i; statusVar = *i;
} else if (*i == "SHOW_PROGRESS") { } else if (*i == "SHOW_PROGRESS") {
showProgress = true; showProgress = true;
} else if (*i == "TLS_VERIFY") {
++i;
if (i != args.end()) {
tls_verify = cmIsOn(*i);
} else {
status.SetError("UPLOAD missing bool value for TLS_VERIFY.");
return false;
}
} else if (*i == "TLS_CAINFO") {
++i;
if (i != args.end()) {
cainfo = i->c_str();
} else {
status.SetError("UPLOAD missing file value for TLS_CAINFO.");
return false;
}
} else if (*i == "NETRC_FILE") { } else if (*i == "NETRC_FILE") {
++i; ++i;
if (i != args.end()) { if (i != args.end()) {
@@ -2055,8 +2074,18 @@ bool HandleUploadCommand(std::vector<std::string> const& args,
cmFileCommandCurlDebugCallback); cmFileCommandCurlDebugCallback);
check_curl_result(res, "UPLOAD cannot set debug function: "); check_curl_result(res, "UPLOAD cannot set debug function: ");
// make sure default CAInfo is set // check to see if TLS verification is requested
std::string const& cainfo_err = cmCurlSetCAInfo(curl, nullptr); if (tls_verify) {
res = ::curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1);
check_curl_result(res, "UPLOAD cannot set TLS/SSL Verify on: ");
} else {
res = ::curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
check_curl_result(res, "UPLOAD cannot set TLS/SSL Verify off: ");
}
// check to see if a CAINFO file has been specified
// command arg comes first
std::string const& cainfo_err = cmCurlSetCAInfo(curl, cainfo);
if (!cainfo_err.empty()) { if (!cainfo_err.empty()) {
status.SetError(cainfo_err); status.SetError(cainfo_err);
return false; return false;
Tests/RunCMake/file/DOWNLOAD-tls-cainfo-not-set-result.txt
+1
View File
@@ -0,0 +1 @@
1
Tests/RunCMake/file/DOWNLOAD-tls-cainfo-not-set-stderr.txt
+4
View File
@@ -0,0 +1,4 @@
^CMake Error at DOWNLOAD-tls-cainfo-not-set.cmake:[0-9]+ \(file\):
file DOWNLOAD missing file value for TLS_CAINFO.
Call Stack \(most recent call first\):
CMakeLists.txt:[0-9]+ \(include\)$
Tests/RunCMake/file/DOWNLOAD-tls-cainfo-not-set.cmake
+1
View File
@@ -0,0 +1 @@
file(DOWNLOAD "" "" TLS_CAINFO)
Tests/RunCMake/file/DOWNLOAD-tls-verify-not-set-result.txt
+1
View File
@@ -0,0 +1 @@
1
Tests/RunCMake/file/DOWNLOAD-tls-verify-not-set-stderr.txt
+4
View File
@@ -0,0 +1,4 @@
^CMake Error at DOWNLOAD-tls-verify-not-set.cmake:[0-9]+ \(file\):
file DOWNLOAD missing bool value for TLS_VERIFY.
Call Stack \(most recent call first\):
CMakeLists.txt:[0-9]+ \(include\)$
Tests/RunCMake/file/DOWNLOAD-tls-verify-not-set.cmake
+1
View File
@@ -0,0 +1 @@
file(DOWNLOAD "" "" TLS_VERIFY)
Tests/RunCMake/file/RunCMakeTest.cmake
+4
View File
@@ -8,6 +8,8 @@ run_cmake(DOWNLOAD-hash-mismatch)
run_cmake(DOWNLOAD-unused-argument) run_cmake(DOWNLOAD-unused-argument)
run_cmake(DOWNLOAD-httpheader-not-set) run_cmake(DOWNLOAD-httpheader-not-set)
run_cmake(DOWNLOAD-netrc-bad) run_cmake(DOWNLOAD-netrc-bad)
run_cmake(DOWNLOAD-tls-cainfo-not-set)
run_cmake(DOWNLOAD-tls-verify-not-set)
run_cmake(DOWNLOAD-pass-not-set) run_cmake(DOWNLOAD-pass-not-set)
run_cmake(TOUCH) run_cmake(TOUCH)
run_cmake(TOUCH-error-in-source-directory) run_cmake(TOUCH-error-in-source-directory)
@@ -15,6 +17,8 @@ run_cmake(TOUCH-error-missing-directory)
run_cmake(UPLOAD-unused-argument) run_cmake(UPLOAD-unused-argument)
run_cmake(UPLOAD-httpheader-not-set) run_cmake(UPLOAD-httpheader-not-set)
run_cmake(UPLOAD-netrc-bad) run_cmake(UPLOAD-netrc-bad)
run_cmake(UPLOAD-tls-cainfo-not-set)
run_cmake(UPLOAD-tls-verify-not-set)
run_cmake(UPLOAD-pass-not-set) run_cmake(UPLOAD-pass-not-set)
run_cmake(INSTALL-DIRECTORY) run_cmake(INSTALL-DIRECTORY)
run_cmake(INSTALL-FILES_FROM_DIR) run_cmake(INSTALL-FILES_FROM_DIR)
Tests/RunCMake/file/UPLOAD-tls-cainfo-not-set-result.txt
+1
View File
@@ -0,0 +1 @@
1
Tests/RunCMake/file/UPLOAD-tls-cainfo-not-set-stderr.txt
+4
View File
@@ -0,0 +1,4 @@
^CMake Error at UPLOAD-tls-cainfo-not-set.cmake:[0-9]+ \(file\):
file UPLOAD missing file value for TLS_CAINFO.
Call Stack \(most recent call first\):
CMakeLists.txt:[0-9]+ \(include\)$
Tests/RunCMake/file/UPLOAD-tls-cainfo-not-set.cmake
+1
View File
@@ -0,0 +1 @@
file(UPLOAD "" "" TLS_CAINFO)
Tests/RunCMake/file/UPLOAD-tls-verify-not-set-result.txt
+1
View File
@@ -0,0 +1 @@
1
Tests/RunCMake/file/UPLOAD-tls-verify-not-set-stderr.txt
+4
View File
@@ -0,0 +1,4 @@
^CMake Error at UPLOAD-tls-verify-not-set.cmake:[0-9]+ \(file\):
file UPLOAD missing bool value for TLS_VERIFY.
Call Stack \(most recent call first\):
CMakeLists.txt:[0-9]+ \(include\)$
Tests/RunCMake/file/UPLOAD-tls-verify-not-set.cmake
+1
View File
@@ -0,0 +1 @@
file(UPLOAD "" "" TLS_VERIFY)