cmake: Use a default CA path when not using system curl

When using system curl, we trust it to be configured with desired CA
certs.  When using our own build of curl, we use os-configured CA certs
on Windows and OS X.  On other systems, try to achieve this by searching
for common CA cert locations.  According to a brief investigation, the
curl packages on popular Linux distros are currently configured as:

* Arch: /etc/ssl/certs/ca-certificates.crt
* Debian with OpenSSL: /etc/ssl/certs
* Debian with GNU TLS: /etc/ssl/certs/ca-certificates.crt
* Debian with NSS: /etc/ssl/certs/ca-certificates.crt
* Fedora: /etc/pki/tls/certs/ca-bundle.crt
* Gentoo with OpenSSL: /etc/ssl/certs
* Gentoo without OpenSSL: /etc/ssl/certs/ca-certificates.crt

Teach CMake and CTest to look for these paths and use them as a CA path
or bundle when no other os-configured or user-specified CAs are
available.

1 files changed, 64 insertions, 0 deletions

diff --git a/Source/cmCurl.cxx b/Source/cmCurl.cxx
new file mode 100644
index 0000000..96d3547
--- /dev/null
+++ b/Source/cmCurl.cxx
@@ -0,0 +1,64 @@
+/*============================================================================
+  CMake - Cross Platform Makefile Generator
+  Copyright 2000-2015 Kitware, Inc., Insight Software Consortium
+
+  Distributed under the OSI-approved BSD License (the "License");
+  see accompanying file Copyright.txt for details.
+
+  This software is distributed WITHOUT ANY WARRANTY; without even the
+  implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+  See the License for more information.
+============================================================================*/
+#include "cmCurl.h"
+#include "cmSystemTools.h"
+
+#define check_curl_result(result, errstr)                               \
+  if (result != CURLE_OK)                                               \
+    {                                                                   \
+    e += e.empty()? "" : "\n";                                          \
+    e += errstr;                                                        \
+    e += ::curl_easy_strerror(result);                                  \
+    }
+
+//----------------------------------------------------------------------------
+std::string cmCurlSetCAInfo(::CURL *curl, const char* cafile)
+{
+  std::string e;
+  if(cafile && *cafile)
+    {
+    ::CURLcode res = ::curl_easy_setopt(curl, CURLOPT_CAINFO, cafile);
+    check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
+    }
+#if !defined(CMAKE_USE_SYSTEM_CURL) && \
+    !defined(_WIN32) && !defined(__APPLE__) && \
+    !defined(CURL_CA_BUNDLE) && !defined(CURL_CA_PATH)
+# define CMAKE_CAFILE_FEDORA "/etc/pki/tls/certs/ca-bundle.crt"
+  else if(cmSystemTools::FileExists(CMAKE_CAFILE_FEDORA, true))
+    {
+    ::CURLcode res =
+      ::curl_easy_setopt(curl, CURLOPT_CAINFO, CMAKE_CAFILE_FEDORA);
+    check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
+    }
+# undef CMAKE_CAFILE_FEDORA
+  else
+    {
+#   define CMAKE_CAFILE_COMMON "/etc/ssl/certs/ca-certificates.crt"
+    if(cmSystemTools::FileExists(CMAKE_CAFILE_COMMON, true))
+      {
+      ::CURLcode res =
+        ::curl_easy_setopt(curl, CURLOPT_CAINFO, CMAKE_CAFILE_COMMON);
+      check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
+      }
+#   undef CMAKE_CAFILE_COMMON
+#   define CMAKE_CAPATH_COMMON "/etc/ssl/certs"
+    if(cmSystemTools::FileIsDirectory(CMAKE_CAPATH_COMMON))
+      {
+      ::CURLcode res =
+        ::curl_easy_setopt(curl, CURLOPT_CAPATH, CMAKE_CAPATH_COMMON);
+      check_curl_result(res, "Unable to set TLS/SSL Verify CAPATH: ");
+      }
+#   undef CMAKE_CAPATH_COMMON
+    }
+#endif
+  return e;
+}