diff options
author | Harry Mallon <hjmallon@gmail.com> | 2020-04-07 17:03:07 (GMT) |
---|---|---|
committer | Harry Mallon <hjmallon@gmail.com> | 2020-04-08 14:15:49 (GMT) |
commit | bf94dcba7606a7ac0c44d9071636bdfb50c2cabf (patch) | |
tree | ad8a3fd470474cc873e8dfd7332ca95f1a22c838 | |
parent | 37fa5122c2c1e2138b9e01191dc3cc1800f6ba40 (diff) | |
download | CMake-bf94dcba7606a7ac0c44d9071636bdfb50c2cabf.zip CMake-bf94dcba7606a7ac0c44d9071636bdfb50c2cabf.tar.gz CMake-bf94dcba7606a7ac0c44d9071636bdfb50c2cabf.tar.bz2 |
file(UPLOAD): Add support for TLS_VERIFY and TLS_CAINFO
* Improve and test err messages when TLS_VERIFY and TLS_CAINFO
are not set in file(DOWNLOAD) and file(UPLOAD).
16 files changed, 80 insertions, 19 deletions
diff --git a/Help/command/file.rst b/Help/command/file.rst index 6105219..bb560a9 100644 --- a/Help/command/file.rst +++ b/Help/command/file.rst @@ -836,6 +836,18 @@ Options to both ``DOWNLOAD`` and ``UPLOAD`` are: If neither ``NETRC`` option is given CMake will check variables ``CMAKE_NETRC`` and ``CMAKE_NETRC_FILE``, respectively. +``TLS_VERIFY <ON|OFF>`` + Specify whether to verify the server certificate for ``https://`` URLs. + The default is to *not* verify. + +``TLS_CAINFO <file>`` + Specify a custom Certificate Authority file for ``https://`` URLs. + +For ``https://`` URLs CMake must be built with OpenSSL support. ``TLS/SSL`` +certificates are not checked by default. Set ``TLS_VERIFY`` to ``ON`` to +check certificates. If neither ``TLS`` option is given CMake will check +variables ``CMAKE_TLS_VERIFY`` and ``CMAKE_TLS_CAINFO``, respectively. + Additional options to ``DOWNLOAD`` are: ``EXPECTED_HASH ALGO=<value>`` @@ -847,19 +859,6 @@ Additional options to ``DOWNLOAD`` are: ``EXPECTED_MD5 <value>`` Historical short-hand for ``EXPECTED_HASH MD5=<value>``. -``TLS_VERIFY <ON|OFF>`` - Specify whether to verify the server certificate for ``https://`` URLs. - The default is to *not* verify. - -``TLS_CAINFO <file>`` - Specify a custom Certificate Authority file for ``https://`` URLs. - -For ``https://`` URLs CMake must be built with OpenSSL support. ``TLS/SSL`` -certificates are not checked by default. Set ``TLS_VERIFY`` to ``ON`` to -check certificates and/or use ``EXPECTED_HASH`` to verify downloaded content. -If neither ``TLS`` option is given CMake will check variables -``CMAKE_TLS_VERIFY`` and ``CMAKE_TLS_CAINFO``, respectively. - Locking ^^^^^^^ diff --git a/Help/release/dev/file-upload-tls.rst b/Help/release/dev/file-upload-tls.rst new file mode 100644 index 0000000..e19be24 --- /dev/null +++ b/Help/release/dev/file-upload-tls.rst @@ -0,0 +1,5 @@ +file-upload-tls +--------------- + +* The :command:`file(UPLOAD)` command gained ``TLS_VERIFY`` and ``TLS_CAINFO`` + options to control server certificate verification. diff --git a/Source/cmFileCommand.cxx b/Source/cmFileCommand.cxx index 204e99f..af3c554 100644 --- a/Source/cmFileCommand.cxx +++ b/Source/cmFileCommand.cxx @@ -1610,7 +1610,7 @@ bool HandleDownloadCommand(std::vector<std::string> const& args, if (i != args.end()) { tls_verify = cmIsOn(*i); } else { - status.SetError("TLS_VERIFY missing bool value."); + status.SetError("DOWNLOAD missing bool value for TLS_VERIFY."); return false; } } else if (*i == "TLS_CAINFO") { @@ -1618,7 +1618,7 @@ bool HandleDownloadCommand(std::vector<std::string> const& args, if (i != args.end()) { cainfo = i->c_str(); } else { - status.SetError("TLS_CAFILE missing file value."); + status.SetError("DOWNLOAD missing file value for TLS_CAINFO."); return false; } } else if (*i == "NETRC_FILE") { @@ -1760,11 +1760,12 @@ bool HandleDownloadCommand(std::vector<std::string> const& args, // check to see if TLS verification is requested if (tls_verify) { res = ::curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1); - check_curl_result(res, "Unable to set TLS/SSL Verify on: "); + check_curl_result(res, "DOWNLOAD cannot set TLS/SSL Verify on: "); } else { res = ::curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0); - check_curl_result(res, "Unable to set TLS/SSL Verify off: "); + check_curl_result(res, "DOWNLOAD cannot set TLS/SSL Verify off: "); } + // check to see if a CAINFO file has been specified // command arg comes first std::string const& cainfo_err = cmCurlSetCAInfo(curl, cainfo); @@ -1929,6 +1930,8 @@ bool HandleUploadCommand(std::vector<std::string> const& args, std::string logVar; std::string statusVar; bool showProgress = false; + bool tls_verify = status.GetMakefile().IsOn("CMAKE_TLS_VERIFY"); + const char* cainfo = status.GetMakefile().GetDefinition("CMAKE_TLS_CAINFO"); std::string userpwd; std::string netrc_level = status.GetMakefile().GetSafeDefinition("CMAKE_NETRC"); @@ -1970,6 +1973,22 @@ bool HandleUploadCommand(std::vector<std::string> const& args, statusVar = *i; } else if (*i == "SHOW_PROGRESS") { showProgress = true; + } else if (*i == "TLS_VERIFY") { + ++i; + if (i != args.end()) { + tls_verify = cmIsOn(*i); + } else { + status.SetError("UPLOAD missing bool value for TLS_VERIFY."); + return false; + } + } else if (*i == "TLS_CAINFO") { + ++i; + if (i != args.end()) { + cainfo = i->c_str(); + } else { + status.SetError("UPLOAD missing file value for TLS_CAINFO."); + return false; + } } else if (*i == "NETRC_FILE") { ++i; if (i != args.end()) { @@ -2055,8 +2074,18 @@ bool HandleUploadCommand(std::vector<std::string> const& args, cmFileCommandCurlDebugCallback); check_curl_result(res, "UPLOAD cannot set debug function: "); - // make sure default CAInfo is set - std::string const& cainfo_err = cmCurlSetCAInfo(curl, nullptr); + // check to see if TLS verification is requested + if (tls_verify) { + res = ::curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1); + check_curl_result(res, "UPLOAD cannot set TLS/SSL Verify on: "); + } else { + res = ::curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0); + check_curl_result(res, "UPLOAD cannot set TLS/SSL Verify off: "); + } + + // check to see if a CAINFO file has been specified + // command arg comes first + std::string const& cainfo_err = cmCurlSetCAInfo(curl, cainfo); if (!cainfo_err.empty()) { status.SetError(cainfo_err); return false; diff --git a/Tests/RunCMake/file/DOWNLOAD-tls-cainfo-not-set-result.txt b/Tests/RunCMake/file/DOWNLOAD-tls-cainfo-not-set-result.txt new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/Tests/RunCMake/file/DOWNLOAD-tls-cainfo-not-set-result.txt @@ -0,0 +1 @@ +1 diff --git a/Tests/RunCMake/file/DOWNLOAD-tls-cainfo-not-set-stderr.txt b/Tests/RunCMake/file/DOWNLOAD-tls-cainfo-not-set-stderr.txt new file mode 100644 index 0000000..1552baa --- /dev/null +++ b/Tests/RunCMake/file/DOWNLOAD-tls-cainfo-not-set-stderr.txt @@ -0,0 +1,4 @@ +^CMake Error at DOWNLOAD-tls-cainfo-not-set.cmake:[0-9]+ \(file\): + file DOWNLOAD missing file value for TLS_CAINFO. +Call Stack \(most recent call first\): + CMakeLists.txt:[0-9]+ \(include\)$ diff --git a/Tests/RunCMake/file/DOWNLOAD-tls-cainfo-not-set.cmake b/Tests/RunCMake/file/DOWNLOAD-tls-cainfo-not-set.cmake new file mode 100644 index 0000000..b476425 --- /dev/null +++ b/Tests/RunCMake/file/DOWNLOAD-tls-cainfo-not-set.cmake @@ -0,0 +1 @@ +file(DOWNLOAD "" "" TLS_CAINFO) diff --git a/Tests/RunCMake/file/DOWNLOAD-tls-verify-not-set-result.txt b/Tests/RunCMake/file/DOWNLOAD-tls-verify-not-set-result.txt new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/Tests/RunCMake/file/DOWNLOAD-tls-verify-not-set-result.txt @@ -0,0 +1 @@ +1 diff --git a/Tests/RunCMake/file/DOWNLOAD-tls-verify-not-set-stderr.txt b/Tests/RunCMake/file/DOWNLOAD-tls-verify-not-set-stderr.txt new file mode 100644 index 0000000..2f46c0c --- /dev/null +++ b/Tests/RunCMake/file/DOWNLOAD-tls-verify-not-set-stderr.txt @@ -0,0 +1,4 @@ +^CMake Error at DOWNLOAD-tls-verify-not-set.cmake:[0-9]+ \(file\): + file DOWNLOAD missing bool value for TLS_VERIFY. +Call Stack \(most recent call first\): + CMakeLists.txt:[0-9]+ \(include\)$ diff --git a/Tests/RunCMake/file/DOWNLOAD-tls-verify-not-set.cmake b/Tests/RunCMake/file/DOWNLOAD-tls-verify-not-set.cmake new file mode 100644 index 0000000..919368c --- /dev/null +++ b/Tests/RunCMake/file/DOWNLOAD-tls-verify-not-set.cmake @@ -0,0 +1 @@ +file(DOWNLOAD "" "" TLS_VERIFY) diff --git a/Tests/RunCMake/file/RunCMakeTest.cmake b/Tests/RunCMake/file/RunCMakeTest.cmake index f5461ad..a4de1d3 100644 --- a/Tests/RunCMake/file/RunCMakeTest.cmake +++ b/Tests/RunCMake/file/RunCMakeTest.cmake @@ -8,6 +8,8 @@ run_cmake(DOWNLOAD-hash-mismatch) run_cmake(DOWNLOAD-unused-argument) run_cmake(DOWNLOAD-httpheader-not-set) run_cmake(DOWNLOAD-netrc-bad) +run_cmake(DOWNLOAD-tls-cainfo-not-set) +run_cmake(DOWNLOAD-tls-verify-not-set) run_cmake(DOWNLOAD-pass-not-set) run_cmake(TOUCH) run_cmake(TOUCH-error-in-source-directory) @@ -15,6 +17,8 @@ run_cmake(TOUCH-error-missing-directory) run_cmake(UPLOAD-unused-argument) run_cmake(UPLOAD-httpheader-not-set) run_cmake(UPLOAD-netrc-bad) +run_cmake(UPLOAD-tls-cainfo-not-set) +run_cmake(UPLOAD-tls-verify-not-set) run_cmake(UPLOAD-pass-not-set) run_cmake(INSTALL-DIRECTORY) run_cmake(INSTALL-FILES_FROM_DIR) diff --git a/Tests/RunCMake/file/UPLOAD-tls-cainfo-not-set-result.txt b/Tests/RunCMake/file/UPLOAD-tls-cainfo-not-set-result.txt new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/Tests/RunCMake/file/UPLOAD-tls-cainfo-not-set-result.txt @@ -0,0 +1 @@ +1 diff --git a/Tests/RunCMake/file/UPLOAD-tls-cainfo-not-set-stderr.txt b/Tests/RunCMake/file/UPLOAD-tls-cainfo-not-set-stderr.txt new file mode 100644 index 0000000..a5fa4e8 --- /dev/null +++ b/Tests/RunCMake/file/UPLOAD-tls-cainfo-not-set-stderr.txt @@ -0,0 +1,4 @@ +^CMake Error at UPLOAD-tls-cainfo-not-set.cmake:[0-9]+ \(file\): + file UPLOAD missing file value for TLS_CAINFO. +Call Stack \(most recent call first\): + CMakeLists.txt:[0-9]+ \(include\)$ diff --git a/Tests/RunCMake/file/UPLOAD-tls-cainfo-not-set.cmake b/Tests/RunCMake/file/UPLOAD-tls-cainfo-not-set.cmake new file mode 100644 index 0000000..8eb7c83 --- /dev/null +++ b/Tests/RunCMake/file/UPLOAD-tls-cainfo-not-set.cmake @@ -0,0 +1 @@ +file(UPLOAD "" "" TLS_CAINFO) diff --git a/Tests/RunCMake/file/UPLOAD-tls-verify-not-set-result.txt b/Tests/RunCMake/file/UPLOAD-tls-verify-not-set-result.txt new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/Tests/RunCMake/file/UPLOAD-tls-verify-not-set-result.txt @@ -0,0 +1 @@ +1 diff --git a/Tests/RunCMake/file/UPLOAD-tls-verify-not-set-stderr.txt b/Tests/RunCMake/file/UPLOAD-tls-verify-not-set-stderr.txt new file mode 100644 index 0000000..c4dffcd --- /dev/null +++ b/Tests/RunCMake/file/UPLOAD-tls-verify-not-set-stderr.txt @@ -0,0 +1,4 @@ +^CMake Error at UPLOAD-tls-verify-not-set.cmake:[0-9]+ \(file\): + file UPLOAD missing bool value for TLS_VERIFY. +Call Stack \(most recent call first\): + CMakeLists.txt:[0-9]+ \(include\)$ diff --git a/Tests/RunCMake/file/UPLOAD-tls-verify-not-set.cmake b/Tests/RunCMake/file/UPLOAD-tls-verify-not-set.cmake new file mode 100644 index 0000000..8b9d293 --- /dev/null +++ b/Tests/RunCMake/file/UPLOAD-tls-verify-not-set.cmake @@ -0,0 +1 @@ +file(UPLOAD "" "" TLS_VERIFY) |